defense-mcp-server 0.7.0 → 0.7.2

package/CHANGELOG.md

@@ -6,6 +6,43 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ---
 
+## [0.7.1] — 2026-03-14
+
+### v0.7.1 — Critical PAM Hardening Fix
+
+#### Security Fix
+- **CRITICAL**: Fixed `pam_configure` action corrupting `/etc/pam.d/common-auth` — sed commands stripped whitespace separators between PAM fields, breaking ALL authentication system-wide (required GRUB recovery to fix)
+- **CRITICAL**: Fixed `[success=N]` jump count not being updated after faillock rule insertion — would cause authentication denial on Debian/Ubuntu systems
+
+#### New Module: `src/core/pam-utils.ts`
+- Safe in-memory PAM config parser/serializer replacing fragile sed-based manipulation
+- `parsePamConfig()` — Lossless parser handling comments, blanks, `@include`, bracket-style controls
+- `serializePamConfig()` — Serializer with proper formatting (matching `pam-auth-update` canonical format)
+- `validatePamConfig()` — Triple validation: field formatting, module existence, and `[success=N]` jump count correctness
+- `adjustJumpCounts()` — Automatically updates bracket-control jump counts when rules are inserted/removed
+- Manipulation helpers: `removeModuleRules()`, `insertBeforeModule()`, `insertAfterModule()` with pamType filter
+- Sudo-aware I/O: `readPamFile()`, `writePamFile()` (atomic via `sudo install`), `backupPamFile()`, `restorePamFile()`
+
+#### Safety Layers (Defense-in-Depth)
+- Mandatory backup before any PAM file modification
+- In-memory validation before writing (catches corrupted fields, missing pam_unix.so, wrong jump counts)
+- Atomic file write using `sudo install -m 644 -o root -g root` (no partial state)
+- Post-write re-read validation
+- Auto-rollback on ANY failure (restores from backup automatically)
+
+#### Security Review Remediations
+- Fixed partial write state on chmod/chown failure (atomic `sudo install`)
+- Fixed temp file symlink race (secure `mkdtempSync`)
+- Fixed insert helpers matching by module only (added pamType filter)
+- Fixed `backupPamFile` mutating BackupEntry internal state
+- Fixed `restorePamFile` leaking PAM content to stdout via `tee`
+- Added PAM modification warning to SafeguardRegistry
+
+#### Testing
+- 63 new tests in `tests/core/pam-utils.test.ts` covering parser, serializer, validator, jump count adjustment, manipulation helpers, and full faillock integration flow
+- 7 new tests in `tests/tools/access-control.test.ts` for pam_configure regression testing
+- Critical regression test: verifies concatenated PAM fields (the original lockout bug) can never be produced
+
 ## [0.7.0] — 2026-03-12
 
 ### v0.7.0 — Tool Consolidation & Sudo Hardening Overhaul
@@ -199,13 +236,13 @@ Major security remediation release consolidating 157 tools down to 78 action-bas
 
 - **Fix 1.1: Password Buffer Pipeline** — Sudo password now stored in a zeroable `Buffer` (not V8-interned strings). Auto-expires after configurable timeout. Temp files overwritten with random bytes before deletion.
 - **Fix 1.2: Command Allowlist** — All commands executed via `spawn()` are resolved against a strict allowlist of known-safe binaries. Unknown binaries are rejected before execution. Paths resolved to absolute at startup.
-- **Fix 1.3: Auto-Install Hardening** — `KALI_DEFENSE_AUTO_INSTALL` now defaults to `false`. When enabled, only packages from the `DEFENSIVE_TOOLS` catalog are installable — arbitrary package names are blocked.
+- **Fix 1.3: Auto-Install Hardening** — `DEFENSE_MCP_AUTO_INSTALL` now defaults to `false`. When enabled, only packages from the `DEFENSIVE_TOOLS` catalog are installable — arbitrary package names are blocked.
 - **Fix 1.4: Secure File Permissions** — All state files (`changelog.json`, `rollback-state.json`, backups, quarantine) created with `0o600`/`0o700` permissions. Existing directories hardened at startup via `hardenDirPermissions()`.
 
 ### Test Infrastructure (Phase 2)
 
 - **Fix 2.1: Vitest Test Suite** — 221 tests across 6 test files covering sanitizer, config, command-allowlist, secure-fs, changelog, and safeguards modules. All tests pass with zero failures.
-- **Fix 2.2: Backup/Rollback Unification** — `BackupManager` and `RollbackManager` consolidated under `~/.kali-defense/` with consistent secure file permissions.
+- **Fix 2.2: Backup/Rollback Unification** — `BackupManager` and `RollbackManager` consolidated under `~/.defense-mcp/` with consistent secure file permissions.
 - **Fix 2.3: Safeguards Real Blockers** — `SafeguardRegistry.checkSafety()` now produces real blocking conditions, not just advisory warnings.
 - **Fix 2.4: spawn-safe.ts Circular Dependency** — Extracted safe spawn helper to break circular dependency between `executor.ts` and `sudo-session.ts`.
 
