npm - @factiii/stack - Versions diffs - 0.1.2 → 0.1.8 - Mend

@factiii/stack 0.1.2 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (89) hide show

package/dist/plugins/addons/server-mode/scanfix/mac.js CHANGED Viewed

@@ -5,13 +5,30 @@
  * Fixes for configuring Mac as a deployment server HOST (no Docker/dev tools).
  * Focus: what makes a Mac reliable as a server.
  *
+ * Power Management (pmset):
  * - Disable sleep (system, disk, display)
  * - Auto-restart on power loss
- * - Don't turn off when inactive (disablesleep)
- * - Disable screensaver
+ * - Fully disable sleep (disablesleep)
+ * - Wake on LAN (womp)
+ * - Disable hibernate
+ * - Disable standby
+ * - Disable Power Nap
+ * - Disable proximity wake
+ * - Keep awake during SSH (ttyskeepawake)
+ *
+ * System Services:
+ * - Disable screensaver (-currentHost)
  * - Enable SSH (Remote Login)
  * - Disable App Nap
- * - Auto-login on boot (optional)
+ * - Disable Spotlight indexing
+ * - Disable Time Machine
+ * - Disable auto-update restart
+ * - Disable Bluetooth (manual)
+ * - Auto-login on boot (manual)
+ *
+ * Network/Security:
+ * - Enable NTP (network time)
+ * - Disable file sharing (manual)
  */
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
@@ -50,27 +67,57 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.macFixes = void 0;
 const child_process_1 = require("child_process");
 const fs = __importStar(require("fs"));
+function macFixPair(def) {
+    return ['staging', 'prod'].map(stage => ({
+        id: def.idBase + '-' + stage,
+        stage,
+        os: 'mac',
+        severity: def.severity,
+        description: def.description,
+        scan: def.scan,
+        fix: def.fix,
+        manualFix: def.manualFix,
+    }));
+}
+// ============================================================
+// Helper: check a pmset value
+// ============================================================
+function pmsetValueIs(key, expected) {
+    try {
+        const result = (0, child_process_1.execSync)('pmset -g 2>/dev/null | grep -i ' + key + ' || true', {
+            encoding: 'utf8',
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        // If key not found in pmset output, the setting doesn't exist on this hardware (e.g. desktop Macs
+        // don't have hibernatemode, disablesleep, proximitywake). Treat as not applicable = OK.
+        if (!result.trim())
+            return true;
+        return result.trim().includes(expected);
+    }
+    catch {
+        return false;
+    }
+}
 exports.macFixes = [
     // ============================================================
-    // STAGING FIXES
+    // POWER MANAGEMENT (pmset)
     // ============================================================
-    {
-        id: 'macos-sleep-enabled-staging',
-        stage: 'staging',
-        os: 'mac',
+    ...macFixPair({
+        idBase: 'macos-sleep-enabled',
         severity: 'warning',
         description: 'macOS sleep is enabled (server may go offline)',
         scan: async (_config, _rootDir) => {
             try {
-                const result = (0, child_process_1.execSync)('pmset -g | grep -E "^\\s*sleep\\s+"', {
+                const result = (0, child_process_1.execSync)('pmset -g | grep -E "^\\s*sleep\\s+" || true', {
                     encoding: 'utf8',
                     stdio: ['pipe', 'pipe', 'pipe'],
                 });
-                // Check if sleep is not 0
+                if (!result.trim())
+                    return false; // Key not found = not applicable
                 return !result.includes('sleep 0');
             }
             catch {
-                return false; // Can't determine, assume OK
+                return false;
             }
         },
         fix: async (_config, _rootDir) => {
@@ -84,139 +131,119 @@ exports.macFixes = [
             }
         },
         manualFix: 'Run: sudo pmset -a sleep 0 disksleep 0 displaysleep 0',
-    },
-    {
-        id: 'macos-screensaver-enabled-staging',
-        stage: 'staging',
-        os: 'mac',
-        severity: 'info',
-        description: 'macOS screensaver is enabled',
+    }),
+    ...macFixPair({
+        idBase: 'macos-autorestart-disabled',
+        severity: 'critical',
+        description: 'Auto-restart on power loss is disabled (server may stay off after outage)',
         scan: async (_config, _rootDir) => {
             try {
-                const result = (0, child_process_1.execSync)('defaults read com.apple.screensaver idleTime 2>/dev/null || echo "300"', {
+                const result = (0, child_process_1.execSync)('pmset -g 2>/dev/null | grep -i autorestart || true', {
                     encoding: 'utf8',
+                    stdio: ['pipe', 'pipe', 'pipe'],
                 });
-                const idleTime = parseInt(result.trim(), 10);
-                return idleTime > 0;
