kastell 2.2.4 → 2.2.5

package/kastell-plugin/agents/scripts/bucket_mapper.sh

@@ -1,101 +1,101 @@
-#!/usr/bin/env bash
-# bucket_mapper.sh — Map kastell audit JSON checks to 5 security buckets.
-# Usage: kastell audit --server <name> --json | bash bucket_mapper.sh
-#    OR: bash bucket_mapper.sh < audit-output.json
-#    OR: bash bucket_mapper.sh audit-output.json
-#
-# Output: Per-bucket check list with pass/fail status and severity.
-# Used by kastell-auditor agent for structured analysis.
-#
-# Requires: node
-
-set -euo pipefail
-
-if [[ -n "${1:-}" && -f "$1" ]]; then
-  INPUT=$(cat "$1")
-elif [[ ! -t 0 ]]; then
-  INPUT=$(cat)
-else
-  echo "Usage: kastell audit --server <name> --json | bash bucket_mapper.sh" >&2
-  exit 1
-fi
-
-node -e "
-const data = JSON.parse(process.argv[1]);
-const checks = data.checks || data.results || [];
-
-const BUCKETS = {
-  '1_Perimeter': {
-    match: ['network', 'firewall', 'dns'],
-    checks: []
-  },
-  '2_Authentication': {
-    match: ['ssh', 'auth', 'crypto', 'accounts'],
-    checks: []
-  },
-  '3_Runtime': {
-    match: ['docker', 'services', 'boot', 'scheduling'],
-    checks: []
-  },
-  '4_Internals': {
-    match: ['filesystem', 'logging', 'kernel', 'memory'],
-    checks: []
-  },
-  '5_Compliance': {
-    match: [], // catchall
-    checks: []
-  }
-};
-
-function getBucket(category) {
-  const cat = (category || '').toLowerCase();
-  for (const [name, bucket] of Object.entries(BUCKETS)) {
-    if (name === '5_Compliance') continue;
-    if (bucket.match.some(m => cat.includes(m))) return name;
-  }
-  return '5_Compliance';
-}
-
-// Map checks to buckets
-for (const c of checks) {
-  const bucket = getBucket(c.category);
-  BUCKETS[bucket].checks.push({
-    id: c.id || 'unknown',
-    name: c.name || '',
-    severity: c.severity || 'info',
-    passed: !!c.passed,
-    category: c.category || ''
-  });
-}
-
-// Output
-const score = data.score ?? data.overallScore ?? 'N/A';
-console.log('Score: ' + score + '/100');
-console.log('Total checks: ' + checks.length);
-console.log('');
-
-for (const [name, bucket] of Object.entries(BUCKETS)) {
-  const label = name.replace(/^[0-9]_/, '');
-  const passed = bucket.checks.filter(c => c.passed).length;
-  const total = bucket.checks.length;
-  const critFail = bucket.checks.filter(c => !c.passed && c.severity === 'critical');
-
-  console.log('--- ' + label + ' (' + passed + '/' + total + ') ---');
-
-  // Show failed checks (critical first, then warning)
-  const failed = bucket.checks
-    .filter(c => !c.passed)
-    .sort((a, b) => {
-      const sev = { critical: 0, warning: 1, info: 2 };
-      return (sev[a.severity] ?? 3) - (sev[b.severity] ?? 3);
-    });
-
-  for (const c of failed.slice(0, 5)) {
-    const icon = c.severity === 'critical' ? '!!' : c.severity === 'warning' ? '! ' : '  ';
-    console.log('  [FAIL] ' + icon + c.id + ' — ' + c.name);
-  }
-  if (failed.length > 5) console.log('  ... and ' + (failed.length - 5) + ' more');
-  if (failed.length === 0) console.log('  All checks passed');
