keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KeiSeiKit-1.0/CHANGELOG.md
Parfii-bot ca046e61c1 fix(v0.19.1): supply-chain hardening remainder — ci.yml SHA-pin + dependabot + bun.lock placeholder 
Follow-up to c27b626 (release.yml pinning). Finishes H4 + H5.

ci.yml:
  - 11 third-party actions SHA-pinned with # vN.m.k comments
  - actions/checkout@34e114876b... (v4.3.1)
  - actions/setup-node@49933ea5288... (v4.4.0)
  - dtolnay/rust-toolchain@3c5f7ea28... (rust 1.94.1)
  - Swatinem/rust-cache@c19371144... (v2.9.1)

.github/dependabot.yml (NEW):
  - 3 ecosystems weekly: github-actions, npm, cargo
  - PR cap 5, labels [dependencies, <ecosystem>]
  - Auto-opens update PRs for SHA bumps — human reviews, not silent churn

_ts_packages/packages/mcp-server/bun.lock (NEW — placeholder):
  - 13-line comment explaining H4 gate
  - Instructs: 'cd _ts_packages/packages/mcp-server && bun install' before release
  - release.yml (since v0.19.1) uses --frozen-lockfile with NO fallback —
    missing real lockfile fails the build deliberately

BUILD.md:
  - New 'Lockfile' section (19 LOC) documenting the pre-release workflow

CHANGELOG.md:
  - [Unreleased] → Security: 3 bullets covering this + prior supply-chain commit

All SHAs E1 (verified via api.github.com or reused from release.yml).

NEXT STEP BEFORE TAGGING v0.19.1:
  Populate real bun.lock locally, commit, then tag. Workflow will fail
  on missing/stale lockfile — that's the point of H4 defense.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 17:12:15 +08:00

9.6 KiB
Raw Blame History

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Entries are generated from the git history via _primitives/_rust/kei-changelog (a conventional-commits walker). Regenerate a single version block with, e.g.:

_primitives/_rust/target/release/kei-changelog \
  --from v0.14.2 --to v0.15.0 --version v0.15.0 --update CHANGELOG.md

Unreleased

Work in flight on feat/v0.16-changelog-gen and follow-up branches. Only placeholders — no corresponding commits exist yet. Any line that ships must be replaced with the real commit summary before release.

Added

  • primitives: keisei CLI MVP — attach <brain-path> + status subcommands for mounting a portable exobrain directory into Claude Code. First step of the v0.18 exobrain architecture (multi-client adapter surface prepared; only claude-code adapter ships in MVP).
  • primitives (v0.19 — multi-client exobrain):
    • keisei mount <brain-path> — attach a brain to EVERY detected AI client in one shot (Claude Code + Cursor + Continue + Zed).
    • keisei detach — remove the brain from every client recorded in the marker, preserving user's other MCP/context-server entries.
    • keisei list-adapters — tabular dump of every registered adapter and whether it's detected on this host.
    • 3 new ClientAdapter implementations: cursor (.cursor/mcp.json project-local or ~/.cursor/mcp.json global), continue (~/.continue/config.{yaml,json} — YAML preferred, JSON fallback), zed (~/Library/Application Support/Zed/settings.json on macOS or ~/.config/zed/settings.json on Linux, under context_servers).
    • keisei-attached.toml schema v2 — carries a list of [[attachments]] (client_type + config_path) instead of a single client_type. v1 markers read transparently (auto-migrated in memory).
    • New error variants: AdapterFailed { client, reason } and ConfigParseError { path, reason }.
  • Placeholder: CHANGELOG.md generation wired through kei-changelog (this file).
  • Placeholder: .github/workflows/release.yml — tag-driven multi-platform release.
  • Placeholder: pre-built-binary install path in install.sh (KEI_SKIP_RUST_BUILD=1).
  • added: kei-mcp-server single-binary compile for 5 platforms (linux/darwin/windows × x64/arm64 where available) via bun build --compile — v0.18 Phase 1 of the exobrain distribution architecture. Ships as bare binaries + .sha256 sums on every GitHub release; install.sh detects a dropped binary at _primitives/_rust/target/release/kei-mcp-server-<os>-<arch> and skips bun/npm build. Opt-out via KEI_SKIP_MCP_BUILD=1. See _ts_packages/packages/mcp-server/BUILD.md.

Changed

  • Placeholder: plugin / block format refresh targeted for v0.16.0.

Fixed

  • Placeholder: hook-bypass edge case follow-up to v0.15.1.
  • primitives/keisei (v0.19 audit hardening): close 3 Security HIGH + 3 Critic HIGH + 2 Critic MEDIUM findings. Path-escape guard on mcp_server + memory/artifacts/manifests (absolute / .. / canonical-mismatch → PathEscape); brain-name regex ^[a-z][a-z0-9_-]{0,63}$ (InvalidName); symlink-rooted brain inputs rejected (BrainIsSymlink — closes USB → $HOME pivot); MCP-entry collision check across all 4 adapters (NameConflict instead of silent clobber); dropped unused rusqlite dep (no C toolchain tail); BrainPaths.{memory,artifacts,manifests} relaxed to Option<String>; $KEISEI_HOME/$HOME resolver deduped into paths.rs SSoT; fsx::write_atomic rewritten on tempfile::NamedTempFile for Windows + cross-fs correctness; 5 adversarial integration tests added (16 total pass).

