kastell 2.2.4 → 2.2.6

package/dist/utils/cloudInit.js

@@ -1,63 +1,63 @@
 export function getBareCloudInit(serverName) {
     const safeName = serverName.toLowerCase().replace(/[^a-z0-9-]/g, "");
-    return `#!/bin/bash
-set +e
-touch /var/log/kastell-install.log
-chmod 600 /var/log/kastell-install.log
-exec > >(tee /var/log/kastell-install.log) 2>&1
-
-echo "=================================="
-echo "Kastell Bare Server Setup"
-echo "Server: ${safeName}"
-echo "=================================="
-
-# Wait for network connectivity
-echo "Waiting for network connectivity..."
-MAX_ATTEMPTS=30
-ATTEMPTS=0
-while [ $ATTEMPTS -lt $MAX_ATTEMPTS ]; do
-  if curl -s --max-time 5 https://apt.releases.hashicorp.com > /dev/null 2>&1 || curl -s --max-time 5 https://archive.ubuntu.com > /dev/null 2>&1; then
-    echo "Network is ready!"
-    break
-  fi
-  ATTEMPTS=$((ATTEMPTS + 1))
-  echo "Network not ready (attempt $ATTEMPTS/$MAX_ATTEMPTS)..."
-  sleep 2
-done
-
-# Update system packages
-echo "Updating system packages..."
-apt-get update -y
-DEBIAN_FRONTEND=noninteractive apt-get upgrade -y
-
-# Install hardening packages
-echo "Installing hardening packages (fail2ban, ufw, unattended-upgrades)..."
-DEBIAN_FRONTEND=noninteractive apt-get install -y fail2ban ufw unattended-upgrades
-
-# Configure UFW firewall
-echo "Configuring UFW firewall..."
-ufw allow 22/tcp
-ufw allow 80/tcp
-ufw allow 443/tcp
-echo "y" | ufw enable || true
-ufw status
-
-# Configure unattended-upgrades for automatic security updates
-echo "Configuring unattended-upgrades..."
-dpkg-reconfigure -f noninteractive unattended-upgrades
-
-# Enable and start fail2ban
-echo "Enabling fail2ban..."
-systemctl enable fail2ban || true
-systemctl start fail2ban || true
-
-echo "=================================="
-echo "Bare server setup completed!"
-echo "Server: ${safeName}"
-echo "=================================="
-echo ""
-echo "Your server is ready. Connect via SSH:"
-echo "  ssh root@YOUR_SERVER_IP"
+    return `#!/bin/bash
+set +e
+touch /var/log/kastell-install.log
+chmod 600 /var/log/kastell-install.log
+exec > >(tee /var/log/kastell-install.log) 2>&1
+
+echo "=================================="
+echo "Kastell Bare Server Setup"
+echo "Server: ${safeName}"
+echo "=================================="
+
+# Wait for network connectivity
+echo "Waiting for network connectivity..."
+MAX_ATTEMPTS=30
+ATTEMPTS=0
+while [ $ATTEMPTS -lt $MAX_ATTEMPTS ]; do
+  if curl -s --max-time 5 https://apt.releases.hashicorp.com > /dev/null 2>&1 || curl -s --max-time 5 https://archive.ubuntu.com > /dev/null 2>&1; then
+    echo "Network is ready!"
+    break
+  fi
+  ATTEMPTS=$((ATTEMPTS + 1))
+  echo "Network not ready (attempt $ATTEMPTS/$MAX_ATTEMPTS)..."
+  sleep 2
+done
+
+# Update system packages
+echo "Updating system packages..."
+apt-get update -y
+DEBIAN_FRONTEND=noninteractive apt-get upgrade -y
+
+# Install hardening packages
+echo "Installing hardening packages (fail2ban, ufw, unattended-upgrades)..."
+DEBIAN_FRONTEND=noninteractive apt-get install -y fail2ban ufw unattended-upgrades
+
+# Configure UFW firewall
+echo "Configuring UFW firewall..."
+ufw allow 22/tcp
+ufw allow 80/tcp
+ufw allow 443/tcp
+echo "y" | ufw enable || true
+ufw status
+
+# Configure unattended-upgrades for automatic security updates
+echo "Configuring unattended-upgrades..."
+dpkg-reconfigure -f noninteractive unattended-upgrades
+
+# Enable and start fail2ban
+echo "Enabling fail2ban..."
+systemctl enable fail2ban || true
+systemctl start fail2ban || true
+
+echo "=================================="
+echo "Bare server setup completed!"
+echo "Server: ${safeName}"
+echo "=================================="
+echo ""
+echo "Your server is ready. Connect via SSH:"
+echo "  ssh root@YOUR_SERVER_IP"
 `;
 }
 //# sourceMappingURL=cloudInit.js.map

