kastell 2.2.4 → 2.2.5

package/kastell-plugin/skills/kastell-ops/scripts/check_coverage.sh

@@ -1,101 +1,101 @@
-#!/usr/bin/env bash
-# check_coverage.sh — Compare audit check count vs test count.
-# Usage: bash check_coverage.sh [project-root]
-#
-# Counts audit checks defined in src/core/audit/checks/ and matching tests.
-# Requires: node
-
-set -euo pipefail
-
-PROJECT_ROOT="${1:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}"
-
-node -e "
-const fs = require('fs');
-const path = require('path');
-
-const root = process.argv[1];
-const checksDir = path.join(root, 'src', 'core', 'audit', 'checks');
-
-if (!fs.existsSync(checksDir)) {
-  console.error('Error: ' + checksDir + ' not found');
-  process.exit(1);
-}
-
-// Read all .ts files in checks dir (excluding index.ts)
-const checkFiles = fs.readdirSync(checksDir)
-  .filter(f => f.endsWith('.ts') && f !== 'index.ts');
-
-let totalChecks = 0;
-const uniqueIds = new Set();
-const perFile = [];
-
-for (const file of checkFiles) {
-  const content = fs.readFileSync(path.join(checksDir, file), 'utf8');
-  const ids = [...content.matchAll(/id:\s*['\"]([^'\"]+)['\"]/g)].map(m => m[1]);
-  totalChecks += ids.length;
-  ids.forEach(id => uniqueIds.add(id));
-  perFile.push({ name: file.replace('.ts', ''), checks: ids.length });
-}
-
-// Count categories from index.ts
-let categories = 0;
-const indexPath = path.join(checksDir, 'index.ts');
-if (fs.existsSync(indexPath)) {
-  const indexContent = fs.readFileSync(indexPath, 'utf8');
-  categories = (indexContent.match(/sectionName/g) || []).length;
-}
-
-// Find audit test files recursively
-function findTests(dir) {
-  let count = 0;
-  if (!fs.existsSync(dir)) return 0;
-  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
-    const full = path.join(dir, entry.name);
-    if (entry.isDirectory()) count += findTests(full);
-    else if (entry.name.endsWith('.test.ts') && entry.name.includes('audit') ||
-             full.includes('audit') && entry.name.endsWith('.test.ts')) {
-      count++;
-    }
-  }
-  return count;
-}
-const testCount = findTests(path.join(root, 'src'));
-
-// Pre-index all test file contents once (avoids N+1 file reads)
-const testIndex = new Set();
-function indexTests(dir) {
-  try {
-    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
-      const full = path.join(dir, entry.name);
-      if (entry.isDirectory()) indexTests(full);
-      else if (entry.name.endsWith('.test.ts')) {
-        const content = fs.readFileSync(full, 'utf8');
-        // Extract referenced module names from imports and test descriptions
-        for (const match of content.matchAll(/['\"]([^'\"]*audit[^'\"]*)['\"]|from\s+['\"]([^'\"]+)['\"]/g)) {
-          const ref = match[1] || match[2] || '';
-          ref.split('/').forEach(part => testIndex.add(part.replace('.js', '').replace('.ts', '')));
-        }
-      }
-    }
-  } catch {}
-}
-indexTests(path.join(root, 'src'));
-function hasTestFor(name) { return testIndex.has(name); }
-
-console.log('=== Audit Check Coverage ===');
-console.log('Project: ' + root);
-console.log('');
-console.log('Check source files: ' + checkFiles.length);
-console.log('Categories:         ' + categories);
-console.log('Checks defined:     ' + totalChecks);
-console.log('Unique check IDs:   ' + uniqueIds.size);
-console.log('Audit test files:   ' + testCount);
-console.log('');
-console.log('Per-file breakdown:');
-
-perFile.sort((a, b) => a.name.localeCompare(b.name));
-for (const f of perFile) {
-  const tested = hasTestFor(f.name) ? '✓' : '✗';
-  console.log('  ' + tested + ' ' + f.name.padEnd(20) + ' ' + String(f.checks).padStart(3) + ' checks');
-}
-" "$PROJECT_ROOT"
+#!/usr/bin/env bash
+# check_coverage.sh — Compare audit check count vs test count.
