npm - defense-mcp-server - Versions diffs - 0.7.1 → 0.7.3 - Mend

defense-mcp-server 0.7.1 → 0.7.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (92) hide show

package/CHANGELOG.md +6 -6
package/LICENSE +1 -1
package/README.md +10 -10
package/build/core/auto-installer.d.ts +1 -1
package/build/core/auto-installer.js +5 -5
package/build/core/backup-manager.d.ts +1 -1
package/build/core/backup-manager.js +2 -2
package/build/core/changelog.d.ts +1 -1
package/build/core/changelog.js +1 -1
package/build/core/command-allowlist.d.ts.map +1 -1
package/build/core/command-allowlist.js +4 -3
package/build/core/config.d.ts +7 -7
package/build/core/config.d.ts.map +1 -1
package/build/core/config.js +27 -27
package/build/core/dependency-validator.d.ts +2 -2
package/build/core/dependency-validator.js +5 -5
package/build/core/distro-adapter.d.ts +1 -1
package/build/core/distro-adapter.js +2 -2
package/build/core/encrypted-state.d.ts +5 -5
package/build/core/encrypted-state.js +7 -7
package/build/core/executor.js +2 -2
package/build/core/logger.d.ts +1 -1
package/build/core/logger.js +2 -2
package/build/core/rate-limiter.d.ts +3 -3
package/build/core/rate-limiter.js +6 -6
package/build/core/rollback.js +1 -1
package/build/core/safeguards.js +1 -1
package/build/core/spawn-safe.js +1 -1
package/build/core/sudo-guard.js +3 -3
package/build/core/tool-dependencies.d.ts.map +1 -1
package/build/core/tool-dependencies.js +2 -1
package/build/core/tool-wrapper.d.ts +2 -2
package/build/core/tool-wrapper.js +2 -2
package/build/index.js +4 -4
package/build/tools/access-control.d.ts +1 -1
package/build/tools/access-control.js +1 -1
package/build/tools/api-security.d.ts +1 -1
package/build/tools/api-security.js +1 -1
package/build/tools/app-hardening.d.ts +1 -1
package/build/tools/app-hardening.js +1 -1
package/build/tools/backup.d.ts +1 -1
package/build/tools/backup.js +3 -3
package/build/tools/cloud-security.d.ts +1 -1
package/build/tools/cloud-security.js +1 -1
package/build/tools/compliance.d.ts +1 -1
package/build/tools/compliance.js +1 -1
package/build/tools/container-security.d.ts +2 -1
package/build/tools/container-security.d.ts.map +1 -1
package/build/tools/container-security.js +84 -11
package/build/tools/deception.d.ts +1 -1
package/build/tools/deception.js +2 -2
package/build/tools/dns-security.d.ts +1 -1
package/build/tools/dns-security.js +3 -3
package/build/tools/encryption.d.ts +1 -1
package/build/tools/encryption.js +2 -2
package/build/tools/firewall.d.ts +1 -1
package/build/tools/firewall.d.ts.map +1 -1
package/build/tools/firewall.js +29 -7
package/build/tools/hardening.d.ts +1 -1
package/build/tools/hardening.d.ts.map +1 -1
package/build/tools/hardening.js +17 -7
package/build/tools/incident-response.d.ts +1 -1
package/build/tools/incident-response.js +3 -3
package/build/tools/integrity.d.ts +1 -1
package/build/tools/integrity.js +3 -3
package/build/tools/logging.d.ts +1 -1
package/build/tools/logging.js +2 -2
package/build/tools/malware.d.ts +1 -1
package/build/tools/malware.js +2 -2
package/build/tools/meta.d.ts.map +1 -1
package/build/tools/meta.js +65 -31
package/build/tools/network-defense.d.ts +1 -1
package/build/tools/network-defense.js +1 -1
package/build/tools/patch-management.js +1 -1
package/build/tools/process-security.d.ts +1 -1
package/build/tools/process-security.js +1 -1
package/build/tools/secrets.d.ts +1 -1
package/build/tools/secrets.js +1 -1
package/build/tools/sudo-management.d.ts +1 -1
package/build/tools/sudo-management.d.ts.map +1 -1
package/build/tools/sudo-management.js +129 -153
package/build/tools/threat-intel.d.ts +1 -1
package/build/tools/threat-intel.js +3 -3
package/build/tools/vulnerability-management.d.ts +1 -1
package/build/tools/vulnerability-management.js +2 -2
package/build/tools/waf.d.ts +1 -1
package/build/tools/waf.js +1 -1
package/build/tools/wireless-security.d.ts +1 -1
package/build/tools/wireless-security.js +2 -2
package/build/tools/zero-trust-network.js +1 -1
package/docs/SAFEGUARDS.md +20 -20
package/package.json +9 -3

