KeiSei84
4e5e6bd2c0
Closes the "hooks only fire on Claude" gap. Phase C extends KeiSeiKit safety
enforcement (no-github-push, safety-guard, destructive-guard, citation-verify,
numeric-claims-guard) to any MCP-capable LLM CLI through a 3-tier honesty model.
## 3-tier model
TIER 1 (full native): claude (existing), grok (port hooks to grok settings.json)
TIER 2 (MCP-wrapped): copilot (--excluded-tools=shell + force kei_bash via MCP)
TIER 3 (advisory): agy + kimi (cannot disable native shell; prompt-level only)
## Design (Constructor Pattern)
1. hooks/_lib/policy-chain.toml — SSoT: which hooks gate which tool (bash/edit/write)
2. _primitives/_rust/kei-mcp/src/handlers/safe_tools.rs — new module, 3 built-in
MCP tools that synthesize Claude PreToolUse JSON, run hook chain, abort on
exit-2, exec on all-pass. Same input contract → hooks reused as-is, no rewrite.
3. tools.rs short-circuit: kei_bash/kei_edit/kei_write dispatched before atom layer
4. 6 wire scripts: orchestrator + one per CLI (Constructor Pattern, no mixin)
5. bin/kei mcp-wire arm
6. docs/encyclopedia/cross-cli-policy.md — honest 3-tier matrix + verification
## Double-enforcement guard
If kei-mcp invoked from a process with $CLAUDECODE=1 or $GROKCODE=1, the chain
SKIPS — native hooks already fired. Wire scripts set these env vars in the
MCP server registration for claude/grok respectively. On copilot/agy/kimi the
env is unset → chain runs.
## Smoke (verified live)
Block: kei_bash{command: forbidden-push-pattern}
→ JSON-RPC error -32603 with full "BLOCK — RULE 0.1 NO GITHUB PUSH" stderr ✓
Pass: kei_bash{command: "echo HELLO-FROM-KEI-BASH"}
→ result.content[0].text = "HELLO-FROM-KEI-BASH" ✓
tools/list: 4 built-ins present (spawn_agent + kei_bash + kei_edit + kei_write) ✓
## Tests
kei-mcp: 3/3 (tools_list assertions updated for atoms+4 built-ins).
Build clean with toml = "0.8" dep added.
## Out of scope (deferred)
- Codex CLI wiring (not installed locally)
- ACP middleware proxy (transport, not middleware — ruled out at research)
- Container/firejail sandboxing for agy/kimi (heavy; documented limit instead)
- Native Rust PatternGate migration (optimization, separate phase)
5.9 KiB
Cross-CLI policy enforcement
Same safety rules. Any LLM CLI. Three honesty tiers.
KeiSeiKit's safety hooks (no-github-push, safety-guard, destructive-guard,
citation-verify, numeric-claims-guard) originally fired only inside Claude
Code's PreToolUse pipeline. Phase C extends enforcement to other CLIs —
but the strength of enforcement depends on what each CLI permits.
The 3-tier honesty model
| Tier | What it means | CLIs |
|---|---|---|
| TIER 1 — full native | Tool-call enforcement at the CLI's own hook layer. Same as Claude. | claude, grok |
| TIER 2 — MCP-wrapped | Native shell disabled at launch; agent forced to use our policy-gated kei_bash/kei_edit/kei_write MCP tools. |
copilot |
| TIER 3 — advisory | CLI can't disable native shell; we register kei-mcp and instruct the agent to prefer kei_* tools, but enforcement is prompt-level only. |
agy, kimi |
For patent-sensitive or production-PR work — stick to TIER 1 (claude or grok).
How to wire
One command sets up enforcement for whichever CLIs you have installed:
kei mcp-wire # detect + wire all installed CLIs
kei mcp-wire grok # wire one CLI
kei mcp-wire --dry-run # preview config changes without writing
kei mcp-wire --list # show enforcement tier per CLI
The orchestrator is idempotent — running twice produces the same config.
