kastell 2.2.3 → 2.2.5

package/dist/utils/cloudInit.js

@@ -1,63 +1,63 @@
 export function getBareCloudInit(serverName) {
     const safeName = serverName.toLowerCase().replace(/[^a-z0-9-]/g, "");
-    return `#!/bin/bash
-set +e
-touch /var/log/kastell-install.log
-chmod 600 /var/log/kastell-install.log
-exec > >(tee /var/log/kastell-install.log) 2>&1
-
-echo "=================================="
-echo "Kastell Bare Server Setup"
-echo "Server: ${safeName}"
-echo "=================================="
-
-# Wait for network connectivity
-echo "Waiting for network connectivity..."
-MAX_ATTEMPTS=30
-ATTEMPTS=0
-while [ $ATTEMPTS -lt $MAX_ATTEMPTS ]; do
-  if curl -s --max-time 5 https://apt.releases.hashicorp.com > /dev/null 2>&1 || curl -s --max-time 5 https://archive.ubuntu.com > /dev/null 2>&1; then
-    echo "Network is ready!"
-    break
-  fi
-  ATTEMPTS=$((ATTEMPTS + 1))
-  echo "Network not ready (attempt $ATTEMPTS/$MAX_ATTEMPTS)..."
-  sleep 2
-done
-
-# Update system packages
-echo "Updating system packages..."
-apt-get update -y
-DEBIAN_FRONTEND=noninteractive apt-get upgrade -y
-
-# Install hardening packages
-echo "Installing hardening packages (fail2ban, ufw, unattended-upgrades)..."
-DEBIAN_FRONTEND=noninteractive apt-get install -y fail2ban ufw unattended-upgrades
-
-# Configure UFW firewall
-echo "Configuring UFW firewall..."
-ufw allow 22/tcp
-ufw allow 80/tcp
-ufw allow 443/tcp
-echo "y" | ufw enable || true
-ufw status
-
-# Configure unattended-upgrades for automatic security updates
-echo "Configuring unattended-upgrades..."
-dpkg-reconfigure -f noninteractive unattended-upgrades
-
-# Enable and start fail2ban
-echo "Enabling fail2ban..."
-systemctl enable fail2ban || true
-systemctl start fail2ban || true
-
-echo "=================================="
-echo "Bare server setup completed!"
-echo "Server: ${safeName}"
-echo "=================================="
-echo ""
-echo "Your server is ready. Connect via SSH:"
-echo "  ssh root@YOUR_SERVER_IP"
+    return `#!/bin/bash
+set +e
+touch /var/log/kastell-install.log
+chmod 600 /var/log/kastell-install.log
+exec > >(tee /var/log/kastell-install.log) 2>&1
+
+echo "=================================="
+echo "Kastell Bare Server Setup"
+echo "Server: ${safeName}"
+echo "=================================="
+
+# Wait for network connectivity
+echo "Waiting for network connectivity..."
+MAX_ATTEMPTS=30
+ATTEMPTS=0
+while [ $ATTEMPTS -lt $MAX_ATTEMPTS ]; do
+  if curl -s --max-time 5 https://apt.releases.hashicorp.com > /dev/null 2>&1 || curl -s --max-time 5 https://archive.ubuntu.com > /dev/null 2>&1; then
+    echo "Network is ready!"
+    break
+  fi
+  ATTEMPTS=$((ATTEMPTS + 1))
+  echo "Network not ready (attempt $ATTEMPTS/$MAX_ATTEMPTS)..."
+  sleep 2
+done
+
+# Update system packages
+echo "Updating system packages..."
+apt-get update -y
+DEBIAN_FRONTEND=noninteractive apt-get upgrade -y
+
+# Install hardening packages
+echo "Installing hardening packages (fail2ban, ufw, unattended-upgrades)..."
+DEBIAN_FRONTEND=noninteractive apt-get install -y fail2ban ufw unattended-upgrades
+
+# Configure UFW firewall
+echo "Configuring UFW firewall..."
+ufw allow 22/tcp
+ufw allow 80/tcp
+ufw allow 443/tcp
+echo "y" | ufw enable || true
+ufw status
+
+# Configure unattended-upgrades for automatic security updates
+echo "Configuring unattended-upgrades..."
+dpkg-reconfigure -f noninteractive unattended-upgrades
+
+# Enable and start fail2ban
+echo "Enabling fail2ban..."
+systemctl enable fail2ban || true
+systemctl start fail2ban || true
+
+echo "=================================="
+echo "Bare server setup completed!"
+echo "Server: ${safeName}"
+echo "=================================="
+echo ""
+echo "Your server is ready. Connect via SSH:"
+echo "  ssh root@YOUR_SERVER_IP"
 `;
 }
 //# sourceMappingURL=cloudInit.js.map