@@ -306,8 +343,8 @@ Adds a comprehensive pre-flight validation system that automatically checks depe
 - `formatStatusMessage()` — compact one-line status for prepending to tool output
 
 #### New Environment Variables
-- `KALI_DEFENSE_PREFLIGHT` (default: `true`) — enable/disable pre-flight checks entirely
-- `KALI_DEFENSE_PREFLIGHT_BANNERS` (default: `true`) — show pre-flight status banners in tool output
+- `DEFENSE_MCP_PREFLIGHT` (default: `true`) — enable/disable pre-flight checks entirely
+- `DEFENSE_MCP_PREFLIGHT_BANNERS` (default: `true`) — show pre-flight status banners in tool output
 
 ### Changed
 
@@ -448,7 +485,7 @@ Major release expanding the server from 69 tools across 12 categories to 130+ to
 - All detection errors are caught gracefully and converted to warnings rather than failures
 
 #### `src/core/backup-manager.ts` — BackupManager
-- Manages file backups with manifest tracking under `~/.kali-mcp-backups/`
+- Manages file backups with manifest tracking under `~/.defense-mcp-backups/`
 - Each backup entry has a UUID, original path, backup path, timestamp, and size
 - `manifest.json` maintains the full backup inventory for list and restore operations
 - `backup(filePath)` — creates timestamped copy and adds to manifest, returns UUID
@@ -458,7 +495,7 @@ Major release expanding the server from 69 tools across 12 categories to 130+ to
 
 #### `src/core/rollback.ts` — RollbackManager
 - Singleton that tracks system changes within and across sessions
-- State persisted to `~/.kali-defense/rollback-state.json`
+- State persisted to `~/.defense-mcp/rollback-state.json`
 - Supports four change types: `file` (backup path), `sysctl` (previous value), `service` (previous state), `firewall` (rollback command)
 - `rollback(operationId)` — reverses all changes for a specific operation in reverse order
 - `rollbackSession(sessionId)` — reverses all changes from the current session

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2026 Kali Defense Contributors
+Copyright (c) 2026 Defense MCP Server Contributors
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md

@@ -2,11 +2,14 @@
 
 A Model Context Protocol (MCP) server that gives AI assistants access to **94 defensive security tools** on Linux. Connect it to Claude Desktop, Cursor, or any MCP-compatible client to harden systems, manage firewalls, scan for vulnerabilities, and enforce compliance — all through natural language conversation.
 
-## What It Does
+## Why I Made This
+Basically I'm a total noob when it comes to really serious system hardening so I thought I'd test the latest LLM models and see how far I could get. Turns out they're pretty helpful! I got tired of hardening my new systems by hand every time I spun up a new one so I made this MCP server to make it pretty easy. I jam packed as many security tools as I could into this thing so be prepared to burn tokens using it. Hopefully it helps you about half as much as its helped me. 
 
-This server exposes Linux security tools as MCP tools that an AI assistant can invoke on your behalf. Instead of memorizing command syntax for dozens of security utilities, you describe what you want in plain English and the assistant calls the right tool with the right parameters.
+## So What It Does
 
-The 94 tools are organized into 32 modules:
+This server exposes Linux security tools as MCP tools that an AI assistant can invoke on your behalf. Instead of memorizing command syntax for dozens of security utilities, you describe what you want in plain English and the assistant calls the right tool with the right parameters. Sounds pretty good right!
+
+Here are the tools:
 
 | Module | What It Does |
 |--------|-------------|
@@ -75,7 +78,7 @@ You don't need to pre-install every security tool. The server automatically dete
 
 To disable auto-installation entirely, run with:
 ```bash
-KALI_DEFENSE_AUTO_INSTALL=false node build/index.js
+DEFENSE_MCP_AUTO_INSTALL=false node build/index.js
 ```
 
 ## Requirements
@@ -183,18 +186,18 @@ Configuration is via environment variables. All have secure defaults:
 
 | Variable | Default | Description |
 |----------|---------|-------------|
-| `KALI_DEFENSE_DRY_RUN` | `true` | Preview changes without applying |
-| `KALI_DEFENSE_REQUIRE_CONFIRMATION` | `true` | Require confirmation for destructive actions |
-| `KALI_DEFENSE_ALLOWED_DIRS` | `/tmp,/home,/var/log` | Directories the server can access |
-| `KALI_DEFENSE_LOG_LEVEL` | `info` | Log verbosity (debug/info/warn/error) |
-| `KALI_DEFENSE_BACKUP_ENABLED` | `true` | Auto-backup before system changes |
-| `KALI_DEFENSE_AUTO_INSTALL` | `true` | Auto-install missing tool dependencies |
-| `KALI_DEFENSE_PREFLIGHT` | `true` | Enable pre-flight dependency checks |
-| `KALI_DEFENSE_PREFLIGHT_BANNERS` | `true` | Show pre-flight status in tool output |
+| `DEFENSE_MCP_DRY_RUN` | `true` | Preview changes without applying |
+| `DEFENSE_MCP_REQUIRE_CONFIRMATION` | `true` | Require confirmation for destructive actions |
+| `DEFENSE_MCP_ALLOWED_DIRS` | `/tmp,/home,/var/log` | Directories the server can access |
+| `DEFENSE_MCP_LOG_LEVEL` | `info` | Log verbosity (debug/info/warn/error) |
+| `DEFENSE_MCP_BACKUP_ENABLED` | `true` | Auto-backup before system changes |
+| `DEFENSE_MCP_AUTO_INSTALL` | `true` | Auto-install missing tool dependencies |
+| `DEFENSE_MCP_PREFLIGHT` | `true` | Enable pre-flight dependency checks |
+| `DEFENSE_MCP_PREFLIGHT_BANNERS` | `true` | Show pre-flight status in tool output |
 
