@ebowwa/hetzner 0.3.0 → 0.3.2

package/dist/actions.d.ts

@@ -0,0 +1,355 @@
+/**
+ * Hetzner Cloud API action polling and management
+ *
+ * Provides a robust polling service for monitoring async Hetzner actions
+ * with progress tracking, error handling, and cancellation support.
+ */
+import type { HetznerClient } from "./client.js";
+import type { HetznerAction, ActionPollingOptions, RateLimitInfo } from "./types.js";
+import { ActionStatus, ActionCommand } from "./types.js";
+import { HetznerActionError } from "./errors.js";
+/**
+ * Enhanced options for action polling with more granular control
+ */
+export interface EnhancedActionPollingOptions {
+    /** Polling interval in milliseconds (default: 2000) */
+    pollInterval?: number;
+    /** Maximum number of polling attempts before timeout */
+    maxRetries?: number;
+    /** Maximum time to wait in milliseconds before timeout */
+    timeout?: number;
+    /** Callback fired on each progress update */
+    onProgress?: (action: HetznerAction) => void;
+    /** Callback fired when action completes successfully */
+    onComplete?: (action: HetznerAction) => void;
+    /** Callback fired when action fails */
+    onError?: (error: HetznerActionError, action: HetznerAction) => void;
+    /** Callback fired on each retry attempt */
+    onRetry?: (attempt: number, delay: number) => void;
+    /** Abort signal for cancellation */
+    signal?: AbortSignal;
+    /** Whether to use adaptive polling intervals (default: false) */
+    adaptive?: boolean;
+    /** Concurrency limit for multiple actions (default: 5) */
+    concurrency?: number;
+}
+/**
+ * Result of a polling operation
+ */
+export interface PollingResult<T = HetznerAction> {
+    /** Whether the operation completed successfully */
+    success: boolean;
+    /** The final action state (if successful) */
+    action?: HetznerAction;
+    /** Error that occurred (if failed) */
+    error?: Error;
+    /** Number of polling attempts made */
+    attempts: number;
+    /** Total time elapsed in milliseconds */
+    elapsed: number;
+}
+/**
+ * Result for batch polling operations
+ */
+export interface BatchPollingResult {
+    /** Map of action ID to result */
+    results: Map<number, PollingResult>;
+    /** Count of successful actions */
+    successful: number;
+    /** Count of failed actions */
+    failed: number;
+    /** Total time elapsed in milliseconds */
+    elapsed: number;
+}
+/**
+ * Action operations for the Hetzner Cloud API
+ *
+ * Provides methods for managing and polling actions with enhanced
+ * polling capabilities including cancellation, progress tracking,
+ * and batch operations.
+ */
+export declare class ActionOperations {
+    private client;
+    constructor(client: HetznerClient);
+    /**
+     * Get a specific action by ID
+     *
+     * @param id - Action ID
+     * @returns Action details
+     */
+    get(id: number): Promise<HetznerAction>;
+    /**
+     * List all actions
+     *
+     * @param options - Optional filters (status, sort, server_id, etc.)
+     * @returns Array of actions
+     */
+    list(options?: {
+        status?: ActionStatus;
+        sort?: string;
+        page?: number;
+        per_page?: number;
+        server_id?: number;
+    }): Promise<HetznerAction[]>;
+    /**
+     * Poll a single action until completion (enhanced version)
+     *
+     * This is the main polling service method with full feature support:
+     * - Progress tracking with onProgress callback
+     * - Success/failure callbacks
+     * - Cancellation via AbortSignal
+     * - Adaptive polling intervals
+     * - Comprehensive error handling
+     *
+     * @param actionId - Action ID to poll
+     * @param options - Polling options
+     * @returns Promise resolving to the completed action
+     *
+     * @example
+     * ```typescript
+     * const action = await client.actions.poll(123, {
+     *   onProgress: (a) => console.log(`Progress: ${a.progress}%`),
+     *   onComplete: (a) => console.log('Done!'),
+     *   onError: (e) => console.error('Failed:', e.message),
+     *   timeout: 300000, // 5 minutes
+     *   signal: abortController.signal
+     * });
+     * ```
+     */
+    poll(actionId: number, options?: EnhancedActionPollingOptions): Promise<HetznerAction>;
+    /**
+     * Poll multiple actions until completion
+     *
+     * Handles concurrent polling of multiple actions with optional
+     * concurrency limit and individual action tracking.