package/dist/utils/fileLock.d.ts

@@ -1,4 +1,8 @@
-export declare function withFileLock<T>(filePath: string, fn: () => Promise<T> | T): Promise<T>;
+/** Module-local wrapper for testability — DO NOT inline `process.kill`. */
+export declare function probeProcess(pid: number): "alive" | "dead" | "unknown";
+type ProbeFn = (pid: number) => "alive" | "dead" | "unknown";
+export declare function withFileLock<T>(filePath: string, fn: () => Promise<T> | T, probe?: ProbeFn): Promise<T>;
 /** Warn on stderr if a caught error is a permission issue. Returns true if it was a permission error. */
 export declare function warnIfPermissionError(err: unknown, label: string): boolean;
+export {};
 //# sourceMappingURL=fileLock.d.ts.map

package/dist/utils/fileLock.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"fileLock.d.ts","sourceRoot":"","sources":["../../src/utils/fileLock.ts"],"names":[],"mappings":"AAKA,wBAAsB,YAAY,CAAC,CAAC,EAClC,QAAQ,EAAE,MAAM,EAChB,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,GACvB,OAAO,CAAC,CAAC,CAAC,CAyCZ;AAED,yGAAyG;AACzG,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAO1E"}
+{"version":3,"file":"fileLock.d.ts","sourceRoot":"","sources":["../../src/utils/fileLock.ts"],"names":[],"mappings":"AAQA,2EAA2E;AAC3E,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,SAAS,CAStE;AAoBD,KAAK,OAAO,GAAG,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,GAAG,MAAM,GAAG,SAAS,CAAC;AAsB7D,wBAAsB,YAAY,CAAC,CAAC,EAClC,QAAQ,EAAE,MAAM,EAChB,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,EACxB,KAAK,GAAE,OAAsB,GAC5B,OAAO,CAAC,CAAC,CAAC,CA+CZ;AAED,yGAAyG;AACzG,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAO1E"}