+                if (!result.trim())
+                    return false; // Key not found = not applicable
+                return !result.trim().includes('1');
             }
             catch {
-                return false;
+                return true;
             }
         },
         fix: async (_config, _rootDir) => {
             try {
-                console.log('   Disabling macOS screensaver...');
-                (0, child_process_1.execSync)('defaults write com.apple.screensaver idleTime 0', { stdio: 'inherit' });
+                console.log('   Enabling auto-restart on power loss...');
+                (0, child_process_1.execSync)('sudo pmset -a autorestart 1', { stdio: 'inherit' });
                 return true;
             }
             catch {
                 return false;
             }
         },
-        manualFix: 'Run: defaults write com.apple.screensaver idleTime 0',
-    },
-    {
-        id: 'macos-ssh-disabled-staging',
-        stage: 'staging',
-        os: 'mac',
-        severity: 'critical',
-        description: 'macOS Remote Login (SSH) is disabled',
+        manualFix: 'Run: sudo pmset -a autorestart 1',
+    }),
+    ...macFixPair({
+        idBase: 'macos-disablesleep-disabled',
+        severity: 'warning',
+        description: 'System sleep is not fully disabled (disablesleep=0 allows Sleep menu)',
         scan: async (_config, _rootDir) => {
             try {
-                const result = (0, child_process_1.execSync)('sudo systemsetup -getremotelogin 2>/dev/null', {
+                const result = (0, child_process_1.execSync)('pmset -g custom 2>/dev/null | grep -i disablesleep || true', {
                     encoding: 'utf8',
+                    stdio: ['pipe', 'pipe', 'pipe'],
                 });
-                return result.toLowerCase().includes('off');
+                if (!result.trim())
+                    return false; // Key not found on desktop Macs = not applicable
+                return !result.trim().includes('1');
             }
             catch {
-                return false;
+                return true;
             }
         },
         fix: async (_config, _rootDir) => {
             try {
-                console.log('   Enabling macOS Remote Login (SSH)...');
-                (0, child_process_1.execSync)('sudo systemsetup -setremotelogin on', { stdio: 'inherit' });
+                console.log('   Disabling system sleep (server mode)...');
+                (0, child_process_1.execSync)('sudo pmset -a disablesleep 1', { stdio: 'inherit' });
                 return true;
             }
             catch {
                 return false;
             }
         },
-        manualFix: 'Run: sudo systemsetup -setremotelogin on',
-    },
-    {
-        id: 'macos-app-nap-enabled-staging',
-        stage: 'staging',
-        os: 'mac',
-        severity: 'info',
-        description: 'macOS App Nap may pause background processes',
+        manualFix: 'Run: sudo pmset -a disablesleep 1',
+    }),
+    ...macFixPair({
+        idBase: 'macos-wake-on-lan',
+        severity: 'warning',
+        description: 'Wake on LAN is disabled (cannot remotely wake server via magic packet)',
         scan: async (_config, _rootDir) => {
-            try {
-                const result = (0, child_process_1.execSync)('defaults read NSGlobalDomain NSAppSleepDisabled 2>/dev/null || echo "0"', {
-                    encoding: 'utf8',
-                });
-                return result.trim() !== '1';
-            }
-            catch {
-                return true; // If can't read, assume App Nap is enabled
-            }
+            return !pmsetValueIs('womp', '1');
         },
         fix: async (_config, _rootDir) => {
             try {
-                console.log('   Disabling macOS App Nap...');
-                (0, child_process_1.execSync)('defaults write NSGlobalDomain NSAppSleepDisabled -bool YES', { stdio: 'inherit' });
+                console.log('   Enabling Wake on LAN...');
+                (0, child_process_1.execSync)('sudo pmset -a womp 1', { stdio: 'inherit' });
                 return true;
             }
             catch {
                 return false;
             }
         },
-        manualFix: 'Run: defaults write NSGlobalDomain NSAppSleepDisabled -bool YES',
-    },
-    {
-        id: 'macos-autorestart-disabled-staging',
-        stage: 'staging',
-        os: 'mac',
+        manualFix: 'Run: sudo pmset -a womp 1 (requires Ethernet and compatible hardware)',
+    }),
+    ...macFixPair({
+        idBase: 'macos-hibernate-enabled',
         severity: 'warning',
-        description: 'Auto-restart on power loss is disabled (server may stay off after outage)',
+        description: 'Hibernate mode is enabled (server writes RAM to disk and powers off)',
