kastell 2.2.0 → 2.2.2

package/dist/utils/migration.js

@@ -2,8 +2,9 @@ import { existsSync, cpSync } from "fs";
 import { secureMkdirSync, secureWriteFileSync } from "./secureWrite.js";
 import { homedir } from "os";
 import { join } from "path";
-import chalk from "chalk";
 import { KASTELL_DIR } from "./paths.js";
+import { getServersRaw, atomicWriteServers } from "./config.js";
+import { logger, debugLog } from "./logger.js";
 const OLD_CONFIG_DIR = join(homedir(), ".quicklify");
 const NEW_CONFIG_DIR = KASTELL_DIR;
 const MIGRATED_FLAG = join(NEW_CONFIG_DIR, ".migrated");
@@ -14,23 +15,33 @@ const MIGRATED_FLAG = join(NEW_CONFIG_DIR, ".migrated");
  * - Otherwise copies contents and creates .migrated flag.
  */
 export function migrateConfigIfNeeded() {
-    // If new config dir already exists, skip (no overwrite risk)
-    if (existsSync(NEW_CONFIG_DIR)) {
-        return;
+    // Directory migration: ~/.quicklify → ~/.kastell
+    if (!existsSync(NEW_CONFIG_DIR) && existsSync(OLD_CONFIG_DIR)) {
+        try {
+            secureMkdirSync(NEW_CONFIG_DIR, { recursive: true });
+            cpSync(OLD_CONFIG_DIR, NEW_CONFIG_DIR, { recursive: true });
+            secureWriteFileSync(MIGRATED_FLAG, new Date().toISOString());
+            logger.warning("Migrated config from ~/.quicklify to ~/.kastell. You can safely remove ~/.quicklify.");
+        }
+        catch {
+            logger.warning("Could not migrate config from ~/.quicklify to ~/.kastell. You may need to copy files manually.");
+        }
     }
-    // If old config dir doesn't exist, skip (fresh install)
-    if (!existsSync(OLD_CONFIG_DIR)) {
+    // Mode field migration: v1.x configs may lack "mode" field
+    const SERVERS_FILE_PATH = join(KASTELL_DIR, "servers.json");
+    if (!existsSync(SERVERS_FILE_PATH))
         return;
-    }
     try {
-        secureMkdirSync(NEW_CONFIG_DIR, { recursive: true });
-        cpSync(OLD_CONFIG_DIR, NEW_CONFIG_DIR, { recursive: true });
-        secureWriteFileSync(MIGRATED_FLAG, new Date().toISOString());
-        console.warn(chalk.yellow("Migrated config from ~/.quicklify to ~/.kastell. You can safely remove ~/.quicklify."));
+        const servers = getServersRaw();
+        const needsMode = servers.some((s) => !s.mode);
+        if (needsMode) {
+            const migrated = servers.map((s) => ({ ...s, mode: s.mode || "coolify" }));
+            atomicWriteServers(migrated);
+            debugLog?.("migrated server mode fields to include platform mode");
+        }
     }
-    catch {
-        // If copy fails, log warning and continue -- don't crash the CLI
-        console.warn(chalk.yellow("Warning: Could not migrate config from ~/.quicklify to ~/.kastell. You may need to copy files manually."));
+    catch (error) {
+        debugLog?.("mode field migration failed", { cause: error });
     }
 }
 //# sourceMappingURL=migration.js.map

package/dist/utils/migration.js.map

@@ -1 +1 @@
-{"version":3,"file":"migration.js","sourceRoot":"","sources":["../../src/utils/migration.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,IAAI,CAAC;AACxC,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACxE,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEzC,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,YAAY,CAAC,CAAC;AACrD,MAAM,cAAc,GAAG,WAAW,CAAC;AACnC,MAAM,aAAa,GAAG,IAAI,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;AAExD;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB;IACnC,6DAA6D;IAC7D,IAAI,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QAC/B,OAAO;IACT,CAAC;IAED,wDAAwD;IACxD,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QAChC,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,eAAe,CAAC,cAAc,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACrD,MAAM,CAAC,cAAc,EAAE,cAAc,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5D,mBAAmB,CAAC,aAAa,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;QAC7D,OAAO,CAAC,IAAI,CACV,KAAK,CAAC,MAAM,CACV,sFAAsF,CACvF,CACF,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,iEAAiE;QACjE,OAAO,CAAC,IAAI,CACV,KAAK,CAAC,MAAM,CACV,yGAAyG,CAC1G,CACF,CAAC;IACJ,CAAC;AACH,CAAC"}
+{"version":3,"file":"migration.js","sourceRoot":"","sources":["../../src/utils/migration.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,IAAI,CAAC;AACxC,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACxE,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAE/C,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,YAAY,CAAC,CAAC;AACrD,MAAM,cAAc,GAAG,WAAW,CAAC;AACnC,MAAM,aAAa,GAAG,IAAI,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;AAExD;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB;IACnC,iDAAiD;IACjD,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,IAAI,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QAC9D,IAAI,CAAC;YACH,eAAe,CAAC,cAAc,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACrD,MAAM,CAAC,cAAc,EAAE,cAAc,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC5D,mBAAmB,CAAC,aAAa,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;YAC7D,MAAM,CAAC,OAAO,CAAC,sFAAsF,CAAC,CAAC;QACzG,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,CAAC,OAAO,CAAC,gGAAgG,CAAC,CAAC;QACnH,CAAC;IACH,CAAC;IAED,2DAA2D;IAC3D,MAAM,iBAAiB,GAAG,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;IAC5D,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC;QAAE,OAAO;IAC3C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,aAAa,EAAE,CAAC;QAChC,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAC/C,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,IAAI,SAAS,EAAE,CAAC,CAAC,CAAC;YAC3E,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YAC7B,QAAQ,EAAE,CAAC,sDAAsD,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,QAAQ,EAAE,CAAC,6BAA6B,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC"}