package/dist/utils/version.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"version.d.ts","sourceRoot":"","sources":["../../src/utils/version.ts"],"names":[],"mappings":"AAMA,wBAAgB,iBAAiB,IAAI,MAAM,CAU1C;AAED,eAAO,MAAM,eAAe,QAAsB,CAAC;AAEnD,wBAAgB,iBAAiB,IAAI,IAAI,CAExC"}
+{"version":3,"file":"version.d.ts","sourceRoot":"","sources":["../../src/utils/version.ts"],"names":[],"mappings":"AAkBA,wBAAgB,iBAAiB,IAAI,MAAM,CAW1C;AAED,eAAO,MAAM,eAAe,QAAsB,CAAC;AAEnD,wBAAgB,iBAAiB,IAAI,IAAI,CAExC"}

package/dist/utils/version.js

@@ -1,13 +1,28 @@
-import { readFileSync } from "fs";
-import { join } from "path";
+import { readFileSync, existsSync } from "fs";
+import { join, dirname } from "path";
 import { fileURLToPath } from "url";
 let cachedVersion = null;
+function findPackageJson() {
+    let dir = fileURLToPath(new URL(".", import.meta.url));
+    for (let i = 0; i < 5; i++) {
+        const candidate = join(dir, "package.json");
+        if (existsSync(candidate))
+            return candidate;
+        const parent = dirname(dir);
+        if (parent === dir)
+            break;
+        dir = parent;
+    }
+    return null;
+}
 export function getKastellVersion() {
     if (cachedVersion !== null)
         return cachedVersion;
     try {
-        const __dirname = fileURLToPath(new URL(".", import.meta.url));
-        const pkg = JSON.parse(readFileSync(join(__dirname, "../../package.json"), "utf-8"));
+        const pkgPath = findPackageJson();
+        if (!pkgPath)
+            return "0.0.0";
+        const pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
         cachedVersion = pkg.version;
         return cachedVersion;
     }

package/dist/utils/version.js.map

@@ -1 +1 @@
-{"version":3,"file":"version.js","sourceRoot":"","sources":["../../src/utils/version.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AAEpC,IAAI,aAAa,GAAkB,IAAI,CAAC;AAExC,MAAM,UAAU,iBAAiB;IAC/B,IAAI,aAAa,KAAK,IAAI;QAAE,OAAO,aAAa,CAAC;IACjD,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,oBAAoB,CAAC,EAAE,OAAO,CAAC,CAAwB,CAAC;QAC5G,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC;QAC5B,OAAO,aAAa,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,eAAe,GAAG,iBAAiB,EAAE,CAAC;AAEnD,MAAM,UAAU,iBAAiB;IAC/B,aAAa,GAAG,IAAI,CAAC;AACvB,CAAC"}
+{"version":3,"file":"version.js","sourceRoot":"","sources":["../../src/utils/version.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAC9C,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AAEpC,IAAI,aAAa,GAAkB,IAAI,CAAC;AAExC,SAAS,eAAe;IACtB,IAAI,GAAG,GAAG,aAAa,CAAC,IAAI,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACvD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;QAC5C,IAAI,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,SAAS,CAAC;QAC5C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,MAAM,KAAK,GAAG;YAAE,MAAM;QAC1B,GAAG,GAAG,MAAM,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,IAAI,aAAa,KAAK,IAAI;QAAE,OAAO,aAAa,CAAC;IACjD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;QAClC,IAAI,CAAC,OAAO;YAAE,OAAO,OAAO,CAAC;QAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAwB,CAAC;QAC9E,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC;QAC5B,OAAO,aAAa,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,eAAe,GAAG,iBAAiB,EAAE,CAAC;AAEnD,MAAM,UAAU,iBAAiB;IAC/B,aAAa,GAAG,IAAI,CAAC;AACvB,CAAC"}

