defense-mcp-server 0.7.2 → 0.8.0

package/README.md

@@ -1,6 +1,6 @@
 # Defense MCP Server
 
-A Model Context Protocol (MCP) server that gives AI assistants access to **94 defensive security tools** on Linux. Connect it to Claude Desktop, Cursor, or any MCP-compatible client to harden systems, manage firewalls, scan for vulnerabilities, and enforce compliance — all through natural language conversation.
+A Model Context Protocol (MCP) server that gives AI assistants access to **31 defensive security tools** (with 150+ actions) on Linux. Connect it to Claude Desktop, Cursor, or any MCP-compatible client to harden systems, manage firewalls, scan for vulnerabilities, and enforce compliance — all through natural language conversation.
 
 ## Why I Made This
 Basically I'm a total noob when it comes to really serious system hardening so I thought I'd test the latest LLM models and see how far I could get. Turns out they're pretty helpful! I got tired of hardening my new systems by hand every time I spun up a new one so I made this MCP server to make it pretty easy. I jam packed as many security tools as I could into this thing so be prepared to burn tokens using it. Hopefully it helps you about half as much as its helped me. 

package/build/core/auto-installer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auto-installer.d.ts","sourceRoot":"","sources":["../../src/core/auto-installer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AASH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAIvD,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,QAAQ,GAAG,eAAe,GAAG,aAAa,GAAG,SAAS,GAAG,MAAM,CAAC;IACtE,MAAM,EACF,gBAAgB,GAChB,KAAK,GACL,KAAK,GACL,OAAO,GACP,YAAY,GACZ,iBAAiB,GACjB,mBAAmB,GACnB,UAAU,GACV,SAAS,CAAC;IACd,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,cAAc,EAAE,CAAC;IAC5B,WAAW,EAAE,OAAO,CAAC;IACrB,sBAAsB,EAAE,MAAM,EAAE,CAAC;CAClC;AAyFD;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEzD;AAgLD,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAC,SAAS,CAA8B;IACtD,OAAO,CAAC,WAAW,CAA2B;IAE9C,4CAA4C;IAC5C,MAAM,CAAC,QAAQ,IAAI,aAAa;IAahC;;;OAGG;IACH,MAAM,CAAC,aAAa,IAAI,IAAI;IAI5B,mDAAmD;IACnD,SAAS,IAAI,OAAO;IAIpB;;;;;OAKG;IACG,UAAU,CACd,QAAQ,EAAE,YAAY,EACtB,eAAe,EAAE,MAAM,EAAE,EACzB,aAAa,CAAC,EAAE,MAAM,EAAE,EACxB,UAAU,CAAC,EAAE,MAAM,EAAE,EACrB,gBAAgB,CAAC,EAAE,MAAM,EAAE,GAC1B,OAAO,CAAC,iBAAiB,CAAC;IA6G7B;;;;;;OAMG;IACG,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IA4J5D;;;;;;;OAOG;IACG,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAiHlE;;;;;;OAMG;IACG,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IA8G7D;;;;;;OAMG;IACG,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAyG1D;;OAEG;YACW,SAAS;IAOvB;;OAEG;IACH,OAAO,CAAC,aAAa;CAmBtB"}
+{"version":3,"file":"auto-installer.d.ts","sourceRoot":"","sources":["../../src/core/auto-installer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AASH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAIvD,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,QAAQ,GAAG,eAAe,GAAG,aAAa,GAAG,SAAS,GAAG,MAAM,CAAC;IACtE,MAAM,EACF,gBAAgB,GAChB,KAAK,GACL,KAAK,GACL,OAAO,GACP,YAAY,GACZ,iBAAiB,GACjB,mBAAmB,GACnB,UAAU,GACV,SAAS,CAAC;IACd,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,cAAc,EAAE,CAAC;IAC5B,WAAW,EAAE,OAAO,CAAC;IACrB,sBAAsB,EAAE,MAAM,EAAE,CAAC;CAClC;AAyFD;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEzD;AAiOD,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAC,SAAS,CAA8B;IACtD,OAAO,CAAC,WAAW,CAA2B;IAE9C,4CAA4C;IAC5C,MAAM,CAAC,QAAQ,IAAI,aAAa;IAahC;;;OAGG;IACH,MAAM,CAAC,aAAa,IAAI,IAAI;IAI5B,mDAAmD;IACnD,SAAS,IAAI,OAAO;IAIpB;;;;;OAKG;IACG,UAAU,CACd,QAAQ,EAAE,YAAY,EACtB,eAAe,EAAE,MAAM,EAAE,EACzB,aAAa,CAAC,EAAE,MAAM,EAAE,EACxB,UAAU,CAAC,EAAE,MAAM,EAAE,EACrB,gBAAgB,CAAC,EAAE,MAAM,EAAE,GAC1B,OAAO,CAAC,iBAAiB,CAAC;IA6G7B;;;;;;OAMG;IACG,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAwK5D;;;;;;;OAOG;IACG,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAiHlE;;;;;;OAMG;IACG,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IA8G7D;;;;;;OAMG;IACG,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAyG1D;;OAEG;YACW,SAAS;IAOvB;;OAEG;IACH,OAAO,CAAC,aAAa;CAmBtB"}