package/dist/utils/safeMode.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"safeMode.d.ts","sourceRoot":"","sources":["../../src/utils/safeMode.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAkB/D,wBAAgB,UAAU,IAAI,OAAO,CAwBpC;AA2BD;;;;GAIG;AACH,8CAA8C;AAC9C,wBAAgB,iBAAiB,IAAI,IAAI,CAExC;AAED,wBAAgB,gBAAgB,CAC9B,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IACR,QAAQ,CAAC,EAAE,mBAAmB,CAAC;IAC/B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,EAAE,CAAC,EAAE,MAAM,CAAC;CACb,GACA,IAAI,CAcN"}
+{"version":3,"file":"safeMode.d.ts","sourceRoot":"","sources":["../../src/utils/safeMode.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAmB/D,wBAAgB,UAAU,IAAI,OAAO,CAwBpC;AA2BD;;;;GAIG;AACH,8CAA8C;AAC9C,wBAAgB,iBAAiB,IAAI,IAAI,CAExC;AAED,wBAAgB,gBAAgB,CAC9B,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IACR,QAAQ,CAAC,EAAE,mBAAmB,CAAC;IAC/B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,EAAE,CAAC,EAAE,MAAM,CAAC;CACb,GACA,IAAI,CAcN"}

package/dist/utils/safeMode.js

@@ -4,6 +4,7 @@ import yaml from "js-yaml";
 import chalk from "chalk";
 import { logSecurityEvent } from "./securityLogger.js";
 import { KASTELL_DIR } from "./paths.js";
+import { debugLog } from "./logger.js";
 let _safeModeWarningShown = false;
 const TRUTHY = new Set(["true", "1", "yes", "on"]);
 const FALSY = new Set(["false", "0", "no", "off"]);
@@ -55,8 +56,8 @@ function getSecurityLogMaxBytes() {
             }
         }
     }
-    catch {
-        // Config read failure — use default
+    catch (error) {
+        debugLog?.("config read failed, using default safe mode", { cause: error });
     }
     _cachedMaxBytes = undefined;
     return undefined;