Security

  • Pinned all GitHub Actions (ci.yml, release.yml) by full commit SHA to defend against CVE-2025-30066-class supply-chain attacks via mutable tag re-pointing.
  • Removed || bun install fallback from release.yml build-mcp-binary job — lockfile is now strictly REQUIRED (H4 audit finding).
  • Added .github/dependabot.yml for weekly SHA update PRs on github-actions, npm, and cargo ecosystems.

0.15.0 — 2026-04-22

Added

  • primitives: kei-artifact typed handoff pipeline (BMAD-style doc passthrough) (3f303b7)
  • blocks: 5 cognitive mode blocks + 2 manifest wirings (fdfc690)

0.14.2 — 2026-04-22

Added

  • hooks: runtime controls via KEI_DISABLED_HOOKS + KEI_HOOK_PROFILE (v0.14.2) (1a448e8)

Removed

  • genesis-scan from public kit (internal tool, Bundle-only) (268226b)

0.14.1 — 2026-04-22

Added

  • ci: GitHub Actions workflows + .claude/worktrees gitignore (407e8b7)

Changed

  • readme + install: reconcile all count drift (F4 RELEASE BLOCKER) (0199fd4)
  • rust: misc schema/main refactor in 8 crates (assorted CP splits) (61448b9)
  • mock-render: split main.rs 227 LOC into 4 cubes (F5a Constructor Pattern) (ad5977d)

Fixed

  • kei-auth: remove --key CLI flag (F12 HIGH — /proc/cmdline leak) (b449587)
  • kei-refactor-engine: retract 'git apply-ready' claim (F1 RELEASE BLOCKER) (f50ef43)
  • kei-store: path-traversal guard (F2 RELEASE BLOCKER) + S3 stub gate (F7) + GitHub RULE 0.1 guard (F8) (ad9c53f)

0.14.0 — 2026-04-22

Added

  • primitives: 10 Rust crates extracted from LBM (Genesis-scrubbed) (a5e6649)
  • ts-packages: 6 TS packages — MCP server + 5 external-API adapters (7b647d5)

Changed

  • rust-core: Constructor-Pattern splits in kei-router + kei-auth (afed921)

0.13.0 — 2026-04-22

Added

  • integration: deep-sleep wired into MANIFEST + sleep-setup Phase 3b + README (bcd80f6)
  • primitives: 4 Rust crates for deep-sleep — conflict-scan, refactor-engine, graph-check, store (0f75493)
  • skills: /onboard auto-project-analyze with 3-mode apply (full-auto / step-by-step / full-manual) (1396139)

Changed

  • readme: "Why Rust, not Python" paragraph in author note (92c918a)
  • readme: clarify "my sample, not claim of originality" in author note (47d2448)
  • readme: add "double sorry" disclaimer in author note (3d5d768)
  • readme: move "From the author" to opening, expand with transformer-error context (fd67315)
  • readme: add "From the author" note (b103c3d)

0.12.0 — 2026-04-22

Added

  • integration: Phase A incubation wired into trigger + install + README (d72de64)
  • skills: /sleep-on-it 6-phase wizard + kei-sleep-queue CRUD + incubation prompt (30df6cb)

0.11.0 — 2026-04-22

Added

  • integration: --with-sleep-sync flag + README Cloud REM sync section (1dd05c6)
  • skills: /sleep-setup 5-phase wizard (click + 1 free-text URL) (b658f81)
  • hooks: session-end-dump calls kei-sleep-sync after ingest (1ab39d5)
  • primitives: kei-sleep-setup wizard + kei-sleep-sync helper + trigger template (4fdaab6)

0.10.0 — 2026-04-22

Added

  • integration: register genesis-scan in MANIFEST core+full + README + install.sh sizing (93ba0a0)
  • hooks: git-pre-commit-genesis — template for repo symlink into .git/hooks/pre-commit (670af3f)
  • primitives: genesis-scan Rust — patent-IP leak detector (CI / pre-commit) (5db8548)
  • integration: wire kei-memory into MANIFEST + settings-snippet + README for v0.10 (0b5da5a)
  • skills: /self-audit 5-phase triage pipeline (334a867)
  • hooks: 3 self-audit triggers — stop / milestone / error-spike (a5c3896)
  • primitives: kei-memory Rust crate — offline session analyzer (Genesis-clean) (448fc07)

0.9.1 — 2026-04-21

Added

  • install: interactive menu (whiptail / dialog / plain) + confirm screen + --yes / --no-execute (4809269)

0.9.0 — 2026-04-21

Added

  • install: modular profiles + --add / --remove / --list incremental install (b1b8de0)
  • primitives: MANIFEST.toml — SSoT for 21 primitives + 6 profiles (764a999)

Changed

  • readme: install profiles table + migration note for v0.9.0 (47931a3)

BREAKING: default install profile is now minimal (was full). Re-run with --profile=full to preserve prior behaviour.

0.8.0 — 2026-04-21

Added

  • install: copy _primitives/ + build Rust workspace; register agent-fork-logger + site-wysiwyd hooks (b0d9389)
  • hooks: site-wysiwyd-check PostToolUse(Edit | Write) drift advisory (c2041b4)
  • skills: /site-create pipeline (phases 04 — phases 56 deferred) (839ae57)

Changed

  • compose-solution: prior-art grep paths + phase-5 cross-refs for 10 pipelines + 21 primitives (f664cbc)
  • readme: v0.8.0 — 73 blocks / 34 skills / 21 primitives / 6 hooks / 11 bridges + pipelines section (ed7d566)