package/build/core/auto-installer.js

@@ -240,6 +240,48 @@ function binaryAvailable(binary) {
         return false;
     }
 }
+// ── Post-install binary identity verification ────────────────────────────────
+/**
+ * Expected version output patterns for binaries that come from third-party repos.
+ * Protects against package name collisions in third-party or default repos
+ * (e.g., Trivy and Grype don't exist in stock Debian/Ubuntu repos).
+ */
+const BINARY_VERSION_PATTERNS = {
+    trivy: /trivy/i,
+    grype: /grype/i,
+    syft: /syft/i,
+    cosign: /cosign/i,
+};
+/**
+ * After installing a package, verify the binary is the expected tool.
+ * Checks `--version` output against known patterns.
+ * Protects against package name collisions in third-party or default repos.
+ *
+ * @returns `true` if verified or no verification needed, `false` if mismatch detected
+ */
+function verifyInstalledBinary(binary) {
+    const pattern = BINARY_VERSION_PATTERNS[binary];
+    if (!pattern)
+        return true; // No verification needed for well-known distro packages
+    try {
+        const stdout = execFileSafe(binary, ["--version"], {
+            timeout: 10_000,
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"],
+        });
+        if (!pattern.test(stdout ?? "")) {
+            console.error(`[auto-installer] ⚠️  Installed '${binary}' but --version output doesn't match ` +
+                `expected pattern /${pattern.source}/. The package may be a name collision, not the security tool.`);
+            return false;
+        }
+        return true;
+    }
+    catch {
+        // Can't verify — warn but don't block
+        console.error(`[auto-installer] ⚠️  Could not verify '${binary}' identity via --version (non-fatal)`);
+        return false;
+    }
+}
 // ── Helper: resolve package install command args per distro ───────────────────
 function getInstallArgs(pkgManager, packageName) {
     switch (pkgManager) {
@@ -490,6 +532,15 @@ export class AutoInstaller {
         // Verify installation
         const installed = binaryAvailable(binary);
         const elapsed = ((Date.now() - start) / 1000).toFixed(1);
+        // Post-install identity verification for third-party repo binaries
+        if (installed) {
+            const verified = verifyInstalledBinary(binary);
+            if (!verified) {
+                console.error(`[auto-installer] ⚠️  Binary '${binary}' installed but identity verification failed. ` +
+                    `The package may be a name collision (not the expected security tool). ` +
+                    `Trivy, Grype, Syft, and Cosign require third-party repositories.`);
+            }
+        }
         if (installed) {
             console.error(`[auto-installer] ✓ Installed '${binary}' via ${distro.packageManager} (${elapsed}s)`);
             // Log successful installation to the audit changelog

package/build/core/changelog.d.ts

@@ -30,6 +30,17 @@ export interface ChangeEntry {
     user?: string;
     /** MCP session identifier (if available) */
     sessionId?: string;
+    /**
+     * SHA-256 hash-chain value.
+     *
+     * For the first entry: SHA-256 of the entry's core fields with previousHash="genesis".
+     * For subsequent entries: SHA-256 of the entry's core fields concatenated with
+     * the previous entry's hash. This creates a tamper-evident chain — modifying or
+     * deleting any entry breaks the chain, which is detectable via `verifyChangelog()`.
+     *
+     * Auto-populated by `logChange()`. Not present in legacy entries.
+     */
+    hash?: string;
 }
 /**
  * Versioned changelog state file format.
@@ -39,6 +50,38 @@ export interface ChangelogState {
     version: 1;
     entries: ChangeEntry[];
 }
+/**
+ * Compute the SHA-256 hash-chain value for a changelog entry.
+ *
+ * The hash is computed over the entry's immutable fields (id, timestamp, tool,
+ * action, target, dryRun, success) concatenated with the previous entry's hash.
+ * This creates a tamper-evident chain.
+ *
+ * @param entry - The entry to hash (hash field is excluded from the computation)
+ * @param previousHash - Hash of the previous entry, or "genesis" for the first entry
+ * @returns SHA-256 hex digest
+ */
+export declare function computeEntryHash(entry: ChangeEntry, previousHash: string): string;
+/**
+ * Verify the integrity of the changelog hash chain.
+ *
+ * Walks all entries with `hash` fields and checks that each hash matches
+ * the recomputed value from the previous entry's hash. Legacy entries
+ * without `hash` fields are skipped.
+ *
+ * @returns Object with `valid` boolean and details of any broken links
+ */
+export declare function verifyChangelog(): {
+    valid: boolean;
+    totalEntries: number;
+    hashedEntries: number;
+    brokenLinks: Array<{
+        index: number;
+        entryId: string;
+        expected: string;
+        actual: string;
+    }>;
+};
 /**
  * Creates a new ChangeEntry with auto-generated id and timestamp.
  */
@@ -47,6 +90,7 @@ export declare function createChangeEntry(partial: Omit<ChangeEntry, "id" | "tim
  * Appends a change entry to the changelog JSON file.
  * Creates the file and parent directories if they don't exist.
  * Rotates old entries when the file exceeds MAX_CHANGELOG_ENTRIES.
+ * Computes and attaches a hash-chain value for tamper evidence.
  * Fails silently (logs to stderr) to avoid disrupting tool execution.
  */
 export declare function logChange(entry: ChangeEntry): void;

