kastell 2.1.0 → 2.2.1

package/kastell-plugin/README.md

@@ -0,0 +1,113 @@
+# Kastell
+
+Autonomous server security and infrastructure management for Claude Code.
+
+## What You Get
+
+The Kastell plugin bundles 13 MCP tools, 4 skills, 1 agent, and 5 hooks that give Claude Code
+full control over your self-hosted server infrastructure. Use it to provision cloud servers,
+run 457-check security audits across 30 categories, apply 24-step hardening, manage backups,
+and operate entire fleets — all from natural language in Claude Code.
+
+Supported providers: Hetzner Cloud, DigitalOcean, Vultr, Linode.
+Supported platforms: Coolify, Dokploy.
+
+## Prerequisites
+
+- `npm install -g kastell` — the Kastell CLI must be installed globally
+- At least one cloud provider API token (Hetzner, DigitalOcean, Vultr, or Linode)
+- `kastell setup` — run once to configure your API tokens and default provider
+
+## Skills
+
+| Skill | Invocation | Purpose |
+|-------|------------|---------|
+| kastell-ops | Auto-loaded (background) | Architecture reference, patterns, anti-patterns, and decision trees for working in the Kastell codebase or managing Kastell-provisioned servers |
+| kastell-scaffold | `/kastell:scaffold` | Generate new CLI commands, MCP tools, cloud providers, and audit checks following Kastell conventions |
+| kastell-careful | `/kastell:careful` | Intercepts `kastell destroy` and `kastell restore` commands and requires explicit confirmation before proceeding |
+| kastell-research | `/kastell:research` | Read-only codebase exploration with full architecture context — for understanding behavior without making changes |
+
+**kastell-ops** loads automatically as background context whenever you work with the Kastell
+codebase or ask about server provisioning, audit, hardening, or provider management. It does
+not appear in the slash-command menu.
+
+## Agents
+
+**`/agent:kastell-auditor`** — Parallel audit analyzer that groups all 30 audit categories into
+five analysis buckets (critical config, network exposure, access control, monitoring, compliance),
+produces structured findings with severity ratings, and remembers previous audit context across
+sessions using user-scoped memory.
+
+Invoke it with: "Analyze my last audit report" or "Which findings should I fix first?"
+
+Note: `kastell-fixer` is a project-scope agent, not bundled in this plugin. It requires
+`isolation: worktree` which only works when installed at project scope (`.claude/agents/`).
+Install kastell-fixer separately inside your Kastell project directory.
+
+## Hooks
+
+| Hook | Trigger | What It Does |
+|------|---------|--------------|
+| stop-quality-check | Stop | Checks for TypeScript compilation errors, missing CHANGELOG entries, and stale README before ending the session |
+| session-log | PostToolUse (Bash) | Records Bash command outputs to `session.log` for audit trail |
+| session-audit | SessionStart | Runs `kastell audit --silent` on session start and surfaces the current security score |
+| pre-commit-audit-guard | PreToolUse (git commit) | Blocks the commit if the current audit score has dropped below the recorded baseline |
+| destroy-block | PreToolUse (Bash) | Blocks `kastell destroy` and `kastell restore` operations through Claude Code |
+
+## MCP Tools
+
+All 13 tools are available in Claude Code once the plugin is installed. The MCP server starts
+automatically via the bundled `.mcp.json` configuration.
+
+| Tool | Description |
+|------|-------------|
+| server_info | List servers, check status, health, and available sizes |
+| server_logs | Fetch logs and system metrics from servers via SSH |
+| server_manage | Add, remove, or destroy servers |
+| server_maintain | Update platform, restart, or run full maintenance |
+| server_secure | SSH hardening, firewall management, and domain configuration |
+| server_backup | Create backups and manage cloud snapshots |
+| server_provision | Provision new cloud servers on Hetzner, DigitalOcean, Vultr, or Linode |
+| server_audit | Run the full 457-check security audit across 30 categories |
+| server_evidence | Collect forensic evidence packages from servers |
+| server_guard | Manage the autonomous security monitoring daemon |
+| server_doctor | Proactive health analysis with remediation recommendations |
+| server_lock | Apply the 24-step production hardening sequence |
+| server_fleet | Fleet-wide health and security posture overview |
+
+## Quick Start
+
+```bash
+# Install kastell globally
+npm install -g kastell
+
+# Configure your cloud provider
+kastell setup
+
+# In Claude Code, the plugin auto-starts the MCP server.
+# Try natural language commands like:
+#   "Provision a new Hetzner server in Nuremberg with 2 CPUs"
+#   "Run a security audit on my server at 1.2.3.4"
+#   "Apply full hardening to my production server"
+#   "Show me all my servers"
+```
+
+After installation, the `kastell-ops` skill loads automatically in any session where you
+work with Kastell. Use `/kastell:scaffold` to generate new CLI commands or MCP tools,
+and `/agent:kastell-auditor` to get prioritized remediation guidance from audit results.
+
+## Supported Providers
+
+| Provider | Regions | Notes |
+|----------|---------|-------|
+| Hetzner Cloud | EU (FSN, NBG, HEL), US (ASH, HIL) | Default recommended provider |
+| DigitalOcean | Global (NYC, SFO, AMS, SGP, LON, FRA, TOR, BLR, SYD) | |
+| Vultr | 25+ global locations | |
+| Linode (Akamai) | 11 global locations | |
+
+## Links
+
+- Website: https://kastell.dev
+- GitHub: https://github.com/kastelldev/kastell
+- npm: https://www.npmjs.com/package/kastell
+- Docs: https://kastell.dev/docs