+# Usage: bash check_coverage.sh [project-root]
+#
+# Counts audit checks defined in src/core/audit/checks/ and matching tests.
+# Requires: node
+
+set -euo pipefail
+
+PROJECT_ROOT="${1:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}"
+
+node -e "
+const fs = require('fs');
+const path = require('path');
+
+const root = process.argv[1];
+const checksDir = path.join(root, 'src', 'core', 'audit', 'checks');
+
+if (!fs.existsSync(checksDir)) {
+  console.error('Error: ' + checksDir + ' not found');
+  process.exit(1);
+}
+
+// Read all .ts files in checks dir (excluding index.ts)
+const checkFiles = fs.readdirSync(checksDir)
+  .filter(f => f.endsWith('.ts') && f !== 'index.ts');
+
+let totalChecks = 0;
+const uniqueIds = new Set();
+const perFile = [];
+
+for (const file of checkFiles) {
+  const content = fs.readFileSync(path.join(checksDir, file), 'utf8');
+  const ids = [...content.matchAll(/id:\s*['\"]([^'\"]+)['\"]/g)].map(m => m[1]);
+  totalChecks += ids.length;
+  ids.forEach(id => uniqueIds.add(id));
+  perFile.push({ name: file.replace('.ts', ''), checks: ids.length });
+}
+
+// Count categories from index.ts
+let categories = 0;
+const indexPath = path.join(checksDir, 'index.ts');
+if (fs.existsSync(indexPath)) {
+  const indexContent = fs.readFileSync(indexPath, 'utf8');
+  categories = (indexContent.match(/sectionName/g) || []).length;
+}
+
+// Find audit test files recursively
+function findTests(dir) {
+  let count = 0;
+  if (!fs.existsSync(dir)) return 0;
+  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) count += findTests(full);
+    else if (entry.name.endsWith('.test.ts') && entry.name.includes('audit') ||
+             full.includes('audit') && entry.name.endsWith('.test.ts')) {
+      count++;
+    }
+  }
+  return count;
+}
+const testCount = findTests(path.join(root, 'src'));
+
+// Pre-index all test file contents once (avoids N+1 file reads)
+const testIndex = new Set();
+function indexTests(dir) {
+  try {
+    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) indexTests(full);
+      else if (entry.name.endsWith('.test.ts')) {
+        const content = fs.readFileSync(full, 'utf8');
+        // Extract referenced module names from imports and test descriptions
+        for (const match of content.matchAll(/['\"]([^'\"]*audit[^'\"]*)['\"]|from\s+['\"]([^'\"]+)['\"]/g)) {
+          const ref = match[1] || match[2] || '';
+          ref.split('/').forEach(part => testIndex.add(part.replace('.js', '').replace('.ts', '')));
+        }
+      }
+    }
+  } catch {}
+}
+indexTests(path.join(root, 'src'));
+function hasTestFor(name) { return testIndex.has(name); }
+
+console.log('=== Audit Check Coverage ===');
+console.log('Project: ' + root);
+console.log('');
+console.log('Check source files: ' + checkFiles.length);
+console.log('Categories:         ' + categories);
+console.log('Checks defined:     ' + totalChecks);
+console.log('Unique check IDs:   ' + uniqueIds.size);
+console.log('Audit test files:   ' + testCount);
+console.log('');
+console.log('Per-file breakdown:');
+
+perFile.sort((a, b) => a.name.localeCompare(b.name));
+for (const f of perFile) {
+  const tested = hasTestFor(f.name) ? '✓' : '✗';
+  console.log('  ' + tested + ' ' + f.name.padEnd(20) + ' ' + String(f.checks).padStart(3) + ' checks');
+}
+" "$PROJECT_ROOT"

package/kastell-plugin/skills/kastell-ops/scripts/fleet_report.sh

@@ -1,73 +1,73 @@
-#!/usr/bin/env bash
-# fleet_report.sh — Generate a fleet-wide server score table.
