npm - kastell - Versions diffs - 2.2.0 → 2.2.1 - Mend

kastell 2.2.0 → 2.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (292) hide show

package/.claude-plugin/marketplace.json +18 -0
package/.claude-plugin/plugin.json +39 -0
package/CHANGELOG.md +1266 -1266
package/LICENSE +201 -201
package/NOTICE +5 -5
package/bin/kastell +2 -2
package/bin/kastell-mcp +5 -5
package/dist/adapters/coolify.js +92 -92
package/dist/adapters/dokploy.js +99 -99
package/dist/adapters/shared.d.ts.map +1 -1
package/dist/adapters/shared.js +4 -2
package/dist/adapters/shared.js.map +1 -1
package/dist/commands/add.d.ts.map +1 -1
package/dist/commands/add.js +6 -9
package/dist/commands/add.js.map +1 -1
package/dist/commands/auth.d.ts.map +1 -1
package/dist/commands/auth.js +12 -12
package/dist/commands/auth.js.map +1 -1
package/dist/commands/doctor.js +1 -1
package/dist/commands/doctor.js.map +1 -1
package/dist/commands/evidence.d.ts.map +1 -1
package/dist/commands/evidence.js +8 -9
package/dist/commands/evidence.js.map +1 -1
package/dist/commands/fix.js +3 -3
package/dist/commands/fix.js.map +1 -1
package/dist/commands/init.d.ts.map +1 -1
package/dist/commands/init.js +4 -7
package/dist/commands/init.js.map +1 -1
package/dist/commands/interactive/backup-maintenance.d.ts +8 -0
package/dist/commands/interactive/backup-maintenance.d.ts.map +1 -0
package/dist/commands/interactive/backup-maintenance.js +120 -0
package/dist/commands/interactive/backup-maintenance.js.map +1 -0
package/dist/commands/interactive/index.d.ts +4 -0
package/dist/commands/interactive/index.d.ts.map +1 -0
package/dist/commands/interactive/index.js +94 -0
package/dist/commands/interactive/index.js.map +1 -0
package/dist/commands/interactive/menu.d.ts +23 -0
package/dist/commands/interactive/menu.d.ts.map +1 -0
package/dist/commands/interactive/menu.js +121 -0
package/dist/commands/interactive/menu.js.map +1 -0
package/dist/commands/interactive/monitoring.d.ts +5 -0
package/dist/commands/interactive/monitoring.d.ts.map +1 -0
package/dist/commands/interactive/monitoring.js +96 -0
package/dist/commands/interactive/monitoring.js.map +1 -0
package/dist/commands/interactive/plugins.d.ts +2 -0
package/dist/commands/interactive/plugins.d.ts.map +1 -0
package/dist/commands/interactive/plugins.js +30 -0
package/dist/commands/interactive/plugins.js.map +1 -0
package/dist/commands/interactive/security.d.ts +9 -0
package/dist/commands/interactive/security.d.ts.map +1 -0
package/dist/commands/interactive/security.js +535 -0
package/dist/commands/interactive/security.js.map +1 -0
package/dist/commands/interactive/server-management.d.ts +5 -0
package/dist/commands/interactive/server-management.d.ts.map +1 -0
package/dist/commands/interactive/server-management.js +79 -0
package/dist/commands/interactive/server-management.js.map +1 -0
package/dist/commands/interactive/shared.d.ts +12 -0
package/dist/commands/interactive/shared.d.ts.map +1 -0
package/dist/commands/interactive/shared.js +30 -0
package/dist/commands/interactive/shared.js.map +1 -0
package/dist/commands/lock.js +1 -1
package/dist/commands/lock.js.map +1 -1
package/dist/commands/regression.d.ts.map +1 -1
package/dist/commands/regression.js +1 -2
package/dist/commands/regression.js.map +1 -1
package/dist/commands/restart.d.ts.map +1 -1
package/dist/commands/restart.js +3 -2
package/dist/commands/restart.js.map +1 -1
package/dist/commands/schedule.js +2 -2
package/dist/commands/schedule.js.map +1 -1
package/dist/core/audit/formatters/badge.js +20 -20
package/dist/core/backup.d.ts.map +1 -1
package/dist/core/backup.js +10 -5
package/dist/core/backup.js.map +1 -1
package/dist/core/completions.js +631 -631
package/dist/core/deploy.d.ts.map +1 -1
package/dist/core/deploy.js +7 -4
package/dist/core/deploy.js.map +1 -1
package/dist/core/lock/auth.d.ts +7 -0
package/dist/core/lock/auth.d.ts.map +1 -0
package/dist/core/lock/auth.js +59 -0
package/dist/core/lock/auth.js.map +1 -0
package/dist/core/lock/docker.d.ts +4 -0
package/dist/core/lock/docker.d.ts.map +1 -0
package/dist/core/lock/docker.js +28 -0
package/dist/core/lock/docker.js.map +1 -0
package/dist/core/lock/index.d.ts +11 -0
package/dist/core/lock/index.d.ts.map +1 -0
package/dist/core/lock/index.js +247 -0
package/dist/core/lock/index.js.map +1 -0
package/dist/core/lock/monitoring.d.ts +4 -0
package/dist/core/lock/monitoring.d.ts.map +1 -0
package/dist/core/lock/monitoring.js +55 -0
package/dist/core/lock/monitoring.js.map +1 -0
package/dist/core/lock/network.d.ts +6 -0
package/dist/core/lock/network.d.ts.map +1 -0
package/dist/core/lock/network.js +59 -0
package/dist/core/lock/network.js.map +1 -0
package/dist/core/lock/ssh.d.ts +5 -0
package/dist/core/lock/ssh.d.ts.map +1 -0
package/dist/core/lock/ssh.js +49 -0