package/build/core/changelog.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"changelog.d.ts","sourceRoot":"","sources":["../../src/core/changelog.ts"],"names":[],"mappings":"AAQA;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,kCAAkC;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,qCAAqC;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,gCAAgC;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,iDAAiD;IACjD,MAAM,EAAE,MAAM,CAAC;IACf,8BAA8B;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,6BAA6B;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6CAA6C;IAC7C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qDAAqD;IACrD,MAAM,EAAE,OAAO,CAAC;IAChB,mCAAmC;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kCAAkC;IAClC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,uDAAuD;IACvD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,4CAA4C;IAC5C,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,OAAO,EAAE,WAAW,EAAE,CAAC;CACxB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,GAAG,WAAW,GAAG,MAAM,CAAC,GACtD,WAAW,CAOb;AA2BD;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI,CA0BlD;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,WAAW,EAAE,CAmB1D;AAED;;;;;;GAMG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAKnD;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI,CAU1E"}
+{"version":3,"file":"changelog.d.ts","sourceRoot":"","sources":["../../src/core/changelog.ts"],"names":[],"mappings":"AAQA;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,kCAAkC;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,qCAAqC;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,gCAAgC;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,iDAAiD;IACjD,MAAM,EAAE,MAAM,CAAC;IACf,8BAA8B;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,6BAA6B;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6CAA6C;IAC7C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qDAAqD;IACrD,MAAM,EAAE,OAAO,CAAC;IAChB,mCAAmC;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kCAAkC;IAClC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,uDAAuD;IACvD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,4CAA4C;IAC5C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;;;;;OASG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,OAAO,EAAE,WAAW,EAAE,CAAC;CACxB;AAID;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,GAAG,MAAM,CAcjF;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,IAAI;IACjC,KAAK,EAAE,OAAO,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,KAAK,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC1F,CAuCA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,GAAG,WAAW,GAAG,MAAM,CAAC,GACtD,WAAW,CAOb;AA2BD;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI,CAiClD;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,WAAW,EAAE,CAmB1D;AAED;;;;;;GAMG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAKnD;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI,CAU1E"}

package/build/core/changelog.js

@@ -2,9 +2,77 @@ import { readFileSync } from "node:fs";
 import { dirname } from "node:path";
 import { userInfo } from "node:os";
 import { secureWriteFileSync, secureMkdirSync, secureCopyFileSync } from "./secure-fs.js";
-import { randomUUID } from "node:crypto";
+import { randomUUID, createHash } from "node:crypto";
 import { getConfig } from "./config.js";
 import { BackupManager } from "./backup-manager.js";
+// ── Hash-Chain Integrity ─────────────────────────────────────────────────────
+/**
+ * Compute the SHA-256 hash-chain value for a changelog entry.
+ *
+ * The hash is computed over the entry's immutable fields (id, timestamp, tool,
+ * action, target, dryRun, success) concatenated with the previous entry's hash.
+ * This creates a tamper-evident chain.
+ *
+ * @param entry - The entry to hash (hash field is excluded from the computation)
+ * @param previousHash - Hash of the previous entry, or "genesis" for the first entry
+ * @returns SHA-256 hex digest
+ */
+export function computeEntryHash(entry, previousHash) {
+    const payload = [
+        entry.id,
+        entry.timestamp,
+        entry.tool,
+        entry.action,
+        entry.target,
+        String(entry.dryRun),
+        String(entry.success),
+        entry.error ?? "",
+        previousHash,
+    ].join("|");
+    return createHash("sha256").update(payload).digest("hex");
+}
+/**
+ * Verify the integrity of the changelog hash chain.
+ *
+ * Walks all entries with `hash` fields and checks that each hash matches
+ * the recomputed value from the previous entry's hash. Legacy entries
+ * without `hash` fields are skipped.
+ *
+ * @returns Object with `valid` boolean and details of any broken links
+ */
+export function verifyChangelog() {
+    const config = getConfig();
+    const state = loadChangelogState(config.changelogPath);
+    const entries = state.entries;
+    let previousHash = "genesis";
+    const brokenLinks = [];
+    let hashedEntries = 0;
+    for (let i = 0; i < entries.length; i++) {
+        const entry = entries[i];
+        if (!entry.hash) {
+            // Legacy entry without hash — skip but DON'T reset the chain.
+            // The next hashed entry will chain from the last known hash.
+            continue;
+        }
+        hashedEntries++;
+        const expected = computeEntryHash(entry, previousHash);
+        if (entry.hash !== expected) {
+            brokenLinks.push({
+                index: i,
+                entryId: entry.id,
+                expected,
+                actual: entry.hash,
+            });
+        }
+        previousHash = entry.hash;
+    }
+    return {
+        valid: brokenLinks.length === 0,
+        totalEntries: entries.length,
+        hashedEntries,
+        brokenLinks,
+    };
+}
 /**
  * Creates a new ChangeEntry with auto-generated id and timestamp.
  */
@@ -49,6 +117,7 @@ function loadChangelogState(changelogPath) {
  * Appends a change entry to the changelog JSON file.
  * Creates the file and parent directories if they don't exist.
  * Rotates old entries when the file exceeds MAX_CHANGELOG_ENTRIES.
+ * Computes and attaches a hash-chain value for tamper evidence.
  * Fails silently (logs to stderr) to avoid disrupting tool execution.
  */
 export function logChange(entry) {
@@ -60,6 +129,12 @@ export function logChange(entry) {
         secureMkdirSync(dir);
         // Read existing entries (with migration)
         const state = loadChangelogState(changelogPath);
+        // Compute hash-chain value
+        const lastEntry = state.entries.length > 0
+            ? state.entries[state.entries.length - 1]
+            : null;
+        const previousHash = lastEntry?.hash ?? "genesis";
+        entry.hash = computeEntryHash(entry, previousHash);
         // Append new entry
         state.entries.push(entry);
         // Rotate: keep only the most recent entries to prevent unbounded growth