+     *
+     * @param actionIds - Array of action IDs to poll
+     * @param options - Polling options
+     * @returns Promise resolving to array of completed actions
+     *
+     * @example
+     * ```typescript
+     * const actions = await client.actions.pollMany([1, 2, 3], {
+     *   onProgress: (a) => updateUI(a),
+     *   concurrency: 3, // Poll 3 at a time
+     *   signal: abortController.signal
+     * });
+     * ```
+     */
+    pollMany(actionIds: number[], options?: EnhancedActionPollingOptions): Promise<HetznerAction[]>;
+    /**
+     * Poll multiple actions with detailed result tracking
+     *
+     * Returns a BatchPollingResult with success/failure counts and
+     * per-action results for better error handling.
+     *
+     * @param actionIds - Array of action IDs to poll
+     * @param options - Polling options
+     * @returns Batch polling result with detailed status
+     *
+     * @example
+     * ```typescript
+     * const result = await client.actions.pollManyDetailed([1, 2, 3], {
+     *   concurrency: 2
+     * });
+     * console.log(`Success: ${result.successful}, Failed: ${result.failed}`);
+     * for (const [id, r] of result.results) {
+     *   if (r.error) console.error(`Action ${id} failed:`, r.error);
+     * }
+     * ```
+     */
+    pollManyDetailed(actionIds: number[], options?: EnhancedActionPollingOptions): Promise<BatchPollingResult>;
+    /**
+     * Wait for an action to complete (backward compatible alias)
+     *
+     * @param id - Action ID
+     * @param options - Polling options
+     * @returns Completed action
+     * @deprecated Use poll() instead for new code
+     */
+    waitFor(id: number, options?: ActionPollingOptions): Promise<HetznerAction>;
+    /**
+     * Wait for multiple actions to complete (backward compatible alias)
+     *
+     * @param ids - Array of action IDs
+     * @param options - Polling options
+     * @returns Array of completed actions
+     * @deprecated Use pollMany() instead for new code
+     */
+    waitForMany(ids: number[], options?: ActionPollingOptions): Promise<HetznerAction[]>;
+    /**
+     * Batch check multiple actions (no polling, single fetch)
+     *
+     * @param ids - Array of action IDs
+     * @returns Map of action ID to action
+     */
+    batchCheck(ids: number[]): Promise<Map<number, HetznerAction>>;
+}
+/**
+ * Default timeouts for different action types (in milliseconds)
+ * Adjusted based on typical operation durations
+ */
+export declare const ACTION_TIMEOUTS: Record<ActionCommand, number>;
+/**
+ * Get default timeout for an action command
+ */
+export declare function getActionTimeout(command: ActionCommand): number;
+/**
+ * Poll for an action to complete with full feature support
+ *
+ * This is the core polling service function that provides:
+ * - Progress tracking via onProgress callback
+ * - Success/error notification via onComplete/onError
+ * - Cancellation support via AbortSignal
+ * - Adaptive polling intervals
+ * - Retry logic with exponential backoff
+ *
+ * @param client - Hetzner API client
+ * @param actionId - Action ID to poll
+ * @param options - Polling options
+ * @returns Completed action
+ * @throws {HetznerActionError} If action fails
+ * @throws {HetznerTimeoutError} If action times out
+ *
+ * @example
+ * ```typescript
+ * const action = await pollAction(client, 123, {
+ *   onProgress: (a) => console.log(`Progress: ${a.progress}%`),
+ *   onComplete: (a) => console.log('Completed:', a.command),
+ *   onError: (e) => console.error('Failed:', e.message),
+ *   timeout: 60000,
+ *   signal: abortSignal
+ * });
+ * ```
+ */
+export declare function pollAction(client: HetznerClient, actionId: number, options?: EnhancedActionPollingOptions): Promise<HetznerAction>;
+/**
+ * Poll multiple actions concurrently
+ *
+ * Manages polling of multiple actions with optional concurrency limit.