package/dist/core/lock/ssh.js.map +1 -0
package/dist/core/lock/system.d.ts +9 -0
package/dist/core/lock/system.d.ts.map +1 -0
package/dist/core/lock/system.js +80 -0
package/dist/core/lock/system.js.map +1 -0
package/dist/core/lock/types.d.ts +41 -0
package/dist/core/lock/types.d.ts.map +1 -0
package/dist/core/lock/types.js +2 -0
package/dist/core/lock/types.js.map +1 -0
package/dist/core/maintain.d.ts.map +1 -1
package/dist/core/maintain.js +3 -1
package/dist/core/maintain.js.map +1 -1
package/dist/core/manage.d.ts.map +1 -1
package/dist/core/manage.js +5 -3
package/dist/core/manage.js.map +1 -1
package/dist/core/notifyStore.d.ts.map +1 -1
package/dist/core/notifyStore.js +3 -1
package/dist/core/notifyStore.js.map +1 -1
package/dist/core/provision.d.ts.map +1 -1
package/dist/core/provision.js +9 -4
package/dist/core/provision.js.map +1 -1
package/dist/core/scheduleManager.d.ts.map +1 -1
package/dist/core/scheduleManager.js +5 -2
package/dist/core/scheduleManager.js.map +1 -1
package/dist/index.js +1 -1
package/dist/index.js.map +1 -1
package/dist/mcp/schemas/audit.d.ts +34 -0
package/dist/mcp/schemas/audit.d.ts.map +1 -0
package/dist/mcp/schemas/audit.js +23 -0
package/dist/mcp/schemas/audit.js.map +1 -0
package/dist/mcp/schemas/common.d.ts +16 -0
package/dist/mcp/schemas/common.d.ts.map +1 -0
package/dist/mcp/schemas/common.js +14 -0
package/dist/mcp/schemas/common.js.map +1 -0
package/dist/mcp/schemas/health.d.ts +14 -0
package/dist/mcp/schemas/health.d.ts.map +1 -0
package/dist/mcp/schemas/health.js +13 -0
package/dist/mcp/schemas/health.js.map +1 -0
package/dist/mcp/schemas/index.d.ts +5 -0
package/dist/mcp/schemas/index.d.ts.map +1 -0
package/dist/mcp/schemas/index.js +5 -0
package/dist/mcp/schemas/index.js.map +1 -0
package/dist/mcp/schemas/server.d.ts +18 -0
package/dist/mcp/schemas/server.d.ts.map +1 -0
package/dist/mcp/schemas/server.js +16 -0
package/dist/mcp/schemas/server.js.map +1 -0
package/dist/mcp/server.d.ts.map +1 -1
package/dist/mcp/server.js +56 -39
package/dist/mcp/server.js.map +1 -1
package/dist/mcp/tools/serverAudit.d.ts +63 -1
package/dist/mcp/tools/serverAudit.d.ts.map +1 -1
package/dist/mcp/tools/serverAudit.js +63 -6
package/dist/mcp/tools/serverAudit.js.map +1 -1
package/dist/mcp/tools/serverBackup.d.ts +100 -2
package/dist/mcp/tools/serverBackup.d.ts.map +1 -1
package/dist/mcp/tools/serverBackup.handlers.d.ts.map +1 -1
package/dist/mcp/tools/serverBackup.handlers.js +9 -0
package/dist/mcp/tools/serverBackup.handlers.js.map +1 -1
package/dist/mcp/tools/serverBackup.js +74 -0
package/dist/mcp/tools/serverBackup.js.map +1 -1
package/dist/mcp/tools/serverCompare.d.ts +33 -0
package/dist/mcp/tools/serverCompare.d.ts.map +1 -1
package/dist/mcp/tools/serverCompare.js +45 -2
package/dist/mcp/tools/serverCompare.js.map +1 -1
package/dist/mcp/tools/serverDoctor.d.ts +14 -0
package/dist/mcp/tools/serverDoctor.d.ts.map +1 -1
package/dist/mcp/tools/serverDoctor.js +15 -0
package/dist/mcp/tools/serverDoctor.js.map +1 -1
package/dist/mcp/tools/serverEvidence.d.ts +13 -0
package/dist/mcp/tools/serverEvidence.d.ts.map +1 -1
package/dist/mcp/tools/serverEvidence.js +17 -2
package/dist/mcp/tools/serverEvidence.js.map +1 -1
package/dist/mcp/tools/serverExplain.d.ts +17 -0
package/dist/mcp/tools/serverExplain.d.ts.map +1 -1
package/dist/mcp/tools/serverExplain.js +33 -1
package/dist/mcp/tools/serverExplain.js.map +1 -1
package/dist/mcp/tools/serverFix.d.ts +78 -0
package/dist/mcp/tools/serverFix.d.ts.map +1 -1
package/dist/mcp/tools/serverFix.js +84 -0
package/dist/mcp/tools/serverFix.js.map +1 -1
package/dist/mcp/tools/serverFleet.d.ts +24 -1
package/dist/mcp/tools/serverFleet.d.ts.map +1 -1
package/dist/mcp/tools/serverFleet.js +24 -1
package/dist/mcp/tools/serverFleet.js.map +1 -1
package/dist/mcp/tools/serverGuard.d.ts +12 -0
package/dist/mcp/tools/serverGuard.d.ts.map +1 -1
package/dist/mcp/tools/serverGuard.js +16 -0
package/dist/mcp/tools/serverGuard.js.map +1 -1
package/dist/mcp/tools/serverInfo.d.ts +77 -1
package/dist/mcp/tools/serverInfo.d.ts.map +1 -1
package/dist/mcp/tools/serverInfo.js +77 -4
package/dist/mcp/tools/serverInfo.js.map +1 -1
package/dist/mcp/tools/serverLock.d.ts +10 -0
package/dist/mcp/tools/serverLock.d.ts.map +1 -1
package/dist/mcp/tools/serverLock.js +15 -3
package/dist/mcp/tools/serverLock.js.map +1 -1
package/dist/mcp/tools/serverLogs.d.ts +43 -0
package/dist/mcp/tools/serverLogs.d.ts.map +1 -1
package/dist/mcp/tools/serverLogs.js +28 -0
package/dist/mcp/tools/serverLogs.js.map +1 -1
package/dist/mcp/tools/serverMaintain.d.ts +47 -0
package/dist/mcp/tools/serverMaintain.d.ts.map +1 -1
package/dist/mcp/tools/serverMaintain.js +75 -41
package/dist/mcp/tools/serverMaintain.js.map +1 -1
package/dist/mcp/tools/serverManage.d.ts +50 -0