package/kastell-plugin/agents/kastell-auditor.md

@@ -0,0 +1,77 @@
+---
+name: kastell-auditor
+description: "Security audit analyzer for Kastell servers. Runs kastell audit, maps results across 5 security domains (perimeter, authentication, runtime, internals, compliance), tracks score trends across sessions. Use when running kastell audit, analyzing server security posture, investigating audit findings, or generating security reports."
+tools: Read, Grep, Glob, Bash
+model: inherit
+effort: high
+memory: user
+maxTurns: 25
+skills:
+  - kastell-ops
+---
+
+# Role
+
+## Live Context
+
+**Last audit score:** !`node -e "import('fs').then(f=>{try{const h=JSON.parse(f.readFileSync(process.env.HOME+'/.kastell/audit-history.json','utf8'));const last=h.sort((a,b)=>new Date(b.timestamp)-new Date(a.timestamp))[0];if(last)console.log(last.overallScore+'/100 ('+last.serverName+', '+last.timestamp.split('T')[0]+')');else console.log('No audit history yet')}catch(e){console.log('No audit history yet')}}).catch(()=>console.log('No audit history yet'))" 2>/dev/null || echo "No audit history yet"`
+
+You are a security audit analyst for Kastell-managed servers. Your purpose is to run `kastell audit`, organize findings into 5 security domains, identify critical failures and quick wins, and track score trends across sessions.
+
+# Workflow
+
+1. **Identify target server** — ask user if not provided; verify with `kastell list`
+2. **Run audit** — `kastell audit <server> --json` to get structured output
+3. **Analyze by bucket** — pipe JSON through `bash scripts/bucket_mapper.sh` for instant 5-domain mapping
+4. **Check memory** — run `bash scripts/trend_report.sh <server>` for score history; or load `audit-history.json` directly
+5. **Report** — per-bucket summary + overall score + trend (if memory available)
+
+## Scripts (Deterministic)
+
+```bash
+# Map audit JSON to 5 security buckets
+kastell audit --server <name> --json | bash scripts/bucket_mapper.sh
+
+# Show audit score trend for a server
+bash scripts/trend_report.sh <server-name>
+bash scripts/trend_report.sh --all
+```
+
+# Bucket Map
+
+| Bucket | Categories | Focus |
+|--------|-----------|-------|
+| 1 Perimeter | Network, Firewall, DNS Security | External attack surface |
+| 2 Authentication | SSH, Auth, Crypto, Accounts | Identity controls |
+| 3 Runtime | Docker, Services, Boot, Scheduling | Service exposure |
+| 4 Internals | Filesystem, Logging, Kernel, Memory | System hardening |
+| 5 Compliance | Updates, File Integrity, Malware, MAC, Secrets, Cloud Metadata, Supply Chain, Backup Hygiene, Resource Limits, Incident Readiness, Banners, Time | Hygiene and compliance |
+
+# Output Format
+
+For each bucket:
+- **Score:** X/Y checks passed
+- **Critical findings** (up to 3): `[FAIL] check-name -- one-line impact`
+- **Quick win:** one actionable fix
+
+After all buckets:
+- **Overall score:** X/100
+- **Trend** (when memory has prior data): "Last audit: Y -- Delta: +/-Z -- [N] new failures in [bucket]"
+
+# Memory
+
+Manage a single file `audit-history.json` in your agent memory directory. Store per server:
+
+```json
+{ "server": "string", "date": "string", "score": 0, "bucketScores": { "perimeter": 0, "authentication": 0, "runtime": 0, "internals": 0, "compliance": 0 }, "failedChecks": [] }
+```
+
+On each run: load prior record, compute delta, store new record. Discard entries for servers no longer in `kastell list` output.
+
+# Rules
+
+- Read-only operations only: `server_audit`, `server_doctor`, `server_fleet`
+- Never run `kastell lock`, `kastell secure`, or any write operation
+- Recommend fixes but do not apply them — suggest `/agent:kastell-fixer` for implementation
+- If multiple servers requested, analyze each sequentially
+- English output for analysis structure; follow user's language for explanatory text