package/build/core/command-allowlist.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"command-allowlist.d.ts","sourceRoot":"","sources":["../../src/core/command-allowlist.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAeH,MAAM,WAAW,cAAc;IAC7B,wCAAwC;IACxC,MAAM,EAAE,MAAM,CAAC;IACf,gDAAgD;IAChD,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,2EAA2E;IAC3E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,+EAA+E;IAC/E,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,uEAAuE;IACvE,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,sDAAsD;AACtD,MAAM,WAAW,wBAAwB;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AA8WD;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAkD1C;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAsDtD;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CActD;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;CACpB,CA6CA;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,aAAa,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAE7E;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,OAAO,CAEvC;AAED;;GAEG;AACH,wBAAgB,gCAAgC,IAAI,OAAO,CAE1D;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAEjE;AA8CD;;GAEG;AACH,wBAAgB,yBAAyB,IAAI,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAE9E;AAeD;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,EAAE,MAAM,EAClB,eAAe,CAAC,EAAE,MAAM,GACvB,wBAAwB,CA6G1B;AAiHD;;;;;;;;;;GAUG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,wBAAwB,EAAE,CAAC,CA6C7E"}
+{"version":3,"file":"command-allowlist.d.ts","sourceRoot":"","sources":["../../src/core/command-allowlist.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAeH,MAAM,WAAW,cAAc;IAC7B,wCAAwC;IACxC,MAAM,EAAE,MAAM,CAAC;IACf,gDAAgD;IAChD,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,2EAA2E;IAC3E,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,+EAA+E;IAC/E,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,uEAAuE;IACvE,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,sDAAsD;AACtD,MAAM,WAAW,wBAAwB;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AA+WD;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAkD1C;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAsDtD;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CActD;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;CACpB,CA6CA;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,aAAa,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAE7E;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,OAAO,CAEvC;AAED;;GAEG;AACH,wBAAgB,gCAAgC,IAAI,OAAO,CAE1D;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAEjE;AA8CD;;GAEG;AACH,wBAAgB,yBAAyB,IAAI,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAE9E;AAeD;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,EAAE,MAAM,EAClB,eAAe,CAAC,EAAE,MAAM,GACvB,wBAAwB,CA6G1B;AAiHD;;;;;;;;;;GAUG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,wBAAwB,EAAE,CAAC,CA6C7E"}

package/build/core/command-allowlist.js

@@ -241,6 +241,7 @@ const ALLOWLIST_DEFINITIONS = [
     // ── GUI askpass helpers (sudo-management.ts) ───────────────────────────
     { binary: "zenity", candidates: ["/usr/bin/zenity"] },
     { binary: "kdialog", candidates: ["/usr/bin/kdialog"] },
+    { binary: "setsid", candidates: ["/usr/bin/setsid", "/usr/sbin/setsid"] },
     { binary: "ksshaskpass", candidates: ["/usr/bin/ksshaskpass"] },
     { binary: "lxqt-sudo", candidates: ["/usr/bin/lxqt-sudo"] },
     // ── DNS security ───────────────────────────────────────────────────────

package/build/core/dependency-validator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dependency-validator.d.ts","sourceRoot":"","sources":["../../src/core/dependency-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAgCH;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,oCAAoC;IACpC,YAAY,EAAE,MAAM,CAAC;IACrB,kCAAkC;IAClC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,gCAAgC;IAChC,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,wCAAwC;IACxC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,sCAAsC;IACtC,aAAa,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACxD,+CAA+C;IAC/C,eAAe,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,eAAe,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IACxE,iDAAiD;IACjD,UAAU,EAAE,MAAM,CAAC;IACnB,uCAAuC;IACvC,kBAAkB,EAAE,OAAO,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,sDAAsD;IACtD,SAAS,EAAE,OAAO,CAAC;IACnB,qDAAqD;IACrD,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,gCAAgC;IAChC,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,0DAA0D;IAC1D,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,wCAAwC;IACxC,aAAa,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACzD;AAsCD;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C;AA+CD;;;;;;;;;;GAUG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC,gBAAgB,CAAC,CAqJzE;AAID;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,YAAY,CAAC,CA0EvB;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAIxE;AAID;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAmDvE"}
+{"version":3,"file":"dependency-validator.d.ts","sourceRoot":"","sources":["../../src/core/dependency-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAgCH;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,oCAAoC;IACpC,YAAY,EAAE,MAAM,CAAC;IACrB,kCAAkC;IAClC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,gCAAgC;IAChC,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,wCAAwC;IACxC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,sCAAsC;IACtC,aAAa,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACxD,+CAA+C;IAC/C,eAAe,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,eAAe,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IACxE,iDAAiD;IACjD,UAAU,EAAE,MAAM,CAAC;IACnB,uCAAuC;IACvC,kBAAkB,EAAE,OAAO,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,sDAAsD;IACtD,SAAS,EAAE,OAAO,CAAC;IACnB,qDAAqD;IACrD,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,gCAAgC;IAChC,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,0DAA0D;IAC1D,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,wCAAwC;IACxC,aAAa,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACzD;AAsCD;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C;AA+CD;;;;;;;;;;GAUG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC,gBAAgB,CAAC,CAsJzE;AAID;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,YAAY,CAAC,CA0EvB;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAIxE;AAID;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAmDvE"}