package/CHANGELOG.md CHANGED Viewed

@@ -236,13 +236,13 @@ Major security remediation release consolidating 157 tools down to 78 action-bas
 - **Fix 1.1: Password Buffer Pipeline** — Sudo password now stored in a zeroable `Buffer` (not V8-interned strings). Auto-expires after configurable timeout. Temp files overwritten with random bytes before deletion.
 - **Fix 1.2: Command Allowlist** — All commands executed via `spawn()` are resolved against a strict allowlist of known-safe binaries. Unknown binaries are rejected before execution. Paths resolved to absolute at startup.
-- **Fix 1.3: Auto-Install Hardening** — `KALI_DEFENSE_AUTO_INSTALL` now defaults to `false`. When enabled, only packages from the `DEFENSIVE_TOOLS` catalog are installable — arbitrary package names are blocked.
+- **Fix 1.3: Auto-Install Hardening** — `DEFENSE_MCP_AUTO_INSTALL` now defaults to `false`. When enabled, only packages from the `DEFENSIVE_TOOLS` catalog are installable — arbitrary package names are blocked.
 - **Fix 1.4: Secure File Permissions** — All state files (`changelog.json`, `rollback-state.json`, backups, quarantine) created with `0o600`/`0o700` permissions. Existing directories hardened at startup via `hardenDirPermissions()`.
 ### Test Infrastructure (Phase 2)
 - **Fix 2.1: Vitest Test Suite** — 221 tests across 6 test files covering sanitizer, config, command-allowlist, secure-fs, changelog, and safeguards modules. All tests pass with zero failures.
-- **Fix 2.2: Backup/Rollback Unification** — `BackupManager` and `RollbackManager` consolidated under `~/.kali-defense/` with consistent secure file permissions.
+- **Fix 2.2: Backup/Rollback Unification** — `BackupManager` and `RollbackManager` consolidated under `~/.defense-mcp/` with consistent secure file permissions.
 - **Fix 2.3: Safeguards Real Blockers** — `SafeguardRegistry.checkSafety()` now produces real blocking conditions, not just advisory warnings.
 - **Fix 2.4: spawn-safe.ts Circular Dependency** — Extracted safe spawn helper to break circular dependency between `executor.ts` and `sudo-session.ts`.
@@ -343,8 +343,8 @@ Adds a comprehensive pre-flight validation system that automatically checks depe
 - `formatStatusMessage()` — compact one-line status for prepending to tool output
 #### New Environment Variables
-- `KALI_DEFENSE_PREFLIGHT` (default: `true`) — enable/disable pre-flight checks entirely
-- `KALI_DEFENSE_PREFLIGHT_BANNERS` (default: `true`) — show pre-flight status banners in tool output
+- `DEFENSE_MCP_PREFLIGHT` (default: `true`) — enable/disable pre-flight checks entirely
+- `DEFENSE_MCP_PREFLIGHT_BANNERS` (default: `true`) — show pre-flight status banners in tool output
 ### Changed
@@ -485,7 +485,7 @@ Major release expanding the server from 69 tools across 12 categories to 130+ to
 - All detection errors are caught gracefully and converted to warnings rather than failures
 #### `src/core/backup-manager.ts` — BackupManager
-- Manages file backups with manifest tracking under `~/.kali-mcp-backups/`
+- Manages file backups with manifest tracking under `~/.defense-mcp-backups/`
 - Each backup entry has a UUID, original path, backup path, timestamp, and size
 - `manifest.json` maintains the full backup inventory for list and restore operations
 - `backup(filePath)` — creates timestamped copy and adds to manifest, returns UUID
@@ -495,7 +495,7 @@ Major release expanding the server from 69 tools across 12 categories to 130+ to
 #### `src/core/rollback.ts` — RollbackManager
 - Singleton that tracks system changes within and across sessions
-- State persisted to `~/.kali-defense/rollback-state.json`
+- State persisted to `~/.defense-mcp/rollback-state.json`
 - Supports four change types: `file` (backup path), `sysctl` (previous value), `service` (previous state), `firewall` (rollback command)
 - `rollback(operationId)` — reverses all changes for a specific operation in reverse order
 - `rollbackSession(sessionId)` — reverses all changes from the current session

package/LICENSE CHANGED Viewed

@@ -1,6 +1,6 @@
 MIT License
-Copyright (c) 2026 Kali Defense Contributors
+Copyright (c) 2026 Defense MCP Server Contributors
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md CHANGED Viewed

@@ -78,7 +78,7 @@ You don't need to pre-install every security tool. The server automatically dete
 To disable auto-installation entirely, run with:
 ```bash
-KALI_DEFENSE_AUTO_INSTALL=false node build/index.js
+DEFENSE_MCP_AUTO_INSTALL=false node build/index.js
 ```
 ## Requirements
@@ -186,18 +186,18 @@ Configuration is via environment variables. All have secure defaults:
 | Variable | Default | Description |
 |----------|---------|-------------|
-| `KALI_DEFENSE_DRY_RUN` | `true` | Preview changes without applying |
-| `KALI_DEFENSE_REQUIRE_CONFIRMATION` | `true` | Require confirmation for destructive actions |
-| `KALI_DEFENSE_ALLOWED_DIRS` | `/tmp,/home,/var/log` | Directories the server can access |
-| `KALI_DEFENSE_LOG_LEVEL` | `info` | Log verbosity (debug/info/warn/error) |
-| `KALI_DEFENSE_BACKUP_ENABLED` | `true` | Auto-backup before system changes |
-| `KALI_DEFENSE_AUTO_INSTALL` | `true` | Auto-install missing tool dependencies |
-| `KALI_DEFENSE_PREFLIGHT` | `true` | Enable pre-flight dependency checks |
-| `KALI_DEFENSE_PREFLIGHT_BANNERS` | `true` | Show pre-flight status in tool output |
+| `DEFENSE_MCP_DRY_RUN` | `true` | Preview changes without applying |
+| `DEFENSE_MCP_REQUIRE_CONFIRMATION` | `true` | Require confirmation for destructive actions |
+| `DEFENSE_MCP_ALLOWED_DIRS` | `/tmp,/home,/var/log` | Directories the server can access |
+| `DEFENSE_MCP_LOG_LEVEL` | `info` | Log verbosity (debug/info/warn/error) |
+| `DEFENSE_MCP_BACKUP_ENABLED` | `true` | Auto-backup before system changes |
+| `DEFENSE_MCP_AUTO_INSTALL` | `true` | Auto-install missing tool dependencies |
+| `DEFENSE_MCP_PREFLIGHT` | `true` | Enable pre-flight dependency checks |
+| `DEFENSE_MCP_PREFLIGHT_BANNERS` | `true` | Show pre-flight status in tool output |
 To apply changes for real (not just preview), set:
 ```bash
-KALI_DEFENSE_DRY_RUN=false node build/index.js
+DEFENSE_MCP_DRY_RUN=false node build/index.js
 ```
 ## Security