package/dist/mcp/tools/serverManage.d.ts.map +1 -1
package/dist/mcp/tools/serverManage.js +49 -0
package/dist/mcp/tools/serverManage.js.map +1 -1
package/dist/mcp/tools/serverPlugin.d.ts +18 -0
package/dist/mcp/tools/serverPlugin.d.ts.map +1 -1
package/dist/mcp/tools/serverPlugin.js +26 -1
package/dist/mcp/tools/serverPlugin.js.map +1 -1
package/dist/mcp/tools/serverProvision.d.ts +22 -0
package/dist/mcp/tools/serverProvision.d.ts.map +1 -1
package/dist/mcp/tools/serverProvision.js +22 -2
package/dist/mcp/tools/serverProvision.js.map +1 -1
package/dist/mcp/tools/serverSecure.d.ts +120 -0
package/dist/mcp/tools/serverSecure.d.ts.map +1 -1
package/dist/mcp/tools/serverSecure.handlers.d.ts.map +1 -1
package/dist/mcp/tools/serverSecure.handlers.js +39 -98
package/dist/mcp/tools/serverSecure.handlers.js.map +1 -1
package/dist/mcp/tools/serverSecure.js +101 -0
package/dist/mcp/tools/serverSecure.js.map +1 -1
package/dist/mcp/utils.d.ts +1 -0
package/dist/mcp/utils.d.ts.map +1 -1
package/dist/mcp/utils.js +5 -1
package/dist/mcp/utils.js.map +1 -1
package/dist/plugin/registry.d.ts.map +1 -1
package/dist/plugin/registry.js +5 -3
package/dist/plugin/registry.js.map +1 -1
package/dist/providers/linode.d.ts +1 -0
package/dist/providers/linode.d.ts.map +1 -1
package/dist/providers/linode.js +4 -0
package/dist/providers/linode.js.map +1 -1
package/dist/utils/cloudInit.js +58 -58
package/dist/utils/config.d.ts +3 -0
package/dist/utils/config.d.ts.map +1 -1
package/dist/utils/config.js +11 -6
package/dist/utils/config.js.map +1 -1
package/dist/utils/encryption.d.ts.map +1 -1
package/dist/utils/encryption.js +4 -1
package/dist/utils/encryption.js.map +1 -1
package/dist/utils/migration.d.ts.map +1 -1
package/dist/utils/migration.js +25 -14
package/dist/utils/migration.js.map +1 -1
package/dist/utils/safeMode.d.ts.map +1 -1
package/dist/utils/safeMode.js +3 -2
package/dist/utils/safeMode.js.map +1 -1
package/dist/utils/securityLogger.d.ts.map +1 -1
package/dist/utils/securityLogger.js +7 -3
package/dist/utils/securityLogger.js.map +1 -1
package/kastell-plugin/.claude-plugin/plugin.json +20 -0
package/kastell-plugin/.mcp.json +8 -0
package/kastell-plugin/README.md +113 -0
package/kastell-plugin/agents/.gitkeep +0 -0
package/kastell-plugin/agents/kastell-auditor.md +77 -0
package/kastell-plugin/agents/scripts/bucket_mapper.sh +101 -0
package/kastell-plugin/agents/scripts/trend_report.sh +91 -0
package/kastell-plugin/hooks/destroy-block.cjs +31 -0
package/kastell-plugin/hooks/hooks.json +57 -0
package/kastell-plugin/hooks/pre-commit-audit-guard.cjs +75 -0
package/kastell-plugin/hooks/session-audit.cjs +86 -0
package/kastell-plugin/hooks/session-log.cjs +56 -0
package/kastell-plugin/hooks/stop-quality-check.cjs +72 -0
package/kastell-plugin/skills/.gitkeep +0 -0
package/kastell-plugin/skills/kastell-careful/SKILL.md +64 -0
package/kastell-plugin/skills/kastell-ops/SKILL.md +139 -0
package/kastell-plugin/skills/kastell-ops/references/commands.md +45 -0
package/kastell-plugin/skills/kastell-ops/references/mcp-tools.md +50 -0
package/kastell-plugin/skills/kastell-ops/references/patterns.md +145 -0
package/kastell-plugin/skills/kastell-ops/references/pitfalls.md +136 -0
package/kastell-plugin/skills/kastell-ops/scripts/check_coverage.sh +101 -0
package/kastell-plugin/skills/kastell-ops/scripts/fleet_report.sh +73 -0
package/kastell-plugin/skills/kastell-ops/scripts/parse_audit.sh +76 -0
package/kastell-plugin/skills/kastell-research/SKILL.md +90 -0
package/kastell-plugin/skills/kastell-scaffold/SKILL.md +104 -0
package/kastell-plugin/skills/kastell-scaffold/references/template-audit-check.md +150 -0
package/kastell-plugin/skills/kastell-scaffold/references/template-command.md +80 -0
package/kastell-plugin/skills/kastell-scaffold/references/template-mcp-tool.md +72 -0
package/kastell-plugin/skills/kastell-scaffold/references/template-provider.md +67 -0
package/kastell-plugin/skills/kastell-scaffold/scripts/scaffold.sh +180 -0
package/kastell-plugin/skills/kastell-scaffold/templates/check-test.ts.tpl +27 -0
package/kastell-plugin/skills/kastell-scaffold/templates/check.ts.tpl +50 -0
package/kastell-plugin/skills/kastell-scaffold/templates/command-core.ts.tpl +18 -0
package/kastell-plugin/skills/kastell-scaffold/templates/command-test.ts.tpl +17 -0
package/kastell-plugin/skills/kastell-scaffold/templates/command.ts.tpl +25 -0
package/kastell-plugin/skills/kastell-scaffold/templates/mcp-tool-test.ts.tpl +30 -0
package/kastell-plugin/skills/kastell-scaffold/templates/mcp-tool.ts.tpl +29 -0
package/kastell-plugin/skills/kastell-scaffold/templates/provider-test.ts.tpl +34 -0
package/kastell-plugin/skills/kastell-scaffold/templates/provider.ts.tpl +32 -0
package/package.json +122 -115