-# Usage: kastell fleet --json | bash fleet_report.sh
-#    OR: bash fleet_report.sh < fleet-output.json
-#    OR: bash fleet_report.sh fleet-output.json
-#
-# Requires: node
-
-set -euo pipefail
-
-if [[ -n "${1:-}" && -f "$1" ]]; then
-  INPUT=$(cat "$1")
-elif [[ ! -t 0 ]]; then
-  INPUT=$(cat)
-else
-  echo "Usage: kastell fleet --json | bash fleet_report.sh" >&2
-  exit 1
-fi
-
-node -e "
-const data = JSON.parse(process.argv[1]);
-const servers = data.servers || data.fleet || data || [];
-
-if (!Array.isArray(servers) || servers.length === 0) {
-  console.log('No servers found in fleet data.');
-  process.exit(0);
-}
-
-// Header
-const cols = { name: 20, ip: 16, provider: 12, mode: 8, score: 6, health: 10 };
-const pad = (s, n) => String(s || '-').slice(0, n).padEnd(n);
-const sep = '-'.repeat(Object.values(cols).reduce((a, b) => a + b + 3, 0));
-
-console.log('=== Kastell Fleet Report ===');
-console.log('Servers: ' + servers.length);
-console.log('');
-console.log(
-  pad('Name', cols.name) + ' | ' +
-  pad('IP', cols.ip) + ' | ' +
-  pad('Provider', cols.provider) + ' | ' +
-  pad('Mode', cols.mode) + ' | ' +
-  pad('Score', cols.score) + ' | ' +
-  pad('Health', cols.health)
-);
-console.log(sep);
-
-// Sort by score (lowest first = needs attention)
-const sorted = [...servers].sort((a, b) => (a.score ?? 0) - (b.score ?? 0));
-
-for (const s of sorted) {
-  const score = s.score ?? s.auditScore ?? '-';
-  const health = s.health ?? s.status ?? '-';
-  const icon = health === 'ONLINE' ? '●' : health === 'DEGRADED' ? '◐' : '○';
-  console.log(
-    pad(s.name, cols.name) + ' | ' +
-    pad(s.ip, cols.ip) + ' | ' +
-    pad(s.provider, cols.provider) + ' | ' +
-    pad(s.mode, cols.mode) + ' | ' +
-    pad(score, cols.score) + ' | ' +
-    icon + ' ' + pad(health, cols.health - 2)
-  );
-}
-
-// Summary
-const scores = sorted.map(s => s.score ?? s.auditScore).filter(s => typeof s === 'number');
-if (scores.length > 0) {
-  const avg = Math.round(scores.reduce((a, b) => a + b, 0) / scores.length);
-  const min = Math.min(...scores);
-  const max = Math.max(...scores);
-  console.log('');
-  console.log('Avg: ' + avg + ' | Min: ' + min + ' | Max: ' + max);
-}
-" "$INPUT"
+#!/usr/bin/env bash
+# fleet_report.sh — Generate a fleet-wide server score table.
+# Usage: kastell fleet --json | bash fleet_report.sh
+#    OR: bash fleet_report.sh < fleet-output.json
+#    OR: bash fleet_report.sh fleet-output.json
+#
+# Requires: node
+
+set -euo pipefail
+
+if [[ -n "${1:-}" && -f "$1" ]]; then
+  INPUT=$(cat "$1")
+elif [[ ! -t 0 ]]; then
+  INPUT=$(cat)
+else
+  echo "Usage: kastell fleet --json | bash fleet_report.sh" >&2
+  exit 1
+fi
+
+node -e "
+const data = JSON.parse(process.argv[1]);
+const servers = data.servers || data.fleet || data || [];
+
+if (!Array.isArray(servers) || servers.length === 0) {
+  console.log('No servers found in fleet data.');
+  process.exit(0);
+}
+
+// Header
+const cols = { name: 20, ip: 16, provider: 12, mode: 8, score: 6, health: 10 };
+const pad = (s, n) => String(s || '-').slice(0, n).padEnd(n);
+const sep = '-'.repeat(Object.values(cols).reduce((a, b) => a + b + 3, 0));
+
+console.log('=== Kastell Fleet Report ===');
+console.log('Servers: ' + servers.length);
+console.log('');
+console.log(
+  pad('Name', cols.name) + ' | ' +
+  pad('IP', cols.ip) + ' | ' +
+  pad('Provider', cols.provider) + ' | ' +
+  pad('Mode', cols.mode) + ' | ' +
+  pad('Score', cols.score) + ' | ' +
+  pad('Health', cols.health)
+);
+console.log(sep);
+
+// Sort by score (lowest first = needs attention)
+const sorted = [...servers].sort((a, b) => (a.score ?? 0) - (b.score ?? 0));
+
+for (const s of sorted) {
+  const score = s.score ?? s.auditScore ?? '-';