package/build/core/auto-installer.d.ts CHANGED Viewed

@@ -4,7 +4,7 @@
  * Handles installation of missing dependencies across system package managers
  * (apt, dnf, yum, pacman, apk, zypper, brew), pip, and npm.  This module is
  * part of the pre-flight validation pipeline and is invoked when
- * `KALI_DEFENSE_AUTO_INSTALL=true`.
+ * `DEFENSE_MCP_AUTO_INSTALL=true`.
  *
  * Design constraints:
  *   - Uses `execFileSafe` from `spawn-safe.ts` (NOT the executor) to avoid

package/build/core/auto-installer.js CHANGED Viewed

@@ -4,7 +4,7 @@
  * Handles installation of missing dependencies across system package managers
  * (apt, dnf, yum, pacman, apk, zypper, brew), pip, and npm.  This module is
  * part of the pre-flight validation pipeline and is invoked when
- * `KALI_DEFENSE_AUTO_INSTALL=true`.
+ * `DEFENSE_MCP_AUTO_INSTALL=true`.
  *
  * Design constraints:
  *   - Uses `execFileSafe` from `spawn-safe.ts` (NOT the executor) to avoid
@@ -310,7 +310,7 @@ export class AutoInstaller {
                     type: "binary",
                     method: "skipped",
                     success: false,
-                    message: "Auto-install is disabled (set KALI_DEFENSE_AUTO_INSTALL=true to enable)",
+                    message: "Auto-install is disabled (set DEFENSE_MCP_AUTO_INSTALL=true to enable)",
                 });
             }
             for (const dep of missingPython ?? []) {
@@ -319,7 +319,7 @@ export class AutoInstaller {
                     type: "python-module",
                     method: "skipped",
                     success: false,
-                    message: "Auto-install is disabled (set KALI_DEFENSE_AUTO_INSTALL=true to enable)",
+                    message: "Auto-install is disabled (set DEFENSE_MCP_AUTO_INSTALL=true to enable)",
                 });
             }
             for (const dep of missingNpm ?? []) {
@@ -328,7 +328,7 @@ export class AutoInstaller {
                     type: "npm-package",
                     method: "skipped",
                     success: false,
-                    message: "Auto-install is disabled (set KALI_DEFENSE_AUTO_INSTALL=true to enable)",
+                    message: "Auto-install is disabled (set DEFENSE_MCP_AUTO_INSTALL=true to enable)",
                 });
             }
             for (const dep of missingLibraries ?? []) {
@@ -337,7 +337,7 @@ export class AutoInstaller {
                     type: "library",
                     method: "skipped",
                     success: false,
-                    message: "Auto-install is disabled (set KALI_DEFENSE_AUTO_INSTALL=true to enable)",
+                    message: "Auto-install is disabled (set DEFENSE_MCP_AUTO_INSTALL=true to enable)",
                 });
             }
             return {

package/build/core/backup-manager.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 /**
  * BackupManager — manages file backups with manifest tracking.
  *
- * Backups are stored under ~/.kali-defense/backups/ with timestamped filenames.
+ * Backups are stored under ~/.defense-mcp/backups/ with timestamped filenames.
  * A manifest.json tracks all backups for listing and restore operations.
  */
 export interface BackupEntry {

package/build/core/backup-manager.js CHANGED Viewed

@@ -1,7 +1,7 @@
 /**
  * BackupManager — manages file backups with manifest tracking.
  *
- * Backups are stored under ~/.kali-defense/backups/ with timestamped filenames.
+ * Backups are stored under ~/.defense-mcp/backups/ with timestamped filenames.
  * A manifest.json tracks all backups for listing and restore operations.
  */
 import { existsSync, readFileSync, unlinkSync, statSync, lstatSync, } from "node:fs";
@@ -59,7 +59,7 @@ export class BackupManager {
     backupDir;
     manifestPath;
     constructor(backupDir) {
-        this.backupDir = backupDir ?? join(homedir(), ".kali-defense", "backups");
+        this.backupDir = backupDir ?? join(homedir(), ".defense-mcp", "backups");
         this.manifestPath = join(this.backupDir, "manifest.json");
     }
     /** Ensure backup directory exists. */

package/build/core/changelog.d.ts CHANGED Viewed

@@ -59,7 +59,7 @@ export declare function logChange(entry: ChangeEntry): void;
 export declare function getChangelog(limit?: number): ChangeEntry[];
 /**
  * Creates a backup copy of a file using the unified BackupManager.
- * The backup is tracked in the manifest at ~/.kali-defense/backups/manifest.json.
+ * The backup is tracked in the manifest at ~/.defense-mcp/backups/manifest.json.
  *
  * @param filePath Absolute path to the file to back up
  * @returns Path to the backup file

package/build/core/changelog.js CHANGED Viewed

@@ -97,7 +97,7 @@ export function getChangelog(limit) {
 }
 /**
  * Creates a backup copy of a file using the unified BackupManager.
- * The backup is tracked in the manifest at ~/.kali-defense/backups/manifest.json.
+ * The backup is tracked in the manifest at ~/.defense-mcp/backups/manifest.json.
  *
  * @param filePath Absolute path to the file to back up
  * @returns Path to the backup file