package/kastell-plugin/skills/kastell-scaffold/SKILL.md ADDED Viewed

@@ -0,0 +1,104 @@
+---
+name: kastell-scaffold
+description: Generate new Kastell components from templates. Creates boilerplate for CLI commands, audit checks, providers, and MCP tools following current architecture (commands thin, core fat, adapters dispatch).
+context: fork
+disable-model-invocation: true
+effort: medium
+allowed-tools: Read, Edit, Write, Bash, Glob, Grep
+argument-hint: "[check|command|provider|mcp-tool] [name]"
+---
+# Kastell Scaffold
+## Purpose
+Generate boilerplate files for new Kastell components. Each template follows the post-P63/P64 architecture: commands are thin wrappers, business logic lives in core/, providers handle cloud API, adapters abstract platform ops.
+## Usage
+```
+/kastell:scaffold command server-migrate     # creates command + core + test files
+/kastell:scaffold check filesystem-perms     # creates audit check + catalog update
+/kastell:scaffold provider ovhcloud          # creates provider + registry entry + test
+/kastell:scaffold mcp-tool server_migrate    # creates MCP tool + registration + test
+```
+`$ARGUMENTS[0]` is the component type. `$ARGUMENTS[1]` is the component name.
+## Architecture Rules
+These rules apply in every generated file. The forked subagent does not automatically have kastell-ops context — enforce these rules explicitly.
+| Layer    | Path              | Rule                                                         |
+|----------|-------------------|--------------------------------------------------------------|
+| Commands | src/commands/     | Parse args + delegate. ZERO business logic.                  |
+| Core     | src/core/         | ALL business logic. No chalk/ora/UI imports.                 |
+| Providers| src/providers/    | Cloud API per provider. Extends BaseProvider.                |
+| Adapters | src/adapters/     | Platform ops via PlatformAdapter. Access via getAdapter().   |
+| MCP      | src/mcp/tools/    | Zod schema + handler. Delegates to core.                     |
+**Critical:** Never import CoolifyAdapter or DokployAdapter directly. Always use `getAdapter(platform)` from `src/adapters/factory.ts`.
+**ESM:** `"type": "module"` — use `import`, not `require`. All imports use `.js` extension.
+## Existing Components
+**Commands:**
+!`node -e "import('fs').then(f=>console.log(f.readdirSync('src/commands').filter(x=>x.endsWith('.ts')).map(x=>x.replace('.ts','')).join(', '))).catch(()=>console.log('commands dir not found'))"`
+**Providers:**
+!`node -e "import('fs').then(f=>console.log(f.readdirSync('src/providers').filter(x=>x.endsWith('.ts')&&x!=='base.ts').map(x=>x.replace('.ts','')).join(', '))).catch(()=>console.log('providers dir not found'))"`
+**MCP tools:**
+!`node -e "import('fs').then(f=>console.log(f.readdirSync('src/mcp/tools').filter(x=>x.endsWith('.ts')).map(x=>x.replace('.ts','')).join(', '))).catch(()=>console.log('mcp/tools dir not found'))"`
+**Audit categories:**
+!`node -e "import('fs').then(f=>console.log(f.readdirSync('src/core/audit',{withFileTypes:true}).filter(d=>d.isDirectory()).map(d=>d.name).join(', '))).catch(()=>console.log('audit dir not found'))"`
+## Script (Deterministic)
+Run the scaffold script to generate boilerplate files:
+```bash
+bash scripts/scaffold.sh $ARGUMENTS[0] $ARGUMENTS[1]
+```
+The script reads `.tpl` templates from `templates/`, replaces `__NAME__`/`__NAME_PASCAL__`/`__NAME_CAMEL__`/`__NAME_UPPER__` placeholders, and creates files in the project. Add `--dry-run` to preview without writing.
+**Files generated per type:**
+- `command` → 3 files: `src/commands/`, `src/core/`, `src/__tests__/core/`
+- `check` → 2 files: `src/core/audit/checks/`, `src/__tests__/core/audit/checks/`
+- `provider` → 2 files: `src/providers/`, `src/__tests__/providers/`
+- `mcp-tool` → 2 files: `src/mcp/tools/`, `src/__tests__/mcp/`
+## Template Reference (Context for LLM)
+After running the script, read the matching reference for registration details:
+| Type       | Reference File                                 |
+|------------|------------------------------------------------|
+| `command`  | references/template-command.md                 |
+| `check`    | references/template-audit-check.md             |
+| `provider` | references/template-provider.md                |
+| `mcp-tool` | references/template-mcp-tool.md                |
+## After Generation
+Perform these steps after creating the boilerplate files:
+- [ ] Write tests first (TDD preferred — test core, not command)
+- [ ] Register the component:
+  - Commands: add import in `src/index.ts`
+  - MCP tools: `registerTool()` in `src/mcp/server.ts`
+  - Providers: add to `PROVIDER_REGISTRY` in `src/constants.ts`
+  - Audit checks: add entry to `src/core/audit/catalog.ts`
+- [ ] Run `npm run build && npm test && npm run lint`
+- [ ] Update README.md
+## Skill/Agent Oluşturma Kuralları (Yeni skill/agent scaffold ediliyorsa)
+Yeni skill veya agent oluşturulurken aşağıdaki koşullar ZORUNLU:
+- [ ] **Ersin kriteri:** scripts/ klasörü oluştur — deterministik iş LLM'e bırakılmayacak
+- [ ] **Progressive disclosure:** SKILL.md < 500 satır, detaylar references/ klasöründe
+- [ ] **Frontmatter:** `effort` + `allowed-tools` ekle (minimum zorunlu)
+- [ ] **Yan etki varsa:** `disable-model-invocation: true` ekle
+- [ ] **Agent ise:** `maxTurns` belirle, `memory` scope tanımla
+- [ ] **Script dili:** Shell (sh/bash) tercih et — Node.js ekosistemiyle uyumlu
+- [ ] **Evaluation:** Gerçek task'ta test et, struggle noktalarını gözlemle

package/kastell-plugin/skills/kastell-scaffold/references/template-audit-check.md ADDED Viewed