+  const health = s.health ?? s.status ?? '-';
+  const icon = health === 'ONLINE' ? '●' : health === 'DEGRADED' ? '◐' : '○';
+  console.log(
+    pad(s.name, cols.name) + ' | ' +
+    pad(s.ip, cols.ip) + ' | ' +
+    pad(s.provider, cols.provider) + ' | ' +
+    pad(s.mode, cols.mode) + ' | ' +
+    pad(score, cols.score) + ' | ' +
+    icon + ' ' + pad(health, cols.health - 2)
+  );
+}
+
+// Summary
+const scores = sorted.map(s => s.score ?? s.auditScore).filter(s => typeof s === 'number');
+if (scores.length > 0) {
+  const avg = Math.round(scores.reduce((a, b) => a + b, 0) / scores.length);
+  const min = Math.min(...scores);
+  const max = Math.max(...scores);
+  console.log('');
+  console.log('Avg: ' + avg + ' | Min: ' + min + ' | Max: ' + max);
+}
+" "$INPUT"

package/kastell-plugin/skills/kastell-ops/scripts/parse_audit.sh

@@ -1,76 +1,76 @@
-#!/usr/bin/env bash
-# parse_audit.sh — Parse kastell audit JSON into 5 security domain summaries.
-# Usage: kastell audit --server <name> --json | bash parse_audit.sh
-#    OR: bash parse_audit.sh < audit-output.json
-#    OR: bash parse_audit.sh audit-output.json
-#
-# Requires: node (uses inline JS for JSON parsing — no jq dependency)
-
-set -euo pipefail
-
-# Read JSON from file arg, stdin, or pipe
-if [[ -n "${1:-}" && -f "$1" ]]; then
-  INPUT=$(cat "$1")
-elif [[ ! -t 0 ]]; then
-  INPUT=$(cat)
-else
-  echo "Usage: kastell audit --server <name> --json | bash parse_audit.sh" >&2
-  echo "   OR: bash parse_audit.sh <audit-json-file>" >&2
-  exit 1
-fi
-
-node -e "
-const data = JSON.parse(process.argv[1]);
-const checks = data.checks || data.results || [];
-
-// 5 security domain mapping
-const DOMAINS = {
-  'Perimeter':       ['Network', 'Firewall', 'DNS Security'],
-  'Authentication':  ['SSH', 'Auth', 'Crypto', 'Accounts'],
-  'Runtime':         ['Docker', 'Services', 'Boot', 'Scheduling'],
-  'Internals':       ['Filesystem', 'Logging', 'Kernel', 'Memory'],
-  'Compliance':      ['Updates', 'File Integrity', 'Malware', 'MAC', 'Secrets',
-                      'Cloud Metadata', 'Supply Chain', 'Backup Hygiene',
-                      'Resource Limits', 'Incident Readiness', 'Banners', 'Time',
-                      'TLS', 'HTTP Security Headers'],
-};
-
-// Map categories to domains
-const catToDomain = {};
-for (const [domain, cats] of Object.entries(DOMAINS)) {
-  for (const cat of cats) catToDomain[cat.toLowerCase()] = domain;
-}
-
-// Bucket checks
-const buckets = {};
-for (const d of Object.keys(DOMAINS)) buckets[d] = { passed: 0, failed: 0, critical: [] };
-
-for (const c of checks) {
-  const cat = (c.category || '').toLowerCase();
-  let domain = 'Compliance'; // default
-  for (const [key, val] of Object.entries(catToDomain)) {
-    if (cat.includes(key)) { domain = val; break; }
-  }
-  if (c.passed) buckets[domain].passed++;
-  else {
-    buckets[domain].failed++;
-    if (c.severity === 'critical') buckets[domain].critical.push(c.id || c.name);
-  }
-}
-
-// Output
-const score = data.score ?? data.overallScore ?? 'N/A';
-console.log('=== Kastell Audit Domain Summary ===');
-console.log('Overall Score: ' + score + '/100');
-console.log('');
-
-for (const [domain, b] of Object.entries(buckets)) {
-  const total = b.passed + b.failed;
-  const pct = total > 0 ? Math.round(b.passed / total * 100) : 0;
-  const bar = '█'.repeat(Math.round(pct / 5)) + '░'.repeat(20 - Math.round(pct / 5));
-  console.log(domain + ': ' + b.passed + '/' + total + ' (' + pct + '%) ' + bar);
-  if (b.critical.length > 0) {
-    console.log('  Critical: ' + b.critical.slice(0, 3).join(', '));
-  }
-}
-" "$INPUT"
+#!/usr/bin/env bash
+# parse_audit.sh — Parse kastell audit JSON into 5 security domain summaries.