+ * Each action is polled independently with shared callbacks.
+ *
+ * @param client - Hetzner API client
+ * @param actionIds - Array of action IDs to poll
+ * @param options - Polling options
+ * @returns Array of completed actions in same order as input
+ *
+ * @example
+ * ```typescript
+ * const actions = await pollActions(client, [1, 2, 3], {
+ *   onProgress: (a) => console.log(`Action ${a.id}: ${a.progress}%`),
+ *   onComplete: (a) => console.log(`Action ${a.id} complete`),
+ *   concurrency: 3 // Poll 3 actions at a time
+ * });
+ * ```
+ */
+export declare function pollActions(client: HetznerClient, actionIds: number[], options?: EnhancedActionPollingOptions): Promise<HetznerAction[]>;
+/**
+ * Poll multiple actions with detailed result tracking
+ *
+ * Similar to pollActions but returns a BatchPollingResult with
+ * success/failure counts and per-action results for better
+ * error handling and monitoring.
+ *
+ * @param client - Hetzner API client
+ * @param actionIds - Array of action IDs to poll
+ * @param options - Polling options
+ * @returns Batch polling result with detailed status
+ *
+ * @example
+ * ```typescript
+ * const result = await pollActionsDetailed(client, [1, 2, 3], {
+ *   onProgress: (a) => updateProgressBar(a)
+ * });
+ *
+ * console.log(`Completed: ${result.successful}/${actionIds.length}`);
+ * for (const [id, r] of result.results) {
+ *   if (r.error) {
+ *     console.error(`Action ${id} failed:`, r.error.message);
+ *   }
+ * }
+ * ```
+ */
+export declare function pollActionsDetailed(client: HetznerClient, actionIds: number[], options?: EnhancedActionPollingOptions): Promise<BatchPollingResult>;
+/**
+ * Poll for an action to complete (backward compatible)
+ *
+ * @deprecated Use pollAction() instead for new code
+ */
+export declare function waitForAction(client: HetznerClient, actionId: number, options?: ActionPollingOptions): Promise<HetznerAction>;
+/**
+ * Poll for multiple actions concurrently (backward compatible)
+ *
+ * @deprecated Use pollActions() instead for new code
+ */
+export declare function waitForMultipleActions(client: HetznerClient, actionIds: number[], options?: ActionPollingOptions): Promise<HetznerAction[]>;
+/**
+ * Poll for multiple actions with concurrency limit (backward compatible)
+ *
+ * @deprecated Use pollActions() with concurrency option instead
+ */
+export declare function waitForMultipleActionsWithLimit(client: HetznerClient, actionIds: number[], concurrency?: number, options?: ActionPollingOptions): Promise<HetznerAction[]>;
+/**
+ * Batch check multiple actions in a single API call
+ *
+ * Uses the /actions?id=42&id=43 endpoint to fetch multiple actions at once
+ *
+ * @param client - Hetzner API client
+ * @param actionIds - Array of action IDs to check
+ * @returns Map of action ID to action
+ */
+export declare function batchCheckActions(client: HetznerClient, actionIds: number[]): Promise<Map<number, HetznerAction>>;
+/**
+ * Check if an action is running
+ */
+export declare function isActionRunning(action: HetznerAction): boolean;
+/**
+ * Check if an action completed successfully
+ */
+export declare function isActionSuccess(action: HetznerAction): boolean;
+/**
+ * Check if an action failed
+ */
+export declare function isActionError(action: HetznerAction): boolean;
+/**
+ * Format action progress for display
+ */
+export declare function formatActionProgress(action: HetznerAction): string;
+/**
