keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KeiSeiKit-1.0/_ts_packages
History
Parfii-bot 8a885a7d76 fix(release+slices): v0.14.4 publish auth fallback + 4 fix-implementer slices 
After v0.14.3 npm-publish failed again with 401 Unauthorized despite
path-scoped _authToken. Direct curl probe to keigit confirmed BOTH Bearer
and Basic auth schemes work — so the issue is npm 10 not sending the
auth header in CI. Likely cause: deprecated `always-auth=true` interfered
with token resolution.

== Publish auth fix ==
- Drop `always-auth=true` (deprecated in npm 10+; warns in logs)
- Keep path-scoped `_authToken` (npm 10 canonical)
- Add legacy Basic-auth fallback rows (username/_password/email) — Forgejo
  accepts both schemes per direct probe; if one resolution path fails,
  npm tries the other
- chmod 600 on $HOME/.npmrc and project .npmrc (defense-in-depth)
- Bump 0.14.3 → 0.14.4

== Slice A — TS server hardening (Sonnet code-implementer-typescript) ==
File: _ts_packages/packages/mcp-server/src/server.ts (+3/-1)
File: _ts_packages/packages/mcp-server/src/index.ts (+14/-4)
- safeEqual constant-time path on length mismatch (timing oracle close)
- HTTP server defaults to 127.0.0.1 bind; --bind <addr> opt-in for 0.0.0.0
- Body cap 1 MiB with 413 response (DoS prevention)
- VERIFIED: tsc -b --noEmit exit 0

== Slice B — Outcome-only profile hardening (Sonnet code-implementer) ==
Files: install.sh, install/lib-args.sh, install/lib-profile-outcome-only.sh
- Confirm-screen gate before destructive install (skips on --dry-run / --yes)
- _outcome_install_ledger return value tracked → summary reflects reality
  (was: false-success "ledger: ..." when init failed)
- --dry-run silent-ignored on non-outcome profiles → now warns
- VERIFIED: end-to-end smoke against fake $HOME with `<<< "y"` — all 5
  files installed, schema v9 + 2 triggers, summary correct

== Slice D — jq-merge dedup tuple (Sonnet code-implementer) ==
File: install/lib-hooks.sh
- Replaced `unique_by(.command)` with reduce-into-object keyed on
  norm-ed command (tilde-vs-absolute path collision fix)
- Snippet-wins precedence on collision
- 3 manual scenario traces pass: tilde+tilde, absolute+tilde, idempotency

== Slice E — Doc honesty pass (Sonnet code-implementer, selective-merged) ==
Files: README.md, docs/{INSTALL,ARCHITECTURE,PROFILE-OUTCOME-ONLY}.md
Note: Slice E worktree was based on an older main commit; merged
selectively to preserve current-main values (565 DNAs, not worktree's 518)
- README:62 plugin marketplace URL: KeiSei84/KeiSeiKit → KeiSei84/KeiSeiKit-1.0
  (consistent with line 66 git clone URL + Cargo.toml repository field)
- README:9-15: per-claim [REAL: <command>] markers on all 8 numerics
- README:124-132 + PROFILE-OUTCOME-ONLY.md:43-55 + ARCHITECTURE.md:288-302:
  rephrase 100-row router claim — now describes Wilson lower-bound
  (δ=0.10, q*=0.70) continuous metric with file:line pointer to select.rs
- INSTALL.md: ESTIMATE-HTC marker covering all install-time / disk-size
  numerics in profile table (RULE 0.18 compliance)
- PROFILE-OUTCOME-ONLY.md privacy section: discloses agent-toolstats.jsonl
  sidecar (was undocumented per W3 finding)
- PROFILE-OUTCOME-ONLY.md uninstall: added 6th rm -f for .bak-* cleanup
  (closes orphan-accumulation per W3+W4 audits)

[FROM-JOURNAL: tasks.jsonl this session — 12 audit agents waves 5+6 +
4 parallel fix-implementer worktrees ran ~25 min wall-time]

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 00:16:48 +08:00
..
packages fix(release+slices): v0.14.4 publish auth fallback + 4 fix-implementer slices 2026-05-04 00:16:48 +08:00
.gitignore KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
bun.lock KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
package-lock.json fix(release+slices): v0.14.4 publish auth fallback + 4 fix-implementer slices 2026-05-04 00:16:48 +08:00
package.json chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
README.md Revert "feat(mcp-server): production-ready publish path via GitHub Packages" 2026-05-03 18:04:00 +08:00
tsconfig.base.json KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00

README.md

KeiSeiKit TypeScript Packages

v0.14.0 part B: MCP server layer + external-API adapters.

