9aa29aca15
Group C — kei-cortex daemon security hardening (post-audit 2026-05-02).
- fal_ssrf.rs (new): validate_fal_url whitelist (fal.ai/.media/.run only).
Applied to upload_url, file_url, status_url, images[0].url,
and download_image. Closes SSRF where compromised fal response
could direct daemon to fetch IMDSv1 (169.254.169.254) and
stream cloud creds.
- fal_pipeline.rs (new): HTTP step functions extracted from fal.rs; fal.rs trimmed
to thin orchestrator (101 LOC, was over 200 LOC limit).
- auth.rs: save_token now writes to <path>.<nanos>.tmp + sync_all + rename. Was
non-atomic OpenOptions truncate+write — crash mid-write produced empty
token file -> bootstrap rotated -> stale clients locked out.
- routes.rs + routes_auth.rs (new): explicit DefaultBodyLimit per route — chat 256 KiB,
tool/apply 11 MiB, pet/interaction 64 KiB, tts 32 KiB.
Bearer auth middleware extracted to routes_auth.
- handlers/chat.rs: validate_body enforces MAX_MESSAGE_CHARS = 50_000. Closed cost
amplification where 1.99 MiB chat message billed 500K tokens
($1.50/turn at Sonnet pricing) on every send.
- anthropic_sse.rs: SseParser MAX_BUF = 1 MiB cap; was unbounded — peer streaming
1 GB without \\n\\n would OOM daemon.
- http_helpers.rs (new): HTTP_CLIENT: Lazy<reqwest::Client> shared across handlers
(was per-request Client::new() => 100-300ms TLS handshake
per chat turn, no HTTP/2 multiplexing, fd leak risk on
macOS TIME_WAIT).
- http_helpers.rs::read_capped: per-response body cap (16 KiB error / 64 MiB success).
Applied to anthropic, anthropic_invoker, elevenlabs,
fal_pipeline. Closed unbounded resp.text() / .bytes()
pattern that compromised upstream could exploit.
Test results: 462 passed; 0 failed (single-threaded). cargo check clean.
2 pre-existing port-binding flakes in openai_loop_wiring tests are unrelated.
Findings consensus: fal SSRF + body-size + bearer-token-atomicity appeared in
Wave-A retest; chat message cap + SSE buf cap appeared in Wave-A only. Would have
been missed by single audit pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|---|---|---|
| .. | ||
| _rust | ||
| templates | ||
| design-scrape.sh | ||
| figma-tokens.sh | ||
| frontend-inspect.sh | ||
| harden-base.sh | ||
| kei-ci-lint.sh | ||
| kei-docs-scaffold.sh | ||
| kei-doctor.sh | ||
| kei-sleep-queue.sh | ||
| kei-sleep-setup.sh | ||
| kei-sleep-sync.sh | ||
| live-preview.sh | ||
| log-ship.sh | ||
| MANIFEST.toml | ||
| metrics-scrape.sh | ||
| provision-hetzner.sh | ||
| provision-vultr.sh | ||
| README.md | ||
| screenshot-decode.sh | ||
| tomd.sh | ||
_primitives — first-class building blocks
_primitives/ holds standalone utilities that agents, hooks, and skills
(including /compose-solution) depend on. Unlike _blocks/ (behavioral
markdown) or _manifests/ (agent TOML), primitives are executable shell
programs installed at $HOME/.claude/agents/_primitives/ by install.sh.
Current primitives
| Primitive | Purpose | Invocation |
|---|---|---|
tomd.sh |
Universal non-native-format → markdown converter (PDF, DOCX, XLSX, PPTX, CSV, images, code). | ~/.claude/agents/_primitives/tomd.sh <file> |
tomd.sh is a first-class primitive. Universal non-native-format →
markdown converter with configurable cache directory
(KEISEI_TOMD_CACHE) and KeiSeiKit-style error tags ([tomd]).
Hook integration
hooks/tomd-preread.sh is a PreToolUse(Read) hook that auto-redirects
Claude to the converted markdown when a Read targets .docx / .doc / .xlsx / .pptx / .csv. Cached under $KEISEI_TOMD_CACHE (default
/tmp/keisei-tomd-cache).
/compose-solution discovery
Phase 3 prior-art sweep greps _primitives/ alongside _blocks/,
_manifests/, skills/, _bridges/, hooks/. If a user task involves
file-format parsing, the meta-composer surfaces tomd automatically —
reuse over rewrite (RULE "No Patching").