+ * Get human-readable action description
+ */
+export declare function getActionDescription(command: ActionCommand | string): string;
+/**
+ * Get adaptive polling interval based on operation type
+ */
+export declare function getPollInterval(command: ActionCommand): number;
+/**
+ * Get adaptive polling interval based on action progress
+ */
+export declare function getAdaptivePollInterval(progress: number): number;
+/**
+ * Poll with adaptive intervals (backward compatible)
+ *
+ * @deprecated Use pollAction() with adaptive: true option instead
+ */
+export declare function waitForActionAdaptive(client: HetznerClient, actionId: number, command: ActionCommand, options?: ActionPollingOptions): Promise<HetznerAction>;
+/**
+ * Parse rate limit headers from response
+ */
+export declare function parseRateLimitHeaders(headers: Headers): RateLimitInfo | null;
+/**
+ * Check if rate limit is low (should warn user)
+ */
+export declare function isRateLimitLow(info: RateLimitInfo, threshold?: number): boolean;
+/**
+ * Get human-readable rate limit status
+ */
+export declare function formatRateLimitStatus(info: RateLimitInfo): string;
+/**
+ * Wait for rate limit to reset
+ */
+export declare function waitForRateLimitReset(info: RateLimitInfo): Promise<void>;
+/**
+ * Create a progress logger for actions
+ */
+export declare function createProgressLogger(prefix?: string): (action: HetznerAction) => void;

package/dist/auth.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Hetzner authentication utilities
+ */
+export declare function getTokenFromCLI(): string;
+export declare function isAuthenticated(apiToken: string): boolean;
+export declare function resolveApiToken(explicitToken?: string): string;

package/dist/bootstrap/cloud-init.d.ts

@@ -0,0 +1,78 @@
+/**
+ * Cloud-Init Bootstrap Generator
+ *
+ * Generates cloud-init YAML scripts for first-boot server provisioning.
+ * Handles seed repository installation and initial setup.
+ *
+ * Security Integration:
+ * This module integrates all security modules in the correct order:
+ * 1. UFW Firewall (network-level defense)
+ * 2. Kernel Hardening (system-level hardening)
+ * 3. SSH Hardening (service-level hardening)
+ * 4. Security Audit (verification and reporting)
+ */
+export interface BootstrapOptions {
+    /** Seed repository URL (default: https://github.com/ebowwa/seed) */
+    seedRepo?: string;
+    /** Seed repository branch (default: dev) */
+    seedBranch?: string;
+    /** Installation path (default: /root/seed) */
+    seedPath?: string;
+    /** Whether to run setup.sh non-interactively (default: true) */
+    runSetup?: boolean;
+    /** Additional environment variables for setup.sh */
+    setupEnv?: Record<string, string>;
+    /** Additional packages to install */
+    packages?: string[];
+    /** Additional commands to run after seed installation */
+    additionalCommands?: string[];
+    /** Enable security hardening (default: true) */
+    enableSecurity?: boolean;
+}
+/**
+ * Generate a cloud-init YAML script for seed installation
+ *
+ * @param options - Bootstrap configuration options
+ * @returns Cloud-init YAML string
+ */
+export declare function generateSeedBootstrap(options?: BootstrapOptions): string;
+/**
+ * Generate a minimal cloud-init script that uses #include to fetch from a URL
+ *
+ * This is useful for larger bootstrap scripts or when you want to update
+ * the bootstrap without code changes.