package/dist/utils/fileLock.js

@@ -1,21 +1,78 @@
-import { mkdirSync, rmdirSync, statSync } from "fs";
-import { dirname } from "path";
-const STALE_THRESHOLD_MS = 30_000; // 30s
-export async function withFileLock(filePath, fn) {
+import { mkdirSync, rmSync, statSync, writeFileSync, readFileSync } from "fs";
+import { dirname, join } from "path";
+import { hostname } from "os";
+const STALE_THRESHOLD_MS = 30_000;
+// Reclaim even when probeProcess reports "alive" (guards against clock drift, zombies, PID reuse).
+const HARD_CEILING_MS = 60_000;
+/** Module-local wrapper for testability — DO NOT inline `process.kill`. */
+export function probeProcess(pid) {
+    try {
+        process.kill(pid, 0);
+        return "alive";
+    }
+    catch (err) {
+        const code = err.code;
+        if (code === "ESRCH")
+            return "dead";
+        return "unknown";
+    }
+}
+function readPidFile(lockDir) {
+    try {
+        const raw = readFileSync(join(lockDir, "owner.pid"), "utf-8");
+        const parts = raw.split("@");
+        if (parts.length !== 3)
+            return null;
+        const pid = parseInt(parts[0], 10);
+        if (isNaN(pid) || pid <= 0)
+            return null;
+        return { pid, host: parts[1] };
+    }
+    catch {
+        return null;
+    }
+}
+function shouldReclaimStaleLock(lockDir, probe) {
+    let mtimeMs;
+    try {
+        mtimeMs = statSync(lockDir).mtimeMs;
+    }
+    catch {
+        return false; // lock disappeared between checks
+    }
+    const age = Date.now() - mtimeMs;
+    const parsed = readPidFile(lockDir);
+    if (parsed && parsed.host === hostname()) {
+        const liveness = probe(parsed.pid);
+        if (liveness === "dead")
+            return true;
+        if (liveness === "alive")
+            return age > HARD_CEILING_MS;
+        // "unknown" → mtime fallback (aggressive: STALE_THRESHOLD_MS)
+    }
+    // farklı hostname, parse fail, PID file yok, veya "unknown" → mtime fallback
+    return age > STALE_THRESHOLD_MS;
+}
+export async function withFileLock(filePath, fn, probe = probeProcess) {
     const lockDir = filePath + ".lock";
     const maxRetries = 10;
     const retryDelay = 200;
-    // Ensure parent directory exists (CI runners may not have ~/.kastell/)
     mkdirSync(dirname(lockDir), { recursive: true });
     for (let i = 0; i < maxRetries; i++) {
         try {
             mkdirSync(lockDir);
             try {
+                try {
+                    writeFileSync(join(lockDir, "owner.pid"), `${process.pid}@${hostname()}@${Date.now()}`, { encoding: "utf-8" });
+                }
+                catch {
+                    /* best effort — if PID write fails, mtime fallback still protects */
+                }
                 return await fn();
             }
             finally {
                 try {
-                    rmdirSync(lockDir);
+                    rmSync(lockDir, { recursive: true, force: true });
                 }
                 catch {
                     /* best effort */
@@ -24,16 +81,14 @@ export async function withFileLock(filePath, fn) {
         }
         catch (err) {
             if (err.code === "EEXIST") {
-                // Stale lock detection
-                try {
-                    const stat = statSync(lockDir);
-                    if (Date.now() - stat.mtimeMs > STALE_THRESHOLD_MS) {
-                        rmdirSync(lockDir);
-                        continue;
+                if (shouldReclaimStaleLock(lockDir, probe)) {
+                    try {
+                        rmSync(lockDir, { recursive: true, force: true });
                     }
-                }
-                catch {
-                    /* lock was released between checks */
+                    catch {
+                        /* best effort, retry */
+                    }
+                    continue;
                 }
                 await new Promise((r) => setTimeout(r, retryDelay));
                 continue;

