History

Parfii-bot ca99f78f66 fix(release): path-scoped npmrc + hard-fail publish (v0.14.3 retry) v0.14.2 publish run reported "success" but @keisei/mcp-server NEVER landed on keigit because: 1. Host-scoped `.npmrc` token (`//keigit.com/:_authToken=...`) was silently ignored by npm 10 — every publish errored with ENEEDAUTH. 2. The publish loop's `\|\| echo ":⚠️:"` swallowed the failure so the job exited 0 (W1+W3 finding F3). Two fixes in one commit: A) Path-scoped npmrc per Forgejo docs: `//keigit.com/api/packages/keisei/npm/:_authToken=${KEIGIT_TOKEN}` + `always-auth=true` for scoped registry. Also tee'd to $HOME/.npmrc so the publish loop's `cd packages/<pkg>` cwd doesn't lose the auth line. [VERIFIED: curl PUT with Bearer to /api/packages/keisei/npm/ returns 400 "package is invalid" (auth ACCEPTED, payload bad) — auth format is correct] B) Hard-fail publish loop for packages with publishConfig: - Iterate all packages - For each: read .publishConfig presence - If publish errors AND has publishConfig → record gated_failed=1 - If publish errors AND no publishConfig → notice "skipped" (adapter without registry pin reached npm.org default, expected fail) - End of loop: exit 1 if any gated_failed - Adapters without publishConfig (gmail/grok/recall/telegram/youtube) correctly skip; only @keisei/mcp-server is gated, and a real failure now blocks the job. Bump 0.14.2 → 0.14.3 (0.14.2 tag exists with previous failed publish). Verification done locally: - PAT owner Parfionovich is member of org keisei [REAL: api/v1/user + api/v1/users/Parfionovich/orgs] - Bearer auth to keigit npm registry works [REAL: curl probe → 400 "package invalid", not 401 "unauthorized"] - Cargo workspace clean [REAL: cargo check exit 0] After tag v0.14.3: - npm-publish job creates .npmrc with path-scoped auth - Publishes @keisei/mcp-server@0.14.3 to https://keigit.com/api/packages/keisei/npm/ - Adapters skip cleanly (no publishConfig, no NPM_TOKEN) - Job exits 0 only if mcp-server actually landed Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>		2026-05-03 23:48:07 +08:00
..
packages	fix(release): path-scoped npmrc + hard-fail publish (v0.14.3 retry)	2026-05-03 23:48:07 +08:00
.gitignore	KeiSeiKit-public — clean state	2026-05-01 12:09:03 +08:00
bun.lock	KeiSeiKit-public — clean state	2026-05-01 12:09:03 +08:00
package-lock.json	fix(release): path-scoped npmrc + hard-fail publish (v0.14.3 retry)	2026-05-03 23:48:07 +08:00
package.json	chore: author email + Cargo metadata SSoT (parfionovich@keilab.io)	2026-05-03 13:55:28 +08:00
README.md	Revert "feat(mcp-server): production-ready publish path via GitHub Packages"	2026-05-03 18:04:00 +08:00
tsconfig.base.json	KeiSeiKit-public — clean state	2026-05-01 12:09:03 +08:00

README.md

KeiSeiKit TypeScript Packages

v0.14.0 part B: MCP server layer + external-API adapters.

RULE 0.2 exception

TypeScript is chosen here under RULE 0.2 exception #4 (Browser/DOM adjacent) because:

The official Model Context Protocol SDK is TypeScript-native; Rust MCP libraries are immature (as of 2026-04).
The API adapters rely on JS-native SDKs with no Rust equivalents:
- grammy (type-safe Telegram bot)
- googleapis (official Google API SDK for Gmail + YouTube)
- youtube-transcript (Tier-1 free transcript extractor)
Async, JSON-heavy glue code is TypeScript's sweet spot.

Core primitives (signing, ledger, graph, memory, refactor, etc.) remain Rust in ../_primitives/_rust/. This TS layer is a THIN wrapper: it spawns the Rust CLIs as subprocesses and exposes them as MCP tools, plus the six adapters above that have no Rust equivalent.

Layout

_ts_packages/
├── package.json              npm workspace root
├── tsconfig.base.json        strict TS 5.x
└── packages/
    ├── mcp-server/           @keisei/mcp-server
    ├── telegram-adapter/     @keisei/telegram-adapter
    ├── recall-adapter/       @keisei/recall-adapter  (Zoom via Recall.ai)
    ├── grok-adapter/         @keisei/grok-adapter    (xAI)
    ├── gmail-adapter/        @keisei/gmail-adapter
    └── youtube-adapter/      @keisei/youtube-adapter

Install (for end users)

1. Install workspace deps

cd _ts_packages
npm install
npm run build

2. Link each package as a global CLI (optional)

npm i -g ./packages/mcp-server
npm i -g ./packages/telegram-adapter
# ... etc

Or install into a Claude agent directory:

npm i --prefix ~/.claude/agents/_ts_packages/packages/mcp-server \
      ./_ts_packages/packages/mcp-server

Environment variables (RULE 0.8 — secrets in `~/.claude/secrets/.env`)

Var	Package	Purpose
`TELEGRAM_BOT_TOKEN`	telegram-adapter	Bot API token
`RECALL_API_KEY`	recall-adapter	Recall.ai API key (Zoom meetings)
`XAI_API_KEY`	grok-adapter	xAI Grok API key
`GMAIL_CLIENT_ID`	gmail-adapter	Google OAuth2 client id
`GMAIL_CLIENT_SECRET`	gmail-adapter	Google OAuth2 client secret
`GMAIL_REFRESH_TOKEN`	gmail-adapter	Long-lived OAuth2 refresh token
`YOUTUBE_API_KEY`	youtube-adapter	YouTube Data API v3 key
`KEI_MCP_AUTH_TOKEN`	mcp-server	HMAC token for tool callers
`KEI_RUST_BIN_DIR`	mcp-server	Override directory holding Rust primitive CLIs

All are read via process.env. Hardcoding tokens is forbidden (RULE 0.8).

MCP server integration

The @keisei/mcp-server exposes the Rust primitive CLIs as MCP tools. The pattern is one Rust binary = one MCP tool, with the kei meta-tool on top that routes natural-language queries via kei-router.

Stdio mode (for Claude Code native integration):

npx @keisei/mcp-server --stdio

HTTP mode:

npx @keisei/mcp-server --port 3000 --auth-token-file ~/.claude/mcp-token

Verification

npm install
npm run build --workspaces
npm run test --workspaces

All six packages compile under strict: true. Total new LOC: see commit.

Migration notes

Zero impact on existing KeiSeiKit users unless they opt into the MCP server (planned v0.14.1 installer flag --enable-mcp).
The Rust primitives are unchanged; this layer only wraps them.
Gmail and YouTube adapters are new (gaps in LBM).