RULE 0.2 exception

TypeScript is chosen here under RULE 0.2 exception #4 (Browser/DOM adjacent) because:

  1. The official Model Context Protocol SDK is TypeScript-native; Rust MCP libraries are immature (as of 2026-04).
  2. The API adapters rely on JS-native SDKs with no Rust equivalents:
    • grammy (type-safe Telegram bot)
    • googleapis (official Google API SDK for Gmail + YouTube)
    • youtube-transcript (Tier-1 free transcript extractor)
  3. Async, JSON-heavy glue code is TypeScript's sweet spot.

Core primitives (signing, ledger, graph, memory, refactor, etc.) remain Rust in ../_primitives/_rust/. This TS layer is a THIN wrapper: it spawns the Rust CLIs as subprocesses and exposes them as MCP tools, plus the six adapters above that have no Rust equivalent.

Layout

_ts_packages/
├── package.json              npm workspace root
├── tsconfig.base.json        strict TS 5.x
└── packages/
    ├── mcp-server/           @keisei/mcp-server
    ├── telegram-adapter/     @keisei/telegram-adapter
    ├── recall-adapter/       @keisei/recall-adapter  (Zoom via Recall.ai)
    ├── grok-adapter/         @keisei/grok-adapter    (xAI)
    ├── gmail-adapter/        @keisei/gmail-adapter
    └── youtube-adapter/      @keisei/youtube-adapter

Install (for end users)

1. Install workspace deps

cd _ts_packages
npm install
npm run build

2. Link each package as a global CLI (optional)

npm i -g ./packages/mcp-server
npm i -g ./packages/telegram-adapter
# ... etc

Or install into a Claude agent directory:

npm i --prefix ~/.claude/agents/_ts_packages/packages/mcp-server \
      ./_ts_packages/packages/mcp-server

Environment variables (RULE 0.8 — secrets in ~/.claude/secrets/.env)

Var Package Purpose
TELEGRAM_BOT_TOKEN telegram-adapter Bot API token
RECALL_API_KEY recall-adapter Recall.ai API key (Zoom meetings)
XAI_API_KEY grok-adapter xAI Grok API key
GMAIL_CLIENT_ID gmail-adapter Google OAuth2 client id
GMAIL_CLIENT_SECRET gmail-adapter Google OAuth2 client secret
GMAIL_REFRESH_TOKEN gmail-adapter Long-lived OAuth2 refresh token
YOUTUBE_API_KEY youtube-adapter YouTube Data API v3 key
KEI_MCP_AUTH_TOKEN mcp-server HMAC token for tool callers
KEI_RUST_BIN_DIR mcp-server Override directory holding Rust primitive CLIs

All are read via process.env. Hardcoding tokens is forbidden (RULE 0.8).

MCP server integration

The @keisei/mcp-server exposes the Rust primitive CLIs as MCP tools. The pattern is one Rust binary = one MCP tool, with the kei meta-tool on top that routes natural-language queries via kei-router.

Stdio mode (for Claude Code native integration):

npx @keisei/mcp-server --stdio

HTTP mode:

npx @keisei/mcp-server --port 3000 --auth-token-file ~/.claude/mcp-token

Verification

npm install
npm run build --workspaces
npm run test --workspaces

All six packages compile under strict: true. Total new LOC: see commit.

Migration notes

  • Zero impact on existing KeiSeiKit users unless they opt into the MCP server (planned v0.14.1 installer flag --enable-mcp).
  • The Rust primitives are unchanged; this layer only wraps them.
  • Gmail and YouTube adapters are new (gaps in LBM).