refactor(kei-mcp): v0.46 — decompose safe_tools + fix CRITICAL Grok bypass
ARCHITECTURAL FIXES (Constructor Pattern — file >200 LOC):
1. safe_tools.rs (738 LOC god-object) → safe_tools/ module (5 files):
- mod.rs (99 LOC) — descriptors + dispatch
- env_guard.rs (79 LOC) — KillPgGuard RAII + apply_safe_env
- path_guard.rs (166 LOC) — validate_path + canonicalize walk-up
- chain_runner.rs (159 LOC) — hook chain loader/runner
- exec.rs (222 LOC) — handle_bash/edit/write with O_NOFOLLOW
2. CRITICAL Grok bypass closed (Claude critic finding):
- REMOVED env-based chain skip (CLAUDECODE / GROKCODE checks)
- The skip assumed native PreToolUse would catch the call, but
PreToolUse matchers fire on tool_name="Bash"|"Edit"|"Write" while
MCP tools are named kei_bash/kei_edit/kei_write — so native hooks
NEVER fire on MCP tool calls. The skip created an auth-bypass hole.
- Chain now ALWAYS runs for kei_bash/kei_edit/kei_write.
- Wire scripts (kei-mcp-wire-claude.sh + -grok.sh) updated: empty
env block + comment explaining v0.46 rationale.
3. Fail-closed defaults (architecturally correct, not bandaid):
- validate_path: empty allowed_roots() → ERROR (was silent disable)
- load_chain: missing/empty section → ERROR unless KEI_POLICY_CHAIN_OPTIONAL=1
4. RAII guard for process-group cleanup:
- KillPgGuard fires killpg on ANY exit path (success, error, timeout,
panic) until explicitly disarmed. Replaces error-path-only killpg.
5. validate_path moved off tokio worker via spawn_blocking — was blocking
syscalls in async context.
VERIFIED:
- cargo build --release → clean
- cargo test -p kei-mcp --release → 2 passed
- MCP smoke: chain fires under CLAUDECODE=1, GROKCODE=1, and no env
(all three previously skipped; all three now block kei_bash on
forbidden git push patterns).
- Safe commands still pass (kei_bash echo HELLO → HELLO returned).
README: substrate counts refreshed (105→110 Rust crates, v0.45→v0.46).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
KeiSei84
155d187699