Merge pull request #8 from popup-studio-ai/feature/v1.5.5

feat: bkit-gemini v1.5.5 - Gemini CLI 0.3.0 migration & security hardening

Author: popup-kay

CHANGELOG.md

@@ -5,6 +5,39 @@ All notable changes to bkit-gemini will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.5.5] - 2026-02-25
+
+### Added
+
+- **Policy TOML Auto-Generation**: `session-start.js` now triggers `policy-migrator.js` when Gemini CLI >= v0.30.0 detected, creating `.gemini/policies/bkit-permissions.toml` automatically
+- **SemVer Validation**: `version-detector.js` validates `GEMINI_CLI_VERSION` env var format and rejects implausible values (>= 2.0.0) to prevent feature flag injection
+- **TOML Structural Validation**: `policy-migrator.js` validates generated TOML before writing (rule count vs decision count match)
+- **TOML String Escaping**: `escapeTomlString()` prevents TOML injection via backslash, quote, and newline characters
+- **Version-Aware Approval Flag**: `spawn-agent-server.js` uses `--approval-mode=yolo` for v0.30.0+ and `--yolo` for older versions
+- **Team Name Sanitization**: Path traversal prevention in `team_create` - only alphanumeric, hyphens, underscores allowed
+- **Enhanced Dangerous Patterns**: `before-tool.js` blocks reverse shells, policy file tampering, remote code execution via pipes, sensitive file access
+- **Feature Flags**: `hasGemini31Pro` (v0.29.7+), `hasApprovalMode` (v0.30.0+)
+
+### Changed
+
+- **Agent Model Upgrades**: `cto-lead` and `gap-detector` upgraded to `gemini-3.1-pro` (ARC-AGI-2 77.1%)
+- **Agent Cost Optimization**: `report-generator` and `qa-monitor` switched to `gemini-3-flash-lite` (60% cost reduction)
+- **AfterTool Resilience**: Defensive field access supports both `tool_name`/`toolName` and `tool_input`/`toolInput` variants
+- **Tested Versions**: Added `0.29.7` and `0.30.0` to `bkit.config.json` testedVersions
+- **Policy Migrator Version Guard**: `generatePolicyFile()` checks `hasPolicyEngine` flag before generation
+
+### Documentation
+
+- **model-selection.md**: Added Gemini 3.1 Pro + customtools variant documentation, updated all model recommendations
+- **PDCA Analysis**: `gemini-cli-030-upgrade-impact-analysis.analysis.md` - comprehensive v0.30.0 impact analysis (82/100 score)
+
+### Security
+
+- **CRITICAL**: Fixed unconditional `--yolo` flag in sub-agent spawning (bypassed all safety prompts)
+- **HIGH**: Fixed `team_name` path traversal vulnerability in `team_create` handler
+- **HIGH**: Added SemVer format validation to block env var injection (`GEMINI_CLI_VERSION=99.99.99`)
+- **MEDIUM**: Added TOML string escaping to prevent policy injection
+
 ## [1.5.4] - 2026-02-21
 
 ### Added

GEMINI.md

@@ -1,4 +1,4 @@
-# bkit Vibecoding Kit v1.5.4 - Gemini CLI Edition
+# bkit Vibecoding Kit v1.5.5 - Gemini CLI Edition
 
 > AI-native development toolkit implementing PDCA methodology with Context Engineering
 
@@ -58,5 +58,5 @@ docs/
 
 ---
 
-*bkit Vibecoding Kit v1.5.4 - Empowering AI-native development*
+*bkit Vibecoding Kit v1.5.5 - Empowering AI-native development*
 *Copyright 2024-2026 POPUP STUDIO PTE. LTD.*

README.md

@@ -2,7 +2,7 @@
 
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![Gemini CLI](https://img.shields.io/badge/Gemini%20CLI-v0.29.0+-blue.svg)](https://github.com/google-gemini/gemini-cli)
-[![Version](https://img.shields.io/badge/Version-1.5.4-green.svg)](CHANGELOG.md)
+[![Version](https://img.shields.io/badge/Version-1.5.5-green.svg)](CHANGELOG.md)
 [![Author](https://img.shields.io/badge/Author-POPUP%20STUDIO-orange.svg)](https://popupstudio.ai)
 