@@ -0,0 +1,150 @@
+# Template: Audit Check — $1
+## Files to Create/Modify
+1. `src/core/audit/checks/$1.ts` — check definitions + parser
+2. `src/core/audit/commands.ts` — SSH batch section
+3. `src/core/audit/checks/index.ts` — registry entry
+4. `src/core/audit/compliance/mapper.ts` — compliance mapping (optional)
+5. `src/__tests__/core/audit/checks/$1.test.ts` — test file
+## Step 1: Check File
+```typescript
+// src/core/audit/checks/$1.ts
+import type { AuditCheck, CheckParser } from "../../types.js";
+interface $1CheckDef {
+  id: string;           // "CATEGORY-CHECK-NAME" (uppercase, hyphen-separated)
+  name: string;         // Human-readable description
+  severity: "critical" | "warning" | "info";
+  check: (output: string) => { passed: boolean; currentValue: string };
+  expectedValue: string;
+  fixCommand: string;
+  explain: string;
+}
+const $1_CHECKS: $1CheckDef[] = [
+  {
+    id: "CAT-CHECK-ONE",
+    name: "Check description",
+    severity: "warning",
+    check: (output) => {
+      const match = output.includes("SENTINEL_PASS");
+      return { passed: match, currentValue: match ? "configured" : "not found" };
+    },
+    expectedValue: "configured",
+    fixCommand: "command to fix",
+    explain: "Why this matters and what the fix does.",
+  },
+];
+export const parse$1Checks: CheckParser = (
+  sectionOutput: string,
+  _platform: string,
+): AuditCheck[] => {
+  // Conditional category: return [] if not applicable (excluded from score)
+  if (!sectionOutput || sectionOutput.includes("SKIP_MARKER")) {
+    return [];
+  }
+  return $1_CHECKS.map((def) => {
+    const { passed, currentValue } = def.check(sectionOutput);
+    return {
+      id: def.id,
+      category: "Category Name",  // MUST match CHECK_REGISTRY.name exactly
+      name: def.name,
+      severity: def.severity,
+      passed,
+      currentValue,
+      expectedValue: def.expectedValue,
+      fixCommand: def.fixCommand,
+      explain: def.explain,
+    };
+  });
+};
+```
+## Step 2: SSH Batch Section
+`src/core/audit/commands.ts` — add bash commands that run on the server.
+```typescript
+function new$1Section(): string {
+  return [
+    NAMED_SEP("$1UPPER"),  // MUST match CHECK_REGISTRY.sectionName exactly
+    `command1 || echo 'N/A'`,
+    `command2 || echo 'N/A'`,
+  ].join("\n");
+}
+```
+Add to the correct batch array:
+- `BATCH_FAST` — fast commands (<1s)
+- `BATCH_MEDIUM` — medium commands (1-5s)
+- `BATCH_SLOW` — slow commands (5s+, e.g., `nginx -T`)
+**Sentinel matching is critical:** `NAMED_SEP("FOO")` produces `---SECTION:FOO---`. This string MUST match `CHECK_REGISTRY.sectionName` exactly.
+For conditional categories, add a skip marker as first command:
+```bash
+command -v nginx >/dev/null 2>&1 || echo 'NGINX_NOT_INSTALLED'
+```
+## Step 3: Registry
+```typescript
+// src/core/audit/checks/index.ts
+import { parse$1Checks } from "./$1.js";
+export const CHECK_REGISTRY: CategoryEntry[] = [
+  // ... existing categories ...
+  { name: "Category Name", sectionName: "$1UPPER", parser: parse$1Checks },
+];
+```
+**Triple-check:**
+- [ ] `sectionName` === `NAMED_SEP()` parameter
+- [ ] `name` === check file's `category` string
+- [ ] Import path has `.js` extension (ESM)
+## Step 4: Compliance Mapping (Optional)
+```typescript
+// src/core/audit/compliance/mapper.ts
+export const COMPLIANCE_MAP: Record<string, ComplianceRef[]> = {
+  // ─── $1 ────────────────────────────────────────
+  "CAT-CHECK-ONE": [
+    cis("5.x.x", "Control description", "full"),
+    pci("x.x.x", "PCI control", "partial"),
+  ],
+};
+```
+Helpers: `cis()`, `pci()`, `hipaa()`. Coverage: `"full"` or `"partial"`.
+## Severity Guide
+| Severity | When | Score weight |
+|----------|------|-------------|
+| `critical` | Exploitable, immediate fix required | 3x |
+| `warning` | Risk exists but not urgent | 2x |
+| `info` | Best practice, informational | 1x |
+## Anti-Patterns
+- **DON'T:** Typo in sentinel strings — parser silently returns empty array, no error
+- **DON'T:** Throw exceptions in `check()` — no try/catch wrapper, entire category breaks
+- **DON'T:** Reuse check ID across categories — compliance mapping will conflict
+- **DON'T:** Multi-step scripts in `fixCommand` — keep it one-line, reference `kastell` command if needed
+- **DON'T:** Forget `|| echo 'N/A'` fallback in SSH commands — parser breaks if command missing
+## Next Steps
+- [ ] Choose correct audit category (30 categories exist)
+- [ ] Assign unique check key: `<CATEGORY>-NN` pattern
+- [ ] Verify `passed` logic matches `currentValue` evaluation
+- [ ] Add SSH command to category batch (avoid extra SSH round-trips)
+- [ ] Write test: mock SSH output, verify correct passed/failed
+- [ ] Run: `npm test -- --testPathPattern=audit`
+- [ ] Verify check count: `kastell audit --json | jq '.summary.totalChecks'`

package/kastell-plugin/skills/kastell-scaffold/references/template-command.md ADDED Viewed