package/kastell-plugin/agents/scripts/bucket_mapper.sh

@@ -0,0 +1,101 @@
+#!/usr/bin/env bash
+# bucket_mapper.sh — Map kastell audit JSON checks to 5 security buckets.
+# Usage: kastell audit --server <name> --json | bash bucket_mapper.sh
+#    OR: bash bucket_mapper.sh < audit-output.json
+#    OR: bash bucket_mapper.sh audit-output.json
+#
+# Output: Per-bucket check list with pass/fail status and severity.
+# Used by kastell-auditor agent for structured analysis.
+#
+# Requires: node
+
+set -euo pipefail
+
+if [[ -n "${1:-}" && -f "$1" ]]; then
+  INPUT=$(cat "$1")
+elif [[ ! -t 0 ]]; then
+  INPUT=$(cat)
+else
+  echo "Usage: kastell audit --server <name> --json | bash bucket_mapper.sh" >&2
+  exit 1
+fi
+
+node -e "
+const data = JSON.parse(process.argv[1]);
+const checks = data.checks || data.results || [];
+
+const BUCKETS = {
+  '1_Perimeter': {
+    match: ['network', 'firewall', 'dns'],
+    checks: []
+  },
+  '2_Authentication': {
+    match: ['ssh', 'auth', 'crypto', 'accounts'],
+    checks: []
+  },
+  '3_Runtime': {
+    match: ['docker', 'services', 'boot', 'scheduling'],
+    checks: []
+  },
+  '4_Internals': {
+    match: ['filesystem', 'logging', 'kernel', 'memory'],
+    checks: []
+  },
+  '5_Compliance': {
+    match: [], // catchall
+    checks: []
+  }
+};
+
+function getBucket(category) {
+  const cat = (category || '').toLowerCase();
+  for (const [name, bucket] of Object.entries(BUCKETS)) {
+    if (name === '5_Compliance') continue;
+    if (bucket.match.some(m => cat.includes(m))) return name;
+  }
+  return '5_Compliance';
+}
+
+// Map checks to buckets
+for (const c of checks) {
+  const bucket = getBucket(c.category);
+  BUCKETS[bucket].checks.push({
+    id: c.id || 'unknown',
+    name: c.name || '',
+    severity: c.severity || 'info',
+    passed: !!c.passed,
+    category: c.category || ''
+  });
+}
+
+// Output
+const score = data.score ?? data.overallScore ?? 'N/A';
+console.log('Score: ' + score + '/100');
+console.log('Total checks: ' + checks.length);
+console.log('');
+
+for (const [name, bucket] of Object.entries(BUCKETS)) {
+  const label = name.replace(/^[0-9]_/, '');
+  const passed = bucket.checks.filter(c => c.passed).length;
+  const total = bucket.checks.length;
+  const critFail = bucket.checks.filter(c => !c.passed && c.severity === 'critical');
+
+  console.log('--- ' + label + ' (' + passed + '/' + total + ') ---');
+
+  // Show failed checks (critical first, then warning)
+  const failed = bucket.checks
+    .filter(c => !c.passed)
+    .sort((a, b) => {
+      const sev = { critical: 0, warning: 1, info: 2 };
+      return (sev[a.severity] ?? 3) - (sev[b.severity] ?? 3);
+    });
+
+  for (const c of failed.slice(0, 5)) {
+    const icon = c.severity === 'critical' ? '!!' : c.severity === 'warning' ? '! ' : '  ';
+    console.log('  [FAIL] ' + icon + c.id + ' — ' + c.name);
+  }
+  if (failed.length > 5) console.log('  ... and ' + (failed.length - 5) + ' more');
+  if (failed.length === 0) console.log('  All checks passed');
+  console.log('');
+}
+" "$INPUT"