+ *
+ * @param url - URL to fetch the cloud-init config from
+ * @returns Cloud-init YAML string with #include directive
+ */
+export declare function generateRemoteBootstrap(url: string): string;
+/**
+ * Bootstrap configuration presets for common scenarios
+ */
+export declare const BootstrapPresets: {
+    /**
+     * Default seed installation with setup.sh and full security hardening
+     */
+    readonly default: () => string;
+    /**
+     * Seed installation with full security hardening and verbose logging
+     */
+    readonly secure: () => string;
+    /**
+     * Seed installation without running setup.sh (useful for debugging)
+     */
+    readonly cloneOnly: () => string;
+    /**
+     * Development bootstrap without security hardening (for testing)
+     */
+    readonly development: () => string;
+    /**
+     * Verbose bootstrap with logging enabled
+     */
+    readonly verbose: () => string;
+};
+export { generateGenesisBootstrap, generateRemoteGenesisBootstrap, GenesisBootstrapPresets, type GenesisBootstrapOptions, } from "./genesis";
+export { sshdHardeningPackages, sshdHardeningWriteFiles, sshdHardeningRunCmd, } from "./ssh-hardening";
+export { ufwFirewallPackages, ufwFirewallWriteFiles, ufwFirewallRunCmd, DEFAULT_UFW_WORKER_OPTIONS, DEFAULT_UFW_GENESIS_OPTIONS, generateUFWFirewallForGenesis, generateUFWFirewallForWorker, type UFWFirewallOptions, } from "./firewall";
+export { kernelHardeningPackages, kernelHardeningWriteFiles, kernelHardeningRunCmd, } from "./kernel-hardening";
+export { securityAuditPackages, securityAuditWriteFiles, securityAuditRunCmd, } from "./security-audit";

package/dist/bootstrap/firewall.d.ts

@@ -0,0 +1,118 @@
+/**
+ * UFW Firewall Cloud-Init Components
+ *
+ * Composable cloud-init blocks for securing servers with UFW (Uncomplicated Firewall).
+ * Includes: default deny incoming, allow outgoing, rate limiting, and logging.
+ *
+ * Background: Hetzner public IPs face constant scanning and brute-force attacks.
+ * UFW provides a simple interface to iptables/nftables with secure defaults.
+ *
+ * This module is imported by cloud-init.ts (seed/worker nodes) and genesis.ts
+ * (control plane) so every new server gets firewall protection at first boot.
+ *
+ * Three composable functions return cloud-init line arrays for splicing into
+ * the appropriate YAML sections:
+ *   - ufwFirewallPackages()    → packages: section
+ *   - ufwFirewallWriteFiles()  → write_files: section
+ *   - ufwFirewallRunCmd()      → runcmd: section
+ *
+ * Security Policy:
+ *   - Default: deny incoming, allow outgoing (stateful)
+ *   - SSH (22): rate limited to prevent brute-force
+ *   - HTTP/HTTPS (80/443): allowed for web services
+ *   - Node Agent (8911): allowed for internal communication
+ *   - Tailscale (41641): allowed for VPN
+ *   - Logging: enabled with rate limiting to prevent log flooding
+ */
+/**
+ * UFW firewall configuration options.
+ */
+export interface UFWFirewallOptions {
+    /** Allow SSH from specific IPs/CIDRs (default: allow from anywhere) */
+    allowSSHFrom?: string[];
+    /** Allow HTTP (port 80) */
+    allowHTTP?: boolean;
+    /** Allow HTTPS (port 443) */
+    allowHTTPS?: boolean;
+    /** Allow Node Agent port (8911) */
+    allowNodeAgent?: boolean;
+    /** Additional ports to allow */
+    additionalPorts?: Array<{
+        port: number;
+        protocol?: string;
+        comment?: string;
+    }>;
+    /** Enable verbose logging (default: rate-limited logging) */
+    verboseLogging?: boolean;
+}
+/**
+ * Default firewall options for Genesis control plane servers.
+ */
+export declare const DEFAULT_UFW_GENESIS_OPTIONS: UFWFirewallOptions;
+/**
+ * Default firewall options for worker/seed servers.