package/build/core/dependency-validator.js

@@ -145,6 +145,7 @@ export async function validateAllDependencies() {
         const updateCmd = pkgMgr.updateCmd();
         console.error(`[dep-validator] Updating package lists via ${distro.packageManager}...`);
         await executeCommand({
+            toolName: "_internal",
             command: "sudo",
             args: updateCmd,
             timeout: 120_000,

package/build/core/distro-adapter.js

@@ -396,7 +396,7 @@ function buildFirewallPersistenceConfig(distro) {
             return {
                 packageName: "iptables-persistent",
                 checkInstalledCmd: ["dpkg", "-l", "iptables-persistent"],
-                installCmd: ["DEBIAN_FRONTEND=noninteractive", "apt-get", "install", "-y", "iptables-persistent"],
+                installCmd: ["apt-get", "install", "-y", "iptables-persistent"],
                 serviceName: "netfilter-persistent",
                 enableCmd: ["systemctl", "enable", "netfilter-persistent"],
                 saveCmd: ["netfilter-persistent", "save"],

package/build/core/distro.js

@@ -21,7 +21,7 @@ function parseOsRelease(content) {
     return result;
 }
 async function binaryExists(name) {
-    const result = await executeCommand({ command: "which", args: [name], timeout: 5000 });
+    const result = await executeCommand({ toolName: "_internal", command: "which", args: [name], timeout: 5000 });
     return result.exitCode === 0;
 }
 async function detectWsl() {
@@ -95,8 +95,8 @@ export async function detectDistro() {
     if (process.platform === "darwin") {
         osFamily = "darwin";
         try {
-            const productResult = await executeCommand({ command: "sw_vers", args: ["-productName"], timeout: 5000 });
-            const versionResult = await executeCommand({ command: "sw_vers", args: ["-productVersion"], timeout: 5000 });
+            const productResult = await executeCommand({ toolName: "_internal", command: "sw_vers", args: ["-productName"], timeout: 5000 });
+            const versionResult = await executeCommand({ toolName: "_internal", command: "sw_vers", args: ["-productVersion"], timeout: 5000 });
             if (productResult.exitCode === 0) {
                 id = "macos";
                 name = productResult.stdout.trim();
@@ -130,7 +130,7 @@ export async function detectDistro() {
     // lsb_release
     if (id === "unknown") {
         try {
-            const result = await executeCommand({ command: "lsb_release", args: ["-a"], timeout: 5000 });
+            const result = await executeCommand({ toolName: "_internal", command: "lsb_release", args: ["-a"], timeout: 5000 });
             if (result.exitCode === 0) {
                 for (const line of result.stdout.split("\n")) {
                     if (line.startsWith("Distributor ID:"))
@@ -442,7 +442,7 @@ export async function hasTPM() {
 }
 export async function hasSecureBoot() {
     return safeCap(async () => {
-        const r = await executeCommand({ command: "mokutil", args: ["--sb-state"], timeout: 5000 });
+        const r = await executeCommand({ toolName: "_internal", command: "mokutil", args: ["--sb-state"], timeout: 5000 });
         return r.exitCode === 0 && r.stdout.toLowerCase().includes("secureboot enabled");
     });
 }

package/build/core/executor.d.ts

@@ -16,8 +16,8 @@ export interface ExecuteOptions {
     stdin?: string | Buffer;
     /** Maximum output buffer size in bytes */
     maxBuffer?: number;
-    /** Tool name for timeout lookup */
-    toolName?: string;
+    /** Tool name for rate-limiting and timeout lookup (REQUIRED) */
+    toolName: string;
     /** Skip automatic sudo credential injection (used internally) */
     skipSudoInjection?: boolean;
 }

package/build/core/executor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"executor.d.ts","sourceRoot":"","sources":["../../src/core/executor.ts"],"names":[],"mappings":"AAkFA;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,oCAAoC;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wCAAwC;IACxC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,uCAAuC;IACvC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,iFAAiF;IACjF,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACxB,0CAA0C;IAC1C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,mCAAmC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iEAAiE;IACjE,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,8BAA8B;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,6BAA6B;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,yCAAyC;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,oDAAoD;IACpD,QAAQ,EAAE,OAAO,CAAC;IAClB,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AA0FD;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,aAAa,CAAC,CAmNxB"}
+{"version":3,"file":"executor.d.ts","sourceRoot":"","sources":["../../src/core/executor.ts"],"names":[],"mappings":"AAkFA;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,oCAAoC;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wCAAwC;IACxC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,uCAAuC;IACvC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,iFAAiF;IACjF,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACxB,0CAA0C;IAC1C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gEAAgE;IAChE,QAAQ,EAAE,MAAM,CAAC;IACjB,iEAAiE;IACjE,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,8BAA8B;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,6BAA6B;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,yCAAyC;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,oDAAoD;IACpD,QAAQ,EAAE,OAAO,CAAC;IAClB,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AA0FD;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,aAAa,CAAC,CAmNxB"}