package/kastell-plugin/.claude-plugin/plugin.json

@@ -1,20 +1,20 @@
-{
-  "name": "kastell",
-  "version": "2.2.0",
-  "description": "Autonomous server security and infrastructure management. Provides 13 MCP tools for cloud server provisioning, security auditing (457 checks), hardening, backup, and fleet management across Hetzner, DigitalOcean, Vultr, and Linode.",
-  "author": {
-    "name": "kastelldev"
-  },
-  "homepage": "https://kastell.dev",
-  "repository": "https://github.com/kastelldev/kastell",
-  "keywords": [
-    "server",
-    "security",
-    "infrastructure",
-    "mcp",
-    "audit",
-    "hardening",
-    "vps",
-    "cloud"
-  ]
-}
+{
+  "name": "kastell",
+  "version": "2.2.5",
+  "description": "Autonomous server security and infrastructure management. Provides 17 MCP tools for cloud server provisioning, security auditing (457 checks), hardening, backup, and fleet management across Hetzner, DigitalOcean, Vultr, and Linode.",
+  "author": {
+    "name": "kastelldev"
+  },
+  "homepage": "https://kastell.dev",
+  "repository": "https://github.com/kastelldev/kastell",
+  "keywords": [
+    "server",
+    "security",
+    "infrastructure",
+    "mcp",
+    "audit",
+    "hardening",
+    "vps",
+    "cloud"
+  ]
+}

package/kastell-plugin/.mcp.json

@@ -1,8 +1,15 @@
-{
-  "mcpServers": {
-    "kastell": {
-      "command": "node",
-      "args": ["${CLAUDE_PLUGIN_ROOT}/../../bin/kastell-mcp"]
-    }
-  }
-}
+{
+  "mcpServers": {
+    "kastell": {
+      "command": "node",
+      "args": ["${CLAUDE_PLUGIN_ROOT}/../../dist/mcp-bundle.mjs"],
+      "env": {
+        "HETZNER_TOKEN": "${HETZNER_TOKEN}",
+        "DIGITALOCEAN_TOKEN": "${DIGITALOCEAN_TOKEN}",
+        "VULTR_TOKEN": "${VULTR_TOKEN}",
+        "LINODE_TOKEN": "${LINODE_TOKEN}",
+        "KASTELL_SAFE_MODE": "true"
+      }
+    }
+  }
+}