 To apply changes for real (not just preview), set:
 ```bash
-KALI_DEFENSE_DRY_RUN=false node build/index.js
+DEFENSE_MCP_DRY_RUN=false node build/index.js
 ```
 
 ## Security

package/build/core/auto-installer.d.ts

@@ -4,7 +4,7 @@
  * Handles installation of missing dependencies across system package managers
  * (apt, dnf, yum, pacman, apk, zypper, brew), pip, and npm.  This module is
  * part of the pre-flight validation pipeline and is invoked when
- * `KALI_DEFENSE_AUTO_INSTALL=true`.
+ * `DEFENSE_MCP_AUTO_INSTALL=true`.
  *
  * Design constraints:
  *   - Uses `execFileSafe` from `spawn-safe.ts` (NOT the executor) to avoid

package/build/core/auto-installer.js

@@ -4,7 +4,7 @@
  * Handles installation of missing dependencies across system package managers
  * (apt, dnf, yum, pacman, apk, zypper, brew), pip, and npm.  This module is
  * part of the pre-flight validation pipeline and is invoked when
- * `KALI_DEFENSE_AUTO_INSTALL=true`.
+ * `DEFENSE_MCP_AUTO_INSTALL=true`.
  *
  * Design constraints:
  *   - Uses `execFileSafe` from `spawn-safe.ts` (NOT the executor) to avoid
@@ -310,7 +310,7 @@ export class AutoInstaller {
                     type: "binary",
                     method: "skipped",
                     success: false,
-                    message: "Auto-install is disabled (set KALI_DEFENSE_AUTO_INSTALL=true to enable)",
+                    message: "Auto-install is disabled (set DEFENSE_MCP_AUTO_INSTALL=true to enable)",
                 });
             }
             for (const dep of missingPython ?? []) {
@@ -319,7 +319,7 @@ export class AutoInstaller {
                     type: "python-module",
                     method: "skipped",
                     success: false,
-                    message: "Auto-install is disabled (set KALI_DEFENSE_AUTO_INSTALL=true to enable)",
+                    message: "Auto-install is disabled (set DEFENSE_MCP_AUTO_INSTALL=true to enable)",
                 });
             }
             for (const dep of missingNpm ?? []) {
@@ -328,7 +328,7 @@ export class AutoInstaller {
                     type: "npm-package",
                     method: "skipped",
                     success: false,
-                    message: "Auto-install is disabled (set KALI_DEFENSE_AUTO_INSTALL=true to enable)",
+                    message: "Auto-install is disabled (set DEFENSE_MCP_AUTO_INSTALL=true to enable)",
                 });
             }
             for (const dep of missingLibraries ?? []) {
@@ -337,7 +337,7 @@ export class AutoInstaller {
                     type: "library",
                     method: "skipped",
                     success: false,
-                    message: "Auto-install is disabled (set KALI_DEFENSE_AUTO_INSTALL=true to enable)",
+                    message: "Auto-install is disabled (set DEFENSE_MCP_AUTO_INSTALL=true to enable)",
                 });
             }
             return {

package/build/core/backup-manager.d.ts

@@ -1,7 +1,7 @@
 /**
  * BackupManager — manages file backups with manifest tracking.
  *
- * Backups are stored under ~/.kali-defense/backups/ with timestamped filenames.
+ * Backups are stored under ~/.defense-mcp/backups/ with timestamped filenames.
  * A manifest.json tracks all backups for listing and restore operations.
  */
 export interface BackupEntry {

package/build/core/backup-manager.js

@@ -1,7 +1,7 @@
 /**
  * BackupManager — manages file backups with manifest tracking.
  *
- * Backups are stored under ~/.kali-defense/backups/ with timestamped filenames.
+ * Backups are stored under ~/.defense-mcp/backups/ with timestamped filenames.
  * A manifest.json tracks all backups for listing and restore operations.
  */
 import { existsSync, readFileSync, unlinkSync, statSync, lstatSync, } from "node:fs";
@@ -59,7 +59,7 @@ export class BackupManager {
     backupDir;
     manifestPath;
     constructor(backupDir) {
-        this.backupDir = backupDir ?? join(homedir(), ".kali-defense", "backups");
+        this.backupDir = backupDir ?? join(homedir(), ".defense-mcp", "backups");
         this.manifestPath = join(this.backupDir, "manifest.json");
     }
     /** Ensure backup directory exists. */

package/build/core/changelog.d.ts

@@ -59,7 +59,7 @@ export declare function logChange(entry: ChangeEntry): void;
 export declare function getChangelog(limit?: number): ChangeEntry[];
 /**
  * Creates a backup copy of a file using the unified BackupManager.
- * The backup is tracked in the manifest at ~/.kali-defense/backups/manifest.json.
+ * The backup is tracked in the manifest at ~/.defense-mcp/backups/manifest.json.
  *
  * @param filePath Absolute path to the file to back up
  * @returns Path to the backup file

package/build/core/changelog.js

@@ -97,7 +97,7 @@ export function getChangelog(limit) {
 }
 /**
  * Creates a backup copy of a file using the unified BackupManager.
- * The backup is tracked in the manifest at ~/.kali-defense/backups/manifest.json.
+ * The backup is tracked in the manifest at ~/.defense-mcp/backups/manifest.json.
  *
  * @param filePath Absolute path to the file to back up
  * @returns Path to the backup file