-  console.log('');
-}
-" "$INPUT"
+#!/usr/bin/env bash
+# bucket_mapper.sh — Map kastell audit JSON checks to 5 security buckets.
+# Usage: kastell audit --server <name> --json | bash bucket_mapper.sh
+#    OR: bash bucket_mapper.sh < audit-output.json
+#    OR: bash bucket_mapper.sh audit-output.json
+#
+# Output: Per-bucket check list with pass/fail status and severity.
+# Used by kastell-auditor agent for structured analysis.
+#
+# Requires: node
+
+set -euo pipefail
+
+if [[ -n "${1:-}" && -f "$1" ]]; then
+  INPUT=$(cat "$1")
+elif [[ ! -t 0 ]]; then
+  INPUT=$(cat)
+else
+  echo "Usage: kastell audit --server <name> --json | bash bucket_mapper.sh" >&2
+  exit 1
+fi
+
+node -e "
+const data = JSON.parse(process.argv[1]);
+const checks = data.checks || data.results || [];
+
+const BUCKETS = {
+  '1_Perimeter': {
+    match: ['network', 'firewall', 'dns'],
+    checks: []
+  },
+  '2_Authentication': {
+    match: ['ssh', 'auth', 'crypto', 'accounts'],
+    checks: []
+  },
+  '3_Runtime': {
+    match: ['docker', 'services', 'boot', 'scheduling'],
+    checks: []
+  },
+  '4_Internals': {
+    match: ['filesystem', 'logging', 'kernel', 'memory'],
+    checks: []
+  },
+  '5_Compliance': {
+    match: [], // catchall
+    checks: []
+  }
+};
+
+function getBucket(category) {
+  const cat = (category || '').toLowerCase();
+  for (const [name, bucket] of Object.entries(BUCKETS)) {
+    if (name === '5_Compliance') continue;
+    if (bucket.match.some(m => cat.includes(m))) return name;
+  }
+  return '5_Compliance';
+}
+
+// Map checks to buckets
+for (const c of checks) {
+  const bucket = getBucket(c.category);
+  BUCKETS[bucket].checks.push({
+    id: c.id || 'unknown',
+    name: c.name || '',
+    severity: c.severity || 'info',
+    passed: !!c.passed,
+    category: c.category || ''
+  });
+}
+
+// Output
+const score = data.score ?? data.overallScore ?? 'N/A';
+console.log('Score: ' + score + '/100');
+console.log('Total checks: ' + checks.length);
+console.log('');
+
+for (const [name, bucket] of Object.entries(BUCKETS)) {
+  const label = name.replace(/^[0-9]_/, '');
+  const passed = bucket.checks.filter(c => c.passed).length;
+  const total = bucket.checks.length;
+  const critFail = bucket.checks.filter(c => !c.passed && c.severity === 'critical');
+
+  console.log('--- ' + label + ' (' + passed + '/' + total + ') ---');
+
+  // Show failed checks (critical first, then warning)
+  const failed = bucket.checks
+    .filter(c => !c.passed)
+    .sort((a, b) => {
+      const sev = { critical: 0, warning: 1, info: 2 };
+      return (sev[a.severity] ?? 3) - (sev[b.severity] ?? 3);
+    });
+
+  for (const c of failed.slice(0, 5)) {
+    const icon = c.severity === 'critical' ? '!!' : c.severity === 'warning' ? '! ' : '  ';
+    console.log('  [FAIL] ' + icon + c.id + ' — ' + c.name);
+  }
+  if (failed.length > 5) console.log('  ... and ' + (failed.length - 5) + ' more');
+  if (failed.length === 0) console.log('  All checks passed');
+  console.log('');
+}
+" "$INPUT"