package/build/core/command-allowlist.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"command-allowlist.d.ts","sourceRoot":"","sources":["../../src/core/command-allowlist.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAeH,MAAM,WAAW,cAAc;IAC7B,wCAAwC;IACxC,MAAM,EAAE,MAAM,CAAC;IACf,gDAAgD;IAChD,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,2EAA2E;IAC3E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,+EAA+E;IAC/E,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,uEAAuE;IACvE,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,sDAAsD;AACtD,MAAM,WAAW,wBAAwB;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;~~AA8WD~~;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAkD1C;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAsDtD;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CActD;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;CACpB,CA6CA;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,aAAa,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAE7E;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,OAAO,CAEvC;AAED;;GAEG;AACH,wBAAgB,gCAAgC,IAAI,OAAO,CAE1D;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAEjE;AA8CD;;GAEG;AACH,wBAAgB,yBAAyB,IAAI,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAE9E;AAeD;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,EAAE,MAAM,EAClB,eAAe,CAAC,EAAE,MAAM,GACvB,wBAAwB,CA6G1B;AAiHD;;;;;;;;;;GAUG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,wBAAwB,EAAE,CAAC,CA6C7E"}
1	+ {"version":3,"file":"command-allowlist.d.ts","sourceRoot":"","sources":["../../src/core/command-allowlist.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAeH,MAAM,WAAW,cAAc;IAC7B,wCAAwC;IACxC,MAAM,EAAE,MAAM,CAAC;IACf,gDAAgD;IAChD,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,2EAA2E;IAC3E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,+EAA+E;IAC/E,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,uEAAuE;IACvE,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,sDAAsD;AACtD,MAAM,WAAW,wBAAwB;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AA+WD;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAkD1C;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAsDtD;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CActD;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;CACpB,CA6CA;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,aAAa,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAE7E;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,OAAO,CAEvC;AAED;;GAEG;AACH,wBAAgB,gCAAgC,IAAI,OAAO,CAE1D;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAEjE;AA8CD;;GAEG;AACH,wBAAgB,yBAAyB,IAAI,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAE9E;AAeD;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,EAAE,MAAM,EAClB,eAAe,CAAC,EAAE,MAAM,GACvB,wBAAwB,CA6G1B;AAiHD;;;;;;;;;;GAUG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,wBAAwB,EAAE,CAAC,CA6C7E"}

package/build/core/command-allowlist.js CHANGED Viewed

@@ -241,6 +241,7 @@ const ALLOWLIST_DEFINITIONS = [
     // ── GUI askpass helpers (sudo-management.ts) ───────────────────────────
     { binary: "zenity", candidates: ["/usr/bin/zenity"] },
     { binary: "kdialog", candidates: ["/usr/bin/kdialog"] },
+    { binary: "setsid", candidates: ["/usr/bin/setsid", "/usr/sbin/setsid"] },
     { binary: "ksshaskpass", candidates: ["/usr/bin/ksshaskpass"] },
     { binary: "lxqt-sudo", candidates: ["/usr/bin/lxqt-sudo"] },
     // ── DNS security ───────────────────────────────────────────────────────
@@ -324,10 +325,10 @@ let initialized = false;
  * mitigating TOCTOU (time-of-check-time-of-use) attacks where a binary is
  * replaced between startup resolution and runtime execution.
  *
- * Configurable via KALI_DEFENSE_RUNTIME_PATH_VERIFY env var.
+ * Configurable via DEFENSE_MCP_RUNTIME_PATH_VERIFY env var.
  * Default: true (verify at runtime). Set to "false" to disable for performance.
  */
-let runtimePathVerification = process.env.KALI_DEFENSE_RUNTIME_PATH_VERIFY !== "false";
+let runtimePathVerification = process.env.DEFENSE_MCP_RUNTIME_PATH_VERIFY !== "false";
 // Populate the map immediately so `isAllowlisted()` works before init
 for (const entry of ALLOWLIST_DEFINITIONS) {
     allowlistMap.set(entry.binary, entry);
@@ -349,7 +350,7 @@ export function initializeAllowlist() {
     // Clear reverse map for re-initialization
     reversePathMap.clear();
     // Re-read runtime path verification setting on re-init
-    runtimePathVerification = process.env.KALI_DEFENSE_RUNTIME_PATH_VERIFY !== "false";
+    runtimePathVerification = process.env.DEFENSE_MCP_RUNTIME_PATH_VERIFY !== "false";
     for (const entry of ALLOWLIST_DEFINITIONS) {
         entry.resolvedPath = undefined;
         entry.resolvedInode = undefined;

package/build/core/config.d.ts CHANGED Viewed

@@ -1,11 +1,11 @@
 /**
  * Known defensive tools that support per-tool timeout overrides
- * via KALI_DEFENSE_TIMEOUT_<TOOL> environment variables.
+ * via DEFENSE_MCP_TIMEOUT_<TOOL> environment variables.
  */
 export declare const KNOWN_TOOLS: readonly ["lynis", "aide", "clamav", "oscap", "snort", "suricata", "rkhunter", "chkrootkit", "tcpdump", "auditd", "nmap", "fail2ban-client", "debsums", "yara"];
 export type KnownTool = (typeof KNOWN_TOOLS)[number];
 /**
- * Configuration interface for the Kali Defense MCP Server.
+ * Configuration interface for the Defense MCP Server.
  * All values are derived from environment variables with sensible defaults.
  */
 export interface DefenseConfig {
@@ -21,7 +21,7 @@ export interface DefenseConfig {
      * SECURITY (CICD-014): Dry-run mode — when true, modifying operations preview
      * commands without executing them. Defaults to `true` so the server operates
      * in a safe, read-only mode until explicitly opted out via
-     * KALI_DEFENSE_DRY_RUN=false. This prevents accidental system modifications.
+     * DEFENSE_MCP_DRY_RUN=false. This prevents accidental system modifications.
      */
     dryRun: boolean;
     /** Path to the changelog JSON file */
@@ -32,7 +32,7 @@ export interface DefenseConfig {
      * SECURITY (CICD-014): Whether to create backups before modifying files.
      * Defaults to `true` — every file modification is backed up first so that
      * changes can be rolled back if needed. Disable only in CI/test environments
-     * via KALI_DEFENSE_BACKUP_ENABLED=false.
+     * via DEFENSE_MCP_BACKUP_ENABLED=false.
      */
     backupEnabled: boolean;
     /** Whether to auto-install missing tools */
@@ -44,7 +44,7 @@ export interface DefenseConfig {
      * actions. Defaults to `true` — the server will request explicit confirmation
      * before executing operations that modify system state. Disable only when
      * running automated/unattended workflows via
-     * KALI_DEFENSE_REQUIRE_CONFIRMATION=false.
+     * DEFENSE_MCP_REQUIRE_CONFIRMATION=false.
      */
     requireConfirmation: boolean;
     /** Directory for quarantined files */
@@ -55,9 +55,9 @@ export interface DefenseConfig {
     toolTimeouts: Partial<Record<KnownTool, number>>;
     /** Sudo session timeout in milliseconds (default: 15 minutes) */
     sudoSessionTimeout: number;
-    /** Command execution timeout in ms (falls back to defaultTimeout; env: KALI_DEFENSE_COMMAND_TIMEOUT) */
+    /** Command execution timeout in ms (falls back to defaultTimeout; env: DEFENSE_MCP_COMMAND_TIMEOUT) */
     commandTimeout: number;
-    /** Network operation timeout in ms (default: 30s; env: KALI_DEFENSE_NETWORK_TIMEOUT) */
+    /** Network operation timeout in ms (default: 30s; env: DEFENSE_MCP_NETWORK_TIMEOUT) */
     networkTimeout: number;
 }
 /**