package/dist/utils/safeMode.js.map

@@ -1 +1 @@
-{"version":3,"file":"safeMode.js","sourceRoot":"","sources":["../../src/utils/safeMode.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,IAAI,MAAM,SAAS,CAAC;AAC3B,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAEvD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEzC,IAAI,qBAAqB,GAAG,KAAK,CAAC;AAElC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC;AACnD,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;AAEnD,SAAS,YAAY,CAAC,KAAa,EAAE,OAAe;IAClD,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IAClC,IAAI,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACnC,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,YAAY,OAAO,KAAK,KAAK,kFAAkF,CAChH,CAAC;IACF,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,UAAU;IACxB,8DAA8D;IAC9D,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC9C,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,YAAY,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IACpD,CAAC;IAED,yEAAyE;IACzE,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAClD,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC5B,IAAI,CAAC,qBAAqB,EAAE,CAAC;YAC3B,qBAAqB,GAAG,IAAI,CAAC;YAC7B,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,KAAK,CAAC,MAAM,CACV,qEAAqE,CACtE,CACF,CAAC;QACJ,CAAC;QACD,OAAO,YAAY,CAAC,SAAS,EAAE,qBAAqB,CAAC,CAAC;IACxD,CAAC;IAED,gFAAgF;IAChF,qEAAqE;IACrE,OAAO,KAAK,CAAC;AACf,CAAC;AAED,iGAAiG;AACjG,IAAI,eAAe,GAA8B,IAAI,CAAC,CAAC,sBAAsB;AAC7E,SAAS,sBAAsB;IAC7B,IAAI,eAAe,KAAK,IAAI;QAAE,OAAO,eAAe,CAAC;IACrD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,WAAW,EAAE,aAAa,CAAC,EAAE,OAAO,CAAC,CAAC;QACxE,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QAC7D,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACnE,MAAM,GAAG,GAAG,GAA8B,CAAC;YAC3C,MAAM,MAAM,GAAG,GAAG,CAAC,aAAa,CAAC,CAAC;YAClC,IAAI,MAAM,KAAK,IAAI,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC5E,MAAM,GAAG,GAAI,MAAkC,CAAC,UAAU,CAAC,CAAC;gBAC5D,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;oBAC/D,eAAe,GAAG,GAAG,CAAC;oBACtB,OAAO,GAAG,CAAC;gBACb,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,oCAAoC;IACtC,CAAC;IACD,eAAe,GAAG,SAAS,CAAC;IAC5B,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,8CAA8C;AAC9C,MAAM,UAAU,iBAAiB;IAC/B,eAAe,GAAG,IAAI,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,MAAc,EACd,OAIC;IAED,MAAM,QAAQ,GAAG,sBAAsB,EAAE,CAAC;IAC1C,gBAAgB,CACd;QACE,KAAK,EAAE,MAAM;QACb,MAAM;QACN,QAAQ,EAAE,OAAO,EAAE,QAAQ,IAAI,aAAa;QAC5C,MAAM,EAAE,OAAO,EAAE,MAAM;QACvB,EAAE,EAAE,OAAO,EAAE,EAAE;QACf,MAAM,EAAE,OAAO;QACf,MAAM,EAAE,wBAAwB;KACjC,EACD,EAAE,QAAQ,EAAE,CACb,CAAC;AACJ,CAAC"}
+{"version":3,"file":"safeMode.js","sourceRoot":"","sources":["../../src/utils/safeMode.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,IAAI,MAAM,SAAS,CAAC;AAC3B,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAEvD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEvC,IAAI,qBAAqB,GAAG,KAAK,CAAC;AAElC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC;AACnD,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;AAEnD,SAAS,YAAY,CAAC,KAAa,EAAE,OAAe;IAClD,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IAClC,IAAI,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACnC,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,YAAY,OAAO,KAAK,KAAK,kFAAkF,CAChH,CAAC;IACF,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,UAAU;IACxB,8DAA8D;IAC9D,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC9C,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,YAAY,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IACpD,CAAC;IAED,yEAAyE;IACzE,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAClD,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC5B,IAAI,CAAC,qBAAqB,EAAE,CAAC;YAC3B,qBAAqB,GAAG,IAAI,CAAC;YAC7B,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,KAAK,CAAC,MAAM,CACV,qEAAqE,CACtE,CACF,CAAC;QACJ,CAAC;QACD,OAAO,YAAY,CAAC,SAAS,EAAE,qBAAqB,CAAC,CAAC;IACxD,CAAC;IAED,gFAAgF;IAChF,qEAAqE;IACrE,OAAO,KAAK,CAAC;AACf,CAAC;AAED,iGAAiG;AACjG,IAAI,eAAe,GAA8B,IAAI,CAAC,CAAC,sBAAsB;AAC7E,SAAS,sBAAsB;IAC7B,IAAI,eAAe,KAAK,IAAI;QAAE,OAAO,eAAe,CAAC;IACrD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,WAAW,EAAE,aAAa,CAAC,EAAE,OAAO,CAAC,CAAC;QACxE,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QAC7D,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACnE,MAAM,GAAG,GAAG,GAA8B,CAAC;YAC3C,MAAM,MAAM,GAAG,GAAG,CAAC,aAAa,CAAC,CAAC;YAClC,IAAI,MAAM,KAAK,IAAI,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC5E,MAAM,GAAG,GAAI,MAAkC,CAAC,UAAU,CAAC,CAAC;gBAC5D,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;oBAC/D,eAAe,GAAG,GAAG,CAAC;oBACtB,OAAO,GAAG,CAAC;gBACb,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,QAAQ,EAAE,CAAC,6CAA6C,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9E,CAAC;IACD,eAAe,GAAG,SAAS,CAAC;IAC5B,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,8CAA8C;AAC9C,MAAM,UAAU,iBAAiB;IAC/B,eAAe,GAAG,IAAI,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,MAAc,EACd,OAIC;IAED,MAAM,QAAQ,GAAG,sBAAsB,EAAE,CAAC;IAC1C,gBAAgB,CACd;QACE,KAAK,EAAE,MAAM;QACb,MAAM;QACN,QAAQ,EAAE,OAAO,EAAE,QAAQ,IAAI,aAAa;QAC5C,MAAM,EAAE,OAAO,EAAE,MAAM;QACvB,EAAE,EAAE,OAAO,EAAE,EAAE;QACf,MAAM,EAAE,OAAO;QACf,MAAM,EAAE,wBAAwB;KACjC,EACD,EAAE,QAAQ,EAAE,CACb,CAAC;AACJ,CAAC"}

