keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KeiSeiKit-1.0/hooks/agent-fork-logger.sh
Parfii-bot f77c1b7fdc fix(v0.15.1): RED-1 CVE + typed-handoff + schema minItems 
Security hotfix — v0.15.1 Wave 1 fixes from 4-parallel audit.

RED-1 (CVE): KEI_DISABLED_HOOKS tokenized match — was `*all*`
substring-glob (trivially bypassable via "install", "wall-clock", etc.),
now exact-token split on comma/space. Patched in all 9 hooks:
no-hand-edit-agents, assemble-agents, assemble-validate, tomd-preread,
agent-fork-logger, site-wysiwyd-check, error-spike-detector,
milestone-commit-hook, session-end-dump.

RED-2 (observability): minimal profile whitelist now includes
agent-fork-logger and session-end-dump (ledger + trace paths) so
observability is not silently lost on minimal installs.

HIGH: review.json schema minItems:1 on findings — rejects empty
reviews; new Rust test review_schema_rejects_empty_findings.

HIGH: typed-handoff wire-up — produces_artifact declared at top
level on 5 manifests (kei-security-auditor, kei-validator,
kei-architect, kei-code-implementer, kei-critic); duplicate
per-handoff declarations removed.

MED: kei-artifact validate.rs gains warn_unsupported_keywords —
non-fatal stderr warning when schema uses keywords outside the
hand-rolled 2020-12 subset.

LOW: CI Node matrix dropped 18, now ['20','22'].

Doc drift: skills/hooks-control/SKILL.md reflects tokenized-match
semantics and updated minimal-profile hook list.

Tests: 191 Rust workspace + 30 assembler (both pass). RED-1
reproducer 10/10 (4 former-CVE vectors blocked, 5 legit vectors
accepted, empty passes).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 15:08:51 +08:00

78 lines
2.6 KiB
Bash
Executable file
Raw Blame History

#!/bin/sh
# agent-fork-logger.sh — PreToolUse:Agent advisory hook (RULE 0.12).
#
# Reads the Agent tool invocation JSON from stdin and, if kei-ledger is on
# PATH, logs a fork row so the orchestrator can later validate the bundle.
# NEVER blocks: every exit path is `exit 0`. Hard-dependency absent (no jq,
# no kei-ledger, no git) → silent no-op.
command -v jq >/dev/null 2>&1 || exit 0
# --- RUNTIME CONTROLS (v0.15.1) ---
# KEI_DISABLED_HOOKS: tokenized exact-match list (comma- or space-separated).
# Repro of pre-v0.15.1 substring bypass (CVE-class): KEI_DISABLED_HOOKS="foo-all-bar"
# previously disabled every hook via `*all*`. v0.15.1 requires token equality.
_hook_name="$(basename "$0" .sh)"
_disabled=" $(printf '%s' "${KEI_DISABLED_HOOKS:-}" | tr ',' ' ') "
case "$_disabled" in
*" $_hook_name "*|*" all "*) unset _disabled; exit 0 ;;
esac
unset _disabled
case "${KEI_HOOK_PROFILE:-full}" in
off) exit 0 ;;
minimal)
case "$_hook_name" in
no-hand-edit-agents|assemble-validate|agent-fork-logger|session-end-dump) ;;
*) exit 0 ;;
esac
;;
advisory-off)
case "$_hook_name" in
recurrence-suggest|citation-verify|error-spike-detector|milestone-commit-hook) exit 0 ;;
esac
;;
full|*) ;;
esac
# --- end runtime controls ---
set -eu
input="$(cat)"
# Extract subagent_type / prompt / isolation from the Agent tool_input.
subagent=$(printf '%s' "$input" | jq -r '.tool_input.subagent_type // empty' 2>/dev/null || true)
prompt=$(printf '%s' "$input" | jq -r '.tool_input.prompt // empty' 2>/dev/null || true)
isolation=$(printf '%s' "$input" | jq -r '.tool_input.isolation // empty' 2>/dev/null || true)
# No subagent name → not an agent call we know how to track.
if [ -z "$subagent" ]; then
exit 0
fi
# Spec fingerprint = first 16 hex chars of SHA-256(prompt).
spec_sha=$(printf '%s' "$prompt" | shasum -a 256 2>/dev/null | cut -c1-16)
spec_sha=${spec_sha:-unknown}
ts=$(date +%s)
agent_id="${subagent}-${ts}"
if [ "$isolation" = "worktree" ]; then
branch="agent/${subagent}-${ts}"
else
branch="inline-${subagent}-${ts}"
fi
# Current git branch (if we're inside a repo). Non-fatal if git absent.
current_branch=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo none)
# If kei-ledger is unavailable, bail silently — the hook is advisory only.
command -v kei-ledger >/dev/null 2>&1 || exit 0
# Emit the fork row. Always exit 0 even if kei-ledger returns non-zero:
# the hook must never block an Agent invocation on ledger trouble.
kei-ledger fork "$agent_id" "$branch" \
--parent "$current_branch" \
--spec-sha "$spec_sha" \
>/dev/null 2>&1 || true
exit 0
Reference in a new issue View git blame Copy permalink