package/dist/utils/fileLock.js.map

@@ -1 +1 @@
-{"version":3,"file":"fileLock.js","sourceRoot":"","sources":["../../src/utils/fileLock.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAE/B,MAAM,kBAAkB,GAAG,MAAM,CAAC,CAAC,MAAM;AAEzC,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,EAAwB;IAExB,MAAM,OAAO,GAAG,QAAQ,GAAG,OAAO,CAAC;IACnC,MAAM,UAAU,GAAG,EAAE,CAAC;IACtB,MAAM,UAAU,GAAG,GAAG,CAAC;IAEvB,uEAAuE;IACvE,SAAS,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEjD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,IAAI,CAAC;YACH,SAAS,CAAC,OAAO,CAAC,CAAC;YACnB,IAAI,CAAC;gBACH,OAAO,MAAM,EAAE,EAAE,CAAC;YACpB,CAAC;oBAAS,CAAC;gBACT,IAAI,CAAC;oBACH,SAAS,CAAC,OAAO,CAAC,CAAC;gBACrB,CAAC;gBAAC,MAAM,CAAC;oBACP,iBAAiB;gBACnB,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACrD,uBAAuB;gBACvB,IAAI,CAAC;oBACH,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;oBAC/B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,GAAG,kBAAkB,EAAE,CAAC;wBACnD,SAAS,CAAC,OAAO,CAAC,CAAC;wBACnB,SAAS;oBACX,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,sCAAsC;gBACxC,CAAC;gBACD,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;gBACpD,SAAS;YACX,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IACD,MAAM,IAAI,KAAK,CACb,6BAA6B,QAAQ,UAAU,UAAU,UAAU,CACpE,CAAC;AACJ,CAAC;AAED,yGAAyG;AACzG,MAAM,UAAU,qBAAqB,CAAC,GAAY,EAAE,KAAa;IAC/D,MAAM,IAAI,GAAI,GAA6B,CAAC,IAAI,CAAC;IACjD,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QAC1C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,wBAAwB,KAAK,MAAM,IAAI,IAAI,CAAC,CAAC;QAClE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}
+{"version":3,"file":"fileLock.js","sourceRoot":"","sources":["../../src/utils/fileLock.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAC9E,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AAE9B,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAClC,mGAAmG;AACnG,MAAM,eAAe,GAAG,MAAM,CAAC;AAE/B,2EAA2E;AAC3E,MAAM,UAAU,YAAY,CAAC,GAAW;IACtC,IAAI,CAAC;QACH,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACrB,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,GAAI,GAA6B,CAAC,IAAI,CAAC;QACjD,IAAI,IAAI,KAAK,OAAO;YAAE,OAAO,MAAM,CAAC;QACpC,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAOD,SAAS,WAAW,CAAC,OAAe;IAClC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,EAAE,OAAO,CAAC,CAAC;QAC9D,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACpC,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACnC,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACxC,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAID,SAAS,sBAAsB,CAAC,OAAe,EAAE,KAAc;IAC7D,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC,CAAC,kCAAkC;IAClD,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC;IACjC,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IAEpC,IAAI,MAAM,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,EAAE,CAAC;QACzC,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,QAAQ,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC;QACrC,IAAI,QAAQ,KAAK,OAAO;YAAE,OAAO,GAAG,GAAG,eAAe,CAAC;QACvD,8DAA8D;IAChE,CAAC;IACD,6EAA6E;IAC7E,OAAO,GAAG,GAAG,kBAAkB,CAAC;AAClC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,EAAwB,EACxB,QAAiB,YAAY;IAE7B,MAAM,OAAO,GAAG,QAAQ,GAAG,OAAO,CAAC;IACnC,MAAM,UAAU,GAAG,EAAE,CAAC;IACtB,MAAM,UAAU,GAAG,GAAG,CAAC;IAEvB,SAAS,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEjD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,IAAI,CAAC;YACH,SAAS,CAAC,OAAO,CAAC,CAAC;YACnB,IAAI,CAAC;gBACH,IAAI,CAAC;oBACH,aAAa,CACX,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,EAC1B,GAAG,OAAO,CAAC,GAAG,IAAI,QAAQ,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,EAC5C,EAAE,QAAQ,EAAE,OAAO,EAAE,CACtB,CAAC;gBACJ,CAAC;gBAAC,MAAM,CAAC;oBACP,qEAAqE;gBACvE,CAAC;gBACD,OAAO,MAAM,EAAE,EAAE,CAAC;YACpB,CAAC;oBAAS,CAAC;gBACT,IAAI,CAAC;oBACH,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;gBACpD,CAAC;gBAAC,MAAM,CAAC;oBACP,iBAAiB;gBACnB,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACrD,IAAI,sBAAsB,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE,CAAC;oBAC3C,IAAI,CAAC;wBACH,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;oBACpD,CAAC;oBAAC,MAAM,CAAC;wBACP,wBAAwB;oBAC1B,CAAC;oBACD,SAAS;gBACX,CAAC;gBACD,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;gBACpD,SAAS;YACX,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IACD,MAAM,IAAI,KAAK,CACb,6BAA6B,QAAQ,UAAU,UAAU,UAAU,CACpE,CAAC;AACJ,CAAC;AAED,yGAAyG;AACzG,MAAM,UAAU,qBAAqB,CAAC,GAAY,EAAE,KAAa;IAC/D,MAAM,IAAI,GAAI,GAA6B,CAAC,IAAI,CAAC;IACjD,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QAC1C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,wBAAwB,KAAK,MAAM,IAAI,IAAI,CAAC,CAAC;QAClE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/utils/paths.d.ts

