PATENT-LEAK (HIGH):
- hooks/no-python-without-approval.sh: genesis-verify example → my-project
- docs/encyclopedia/rust-crates-H-N.md: removed the term "Genesis IP, ITAR"
PATENT-LEAK (MEDIUM):
- CHANGELOG: project-vortex → reduced scope
- _blocks/registries (submodule bump): removed the names of private
project-specialists from the comment in agent-profiles.toml
- docs/encyclopedia/skills-and-agents.md: ML/RL/CfC → ML/RL
CLASSICAL-SAFETY (MEDIUM):
- install/lib-preflight.sh: eval "$version_cmd" → bash -c "..."
(protection against injection if providers.toml gets extended)
- _primitives/provision-{vultr,hetzner}.sh: /tmp/$$ → mktemp
(eliminates the symlink TOCTOU race)
- web-install.sh: chmod 600 + umask 077 on ~/.keisei-install.log
(Forgejo admin creds + tokens in the log)
- scripts/regen-counts.sh: eval "$1" → bash -c
NOT FIXED (require user action):
- HIGH: the @keisei scope is not registered on npmjs.org — typosquatting
is possible until NPM_TOKEN is set and a publish is done
- HIGH: install.keisei.app DNS is not configured — DNS hijack is possible
- LOW: parfionovich@keilab.io in SECURITY.md, plugin.json, ~40 Cargo
files — intentional contact, left in place
The local git author is set to parfionovich@keilab.io instead of
parfionovichd@icloud.com (only for future commits in this repo).
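The `/tmp/$$` → `mktemp` and `umask 077` + `chmod 600` fixes named in the commit message above, as an added shell example that is not code from this repository. The function names, the `provision.` prefix and the sandbox paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the repository. Function names, the
# "provision." prefix and all paths are hypothetical.

# Weak pattern: the name is predictable from the PID, so whatever already
# sits at that path (including a symlink) is what the redirect opens.
write_predictable() {   # $1 = temp dir, $2 = data
  printf '%s\n' "$2" > "$1/provision.$$"
}

# Hardened pattern: mktemp chooses a random name and creates the file
# exclusively with mode 0600, so a pre-existing link is never followed.
write_mktemp() {        # $1 = temp dir, $2 = data; prints the new path
  local f
  f=$(mktemp "$1/provision.XXXXXXXXXX") || return 1
  printf '%s\n' "$2" > "$f"
  printf '%s\n' "$f"
}

# Log that will contain credentials: restrict the umask before creation,
# then chmod in case the file already existed with a wider mode.
open_private_log() {    # $1 = log path
  ( umask 077; : >> "$1" ) && chmod 600 "$1"
}

# Octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Constructed sandbox: a stale symlink at the predictable path stands in
# for the race; "target" is the file it points at.
demo() {
  local sb; sb=$(mktemp -d) || return 1
  printf 'original\n' > "$sb/target"
  ln -s "$sb/target" "$sb/provision.$$"
  write_predictable "$sb" "temp data"
  echo "predictable: target now contains '$(cat "$sb/target")'"
  printf 'original\n' > "$sb/target"
  local f; f=$(write_mktemp "$sb" "temp data")
  echo "mktemp:      target still contains '$(cat "$sb/target")'"
  open_private_log "$sb/install.log"
  echo "modes: temp=$(file_mode "$f") log=$(file_mode "$sb/install.log")"
  rm -rf "$sb"
}
demo
```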
_blocks/ — Composable Agent Content
Each .md file in this directory is a block: a single-concern, standalone-readable snippet that any agent manifest can include via its blocks = [...] list. The _assembler concatenates selected blocks + manifest metadata into the final agent .md that Claude Code loads.
Blocks are grouped by prefix:
| Prefix | Purpose |
|---|---|
| baseline, evidence-grading, memory-protocol | Obligatory base — every manifest must include these |
| rule-* | Discipline rules (pre-dev-gate, test-first, error-budget, double-audit, math-first) |
| mode-* | Cognitive mode blocks (see below) |
| stack-* | Language / framework constraints (Rust Axum, React Vite, Swift SPM, …) |
| deploy-* | Deployment target rules (Modal, AWS EC2, Cloudflare, Hetzner, …) |
| api-* | External API conventions (Apify, fal.ai, ElevenLabs, Anthropic, …) |
| db-* | Database rules (Postgres, SQLite, Drizzle, sqlx, migrations) |
| auth-*, security-*, obs-*, ci-*, test-*, scraper-*, domain-*, docs-* | Domain-specific rules |
Cognitive mode blocks
Composable behavioural skews. Add any combination to a manifest's blocks list to stack the mode. Modes compose — e.g. mode-skeptic + mode-minimalist yields an adversarial pruner.
| Block | Purpose |
|---|---|
| mode-skeptic.md | Doubt the conclusion until proved; flag claims without E1/E2 grade |
| mode-devils-advocate.md | Steel-man the opposite; name the strongest objection before agreeing |
| mode-minimalist.md | Prefer deleting over adding; justify every addition against existing code |
| mode-maximalist.md | Explore 10× scope; return both maximum and minimum bounds; only when user invokes exploration |
| mode-first-principles.md | Derive from invariants; cite the physical / mathematical constraint, not "best practice" |
See mode-matrix.md for the agent-role × recommended-modes table used by the skills/new-agent wizard (Phase 3.6). It is the suggested starting set per role — modes remain a free pick per manifest.
Adding a new block
- Pick a stable prefix (existing category or a new one documented here).
- One concern per file. 20–50 LOC target, <200 LOC hard cap (Constructor Pattern).
- Imperative voice ("Do X" not "the agent should do X") — these land verbatim in agent prompts.
- Standalone-readable — do not assume sibling blocks are present. Cross-references OK, hard dependencies not.
- Reference from a manifest's blocks = [...] list; the assembler validates existence.
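A pre-merge check for the rules above (obligatory base blocks, existence, the <200 LOC hard cap), as an added example that is not the project's _assembler. It assumes block names are passed without the .md suffix and that LOC means physical lines; the rejection of names containing path separators is an extra precaution, not something the README specifies.

```shell
#!/usr/bin/env bash
# Added example, not the project's _assembler. Assumes block names come
# without the .md suffix and that LOC is counted as physical lines.

REQUIRED_BLOCKS="baseline evidence-grading memory-protocol"
LOC_HARD_CAP=200

# check_blocks <blocks_dir> <name>...
# Prints one line per violation; returns 0 when clean, 1 otherwise.
check_blocks() {
  local dir="$1"; shift
  local bad=0 name req loc
  # Every manifest must include the obligatory base blocks.
  for req in $REQUIRED_BLOCKS; do
    case " $* " in
      *" $req "*) ;;
      *) echo "missing obligatory block: $req"; bad=1 ;;
    esac
  done
  for name in "$@"; do
    # Names end up in a filesystem path: refuse anything that could
    # resolve outside the blocks directory.
    case "$name" in
      ""|*/*|*..*) echo "invalid block name: $name"; bad=1; continue ;;
    esac
    if [ ! -f "$dir/$name.md" ]; then
      echo "unknown block: $name"; bad=1; continue
    fi
    loc=$(( $(wc -l < "$dir/$name.md") ))
    if [ "$loc" -ge "$LOC_HARD_CAP" ]; then
      echo "block over hard cap: $name ($loc lines)"; bad=1
    fi
  done
  return "$bad"
}
```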
Ownership
Blocks are kit-owned — install.sh overwrites _blocks/ on re-run, backing up local edits to _blocks.bak-TIMESTAMP/. User-owned content belongs in _manifests/*.toml (which are never overwritten).