+# Usage: kastell audit --server <name> --json | bash parse_audit.sh
+#    OR: bash parse_audit.sh < audit-output.json
+#    OR: bash parse_audit.sh audit-output.json
+#
+# Requires: node (uses inline JS for JSON parsing — no jq dependency)
+
+set -euo pipefail
+
+# Read JSON from file arg, stdin, or pipe
+if [[ -n "${1:-}" && -f "$1" ]]; then
+  INPUT=$(cat "$1")
+elif [[ ! -t 0 ]]; then
+  INPUT=$(cat)
+else
+  echo "Usage: kastell audit --server <name> --json | bash parse_audit.sh" >&2
+  echo "   OR: bash parse_audit.sh <audit-json-file>" >&2
+  exit 1
+fi
+
+node -e "
+const data = JSON.parse(process.argv[1]);
+const checks = data.checks || data.results || [];
+
+// 5 security domain mapping
+const DOMAINS = {
+  'Perimeter':       ['Network', 'Firewall', 'DNS Security'],
+  'Authentication':  ['SSH', 'Auth', 'Crypto', 'Accounts'],
+  'Runtime':         ['Docker', 'Services', 'Boot', 'Scheduling'],
+  'Internals':       ['Filesystem', 'Logging', 'Kernel', 'Memory'],
+  'Compliance':      ['Updates', 'File Integrity', 'Malware', 'MAC', 'Secrets',
+                      'Cloud Metadata', 'Supply Chain', 'Backup Hygiene',
+                      'Resource Limits', 'Incident Readiness', 'Banners', 'Time',
+                      'TLS', 'HTTP Security Headers'],
+};
+
+// Map categories to domains
+const catToDomain = {};
+for (const [domain, cats] of Object.entries(DOMAINS)) {
+  for (const cat of cats) catToDomain[cat.toLowerCase()] = domain;
+}
+
+// Bucket checks
+const buckets = {};
+for (const d of Object.keys(DOMAINS)) buckets[d] = { passed: 0, failed: 0, critical: [] };
+
+for (const c of checks) {
+  const cat = (c.category || '').toLowerCase();
+  let domain = 'Compliance'; // default
+  for (const [key, val] of Object.entries(catToDomain)) {
+    if (cat.includes(key)) { domain = val; break; }
+  }
+  if (c.passed) buckets[domain].passed++;
+  else {
+    buckets[domain].failed++;
+    if (c.severity === 'critical') buckets[domain].critical.push(c.id || c.name);
+  }
+}
+
+// Output
+const score = data.score ?? data.overallScore ?? 'N/A';
+console.log('=== Kastell Audit Domain Summary ===');
+console.log('Overall Score: ' + score + '/100');
+console.log('');
+
+for (const [domain, b] of Object.entries(buckets)) {
+  const total = b.passed + b.failed;
+  const pct = total > 0 ? Math.round(b.passed / total * 100) : 0;
+  const bar = '█'.repeat(Math.round(pct / 5)) + '░'.repeat(20 - Math.round(pct / 5));
+  console.log(domain + ': ' + b.passed + '/' + total + ' (' + pct + '%) ' + bar);
+  if (b.critical.length > 0) {
+    console.log('  Critical: ' + b.critical.slice(0, 3).join(', '));
+  }
+}
+" "$INPUT"