@@ -1,4 +1,3 @@
-/** Canonical Kastell config directory: ~/.kastell */
 export declare const KASTELL_DIR: string;
 /** Backups directory: ~/.kastell/backups */
 export declare const BACKUPS_DIR: string;

package/dist/utils/paths.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"paths.d.ts","sourceRoot":"","sources":["../../src/utils/paths.ts"],"names":[],"mappings":"AAGA,qDAAqD;AACrD,eAAO,MAAM,WAAW,QAA8B,CAAC;AAEvD,4CAA4C;AAC5C,eAAO,MAAM,WAAW,QAA+B,CAAC;AAExD,kDAAkD;AAClD,eAAO,MAAM,YAAY,QAAoC,CAAC;AAE9D,oDAAoD;AACpD,eAAO,MAAM,WAAW,QAA+B,CAAC;AAExD,2DAA2D;AAC3D,eAAO,MAAM,oBAAoB,QAAoC,CAAC"}
+{"version":3,"file":"paths.d.ts","sourceRoot":"","sources":["../../src/utils/paths.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,WAAW,QAAyD,CAAC;AAElF,4CAA4C;AAC5C,eAAO,MAAM,WAAW,QAA+B,CAAC;AAExD,kDAAkD;AAClD,eAAO,MAAM,YAAY,QAAoC,CAAC;AAE9D,oDAAoD;AACpD,eAAO,MAAM,WAAW,QAA+B,CAAC;AAExD,2DAA2D;AAC3D,eAAO,MAAM,oBAAoB,QAAoC,CAAC"}

package/dist/utils/paths.js

@@ -1,7 +1,6 @@
 import { homedir } from "os";
 import { join } from "path";
-/** Canonical Kastell config directory: ~/.kastell */
-export const KASTELL_DIR = join(homedir(), ".kastell");
+export const KASTELL_DIR = process.env.KASTELL_DIR || join(homedir(), ".kastell");
 /** Backups directory: ~/.kastell/backups */
 export const BACKUPS_DIR = join(KASTELL_DIR, "backups");
 /** Security audit log: ~/.kastell/security.log */

package/dist/utils/paths.js.map

@@ -1 +1 @@
-{"version":3,"file":"paths.js","sourceRoot":"","sources":["../../src/utils/paths.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,qDAAqD;AACrD,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,CAAC,CAAC;AAEvD,4CAA4C;AAC5C,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;AAExD,kDAAkD;AAClD,MAAM,CAAC,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;AAE9D,oDAAoD;AACpD,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;AAExD,2DAA2D;AAC3D,MAAM,CAAC,MAAM,oBAAoB,GAAG,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC"}
+{"version":3,"file":"paths.js","sourceRoot":"","sources":["../../src/utils/paths.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,MAAM,CAAC,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,CAAC,CAAC;AAElF,4CAA4C;AAC5C,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;AAExD,kDAAkD;AAClD,MAAM,CAAC,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;AAE9D,oDAAoD;AACpD,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;AAExD,2DAA2D;AAC3D,MAAM,CAAC,MAAM,oBAAoB,GAAG,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC"}