+ */
+export declare const DEFAULT_UFW_WORKER_OPTIONS: UFWFirewallOptions;
+/**
+ * Packages required for UFW firewall.
+ * Returns cloud-init YAML lines for the `packages:` section.
+ *
+ * - ufw: Uncomplicated Firewall interface to iptables/nftables
+ */
+export declare function ufwFirewallPackages(): string[];
+/**
+ * Files to write at first boot for UFW firewall configuration.
+ * Returns cloud-init YAML lines for the `write_files:` section.
+ *
+ * Drops 2 files onto the server:
+ *
+ * 1. /etc/ufw/before.rules
+ *    - Custom before rules for stateful firewall behavior
+ *    - Allows loopback, established/related connections
+ *    - Drops invalid packets early
+ *
+ * 2. /etc/ufw/sysctl.conf
+ *    - Enables kernel network security parameters
+ *    - IP spoofing protection
+ *    - ICMP redirect protection
+ *    - Log martian packets
+ */
+export declare function ufwFirewallWriteFiles(options?: UFWFirewallOptions): string[];
+/**
+ * Commands to configure and activate UFW firewall at first boot.
+ * Returns cloud-init YAML lines for the `runcmd:` section.
+ *
+ * Order matters:
+ *   1. Set default policies (deny incoming, allow outgoing)
+ *   2. Allow loopback interface
+ *   3. Allow SSH with rate limiting (prevents brute-force)
+ *   4. Allow HTTP/HTTPS if enabled
+ *   5. Allow Node Agent port if enabled
+ *   6. Allow Tailscale port (required for VPN)
+ *   7. Enable logging with rate limiting
+ *   8. Enable and reload UFW
+ *   9. Display firewall status
+ */
+export declare function ufwFirewallRunCmd(options?: UFWFirewallOptions): string[];
+/**
+ * Generate complete UFW firewall configuration for Genesis servers.
+ *
+ * @param options - UFW firewall options (uses DEFAULT_UFW_GENESIS_OPTIONS if not provided)
+ * @returns Object with packages, writeFiles, and runCmd arrays
+ */
+export declare function generateUFWFirewallForGenesis(options?: UFWFirewallOptions): {
+    packages: string[];
+    writeFiles: string[];
+    runCmd: string[];
+};
+/**
+ * Generate complete UFW firewall configuration for worker/seed servers.
+ *
+ * @param options - UFW firewall options (uses DEFAULT_UFW_WORKER_OPTIONS if not provided)
+ * @returns Object with packages, writeFiles, and runCmd arrays
+ */
+export declare function generateUFWFirewallForWorker(options?: UFWFirewallOptions): {
+    packages: string[];
+    writeFiles: string[];
+    runCmd: string[];
+};

package/dist/bootstrap/genesis.d.ts

@@ -0,0 +1,82 @@
+/**
+ * Genesis Server Bootstrap Generator
+ *
+ * Generates cloud-init YAML scripts for Genesis server provisioning.
+ * Genesis is a bootstrap/control plane node that runs com.hetzner.codespaces
+ * and manages Hetzner VPS worker nodes.
