@glassmkr/crucible 0.7.0 → 0.8.0

package/src/collect/memory.ts

@@ -1,30 +0,0 @@
-import { readProcFile, parseKb } from "../lib/parse.js";
-import type { MemoryInfo } from "../lib/types.js";
-
-export async function collectMemory(): Promise<MemoryInfo> {
-  const raw = readProcFile("/proc/meminfo") || "";
-  const kv: Record<string, string> = {};
-  for (const line of raw.split("\n")) {
-    const match = line.match(/^(\w+):\s+(.+)/);
-    if (match) kv[match[1]] = match[2];
-  }
-
-  const totalKb = parseKb(kv["MemTotal"]);
-  const availableKb = parseKb(kv["MemAvailable"]);
-  const swapTotalKb = parseKb(kv["SwapTotal"]);
-  const swapFreeKb = parseKb(kv["SwapFree"]);
-
-  const totalMb = Math.round(totalKb / 1024);
-  const availableMb = Math.round(availableKb / 1024);
-  const usedMb = totalMb - availableMb;
-  const swapTotalMb = Math.round(swapTotalKb / 1024);
-  const swapUsedMb = Math.round((swapTotalKb - swapFreeKb) / 1024);
-
-  return {
-    total_mb: totalMb,
-    used_mb: usedMb,
-    available_mb: availableMb,
-    swap_total_mb: swapTotalMb,
-    swap_used_mb: swapUsedMb,
-  };
-}

package/src/collect/network.ts

@@ -1,193 +0,0 @@
-import { readProcFile, sleep } from "../lib/parse.js";
-import { readFileSync, readdirSync } from "fs";
-import type { NetworkInfo } from "../lib/types.js";
-
-interface IfaceStats {
-  rx_bytes: number; rx_packets: number; rx_errors: number; rx_drops: number;
-  tx_bytes: number; tx_packets: number; tx_errors: number; tx_drops: number;
-}
-
-// Previous cumulative counters for delta computation (persists in process memory across cycles)
-interface PreviousCounters {
-  rx_errors: number;
-  tx_errors: number;
-  rx_drops: number;
-  tx_drops: number;
-  rx_packets: number;
-  tx_packets: number;
-  rx_crc_errors?: number;
-  rx_frame_errors?: number;
-  rx_length_errors?: number;
-  tx_carrier_errors?: number;
-}
-
-const previousCounters = new Map<string, PreviousCounters>();
-
-function readStatCounter(iface: string, name: string): number | undefined {
-  try {
-    const raw = readFileSync(`/sys/class/net/${iface}/statistics/${name}`, "utf-8").trim();
-    const val = parseInt(raw, 10);
-    return Number.isFinite(val) ? val : undefined;
-  } catch {
-    return undefined;
-  }
-}
-
-function parseNetDev(): Record<string, IfaceStats> {
-  const raw = readProcFile("/proc/net/dev") || "";
-  const result: Record<string, IfaceStats> = {};
-  for (const line of raw.split("\n").slice(2)) {
-    const match = line.match(/^\s*(\S+):\s+(.*)/);
-    if (!match) continue;
-    const name = match[1];
-    // Skip virtual interfaces
-    if (name === "lo" || name.startsWith("veth") || name.startsWith("docker") || name.startsWith("br-") || name.startsWith("virbr")) continue;
-    const parts = match[2].trim().split(/\s+/).map(Number);
-    result[name] = {
-      rx_bytes: parts[0] || 0, rx_packets: parts[1] || 0, rx_errors: parts[2] || 0, rx_drops: parts[3] || 0,
-      tx_bytes: parts[8] || 0, tx_packets: parts[9] || 0, tx_errors: parts[10] || 0, tx_drops: parts[11] || 0,
-    };
-  }
-  return result;
-}
-
-function getSpeed(iface: string): number {
-  try {
-    const speed = readFileSync(`/sys/class/net/${iface}/speed`, "utf-8").trim();
-    const val = parseInt(speed, 10);
-    return isNaN(val) || val <= 0 ? 0 : val;
-  } catch {
-    return 0;
-  }
-}
-
-function getOperstate(iface: string): string {
-  try {
-    return readFileSync(`/sys/class/net/${iface}/operstate`, "utf-8").trim();
-  } catch {
-    return "unknown";
-  }
-}
-
-function getBondMaster(iface: string): string | undefined {
-  try {
-    const bonds = readdirSync("/proc/net/bonding/");
-    for (const bond of bonds) {
-      const content = readFileSync(`/proc/net/bonding/${bond}`, "utf-8");
-      if (content.includes(`Slave Interface: ${iface}`)) return bond;
-    }
-  } catch {
-    // No bonds or /proc/net/bonding doesn't exist
-  }
-  return undefined;
-}
-