         scan: async (_config, _rootDir) => {
-            try {
-                const result = (0, child_process_1.execSync)('pmset -g 2>/dev/null | grep -i autorestart || true', {
-                    encoding: 'utf8',
-                    stdio: ['pipe', 'pipe', 'pipe'],
-                });
-                // Problem if autorestart is 0 or line doesn't contain 1
-                return !result.trim().includes('1');
-            }
-            catch {
-                return true; // Assume needs fix if we can't read
-            }
+            return !pmsetValueIs('hibernatemode', '0');
         },
         fix: async (_config, _rootDir) => {
             try {
-                console.log('   Enabling auto-restart on power loss...');
-                (0, child_process_1.execSync)('sudo pmset -a autorestart 1', { stdio: 'inherit' });
+                console.log('   Disabling hibernate mode...');
+                (0, child_process_1.execSync)('sudo pmset -a hibernatemode 0', { stdio: 'inherit' });
                 return true;
             }
             catch {
                 return false;
             }
         },
-        manualFix: 'Run: sudo pmset -a autorestart 1',
-    },
-    {
-        id: 'macos-disablesleep-disabled-staging',
-        stage: 'staging',
-        os: 'mac',
-        severity: 'info',
-        description: 'System sleep is not fully disabled (disablesleep=0 allows Sleep menu)',
+        manualFix: 'Run: sudo pmset -a hibernatemode 0',
+    }),
+    ...macFixPair({
+        idBase: 'macos-standby-enabled',
+        severity: 'warning',
+        description: 'Standby mode is enabled (server enters deep sleep after extended idle)',
         scan: async (_config, _rootDir) => {
             try {
-                const result = (0, child_process_1.execSync)('pmset -g custom 2>/dev/null | grep -i disablesleep || true', {
+                // Use 'standby ' with trailing space to avoid matching standbydelayhigh/standbydelaylow
+                const result = (0, child_process_1.execSync)('pmset -g 2>/dev/null | grep -E "^\\s*standby\\s+" || true', {
                     encoding: 'utf8',
                     stdio: ['pipe', 'pipe', 'pipe'],
                 });
-                return !result.trim().includes('1');
+                if (!result.trim())
+                    return false; // Key not found on desktop Macs = not applicable
+                return !result.trim().includes('0');
             }
             catch {
                 return true;
@@ -224,77 +251,78 @@ exports.macFixes = [
         },
         fix: async (_config, _rootDir) => {
             try {
-                console.log('   Disabling system sleep (server mode)...');
-                (0, child_process_1.execSync)('sudo pmset -a disablesleep 1', { stdio: 'inherit' });
+                console.log('   Disabling standby mode...');
+                (0, child_process_1.execSync)('sudo pmset -a standby 0', { stdio: 'inherit' });
                 return true;
             }
             catch {
                 return false;
             }
         },
-        manualFix: 'Run: sudo pmset -a disablesleep 1',
-    },
-    {
-        id: 'macos-autologin-disabled-staging',
-        stage: 'staging',
-        os: 'mac',
+        manualFix: 'Run: sudo pmset -a standby 0',
+    }),
+    ...macFixPair({
+        idBase: 'macos-powernap-enabled',
         severity: 'info',
-        description: 'Auto-login on boot is not configured (may require manual login after power loss)',
+        description: 'Power Nap is enabled (wastes CPU for iCloud/Mail checks on server)',
         scan: async (_config, _rootDir) => {
+            return !pmsetValueIs('powernap', '0');
+        },
+        fix: async (_config, _rootDir) => {
             try {
-                const plist = '/Library/Preferences/com.apple.loginwindow.plist';
-                if (!fs.existsSync(plist))
-                    return true;
-                const result = (0, child_process_1.execSync)(`defaults read ${plist} autoLoginUser 2>/dev/null || echo ""`, {
-                    encoding: 'utf8',
-                });
-                return !result.trim();
+                console.log('   Disabling Power Nap...');
+                (0, child_process_1.execSync)('sudo pmset -a powernap 0', { stdio: 'inherit' });
+                return true;
             }
             catch {
-                return true;
+                return false;
             }
         },
-        fix: null,
-        manualFix: 'Set auto-login: System Settings > Users & Groups > Login Options > Automatic login > select user. ' +
-            'Or: sudo defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser -string "admin" (then reboot)',
-    },
-    // ============================================================
-    // PROD FIXES (same as staging)