package/kastell-plugin/README.md

@@ -1,113 +1,113 @@
-# Kastell
-
-Autonomous server security and infrastructure management for Claude Code.
-
-## What You Get
-
-The Kastell plugin bundles 13 MCP tools, 4 skills, 1 agent, and 5 hooks that give Claude Code
-full control over your self-hosted server infrastructure. Use it to provision cloud servers,
-run 457-check security audits across 30 categories, apply 24-step hardening, manage backups,
-and operate entire fleets — all from natural language in Claude Code.
-
-Supported providers: Hetzner Cloud, DigitalOcean, Vultr, Linode.
-Supported platforms: Coolify, Dokploy.
-
-## Prerequisites
-
-- `npm install -g kastell` — the Kastell CLI must be installed globally
-- At least one cloud provider API token (Hetzner, DigitalOcean, Vultr, or Linode)
-- `kastell setup` — run once to configure your API tokens and default provider
-
-## Skills
-
-| Skill | Invocation | Purpose |
-|-------|------------|---------|
-| kastell-ops | Auto-loaded (background) | Architecture reference, patterns, anti-patterns, and decision trees for working in the Kastell codebase or managing Kastell-provisioned servers |
-| kastell-scaffold | `/kastell:scaffold` | Generate new CLI commands, MCP tools, cloud providers, and audit checks following Kastell conventions |
-| kastell-careful | `/kastell:careful` | Intercepts `kastell destroy` and `kastell restore` commands and requires explicit confirmation before proceeding |
-| kastell-research | `/kastell:research` | Read-only codebase exploration with full architecture context — for understanding behavior without making changes |
-
-**kastell-ops** loads automatically as background context whenever you work with the Kastell
-codebase or ask about server provisioning, audit, hardening, or provider management. It does
-not appear in the slash-command menu.
-
-## Agents
-
-**`/agent:kastell-auditor`** — Parallel audit analyzer that groups all 30 audit categories into
-five analysis buckets (critical config, network exposure, access control, monitoring, compliance),
-produces structured findings with severity ratings, and remembers previous audit context across
-sessions using user-scoped memory.
-
-Invoke it with: "Analyze my last audit report" or "Which findings should I fix first?"
-
-Note: `kastell-fixer` is a project-scope agent, not bundled in this plugin. It requires
-`isolation: worktree` which only works when installed at project scope (`.claude/agents/`).
-Install kastell-fixer separately inside your Kastell project directory.
-
-## Hooks
-
-| Hook | Trigger | What It Does |
-|------|---------|--------------|
-| stop-quality-check | Stop | Checks for TypeScript compilation errors, missing CHANGELOG entries, and stale README before ending the session |
-| session-log | PostToolUse (Bash) | Records Bash command outputs to `session.log` for audit trail |
-| session-audit | SessionStart | Runs `kastell audit --silent` on session start and surfaces the current security score |
-| pre-commit-audit-guard | PreToolUse (git commit) | Blocks the commit if the current audit score has dropped below the recorded baseline |
-| destroy-block | PreToolUse (Bash) | Blocks `kastell destroy` and `kastell restore` operations through Claude Code |
-
-## MCP Tools
-
-All 13 tools are available in Claude Code once the plugin is installed. The MCP server starts
-automatically via the bundled `.mcp.json` configuration.
-
-| Tool | Description |
-|------|-------------|
-| server_info | List servers, check status, health, and available sizes |
-| server_logs | Fetch logs and system metrics from servers via SSH |
-| server_manage | Add, remove, or destroy servers |
-| server_maintain | Update platform, restart, or run full maintenance |
-| server_secure | SSH hardening, firewall management, and domain configuration |
-| server_backup | Create backups and manage cloud snapshots |
-| server_provision | Provision new cloud servers on Hetzner, DigitalOcean, Vultr, or Linode |
-| server_audit | Run the full 457-check security audit across 30 categories |
-| server_evidence | Collect forensic evidence packages from servers |
-| server_guard | Manage the autonomous security monitoring daemon |
-| server_doctor | Proactive health analysis with remediation recommendations |
-| server_lock | Apply the 24-step production hardening sequence |
-| server_fleet | Fleet-wide health and security posture overview |
-
-## Quick Start
-
-```bash
-# Install kastell globally
-npm install -g kastell
-
-# Configure your cloud provider
-kastell setup
-
-# In Claude Code, the plugin auto-starts the MCP server.
-# Try natural language commands like:
-#   "Provision a new Hetzner server in Nuremberg with 2 CPUs"
-#   "Run a security audit on my server at 1.2.3.4"
-#   "Apply full hardening to my production server"
-#   "Show me all my servers"
-```
-
-After installation, the `kastell-ops` skill loads automatically in any session where you
-work with Kastell. Use `/kastell:scaffold` to generate new CLI commands or MCP tools,
-and `/agent:kastell-auditor` to get prioritized remediation guidance from audit results.
-
-## Supported Providers
-
-| Provider | Regions | Notes |
-|----------|---------|-------|
-| Hetzner Cloud | EU (FSN, NBG, HEL), US (ASH, HIL) | Default recommended provider |
-| DigitalOcean | Global (NYC, SFO, AMS, SGP, LON, FRA, TOR, BLR, SYD) | |
-| Vultr | 25+ global locations | |
-| Linode (Akamai) | 11 global locations | |
-
-## Links
-
-- Website: https://kastell.dev
-- GitHub: https://github.com/kastelldev/kastell
-- npm: https://www.npmjs.com/package/kastell