-function isBondMaster(iface: string): boolean {
-  try {
-    return readdirSync("/proc/net/bonding/").includes(iface);
-  } catch {
-    return false;
-  }
-}
-
-// Compute delta, handling counter wraps (current < previous means reset, use current as delta)
-function delta(current: number, previous: number): number {
-  if (current >= previous) return current - previous;
-  return current; // counter wrapped or reset
-}
-
-export async function collectNetwork(): Promise<NetworkInfo[]> {
-  const stats1 = parseNetDev();
-  await sleep(1000);
-  const stats2 = parseNetDev();
-
-  const currentIfaces = new Set<string>();
-  const results: NetworkInfo[] = [];
-
-  for (const [name, s2] of Object.entries(stats2)) {
-    const s1 = stats1[name];
-    if (!s1) continue;
-    currentIfaces.add(name);
-
-    const prev = previousCounters.get(name);
-
-    // /sys/class/net/*/statistics/ exposes finer-grained RX/TX subtype
-    // counters than /proc/net/dev. Read cumulative values here; delta is
-    // derived below against the previous cycle's snapshot.
-    const rxCrcCum = readStatCounter(name, "rx_crc_errors");
-    const rxFrameCum = readStatCounter(name, "rx_frame_errors");
-    const rxLenCum = readStatCounter(name, "rx_length_errors");
-    const txCarrierCum = readStatCounter(name, "tx_carrier_errors");
-
-    // Compute error/drop deltas (0 on first cycle after start or new interface)
-    let rxErrorsDelta = 0;
-    let txErrorsDelta = 0;
-    let rxDropsDelta = 0;
-    let txDropsDelta = 0;
-    let rxPacketsDelta = 0;
-    let txPacketsDelta = 0;
-    let rxCrcDelta: number | undefined;
-    let rxFrameDelta: number | undefined;
-    let rxLenDelta: number | undefined;
-    let txCarrierDelta: number | undefined;
-
-    if (prev) {
-      rxErrorsDelta = delta(s2.rx_errors, prev.rx_errors);
-      txErrorsDelta = delta(s2.tx_errors, prev.tx_errors);
-      rxDropsDelta = delta(s2.rx_drops, prev.rx_drops);
-      txDropsDelta = delta(s2.tx_drops, prev.tx_drops);
-      rxPacketsDelta = delta(s2.rx_packets, prev.rx_packets);
-      txPacketsDelta = delta(s2.tx_packets, prev.tx_packets);
-      if (rxCrcCum != null && prev.rx_crc_errors != null) rxCrcDelta = delta(rxCrcCum, prev.rx_crc_errors);
-      if (rxFrameCum != null && prev.rx_frame_errors != null) rxFrameDelta = delta(rxFrameCum, prev.rx_frame_errors);
-      if (rxLenCum != null && prev.rx_length_errors != null) rxLenDelta = delta(rxLenCum, prev.rx_length_errors);
-      if (txCarrierCum != null && prev.tx_carrier_errors != null) txCarrierDelta = delta(txCarrierCum, prev.tx_carrier_errors);
-    }
-
-    // Store current cumulative values for next cycle
-    previousCounters.set(name, {
-      rx_errors: s2.rx_errors,
-      tx_errors: s2.tx_errors,
-      rx_drops: s2.rx_drops,
-      tx_drops: s2.tx_drops,
-      rx_packets: s2.rx_packets,
-      tx_packets: s2.tx_packets,
-      rx_crc_errors: rxCrcCum,
-      rx_frame_errors: rxFrameCum,
-      rx_length_errors: rxLenCum,
-      tx_carrier_errors: txCarrierCum,
-    });
-
-    const entry: NetworkInfo = {
-      interface: name,
-      speed_mbps: getSpeed(name),
-      rx_bytes_sec: s2.rx_bytes - s1.rx_bytes, // already a 1-second delta
-      tx_bytes_sec: s2.tx_bytes - s1.tx_bytes,
-      rx_errors: rxErrorsDelta,
-      tx_errors: txErrorsDelta,
-      rx_drops: rxDropsDelta,
-      tx_drops: txDropsDelta,
-      rx_packets: rxPacketsDelta,
-      tx_packets: txPacketsDelta,
-      operstate: getOperstate(name),
-    };
-    if (rxCrcDelta !== undefined) entry.rx_crc_errors = rxCrcDelta;
-    if (rxFrameDelta !== undefined) entry.rx_frame_errors = rxFrameDelta;
-    if (rxLenDelta !== undefined) entry.rx_length_errors = rxLenDelta;
-    if (txCarrierDelta !== undefined) entry.tx_carrier_errors = txCarrierDelta;
-    const master = getBondMaster(name);
-    if (master) entry.bond_master = master;
-    // Identify bond masters (have at least one slave pointing at them).