package/build/core/installer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"installer.d.ts","sourceRoot":"","sources":["../../src/core/installer.ts"],"names":[],"mappings":"AAWA;;GAEG;AACH,MAAM,MAAM,YAAY,GACpB,WAAW,GACX,UAAU,GACV,YAAY,GACZ,YAAY,GACZ,SAAS,GACT,QAAQ,GACR,gBAAgB,GAChB,YAAY,GACZ,WAAW,GACX,SAAS,GACT,WAAW,GACX,WAAW,GACX,YAAY,GACZ,SAAS,CAAC;AAEd;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,+BAA+B;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,4CAA4C;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,qCAAqC;IACrC,QAAQ,EAAE,YAAY,CAAC;IACvB,2BAA2B;IAC3B,QAAQ,EAAE,YAAY,CAAC;IACvB,iDAAiD;IACjD,QAAQ,EAAE,OAAO,CAAC;IAClB,iDAAiD;IACjD,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,4BAA4B;IAC5B,IAAI,EAAE,eAAe,CAAC;IACtB,oCAAoC;IACpC,SAAS,EAAE,OAAO,CAAC;IACnB,6CAA6C;IAC7C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,oCAAoC;IACpC,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,4BAA4B;IAC5B,IAAI,EAAE,eAAe,CAAC;IACtB,qCAAqC;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,2BAA2B;IAC3B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAk6B5C,CAAC;AAYF;;;;;;GAMG;AACH,wBAAsB,SAAS,CAC7B,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA8ClE;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,QAAQ,CAAC,EAAE,YAAY,GACtB,OAAO,CAAC,eAAe,EAAE,CAAC,CAkB5B;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAC/B,IAAI,EAAE,eAAe,GACpB,OAAO,CAAC,aAAa,CAAC,CAwDxB;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,QAAQ,CAAC,EAAE,YAAY,EACvB,MAAM,CAAC,EAAE,OAAO,GACf,OAAO,CAAC,aAAa,EAAE,CAAC,CAgC1B"}
+{"version":3,"file":"installer.d.ts","sourceRoot":"","sources":["../../src/core/installer.ts"],"names":[],"mappings":"AAWA;;GAEG;AACH,MAAM,MAAM,YAAY,GACpB,WAAW,GACX,UAAU,GACV,YAAY,GACZ,YAAY,GACZ,SAAS,GACT,QAAQ,GACR,gBAAgB,GAChB,YAAY,GACZ,WAAW,GACX,SAAS,GACT,WAAW,GACX,WAAW,GACX,YAAY,GACZ,SAAS,CAAC;AAEd;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,+BAA+B;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,4CAA4C;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,qCAAqC;IACrC,QAAQ,EAAE,YAAY,CAAC;IACvB,2BAA2B;IAC3B,QAAQ,EAAE,YAAY,CAAC;IACvB,iDAAiD;IACjD,QAAQ,EAAE,OAAO,CAAC;IAClB,iDAAiD;IACjD,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,4BAA4B;IAC5B,IAAI,EAAE,eAAe,CAAC;IACtB,oCAAoC;IACpC,SAAS,EAAE,OAAO,CAAC;IACnB,6CAA6C;IAC7C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,oCAAoC;IACpC,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,4BAA4B;IAC5B,IAAI,EAAE,eAAe,CAAC;IACtB,qCAAqC;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,2BAA2B;IAC3B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,eAAO,MAAM,eAAe,EAAE,eAAe,EAk6B5C,CAAC;AAYF;;;;;;GAMG;AACH,wBAAsB,SAAS,CAC7B,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAgDlE;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,QAAQ,CAAC,EAAE,YAAY,GACtB,OAAO,CAAC,eAAe,EAAE,CAAC,CAkB5B;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAC/B,IAAI,EAAE,eAAe,GACpB,OAAO,CAAC,aAAa,CAAC,CA0DxB;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,QAAQ,CAAC,EAAE,YAAY,EACvB,MAAM,CAAC,EAAE,OAAO,GACf,OAAO,CAAC,aAAa,EAAE,CAAC,CAgC1B"}

package/build/core/installer.js

@@ -964,6 +964,7 @@ export async function checkTool(binary) {
     // Try to get version
     let version;
     const versionResult = await executeCommand({
+        toolName: "_internal",
         command: binary,
         args: ["--version"],
         timeout: 5000,
@@ -975,6 +976,7 @@ export async function checkTool(binary) {
     else {
         // Some tools use -v or -V instead
         const altResult = await executeCommand({
+            toolName: "_internal",
             command: binary,
             args: ["-V"],
             timeout: 5000,
@@ -1037,6 +1039,7 @@ export async function installTool(tool) {
     // Run package manager update first
     const updateCmd = getUpdateCommand(pkgManager);
     await executeCommand({
+        toolName: "_internal",
         command: updateCmd[0],
         args: updateCmd.slice(1),
         timeout: 120_000,
@@ -1044,6 +1047,7 @@ export async function installTool(tool) {
     // Install the package
     const installCmd = getInstallCommand(pkgManager, pkgName);
     const result = await executeCommand({
+        toolName: "_internal",
         command: installCmd[0],
         args: installCmd.slice(1),
         timeout: 300_000,