-    // ============================================================
-    {
-        id: 'macos-sleep-enabled-prod',
-        stage: 'prod',
-        os: 'mac',
-        severity: 'warning',
-        description: 'macOS sleep is enabled (server may go offline)',
+        manualFix: 'Run: sudo pmset -a powernap 0',
+    }),
+    ...macFixPair({
+        idBase: 'macos-proximitywake-enabled',
+        severity: 'info',
+        description: 'Proximity wake is enabled (nearby Apple devices can wake the Mac)',
         scan: async (_config, _rootDir) => {
+            return !pmsetValueIs('proximitywake', '0');
+        },
+        fix: async (_config, _rootDir) => {
             try {
-                const result = (0, child_process_1.execSync)('pmset -g | grep -E "^\\s*sleep\\s+"', {
-                    encoding: 'utf8',
-                    stdio: ['pipe', 'pipe', 'pipe'],
-                });
-                return !result.includes('sleep 0');
+                console.log('   Disabling proximity wake...');
+                (0, child_process_1.execSync)('sudo pmset -a proximitywake 0', { stdio: 'inherit' });
+                return true;
             }
             catch {
                 return false;
             }
         },
+        manualFix: 'Run: sudo pmset -a proximitywake 0',
+    }),
+    ...macFixPair({
+        idBase: 'macos-ttyskeepawake-disabled',
+        severity: 'warning',
+        description: 'TTY keep-awake is disabled (Mac may sleep during active SSH sessions)',
+        scan: async (_config, _rootDir) => {
+            return !pmsetValueIs('ttyskeepawake', '1');
+        },
         fix: async (_config, _rootDir) => {
             try {
-                console.log('   Disabling macOS sleep...');
-                (0, child_process_1.execSync)('sudo pmset -a sleep 0 disksleep 0 displaysleep 0', { stdio: 'inherit' });
+                console.log('   Enabling TTY keep-awake...');
+                (0, child_process_1.execSync)('sudo pmset -a ttyskeepawake 1', { stdio: 'inherit' });
                 return true;
             }
             catch {
                 return false;
             }
         },
-        manualFix: 'Run: sudo pmset -a sleep 0 disksleep 0 displaysleep 0',
-    },
-    {
-        id: 'macos-ssh-disabled-prod',
-        stage: 'prod',
-        os: 'mac',
+        manualFix: 'Run: sudo pmset -a ttyskeepawake 1',
+    }),
+    // ============================================================
+    // SYSTEM SERVICES
+    // ============================================================
+    ...macFixPair({
+        idBase: 'macos-ssh-disabled',
         severity: 'critical',
         description: 'macOS Remote Login (SSH) is disabled',
         scan: async (_config, _rootDir) => {
@@ -319,19 +347,18 @@ exports.macFixes = [
             }
         },
         manualFix: 'Run: sudo systemsetup -setremotelogin on',
-    },
-    {
-        id: 'macos-screensaver-enabled-prod',
-        stage: 'prod',
-        os: 'mac',
+    }),
+    ...macFixPair({
+        idBase: 'macos-screensaver-enabled',
         severity: 'info',
-        description: 'macOS screensaver is enabled',
+        description: 'macOS screensaver is enabled (wasted GPU cycles on headless host)',
         scan: async (_config, _rootDir) => {
             try {
-                const result = (0, child_process_1.execSync)('defaults read com.apple.screensaver idleTime 2>/dev/null || echo "300"', {
+                const result = (0, child_process_1.execSync)('defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null || echo "300"', {
                     encoding: 'utf8',
                 });
-                return parseInt(result.trim(), 10) > 0;
+                const idleTime = parseInt(result.trim(), 10);
+                return idleTime > 0;
             }
             catch {
                 return false;
@@ -339,19 +366,18 @@ exports.macFixes = [
         },
         fix: async (_config, _rootDir) => {
             try {
-                (0, child_process_1.execSync)('defaults write com.apple.screensaver idleTime 0', { stdio: 'inherit' });
+                console.log('   Disabling macOS screensaver...');
+                (0, child_process_1.execSync)('defaults -currentHost write com.apple.screensaver idleTime 0', { stdio: 'inherit' });
                 return true;
             }
             catch {
                 return false;
             }
         },
-        manualFix: 'Run: defaults write com.apple.screensaver idleTime 0',
-    },
-    {
-        id: 'macos-app-nap-enabled-prod',
-        stage: 'prod',
-        os: 'mac',
+        manualFix: 'Run: defaults -currentHost write com.apple.screensaver idleTime 0',
+    }),
+    ...macFixPair({
+        idBase: 'macos-app-nap-enabled',
         severity: 'info',