package/build/core/config.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,eAAO,MAAM,WAAW,iKAed,CAAC;AAEX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,MAAM,CAAC,CAAC;AAErD;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,8CAA8C;IAC9C,cAAc,EAAE,MAAM,CAAC;IACvB,0CAA0C;IAC1C,SAAS,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,oBAAoB;IACpB,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC9C;;;;;OAKG;IACH,MAAM,EAAE,OAAO,CAAC;IAChB,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB;;;;;OAKG;IACH,aAAa,EAAE,OAAO,CAAC;IACvB,4CAA4C;IAC5C,WAAW,EAAE,OAAO,CAAC;IACrB,wCAAwC;IACxC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB;;;;;;OAMG;IACH,mBAAmB,EAAE,OAAO,CAAC;IAC7B,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,iDAAiD;IACjD,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;IACjD,iEAAiE;IACjE,kBAAkB,EAAE,MAAM,CAAC;IAC3B,~~wGAAwG~~;~~IACxG~~,cAAc,EAAE,MAAM,CAAC;IACvB,~~wFAAwF~~;~~IACxF~~,cAAc,EAAE,MAAM,CAAC;CACxB;AAmGD;;;;GAIG;AACH,wBAAgB,SAAS,IAAI,aAAa,CAQzC;AAwFD;;;GAGG;AACH,wBAAgB,qBAAqB,IAAI,IAAI,CAG5C;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,aAAa,GACrB,MAAM,CAIR"}
1	+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,eAAO,MAAM,WAAW,iKAed,CAAC;AAEX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,MAAM,CAAC,CAAC;AAErD;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,8CAA8C;IAC9C,cAAc,EAAE,MAAM,CAAC;IACvB,0CAA0C;IAC1C,SAAS,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,oBAAoB;IACpB,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC9C;;;;;OAKG;IACH,MAAM,EAAE,OAAO,CAAC;IAChB,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB;;;;;OAKG;IACH,aAAa,EAAE,OAAO,CAAC;IACvB,4CAA4C;IAC5C,WAAW,EAAE,OAAO,CAAC;IACrB,wCAAwC;IACxC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB;;;;;;OAMG;IACH,mBAAmB,EAAE,OAAO,CAAC;IAC7B,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,iDAAiD;IACjD,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;IACjD,iEAAiE;IACjE,kBAAkB,EAAE,MAAM,CAAC;IAC3B,uGAAuG;IACvG,cAAc,EAAE,MAAM,CAAC;IACvB,uFAAuF;IACvF,cAAc,EAAE,MAAM,CAAC;CACxB;AAmGD;;;;GAIG;AACH,wBAAgB,SAAS,IAAI,aAAa,CAQzC;AAwFD;;;GAGG;AACH,wBAAgB,qBAAqB,IAAI,IAAI,CAG5C;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,aAAa,GACrB,MAAM,CAIR"}