-    if (isBondMaster(name)) entry.is_bond_master = true;
-    results.push(entry);
-  }
-
-  // Remove stale interfaces that disappeared
-  for (const name of previousCounters.keys()) {
-    if (!currentIfaces.has(name)) {
-      previousCounters.delete(name);
-    }
-  }
-
-  return results;
-}

package/src/collect/ntp.ts

@@ -1,114 +0,0 @@
-import { run } from "../lib/exec.js";
-
-export interface NtpData {
-  synced: boolean;
-  offset_seconds: number;
-  source: string;
-  daemon_running: boolean;
-  daemon_name: string;
-}
-
-// Check whether a systemd unit is active. Returns false for missing units, not-found, etc.
-async function isUnitActive(unit: string): Promise<boolean> {
-  const out = await run("systemctl", ["is-active", unit], 3000);
-  return out?.trim() === "active";
-}
-
-// Detect which time-sync daemon unit is currently active on the host, if any.
-// Returns "" when none are. We check the common names in order of preference.
-async function detectActiveDaemon(): Promise<string> {
-  const candidates = ["chrony", "chronyd", "systemd-timesyncd", "ntp", "ntpsec", "ntpd"];
-  for (const unit of candidates) {
-    if (await isUnitActive(unit)) return unit;
-  }
-  return "";
-}
-
-export async function collectNtp(): Promise<NtpData> {
-  // The authoritative "is the daemon running" check is systemctl is-active,
-  // not any derived flag from timedatectl. This catches daemon crashes and
-  // manual stops where the kernel clock is still synced.
-  const daemonName = await detectActiveDaemon();
-  const daemonRunning = daemonName !== "";
-
-  // Try timedatectl first (works for systemd-timesyncd and records the kernel
-  // NTPSynchronized flag regardless of which daemon set it).
-  const tdctl = await run("timedatectl", ["show", "--property=NTPSynchronized", "--value"]);
-  if (tdctl !== null && (tdctl.trim() === "yes" || tdctl.trim() === "no")) {
-    const synced = tdctl.trim() === "yes";
-
-    let offset = 0;
-    try {
-      const tsStatus = await run("timedatectl", ["timesync-status"]);
-      if (tsStatus) {
-        const match = tsStatus.match(/Offset:\s*([+-]?\d+\.?\d*)(us|ms|s)/);
-        if (match) {
-          const val = parseFloat(match[1]);
-          const unit = match[2];
-          if (unit === "us") offset = val / 1_000_000;
-          else if (unit === "ms") offset = val / 1000;
-          else offset = val;
-        }
-      }
-    } catch { /* offset stays 0 */ }
-
-    // Prefer an explicitly detected daemon name; fall back to systemd-timesyncd
-    // since timedatectl is most commonly the timesyncd frontend.
-    const source = daemonName || "systemd-timesyncd";
-    return { synced, offset_seconds: offset, source, daemon_running: daemonRunning, daemon_name: daemonName };
-  }
-
-  // Chrony tracking. Validate Leap status so we do not misread error text.
-  const chronyOut = await run("chronyc", ["tracking"]);
-  if (chronyOut) {
-    const leapMatch = chronyOut.match(/Leap status\s*:\s*(.+)/);
-    if (leapMatch) {
-      const synced = leapMatch[1].trim() === "Normal";
-      let offset = 0;
-      const offsetMatch = chronyOut.match(/Last offset\s*:\s*([+-]?\d+\.?\d*)\s*seconds/);
-      if (offsetMatch) offset = parseFloat(offsetMatch[1]);
-      return {
-        synced,
-        offset_seconds: Math.abs(offset),
-        source: daemonName || "chrony",
-        daemon_running: daemonRunning,
-        daemon_name: daemonName,
-      };
-    }
-  }
-
-  // ntpq peer table. Header check avoids false positives on error messages.