package/kastell-plugin/agents/scripts/trend_report.sh

@@ -1,91 +1,91 @@
-#!/usr/bin/env bash
-# trend_report.sh — Generate audit score trend from audit-history.json.
-# Usage: bash trend_report.sh [server-name]
-#    OR: bash trend_report.sh --all
-#
-# Reads ~/.kastell/audit-history.json (maintained by kastell-auditor agent).
-# Shows score over time with delta indicators.
-#
-# Requires: node
-
-set -euo pipefail
-
-HISTORY_FILE="${KASTELL_HOME:-$HOME/.kastell}/audit-history.json"
-SERVER="${1:-}"
-
-if [[ ! -f "$HISTORY_FILE" ]]; then
-  echo "No audit history found at: $HISTORY_FILE"
-  echo "Run 'kastell audit --server <name>' to generate data."
-  exit 0
-fi
-
-node -e "
-const fs = require('fs');
-const data = JSON.parse(fs.readFileSync(process.argv[1], 'utf8'));
-const server = process.argv[2] || '';
-const showAll = server === '--all';
-
-if (!Array.isArray(data) || data.length === 0) {
-  console.log('No audit history entries found.');
-  process.exit(0);
-}
-
-// Filter by server if specified
-let entries = showAll ? data : server
-  ? data.filter(e => e.serverName === server || e.server === server)
-  : data;
-
-if (entries.length === 0) {
-  console.log('No audit history for server: ' + server);
-  console.log('Available servers: ' + [...new Set(data.map(e => e.serverName || e.server))].join(', '));
-  process.exit(0);
-}
-
-// Sort by date
-entries.sort((a, b) => new Date(a.timestamp || a.date) - new Date(b.timestamp || b.date));
-
-// Group by server
-const byServer = {};
-for (const e of entries) {
-  const name = e.serverName || e.server || 'unknown';
-  if (!byServer[name]) byServer[name] = [];
-  byServer[name].push(e);
-}
-
-console.log('=== Audit Score Trend ===');
-console.log('');
-
-for (const [name, history] of Object.entries(byServer)) {
-  console.log('Server: ' + name);
-  console.log('-'.repeat(50));
-
-  let prev = null;
-  for (const e of history) {
-    const score = e.overallScore ?? e.score ?? 0;
-    const date = (e.timestamp || e.date || '').split('T')[0];
-    let delta = '';
-    if (prev !== null) {
-      const diff = score - prev;
-      delta = diff > 0 ? ' (+' + diff + ')' : diff < 0 ? ' (' + diff + ')' : ' (=)';
-    }
-
-    // Visual bar
-    const filled = Math.round(score / 5);
-    const bar = '█'.repeat(filled) + '░'.repeat(20 - filled);
-
-    console.log('  ' + date + '  ' + String(score).padStart(3) + '/100 ' + bar + delta);
-    prev = score;
-  }
-
-  // Latest bucket scores if available
-  const latest = history[history.length - 1];
-  if (latest.bucketScores) {
-    console.log('');
-    console.log('  Latest bucket breakdown:');
-    for (const [bucket, score] of Object.entries(latest.bucketScores)) {
-      console.log('    ' + bucket.padEnd(15) + ': ' + score);
-    }
-  }
-  console.log('');
-}
-" "$HISTORY_FILE" "$SERVER"
+#!/usr/bin/env bash
+# trend_report.sh — Generate audit score trend from audit-history.json.
+# Usage: bash trend_report.sh [server-name]
+#    OR: bash trend_report.sh --all
+#
+# Reads ~/.kastell/audit-history.json (maintained by kastell-auditor agent).
+# Shows score over time with delta indicators.
+#
+# Requires: node
+
+set -euo pipefail
+
+HISTORY_FILE="${KASTELL_HOME:-$HOME/.kastell}/audit-history.json"
+SERVER="${1:-}"
+
+if [[ ! -f "$HISTORY_FILE" ]]; then
+  echo "No audit history found at: $HISTORY_FILE"
+  echo "Run 'kastell audit --server <name>' to generate data."
+  exit 0
+fi
+
+node -e "
+const fs = require('fs');
+const data = JSON.parse(fs.readFileSync(process.argv[1], 'utf8'));
+const server = process.argv[2] || '';
+const showAll = server === '--all';
+
+if (!Array.isArray(data) || data.length === 0) {
+  console.log('No audit history entries found.');
+  process.exit(0);
+}
+
+// Filter by server if specified
+let entries = showAll ? data : server
+  ? data.filter(e => e.serverName === server || e.server === server)
+  : data;
+
+if (entries.length === 0) {
+  console.log('No audit history for server: ' + server);
+  console.log('Available servers: ' + [...new Set(data.map(e => e.serverName || e.server))].join(', '));
+  process.exit(0);
+}
+
+// Sort by date
+entries.sort((a, b) => new Date(a.timestamp || a.date) - new Date(b.timestamp || b.date));
+
+// Group by server
+const byServer = {};
+for (const e of entries) {
+  const name = e.serverName || e.server || 'unknown';
+  if (!byServer[name]) byServer[name] = [];
+  byServer[name].push(e);
+}
+
+console.log('=== Audit Score Trend ===');
+console.log('');
+
+for (const [name, history] of Object.entries(byServer)) {
+  console.log('Server: ' + name);
+  console.log('-'.repeat(50));
+
+  let prev = null;
+  for (const e of history) {
+    const score = e.overallScore ?? e.score ?? 0;
+    const date = (e.timestamp || e.date || '').split('T')[0];
+    let delta = '';
+    if (prev !== null) {
+      const diff = score - prev;
+      delta = diff > 0 ? ' (+' + diff + ')' : diff < 0 ? ' (' + diff + ')' : ' (=)';
+    }
+
+    // Visual bar
+    const filled = Math.round(score / 5);
+    const bar = '█'.repeat(filled) + '░'.repeat(20 - filled);
+
+    console.log('  ' + date + '  ' + String(score).padStart(3) + '/100 ' + bar + delta);
+    prev = score;
+  }
+
+  // Latest bucket scores if available
+  const latest = history[history.length - 1];
+  if (latest.bucketScores) {
+    console.log('');
+    console.log('  Latest bucket breakdown:');
+    for (const [bucket, score] of Object.entries(latest.bucketScores)) {
+      console.log('    ' + bucket.padEnd(15) + ': ' + score);
+    }
+  }
+  console.log('');
+}
+" "$HISTORY_FILE" "$SERVER"

