KeiSeiKit-1.0/_primitives/_rust/kei-mcp
KeiSei84 155d187699 refactor(kei-mcp): v0.46 — decompose safe_tools + fix CRITICAL Grok bypass
ARCHITECTURAL FIXES (Constructor Pattern — file >200 LOC):

1. safe_tools.rs (738 LOC god-object) → safe_tools/ module (5 files):
   - mod.rs       (99 LOC) — descriptors + dispatch
   - env_guard.rs (79 LOC) — KillPgGuard RAII + apply_safe_env
   - path_guard.rs (166 LOC) — validate_path + canonicalize walk-up
   - chain_runner.rs (159 LOC) — hook chain loader/runner
   - exec.rs (222 LOC) — handle_bash/edit/write with O_NOFOLLOW

2. CRITICAL Grok bypass closed (Claude critic finding):
   - REMOVED env-based chain skip (CLAUDECODE / GROKCODE checks)
   - The skip assumed native PreToolUse would catch the call, but
     PreToolUse matchers fire on tool_name="Bash"|"Edit"|"Write" while
     MCP tools are named kei_bash/kei_edit/kei_write — so native hooks
     NEVER fire on MCP tool calls. The skip created an auth-bypass hole.
   - Chain now ALWAYS runs for kei_bash/kei_edit/kei_write.
   - Wire scripts (kei-mcp-wire-claude.sh + -grok.sh) updated: empty
     env block + comment explaining v0.46 rationale.

3. Fail-closed defaults (architecturally correct, not bandaid):
   - validate_path: empty allowed_roots() → ERROR (was silent disable)
   - load_chain: missing/empty section → ERROR unless KEI_POLICY_CHAIN_OPTIONAL=1

4. RAII guard for process-group cleanup:
   - KillPgGuard fires killpg on ANY exit path (success, error, timeout,
     panic) until explicitly disarmed. Replaces error-path-only killpg.

5. validate_path moved off tokio worker via spawn_blocking — was blocking
   syscalls in async context.

VERIFIED:
- cargo build --release → clean
- cargo test -p kei-mcp --release → 2 passed
- MCP smoke: chain fires under CLAUDECODE=1, GROKCODE=1, and no env
  (all three previously skipped; all three now block kei_bash on
  forbidden git push patterns).
- Safe commands still pass (kei_bash echo HELLO → HELLO returned).

README: substrate counts refreshed (105→110 Rust crates, v0.45→v0.46).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 14:00:16 +08:00
src refactor(kei-mcp): v0.46 — decompose safe_tools + fix CRITICAL Grok bypass 2026-05-27 14:00:16 +08:00
tests feat(phase-C): cross-CLI hook enforcement + v0.40.0 release (#48) 2026-05-26 17:10:14 +07:00
Cargo.toml feat(v0.41): 5 audit fixes + doc + claude/grok perms (#49) 2026-05-26 18:52:40 +07:00
README.md KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
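As an added illustration of items 1 and 3 in the commit message above (example code written for this page, not kei-mcp's own path_guard.rs, which is not shown here): a fail-closed validate_path with a canonicalize walk-up for targets that do not exist yet. The function names follow the commit message; their exact behaviour in kei-mcp is assumed, and this version uses only the Rust standard library.

```rust
use std::ffi::OsString;
use std::io;
use std::path::{Path, PathBuf};

/// Resolve `p` to a real path even when its tail does not exist yet: walk up
/// to the nearest existing ancestor, canonicalize that (resolving symlinks and
/// `..`), then re-append the missing components. A `..` inside the missing
/// tail cannot be resolved safely, so it is rejected rather than guessed at.
pub fn canonicalize_walk_up(p: &Path) -> io::Result<PathBuf> {
    let mut base = p.to_path_buf();
    let mut missing: Vec<OsString> = Vec::new();
    while !base.exists() {
        // `file_name()` is None when the last component is `..`.
        let name = base.file_name().ok_or_else(|| {
            io::Error::new(io::ErrorKind::InvalidInput, "`..` in non-existent path segment")
        })?.to_os_string();
        missing.push(name);
        if !base.pop() {
            return Err(io::Error::new(io::ErrorKind::NotFound, "no existing ancestor"));
        }
    }
    let mut real = base.canonicalize()?;
    for name in missing.iter().rev() {
        real.push(name);
    }
    Ok(real)
}

/// Fail-closed path check: no configured roots means *nothing* is allowed,
/// rather than silently disabling the check. Returns the canonical path so the
/// caller operates on the resolved path, not the caller-supplied one.
pub fn validate_path(candidate: &Path, allowed_roots: &[PathBuf]) -> io::Result<PathBuf> {
    if allowed_roots.is_empty() {
        return Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            "no allowed roots configured; refusing all paths (fail closed)",
        ));
    }
    let real = canonicalize_walk_up(candidate)?;
    for root in allowed_roots {
        // Canonicalize the root too, so a symlinked root still compares correctly.
        if real.starts_with(root.canonicalize()?) {
            return Ok(real);
        }
    }
    Err(io::Error::new(
        io::ErrorKind::PermissionDenied,
        format!("{} resolves outside every allowed root", real.display()),
    ))
}
```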

kei-mcp — Model Context Protocol server

kei-mcp exposes the KeiSeiKit atom registry over the Model Context Protocol so MCP-aware clients (Claude Code, Cline, OpenClaw, etc.) can discover and call our 13 atoms + N primitives as MCP tools, and read our skills as MCP resources.

What you get

  • Tools — every atom in _primitives/_rust/*/atoms/*.md becomes one MCP tool. The tool name is the atom's full id (<crate>::<verb>), the description is the first paragraph of the atom's body, and the input schema is the JSON Schema referenced by the atom's frontmatter.
  • Resources — every skills/<name>/SKILL.md becomes one MCP resource at skill://<name> returning the SKILL.md text on read.
  • Prompts — placeholder list (empty) for now.

Wire format

JSON-RPC 2.0 over stdio, line-delimited (one request per line, one response per line). stdout carries protocol frames ONLY; everything else (diagnostics, warnings) goes to stderr.

Supported methods: initialize, tools/list, tools/call, resources/list, resources/read, prompts/list, prompts/get.

Build

cargo build -p kei-mcp --release
# binary: target/release/kei-mcp

Configuration (env)

Variable             Default            What it does
-------------------  -----------------  -----------------------------------------------------------
KEI_MCP_ATOMS_ROOT   _primitives/_rust  Where to walk for <crate>/atoms/*.md
KEI_MCP_SKILLS_ROOT  skills             Where to walk for <name>/SKILL.md
KEI_RUNTIME_BIN_DIR  (unset)            Resolve <crate> binaries here before falling back to $PATH

Register with Claude Code

Add to ~/.claude/mcp_servers.json:

{
  "kei": {
    "command": "/absolute/path/to/kei-mcp",
    "args": [],
    "env": {
      "KEI_MCP_ATOMS_ROOT": "/absolute/path/to/KeiSeiKit/_primitives/_rust",
      "KEI_MCP_SKILLS_ROOT": "/absolute/path/to/KeiSeiKit/skills",
      "KEI_RUNTIME_BIN_DIR": "/absolute/path/to/KeiSeiKit/_primitives/_rust/target/release"
    }
  }
}

Register with Cline

Edit Cline's cline_mcp_settings.json (open via Cline: Edit MCP Settings from the command palette):

{
  "mcpServers": {
    "kei": {
      "command": "/absolute/path/to/kei-mcp",
      "args": [],
      "env": {
        "KEI_MCP_ATOMS_ROOT": "/absolute/path/to/KeiSeiKit/_primitives/_rust",
        "KEI_MCP_SKILLS_ROOT": "/absolute/path/to/KeiSeiKit/skills"
      }
    }
  }
}

Register with OpenClaw

Add to ~/.openclaw/mcp.json:

{
  "servers": {
    "kei": {
      "command": "/absolute/path/to/kei-mcp",
      "args": [],
      "env": {
        "KEI_MCP_ATOMS_ROOT": "/absolute/path/to/KeiSeiKit/_primitives/_rust",
        "KEI_MCP_SKILLS_ROOT": "/absolute/path/to/KeiSeiKit/skills"
      }
    }
  }
}

Manual smoke test

echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05"}}' \
  | ./kei-mcp

You should see one line of JSON on stdout containing serverInfo.name: "kei-mcp".