-  const ntpqOut = await run("ntpq", ["-pn"]);
-  if (ntpqOut) {
-    const hasHeader = ntpqOut.split("\n").some((line) => line.includes("remote"));
-    if (hasHeader) {
-      const synced = ntpqOut.split("\n").some((line) => line.startsWith("*"));
-      let offset = 0;
-      const selectedLine = ntpqOut.split("\n").find((line) => line.startsWith("*"));
-      if (selectedLine) {
-        const fields = selectedLine.trim().split(/\s+/);
-        if (fields.length >= 9) {
-          const rawOffset = parseFloat(fields[8]);
-          if (!isNaN(rawOffset)) offset = Math.abs(rawOffset) / 1000;
-        }
-      }
-      return {
-        synced,
-        offset_seconds: offset,
-        source: daemonName || "ntpd",
-        daemon_running: daemonRunning,
-        daemon_name: daemonName,
-      };
-    }
-  }
-
-  // No usable probe output. If systemd still reports a daemon as active, trust that;
-  // otherwise report fully down.
-  return {
-    synced: false,
-    offset_seconds: 0,
-    source: daemonName || "none",
-    daemon_running: daemonRunning,
-    daemon_name: daemonName,
-  };
-}

package/src/collect/os-alerts.ts

@@ -1,43 +0,0 @@
-import { run } from "../lib/exec.js";
-import { readProcFile } from "../lib/parse.js";
-import { readdirSync, readFileSync } from "fs";
-import type { OsAlerts } from "../lib/types.js";
-
-export async function collectOsAlerts(): Promise<OsAlerts> {
-  // OOM kills
-  let oomKills = 0;
-  const dmesg = await run("dmesg", ["--level=err,crit", "--since", "5 min ago"]);
-  if (dmesg) {
-    oomKills = (dmesg.match(/Out of memory/gi) || []).length;
-  }
-
-  // Zombie processes
-  let zombies = 0;
-  try {
-    const pids = readdirSync("/proc").filter((f) => /^\d+$/.test(f));
-    for (const pid of pids) {
-      try {
-        const stat = readFileSync(`/proc/${pid}/stat`, "utf-8");
-        // Field 3 is the state character
-        const state = stat.split(" ")[2];
-        if (state === "Z") zombies++;
-      } catch { /* process disappeared */ }
-    }
-  } catch { /* /proc not readable */ }
-
-  // Time drift (simple: check if chrony/ntp reports drift)
-  let timeDriftMs = 0;
-  const chrony = await run("chronyc", ["tracking"]);
-  if (chrony) {
-    const match = chrony.match(/System time\s*:\s*([\d.]+)\s*seconds\s*(slow|fast)/);
-    if (match) {
-      timeDriftMs = parseFloat(match[1]) * 1000;
-    }
-  }
-
-  return {
-    oom_kills_recent: oomKills,
-    zombie_processes: zombies,
-    time_drift_ms: Math.round(timeDriftMs * 100) / 100,
-  };
-}

package/src/collect/raid.ts

@@ -1,40 +0,0 @@
-import { readProcFile } from "../lib/parse.js";
-import type { RaidInfo } from "../lib/types.js";
-
-export async function collectRaid(): Promise<RaidInfo[]> {
-  const raw = readProcFile("/proc/mdstat");
-  if (!raw) return [];
-
-  const results: RaidInfo[] = [];
-  const lines = raw.split("\n");
-
-  for (let i = 0; i < lines.length; i++) {
-    const match = lines[i].match(/^(md\d+)\s*:\s*(\w+)\s+(\w+)\s+(.*)/);
-    if (!match) continue;
-
-    const device = match[1];
-    const status = match[2]; // "active" or "inactive"
-    const level = match[3]; // "raid1", "raid5", etc.