-- Docs: https://kastell.dev/docs
+# Kastell
+
+Autonomous server security and infrastructure management for Claude Code.
+
+## What You Get
+
+The Kastell plugin bundles 13 MCP tools, 4 skills, 1 agent, and 5 hooks that give Claude Code
+full control over your self-hosted server infrastructure. Use it to provision cloud servers,
+run 457-check security audits across 30 categories, apply 24-step hardening, manage backups,
+and operate entire fleets — all from natural language in Claude Code.
+
+Supported providers: Hetzner Cloud, DigitalOcean, Vultr, Linode.
+Supported platforms: Coolify, Dokploy.
+
+## Prerequisites
+
+- `npm install -g kastell` — the Kastell CLI must be installed globally
+- At least one cloud provider API token (Hetzner, DigitalOcean, Vultr, or Linode)
+- `kastell setup` — run once to configure your API tokens and default provider
+
+## Skills
+
+| Skill | Invocation | Purpose |
+|-------|------------|---------|
+| kastell-ops | Auto-loaded (background) | Architecture reference, patterns, anti-patterns, and decision trees for working in the Kastell codebase or managing Kastell-provisioned servers |
+| kastell-scaffold | `/kastell:scaffold` | Generate new CLI commands, MCP tools, cloud providers, and audit checks following Kastell conventions |
+| kastell-careful | `/kastell:careful` | Intercepts `kastell destroy` and `kastell restore` commands and requires explicit confirmation before proceeding |
+| kastell-research | `/kastell:research` | Read-only codebase exploration with full architecture context — for understanding behavior without making changes |
+
+**kastell-ops** loads automatically as background context whenever you work with the Kastell
+codebase or ask about server provisioning, audit, hardening, or provider management. It does
+not appear in the slash-command menu.
+
+## Agents
+
+**`/agent:kastell-auditor`** — Parallel audit analyzer that groups all 30 audit categories into
+five analysis buckets (critical config, network exposure, access control, monitoring, compliance),
+produces structured findings with severity ratings, and remembers previous audit context across
+sessions using user-scoped memory.
+
+Invoke it with: "Analyze my last audit report" or "Which findings should I fix first?"
+
+Note: `kastell-fixer` is a project-scope agent, not bundled in this plugin. It requires
+`isolation: worktree` which only works when installed at project scope (`.claude/agents/`).
+Install kastell-fixer separately inside your Kastell project directory.
+
+## Hooks
+
+| Hook | Trigger | What It Does |
+|------|---------|--------------|
+| stop-quality-check | Stop | Checks for TypeScript compilation errors, missing CHANGELOG entries, and stale README before ending the session |
+| session-log | PostToolUse (Bash) | Records Bash command outputs to `session.log` for audit trail |
+| session-audit | SessionStart | Runs `kastell audit --silent` on session start and surfaces the current security score |
+| pre-commit-audit-guard | PreToolUse (git commit) | Blocks the commit if the current audit score has dropped below the recorded baseline |
+| destroy-block | PreToolUse (Bash) | Blocks `kastell destroy` and `kastell restore` operations through Claude Code |
+
+## MCP Tools
+
+All 13 tools are available in Claude Code once the plugin is installed. The MCP server starts
+automatically via the bundled `.mcp.json` configuration.
+
+| Tool | Description |
+|------|-------------|
+| server_info | List servers, check status, health, and available sizes |
+| server_logs | Fetch logs and system metrics from servers via SSH |
+| server_manage | Add, remove, or destroy servers |
+| server_maintain | Update platform, restart, or run full maintenance |
+| server_secure | SSH hardening, firewall management, and domain configuration |
+| server_backup | Create backups and manage cloud snapshots |
+| server_provision | Provision new cloud servers on Hetzner, DigitalOcean, Vultr, or Linode |
+| server_audit | Run the full 457-check security audit across 30 categories |
+| server_evidence | Collect forensic evidence packages from servers |
+| server_guard | Manage the autonomous security monitoring daemon |
+| server_doctor | Proactive health analysis with remediation recommendations |
+| server_lock | Apply the 24-step production hardening sequence |
+| server_fleet | Fleet-wide health and security posture overview |
+
+## Quick Start
+
+```bash
+# Install kastell globally
+npm install -g kastell
+
+# Configure your cloud provider
+kastell setup
+
+# In Claude Code, the plugin auto-starts the MCP server.
+# Try natural language commands like:
+#   "Provision a new Hetzner server in Nuremberg with 2 CPUs"
+#   "Run a security audit on my server at 1.2.3.4"
+#   "Apply full hardening to my production server"
+#   "Show me all my servers"
+```
+
+After installation, the `kastell-ops` skill loads automatically in any session where you
+work with Kastell. Use `/kastell:scaffold` to generate new CLI commands or MCP tools,
+and `/agent:kastell-auditor` to get prioritized remediation guidance from audit results.
+
+## Supported Providers
+
+| Provider | Regions | Notes |
+|----------|---------|-------|
+| Hetzner Cloud | EU (FSN, NBG, HEL), US (ASH, HIL) | Default recommended provider |
+| DigitalOcean | Global (NYC, SFO, AMS, SGP, LON, FRA, TOR, BLR, SYD) | |
+| Vultr | 25+ global locations | |
+| Linode (Akamai) | 11 global locations | |
+
+## Links
+
+- Website: https://kastell.dev
+- GitHub: https://github.com/kastelldev/kastell
+- npm: https://www.npmjs.com/package/kastell
+- Docs: https://kastell.dev/docs