package/build/core/command-allowlist.js

@@ -324,10 +324,10 @@ let initialized = false;
  * mitigating TOCTOU (time-of-check-time-of-use) attacks where a binary is
  * replaced between startup resolution and runtime execution.
  *
- * Configurable via KALI_DEFENSE_RUNTIME_PATH_VERIFY env var.
+ * Configurable via DEFENSE_MCP_RUNTIME_PATH_VERIFY env var.
  * Default: true (verify at runtime). Set to "false" to disable for performance.
  */
-let runtimePathVerification = process.env.KALI_DEFENSE_RUNTIME_PATH_VERIFY !== "false";
+let runtimePathVerification = process.env.DEFENSE_MCP_RUNTIME_PATH_VERIFY !== "false";
 // Populate the map immediately so `isAllowlisted()` works before init
 for (const entry of ALLOWLIST_DEFINITIONS) {
     allowlistMap.set(entry.binary, entry);
@@ -349,7 +349,7 @@ export function initializeAllowlist() {
     // Clear reverse map for re-initialization
     reversePathMap.clear();
     // Re-read runtime path verification setting on re-init
-    runtimePathVerification = process.env.KALI_DEFENSE_RUNTIME_PATH_VERIFY !== "false";
+    runtimePathVerification = process.env.DEFENSE_MCP_RUNTIME_PATH_VERIFY !== "false";
     for (const entry of ALLOWLIST_DEFINITIONS) {
         entry.resolvedPath = undefined;
         entry.resolvedInode = undefined;

package/build/core/config.d.ts

@@ -1,11 +1,11 @@
 /**
  * Known defensive tools that support per-tool timeout overrides
- * via KALI_DEFENSE_TIMEOUT_<TOOL> environment variables.
+ * via DEFENSE_MCP_TIMEOUT_<TOOL> environment variables.
  */
 export declare const KNOWN_TOOLS: readonly ["lynis", "aide", "clamav", "oscap", "snort", "suricata", "rkhunter", "chkrootkit", "tcpdump", "auditd", "nmap", "fail2ban-client", "debsums", "yara"];
 export type KnownTool = (typeof KNOWN_TOOLS)[number];
 /**
- * Configuration interface for the Kali Defense MCP Server.
+ * Configuration interface for the Defense MCP Server.
  * All values are derived from environment variables with sensible defaults.
  */
 export interface DefenseConfig {
@@ -21,7 +21,7 @@ export interface DefenseConfig {
      * SECURITY (CICD-014): Dry-run mode — when true, modifying operations preview
      * commands without executing them. Defaults to `true` so the server operates
      * in a safe, read-only mode until explicitly opted out via
-     * KALI_DEFENSE_DRY_RUN=false. This prevents accidental system modifications.
+     * DEFENSE_MCP_DRY_RUN=false. This prevents accidental system modifications.
      */
     dryRun: boolean;
     /** Path to the changelog JSON file */
@@ -32,7 +32,7 @@ export interface DefenseConfig {
      * SECURITY (CICD-014): Whether to create backups before modifying files.
      * Defaults to `true` — every file modification is backed up first so that
      * changes can be rolled back if needed. Disable only in CI/test environments
-     * via KALI_DEFENSE_BACKUP_ENABLED=false.
+     * via DEFENSE_MCP_BACKUP_ENABLED=false.
      */
     backupEnabled: boolean;
     /** Whether to auto-install missing tools */
@@ -44,7 +44,7 @@ export interface DefenseConfig {
      * actions. Defaults to `true` — the server will request explicit confirmation
      * before executing operations that modify system state. Disable only when
      * running automated/unattended workflows via
-     * KALI_DEFENSE_REQUIRE_CONFIRMATION=false.
+     * DEFENSE_MCP_REQUIRE_CONFIRMATION=false.
      */
     requireConfirmation: boolean;
     /** Directory for quarantined files */
@@ -55,9 +55,9 @@ export interface DefenseConfig {
     toolTimeouts: Partial<Record<KnownTool, number>>;
     /** Sudo session timeout in milliseconds (default: 15 minutes) */
     sudoSessionTimeout: number;
-    /** Command execution timeout in ms (falls back to defaultTimeout; env: KALI_DEFENSE_COMMAND_TIMEOUT) */
+    /** Command execution timeout in ms (falls back to defaultTimeout; env: DEFENSE_MCP_COMMAND_TIMEOUT) */
     commandTimeout: number;
-    /** Network operation timeout in ms (default: 30s; env: KALI_DEFENSE_NETWORK_TIMEOUT) */
+    /** Network operation timeout in ms (default: 30s; env: DEFENSE_MCP_NETWORK_TIMEOUT) */
     networkTimeout: number;
 }
 /**