package/dist/utils/securityLogger.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"securityLogger.d.ts","sourceRoot":"","sources":["../../src/utils/securityLogger.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;AACzD,MAAM,MAAM,mBAAmB,GAAG,aAAa,GAAG,MAAM,GAAG,KAAK,GAAG,KAAK,GAAG,QAAQ,CAAC;AACpF,MAAM,MAAM,iBAAiB,GAAG,KAAK,GAAG,KAAK,CAAC;AAC9C,MAAM,MAAM,iBAAiB,GAAG,OAAO,GAAG,OAAO,GAAG,SAAS,GAAG,SAAS,CAAC;AAE1E,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,gBAAgB,CAAC;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,mBAAmB,CAAC;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,iBAAiB,CAAC;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,iBAAiB,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAeD,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,IAAI,CAAC,gBAAgB,EAAE,IAAI,GAAG,QAAQ,CAAC,EAC9C,OAAO,CAAC,EAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,GAC9B,IAAI,CAkBN;AAED,wBAAgB,YAAY,IAAI,iBAAiB,CAEhD;AAED,qBAAa,cAAc;IACzB,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;CAQtE"}
+{"version":3,"file":"securityLogger.d.ts","sourceRoot":"","sources":["../../src/utils/securityLogger.ts"],"names":[],"mappings":"AAIA,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;AACzD,MAAM,MAAM,mBAAmB,GAAG,aAAa,GAAG,MAAM,GAAG,KAAK,GAAG,KAAK,GAAG,QAAQ,CAAC;AACpF,MAAM,MAAM,iBAAiB,GAAG,KAAK,GAAG,KAAK,CAAC;AAC9C,MAAM,MAAM,iBAAiB,GAAG,OAAO,GAAG,OAAO,GAAG,SAAS,GAAG,SAAS,CAAC;AAE1E,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,gBAAgB,CAAC;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,mBAAmB,CAAC;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,iBAAiB,CAAC;IAC1B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,iBAAiB,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAgBD,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,IAAI,CAAC,gBAAgB,EAAE,IAAI,GAAG,QAAQ,CAAC,EAC9C,OAAO,CAAC,EAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,GAC9B,IAAI,CAmBN;AAED,wBAAgB,YAAY,IAAI,iBAAiB,CAEhD;AAED,qBAAa,cAAc;IACzB,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;CAStE"}

package/dist/utils/securityLogger.js

@@ -1,5 +1,6 @@
 import { appendFileSync, statSync, renameSync, mkdirSync } from "fs";
 import { KASTELL_DIR, SECURITY_LOG } from "./paths.js";
+import { debugLog } from "./logger.js";
 const DEFAULT_MAX_BYTES = 10 * 1024 * 1024; // 10MB
 function rotateIfNeeded(maxBytes) {
     try {
@@ -8,8 +9,9 @@ function rotateIfNeeded(maxBytes) {
             renameSync(SECURITY_LOG, SECURITY_LOG + ".1");
         }
     }
-    catch {
+    catch (error) {
         // File doesn't exist yet — no rotation needed
+        debugLog?.("security log rotation check failed", { cause: error });
     }
 }
 export function logSecurityEvent(entry, options) {
@@ -26,8 +28,9 @@ export function logSecurityEvent(entry, options) {
             mode: 0o600,
         });
     }
-    catch {
+    catch (error) {
         // Security log failure MUST NOT crash the main operation — silent fail
+        debugLog?.("security log write failed", { cause: error });
     }
 }
 export function detectCaller() {
@@ -39,8 +42,9 @@ export class SecurityLogger {
         try {
             console.warn(`[SECURITY] ${message}`, context ?? {});
         }
-        catch {
+        catch (error) {
             // Silent fail - security logging must never crash the main operation
+            debugLog?.("security log flush failed", { cause: error });
         }
     }
 }

package/dist/utils/securityLogger.js.map

@@ -1 +1 @@
-{"version":3,"file":"securityLogger.js","sourceRoot":"","sources":["../../src/utils/securityLogger.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAoBvD,MAAM,iBAAiB,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO;AAEnD,SAAS,cAAc,CAAC,QAAgB;IACtC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,QAAQ,CAAC,YAAY,CAAC,CAAC;QACpC,IAAI,IAAI,CAAC,IAAI,IAAI,QAAQ,EAAE,CAAC;YAC1B,UAAU,CAAC,YAAY,EAAE,YAAY,GAAG,IAAI,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,8CAA8C;IAChD,CAAC;AACH,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,KAA8C,EAC9C,OAA+B;IAE/B,IAAI,CAAC;QACH,SAAS,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5C,cAAc,CAAC,OAAO,EAAE,QAAQ,IAAI,iBAAiB,CAAC,CAAC;QAEvD,MAAM,SAAS,GAAqB;YAClC,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAC5B,MAAM,EAAE,YAAY,EAAE;YACtB,GAAG,KAAK;SACT,CAAC;QAEF,cAAc,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE;YAC7D,QAAQ,EAAE,MAAM;YAChB,IAAI,EAAE,KAAK;SACZ,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,uEAAuE;IACzE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,YAAY;IAC1B,OAAO,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC;AACjE,CAAC;AAED,MAAM,OAAO,cAAc;IACzB,MAAM,CAAC,IAAI,CAAC,OAAe,EAAE,OAAiC;QAC5D,4DAA4D;QAC5D,IAAI,CAAC;YACH,OAAO,CAAC,IAAI,CAAC,cAAc,OAAO,EAAE,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,qEAAqE;QACvE,CAAC;IACH,CAAC;CACF"}
+{"version":3,"file":"securityLogger.js","sourceRoot":"","sources":["../../src/utils/securityLogger.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAoBvC,MAAM,iBAAiB,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO;AAEnD,SAAS,cAAc,CAAC,QAAgB;IACtC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,QAAQ,CAAC,YAAY,CAAC,CAAC;QACpC,IAAI,IAAI,CAAC,IAAI,IAAI,QAAQ,EAAE,CAAC;YAC1B,UAAU,CAAC,YAAY,EAAE,YAAY,GAAG,IAAI,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,8CAA8C;QAC9C,QAAQ,EAAE,CAAC,oCAAoC,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IACrE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,KAA8C,EAC9C,OAA+B;IAE/B,IAAI,CAAC;QACH,SAAS,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5C,cAAc,CAAC,OAAO,EAAE,QAAQ,IAAI,iBAAiB,CAAC,CAAC;QAEvD,MAAM,SAAS,GAAqB;YAClC,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAC5B,MAAM,EAAE,YAAY,EAAE;YACtB,GAAG,KAAK;SACT,CAAC;QAEF,cAAc,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE;YAC7D,QAAQ,EAAE,MAAM;YAChB,IAAI,EAAE,KAAK;SACZ,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,uEAAuE;QACvE,QAAQ,EAAE,CAAC,2BAA2B,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC;AAED,MAAM,UAAU,YAAY;IAC1B,OAAO,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC;AACjE,CAAC;AAED,MAAM,OAAO,cAAc;IACzB,MAAM,CAAC,IAAI,CAAC,OAAe,EAAE,OAAiC;QAC5D,4DAA4D;QAC5D,IAAI,CAAC;YACH,OAAO,CAAC,IAAI,CAAC,cAAc,OAAO,EAAE,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qEAAqE;YACrE,QAAQ,EAAE,CAAC,2BAA2B,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;CACF"}