         description: 'macOS App Nap may pause background processes',
         scan: async (_config, _rootDir) => {
@@ -367,6 +393,7 @@ exports.macFixes = [
         },
         fix: async (_config, _rootDir) => {
             try {
+                console.log('   Disabling macOS App Nap...');
                 (0, child_process_1.execSync)('defaults write NSGlobalDomain NSAppSleepDisabled -bool YES', { stdio: 'inherit' });
                 return true;
             }
@@ -375,77 +402,117 @@ exports.macFixes = [
             }
         },
         manualFix: 'Run: defaults write NSGlobalDomain NSAppSleepDisabled -bool YES',
-    },
-    {
-        id: 'macos-autorestart-disabled-prod',
-        stage: 'prod',
-        os: 'mac',
-        severity: 'warning',
-        description: 'Auto-restart on power loss is disabled',
+    }),
+    ...macFixPair({
+        idBase: 'macos-spotlight-enabled',
+        severity: 'info',
+        description: 'Spotlight indexing is enabled (burns CPU/disk on headless server)',
         scan: async (_config, _rootDir) => {
             try {
-                const result = (0, child_process_1.execSync)('pmset -g 2>/dev/null | grep -i autorestart || true', {
+                const result = (0, child_process_1.execSync)('mdutil -s / 2>/dev/null', {
                     encoding: 'utf8',
-                    stdio: ['pipe', 'pipe', 'pipe'],
                 });
-                return !result.trim().includes('1');
+                return result.toLowerCase().includes('indexing enabled');
             }
             catch {
-                return true;
+                return false;
             }
         },
         fix: async (_config, _rootDir) => {
             try {
-                (0, child_process_1.execSync)('sudo pmset -a autorestart 1', { stdio: 'inherit' });
+                console.log('   Disabling Spotlight indexing...');
+                (0, child_process_1.execSync)('sudo mdutil -a -i off', { stdio: 'inherit' });
                 return true;
             }
             catch {
                 return false;
             }
         },
-        manualFix: 'Run: sudo pmset -a autorestart 1',
-    },
-    {
-        id: 'macos-disablesleep-disabled-prod',
-        stage: 'prod',
-        os: 'mac',
+        manualFix: 'Run: sudo mdutil -a -i off',
+    }),
+    ...macFixPair({
+        idBase: 'macos-timemachine-enabled',
         severity: 'info',
-        description: 'System sleep is not fully disabled',
+        description: 'Time Machine is enabled (causes periodic heavy disk I/O)',
         scan: async (_config, _rootDir) => {
             try {
-                const result = (0, child_process_1.execSync)('pmset -g custom 2>/dev/null | grep -i disablesleep || true', {
+                const result = (0, child_process_1.execSync)('defaults read /Library/Preferences/com.apple.TimeMachine AutoBackup 2>/dev/null || echo "0"', {
                     encoding: 'utf8',
-                    stdio: ['pipe', 'pipe', 'pipe'],
                 });
-                return !result.trim().includes('1');
+                return result.trim() === '1';
             }
             catch {
+                return false;
+            }
+        },
+        fix: async (_config, _rootDir) => {
+            try {
+                console.log('   Disabling Time Machine...');
+                (0, child_process_1.execSync)('sudo tmutil disable', { stdio: 'inherit' });
                 return true;
             }
+            catch {
+                return false;
+            }
+        },
+        manualFix: 'Run: sudo tmutil disable',
+    }),
+    ...macFixPair({
+        idBase: 'macos-autoupdate-restart',
+        severity: 'critical',
+        description: 'macOS auto-update may reboot the server without warning',
+        scan: async (_config, _rootDir) => {
+            try {
+                const result = (0, child_process_1.execSync)('defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates 2>/dev/null || echo "0"', {
+                    encoding: 'utf8',
+                });
+                return result.trim() === '1';
+            }
+            catch {
+                return false;
+            }
         },
         fix: async (_config, _rootDir) => {
             try {
-                (0, child_process_1.execSync)('sudo pmset -a disablesleep 1', { stdio: 'inherit' });
+                console.log('   Disabling automatic macOS update installs...');
+                (0, child_process_1.execSync)('sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool false', { stdio: 'inherit' });
                 return true;
             }
             catch {
                 return false;
             }
         },
-        manualFix: 'Run: sudo pmset -a disablesleep 1',
-    },
-    {
-        id: 'macos-autologin-disabled-prod',