package/build/core/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,eAAO,MAAM,WAAW,iKAed,CAAC;AAEX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,MAAM,CAAC,CAAC;AAErD;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,8CAA8C;IAC9C,cAAc,EAAE,MAAM,CAAC;IACvB,0CAA0C;IAC1C,SAAS,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,oBAAoB;IACpB,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC9C;;;;;OAKG;IACH,MAAM,EAAE,OAAO,CAAC;IAChB,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB;;;;;OAKG;IACH,aAAa,EAAE,OAAO,CAAC;IACvB,4CAA4C;IAC5C,WAAW,EAAE,OAAO,CAAC;IACrB,wCAAwC;IACxC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB;;;;;;OAMG;IACH,mBAAmB,EAAE,OAAO,CAAC;IAC7B,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,iDAAiD;IACjD,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;IACjD,iEAAiE;IACjE,kBAAkB,EAAE,MAAM,CAAC;IAC3B,wGAAwG;IACxG,cAAc,EAAE,MAAM,CAAC;IACvB,wFAAwF;IACxF,cAAc,EAAE,MAAM,CAAC;CACxB;AAmGD;;;;GAIG;AACH,wBAAgB,SAAS,IAAI,aAAa,CAQzC;AAwFD;;;GAGG;AACH,wBAAgB,qBAAqB,IAAI,IAAI,CAG5C;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,aAAa,GACrB,MAAM,CAIR"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,eAAO,MAAM,WAAW,iKAed,CAAC;AAEX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,MAAM,CAAC,CAAC;AAErD;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,8CAA8C;IAC9C,cAAc,EAAE,MAAM,CAAC;IACvB,0CAA0C;IAC1C,SAAS,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,oBAAoB;IACpB,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC9C;;;;;OAKG;IACH,MAAM,EAAE,OAAO,CAAC;IAChB,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB;;;;;OAKG;IACH,aAAa,EAAE,OAAO,CAAC;IACvB,4CAA4C;IAC5C,WAAW,EAAE,OAAO,CAAC;IACrB,wCAAwC;IACxC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB;;;;;;OAMG;IACH,mBAAmB,EAAE,OAAO,CAAC;IAC7B,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,iDAAiD;IACjD,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;IACjD,iEAAiE;IACjE,kBAAkB,EAAE,MAAM,CAAC;IAC3B,uGAAuG;IACvG,cAAc,EAAE,MAAM,CAAC;IACvB,uFAAuF;IACvF,cAAc,EAAE,MAAM,CAAC;CACxB;AAmGD;;;;GAIG;AACH,wBAAgB,SAAS,IAAI,aAAa,CAQzC;AAwFD;;;GAGG;AACH,wBAAgB,qBAAqB,IAAI,IAAI,CAG5C;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,aAAa,GACrB,MAAM,CAIR"}