package/kastell-plugin/.claude-plugin/plugin.json

@@ -0,0 +1,20 @@
+{
+  "name": "kastell",
+  "version": "2.2.0",
+  "description": "Autonomous server security and infrastructure management. Provides 13 MCP tools for cloud server provisioning, security auditing (457 checks), hardening, backup, and fleet management across Hetzner, DigitalOcean, Vultr, and Linode.",
+  "author": {
+    "name": "kastelldev"
+  },
+  "homepage": "https://kastell.dev",
+  "repository": "https://github.com/kastelldev/kastell",
+  "keywords": [
+    "server",
+    "security",
+    "infrastructure",
+    "mcp",
+    "audit",
+    "hardening",
+    "vps",
+    "cloud"
+  ]
+}

package/kastell-plugin/.mcp.json

@@ -0,0 +1,8 @@
+{
+  "mcpServers": {
+    "kastell": {
+      "command": "node",
+      "args": ["${CLAUDE_PLUGIN_ROOT}/../../bin/kastell-mcp"]
+    }
+  }
+}

package/kastell-plugin/README.md

@@ -0,0 +1,113 @@
+# Kastell
+
+Autonomous server security and infrastructure management for Claude Code.
+
+## What You Get
+
+The Kastell plugin bundles 13 MCP tools, 4 skills, 1 agent, and 5 hooks that give Claude Code
+full control over your self-hosted server infrastructure. Use it to provision cloud servers,
+run 457-check security audits across 30 categories, apply 24-step hardening, manage backups,
+and operate entire fleets — all from natural language in Claude Code.
+
+Supported providers: Hetzner Cloud, DigitalOcean, Vultr, Linode.
+Supported platforms: Coolify, Dokploy.
+
+## Prerequisites
+
+- `npm install -g kastell` — the Kastell CLI must be installed globally
+- At least one cloud provider API token (Hetzner, DigitalOcean, Vultr, or Linode)
+- `kastell setup` — run once to configure your API tokens and default provider
+
+## Skills
+
+| Skill | Invocation | Purpose |
+|-------|------------|---------|
+| kastell-ops | Auto-loaded (background) | Architecture reference, patterns, anti-patterns, and decision trees for working in the Kastell codebase or managing Kastell-provisioned servers |
+| kastell-scaffold | `/kastell:scaffold` | Generate new CLI commands, MCP tools, cloud providers, and audit checks following Kastell conventions |
+| kastell-careful | `/kastell:careful` | Intercepts `kastell destroy` and `kastell restore` commands and requires explicit confirmation before proceeding |
+| kastell-research | `/kastell:research` | Read-only codebase exploration with full architecture context — for understanding behavior without making changes |
+
+**kastell-ops** loads automatically as background context whenever you work with the Kastell
+codebase or ask about server provisioning, audit, hardening, or provider management. It does
+not appear in the slash-command menu.
+
+## Agents
+
+**`/agent:kastell-auditor`** — Parallel audit analyzer that groups all 30 audit categories into
+five analysis buckets (critical config, network exposure, access control, monitoring, compliance),
+produces structured findings with severity ratings, and remembers previous audit context across
+sessions using user-scoped memory.
+
+Invoke it with: "Analyze my last audit report" or "Which findings should I fix first?"
+
+Note: `kastell-fixer` is a project-scope agent, not bundled in this plugin. It requires
+`isolation: worktree` which only works when installed at project scope (`.claude/agents/`).
+Install kastell-fixer separately inside your Kastell project directory.
+
+## Hooks
+
+| Hook | Trigger | What It Does |
+|------|---------|--------------|
+| stop-quality-check | Stop | Checks for TypeScript compilation errors, missing CHANGELOG entries, and stale README before ending the session |
+| session-log | PostToolUse (Bash) | Records Bash command outputs to `session.log` for audit trail |
+| session-audit | SessionStart | Runs `kastell audit --silent` on session start and surfaces the current security score |
+| pre-commit-audit-guard | PreToolUse (git commit) | Blocks the commit if the current audit score has dropped below the recorded baseline |
+| destroy-block | PreToolUse (Bash) | Blocks `kastell destroy` and `kastell restore` operations through Claude Code |
+
+## MCP Tools
+
+All 13 tools are available in Claude Code once the plugin is installed. The MCP server starts
+automatically via the bundled `.mcp.json` configuration.
+
+| Tool | Description |
+|------|-------------|
+| server_info | List servers, check status, health, and available sizes |
+| server_logs | Fetch logs and system metrics from servers via SSH |
+| server_manage | Add, remove, or destroy servers |
+| server_maintain | Update platform, restart, or run full maintenance |
+| server_secure | SSH hardening, firewall management, and domain configuration |
+| server_backup | Create backups and manage cloud snapshots |
+| server_provision | Provision new cloud servers on Hetzner, DigitalOcean, Vultr, or Linode |
+| server_audit | Run the full 457-check security audit across 30 categories |
+| server_evidence | Collect forensic evidence packages from servers |
+| server_guard | Manage the autonomous security monitoring daemon |
+| server_doctor | Proactive health analysis with remediation recommendations |