-    const disksPart = match[4];
-
-    // Parse component disks (e.g., "sda1[0] sdb1[1]")
-    const disks = (disksPart.match(/\w+\[\d+\]/g) || []).map((d) => d.replace(/\[\d+\]/, ""));
-
-    // Check next line for degraded status (e.g., "[UU_]" means one drive missing)
-    const statusLine = lines[i + 1] || "";
-    const bracketMatch = statusLine.match(/\[([U_]+)\]/);
-    const degraded = bracketMatch ? bracketMatch[1].includes("_") : false;
-
-    const failedDisks: string[] = [];
-    if (degraded && bracketMatch) {
-      const pattern = bracketMatch[1];
-      pattern.split("").forEach((c, idx) => {
-        if (c === "_" && disks[idx]) failedDisks.push(disks[idx]);
-      });
-    }
-
-    results.push({ device, level, status, degraded, disks, failed_disks: failedDisks });
-  }
-
-  return results;
-}

package/src/collect/security.ts

@@ -1,268 +0,0 @@
-import { run } from "../lib/exec.js";
-import { readFileSync, existsSync, readdirSync } from "fs";
-
-export interface SshSecurityStatus {
-  permitRootLogin: string;
-  passwordAuthentication: string;
-  rootPasswordExposed: boolean;
-}
-
-export interface FirewallStatus {
-  active: boolean;
-  source: string;
-  details: string;
-}
-
-export interface SecurityUpdateStatus {
-  distro: string;
-  pendingCount: number;
-  available: boolean;
-}
-
-export interface VulnerabilityStatus {
-  name: string;
-  status: string;
-  mitigated: boolean;
-}
-
-export interface KernelRebootStatus {
-  running: string;
-  installed: string;
-  needsReboot: boolean;
-}
-
-export interface AutoUpdateStatus {
-  configured: boolean;
-  mechanism: string;
-  details: string;
-}
-
-export interface SecurityData {
-  ssh: SshSecurityStatus | null;
-  firewall: FirewallStatus;
-  pending_updates: SecurityUpdateStatus | null;
-  kernel_vulns: VulnerabilityStatus[];
-  kernel_reboot: KernelRebootStatus | null;
-  auto_updates: AutoUpdateStatus;
-}
-
-export async function collectSecurity(): Promise<SecurityData> {
-  const [ssh, firewall, pendingUpdates, kernelVulns, kernelReboot, autoUpdates] = await Promise.all([
-    checkSshConfig(),
-    checkFirewall(),
-    checkSecurityUpdates(),
-    checkKernelVulnerabilities(),
-    checkKernelReboot(),
-    checkAutoUpdates(),
-  ]);
-
-  return { ssh, firewall, pending_updates: pendingUpdates, kernel_vulns: kernelVulns, kernel_reboot: kernelReboot, auto_updates: autoUpdates };
-}
-
-// === SSH ===
-
-async function checkSshConfig(): Promise<SshSecurityStatus | null> {
-  // Prefer sshd -T (resolves includes and match blocks)
-  const output = await run("sshd", ["-T"], 5000);
-  if (output) {
-    const getVal = (key: string): string => {
-      const line = output.split("\n").find((l) => l.startsWith(key + " "));
-      return line ? line.split(" ")[1].trim() : "";
-    };
-    const permitRootLogin = getVal("permitrootlogin");
-    const passwordAuth = getVal("passwordauthentication");
-    const rootPasswordExposed = permitRootLogin === "yes" && passwordAuth !== "no";
-    return { permitRootLogin, passwordAuthentication: passwordAuth, rootPasswordExposed };
-  }
-
-  // Fallback: parse sshd_config directly
-  try {
-    const config = readFileSync("/etc/ssh/sshd_config", "utf-8");
-    const lines = config.split("\n").map((l) => l.trim()).filter((l) => l && !l.startsWith("#"));
-    const find = (key: string): string | null => {
-      const line = lines.find((l) => l.toLowerCase().startsWith(key.toLowerCase()));
-      return line ? line.split(/\s+/)[1] : null;
-    };
-    const permitRootLogin = find("PermitRootLogin") || "prohibit-password";
-    const passwordAuth = find("PasswordAuthentication") || "yes";
-    const rootPasswordExposed = permitRootLogin.toLowerCase() === "yes" && passwordAuth.toLowerCase() !== "no";
-    return { permitRootLogin, passwordAuthentication: passwordAuth, rootPasswordExposed };
-  } catch {
-    return null;
-  }
-}
-
-// === Firewall ===
-
-async function checkFirewall(): Promise<FirewallStatus> {
-  // UFW: if installed, its status is authoritative (ignores Docker iptables chains)
-  const ufw = await run("ufw", ["status"], 5000);
-  if (ufw && ufw.includes("Status:")) {
-    const active = ufw.includes("Status: active");
-    return { active, source: "ufw", details: active ? "UFW is active" : "UFW is inactive" };