@@ -0,0 +1,80 @@
+# Template: CLI Command — $1
+## Files to Create
+1. `src/commands/$1.ts` — thin wrapper (parse args, call core, display result)
+2. `src/core/$1.ts` — all business logic (no UI imports)
+3. `src/__tests__/core/$1.test.ts` — test the core function, not the command
+## Command File (thin wrapper)
+```typescript
+// src/commands/$1.ts
+import { program } from 'commander';
+import chalk from 'chalk';
+import ora from 'ora';
+import { $1Core } from '../core/$1.js';
+program
+  .command('$1')
+  .description('TODO: describe what this command does')
+  .option('--server <name>', 'Target server name or IP')
+  .option('--json', 'Output as JSON')
+  .action(async (options) => {
+    const spinner = ora('Running $1...').start();
+    try {
+      const result = await $1Core(options);
+      spinner.succeed('Done');
+      if (options.json) {
+        console.log(JSON.stringify(result, null, 2));
+      } else {
+        console.log(chalk.green(result.message));
+      }
+    } catch (error) {
+      spinner.fail(error instanceof Error ? error.message : 'Unknown error');
+      process.exitCode = 1;
+    }
+  });
+```
+## Core File (all logic here)
+```typescript
+// src/core/$1.ts
+export interface $1Options { server?: string; json?: boolean; }
+export interface $1Result { success: boolean; message: string; }
+export async function $1Core(options: $1Options): Promise<$1Result> {
+  // ALL business logic here. NO chalk/ora/UI imports.
+  // assertValidIp() before SSH. getAdapter(platform) for platform ops.
+  // withProviderErrorHandling() for provider calls.
+  throw new Error('Not implemented');
+}
+```
+## Test File
+```typescript
+// src/__tests__/core/$1.test.ts
+import { $1Core } from '../../core/$1.js';
+jest.mock('../../utils/ssh.js');
+describe('$1Core', () => {
+  beforeEach(() => jest.resetAllMocks());
+  it('should TODO: describe expected behavior', async () => {
+    const result = await $1Core({ server: 'test-server' });
+    expect(result.success).toBe(true);
+  });
+});
+```
+## Next Steps
+- [ ] Register command in `src/index.ts`
+- [ ] Write tests first (TDD: test core function, not command)
+- [ ] Add `isSafeMode()` check if operation is destructive
+- [ ] Add `assertValidIp()` before any SSH operation
+- [ ] Use `getAdapter(platform)` for platform-specific operations (never import adapters directly)
+- [ ] Run `npm run build && npm test && npm run lint`
+- [ ] Update README.md command table

package/kastell-plugin/skills/kastell-scaffold/references/template-mcp-tool.md ADDED Viewed

@@ -0,0 +1,72 @@
+# Template: MCP Tool — $1
+## Files to Create
+1. `src/mcp/tools/$1.ts` — Zod schema + handler
+2. Update `src/mcp/server.ts` — import + registerTool()
+3. `src/__tests__/mcp/$1.test.ts` — test handler function
+## Tool File (Zod schema + handler)
+```typescript
+// src/mcp/tools/$1.ts
+import { z } from 'zod';
+import type { McpResponse } from '../types.js';
+// IMPORTANT: Schema is a flat object, NOT wrapped in z.object()
+// The SDK wraps it automatically
+export const $1Schema = {
+  server: z.string().optional().describe('Server name or IP. Auto-selected if only one server exists.'),
+  action: z.enum(['TODO']).describe('TODO: describe actions'),
+};
+export async function handle$1(params: {
+  server?: string;
+  action: string;
+}): Promise<McpResponse> {
+  // Delegate to core function (NOT direct SSH/provider calls)
+  // Example: const result = await someCoreFunction(params);
+  return {
+    content: [
+      {
+        type: 'text' as const,
+        text: JSON.stringify({ success: true }, null, 2),
+      },
+    ],
+  };
+}
+```
+## Server Registration
+```typescript
+// In src/mcp/server.ts
+import { $1Schema, handle$1 } from './tools/$1.js';
+server.registerTool('$1', {
+  description: 'TODO: 50-150 tokens. What it does. Actions. Constraints. Requirements.',
+  inputSchema: $1Schema,
+  annotations: {
+    title: 'TODO: Human-readable title',
+    readOnlyHint: false,    // true if read-only
+    destructiveHint: false, // true if destructive
+    idempotentHint: false,  // true if idempotent
+    openWorldHint: true,
+  },
+}, async (params) => {
+  return handle$1(params);
+});
+```
+## Next Steps
+- [ ] Define Zod schema as flat object (NOT z.object() wrapper)
+- [ ] Handler delegates to core/ functions (not direct SSH/provider)
+- [ ] Add `server` param as `.optional()` with standard description
+- [ ] Set annotations correctly (readOnlyHint, destructiveHint)
+- [ ] Write description: "What it does. Actions: 'x' does Y. Constraints. For Z, use other_tool instead."
+- [ ] Add SAFE_MODE check if destructive: `if (isSafeMode()) throw ...`
+- [ ] Write test: call handler directly with mock params
+- [ ] Run `npm run build && npm test && npm run lint`
+- [ ] Update README.md MCP tools table

package/kastell-plugin/skills/kastell-scaffold/references/template-provider.md ADDED Viewed

