feat: Jeli Phase 1 — core primitives, Scoped MCP tools, stdio server #1
Squashed re-publication of local Phase 1 work onto the repo's published history (local dev history predates the repo's privacy-scrubbed re-push and is intentionally not carried over).

Core (from local Phase 1 baseline):
- core/hash_chain.py: HMAC-SHA256 chain, canonical records, validators, amendment tracking
- core/trust_score.py: trust model (user 1.0 … external 0.3), decay, confirmation boost, contradiction penalty
- core/contradiction.py: direct/temporal/semantic/trust-conflict detection
- security.py: injection defense, timing-safe API key validation
- database/pool.py (asyncpg), embedding/provider.py (OpenAI + Ollama), alembic 001 schema (memory_entry, memory_audit_log, memory_contradiction)

New in this change:
- tools/memory_tools.py: capture_memory / search_memory / audit_trail / verify_chain — the scoped agent surface (no shell, no files, no raw SQL)
- server/mcp_server.py: stdio transport via official mcp SDK; server-side actor identity (agents cannot impersonate writers)
- injection-like content capped at external-grade trust (0.3) + flagged, never blocked
- config: SCOPED_MCP_CHAIN_KEY (required), SCOPED_MCP_AGENT_ACTOR
- alembic 002: embedding UUID placeholder -> JSONB (pgvector later)
- tests: 119 passing, coverage 74%

Co-Authored-By: Claude Fable 5 <[email protected]>
- .github/workflows/ci.yml: lint/test/sast/audit/secrets/sbom via dev-rig reusable workflows (coverage gate 70%)
- .github/workflows/lint-workflows.yml + .github/zizmor.yml: zizmor on workflow changes; hash-pin policy, first-party ref-pin allowance
- src/jeli_scoped_mcp/cli.py: 'jeli verify' — full-chain HMAC walk, exit 0/1/2, --json mode; runs without API key or embedding provider (MemoryTools embedder now optional; write path guards)
- .githooks/pre-push: scans every commit being pushed (not just the tree) for LAN IPs / ssh user@host / key paths / home paths; enable with 'git config core.hooksPath .githooks' (2026-07-02 incident)
- lint debt cleared for CI gates: ruff clean, mypy clean (16 files), bandit clean

124 tests passing, coverage 74%.

Co-Authored-By: Claude Fable 5 <[email protected]>
Pushed a second commit extending this PR: dev-rig CI wiring (lint/test/sast/audit/secrets/sbom + zizmor workflow linting — jeli was the only public LegionForge repo with no CI), the
Same pattern as guardian: dummy keys in tests trip generic-api-key; dev-rig lint job expects bandit installed via .[dev].

Co-Authored-By: Claude Fable 5 <[email protected]>
…l format final)

The canonical hashed form is the one thing that cannot change cheaply after real data exists, so both format changes land together, pre-v0.1:
- key_id names the chain key that signed each record and lives INSIDE the hash — a record cannot be re-pointed at a weaker/compromised key without breaking its own hash. Enables per-record key rotation and the OpenBAO transit path (vault key versions). Registry: key_id -> key material; verification uses each record's own key; unknown key_id fails closed.
- trust_score canonicalizes to integer hundredths (0.6 -> 60) so float/Decimal round-trips through the DB can never alter a hash.
- alembic 003: key_id column (server_default 'k1') + index.
- config SCOPED_MCP_CHAIN_KEY_ID (default k1), wired through server and CLI.
- 3 new tests: verification across rotation, fail-closed on unknown key, key_id tamper-evidence. 127 passing.

Co-Authored-By: Claude Fable 5 <[email protected]>
Third commit set: canonical format finalized pre-v0.1 —
Publishes the local Phase 1 work as a single squashed, scrubbed commit onto the repo's published history. (Local dev history predates the privacy-scrubbed re-push of this repo and is intentionally not carried over; an internal repo-audit doc and vault-path references were scrubbed from the docs.)
What's here
Core primitives (from the local Phase 1 baseline, 99 tests):
- core/hash_chain.py — HMAC-SHA256 chain, canonical records, chain validation, amendment tracking
- core/trust_score.py — trust model (user-stated 1.0 … external 0.3), decay/boost/penalty
- core/contradiction.py — direct / temporal / semantic / trust-conflict detection
- security.py — injection defense (MINJA-derived patterns), timing-safe key validation

New: the Scoped MCP surface (the first-priority deliverable from CLAUDE.md — until now no agent could reach any of this):
- capture_memory
- search_memory
- audit_trail
- verify_chain

Security decisions
- SCOPED_MCP_AGENT_ACTOR), not a tool argument — agents cannot impersonate writers in the audit log.
- SCOPED_MCP_CHAIN_KEY required at startup; verify_chain treats walk position as authoritative so a forged first record claiming an arbitrary prev_hash fails.

Tests
119 passing (20 new over an in-memory pool fake: chain linkage, tamper via content edit / reorder / forged hash without key, trust capping, audit rows). Coverage 74%.
Follow-ups
pgvector migration + semantic mode · write-path contradiction detection (Phase 3) · summarize_session · HTTP transport

🤖 Generated with Claude Code
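An added illustration, not jeli's own core/hash_chain.py, of two design points stated above: the key_id-inside-the-hash canonical form with integer-hundredths trust score from the key-rotation commit, and the Security decisions rule that verify_chain treats the walk position, not the record's claimed prev_hash, as authoritative. The JSON canonical layout, the GENESIS sentinel and the key-registry dict are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sentinel: the verifier's own starting prev_hash for record 0.
GENESIS = "0" * 64


def canonical(record: dict, prev_hash: str) -> bytes:
    """Deterministic bytes that get MACed: key_id is inside, trust is an int."""
    body = {
        "key_id": record["key_id"],
        "content": record["content"],
        # 0.6 -> 60: a float/Decimal round-trip through the DB cannot move the hash
        "trust": round(record["trust_score"] * 100),
        "prev_hash": prev_hash,
    }
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(record: dict, prev_hash: str, keys: dict) -> dict:
    """Append-time: MAC the canonical form under the key named by key_id."""
    mac = hmac.new(keys[record["key_id"]], canonical(record, prev_hash), hashlib.sha256)
    return dict(record, prev_hash=prev_hash, hash=mac.hexdigest())


def verify_chain(chain: list, keys: dict) -> tuple:
    """Walk the chain. The walk position, not the stored prev_hash, is authoritative."""
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        key = keys.get(rec["key_id"])
        if key is None:
            return False, f"record {i}: unknown key_id {rec['key_id']!r} (fail closed)"
        want = hmac.new(key, canonical(rec, expected_prev), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, rec["hash"]):
            return False, f"record {i}: hash mismatch"
        expected_prev = rec["hash"]
    return True, "ok"


if __name__ == "__main__":
    keys = {"k1": b"constructed-key-1", "k2": b"constructed-key-2"}  # key registry
    r1 = sign({"key_id": "k1", "content": "user prefers dark mode", "trust_score": 1.0}, GENESIS, keys)
    r2 = sign({"key_id": "k2", "content": "scraped claim", "trust_score": 0.3}, r1["hash"], keys)
    print(verify_chain([r1, r2], keys))                      # (True, 'ok')
    print(verify_chain([r1, dict(r2, key_id="k1")], keys))   # re-pointed key -> mismatch
    print(verify_chain([r1, r2], {"k1": keys["k1"]}))        # unknown key_id -> fail closed
```

Because the verifier recomputes each record's canonical form from its own walk position, a first record that stores an arbitrary prev_hash still fails, and editing a record's key_id to point at another registered key breaks its MAC.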