package/build/core/logger.d.ts

@@ -7,6 +7,11 @@
  * Supports standard log levels plus a `security` level for security-relevant
  * events (authentication, privilege escalation, policy violations).
  *
+ * Optional file-based logging with size-based rotation via:
+ *   DEFENSE_MCP_LOG_FILE=/path/to/logfile.json
+ *   DEFENSE_MCP_LOG_MAX_SIZE=10485760  (10 MB default)
+ *   DEFENSE_MCP_LOG_MAX_FILES=5        (keep 5 rotated files)
+ *
  * @module logger
  * @see CICD-027
  */
@@ -33,6 +38,9 @@ export interface LogEntry {
  * Uses stderr so log output doesn't interfere with MCP protocol messages
  * on stdout (StdioServerTransport).
  *
+ * Optionally writes to a file with automatic size-based rotation when
+ * DEFENSE_MCP_LOG_FILE is set.
+ *
  * Usage:
  * ```typescript
  * import { logger } from './logger.js';
@@ -43,6 +51,9 @@ export interface LogEntry {
  */
 export declare class Logger {
     private minLevel;
+    private logFile;
+    private maxFileSize;
+    private maxFiles;
     constructor(minLevel?: LogLevel);
     /**
      * Read the minimum log level from `DEFENSE_MCP_LOG_LEVEL` env var.
@@ -51,6 +62,11 @@ export declare class Logger {
     private parseEnvLevel;
     /** Check whether a message at `level` should be emitted. */
     private shouldLog;
+    /**
+     * Write a log line to the file, with size-based rotation.
+     * This is best-effort — file write failures don't throw.
+     */
+    private writeToFile;
     /**
      * Emit a structured log entry as a single JSON line to stderr.
      *

package/build/core/logger.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/core/logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,qEAAqE;AACrE,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,UAAU,CAAC;AAYxE,wDAAwD;AACxD,MAAM,WAAW,QAAQ;IACvB,6BAA6B;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,yBAAyB;IACzB,KAAK,EAAE,QAAQ,CAAC;IAChB,gFAAgF;IAChF,SAAS,EAAE,MAAM,CAAC;IAClB,qEAAqE;IACrE,MAAM,EAAE,MAAM,CAAC;IACf,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,2EAA2E;IAC3E,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAID;;;;;;;;;;;;;GAaG;AACH,qBAAa,MAAM;IACjB,OAAO,CAAC,QAAQ,CAAW;gBAEf,QAAQ,CAAC,EAAE,QAAQ;IAI/B;;;OAGG;IACH,OAAO,CAAC,aAAa;IAQrB,4DAA4D;IAC5D,OAAO,CAAC,SAAS;IAIjB;;;;;;;;OAQG;IACH,GAAG,CACD,KAAK,EAAE,QAAQ,EACf,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAgBP,iCAAiC;IACjC,KAAK,CACH,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAIP,iCAAiC;IACjC,IAAI,CACF,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAIP,mCAAmC;IACnC,IAAI,CACF,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAIP,kCAAkC;IAClC,KAAK,CACH,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAIP;;;;;;;;;;OAUG;IACH,QAAQ,CACN,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAIP;;;OAGG;IACH,QAAQ,CAAC,KAAK,EAAE,QAAQ,GAAG,IAAI;IAI/B,yCAAyC;IACzC,QAAQ,IAAI,QAAQ;CAGrB;AAID;;;;;;;;GAQG;AACH,eAAO,MAAM,MAAM,QAAe,CAAC"}
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/core/logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAOH,qEAAqE;AACrE,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,UAAU,CAAC;AAYxE,wDAAwD;AACxD,MAAM,WAAW,QAAQ;IACvB,6BAA6B;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,yBAAyB;IACzB,KAAK,EAAE,QAAQ,CAAC;IAChB,gFAAgF;IAChF,SAAS,EAAE,MAAM,CAAC;IAClB,qEAAqE;IACrE,MAAM,EAAE,MAAM,CAAC;IACf,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,2EAA2E;IAC3E,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AA6CD;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,MAAM;IACjB,OAAO,CAAC,QAAQ,CAAW;IAC3B,OAAO,CAAC,OAAO,CAAgB;IAC/B,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,QAAQ,CAAS;gBAEb,QAAQ,CAAC,EAAE,QAAQ;IAmB/B;;;OAGG;IACH,OAAO,CAAC,aAAa;IAQrB,4DAA4D;IAC5D,OAAO,CAAC,SAAS;IAIjB;;;OAGG;IACH,OAAO,CAAC,WAAW;IAkBnB;;;;;;;;OAQG;IACH,GAAG,CACD,KAAK,EAAE,QAAQ,EACf,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAoBP,iCAAiC;IACjC,KAAK,CACH,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAIP,iCAAiC;IACjC,IAAI,CACF,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAIP,mCAAmC;IACnC,IAAI,CACF,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAIP,kCAAkC;IAClC,KAAK,CACH,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAIP;;;;;;;;;;OAUG;IACH,QAAQ,CACN,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,IAAI;IAIP;;;OAGG;IACH,QAAQ,CAAC,KAAK,EAAE,QAAQ,GAAG,IAAI;IAI/B,yCAAyC;IACzC,QAAQ,IAAI,QAAQ;CAGrB;AAID;;;;;;;;GAQG;AACH,eAAO,MAAM,MAAM,QAAe,CAAC"}

package/build/core/logger.js

@@ -7,9 +7,16 @@
  * Supports standard log levels plus a `security` level for security-relevant
  * events (authentication, privilege escalation, policy violations).
  *
+ * Optional file-based logging with size-based rotation via:
+ *   DEFENSE_MCP_LOG_FILE=/path/to/logfile.json
+ *   DEFENSE_MCP_LOG_MAX_SIZE=10485760  (10 MB default)
+ *   DEFENSE_MCP_LOG_MAX_FILES=5        (keep 5 rotated files)
+ *
  * @module logger
  * @see CICD-027
  */