@@ -0,0 +1,67 @@
+# Template: Provider — $1
+## Files to Create
+1. `src/providers/$1.ts` — provider implementation (extends BaseProvider)
+2. Update `src/constants.ts` — add to PROVIDER_REGISTRY
+3. `src/__tests__/providers/$1.test.ts` — test with mocked API calls
+## Provider Implementation
+```typescript
+// src/providers/$1.ts
+import {
+  BaseProvider,
+  type ProviderServer,
+  type CreateServerParams,
+  type ProviderResponse,
+} from './base.js';
+export class $1Provider extends BaseProvider {
+  constructor(token: string) {
+    super(token, 'https://api.$1.com/v1'); // adjust API base URL
+  }
+  async listServers(): Promise<ProviderResponse<ProviderServer[]>> {
+    return this.request<ProviderServer[]>('GET', '/servers');
+  }
+  async createServer(params: CreateServerParams): Promise<ProviderResponse<ProviderServer>> {
+    return this.request<ProviderServer>('POST', '/servers', { body: params });
+  }
+  async deleteServer(serverId: string): Promise<ProviderResponse<void>> {
+    return this.request<void>('DELETE', `/servers/${serverId}`);
+  }
+  async getServer(serverId: string): Promise<ProviderResponse<ProviderServer>> {
+    return this.request<ProviderServer>('GET', `/servers/${serverId}`);
+  }
+}
+```
+## PROVIDER_REGISTRY Entry
+```typescript
+// In src/constants.ts — add to PROVIDER_REGISTRY (single source of truth)
+import { $1Provider } from './providers/$1.js';
+export const PROVIDER_REGISTRY = {
+  // ... existing providers
+  $1: {
+    name: '$1',
+    envKey: '$1_TOKEN', // e.g., 'OVHCLOUD_TOKEN'
+    class: $1Provider,
+  },
+};
+```
+## Next Steps
+- [ ] Register in `PROVIDER_REGISTRY` (src/constants.ts) — single source of truth
+- [ ] Implement `stripSensitiveData()` to remove API tokens from error responses
+- [ ] Use `assertValidIp()` before any SSH operation
+- [ ] Use `withProviderErrorHandling()` HOF for API error consistency
+- [ ] Write tests with mocked axios (mock `axios.create()` → `jest.fn(() => axios)`)
+- [ ] Add "Getting Your API Token" section to README.md
+- [ ] Run `npm run build && npm test && npm run lint`