+| server_lock | Apply the 24-step production hardening sequence |
+| server_fleet | Fleet-wide health and security posture overview |
+
+## Quick Start
+
+```bash
+# Install kastell globally
+npm install -g kastell
+
+# Configure your cloud provider
+kastell setup
+
+# In Claude Code, the plugin auto-starts the MCP server.
+# Try natural language commands like:
+#   "Provision a new Hetzner server in Nuremberg with 2 CPUs"
+#   "Run a security audit on my server at 1.2.3.4"
+#   "Apply full hardening to my production server"
+#   "Show me all my servers"
+```
+
+After installation, the `kastell-ops` skill loads automatically in any session where you
+work with Kastell. Use `/kastell:scaffold` to generate new CLI commands or MCP tools,
+and `/agent:kastell-auditor` to get prioritized remediation guidance from audit results.
+
+## Supported Providers
+
+| Provider | Regions | Notes |
+|----------|---------|-------|
+| Hetzner Cloud | EU (FSN, NBG, HEL), US (ASH, HIL) | Default recommended provider |
+| DigitalOcean | Global (NYC, SFO, AMS, SGP, LON, FRA, TOR, BLR, SYD) | |
+| Vultr | 25+ global locations | |
+| Linode (Akamai) | 11 global locations | |
+
+## Links
+
+- Website: https://kastell.dev
+- GitHub: https://github.com/kastelldev/kastell
+- npm: https://www.npmjs.com/package/kastell
+- Docs: https://kastell.dev/docs

package/kastell-plugin/agents/kastell-auditor.md

@@ -0,0 +1,77 @@
+---
+name: kastell-auditor
+description: "Security audit analyzer for Kastell servers. Runs kastell audit, maps results across 5 security domains (perimeter, authentication, runtime, internals, compliance), tracks score trends across sessions. Use when running kastell audit, analyzing server security posture, investigating audit findings, or generating security reports."
+tools: Read, Grep, Glob, Bash
+model: inherit
+effort: high
+memory: user
+maxTurns: 25
+skills:
+  - kastell-ops
+---
+
+# Role
+
+## Live Context
+
+**Last audit score:** !`node -e "import('fs').then(f=>{try{const h=JSON.parse(f.readFileSync(process.env.HOME+'/.kastell/audit-history.json','utf8'));const last=h.sort((a,b)=>new Date(b.timestamp)-new Date(a.timestamp))[0];if(last)console.log(last.overallScore+'/100 ('+last.serverName+', '+last.timestamp.split('T')[0]+')');else console.log('No audit history yet')}catch(e){console.log('No audit history yet')}}).catch(()=>console.log('No audit history yet'))" 2>/dev/null || echo "No audit history yet"`
+
+You are a security audit analyst for Kastell-managed servers. Your purpose is to run `kastell audit`, organize findings into 5 security domains, identify critical failures and quick wins, and track score trends across sessions.
+
+# Workflow
+
+1. **Identify target server** — ask user if not provided; verify with `kastell list`
+2. **Run audit** — `kastell audit <server> --json` to get structured output
+3. **Analyze by bucket** — pipe JSON through `bash scripts/bucket_mapper.sh` for instant 5-domain mapping
+4. **Check memory** — run `bash scripts/trend_report.sh <server>` for score history; or load `audit-history.json` directly
+5. **Report** — per-bucket summary + overall score + trend (if memory available)
+
+## Scripts (Deterministic)
+
+```bash
+# Map audit JSON to 5 security buckets
+kastell audit --server <name> --json | bash scripts/bucket_mapper.sh
+
+# Show audit score trend for a server
+bash scripts/trend_report.sh <server-name>
+bash scripts/trend_report.sh --all
+```
+
+# Bucket Map
+
+| Bucket | Categories | Focus |
+|--------|-----------|-------|
+| 1 Perimeter | Network, Firewall, DNS Security | External attack surface |
+| 2 Authentication | SSH, Auth, Crypto, Accounts | Identity controls |
+| 3 Runtime | Docker, Services, Boot, Scheduling | Service exposure |
+| 4 Internals | Filesystem, Logging, Kernel, Memory | System hardening |
+| 5 Compliance | Updates, File Integrity, Malware, MAC, Secrets, Cloud Metadata, Supply Chain, Backup Hygiene, Resource Limits, Incident Readiness, Banners, Time | Hygiene and compliance |
+
+# Output Format
+
+For each bucket:
+- **Score:** X/Y checks passed
+- **Critical findings** (up to 3): `[FAIL] check-name -- one-line impact`
+- **Quick win:** one actionable fix
+
+After all buckets:
+- **Overall score:** X/100
+- **Trend** (when memory has prior data): "Last audit: Y -- Delta: +/-Z -- [N] new failures in [bucket]"
+
+# Memory
+
+Manage a single file `audit-history.json` in your agent memory directory. Store per server:
+
+```json
+{ "server": "string", "date": "string", "score": 0, "bucketScores": { "perimeter": 0, "authentication": 0, "runtime": 0, "internals": 0, "compliance": 0 }, "failedChecks": [] }
+```
+
+On each run: load prior record, compute delta, store new record. Discard entries for servers no longer in `kastell list` output.
+
+# Rules
+
+- Read-only operations only: `server_audit`, `server_doctor`, `server_fleet`
+- Never run `kastell lock`, `kastell secure`, or any write operation
+- Recommend fixes but do not apply them — suggest `/agent:kastell-fixer` for implementation
+- If multiple servers requested, analyze each sequentially
+- English output for analysis structure; follow user's language for explanatory text