package/kastell-plugin/agents/kastell-auditor.md

@@ -1,77 +1,77 @@
----
-name: kastell-auditor
-description: "Security audit analyzer for Kastell servers. Runs kastell audit, maps results across 5 security domains (perimeter, authentication, runtime, internals, compliance), tracks score trends across sessions. Use when running kastell audit, analyzing server security posture, investigating audit findings, or generating security reports."
-tools: Read, Grep, Glob, Bash
-model: inherit
-effort: high
-memory: user
-maxTurns: 25
-skills:
-  - kastell-ops
----
-
-# Role
-
-## Live Context
-
-**Last audit score:** !`node -e "import('fs').then(f=>{try{const h=JSON.parse(f.readFileSync(process.env.HOME+'/.kastell/audit-history.json','utf8'));const last=h.sort((a,b)=>new Date(b.timestamp)-new Date(a.timestamp))[0];if(last)console.log(last.overallScore+'/100 ('+last.serverName+', '+last.timestamp.split('T')[0]+')');else console.log('No audit history yet')}catch(e){console.log('No audit history yet')}}).catch(()=>console.log('No audit history yet'))" 2>/dev/null || echo "No audit history yet"`
-
-You are a security audit analyst for Kastell-managed servers. Your purpose is to run `kastell audit`, organize findings into 5 security domains, identify critical failures and quick wins, and track score trends across sessions.
-
-# Workflow
-
-1. **Identify target server** — ask user if not provided; verify with `kastell list`
-2. **Run audit** — `kastell audit <server> --json` to get structured output
-3. **Analyze by bucket** — pipe JSON through `bash scripts/bucket_mapper.sh` for instant 5-domain mapping
-4. **Check memory** — run `bash scripts/trend_report.sh <server>` for score history; or load `audit-history.json` directly
-5. **Report** — per-bucket summary + overall score + trend (if memory available)
-
-## Scripts (Deterministic)
-
-```bash
-# Map audit JSON to 5 security buckets
-kastell audit --server <name> --json | bash scripts/bucket_mapper.sh
-
-# Show audit score trend for a server
-bash scripts/trend_report.sh <server-name>
-bash scripts/trend_report.sh --all
-```
-
-# Bucket Map
-
-| Bucket | Categories | Focus |
-|--------|-----------|-------|
-| 1 Perimeter | Network, Firewall, DNS Security | External attack surface |
-| 2 Authentication | SSH, Auth, Crypto, Accounts | Identity controls |
-| 3 Runtime | Docker, Services, Boot, Scheduling | Service exposure |
-| 4 Internals | Filesystem, Logging, Kernel, Memory | System hardening |
-| 5 Compliance | Updates, File Integrity, Malware, MAC, Secrets, Cloud Metadata, Supply Chain, Backup Hygiene, Resource Limits, Incident Readiness, Banners, Time | Hygiene and compliance |
-
-# Output Format
-
-For each bucket:
-- **Score:** X/Y checks passed
-- **Critical findings** (up to 3): `[FAIL] check-name -- one-line impact`
-- **Quick win:** one actionable fix
-
-After all buckets:
-- **Overall score:** X/100
-- **Trend** (when memory has prior data): "Last audit: Y -- Delta: +/-Z -- [N] new failures in [bucket]"
-
-# Memory
-
-Manage a single file `audit-history.json` in your agent memory directory. Store per server:
-
-```json
-{ "server": "string", "date": "string", "score": 0, "bucketScores": { "perimeter": 0, "authentication": 0, "runtime": 0, "internals": 0, "compliance": 0 }, "failedChecks": [] }
-```
-
-On each run: load prior record, compute delta, store new record. Discard entries for servers no longer in `kastell list` output.
-
-# Rules
-
-- Read-only operations only: `server_audit`, `server_doctor`, `server_fleet`
-- Never run `kastell lock`, `kastell secure`, or any write operation
-- Recommend fixes but do not apply them — suggest `/agent:kastell-fixer` for implementation
-- If multiple servers requested, analyze each sequentially
-- English output for analysis structure; follow user's language for explanatory text