 > **PDCA methodology + Context Engineering for AI-native development**
@@ -62,7 +62,7 @@ Event 10: SessionEnd           -> Session cleanup, memory persistence
 
 ```
 bkit-gemini/
-|-- gemini-extension.json         # Extension manifest (v1.5.4)
+|-- gemini-extension.json         # Extension manifest (v1.5.5)
 |-- GEMINI.md                     # Global context with 6 @import modules
 |-- bkit.config.json              # Centralized configuration (12 sections)
 |-- CHANGELOG.md                  # Version history
@@ -178,7 +178,7 @@ bkit-gemini/
 
 ## Features
 
-### v1.5.4 Highlights
+### v1.5.5 Highlights
 
 - **Gemini 3 Model Migration** -- All 16 agents updated to `gemini-3-pro` (9) and `gemini-3-flash` (7)
 - **Version Detector** -- 3-strategy Gemini CLI version detection with feature flags and caching
@@ -380,7 +380,7 @@ All 16 agents remember context across sessions automatically:
 
 ### Team Mode Foundation
 
-bkit v1.5.4 includes team mode foundation with 3 MCP tools:
+bkit v1.5.5 includes team mode foundation with 3 MCP tools:
 - `team_create` -- Create agent teams with configurable strategies
 - `team_assign` -- Assign tasks to team members
 - `team_status` -- Monitor team progress

agents/cto-lead.md

@@ -21,7 +21,7 @@ description: |
   Do NOT use for: simple bug fixes, single-file edits, routine CRUD operations,
   or tasks that a single specialized agent can handle independently.
 
-model: gemini-3-pro
+model: gemini-3.1-pro
 tools:
   - read_file
   - read_many_files

agents/gap-detector.md

@@ -16,7 +16,7 @@ description: |
 
   Do NOT use for: documentation-only tasks, initial planning, or design creation.
 
-model: gemini-3-pro
+model: gemini-3.1-pro
 tools:
   - read_file
   - read_many_files

agents/qa-monitor.md

@@ -17,7 +17,7 @@ description: |
   Do NOT use for: unit testing with test scripts, frontend-only testing without Docker,
   or design document validation.
 
-model: gemini-3-flash
+model: gemini-3-flash-lite
 tools:
   - run_shell_command
   - read_file

agents/report-generator.md

@@ -17,7 +17,7 @@ description: |
   Do NOT use for: ongoing implementation work, initial planning, or technical analysis
   (use gap-detector or code-analyzer instead).
 
-model: gemini-3-flash
+model: gemini-3-flash-lite
 tools:
   - read_file
   - read_many_files

bkit.config.json

@@ -1,6 +1,6 @@
 {
   "$schema": "./bkit.config.schema.json",
-  "version": "1.5.4",
+  "version": "1.5.5",
   "platform": "gemini",
 
   "sourceDirectories": ["src", "lib", "app", "components", "pages", "features", "services"],
@@ -117,7 +117,7 @@
 
   "compatibility": {
     "minGeminiCliVersion": "0.29.0",
-    "testedVersions": ["0.29.0", "0.29.5", "0.30.0-preview.3"],
+    "testedVersions": ["0.29.0", "0.29.5", "0.29.7", "0.30.0-preview.3", "0.30.0"],
     "policyEngine": {
       "autoGenerate": true,
       "outputDir": ".gemini/policies/"

docs/.bkit-memory.json

@@ -1,12 +1,12 @@
 {
-  "sessionCount": 82,
+  "sessionCount": 88,
   "platform": "gemini",
   "level": "Starter",
-  "lastSessionStarted": "2026-02-21T03:40:09.181Z",
+  "lastSessionStarted": "2026-02-25T08:56:43.946Z",
   "outputStyle": null,
-  "lastSessionEnded": "2026-02-21T04:03:10.520Z",