-  }
-
-  // firewalld: if installed, its status is authoritative
-  const fwd = await run("firewall-cmd", ["--state"], 5000);
-  if (fwd) {
-    if (fwd.trim() === "running") {
-      return { active: true, source: "firewalld", details: "firewalld is running" };
-    }
-    if (fwd.includes("not running") || fwd.includes("dead")) {
-      return { active: false, source: "firewalld", details: "firewalld is not running" };
-    }
-  }
-
-  // nftables (only if no managed firewall found)
-  const nft = await run("nft", ["list", "ruleset"], 5000);
-  if (nft) {
-    const ruleLines = nft.split("\n").filter((l) => l.trim().match(/^\s*(meta|ip |ip6 |tcp |udp |ct |drop|reject|accept)/));
-    if (ruleLines.length > 0) {
-      return { active: true, source: "nftables", details: `${ruleLines.length} nftables rules` };
-    }
-  }
-
-  // iptables fallback: filter out Docker/container chains to avoid false positives
-  const ipt = await run("iptables", ["-L", "-n"], 5000);
-  if (ipt) {
-    const lines = ipt.split("\n").filter((l) =>
-      l.trim() &&
-      !l.startsWith("Chain ") &&
-      !l.startsWith("target ") &&
-      !l.includes("DOCKER") &&
-      !l.includes("docker") &&
-      !l.includes("br-") &&
-      !l.includes("f2b-")
-    );
-    if (lines.length > 0) return { active: true, source: "iptables", details: `${lines.length} user iptables rules` };
-    if (ipt.includes("policy DROP") || ipt.includes("policy REJECT")) {
-      return { active: true, source: "iptables", details: "Default policy is DROP/REJECT" };
-    }
-  }
-
-  return { active: false, source: "none", details: "No firewall detected (checked ufw, firewalld, nftables, iptables)" };
-}
-
-// === Pending Security Updates ===
-
-async function checkSecurityUpdates(): Promise<SecurityUpdateStatus | null> {
-  let osRelease = "";
-  try { osRelease = readFileSync("/etc/os-release", "utf-8").toLowerCase(); } catch { return null; }
-
-  if (osRelease.includes("debian") || osRelease.includes("ubuntu") || osRelease.includes("mint")) {
-    const output = await run("bash", ["-c", 'apt list --upgradable 2>/dev/null | grep -i "security" | wc -l'], 30000);
-    if (output) {
-      const count = parseInt(output.trim()) || 0;
-      return { distro: osRelease.includes("ubuntu") ? "ubuntu" : "debian", pendingCount: count, available: true };
-    }
-    return { distro: "debian", pendingCount: 0, available: false };
-  }
-
-  if (osRelease.includes("rhel") || osRelease.includes("rocky") || osRelease.includes("alma") || osRelease.includes("fedora") || osRelease.includes("centos")) {
-    const cmd = existsSync("/usr/bin/dnf") ? "dnf" : "yum";
-    const output = await run("bash", ["-c", `${cmd} updateinfo list security --available 2>/dev/null | grep -c "/"`], 60000);
-    if (output) {
-      const count = parseInt(output.trim()) || 0;
-      const distro = osRelease.includes("rocky") ? "rocky" : osRelease.includes("alma") ? "alma" : osRelease.includes("fedora") ? "fedora" : "rhel";
-      return { distro, pendingCount: count, available: true };
-    }
-    return { distro: "rhel", pendingCount: 0, available: false };
-  }
-
-  return null;
-}
-
-// === Kernel Vulnerabilities ===
-
-function checkKernelVulnerabilities(): VulnerabilityStatus[] {
-  const vulnDir = "/sys/devices/system/cpu/vulnerabilities";
-  if (!existsSync(vulnDir)) return [];
-
-  try {
-    const files = readdirSync(vulnDir);
-    return files.map((file) => {
-      try {
-        const status = readFileSync(`${vulnDir}/${file}`, "utf-8").trim();
-        const mitigated = status.includes("Not affected") || status.includes("Mitigation:");
-        return { name: file, status, mitigated };
-      } catch {
-        return { name: file, status: "unknown", mitigated: true };
-      }
-    });
-  } catch {
-    return [];
-  }
-}
-
-// === Kernel Reboot ===
-
-async function checkKernelReboot(): Promise<KernelRebootStatus | null> {
-  const running = (await run("uname", ["-r"]))?.trim();
-  if (!running) return null;
-
-  // Method 1: reboot-required flag (Debian/Ubuntu)
-  if (existsSync("/var/run/reboot-required")) {
-    // Filter to versioned images only (e.g. linux-image-6.8.0-107-generic),
-    // excluding metapackages like linux-image-generic, linux-image-virtual.