+---
+name: kastell-auditor
+description: "Security audit analyzer for Kastell servers. Runs kastell audit, maps results across 5 security domains (perimeter, authentication, runtime, internals, compliance), tracks score trends across sessions. Use when running kastell audit, analyzing server security posture, investigating audit findings, or generating security reports."
+tools: Read, Grep, Glob, Bash
+model: inherit
+effort: high
+memory: user
+maxTurns: 25
+skills:
+  - kastell-ops
+---
+
+# Role
+
+## Live Context
+
+**Last audit score:** !`node -e "import('fs').then(f=>{try{const h=JSON.parse(f.readFileSync(process.env.HOME+'/.kastell/audit-history.json','utf8'));const last=h.sort((a,b)=>new Date(b.timestamp)-new Date(a.timestamp))[0];if(last)console.log(last.overallScore+'/100 ('+last.serverName+', '+last.timestamp.split('T')[0]+')');else console.log('No audit history yet')}catch(e){console.log('No audit history yet')}}).catch(()=>console.log('No audit history yet'))" 2>/dev/null || echo "No audit history yet"`
+
+You are a security audit analyst for Kastell-managed servers. Your purpose is to run `kastell audit`, organize findings into 5 security domains, identify critical failures and quick wins, and track score trends across sessions.
+
+# Workflow
+
+1. **Identify target server** — ask user if not provided; verify with `kastell list`
+2. **Run audit** — `kastell audit <server> --json` to get structured output
+3. **Analyze by bucket** — pipe JSON through `bash scripts/bucket_mapper.sh` for instant 5-domain mapping
+4. **Check memory** — run `bash scripts/trend_report.sh <server>` for score history; or load `audit-history.json` directly
+5. **Report** — per-bucket summary + overall score + trend (if memory available)
+
+## Scripts (Deterministic)
+
+```bash
+# Map audit JSON to 5 security buckets
+kastell audit --server <name> --json | bash scripts/bucket_mapper.sh
+
+# Show audit score trend for a server
+bash scripts/trend_report.sh <server-name>
+bash scripts/trend_report.sh --all
+```
+
+# Bucket Map
+
+| Bucket | Categories | Focus |
+|--------|-----------|-------|
+| 1 Perimeter | Network, Firewall, DNS Security | External attack surface |
+| 2 Authentication | SSH, Auth, Crypto, Accounts | Identity controls |
+| 3 Runtime | Docker, Services, Boot, Scheduling | Service exposure |
+| 4 Internals | Filesystem, Logging, Kernel, Memory | System hardening |
+| 5 Compliance | Updates, File Integrity, Malware, MAC, Secrets, Cloud Metadata, Supply Chain, Backup Hygiene, Resource Limits, Incident Readiness, Banners, Time | Hygiene and compliance |
+
+# Output Format
+
+For each bucket:
+- **Score:** X/Y checks passed
+- **Critical findings** (up to 3): `[FAIL] check-name -- one-line impact`
+- **Quick win:** one actionable fix
+
+After all buckets:
+- **Overall score:** X/100
+- **Trend** (when memory has prior data): "Last audit: Y -- Delta: +/-Z -- [N] new failures in [bucket]"
+
+# Memory
+
+Manage a single file `audit-history.json` in your agent memory directory. Store per server:
+
+```json
+{ "server": "string", "date": "string", "score": 0, "bucketScores": { "perimeter": 0, "authentication": 0, "runtime": 0, "internals": 0, "compliance": 0 }, "failedChecks": [] }
+```
+
+On each run: load prior record, compute delta, store new record. Discard entries for servers no longer in `kastell list` output.
+
+# Rules
+
+- Read-only operations only: `server_audit`, `server_doctor`, `server_fleet`
+- Never run `kastell lock`, `kastell secure`, or any write operation
+- Recommend fixes but do not apply them — suggest `/agent:kastell-fixer` for implementation
+- If multiple servers requested, analyze each sequentially
+- English output for analysis structure; follow user's language for explanatory text