package/kastell-plugin/hooks/destroy-block.cjs

@@ -1,31 +1,31 @@
-#!/usr/bin/env node
-// PreToolUse hook: Block kastell destroy / server-delete commands (hard block)
-
-// MANDATORY stdin guard — exit silently if stdin unavailable (e.g. after /clear)
-if (!process.stdin || process.stdin.destroyed || !process.stdin.readable) {
-  process.exit(0);
-}
-
-let input = '';
-const stdinTimeout = setTimeout(() => process.exit(0), 1500);
-process.stdin.setEncoding('utf8');
-process.stdin.on('error', () => process.exit(0));
-process.stdin.on('data', chunk => { input += chunk; });
-process.stdin.on('end', () => {
-  clearTimeout(stdinTimeout);
-  try {
-    const data = JSON.parse(input);
-    const cmd = (data.tool_input && data.tool_input.command) || '';
-
-    if (/\bkastell\s+(destroy|server-delete)\b/.test(cmd)) {
-      process.stdout.write(JSON.stringify({
-        decision: 'block',
-        reason: 'Destructive kastell operation detected. Use kastell destroy with --force flag directly in terminal, not through Claude Code.',
-      }));
-      process.exit(2);
-    }
-  } catch {}
-
-  // Not destructive or parse error — allow
-  process.exit(0);
-});
+#!/usr/bin/env node
+// PreToolUse hook: Block kastell destroy / server-delete commands (hard block)
+
+// MANDATORY stdin guard — exit silently if stdin unavailable (e.g. after /clear)
+if (!process.stdin || process.stdin.destroyed || !process.stdin.readable) {
+  process.exit(0);
+}
+
+let input = '';
+const stdinTimeout = setTimeout(() => process.exit(0), 1500);
+process.stdin.setEncoding('utf8');
+process.stdin.on('error', () => process.exit(0));
+process.stdin.on('data', chunk => { input += chunk; });
+process.stdin.on('end', () => {
+  clearTimeout(stdinTimeout);
+  try {
+    const data = JSON.parse(input);
+    const cmd = (data.tool_input && data.tool_input.command) || '';
+
+    if (/\bkastell\s+(destroy|server-delete)\b/.test(cmd)) {
+      process.stdout.write(JSON.stringify({
+        decision: 'block',
+        reason: 'Destructive kastell operation detected. Use kastell destroy with --force flag directly in terminal, not through Claude Code.',
+      }));
+      process.exit(2);
+    }
+  } catch {}
+
+  // Not destructive or parse error — allow
+  process.exit(0);
+});

package/kastell-plugin/hooks/hooks.json

@@ -1,57 +1,57 @@
-{
-  "hooks": {
-    "PreToolUse": [
-      {
-        "matcher": "Bash",
-        "if": "Bash(*kastell*)",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/destroy-block.cjs"
-          }
-        ]
-      },
-      {
-        "matcher": "Bash",
-        "if": "Bash(*git commit*)",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/pre-commit-audit-guard.cjs"
-          }
-        ]
-      }
-    ],
-    "PostToolUse": [
-      {
-        "matcher": "Bash",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/session-log.cjs"
-          }
-        ]
-      }
-    ],
-    "SessionStart": [
-      {
-        "hooks": [
-          {
-            "type": "command",
-            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/session-audit.cjs"
-          }
-        ]
-      }
-    ],
-    "Stop": [
-      {
-        "hooks": [
-          {
-            "type": "command",
-            "command": "node ${CLAUDE_PLUGIN_ROOT}/hooks/stop-quality-check.cjs"
-          }
-        ]
-      }
-    ]
-  }
-}
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "if": "Bash(*kastell*)",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node ${CLAUDE_PLUGIN_ROOT}/kastell-plugin/hooks/destroy-block.cjs"
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "if": "Bash(*git commit*)",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node ${CLAUDE_PLUGIN_ROOT}/kastell-plugin/hooks/pre-commit-audit-guard.cjs"
+          }
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node ${CLAUDE_PLUGIN_ROOT}/kastell-plugin/hooks/session-log.cjs"
+          }
+        ]
+      }
+    ],
+    "SessionStart": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node ${CLAUDE_PLUGIN_ROOT}/kastell-plugin/hooks/session-audit.cjs"
+          }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node ${CLAUDE_PLUGIN_ROOT}/kastell-plugin/hooks/stop-quality-check.cjs"
+          }
+        ]
+      }
+    ]
+  }
+}