What kei mcp-wire writes
claude (TIER 1 — already enforced)
No-op. Native PreToolUse hooks already gate every tool call. kei mcp-wire claude
prints the optional mcpServers snippet you can add to
~/.claude/settings.json if you want claude to also see spawn_agent for
sub-agent dispatch.
grok (TIER 1 — port our hooks)
Writes ~/.grok/settings.json hooks.PreToolUse block:
Bashmatcher →no-github-push.sh+safety-guard.sh+destructive-guard.shEditmatcher →citation-verify.sh+numeric-claims-guard.shWritematcher →citation-verify.sh+numeric-claims-guard.sh
Plus registers kei-mcp with GROKCODE=1 env (so kei-mcp's policy chain skips
duplicate enforcement when invoked via Grok — your native hooks already fired).
xAI's Grok uses the same JSON input contract as Claude Code's PreToolUse, so our hook scripts run unchanged. Identical enforcement to claude.
copilot (TIER 2 — disable native shell, force MCP)
Writes ~/.copilot/mcp-config.json registering kei-mcp. To activate enforcement,
launch copilot with --excluded-tools='shell':
alias copilot='copilot --excluded-tools=shell'
The agent will have NO native shell tool, only kei-mcp's kei_bash —
which runs the policy chain before execution. kei_edit / kei_write
similarly gate file mutations.
agy / kimi (TIER 3 — advisory)
Writes their MCP config (~/.gemini/config/mcp_config.json for agy,
~/.kimi/mcp.json for kimi) registering kei-mcp.
The honest part: these CLIs do NOT have a way to disable their native
shell. The agent CAN reach for native bash regardless of what we tell it.
The system prompt nudges it toward kei_bash, but a determined or careless
agent can bypass.
For patent-sensitive work — don't use agy or kimi as orchestrator. Use them for analysis / brainstorming / no-side-effect tasks only.
Internals
policy-chain.toml (SSoT)
One file declares which hooks gate which tool, for all CLIs that go through the MCP layer:
# ~/.claude/hooks/_lib/policy-chain.toml
[bash]
chain = ["no-github-push.sh", "safety-guard.sh", "destructive-guard.sh"]
[edit]
chain = ["citation-verify.sh", "numeric-claims-guard.sh"]
[write]
chain = ["citation-verify.sh", "numeric-claims-guard.sh"]
To add a hook: append its basename. The hook script must already exist in
~/.claude/hooks/ and follow the standard PreToolUse contract (read JSON
on stdin with .tool_name + .tool_input, return exit 0 = pass / 2 = block).
kei-mcp built-in tools
kei-mcp (Rust MCP server at _primitives/_rust/kei-mcp/) exposes four
built-in tools that bypass atom discovery:
spawn_agent(name, task, on?)— invokes a KeiSeiKit agent on any backendkei_bash(command, cwd?)— runs[bash]chain → executeskei_edit(file_path, old_string, new_string)— runs[edit]chain → editskei_write(file_path, content)— runs[write]chain → writes
The chain runs against the same hook scripts Claude uses; identical input shape, identical decisions. On block, the hook's stderr surfaces as the MCP error message so the calling agent sees exactly why.
Double-enforcement guard
If kei-mcp is invoked from a process where $CLAUDECODE=1 or $GROKCODE=1,
it SKIPS its hook chain — the CLI's native hooks already fired. This is set
automatically by kei mcp-wire claude / kei mcp-wire grok. On copilot /
agy / kimi the env is unset → chain runs.
Verification
# All 4 built-ins must list:
echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}' \
| kei-mcp | jq -r '.result.capabilities'
# Block test (kei_bash refuses forbidden command):
echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05"}}
{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"kei_bash","arguments":{"command":"git push https://github.com/x/y.git main"}}}' \
| kei-mcp 2>&1 | grep "RULE 0.1" # expects: BLOCK — RULE 0.1 NO GITHUB PUSH
# Pass test:
echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05"}}
{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"kei_bash","arguments":{"command":"echo OK"}}}' \
| kei-mcp | tail -1 | jq -r '.result.content[0].text' # expects: OK
Related
- Multi-CLI agent invocation — DNA-resolved agent dispatch
kei-mcpsource:_primitives/_rust/kei-mcp/src/handlers/safe_tools.rs- Policy SSoT:
hooks/_lib/policy-chain.toml - Wire scripts:
scripts/kei-mcp-wire*.sh