package/build/core/config.js CHANGED Viewed

@@ -2,7 +2,7 @@ import { homedir } from "node:os";
 import { join } from "node:path";
 /**
  * Known defensive tools that support per-tool timeout overrides
- * via KALI_DEFENSE_TIMEOUT_<TOOL> environment variables.
+ * via DEFENSE_MCP_TIMEOUT_<TOOL> environment variables.
  */
 export const KNOWN_TOOLS = [
     "lynis",
@@ -50,19 +50,19 @@ function parsePaths(value, defaultValue) {
     return paths.filter((p) => {
         // Reject root directory and single-character root-level paths (e.g. "/")
         if (REJECTED_DIRS.has(p) || (p.startsWith("/") && p.length <= 2 && p !== "/" + p.slice(1).replace(/\//g, ""))) {
-            console.error(`[KALI-DEFENSE] SECURITY: Rejecting overly broad allowedDir '${p}' — ` +
+            console.error(`[DEFENSE-MCP] SECURITY: Rejecting overly broad allowedDir '${p}' — ` +
                 `granting access to the entire filesystem is not permitted.`);
             return false;
         }
         // Reject any single-character root-level path like "/x"
         if (/^\/[^/]$/.test(p)) {
-            console.error(`[KALI-DEFENSE] SECURITY: Rejecting overly broad allowedDir '${p}' — ` +
+            console.error(`[DEFENSE-MCP] SECURITY: Rejecting overly broad allowedDir '${p}' — ` +
                 `single-character root-level paths are not permitted.`);
             return false;
         }
         // Warn about broad directories
         if (BROAD_DIRS.has(p)) {
-            console.error(`[KALI-DEFENSE] WARNING: allowedDir '${p}' is very broad. ` +
+            console.error(`[DEFENSE-MCP] WARNING: allowedDir '${p}' is very broad. ` +
                 `Consider using a more specific subdirectory.`);
         }
         return true;
@@ -80,12 +80,12 @@ function parseLogLevel(value) {
 }
 /**
  * Reads per-tool timeout overrides from environment variables.
- * Format: KALI_DEFENSE_TIMEOUT_<TOOL> (value in seconds, stored as ms).
+ * Format: DEFENSE_MCP_TIMEOUT_<TOOL> (value in seconds, stored as ms).
  */
 function parseToolTimeouts() {
     const timeouts = {};
     for (const tool of KNOWN_TOOLS) {
-        const envKey = `KALI_DEFENSE_TIMEOUT_${tool.toUpperCase()}`;
+        const envKey = `DEFENSE_MCP_TIMEOUT_${tool.toUpperCase()}`;
         const value = process.env[envKey];
         if (value !== undefined) {
             const seconds = parseInt(value, 10);
@@ -119,8 +119,8 @@ export function getConfig() {
  * This is the actual parsing logic, called by the cached `getConfig()` wrapper.
  */
 function buildConfigFromEnv() {
-    const defaultTimeoutSec = parseInt(process.env.KALI_DEFENSE_TIMEOUT_DEFAULT ?? "120", 10);
-    const maxBufferBytes = parseInt(process.env.KALI_DEFENSE_MAX_OUTPUT_SIZE ?? String(10 * 1024 * 1024), 10);
+    const defaultTimeoutSec = parseInt(process.env.DEFENSE_MCP_TIMEOUT_DEFAULT ?? "120", 10);
+    const maxBufferBytes = parseInt(process.env.DEFENSE_MCP_MAX_OUTPUT_SIZE ?? String(10 * 1024 * 1024), 10);
     const config = {
         defaultTimeout: isNaN(defaultTimeoutSec) || defaultTimeoutSec <= 0
             ? 120_000
@@ -132,26 +132,26 @@ function buildConfigFromEnv() {
         // contains sensitive system configuration files (shadow, sudoers, ssh configs).
         // Granting default read/write access to /etc is too permissive. Tools that
         // need /etc access should require explicit configuration via
-        // KALI_DEFENSE_ALLOWED_DIRS=/tmp,/home,/var/log,/etc
-        allowedDirs: parsePaths(process.env.KALI_DEFENSE_ALLOWED_DIRS, "/tmp,/home,/var/log"),
-        logLevel: parseLogLevel(process.env.KALI_DEFENSE_LOG_LEVEL),
+        // DEFENSE_MCP_ALLOWED_DIRS=/tmp,/home,/var/log,/etc
+        allowedDirs: parsePaths(process.env.DEFENSE_MCP_ALLOWED_DIRS, "/tmp,/home,/var/log"),
+        logLevel: parseLogLevel(process.env.DEFENSE_MCP_LOG_LEVEL),
         // SECURITY (CICD-014): Default to dry-run=true (safe preview mode)
-        // Set KALI_DEFENSE_DRY_RUN=false to enable live system modifications
-        dryRun: process.env.KALI_DEFENSE_DRY_RUN !== "false",
-        changelogPath: expandHome(process.env.KALI_DEFENSE_CHANGELOG_PATH ??
-            "~/.kali-defense/changelog.json"),
-        backupDir: expandHome(process.env.KALI_DEFENSE_BACKUP_DIR ?? "~/.kali-defense/backups"),
+        // Set DEFENSE_MCP_DRY_RUN=false to enable live system modifications
+        dryRun: process.env.DEFENSE_MCP_DRY_RUN !== "false",
+        changelogPath: expandHome(process.env.DEFENSE_MCP_CHANGELOG_PATH ??
+            "~/.defense-mcp/changelog.json"),
+        backupDir: expandHome(process.env.DEFENSE_MCP_BACKUP_DIR ?? "~/.defense-mcp/backups"),
         // SECURITY (CICD-014): Backup before modify — enabled by default
-        // Set KALI_DEFENSE_BACKUP_ENABLED=false only in CI/test environments
-        backupEnabled: process.env.KALI_DEFENSE_BACKUP_ENABLED !== "false",
-        autoInstall: process.env.KALI_DEFENSE_AUTO_INSTALL === "true",
-        protectedPaths: parsePaths(process.env.KALI_DEFENSE_PROTECTED_PATHS, "/boot,/usr/lib/systemd,/usr/bin,/usr/sbin"),
-        requireConfirmation: process.env.KALI_DEFENSE_REQUIRE_CONFIRMATION !== "false",
-        quarantineDir: expandHome(process.env.KALI_DEFENSE_QUARANTINE_DIR ?? "~/.kali-defense/quarantine"),
-        policyDir: expandHome(process.env.KALI_DEFENSE_POLICY_DIR ?? "~/.kali-defense/policies"),
+        // Set DEFENSE_MCP_BACKUP_ENABLED=false only in CI/test environments
+        backupEnabled: process.env.DEFENSE_MCP_BACKUP_ENABLED !== "false",
+        autoInstall: process.env.DEFENSE_MCP_AUTO_INSTALL === "true",
+        protectedPaths: parsePaths(process.env.DEFENSE_MCP_PROTECTED_PATHS, "/boot,/usr/lib/systemd,/usr/bin,/usr/sbin"),
+        requireConfirmation: process.env.DEFENSE_MCP_REQUIRE_CONFIRMATION !== "false",
+        quarantineDir: expandHome(process.env.DEFENSE_MCP_QUARANTINE_DIR ?? "~/.defense-mcp/quarantine"),
+        policyDir: expandHome(process.env.DEFENSE_MCP_POLICY_DIR ?? "~/.defense-mcp/policies"),
         toolTimeouts: parseToolTimeouts(),
         sudoSessionTimeout: (() => {
-            const envVal = process.env.KALI_DEFENSE_SUDO_TIMEOUT;
+            const envVal = process.env.DEFENSE_MCP_SUDO_TIMEOUT;
             if (envVal) {
                 const minutes = parseInt(envVal, 10);
                 if (!isNaN(minutes) && minutes > 0)
@@ -160,17 +160,17 @@ function buildConfigFromEnv() {
             return 15 * 60 * 1000; // default: 15 minutes
         })(),
         commandTimeout: (() => {
-            const sec = parseInt(process.env.KALI_DEFENSE_COMMAND_TIMEOUT ?? "120", 10);
+            const sec = parseInt(process.env.DEFENSE_MCP_COMMAND_TIMEOUT ?? "120", 10);
             return isNaN(sec) || sec <= 0 ? 120_000 : sec * 1000;
         })(),
         networkTimeout: (() => {
-            const sec = parseInt(process.env.KALI_DEFENSE_NETWORK_TIMEOUT ?? "30", 10);
+            const sec = parseInt(process.env.DEFENSE_MCP_NETWORK_TIMEOUT ?? "30", 10);
             return isNaN(sec) || sec <= 0 ? 30_000 : sec * 1000;
         })(),
     };
     // Warn when dry-run is active so operators know no changes will be applied
     if (config.dryRun) {
-        console.error("[KALI-DEFENSE] DRY_RUN mode is ACTIVE — no changes will be applied");
+        console.error("[DEFENSE-MCP] DRY_RUN mode is ACTIVE — no changes will be applied");
     }
     return config;
 }