package/kastell-plugin/agents/scripts/bucket_mapper.sh

@@ -0,0 +1,101 @@
+#!/usr/bin/env bash
+# bucket_mapper.sh — Map kastell audit JSON checks to 5 security buckets.
+# Usage: kastell audit --server <name> --json | bash bucket_mapper.sh
+#    OR: bash bucket_mapper.sh < audit-output.json
+#    OR: bash bucket_mapper.sh audit-output.json
+#
+# Output: Per-bucket check list with pass/fail status and severity.
+# Used by kastell-auditor agent for structured analysis.
+#
+# Requires: node
+
+set -euo pipefail
+
+if [[ -n "${1:-}" && -f "$1" ]]; then
+  INPUT=$(cat "$1")
+elif [[ ! -t 0 ]]; then
+  INPUT=$(cat)
+else
+  echo "Usage: kastell audit --server <name> --json | bash bucket_mapper.sh" >&2
+  exit 1
+fi
+
+node -e "
+const data = JSON.parse(process.argv[1]);
+const checks = data.checks || data.results || [];
+
+const BUCKETS = {
+  '1_Perimeter': {
+    match: ['network', 'firewall', 'dns'],
+    checks: []
+  },
+  '2_Authentication': {
+    match: ['ssh', 'auth', 'crypto', 'accounts'],
+    checks: []
+  },
+  '3_Runtime': {
+    match: ['docker', 'services', 'boot', 'scheduling'],
+    checks: []
+  },
+  '4_Internals': {
+    match: ['filesystem', 'logging', 'kernel', 'memory'],
+    checks: []
+  },
+  '5_Compliance': {
+    match: [], // catchall
+    checks: []
+  }
+};
+
+function getBucket(category) {
+  const cat = (category || '').toLowerCase();
+  for (const [name, bucket] of Object.entries(BUCKETS)) {
+    if (name === '5_Compliance') continue;
+    if (bucket.match.some(m => cat.includes(m))) return name;
+  }
+  return '5_Compliance';
+}
+
+// Map checks to buckets
+for (const c of checks) {
+  const bucket = getBucket(c.category);
+  BUCKETS[bucket].checks.push({
+    id: c.id || 'unknown',
+    name: c.name || '',
+    severity: c.severity || 'info',
+    passed: !!c.passed,
+    category: c.category || ''
+  });
+}
+
+// Output
+const score = data.score ?? data.overallScore ?? 'N/A';
+console.log('Score: ' + score + '/100');
+console.log('Total checks: ' + checks.length);
+console.log('');
+
+for (const [name, bucket] of Object.entries(BUCKETS)) {
+  const label = name.replace(/^[0-9]_/, '');
+  const passed = bucket.checks.filter(c => c.passed).length;
+  const total = bucket.checks.length;
+  const critFail = bucket.checks.filter(c => !c.passed && c.severity === 'critical');
+
+  console.log('--- ' + label + ' (' + passed + '/' + total + ') ---');
+
+  // Show failed checks (critical first, then warning)
+  const failed = bucket.checks
+    .filter(c => !c.passed)
+    .sort((a, b) => {
+      const sev = { critical: 0, warning: 1, info: 2 };
+      return (sev[a.severity] ?? 3) - (sev[b.severity] ?? 3);
+    });
+
+  for (const c of failed.slice(0, 5)) {
+    const icon = c.severity === 'critical' ? '!!' : c.severity === 'warning' ? '! ' : '  ';
+    console.log('  [FAIL] ' + icon + c.id + ' — ' + c.name);
+  }
+  if (failed.length > 5) console.log('  ... and ' + (failed.length - 5) + ' more');
+  if (failed.length === 0) console.log('  All checks passed');
+  console.log('');
+}
+" "$INPUT"