package/dist/utils/secureWrite.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"secureWrite.d.ts","sourceRoot":"","sources":["../../src/utils/secureWrite.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAUD,wBAAgB,UAAU,IAAI,IAAI,CAGjC;AA8BD,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAMrD;AAED,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,gBAAgB,GACzB,IAAI,CAGN;AAED,wBAAgB,eAAe,CAC7B,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;IAAE,SAAS,CAAC,EAAE,OAAO,CAAA;CAAE,GAChC,IAAI,CAGN"}
+{"version":3,"file":"secureWrite.d.ts","sourceRoot":"","sources":["../../src/utils/secureWrite.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAID,wBAAgB,UAAU,IAAI,IAAI,CAEjC;AAOD,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAMrD;AAED,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,gBAAgB,GACzB,IAAI,CAGN;AAED,wBAAgB,eAAe,CAC7B,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;IAAE,SAAS,CAAC,EAAE,OAAO,CAAA;CAAE,GAChC,IAAI,CAGN"}

package/dist/utils/secureWrite.js

@@ -1,47 +1,12 @@
-import { spawnSync } from "child_process";
 import { writeFileSync, mkdirSync, chmodSync } from "fs";
-import { userInfo } from "os";
-import { SecurityLogger } from "./securityLogger.js";
-import { extractReason } from "./errors.js";
-let cachedUsername;
-function getUsername() {
-    if (!cachedUsername)
-        cachedUsername = userInfo().username;
-    return cachedUsername;
-}
 const securedDirs = new Set();
 export function clearCache() {
     securedDirs.clear();
-    cachedUsername = undefined;
 }
 function applyPermissions(targetPath, mode) {
-    if (process.platform === "win32") {
-        const result = spawnSync("icacls", [
-            targetPath,
-            "/inheritance:r",
-            "/grant:r",
-            `${getUsername()}:F`,
-        ]);
-        if (result.status !== 0) {
-            SecurityLogger.warn("ACL operation failed", {
-                path: targetPath,
-                platform: process.platform,
-                error: result.stderr?.toString() ?? "unknown",
-            });
-        }
-    }
-    else {
-        try {
-            chmodSync(targetPath, mode);
-        }
-        catch (error) {
-            SecurityLogger.warn("chmod operation failed", {
-                path: targetPath,
-                platform: process.platform,
-                error: extractReason(error),
-            });
-        }
-    }
+    if (process.platform === "win32")
+        return; // ACL hardening → v2.4 backlog
+    chmodSync(targetPath, mode);
 }
 export function ensureSecureDir(dirPath) {
     if (securedDirs.has(dirPath)) {