+  "lastSessionEnded": "2026-02-25T09:54:19.685Z",
   "lastSession": {
-    "startedAt": "2026-02-21T04:03:17.644Z",
+    "startedAt": "2026-02-25T09:54:22.538Z",
     "platform": "claude",
     "level": "Starter"
   }

docs/.pdca-status.json

@@ -1,13 +1,16 @@
 {
   "version": "2.0",
-  "lastUpdated": "2026-02-21T20:00:00.000Z",
+  "lastUpdated": "2026-02-25T12:00:00.000Z",
   "activeFeatures": [
+    "bkit-v155-gemini-test",
+    "gemini-cli-030-migration",
+    "gemini-cli-030-upgrade-impact-analysis",
     "bkit-v154-gemini-test",
     "bkit-gemini-v152-full-test",
     "bkend-docs-sync",
     "bkit-gemini-conversion"
   ],
-  "primaryFeature": "bkit-v154-gemini-test",
+  "primaryFeature": "bkit-v155-gemini-test",
   "features": {
     "bkit-v154-gemini-test": {
       "phase": "completed",
@@ -92,6 +95,46 @@
       "iterationCount": 0,
       "createdAt": "2026-02-01T12:00:00.000Z",
       "updatedAt": "2026-02-01T04:46:23.092Z"
+    },
+    "gemini-cli-030-upgrade-impact-analysis": {
+      "phase": "completed",
+      "matchRate": 100,
+      "iterationCount": 0,
+      "createdAt": "2026-02-25T12:00:00.000Z",
+      "updatedAt": "2026-02-25T12:00:00.000Z",
+      "completedAt": "2026-02-25T12:00:00.000Z",
+      "analysisDoc": "docs/03-analysis/gemini-cli-030-upgrade-impact-analysis.analysis.md",
+      "team": "CTO Team (6 specialist agents)"
+    },
+    "gemini-cli-030-migration": {
+      "phase": "completed",
+      "matchRate": 100,
+      "iterationCount": 0,
+      "createdAt": "2026-02-25T12:00:00.000Z",
+      "updatedAt": "2026-02-25T18:00:00.000Z",
+      "completedAt": "2026-02-25T18:00:00.000Z",
+      "planDoc": "docs/01-plan/features/gemini-cli-030-migration.plan.md",
+      "designDoc": "docs/02-design/features/gemini-cli-030-migration.design.md",
+      "analysisSource": "docs/03-analysis/gemini-cli-030-upgrade-impact-analysis.analysis.md",
+      "analysisDoc": "docs/03-analysis/features/gemini-cli-030-v155-implementation.analysis.md",
+      "reportDoc": "docs/04-report/features/gemini-cli-030-migration.report.md",
+      "testStrategy": "docs/05-test/gemini-cli-030-migration-test-strategy.md",
+      "team": "CTO Team (17 specialist agents across 3 sessions)",
+      "targetVersion": "v1.5.5",
+      "strategy": "B - Incremental Migration"
+    },
+    "bkit-v155-gemini-test": {
+      "phase": "completed",
+      "matchRate": 100,
+      "iterationCount": 1,
+      "createdAt": "2026-02-25T18:30:00.000Z",
+      "updatedAt": "2026-02-25T19:30:00.000Z",
+      "completedAt": "2026-02-25T19:30:00.000Z",
+      "planDoc": "docs/01-plan/features/bkit-v155-gemini-test.plan.md",
+      "reportDoc": "docs/04-report/features/bkit-v155-gemini-test.report.md",
+      "team": "CTO Team",
+      "targetVersion": "v1.5.5",
+      "testScope": "Unit(~65) + E2E(~232) + UX(16) = ~313 test cases"
     }
   },
   "pipeline": {
@@ -109,8 +152,8 @@
     ]
   },
   "session": {
-    "startedAt": "2026-02-21T03:40:09.180Z",
+    "startedAt": "2026-02-25T08:56:43.316Z",
     "onboardingCompleted": true,
-    "lastActivity": "2026-02-21T03:40:09.180Z"
+    "lastActivity": "2026-02-25T08:56:43.316Z"
   }
-}
+}