+import { appendFileSync, statSync, renameSync, existsSync, unlinkSync, mkdirSync } from "node:fs";
+import { dirname } from "node:path";
 /** Numeric severity for each log level (used for filtering). */
 const LOG_LEVEL_SEVERITY = {
     debug: 0,
@@ -19,6 +26,43 @@ const LOG_LEVEL_SEVERITY = {
     /** Security events always log regardless of level (severity 999). */
     security: 999,
 };
+// ── Log Rotation ─────────────────────────────────────────────────────────────
+/** Default max log file size: 10 MB */
+const DEFAULT_MAX_SIZE = 10 * 1024 * 1024;
+/** Default number of rotated files to keep */
+const DEFAULT_MAX_FILES = 5;
+/**
+ * Rotate a log file using numbered suffixes: log.json → log.json.1 → log.json.2 etc.
+ * Oldest files beyond maxFiles are deleted.
+ *
+ * @param filePath - The active log file path
+ * @param maxFiles - Maximum number of rotated files to keep
+ */
+function rotateLogFile(filePath, maxFiles) {
+    try {
+        // Delete the oldest file if it would exceed maxFiles
+        const oldest = `${filePath}.${maxFiles}`;
+        if (existsSync(oldest)) {
+            unlinkSync(oldest);
+        }
+        // Shift existing rotated files: .4 → .5, .3 → .4, etc.
+        for (let i = maxFiles - 1; i >= 1; i--) {
+            const src = `${filePath}.${i}`;
+            const dst = `${filePath}.${i + 1}`;
+            if (existsSync(src)) {
+                renameSync(src, dst);
+            }
+        }
+        // Move the current log file to .1
+        if (existsSync(filePath)) {
+            renameSync(filePath, `${filePath}.1`);
+        }
+    }
+    catch {
+        // Best-effort rotation — don't crash the server if rotation fails
+        process.stderr.write(`[logger] WARNING: Log rotation failed for ${filePath}\n`);
+    }
+}
 // ── Logger Class ─────────────────────────────────────────────────────────────
 /**
  * Structured logger that outputs JSON to stderr.
@@ -26,6 +70,9 @@ const LOG_LEVEL_SEVERITY = {
  * Uses stderr so log output doesn't interfere with MCP protocol messages
  * on stdout (StdioServerTransport).
  *
+ * Optionally writes to a file with automatic size-based rotation when
+ * DEFENSE_MCP_LOG_FILE is set.
+ *
  * Usage:
  * ```typescript
  * import { logger } from './logger.js';
@@ -36,8 +83,26 @@ const LOG_LEVEL_SEVERITY = {
  */
 export class Logger {
     minLevel;
+    logFile;
+    maxFileSize;
+    maxFiles;
     constructor(minLevel) {
         this.minLevel = minLevel ?? this.parseEnvLevel();
+        this.logFile = process.env.DEFENSE_MCP_LOG_FILE || null;
+        this.maxFileSize = parseInt(process.env.DEFENSE_MCP_LOG_MAX_SIZE || "", 10) || DEFAULT_MAX_SIZE;
+        this.maxFiles = parseInt(process.env.DEFENSE_MCP_LOG_MAX_FILES || "", 10) || DEFAULT_MAX_FILES;
+        // Ensure log directory exists if file logging is enabled
+        if (this.logFile) {
+            try {
+                const dir = dirname(this.logFile);
+                mkdirSync(dir, { recursive: true });
+            }
+            catch {
+                // Fall back to stderr-only if directory creation fails
+                process.stderr.write(`[logger] WARNING: Cannot create log directory for ${this.logFile}, falling back to stderr-only\n`);
+                this.logFile = null;
+            }
+        }
     }
     /**
      * Read the minimum log level from `DEFENSE_MCP_LOG_LEVEL` env var.
@@ -54,6 +119,27 @@ export class Logger {
     shouldLog(level) {
         return LOG_LEVEL_SEVERITY[level] >= LOG_LEVEL_SEVERITY[this.minLevel];
     }
+    /**
+     * Write a log line to the file, with size-based rotation.
+     * This is best-effort — file write failures don't throw.
+     */
+    writeToFile(line) {
+        if (!this.logFile)
+            return;
+        try {
+            // Check if rotation is needed before writing
+            if (existsSync(this.logFile)) {
+                const stats = statSync(this.logFile);
+                if (stats.size >= this.maxFileSize) {
+                    rotateLogFile(this.logFile, this.maxFiles);
+                }
+            }
+            appendFileSync(this.logFile, line, { encoding: "utf-8" });
+        }
+        catch {
+            // Best-effort — don't crash the server on write failure
+        }
+    }
     /**
      * Emit a structured log entry as a single JSON line to stderr.
      *
@@ -75,7 +161,10 @@ export class Logger {
             ...(details !== undefined ? { details } : {}),
         };
         // Single-line JSON to stderr — safe for MCP stdio transport
-        process.stderr.write(JSON.stringify(entry) + "\n");
+        const line = JSON.stringify(entry) + "\n";
+        process.stderr.write(line);
+        // Also write to file if configured (with rotation)
+        this.writeToFile(line);
     }
     /** Log a debug-level message. */
     debug(component, action, message, details) {