+ *
+ * Security Integration:
+ * This module integrates all security modules in the correct order:
+ * 1. UFW Firewall (network-level defense)
+ * 2. Kernel Hardening (system-level hardening)
+ * 3. SSH Hardening (service-level hardening)
+ * 4. Security Audit (verification and reporting)
+ */
+export interface GenesisBootstrapOptions {
+    /** Admin SSH public key for genesis user */
+    adminSSHKey: string;
+    /** Genesis repository URL (default: https://github.com/ebowwa/com.hetzner.codespaces) */
+    genesisRepo?: string;
+    /** Genesis repository branch or tag */
+    genesisBranch?: string;
+    /** Genesis server hostname (default: genesis) */
+    hostname?: string;
+    /** Default Hetzner server type for workers */
+    defaultServerType?: string;
+    /** Default Hetzner location */
+    defaultLocation?: string;
+    /** Maximum concurrent workers */
+    maxWorkers?: string;
+    /** Additional packages to install */
+    packages?: string[];
+    /** Additional commands to run after genesis setup */
+    additionalCommands?: string[];
+    /** Enable security hardening (default: true) */
+    enableSecurity?: boolean;
+}
+/**
+ * Generate a cloud-init YAML script for Genesis server bootstrap
+ *
+ * @param options - Genesis bootstrap configuration options
+ * @returns Cloud-init YAML string
+ */
+export declare function generateGenesisBootstrap(options: GenesisBootstrapOptions): string;
+/**
+ * Generate a minimal cloud-init script that uses #include to fetch from a URL
+ *
+ * This is useful for larger bootstrap scripts or when you want to update
+ * the bootstrap without code changes.
+ *
+ * @param url - URL to fetch the cloud-init config from
+ * @returns Cloud-init YAML string with #include directive
+ */
+export declare function generateRemoteGenesisBootstrap(url: string): string;
+/**
+ * Genesis bootstrap configuration presets for common scenarios
+ */
+export declare const GenesisBootstrapPresets: {
+    /**
+     * Default Genesis server with standard configuration and full security
+     */
+    readonly default: (adminSSHKey: string) => string;
+    /**
+     * Genesis server with ARM architecture (CAX series - best €/performance)
+     */
+    readonly arm: (adminSSHKey: string) => string;
+    /**
+     * Genesis server with high-performance CPU (CPX series)
+     */
+    readonly performance: (adminSSHKey: string) => string;
+    /**
+     * Genesis server with dedicated CPU (CCX series)
+     */
+    readonly dedicated: (adminSSHKey: string) => string;
+    /**
+     * Development Genesis server without security hardening
+     */
+    readonly development: (adminSSHKey: string) => string;
+    /**
+     * Secure Genesis server with full hardening and verbose logging
+     */
+    readonly secure: (adminSSHKey: string) => string;
+};

package/dist/bootstrap/index.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Bootstrap Security Modules
+ *
+ * Comprehensive security hardening for cloud-init server provisioning.
+ * All modules are composable and can be integrated independently.
+ *
+ * Security Module Order:
+ * 1. UFW Firewall (network-level defense)
+ * 2. Kernel Hardening (system-level hardening)
+ * 3. SSH Hardening (service-level hardening)
+ * 4. Security Audit (verification and reporting)
+ *
+ * Usage:
+ * ```ts
+ * import { generateSeedBootstrap } from './bootstrap';
+ *
+ * const cloudInit = generateSeedBootstrap({
+ *   enableSecurity: true,
+ *   seedRepo: 'https://github.com/ebowwa/seed',
+ *   seedBranch: 'dev',
+ * });
+ * ```
+ */
+export { generateSeedBootstrap, generateRemoteBootstrap, BootstrapPresets, type BootstrapOptions, } from './cloud-init';
+export { generateGenesisBootstrap, generateRemoteGenesisBootstrap, GenesisBootstrapPresets, type GenesisBootstrapOptions, } from './genesis';
+export { ufwFirewallPackages, ufwFirewallWriteFiles, ufwFirewallRunCmd, DEFAULT_UFW_WORKER_OPTIONS, DEFAULT_UFW_GENESIS_OPTIONS, generateUFWFirewallForGenesis, generateUFWFirewallForWorker, type UFWFirewallOptions, } from './firewall';
+export { kernelHardeningPackages, kernelHardeningWriteFiles, kernelHardeningRunCmd, } from './kernel-hardening';
+export { sshdHardeningPackages, sshdHardeningWriteFiles, sshdHardeningRunCmd, } from './ssh-hardening';
+export { securityAuditPackages, securityAuditWriteFiles, securityAuditRunCmd, } from './security-audit';