Acted on 2 of 10 findings Kimi caught when auditing its own integration
on PR #11 head 8d02c7f. Skipped 8 (false positives or out-of-scope).
1. crates/gateway/src/v1/kimi.rs — flatten OpenAI multimodal content
array to plain string before forwarding to api.kimi.com. The Kimi
coding endpoint is text-only; passing a [{type,text},...] array
returns 400. Use Message::text() to concat text-parts and drop
non-text. Verified with curl using array-shape content: gateway now
returns "PONG-ARRAY" instead of upstream error.
2. auditor/checks/kimi_architect.ts — computeGrounding switched from
readFileSync to async readFile inside Promise.all. Doesn't matter
at 10 findings; would matter at 100+. Removed unused readFileSync
import.
Skipped findings (with reason):
- drift_report.ts:18 schema bump migration concern: the strict
schema_version refusal IS the migration boundary (v1 readers
explicitly fail on v2; not a silent corruption risk).
- replay.ts:383 ISO timestamp precision: Date.toISOString always
emits "YYYY-MM-DDTHH:mm:ss.sssZ" (ms precision). False positive.
- mode.rs:1035 matrix_corpus deserializer compat: deserialize_string
_or_vec at mode.rs:175 already accepts both shapes. Confabulation
from not seeing the deserializer in the input bundle.
- /etc/lakehouse/kimi.env world-readable: actually 0600 root. Real
concern would be permission-drift; not a code bug.
- callKimi response.json hang: obsolete; we use curl now.
- parseFindings silent-drop: ergonomic concern, not a bug.
- appendMetrics join with "..": works for current path; deferred.
- stubFinding dead-type extension: cosmetic.
Self-audit grounding rate at v1.0.0: 10/10 file:line citations
verified by grep. 2 of 10 actionable bugs landed. The other 8 were
correctly flagged as concerns but didn't earn a code change.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ff5de76241