keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KeiSeiKit-1.0/_primitives/_rust/kei-mcp
History
KeiSei84 8086bec486
Some checks are pending
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / preflight (push) Waiting to run
Details
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / vps-smoke (push) Waiting to run
Details
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:frustration-matrix,kei-frustration-loop,kei-skill-importer,kei-projects-index,kei-projects-watcher,kei-gdrive-import,kei-leak-matrix,kei-skills,kei-gateway,kei-cron-scheduler,kei-export-trajectories,kei-backend-daytona,kei-d… (push) Blocked by required conditions
Details
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-compute-baremetal,kei-compute-vultr,kei-compute-linode,kei-compute-digitalocean,kei-svc-systemd,kei-llm-bridge-mlx name:hosted-sleep-compute]) (push) Blocked by required conditions
Details
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-diff,kei-scheduler,kei-watch,kei-prune,kei-discover,kei-brain-view,kei-hibernate,kei-ledger-sign,kei-fork name:wave13-15]) (push) Blocked by required conditions
Details
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-git-gitea,kei-git-forgejo,kei-git-gitlab,kei-git-bitbucket,kei-memory-sled,kei-memory-redis,kei-memory-postgres,kei-memory-sqlite,kei-auth-google,kei-auth-apple,kei-auth-magiclink,kei-auth-webauthn,kei-notify-slack,kei-n… (push) Blocked by required conditions
Details
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-ledger,kei-migrate,kei-changelog,kei-memory,kei-store,kei-conflict-scan,kei-refactor-engine,kei-graph-check,kei-shared,kei-dna-index,kei-pet name:core]) (push) Blocked by required conditions
Details
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-machine-probe,kei-llm-ollama,kei-llm-llamacpp,kei-llm-mlx,kei-llm-router,kei-model name:llm-stack]) (push) Blocked by required conditions
Details
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-router,kei-sage,kei-task,kei-chat-store,kei-crossdomain,kei-search-core,kei-content-store,kei-social-store,kei-curator,kei-auth,kei-artifact name:mcp-lbm]) (push) Blocked by required conditions
Details
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:keisei,kei-forge,kei-runtime,kei-runtime-core,kei-atom-discovery,kei-agent-runtime,kei-capability,kei-provision,kei-entity-store,kei-pipe,kei-cache,kei-spawn,kei-replay name:atom-substrate]) (push) Blocked by required conditions
Details
feat(v0.41): patch 5 Gemini security findings + Copilot doc bug + claude/grok perms 
Audit pass via Phase C dogfooding (security-auditor @ Agy/Gemini reviewing
our own safe_tools.rs) surfaced 5 real bugs. All fixed.

## Gemini findings (5 real bugs)

[#1 HIGH] FAIL-OPEN on missing config/hook
  Before: missing policy-chain.toml → "passing through" warning; missing
          hook script → "skipped" warning. Misconfig silently disabled
          enforcement.
  After:  both paths FAIL-CLOSED with clear error surfaced to caller.
          Tests/dev can opt in to pass-through via KEI_POLICY_CHAIN_OPTIONAL=1.

[#2 HIGH] Path traversal in kei_edit/kei_write
  Before: no validation; attacker could pass file_path=/etc/passwd or
          $HOME/.ssh/authorized_keys.
  After:  validate_path() rejects '..' segments, system dirs (/etc/, /usr/,
          /System/, /var/, /root/), and dotfile-secret dirs (~/.ssh/,
          ~/.aws/, ~/.gnupg/, ~/.config/gcloud/). Override via
          KEI_ALLOWED_ROOTS for explicit single-root confinement.

[#3 HIGH] CLAUDECODE/GROKCODE env bypass
  Behavior unchanged — this guard is a perf/UX optimization to avoid
  double-firing hooks when called from inside Claude/Grok (which already
  ran their own PreToolUse). Documented explicitly as NOT a security
  boundary: attacker controlling parent env already owns the invocation.
  Module header gains a DESIGN NOTE making this load-bearing.

[#4 MED] std::fs in async context
  Before: handle_edit/handle_write used std::fs::{read_to_string,write},
          which block the tokio worker thread. Pathological paths like
          /dev/random would freeze a worker indefinitely.
  After:  tokio::fs::{read_to_string,write}.await — async I/O, worker
          stays responsive.

[#5 MED] kill_on_drop only kills immediate child
  Before: timeout in kei_bash drops the Child handle; tokio's kill_on_drop
          SIGKILLs only the shell. Grandchildren (e.g., 'sleep 1000 &')
          orphaned.
  After:  Unix-only: spawn child in its own process group
          (Command::process_group(0)), and on timeout libc::kill(-pid,
          SIGKILL) to take down the whole group. New libc dep on Unix.

## Copilot doc fix

Doc claimed "kei-mcp exposes 4 built-in tools" without saying spawn_agent
lives in tools.rs while kei_bash/edit/write live in safe_tools.rs.
Validator agent flagged this as FALSE/MISLEADING. Now the doc spells out
the two-file structure + adds a v0.41 hardening summary.