package/build/core/dependency-validator.d.ts CHANGED Viewed

@@ -1,9 +1,9 @@
 /**
- * Dependency Validator for Kali Defense MCP Server.
+ * Dependency Validator for Defense MCP Server.
  *
  * Provides three key capabilities:
  * 1. **Startup validation** — checks all tool dependencies when the server starts
- *    and auto-installs missing ones if KALI_DEFENSE_AUTO_INSTALL=true
+ *    and auto-installs missing ones if DEFENSE_MCP_AUTO_INSTALL=true
  * 2. **Runtime dependency check** — `ensureDependencies()` can be called before
  *    any tool execution to verify (and optionally install) required binaries
  * 3. **Dependency status cache** — avoids redundant `which` calls by caching

package/build/core/dependency-validator.js CHANGED Viewed

@@ -1,9 +1,9 @@
 /**
- * Dependency Validator for Kali Defense MCP Server.
+ * Dependency Validator for Defense MCP Server.
  *
  * Provides three key capabilities:
  * 1. **Startup validation** — checks all tool dependencies when the server starts
- *    and auto-installs missing ones if KALI_DEFENSE_AUTO_INSTALL=true
+ *    and auto-installs missing ones if DEFENSE_MCP_AUTO_INSTALL=true
  * 2. **Runtime dependency check** — `ensureDependencies()` can be called before
  *    any tool execution to verify (and optionally install) required binaries
  * 3. **Dependency status cache** — avoids redundant `which` calls by caching
@@ -215,7 +215,7 @@ export async function validateAllDependencies() {
         for (const cm of criticalMissing) {
             console.error(`[dep-validator]   - ${cm.toolName}: needs ${cm.missingBinaries.join(", ")}`);
         }
-        console.error(`[dep-validator] Set KALI_DEFENSE_AUTO_INSTALL=true to auto-install missing tools`);
+        console.error(`[dep-validator] Set DEFENSE_MCP_AUTO_INSTALL=true to auto-install missing tools`);
     }
     return report;
 }
@@ -330,7 +330,7 @@ export async function isBinaryInstalled(binary) {
 export function formatValidationReport(report) {
     const lines = [];
     lines.push("╔══════════════════════════════════════════════════════════╗");
-    lines.push("║       Kali Defense MCP — Dependency Validation          ║");
+    lines.push("║       Defense MCP — Dependency Validation          ║");
     lines.push("╚══════════════════════════════════════════════════════════╝");
     lines.push("");
     lines.push(`  Binaries checked:    ${report.totalChecked}`);
@@ -367,7 +367,7 @@ export function formatValidationReport(report) {
     lines.push("");
     lines.push(`  Auto-install: ${report.autoInstallEnabled ? "ENABLED" : "DISABLED"}`);
     if (!report.autoInstallEnabled && report.missing.length > 0) {
-        lines.push("  💡 Set KALI_DEFENSE_AUTO_INSTALL=true to auto-install missing tools");
+        lines.push("  💡 Set DEFENSE_MCP_AUTO_INSTALL=true to auto-install missing tools");
     }
     lines.push(`  Duration: ${report.durationMs}ms`);
     return lines.join("\n");

package/build/core/distro-adapter.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
- * DistroAdapter — unified cross-distribution API for the Kali Defense MCP Server.
+ * DistroAdapter — unified cross-distribution API for the Defense MCP Server.
  *
  * This module provides a single, cached adapter instance that abstracts away
  * distribution-specific differences in:

package/build/core/distro-adapter.js CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
- * DistroAdapter — unified cross-distribution API for the Kali Defense MCP Server.
+ * DistroAdapter — unified cross-distribution API for the Defense MCP Server.
  *
  * This module provides a single, cached adapter instance that abstracts away
  * distribution-specific differences in:
@@ -396,7 +396,7 @@ function buildFirewallPersistenceConfig(distro) {
             return {
                 packageName: "iptables-persistent",
                 checkInstalledCmd: ["dpkg", "-l", "iptables-persistent"],
-                installCmd: ["DEBIAN_FRONTEND=noninteractive", "apt-get", "install", "-y", "iptables-persistent"],
+                installCmd: ["apt-get", "install", "-y", "iptables-persistent"],
                 serviceName: "netfilter-persistent",
                 enableCmd: ["systemctl", "enable", "netfilter-persistent"],
                 saveCmd: ["netfilter-persistent", "save"],