-    const installed = (await run("bash", ["-c", 'dpkg -l "linux-image-*" 2>/dev/null | grep "^ii" | awk \'{print $2}\' | grep "linux-image-[0-9]" | sed "s/linux-image-//" | sort -V | tail -1']))?.trim() || "unknown";
-    return { running, installed, needsReboot: true };
-  }
-
-  // Method 2: Compare packages (Debian/Ubuntu)
-  // Same filter: only versioned images, no metapackages.
-  const debPkg = (await run("bash", ["-c", 'dpkg -l "linux-image-*" 2>/dev/null | grep "^ii" | awk \'{print $2}\' | grep "linux-image-[0-9]" | sed "s/linux-image-//" | sort -V | tail -1']))?.trim();
-  if (debPkg) {
-    return { running, installed: debPkg, needsReboot: debPkg !== running };
-  }
-
-  // Method 3: RPM-based
-  const rpmPkg = (await run("bash", ["-c", 'rpm -q kernel --queryformat "%{VERSION}-%{RELEASE}.%{ARCH}\\n" 2>/dev/null | sort -V | tail -1']))?.trim();
-  if (rpmPkg) {
-    return { running, installed: rpmPkg, needsReboot: rpmPkg !== running };
-  }
-
-  return null;
-}
-
-// === Auto Updates ===
-
-async function checkAutoUpdates(): Promise<AutoUpdateStatus> {
-  // Debian/Ubuntu: unattended-upgrades
-  const uuInstalled = await run("bash", ["-c", 'dpkg -l unattended-upgrades 2>/dev/null | grep "^ii"'], 5000);
-  if (uuInstalled) {
-    // Check config file
-    const autoConf = "/etc/apt/apt.conf.d/20auto-upgrades";
-    let configEnabled = false;
-    if (existsSync(autoConf)) {
-      const content = readFileSync(autoConf, "utf-8");
-      configEnabled = content.includes('Update-Package-Lists "1"') && content.includes('Unattended-Upgrade "1"');
-    }
-
-    // Check systemd service state
-    const serviceEnabled = (await run("bash", ["-c", "systemctl is-enabled unattended-upgrades 2>/dev/null"], 5000))?.trim() === "enabled";
-    const serviceActive = (await run("bash", ["-c", "systemctl is-active unattended-upgrades 2>/dev/null"], 5000))?.trim() === "active";
-
-    if (configEnabled && serviceEnabled) {
-      return { configured: true, mechanism: "unattended-upgrades", details: serviceActive ? "Installed, enabled, and running" : "Installed and enabled (service not active)" };
-    }
-    if (!configEnabled && !serviceEnabled) {
-      return { configured: false, mechanism: "unattended-upgrades", details: "Installed but not configured and service disabled" };
-    }
-    if (!serviceEnabled) {
-      return { configured: false, mechanism: "unattended-upgrades", details: "Installed and configured but service disabled" };
-    }
-    return { configured: false, mechanism: "unattended-upgrades", details: "Installed but not enabled in 20auto-upgrades" };
-  }
-
-  // RHEL/Rocky/Alma: dnf-automatic
-  const dnfAuto = await run("bash", ["-c", "rpm -q dnf-automatic 2>/dev/null"], 5000);
-  if (dnfAuto && !dnfAuto.includes("not installed")) {
-    const timerActive = await run("bash", ["-c", "systemctl is-enabled dnf-automatic-install.timer 2>/dev/null || systemctl is-enabled dnf-automatic.timer 2>/dev/null"], 5000);
-    if (timerActive && timerActive.includes("enabled")) {
-      return { configured: true, mechanism: "dnf-automatic", details: "Installed and timer enabled" };
-    }
-    return { configured: false, mechanism: "dnf-automatic", details: "Installed but timer not enabled" };
-  }
-
-  return { configured: false, mechanism: "none", details: "No automatic security update mechanism detected" };
-}