## claude/grok subprocess permissions

Cross-CLI audit demo revealed that 'claude -p' and 'grok --print' returned
empty when invoked headless with a real audit task — they need explicit
permission flags to use Read/Grep tools in non-interactive mode. Added:

  claude:  --permission-mode=bypassPermissions
  grok:    --always-approve
  agy:     --dangerously-skip-permissions

Override via KEI_AGENT_PERMISSIVE=0 to keep strict default.
Re-verified: claude+grok both echo SMOKE-OK-V41 with the flag.

## Verification

cargo test -p kei-mcp --release  → 3/3 pass
MCP JSON-RPC smoke (all 7):
  - tools/list shows 4 built-ins ✓
  - kei_bash blocks RULE 0.1 push ✓
  - kei_bash passes 'echo OK' ✓
  - kei_write rejects /etc/passwd ✓
  - kei_write rejects ../ traversal ✓
  - kei_write rejects ~/.ssh/* ✓
  - missing policy-chain → FAIL-CLOSED with clear error ✓
  - KEI_POLICY_CHAIN_OPTIONAL=1 → opt-in pass-through ✓
2026-05-26 19:48:29 +08:00
..
src feat(v0.41): patch 5 Gemini security findings + Copilot doc bug + claude/grok perms 2026-05-26 19:48:29 +08:00
tests feat(phase-C): cross-CLI hook enforcement via kei_bash/kei_edit/kei_write MCP tools 2026-05-26 18:03:33 +08:00
Cargo.toml feat(v0.41): patch 5 Gemini security findings + Copilot doc bug + claude/grok perms 2026-05-26 19:48:29 +08:00
README.md KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00

README.md

kei-mcp — Model Context Protocol server

kei-mcp exposes the KeiSeiKit atom registry over the Model Context Protocol so MCP-aware clients (Claude Code, Cline, OpenClaw, etc.) can discover and call our 13 atoms + N primitives as MCP tools, and read our skills as MCP resources.

What you get

  • Tools — every atom in _primitives/_rust/*/atoms/*.md becomes one MCP tool. Tool name is the atom's full id (<crate>::<verb>), the description is the first paragraph of the atom's body, and the input schema is the JSON-Schema referenced by the atom's frontmatter.
  • Resources — every skills/<name>/SKILL.md becomes one MCP resource at skill://<name> returning the SKILL.md text on read.
  • Prompts — placeholder list (empty) for now.

Wire format

JSON-RPC 2.0 over stdio, line-delimited (one request per line, one response per line). stdout carries protocol frames ONLY; everything else (diagnostics, warnings) goes to stderr.

Supported methods: initialize, tools/list, tools/call, resources/list, resources/read, prompts/list, prompts/get.

Build

cargo build -p kei-mcp --release
# binary: target/release/kei-mcp

Configuration (env)

Variable Default What it does
KEI_MCP_ATOMS_ROOT _primitives/_rust Where to walk for <crate>/atoms/*.md
KEI_MCP_SKILLS_ROOT skills Where to walk for <name>/SKILL.md
KEI_RUNTIME_BIN_DIR (unset) Resolve <crate> binaries here before falling back to $PATH

Register with Claude Code

Add to ~/.claude/mcp_servers.json:

{
  "kei": {
    "command": "/absolute/path/to/kei-mcp",
    "args": [],
    "env": {
      "KEI_MCP_ATOMS_ROOT": "/absolute/path/to/KeiSeiKit/_primitives/_rust",
      "KEI_MCP_SKILLS_ROOT": "/absolute/path/to/KeiSeiKit/skills",
      "KEI_RUNTIME_BIN_DIR": "/absolute/path/to/KeiSeiKit/_primitives/_rust/target/release"
    }
  }
}

Register with Cline

Edit Cline's cline_mcp_settings.json (open via Cline: Edit MCP Settings from the command palette):

{
  "mcpServers": {
    "kei": {
      "command": "/absolute/path/to/kei-mcp",
      "args": [],
      "env": {
        "KEI_MCP_ATOMS_ROOT": "/absolute/path/to/KeiSeiKit/_primitives/_rust",
        "KEI_MCP_SKILLS_ROOT": "/absolute/path/to/KeiSeiKit/skills"
      }
    }
  }
}

Register with OpenClaw

Add to ~/.openclaw/mcp.json:

{
  "servers": {
    "kei": {
      "command": "/absolute/path/to/kei-mcp",
      "args": [],
      "env": {
        "KEI_MCP_ATOMS_ROOT": "/absolute/path/to/KeiSeiKit/_primitives/_rust",
        "KEI_MCP_SKILLS_ROOT": "/absolute/path/to/KeiSeiKit/skills"
      }
    }
  }
}

Manual smoke test

echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05"}}' \
  | ./kei-mcp

You should see one line of JSON on stdout containing serverInfo.name: "kei-mcp".