-        stage: 'prod',
-        os: 'mac',
+        manualFix: 'Run: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates -bool false',
+    }),
+    ...macFixPair({
+        idBase: 'macos-bluetooth-enabled',
         severity: 'info',
-        description: 'Auto-login on boot is not configured',
+        description: 'Bluetooth is enabled (unnecessary attack surface on headless server)',
+        scan: async (_config, _rootDir) => {
+            try {
+                const result = (0, child_process_1.execSync)('defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState 2>/dev/null || echo "1"', {
+                    encoding: 'utf8',
+                });
+                return result.trim() !== '0';
+            }
+            catch {
+                return false;
+            }
+        },
+        fix: null,
+        manualFix: 'Disable Bluetooth (only if no BT keyboard/mouse): System Settings > Bluetooth > Turn Off. ' +
+            'Or: sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0 && sudo killall -HUP bluetoothd',
+    }),
+    ...macFixPair({
+        idBase: 'macos-autologin-disabled',
+        severity: 'info',
+        description: 'Auto-login on boot is not configured (may require manual login after power loss)',
         scan: async (_config, _rootDir) => {
             try {
                 const plist = '/Library/Preferences/com.apple.loginwindow.plist';
                 if (!fs.existsSync(plist))
                     return true;
-                const result = (0, child_process_1.execSync)(`defaults read ${plist} autoLoginUser 2>/dev/null || echo ""`, {
+                const result = (0, child_process_1.execSync)('defaults read ' + plist + ' autoLoginUser 2>/dev/null || echo ""', {
                     encoding: 'utf8',
                 });
                 return !result.trim();
@@ -455,7 +522,67 @@ exports.macFixes = [
             }
         },
         fix: null,
-        manualFix: 'System Settings > Users & Groups > Login Options > Automatic login. Or: sudo defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser -string "admin"',
-    },
+        manualFix: 'Set auto-login: System Settings > Users & Groups > Login Options > Automatic login > select user. ' +
+            'Or: sudo defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser -string "admin" (then reboot)',
+    }),
+    // ============================================================
+    // NETWORK / SECURITY
+    // ============================================================
+    ...macFixPair({
+        idBase: 'macos-ntp-disabled',
+        severity: 'warning',
+        description: 'Network time (NTP) is disabled (accurate time needed for TLS, logs, cron)',
+        scan: async (_config, _rootDir) => {
+            try {
+                const result = (0, child_process_1.execSync)('sudo systemsetup -getusingnetworktime 2>/dev/null', {
+                    encoding: 'utf8',
+                });
+                return result.toLowerCase().includes('off');
+            }
+            catch {
+                return false;
+            }
+        },
+        fix: async (_config, _rootDir) => {
+            try {
+                console.log('   Enabling network time (NTP)...');
+                (0, child_process_1.execSync)('sudo systemsetup -setusingnetworktime on', { stdio: 'inherit' });
+                return true;
+            }
+            catch {
+                return false;
+            }
+        },
+        manualFix: 'Run: sudo systemsetup -setusingnetworktime on',
+    }),
+    ...macFixPair({
+        idBase: 'macos-file-sharing-enabled',
+        severity: 'info',
+        description: 'File sharing (AFP/SMB) is enabled (unnecessary attack surface on server)',
+        scan: async (_config, _rootDir) => {
+            try {
+                // Check if smbd is running (SMB file sharing)
+                (0, child_process_1.execSync)('launchctl list 2>/dev/null | grep com.apple.smbd', {
+                    stdio: ['pipe', 'pipe', 'pipe'],
+                });
+                return true;
+            }
+            catch {
+                // smbd not running, check AFP
+                try {
+                    const result = (0, child_process_1.execSync)('defaults read /Library/Preferences/com.apple.AppleFileServer guestAccess 2>/dev/null || echo "0"', {
+                        encoding: 'utf8',
+                    });
+                    return result.trim() === '1';
+                }
+                catch {
+                    return false;
+                }
+            }
+        },
+        fix: null,
+        manualFix: 'Disable file sharing: System Settings > General > Sharing > File Sharing > Off. ' +
+            'Only disable if file sharing is not intentionally used.',
+    }),
 ];
 //# sourceMappingURL=mac.js.map