package/dist/utils/secureWrite.js.map

@@ -1 +1 @@
-{"version":3,"file":"secureWrite.js","sourceRoot":"","sources":["../../src/utils/secureWrite.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AACzD,OAAO,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AAC9B,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAO5C,IAAI,cAAkC,CAAC;AACvC,SAAS,WAAW;IAClB,IAAI,CAAC,cAAc;QAAE,cAAc,GAAG,QAAQ,EAAE,CAAC,QAAQ,CAAC;IAC1D,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;AAEtC,MAAM,UAAU,UAAU;IACxB,WAAW,CAAC,KAAK,EAAE,CAAC;IACpB,cAAc,GAAG,SAAS,CAAC;AAC7B,CAAC;AAED,SAAS,gBAAgB,CAAC,UAAkB,EAAE,IAAmB;IAC/D,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,SAAS,CAAC,QAAQ,EAAE;YACjC,UAAU;YACV,gBAAgB;YAChB,UAAU;YACV,GAAG,WAAW,EAAE,IAAI;SACrB,CAAC,CAAC;QACH,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,cAAc,CAAC,IAAI,CAAC,sBAAsB,EAAE;gBAC1C,IAAI,EAAE,UAAU;gBAChB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE,IAAI,SAAS;aAC9C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;SAAM,CAAC;QACN,IAAI,CAAC;YACH,SAAS,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,cAAc,CAAC,IAAI,CAAC,wBAAwB,EAAE;gBAC5C,IAAI,EAAE,UAAU;gBAChB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,KAAK,EAAE,aAAa,CAAC,KAAK,CAAC;aAC5B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,IAAI,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO;IACT,CAAC;IACD,gBAAgB,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACjC,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,QAAgB,EAChB,IAAY,EACZ,OAA0B;IAE1B,aAAa,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACvC,gBAAgB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,OAAe,EACf,OAAiC;IAEjC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,SAAS,IAAI,IAAI,EAAE,CAAC,CAAC;IAC9D,eAAe,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC"}
+{"version":3,"file":"secureWrite.js","sourceRoot":"","sources":["../../src/utils/secureWrite.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAOzD,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;AAEtC,MAAM,UAAU,UAAU;IACxB,WAAW,CAAC,KAAK,EAAE,CAAC;AACtB,CAAC;AAED,SAAS,gBAAgB,CAAC,UAAkB,EAAE,IAAmB;IAC/D,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO;QAAE,OAAO,CAAC,+BAA+B;IACzE,SAAS,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,IAAI,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO;IACT,CAAC;IACD,gBAAgB,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACjC,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,QAAgB,EAChB,IAAY,EACZ,OAA0B;IAE1B,aAAa,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACvC,gBAAgB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,OAAe,EACf,OAAiC;IAEjC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,SAAS,IAAI,IAAI,EAAE,CAAC,CAAC;IAC9D,eAAe,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC"}

package/dist/utils/version.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"version.d.ts","sourceRoot":"","sources":["../../src/utils/version.ts"],"names":[],"mappings":"AAMA,wBAAgB,iBAAiB,IAAI,MAAM,CAU1C;AAED,eAAO,MAAM,eAAe,QAAsB,CAAC;AAEnD,wBAAgB,iBAAiB,IAAI,IAAI,CAExC"}
+{"version":3,"file":"version.d.ts","sourceRoot":"","sources":["../../src/utils/version.ts"],"names":[],"mappings":"AAkBA,wBAAgB,iBAAiB,IAAI,MAAM,CAW1C;AAED,eAAO,MAAM,eAAe,QAAsB,CAAC;AAEnD,wBAAgB,iBAAiB,IAAI,IAAI,CAExC"}

package/dist/utils/version.js

@@ -1,13 +1,28 @@
-import { readFileSync } from "fs";
-import { join } from "path";
+import { readFileSync, existsSync } from "fs";
+import { join, dirname } from "path";
 import { fileURLToPath } from "url";
 let cachedVersion = null;
+function findPackageJson() {
+    let dir = fileURLToPath(new URL(".", import.meta.url));
+    for (let i = 0; i < 5; i++) {
+        const candidate = join(dir, "package.json");
+        if (existsSync(candidate))
+            return candidate;
+        const parent = dirname(dir);
+        if (parent === dir)
+            break;
+        dir = parent;
+    }
+    return null;
+}
 export function getKastellVersion() {
     if (cachedVersion !== null)
         return cachedVersion;
     try {
-        const __dirname = fileURLToPath(new URL(".", import.meta.url));
-        const pkg = JSON.parse(readFileSync(join(__dirname, "../../package.json"), "utf-8"));
+        const pkgPath = findPackageJson();
+        if (!pkgPath)
+            return "0.0.0";
+        const pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
         cachedVersion = pkg.version;
         return cachedVersion;
     }