package/kastell-plugin/agents/scripts/trend_report.sh

@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+# trend_report.sh — Generate audit score trend from audit-history.json.
+# Usage: bash trend_report.sh [server-name]
+#    OR: bash trend_report.sh --all
+#
+# Reads ~/.kastell/audit-history.json (maintained by kastell-auditor agent).
+# Shows score over time with delta indicators.
+#
+# Requires: node
+
+set -euo pipefail
+
+HISTORY_FILE="${KASTELL_HOME:-$HOME/.kastell}/audit-history.json"
+SERVER="${1:-}"
+
+if [[ ! -f "$HISTORY_FILE" ]]; then
+  echo "No audit history found at: $HISTORY_FILE"
+  echo "Run 'kastell audit --server <name>' to generate data."
+  exit 0
+fi
+
+node -e "
+const fs = require('fs');
+const data = JSON.parse(fs.readFileSync(process.argv[1], 'utf8'));
+const server = process.argv[2] || '';
+const showAll = server === '--all';
+
+if (!Array.isArray(data) || data.length === 0) {
+  console.log('No audit history entries found.');
+  process.exit(0);
+}
+
+// Filter by server if specified
+let entries = showAll ? data : server
+  ? data.filter(e => e.serverName === server || e.server === server)
+  : data;
+
+if (entries.length === 0) {
+  console.log('No audit history for server: ' + server);
+  console.log('Available servers: ' + [...new Set(data.map(e => e.serverName || e.server))].join(', '));
+  process.exit(0);
+}
+
+// Sort by date
+entries.sort((a, b) => new Date(a.timestamp || a.date) - new Date(b.timestamp || b.date));
+
+// Group by server
+const byServer = {};
+for (const e of entries) {
+  const name = e.serverName || e.server || 'unknown';
+  if (!byServer[name]) byServer[name] = [];
+  byServer[name].push(e);
+}
+
+console.log('=== Audit Score Trend ===');
+console.log('');
+
+for (const [name, history] of Object.entries(byServer)) {
+  console.log('Server: ' + name);
+  console.log('-'.repeat(50));
+
+  let prev = null;
+  for (const e of history) {
+    const score = e.overallScore ?? e.score ?? 0;
+    const date = (e.timestamp || e.date || '').split('T')[0];
+    let delta = '';
+    if (prev !== null) {
+      const diff = score - prev;
+      delta = diff > 0 ? ' (+' + diff + ')' : diff < 0 ? ' (' + diff + ')' : ' (=)';
+    }
+
+    // Visual bar
+    const filled = Math.round(score / 5);
+    const bar = '█'.repeat(filled) + '░'.repeat(20 - filled);
+
+    console.log('  ' + date + '  ' + String(score).padStart(3) + '/100 ' + bar + delta);
+    prev = score;
+  }
+
+  // Latest bucket scores if available
+  const latest = history[history.length - 1];
+  if (latest.bucketScores) {
+    console.log('');
+    console.log('  Latest bucket breakdown:');
+    for (const [bucket, score] of Object.entries(latest.bucketScores)) {
+      console.log('    ' + bucket.padEnd(15) + ': ' + score);
+    }
+  }
+  console.log('');
+}
+" "$HISTORY_FILE" "$SERVER"

