kastell 2.2.4 → 2.2.6

package/kastell-plugin/README.md

@@ -1,113 +1,113 @@
-# Kastell
-
-Autonomous server security and infrastructure management for Claude Code.
-
-## What You Get
-
-The Kastell plugin bundles 13 MCP tools, 4 skills, 1 agent, and 5 hooks that give Claude Code
-full control over your self-hosted server infrastructure. Use it to provision cloud servers,
-run 457-check security audits across 30 categories, apply 24-step hardening, manage backups,
-and operate entire fleets — all from natural language in Claude Code.
-
-Supported providers: Hetzner Cloud, DigitalOcean, Vultr, Linode.
-Supported platforms: Coolify, Dokploy.
-
-## Prerequisites
-
-- `npm install -g kastell` — the Kastell CLI must be installed globally
-- At least one cloud provider API token (Hetzner, DigitalOcean, Vultr, or Linode)
-- `kastell setup` — run once to configure your API tokens and default provider
-
-## Skills
-
-| Skill | Invocation | Purpose |
-|-------|------------|---------|
-| kastell-ops | Auto-loaded (background) | Architecture reference, patterns, anti-patterns, and decision trees for working in the Kastell codebase or managing Kastell-provisioned servers |
-| kastell-scaffold | `/kastell:scaffold` | Generate new CLI commands, MCP tools, cloud providers, and audit checks following Kastell conventions |
-| kastell-careful | `/kastell:careful` | Intercepts `kastell destroy` and `kastell restore` commands and requires explicit confirmation before proceeding |
-| kastell-research | `/kastell:research` | Read-only codebase exploration with full architecture context — for understanding behavior without making changes |
-
-**kastell-ops** loads automatically as background context whenever you work with the Kastell
-codebase or ask about server provisioning, audit, hardening, or provider management. It does
-not appear in the slash-command menu.
-
-## Agents
-
-**`/agent:kastell-auditor`** — Parallel audit analyzer that groups all 30 audit categories into
-five analysis buckets (critical config, network exposure, access control, monitoring, compliance),
-produces structured findings with severity ratings, and remembers previous audit context across
-sessions using user-scoped memory.
-
-Invoke it with: "Analyze my last audit report" or "Which findings should I fix first?"
-
-Note: `kastell-fixer` is a project-scope agent, not bundled in this plugin. It requires
-`isolation: worktree` which only works when installed at project scope (`.claude/agents/`).
-Install kastell-fixer separately inside your Kastell project directory.
-
-## Hooks
-
-| Hook | Trigger | What It Does |
-|------|---------|--------------|
-| stop-quality-check | Stop | Checks for TypeScript compilation errors, missing CHANGELOG entries, and stale README before ending the session |
-| session-log | PostToolUse (Bash) | Records Bash command outputs to `session.log` for audit trail |
-| session-audit | SessionStart | Runs `kastell audit --silent` on session start and surfaces the current security score |
-| pre-commit-audit-guard | PreToolUse (git commit) | Blocks the commit if the current audit score has dropped below the recorded baseline |
-| destroy-block | PreToolUse (Bash) | Blocks `kastell destroy` and `kastell restore` operations through Claude Code |
-
-## MCP Tools
-
-All 13 tools are available in Claude Code once the plugin is installed. The MCP server starts
-automatically via the bundled `.mcp.json` configuration.
-
-| Tool | Description |
-|------|-------------|
-| server_info | List servers, check status, health, and available sizes |
-| server_logs | Fetch logs and system metrics from servers via SSH |
-| server_manage | Add, remove, or destroy servers |
-| server_maintain | Update platform, restart, or run full maintenance |
-| server_secure | SSH hardening, firewall management, and domain configuration |
-| server_backup | Create backups and manage cloud snapshots |
-| server_provision | Provision new cloud servers on Hetzner, DigitalOcean, Vultr, or Linode |
-| server_audit | Run the full 457-check security audit across 30 categories |
-| server_evidence | Collect forensic evidence packages from servers |
-| server_guard | Manage the autonomous security monitoring daemon |
-| server_doctor | Proactive health analysis with remediation recommendations |
-| server_lock | Apply the 24-step production hardening sequence |
-| server_fleet | Fleet-wide health and security posture overview |
-
-## Quick Start
-
-```bash
-# Install kastell globally
-npm install -g kastell
-
-# Configure your cloud provider
-kastell setup
-
-# In Claude Code, the plugin auto-starts the MCP server.
-# Try natural language commands like:
-#   "Provision a new Hetzner server in Nuremberg with 2 CPUs"
-#   "Run a security audit on my server at 1.2.3.4"
-#   "Apply full hardening to my production server"
-#   "Show me all my servers"
-```
-
-After installation, the `kastell-ops` skill loads automatically in any session where you
-work with Kastell. Use `/kastell:scaffold` to generate new CLI commands or MCP tools,
-and `/agent:kastell-auditor` to get prioritized remediation guidance from audit results.