package/dist/utils/version.js.map

@@ -1 +1 @@
-{"version":3,"file":"version.js","sourceRoot":"","sources":["../../src/utils/version.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AAEpC,IAAI,aAAa,GAAkB,IAAI,CAAC;AAExC,MAAM,UAAU,iBAAiB;IAC/B,IAAI,aAAa,KAAK,IAAI;QAAE,OAAO,aAAa,CAAC;IACjD,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,oBAAoB,CAAC,EAAE,OAAO,CAAC,CAAwB,CAAC;QAC5G,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC;QAC5B,OAAO,aAAa,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,eAAe,GAAG,iBAAiB,EAAE,CAAC;AAEnD,MAAM,UAAU,iBAAiB;IAC/B,aAAa,GAAG,IAAI,CAAC;AACvB,CAAC"}
+{"version":3,"file":"version.js","sourceRoot":"","sources":["../../src/utils/version.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAC9C,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AAEpC,IAAI,aAAa,GAAkB,IAAI,CAAC;AAExC,SAAS,eAAe;IACtB,IAAI,GAAG,GAAG,aAAa,CAAC,IAAI,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACvD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;QAC5C,IAAI,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,SAAS,CAAC;QAC5C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,MAAM,KAAK,GAAG;YAAE,MAAM;QAC1B,GAAG,GAAG,MAAM,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,IAAI,aAAa,KAAK,IAAI;QAAE,OAAO,aAAa,CAAC;IACjD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;QAClC,IAAI,CAAC,OAAO;YAAE,OAAO,OAAO,CAAC;QAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAwB,CAAC;QAC9E,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC;QAC5B,OAAO,aAAa,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,eAAe,GAAG,iBAAiB,EAAE,CAAC;AAEnD,MAAM,UAAU,iBAAiB;IAC/B,aAAa,GAAG,IAAI,CAAC;AACvB,CAAC"}

package/kastell-plugin/.claude-plugin/plugin.json

@@ -1,20 +1,20 @@
-{
-  "name": "kastell",
-  "version": "2.2.0",
-  "description": "Autonomous server security and infrastructure management. Provides 13 MCP tools for cloud server provisioning, security auditing (457 checks), hardening, backup, and fleet management across Hetzner, DigitalOcean, Vultr, and Linode.",
-  "author": {
-    "name": "kastelldev"
-  },
-  "homepage": "https://kastell.dev",
-  "repository": "https://github.com/kastelldev/kastell",
-  "keywords": [
-    "server",
-    "security",
-    "infrastructure",
-    "mcp",
-    "audit",
-    "hardening",
-    "vps",
-    "cloud"
-  ]
-}
+{
+  "name": "kastell",
+  "version": "2.2.5",
+  "description": "Autonomous server security and infrastructure management. Provides 17 MCP tools for cloud server provisioning, security auditing (457 checks), hardening, backup, and fleet management across Hetzner, DigitalOcean, Vultr, and Linode.",
+  "author": {
+    "name": "kastelldev"
+  },
+  "homepage": "https://kastell.dev",
+  "repository": "https://github.com/kastelldev/kastell",
+  "keywords": [
+    "server",
+    "security",
+    "infrastructure",
+    "mcp",
+    "audit",
+    "hardening",
+    "vps",
+    "cloud"
+  ]
+}

package/kastell-plugin/.mcp.json

@@ -1,8 +1,15 @@
-{
-  "mcpServers": {
-    "kastell": {
-      "command": "node",
-      "args": ["${CLAUDE_PLUGIN_ROOT}/../../bin/kastell-mcp"]
-    }
-  }
-}
+{
+  "mcpServers": {
+    "kastell": {
+      "command": "node",
+      "args": ["${CLAUDE_PLUGIN_ROOT}/../../dist/mcp-bundle.mjs"],
+      "env": {
+        "HETZNER_TOKEN": "${HETZNER_TOKEN}",
+        "DIGITALOCEAN_TOKEN": "${DIGITALOCEAN_TOKEN}",
+        "VULTR_TOKEN": "${VULTR_TOKEN}",
+        "LINODE_TOKEN": "${LINODE_TOKEN}",
+        "KASTELL_SAFE_MODE": "true"
+      }
+    }
+  }
+}