package/build/core/config.js

@@ -2,7 +2,7 @@ import { homedir } from "node:os";
 import { join } from "node:path";
 /**
  * Known defensive tools that support per-tool timeout overrides
- * via KALI_DEFENSE_TIMEOUT_<TOOL> environment variables.
+ * via DEFENSE_MCP_TIMEOUT_<TOOL> environment variables.
  */
 export const KNOWN_TOOLS = [
     "lynis",
@@ -50,19 +50,19 @@ function parsePaths(value, defaultValue) {
     return paths.filter((p) => {
         // Reject root directory and single-character root-level paths (e.g. "/")
         if (REJECTED_DIRS.has(p) || (p.startsWith("/") && p.length <= 2 && p !== "/" + p.slice(1).replace(/\//g, ""))) {
-            console.error(`[KALI-DEFENSE] SECURITY: Rejecting overly broad allowedDir '${p}' — ` +
+            console.error(`[DEFENSE-MCP] SECURITY: Rejecting overly broad allowedDir '${p}' — ` +
                 `granting access to the entire filesystem is not permitted.`);
             return false;
         }
         // Reject any single-character root-level path like "/x"
         if (/^\/[^/]$/.test(p)) {
-            console.error(`[KALI-DEFENSE] SECURITY: Rejecting overly broad allowedDir '${p}' — ` +
+            console.error(`[DEFENSE-MCP] SECURITY: Rejecting overly broad allowedDir '${p}' — ` +
                 `single-character root-level paths are not permitted.`);
             return false;
         }
         // Warn about broad directories
         if (BROAD_DIRS.has(p)) {
-            console.error(`[KALI-DEFENSE] WARNING: allowedDir '${p}' is very broad. ` +
+            console.error(`[DEFENSE-MCP] WARNING: allowedDir '${p}' is very broad. ` +
                 `Consider using a more specific subdirectory.`);
         }
         return true;
@@ -80,12 +80,12 @@ function parseLogLevel(value) {
 }
 /**
  * Reads per-tool timeout overrides from environment variables.
- * Format: KALI_DEFENSE_TIMEOUT_<TOOL> (value in seconds, stored as ms).
+ * Format: DEFENSE_MCP_TIMEOUT_<TOOL> (value in seconds, stored as ms).
  */
 function parseToolTimeouts() {
     const timeouts = {};
     for (const tool of KNOWN_TOOLS) {
-        const envKey = `KALI_DEFENSE_TIMEOUT_${tool.toUpperCase()}`;
+        const envKey = `DEFENSE_MCP_TIMEOUT_${tool.toUpperCase()}`;
         const value = process.env[envKey];
         if (value !== undefined) {
             const seconds = parseInt(value, 10);
@@ -119,8 +119,8 @@ export function getConfig() {
  * This is the actual parsing logic, called by the cached `getConfig()` wrapper.
  */
 function buildConfigFromEnv() {
-    const defaultTimeoutSec = parseInt(process.env.KALI_DEFENSE_TIMEOUT_DEFAULT ?? "120", 10);
-    const maxBufferBytes = parseInt(process.env.KALI_DEFENSE_MAX_OUTPUT_SIZE ?? String(10 * 1024 * 1024), 10);
+    const defaultTimeoutSec = parseInt(process.env.DEFENSE_MCP_TIMEOUT_DEFAULT ?? "120", 10);
+    const maxBufferBytes = parseInt(process.env.DEFENSE_MCP_MAX_OUTPUT_SIZE ?? String(10 * 1024 * 1024), 10);
     const config = {
         defaultTimeout: isNaN(defaultTimeoutSec) || defaultTimeoutSec <= 0
             ? 120_000
@@ -132,26 +132,26 @@ function buildConfigFromEnv() {
         // contains sensitive system configuration files (shadow, sudoers, ssh configs).
         // Granting default read/write access to /etc is too permissive. Tools that
         // need /etc access should require explicit configuration via
-        // KALI_DEFENSE_ALLOWED_DIRS=/tmp,/home,/var/log,/etc
-        allowedDirs: parsePaths(process.env.KALI_DEFENSE_ALLOWED_DIRS, "/tmp,/home,/var/log"),
-        logLevel: parseLogLevel(process.env.KALI_DEFENSE_LOG_LEVEL),
+        // DEFENSE_MCP_ALLOWED_DIRS=/tmp,/home,/var/log,/etc
+        allowedDirs: parsePaths(process.env.DEFENSE_MCP_ALLOWED_DIRS, "/tmp,/home,/var/log"),
+        logLevel: parseLogLevel(process.env.DEFENSE_MCP_LOG_LEVEL),
         // SECURITY (CICD-014): Default to dry-run=true (safe preview mode)
-        // Set KALI_DEFENSE_DRY_RUN=false to enable live system modifications
-        dryRun: process.env.KALI_DEFENSE_DRY_RUN !== "false",
-        changelogPath: expandHome(process.env.KALI_DEFENSE_CHANGELOG_PATH ??
-            "~/.kali-defense/changelog.json"),
-        backupDir: expandHome(process.env.KALI_DEFENSE_BACKUP_DIR ?? "~/.kali-defense/backups"),
+        // Set DEFENSE_MCP_DRY_RUN=false to enable live system modifications
+        dryRun: process.env.DEFENSE_MCP_DRY_RUN !== "false",
+        changelogPath: expandHome(process.env.DEFENSE_MCP_CHANGELOG_PATH ??
+            "~/.defense-mcp/changelog.json"),
+        backupDir: expandHome(process.env.DEFENSE_MCP_BACKUP_DIR ?? "~/.defense-mcp/backups"),
         // SECURITY (CICD-014): Backup before modify — enabled by default
-        // Set KALI_DEFENSE_BACKUP_ENABLED=false only in CI/test environments
-        backupEnabled: process.env.KALI_DEFENSE_BACKUP_ENABLED !== "false",
-        autoInstall: process.env.KALI_DEFENSE_AUTO_INSTALL === "true",
-        protectedPaths: parsePaths(process.env.KALI_DEFENSE_PROTECTED_PATHS, "/boot,/usr/lib/systemd,/usr/bin,/usr/sbin"),
-        requireConfirmation: process.env.KALI_DEFENSE_REQUIRE_CONFIRMATION !== "false",
-        quarantineDir: expandHome(process.env.KALI_DEFENSE_QUARANTINE_DIR ?? "~/.kali-defense/quarantine"),
-        policyDir: expandHome(process.env.KALI_DEFENSE_POLICY_DIR ?? "~/.kali-defense/policies"),
+        // Set DEFENSE_MCP_BACKUP_ENABLED=false only in CI/test environments
+        backupEnabled: process.env.DEFENSE_MCP_BACKUP_ENABLED !== "false",
+        autoInstall: process.env.DEFENSE_MCP_AUTO_INSTALL === "true",
+        protectedPaths: parsePaths(process.env.DEFENSE_MCP_PROTECTED_PATHS, "/boot,/usr/lib/systemd,/usr/bin,/usr/sbin"),
+        requireConfirmation: process.env.DEFENSE_MCP_REQUIRE_CONFIRMATION !== "false",
+        quarantineDir: expandHome(process.env.DEFENSE_MCP_QUARANTINE_DIR ?? "~/.defense-mcp/quarantine"),
+        policyDir: expandHome(process.env.DEFENSE_MCP_POLICY_DIR ?? "~/.defense-mcp/policies"),
         toolTimeouts: parseToolTimeouts(),
         sudoSessionTimeout: (() => {
-            const envVal = process.env.KALI_DEFENSE_SUDO_TIMEOUT;
+            const envVal = process.env.DEFENSE_MCP_SUDO_TIMEOUT;
             if (envVal) {
                 const minutes = parseInt(envVal, 10);
                 if (!isNaN(minutes) && minutes > 0)
@@ -160,17 +160,17 @@ function buildConfigFromEnv() {
             return 15 * 60 * 1000; // default: 15 minutes
         })(),
         commandTimeout: (() => {
-            const sec = parseInt(process.env.KALI_DEFENSE_COMMAND_TIMEOUT ?? "120", 10);
+            const sec = parseInt(process.env.DEFENSE_MCP_COMMAND_TIMEOUT ?? "120", 10);
             return isNaN(sec) || sec <= 0 ? 120_000 : sec * 1000;
         })(),
         networkTimeout: (() => {
-            const sec = parseInt(process.env.KALI_DEFENSE_NETWORK_TIMEOUT ?? "30", 10);
+            const sec = parseInt(process.env.DEFENSE_MCP_NETWORK_TIMEOUT ?? "30", 10);
             return isNaN(sec) || sec <= 0 ? 30_000 : sec * 1000;
         })(),
     };
     // Warn when dry-run is active so operators know no changes will be applied
     if (config.dryRun) {
-        console.error("[KALI-DEFENSE] DRY_RUN mode is ACTIVE — no changes will be applied");
+        console.error("[DEFENSE-MCP] DRY_RUN mode is ACTIVE — no changes will be applied");
     }
     return config;
 }