package/kastell-plugin/agents/scripts/trend_report.sh

@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+# trend_report.sh — Generate audit score trend from audit-history.json.
+# Usage: bash trend_report.sh [server-name]
+#    OR: bash trend_report.sh --all
+#
+# Reads ~/.kastell/audit-history.json (maintained by kastell-auditor agent).
+# Shows score over time with delta indicators.
+#
+# Requires: node
+
+set -euo pipefail
+
+HISTORY_FILE="${KASTELL_HOME:-$HOME/.kastell}/audit-history.json"
+SERVER="${1:-}"
+
+if [[ ! -f "$HISTORY_FILE" ]]; then
+  echo "No audit history found at: $HISTORY_FILE"
+  echo "Run 'kastell audit --server <name>' to generate data."
+  exit 0
+fi
+
+node -e "
+const fs = require('fs');
+const data = JSON.parse(fs.readFileSync(process.argv[1], 'utf8'));
+const server = process.argv[2] || '';
+const showAll = server === '--all';
+
+if (!Array.isArray(data) || data.length === 0) {
+  console.log('No audit history entries found.');
+  process.exit(0);
+}
+
+// Filter by server if specified
+let entries = showAll ? data : server
+  ? data.filter(e => e.serverName === server || e.server === server)
+  : data;
+
+if (entries.length === 0) {
+  console.log('No audit history for server: ' + server);
+  console.log('Available servers: ' + [...new Set(data.map(e => e.serverName || e.server))].join(', '));
+  process.exit(0);
+}
+
+// Sort by date
+entries.sort((a, b) => new Date(a.timestamp || a.date) - new Date(b.timestamp || b.date));
+
+// Group by server
+const byServer = {};
+for (const e of entries) {
+  const name = e.serverName || e.server || 'unknown';
+  if (!byServer[name]) byServer[name] = [];
+  byServer[name].push(e);
+}
+
+console.log('=== Audit Score Trend ===');
+console.log('');
+
+for (const [name, history] of Object.entries(byServer)) {
+  console.log('Server: ' + name);
+  console.log('-'.repeat(50));
+
+  let prev = null;
+  for (const e of history) {
+    const score = e.overallScore ?? e.score ?? 0;
+    const date = (e.timestamp || e.date || '').split('T')[0];
+    let delta = '';
+    if (prev !== null) {
+      const diff = score - prev;
+      delta = diff > 0 ? ' (+' + diff + ')' : diff < 0 ? ' (' + diff + ')' : ' (=)';
+    }
+
+    // Visual bar
+    const filled = Math.round(score / 5);
+    const bar = '█'.repeat(filled) + '░'.repeat(20 - filled);
+
+    console.log('  ' + date + '  ' + String(score).padStart(3) + '/100 ' + bar + delta);
+    prev = score;
+  }
+
+  // Latest bucket scores if available
+  const latest = history[history.length - 1];
+  if (latest.bucketScores) {
+    console.log('');
+    console.log('  Latest bucket breakdown:');
+    for (const [bucket, score] of Object.entries(latest.bucketScores)) {
+      console.log('    ' + bucket.padEnd(15) + ': ' + score);
+    }
+  }
+  console.log('');
+}
+" "$HISTORY_FILE" "$SERVER"

package/kastell-plugin/hooks/destroy-block.cjs

@@ -0,0 +1,31 @@
+#!/usr/bin/env node
+// PreToolUse hook: Block kastell destroy / server-delete commands (hard block)
+
+// MANDATORY stdin guard — exit silently if stdin unavailable (e.g. after /clear)
+if (!process.stdin || process.stdin.destroyed || !process.stdin.readable) {
+  process.exit(0);
+}
+
+let input = '';
+const stdinTimeout = setTimeout(() => process.exit(0), 1500);
+process.stdin.setEncoding('utf8');
+process.stdin.on('error', () => process.exit(0));
+process.stdin.on('data', chunk => { input += chunk; });
+process.stdin.on('end', () => {
+  clearTimeout(stdinTimeout);
+  try {
+    const data = JSON.parse(input);
+    const cmd = (data.tool_input && data.tool_input.command) || '';
+
+    if (/\bkastell\s+(destroy|server-delete)\b/.test(cmd)) {
+      process.stdout.write(JSON.stringify({
+        decision: 'block',
+        reason: 'Destructive kastell operation detected. Use kastell destroy with --force flag directly in terminal, not through Claude Code.',
+      }));
+      process.exit(2);
+    }
+  } catch {}
+
+  // Not destructive or parse error — allow
+  process.exit(0);
+});