package/kastell-plugin/hooks/destroy-block.cjs

@@ -0,0 +1,31 @@
+#!/usr/bin/env node
+// PreToolUse hook: Block kastell destroy / server-delete commands (hard block)
+
+// MANDATORY stdin guard — exit silently if stdin unavailable (e.g. after /clear)
+if (!process.stdin || process.stdin.destroyed || !process.stdin.readable) {
+  process.exit(0);
+}
+
+let input = '';
+const stdinTimeout = setTimeout(() => process.exit(0), 1500);
+process.stdin.setEncoding('utf8');
+process.stdin.on('error', () => process.exit(0));
+process.stdin.on('data', chunk => { input += chunk; });
+process.stdin.on('end', () => {
+  clearTimeout(stdinTimeout);
+  try {
+    const data = JSON.parse(input);
+    const cmd = (data.tool_input && data.tool_input.command) || '';
+
+    if (/\bkastell\s+(destroy|server-delete)\b/.test(cmd)) {
+      process.stdout.write(JSON.stringify({
+        decision: 'block',
+        reason: 'Destructive kastell operation detected. Use kastell destroy with --force flag directly in terminal, not through Claude Code.',
+      }));
+      process.exit(2);
+    }
+  } catch {}
+
+  // Not destructive or parse error — allow
+  process.exit(0);
+});

package/kastell-plugin/hooks/hooks.json

@@ -0,0 +1,57 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "if": "Bash(*kastell*)",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/destroy-block.cjs"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "if": "Bash(*git commit*)",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/pre-commit-audit-guard.cjs"
+          }
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/session-log.cjs"
+          }
+        ]
+      }
+    ],
+    "SessionStart": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/session-audit.cjs"
+          }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/stop-quality-check.cjs"
+          }
+        ]
+      }
+    ]
+  }
+}

package/kastell-plugin/hooks/pre-commit-audit-guard.cjs

@@ -0,0 +1,75 @@
+#!/usr/bin/env node
+// PreToolUse hook: Block git commit if audit score dropped since previous audit run
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const HISTORY_FILE = path.join(os.homedir(), '.kastell', 'audit-history.json');
+
+// MANDATORY stdin guard — exit silently if stdin unavailable
+if (!process.stdin || process.stdin.destroyed || !process.stdin.readable) {
+  process.exit(0);
+}
+
+let input = '';
+const stdinTimeout = setTimeout(() => process.exit(0), 1500);
+process.stdin.setEncoding('utf8');
+process.stdin.on('error', () => process.exit(0));
+process.stdin.on('data', chunk => { input += chunk; });
+process.stdin.on('end', () => {
+  clearTimeout(stdinTimeout);
+  try {
+    const cwd = process.cwd();
+
+    // Kastell project guard (two-phase: directory structure + package.json name)
+    const isKastell = fs.existsSync(path.join(cwd, 'src', 'mcp')) &&
+                      fs.existsSync(path.join(cwd, 'package.json'));
+    if (!isKastell) {
+      try {
+        const pkg = JSON.parse(fs.readFileSync(path.join(cwd, 'package.json'), 'utf8'));
+        if (pkg.name !== 'kastell') process.exit(0);
+      } catch { process.exit(0); }
+    }
+
+    // Parse tool input — only act on git commit commands
+    const data = JSON.parse(input);
+    const cmd = (data.tool_input && data.tool_input.command) || '';
+
+    if (!/\bgit\s+commit\b/.test(cmd)) {
+      process.exit(0);
+    }
+
+    // Read audit history — fail-open if unavailable
+    let history;
+    try {
+      history = JSON.parse(fs.readFileSync(HISTORY_FILE, 'utf8'));
+    } catch {
+      // History missing or unreadable — allow commit
+      process.exit(0);
+    }
+
+    // Check each server for score regression between last two audit runs
+    for (const serverIp of Object.keys(history)) {
+      const entries = history[serverIp];
+      if (!Array.isArray(entries) || entries.length < 2) continue;
+
+      const current = entries[entries.length - 1].overallScore;
+      const previous = entries[entries.length - 2].overallScore;
+
+      if (typeof current !== 'number' || typeof previous !== 'number') continue;
+      if (current < previous) {
+        process.stdout.write(JSON.stringify({
+          decision: 'block',
+          reason: `Audit score dropped: ${previous} -> ${current} (${entries[entries.length - 1].serverName}). Run \`kastell audit\` to investigate before committing.`,
+        }));
+        process.exit(0);
+      }
+    }
+
+    // No score drop detected — allow commit
+  } catch {}
+
+  // Fail-open: any unexpected error allows the commit through
+  process.exit(0);
+});