package/build/core/encrypted-state.d.ts CHANGED Viewed

@@ -5,7 +5,7 @@
  * policy files, sudo session tokens, and other sensitive state.
  *
  * Key derivation uses PBKDF2 from a configurable secret via the
- * `KALI_DEFENSE_STATE_KEY` environment variable. If no key is
+ * `DEFENSE_MCP_STATE_KEY` environment variable. If no key is
  * configured, falls back to unencrypted mode with a warning.
  *
  * @module encrypted-state
@@ -13,15 +13,15 @@
 /**
  * Encrypted state storage for sensitive data at rest.
  *
- * Uses AES-256-GCM with PBKDF2-derived keys when `KALI_DEFENSE_STATE_KEY`
+ * Uses AES-256-GCM with PBKDF2-derived keys when `DEFENSE_MCP_STATE_KEY`
  * is set. Falls back to plaintext JSON when no key is configured.
  */
 export declare class SecureStateStore {
     private readonly stateDir;
     private readonly secret;
     /**
-     * @param stateDir - Directory for state files (default: `/tmp/kali-defense/state/`)
-     * @param secret - Encryption secret. If omitted, reads from `KALI_DEFENSE_STATE_KEY` env var.
+     * @param stateDir - Directory for state files (default: `/tmp/defense-mcp/state/`)
+     * @param secret - Encryption secret. If omitted, reads from `DEFENSE_MCP_STATE_KEY` env var.
      *                 Pass empty string or omit to use unencrypted fallback.
      */
     constructor(stateDir?: string, secret?: string);
@@ -70,7 +70,7 @@ export declare class SecureStateStore {
  * Default singleton SecureStateStore instance.
  *
  * Uses the default state directory and reads the encryption key from
- * the `KALI_DEFENSE_STATE_KEY` environment variable.
+ * the `DEFENSE_MCP_STATE_KEY` environment variable.
  */
 export declare const secureState: SecureStateStore;
 //# sourceMappingURL=encrypted-state.d.ts.map

package/build/core/encrypted-state.js CHANGED Viewed

@@ -5,7 +5,7 @@
  * policy files, sudo session tokens, and other sensitive state.
  *
  * Key derivation uses PBKDF2 from a configurable secret via the
- * `KALI_DEFENSE_STATE_KEY` environment variable. If no key is
+ * `DEFENSE_MCP_STATE_KEY` environment variable. If no key is
  * configured, falls back to unencrypted mode with a warning.
  *
  * @module encrypted-state
@@ -31,13 +31,13 @@ const PBKDF2_DIGEST = "sha512";
 /** Salt length in bytes. */
 const SALT_LENGTH = 16;
 /** Default state directory. */
-const DEFAULT_STATE_DIR = "/tmp/kali-defense/state/";
+const DEFAULT_STATE_DIR = "/tmp/defense-mcp/state/";
 /** File permission: owner read/write only. */
 const SECURE_FILE_MODE = 0o600;
 /** Directory permission: owner read/write/execute only. */
 const SECURE_DIR_MODE = 0o700;
 /** Environment variable name for the encryption key. */
-const ENV_KEY_NAME = "KALI_DEFENSE_STATE_KEY";
+const ENV_KEY_NAME = "DEFENSE_MCP_STATE_KEY";
 // ── Encrypted file format ────────────────────────────────────────────────────
 // Binary layout: [salt (16)] [iv (12)] [authTag (16)] [ciphertext (...)]
 // JSON fallback (unencrypted): plain JSON text
@@ -45,15 +45,15 @@ const ENV_KEY_NAME = "KALI_DEFENSE_STATE_KEY";
 /**
  * Encrypted state storage for sensitive data at rest.
  *
- * Uses AES-256-GCM with PBKDF2-derived keys when `KALI_DEFENSE_STATE_KEY`
+ * Uses AES-256-GCM with PBKDF2-derived keys when `DEFENSE_MCP_STATE_KEY`
  * is set. Falls back to plaintext JSON when no key is configured.
  */
 export class SecureStateStore {
     stateDir;
     secret;
     /**
-     * @param stateDir - Directory for state files (default: `/tmp/kali-defense/state/`)
-     * @param secret - Encryption secret. If omitted, reads from `KALI_DEFENSE_STATE_KEY` env var.
+     * @param stateDir - Directory for state files (default: `/tmp/defense-mcp/state/`)
+     * @param secret - Encryption secret. If omitted, reads from `DEFENSE_MCP_STATE_KEY` env var.
      *                 Pass empty string or omit to use unencrypted fallback.
      */
     constructor(stateDir, secret) {
@@ -204,6 +204,6 @@ export class SecureStateStore {
  * Default singleton SecureStateStore instance.
  *
  * Uses the default state directory and reads the encryption key from
- * the `KALI_DEFENSE_STATE_KEY` environment variable.
+ * the `DEFENSE_MCP_STATE_KEY` environment variable.
  */
 export const secureState = new SecureStateStore();

package/build/core/executor.js CHANGED Viewed

@@ -322,7 +322,7 @@ export async function executeCommand(options) {
                 const timeoutSec = Math.round(timeout / 1000);
                 stderr += `\nCommand timed out after ${timeoutSec} seconds. ` +
                     `The target may be unreachable or the operation is taking too long. ` +
-                    `Consider increasing KALI_DEFENSE_COMMAND_TIMEOUT (current: ${timeoutSec}s).`;
+                    `Consider increasing DEFENSE_MCP_COMMAND_TIMEOUT (current: ${timeoutSec}s).`;
             }
             // Detect permission errors from combined output
             const combinedOutput = stdout + "\n" + stderr;
@@ -346,7 +346,7 @@ export async function executeCommand(options) {
                 const timeoutSec = Math.round(timeout / 1000);
                 const timeoutMsg = `\nCommand timed out after ${timeoutSec} seconds. ` +
                     `The target may be unreachable or the operation is taking too long. ` +
-                    `Consider increasing KALI_DEFENSE_COMMAND_TIMEOUT (current: ${timeoutSec}s).`;
+                    `Consider increasing DEFENSE_MCP_COMMAND_TIMEOUT (current: ${timeoutSec}s).`;
                 resolve({
                     stdout: Buffer.concat(stdoutChunks).toString("utf-8"),
                     stderr: Buffer.concat(stderrChunks).toString("utf-8") + timeoutMsg,

package/build/core/logger.d.ts CHANGED Viewed

@@ -45,7 +45,7 @@ export declare class Logger {
     private minLevel;
     constructor(minLevel?: LogLevel);
     /**
-     * Read the minimum log level from `KALI_DEFENSE_LOG_LEVEL` env var.
+     * Read the minimum log level from `DEFENSE_MCP_LOG_LEVEL` env var.
      * Falls back to `"info"` if unset or invalid.
      */
     private parseEnvLevel;