package/build/core/dependency-validator.d.ts

@@ -1,9 +1,9 @@
 /**
- * Dependency Validator for Kali Defense MCP Server.
+ * Dependency Validator for Defense MCP Server.
  *
  * Provides three key capabilities:
  * 1. **Startup validation** — checks all tool dependencies when the server starts
- *    and auto-installs missing ones if KALI_DEFENSE_AUTO_INSTALL=true
+ *    and auto-installs missing ones if DEFENSE_MCP_AUTO_INSTALL=true
  * 2. **Runtime dependency check** — `ensureDependencies()` can be called before
  *    any tool execution to verify (and optionally install) required binaries
  * 3. **Dependency status cache** — avoids redundant `which` calls by caching

package/build/core/dependency-validator.js

@@ -1,9 +1,9 @@
 /**
- * Dependency Validator for Kali Defense MCP Server.
+ * Dependency Validator for Defense MCP Server.
  *
  * Provides three key capabilities:
  * 1. **Startup validation** — checks all tool dependencies when the server starts
- *    and auto-installs missing ones if KALI_DEFENSE_AUTO_INSTALL=true
+ *    and auto-installs missing ones if DEFENSE_MCP_AUTO_INSTALL=true
  * 2. **Runtime dependency check** — `ensureDependencies()` can be called before
  *    any tool execution to verify (and optionally install) required binaries
  * 3. **Dependency status cache** — avoids redundant `which` calls by caching
@@ -215,7 +215,7 @@ export async function validateAllDependencies() {
         for (const cm of criticalMissing) {
             console.error(`[dep-validator]   - ${cm.toolName}: needs ${cm.missingBinaries.join(", ")}`);
         }
-        console.error(`[dep-validator] Set KALI_DEFENSE_AUTO_INSTALL=true to auto-install missing tools`);
+        console.error(`[dep-validator] Set DEFENSE_MCP_AUTO_INSTALL=true to auto-install missing tools`);
     }
     return report;
 }
@@ -330,7 +330,7 @@ export async function isBinaryInstalled(binary) {
 export function formatValidationReport(report) {
     const lines = [];
     lines.push("╔══════════════════════════════════════════════════════════╗");
-    lines.push("║       Kali Defense MCP — Dependency Validation          ║");
+    lines.push("║       Defense MCP — Dependency Validation          ║");
     lines.push("╚══════════════════════════════════════════════════════════╝");
     lines.push("");
     lines.push(`  Binaries checked:    ${report.totalChecked}`);
@@ -367,7 +367,7 @@ export function formatValidationReport(report) {
     lines.push("");
     lines.push(`  Auto-install: ${report.autoInstallEnabled ? "ENABLED" : "DISABLED"}`);
     if (!report.autoInstallEnabled && report.missing.length > 0) {
-        lines.push("  💡 Set KALI_DEFENSE_AUTO_INSTALL=true to auto-install missing tools");
+        lines.push("  💡 Set DEFENSE_MCP_AUTO_INSTALL=true to auto-install missing tools");
     }
     lines.push(`  Duration: ${report.durationMs}ms`);
     return lines.join("\n");

package/build/core/distro-adapter.d.ts

@@ -1,5 +1,5 @@
 /**
- * DistroAdapter — unified cross-distribution API for the Kali Defense MCP Server.
+ * DistroAdapter — unified cross-distribution API for the Defense MCP Server.
  *
  * This module provides a single, cached adapter instance that abstracts away
  * distribution-specific differences in:

package/build/core/distro-adapter.js

@@ -1,5 +1,5 @@
 /**
- * DistroAdapter — unified cross-distribution API for the Kali Defense MCP Server.
+ * DistroAdapter — unified cross-distribution API for the Defense MCP Server.
  *
  * This module provides a single, cached adapter instance that abstracts away
  * distribution-specific differences in:

package/build/core/encrypted-state.d.ts

@@ -5,7 +5,7 @@
  * policy files, sudo session tokens, and other sensitive state.
  *
  * Key derivation uses PBKDF2 from a configurable secret via the
- * `KALI_DEFENSE_STATE_KEY` environment variable. If no key is
+ * `DEFENSE_MCP_STATE_KEY` environment variable. If no key is
  * configured, falls back to unencrypted mode with a warning.
  *
  * @module encrypted-state
@@ -13,15 +13,15 @@
 /**
  * Encrypted state storage for sensitive data at rest.
  *
- * Uses AES-256-GCM with PBKDF2-derived keys when `KALI_DEFENSE_STATE_KEY`
+ * Uses AES-256-GCM with PBKDF2-derived keys when `DEFENSE_MCP_STATE_KEY`
  * is set. Falls back to plaintext JSON when no key is configured.
  */
 export declare class SecureStateStore {
     private readonly stateDir;
     private readonly secret;
     /**
-     * @param stateDir - Directory for state files (default: `/tmp/kali-defense/state/`)
-     * @param secret - Encryption secret. If omitted, reads from `KALI_DEFENSE_STATE_KEY` env var.
+     * @param stateDir - Directory for state files (default: `/tmp/defense-mcp/state/`)
+     * @param secret - Encryption secret. If omitted, reads from `DEFENSE_MCP_STATE_KEY` env var.
      *                 Pass empty string or omit to use unencrypted fallback.
      */
     constructor(stateDir?: string, secret?: string);
@@ -70,7 +70,7 @@ export declare class SecureStateStore {
  * Default singleton SecureStateStore instance.
  *
  * Uses the default state directory and reads the encryption key from
- * the `KALI_DEFENSE_STATE_KEY` environment variable.
+ * the `DEFENSE_MCP_STATE_KEY` environment variable.
  */
 export declare const secureState: SecureStateStore;
 //# sourceMappingURL=encrypted-state.d.ts.map

package/build/core/encrypted-state.js

@@ -5,7 +5,7 @@
  * policy files, sudo session tokens, and other sensitive state.
  *
  * Key derivation uses PBKDF2 from a configurable secret via the
- * `KALI_DEFENSE_STATE_KEY` environment variable. If no key is
+ * `DEFENSE_MCP_STATE_KEY` environment variable. If no key is
  * configured, falls back to unencrypted mode with a warning.
  *
  * @module encrypted-state
@@ -31,13 +31,13 @@ const PBKDF2_DIGEST = "sha512";
 /** Salt length in bytes. */
 const SALT_LENGTH = 16;
 /** Default state directory. */
-const DEFAULT_STATE_DIR = "/tmp/kali-defense/state/";
+const DEFAULT_STATE_DIR = "/tmp/defense-mcp/state/";
 /** File permission: owner read/write only. */
 const SECURE_FILE_MODE = 0o600;
 /** Directory permission: owner read/write/execute only. */
 const SECURE_DIR_MODE = 0o700;
 /** Environment variable name for the encryption key. */
-const ENV_KEY_NAME = "KALI_DEFENSE_STATE_KEY";
+const ENV_KEY_NAME = "DEFENSE_MCP_STATE_KEY";
 // ── Encrypted file format ────────────────────────────────────────────────────
 // Binary layout: [salt (16)] [iv (12)] [authTag (16)] [ciphertext (...)]
 // JSON fallback (unencrypted): plain JSON text
@@ -45,15 +45,15 @@ const ENV_KEY_NAME = "KALI_DEFENSE_STATE_KEY";
 /**
  * Encrypted state storage for sensitive data at rest.
  *
- * Uses AES-256-GCM with PBKDF2-derived keys when `KALI_DEFENSE_STATE_KEY`
+ * Uses AES-256-GCM with PBKDF2-derived keys when `DEFENSE_MCP_STATE_KEY`
  * is set. Falls back to plaintext JSON when no key is configured.
  */
 export class SecureStateStore {
     stateDir;
     secret;
     /**
-     * @param stateDir - Directory for state files (default: `/tmp/kali-defense/state/`)
-     * @param secret - Encryption secret. If omitted, reads from `KALI_DEFENSE_STATE_KEY` env var.
+     * @param stateDir - Directory for state files (default: `/tmp/defense-mcp/state/`)
+     * @param secret - Encryption secret. If omitted, reads from `DEFENSE_MCP_STATE_KEY` env var.
      *                 Pass empty string or omit to use unencrypted fallback.
      */
     constructor(stateDir, secret) {
@@ -204,6 +204,6 @@ export class SecureStateStore {
  * Default singleton SecureStateStore instance.
  *
  * Uses the default state directory and reads the encryption key from
- * the `KALI_DEFENSE_STATE_KEY` environment variable.
+ * the `DEFENSE_MCP_STATE_KEY` environment variable.
  */
 export const secureState = new SecureStateStore();

package/build/core/executor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"executor.d.ts","sourceRoot":"","sources":["../../src/core/executor.ts"],"names":[],"mappings":"AAqEA;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,oCAAoC;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wCAAwC;IACxC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,uCAAuC;IACvC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,iFAAiF;IACjF,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACxB,0CAA0C;IAC1C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,mCAAmC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iEAAiE;IACjE,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,8BAA8B;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,6BAA6B;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,yCAAyC;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,oDAAoD;IACpD,QAAQ,EAAE,OAAO,CAAC;IAClB,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AAgFD;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,aAAa,CAAC,CAmNxB"}
+{"version":3,"file":"executor.d.ts","sourceRoot":"","sources":["../../src/core/executor.ts"],"names":[],"mappings":"AAkFA;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,oCAAoC;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wCAAwC;IACxC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,uCAAuC;IACvC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,iFAAiF;IACjF,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACxB,0CAA0C;IAC1C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,mCAAmC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iEAAiE;IACjE,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,8BAA8B;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,6BAA6B;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,yCAAyC;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,oDAAoD;IACpD,QAAQ,EAAE,OAAO,CAAC;IAClB,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AA0FD;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,aAAa,CAAC,CAmNxB"}