package/kastell-plugin/hooks/session-audit.cjs

@@ -0,0 +1,86 @@
+#!/usr/bin/env node
+// SessionStart hook: Show last audit score from cache (no SSH, instant)
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const HISTORY_FILE = path.join(os.homedir(), '.kastell', 'audit-history.json');
+
+// MANDATORY stdin guard — exit silently if stdin unavailable (e.g. after /clear)
+if (!process.stdin || process.stdin.destroyed || !process.stdin.readable) {
+  process.exit(0);
+}
+
+let input = '';
+const stdinTimeout = setTimeout(() => process.exit(0), 1500);
+process.stdin.setEncoding('utf8');
+process.stdin.on('error', () => process.exit(0));
+process.stdin.on('data', chunk => { input += chunk; });
+process.stdin.on('end', () => {
+  clearTimeout(stdinTimeout);
+  try {
+    const cwd = process.cwd();
+
+    // Kastell project guard
+    const isKastell = fs.existsSync(path.join(cwd, 'src', 'mcp')) &&
+                      fs.existsSync(path.join(cwd, 'package.json'));
+    if (!isKastell) {
+      try {
+        const pkg = JSON.parse(fs.readFileSync(path.join(cwd, 'package.json'), 'utf8'));
+        if (pkg.name !== 'kastell') process.exit(0);
+      } catch { process.exit(0); }
+    }
+
+    // Read audit history from cache — no SSH needed
+    let history;
+    try {
+      history = JSON.parse(fs.readFileSync(HISTORY_FILE, 'utf8'));
+    } catch {
+      // No history file — exit silently
+      process.exit(0);
+    }
+
+    // Find the most recent audit entry across all servers
+    let latest = null;
+    let latestTime = 0;
+
+    if (typeof history === 'object' && !Array.isArray(history)) {
+      // Format: { "ip": [ { overallScore, serverName, timestamp } ] }
+      for (const entries of Object.values(history)) {
+        if (!Array.isArray(entries)) continue;
+        for (const entry of entries) {
+          const ts = new Date(entry.timestamp || entry.date || 0).getTime();
+          if (ts > latestTime) {
+            latestTime = ts;
+            latest = entry;
+          }
+        }
+      }
+    } else if (Array.isArray(history)) {
+      // Format: [ { overallScore, serverName, timestamp } ]
+      for (const entry of history) {
+        const ts = new Date(entry.timestamp || entry.date || 0).getTime();
+        if (ts > latestTime) {
+          latestTime = ts;
+          latest = entry;
+        }
+      }
+    }
+
+    if (latest && typeof latest.overallScore === 'number') {
+      const serverName = latest.serverName || latest.server || 'unknown';
+      const date = (latest.timestamp || latest.date || '').split('T')[0];
+      const ageMs = Date.now() - latestTime;
+      const ageDays = Math.floor(ageMs / (1000 * 60 * 60 * 24));
+      const stale = ageDays > 7 ? ` (${ageDays} days ago — consider re-running)` : '';
+
+      process.stdout.write(JSON.stringify({
+        hookSpecificOutput: `[Kastell Audit] Last score: ${latest.overallScore}/100 (${serverName}, ${date})${stale}`,
+      }));
+    }
+  } catch {}
+
+  // Always exit 0 — SessionStart MUST NOT fail
+  process.exit(0);
+});