package/kastell-plugin/skills/kastell-scaffold/scripts/scaffold.sh ADDED Viewed

@@ -0,0 +1,180 @@
+#!/usr/bin/env bash
+# scaffold.sh — Generate Kastell component boilerplate from templates.
+# Usage: scaffold.sh <type> <name> [--dry-run]
+#   type: command | check | provider | mcp-tool
+#   name: kebab-case component name (e.g., server-migrate, filesystem-perms)
+#
+# Ersin criterion: This script runs without an LLM. Deterministic file generation.
+set -euo pipefail
+# ── Resolve script directory (works in symlink/Git Bash/etc) ──
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+TEMPLATE_DIR="$SCRIPT_DIR/../templates"
+PROJECT_ROOT="${PROJECT_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}"
+# ── Colors ──
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+NC='\033[0m' # No Color
+info()  { echo -e "${CYAN}ℹ${NC} $*"; }
+ok()    { echo -e "${GREEN}✓${NC} $*"; }
+warn()  { echo -e "${YELLOW}⚠${NC} $*"; }
+err()   { echo -e "${RED}✗${NC} $*" >&2; }
+# ── Args ──
+TYPE="${1:-}"
+NAME="${2:-}"
+DRY_RUN=false
+for arg in "$@"; do [[ "$arg" == "--dry-run" ]] && DRY_RUN=true; done
+if [[ -z "$TYPE" || -z "$NAME" ]]; then
+  echo "Usage: scaffold.sh <type> <name> [--dry-run]"
+  echo "  type: command | check | provider | mcp-tool"
+  echo "  name: kebab-case (e.g., server-migrate)"
+  exit 1
+fi
+# Validate type
+case "$TYPE" in
+  command|check|provider|mcp-tool) ;;
+  *) err "Unknown type: $TYPE (valid: command, check, provider, mcp-tool)"; exit 1 ;;
+esac
+# Validate name (kebab-case or snake_case, lowercase)
+if [[ ! "$NAME" =~ ^[a-z][a-z0-9_-]*$ ]]; then
+  err "Invalid name: $NAME (must be lowercase kebab-case or snake_case)"
+  exit 1
+fi
+# ── Name transformations ──
+to_pascal() {
+  echo "$1" | sed 's/[-_]/ /g' | awk '{for(i=1;i<=NF;i++) $i=toupper(substr($i,1,1)) substr($i,2)}1' | tr -d ' '
+}
+to_camel() {
+  local pascal
+  pascal=$(to_pascal "$1")
+  echo "$(echo "${pascal:0:1}" | tr 'A-Z' 'a-z')${pascal:1}"
+}
+to_upper() {
+  echo "$1" | tr '[:lower:]' '[:upper:]' | tr '-' '_'
+}
+NAME_PASCAL=$(to_pascal "$NAME")
+NAME_CAMEL=$(to_camel "$NAME")
+NAME_UPPER=$(to_upper "$NAME")
+info "Scaffolding $TYPE: $NAME"
+info "  PascalCase: $NAME_PASCAL"
+info "  camelCase:  $NAME_CAMEL"
+info "  UPPER:      $NAME_UPPER"
+echo ""
+# ── Template processing ──
+process_template() {
+  local tpl_file="$1"
+  local output_file="$2"
+  if [[ ! -f "$tpl_file" ]]; then
+    err "Template not found: $tpl_file"
+    return 1
+  fi
+  if [[ -f "$output_file" ]] && [[ "$DRY_RUN" == false ]]; then
+    err "File already exists: $output_file (won't overwrite)"
+    return 1
+  fi
+  local content
+  content=$(sed \
+    -e "s/__NAME__/$NAME/g" \
+    -e "s/__NAME_PASCAL__/$NAME_PASCAL/g" \
+    -e "s/__NAME_CAMEL__/$NAME_CAMEL/g" \
+    -e "s/__NAME_UPPER__/$NAME_UPPER/g" \
+    "$tpl_file")
+  if [[ "$DRY_RUN" == true ]]; then
+    warn "[dry-run] Would create: $output_file"
+    echo "$content"
+    echo "---"
+  else
+    mkdir -p "$(dirname "$output_file")"
+    echo "$content" > "$output_file"
+    ok "Created: $output_file"
+  fi
+}
+# ── File mapping per type ──
+CREATED=0
+case "$TYPE" in
+  command)
+    process_template "$TEMPLATE_DIR/command.ts.tpl"      "$PROJECT_ROOT/src/commands/$NAME.ts"         && ((CREATED++)) || true
+    process_template "$TEMPLATE_DIR/command-core.ts.tpl"  "$PROJECT_ROOT/src/core/$NAME.ts"             && ((CREATED++)) || true
+    process_template "$TEMPLATE_DIR/command-test.ts.tpl"  "$PROJECT_ROOT/src/__tests__/core/$NAME.test.ts" && ((CREATED++)) || true
+    echo ""
+    warn "Next steps:"
+    echo "  1. Register command in src/index.ts"
+    echo "  2. Implement core logic in src/core/$NAME.ts"
+    echo "  3. Add isSafeMode() check if destructive"
+    echo "  4. Run: npm run build && npm test && npm run lint"
+    echo "  5. Update README.md command table"
+    ;;
+  check)
+    process_template "$TEMPLATE_DIR/check.ts.tpl"         "$PROJECT_ROOT/src/core/audit/checks/$NAME.ts"         && ((CREATED++)) || true
+    process_template "$TEMPLATE_DIR/check-test.ts.tpl"    "$PROJECT_ROOT/src/__tests__/core/audit/checks/$NAME.test.ts" && ((CREATED++)) || true
+    echo ""
+    warn "Next steps:"
+    echo "  1. Add SSH section in src/core/audit/commands.ts:"
+    echo "     NAMED_SEP(\"${NAME_UPPER}\") + bash commands"
+    echo "  2. Register in src/core/audit/checks/index.ts:"
+    echo "     { name: \"$NAME_PASCAL\", sectionName: \"$NAME_UPPER\", parser: parse${NAME_PASCAL}Checks }"
+    echo "  3. Add compliance mapping in src/core/audit/compliance/mapper.ts (optional)"
+    echo "  4. Run: npm run build && npm test && npm run lint"
+    echo "  5. Test: kastell audit --list-checks | grep $NAME_UPPER"
+    ;;
+  provider)
+    process_template "$TEMPLATE_DIR/provider.ts.tpl"      "$PROJECT_ROOT/src/providers/$NAME.ts"         && ((CREATED++)) || true
+    process_template "$TEMPLATE_DIR/provider-test.ts.tpl"  "$PROJECT_ROOT/src/__tests__/providers/$NAME.test.ts" && ((CREATED++)) || true
+    echo ""
+    warn "Next steps:"
+    echo "  1. Add to PROVIDER_REGISTRY in src/constants.ts:"
+    echo "     $NAME: { name: \"$NAME_PASCAL\", envKey: \"${NAME_UPPER}_TOKEN\", class: ${NAME_PASCAL}Provider }"
+    echo "  2. Implement API methods (adjust base URL)"
+    echo "  3. Add stripSensitiveData() token cleanup"
+    echo "  4. Run: npm run build && npm test && npm run lint"
+    echo "  5. Add 'Getting Your API Token' to README.md"
+    ;;
+  mcp-tool)
+    process_template "$TEMPLATE_DIR/mcp-tool.ts.tpl"      "$PROJECT_ROOT/src/mcp/tools/$NAME.ts"         && ((CREATED++)) || true
+    process_template "$TEMPLATE_DIR/mcp-tool-test.ts.tpl"  "$PROJECT_ROOT/src/__tests__/mcp/$NAME.test.ts" && ((CREATED++)) || true
+    echo ""
+    warn "Next steps:"
+    echo "  1. Register in src/mcp/server.ts:"
+    echo "     registerTool('$NAME', { schema: ${NAME_CAMEL}Schema, handler: handle${NAME_PASCAL} })"
+    echo "  2. Define Zod schema (flat object, NOT z.object() wrapper)"
+    echo "  3. Handler delegates to core/ (NOT direct SSH/provider)"
+    echo "  4. Add SAFE_MODE check if destructive"
+    echo "  5. Run: npm run build && npm test && npm run lint"
+    echo "  6. Update README.md MCP tools table"
+    ;;
+esac
+echo ""
+if [[ "$DRY_RUN" == true ]]; then
+  info "[dry-run] No files were created."
+else
+  ok "Scaffolded $CREATED file(s) for $TYPE: $NAME"
+fi

package/kastell-plugin/skills/kastell-scaffold/templates/check-test.ts.tpl ADDED Viewed

@@ -0,0 +1,27 @@
+import { parse__NAME_PASCAL__Checks } from "../../core/audit/checks/__NAME__.js";
+describe("parse__NAME_PASCAL__Checks", () => {
+  beforeEach(() => jest.resetAllMocks());
+  it("returns checks when section output is valid", () => {
+    const result = parse__NAME_PASCAL__Checks("TODO_SENTINEL present", "linux");
+    expect(result.length).toBeGreaterThan(0);
+    expect(result[0].passed).toBe(true);
+  });
+  it("returns empty array when section output is empty", () => {
+    const result = parse__NAME_PASCAL__Checks("", "linux");
+    expect(result).toEqual([]);
+  });
+  it("returns empty array when skip marker present", () => {
+    const result = parse__NAME_PASCAL__Checks("SKIP_MARKER", "linux");
+    expect(result).toEqual([]);
+  });
+  it("returns failed check when sentinel missing", () => {
+    const result = parse__NAME_PASCAL__Checks("some other output", "linux");
+    expect(result.length).toBeGreaterThan(0);
+    expect(result[0].passed).toBe(false);
+  });
+});