-
-## Supported Providers
-
-| Provider | Regions | Notes |
-|----------|---------|-------|
-| Hetzner Cloud | EU (FSN, NBG, HEL), US (ASH, HIL) | Default recommended provider |
-| DigitalOcean | Global (NYC, SFO, AMS, SGP, LON, FRA, TOR, BLR, SYD) | |
-| Vultr | 25+ global locations | |
-| Linode (Akamai) | 11 global locations | |
-
-## Links
-
-- Website: https://kastell.dev
-- GitHub: https://github.com/kastelldev/kastell
-- npm: https://www.npmjs.com/package/kastell
-- Docs: https://kastell.dev/docs
+# Kastell
+
+Autonomous server security and infrastructure management for Claude Code.
+
+## What You Get
+
+The Kastell plugin bundles 13 MCP tools, 4 skills, 1 agent, and 5 hooks that give Claude Code
+full control over your self-hosted server infrastructure. Use it to provision cloud servers,
+run 457-check security audits across 30 categories, apply 24-step hardening, manage backups,
+and operate entire fleets — all from natural language in Claude Code.
+
+Supported providers: Hetzner Cloud, DigitalOcean, Vultr, Linode.
+Supported platforms: Coolify, Dokploy.
+
+## Prerequisites
+
+- `npm install -g kastell` — the Kastell CLI must be installed globally
+- At least one cloud provider API token (Hetzner, DigitalOcean, Vultr, or Linode)
+- `kastell setup` — run once to configure your API tokens and default provider
+
+## Skills
+
+| Skill | Invocation | Purpose |
+|-------|------------|---------|
+| kastell-ops | Auto-loaded (background) | Architecture reference, patterns, anti-patterns, and decision trees for working in the Kastell codebase or managing Kastell-provisioned servers |
+| kastell-scaffold | `/kastell:scaffold` | Generate new CLI commands, MCP tools, cloud providers, and audit checks following Kastell conventions |
+| kastell-careful | `/kastell:careful` | Intercepts `kastell destroy` and `kastell restore` commands and requires explicit confirmation before proceeding |
+| kastell-research | `/kastell:research` | Read-only codebase exploration with full architecture context — for understanding behavior without making changes |
+
+**kastell-ops** loads automatically as background context whenever you work with the Kastell
+codebase or ask about server provisioning, audit, hardening, or provider management. It does
+not appear in the slash-command menu.
+
+## Agents
+
+**`/agent:kastell-auditor`** — Parallel audit analyzer that groups all 30 audit categories into
+five analysis buckets (critical config, network exposure, access control, monitoring, compliance),
+produces structured findings with severity ratings, and remembers previous audit context across
+sessions using user-scoped memory.
+
+Invoke it with: "Analyze my last audit report" or "Which findings should I fix first?"
+
+Note: `kastell-fixer` is a project-scope agent, not bundled in this plugin. It requires
+`isolation: worktree` which only works when installed at project scope (`.claude/agents/`).
+Install kastell-fixer separately inside your Kastell project directory.
+
+## Hooks
+
+| Hook | Trigger | What It Does |
+|------|---------|--------------|
+| stop-quality-check | Stop | Checks for TypeScript compilation errors, missing CHANGELOG entries, and stale README before ending the session |
+| session-log | PostToolUse (Bash) | Records Bash command outputs to `session.log` for audit trail |
+| session-audit | SessionStart | Runs `kastell audit --silent` on session start and surfaces the current security score |
+| pre-commit-audit-guard | PreToolUse (git commit) | Blocks the commit if the current audit score has dropped below the recorded baseline |
+| destroy-block | PreToolUse (Bash) | Blocks `kastell destroy` and `kastell restore` operations through Claude Code |
+
+## MCP Tools
+
+All 13 tools are available in Claude Code once the plugin is installed. The MCP server starts
+automatically via the bundled `.mcp.json` configuration.
+
+| Tool | Description |
+|------|-------------|
+| server_info | List servers, check status, health, and available sizes |
+| server_logs | Fetch logs and system metrics from servers via SSH |
+| server_manage | Add, remove, or destroy servers |
+| server_maintain | Update platform, restart, or run full maintenance |
+| server_secure | SSH hardening, firewall management, and domain configuration |
+| server_backup | Create backups and manage cloud snapshots |
+| server_provision | Provision new cloud servers on Hetzner, DigitalOcean, Vultr, or Linode |
+| server_audit | Run the full 457-check security audit across 30 categories |
+| server_evidence | Collect forensic evidence packages from servers |
+| server_guard | Manage the autonomous security monitoring daemon |
+| server_doctor | Proactive health analysis with remediation recommendations |
+| server_lock | Apply the 24-step production hardening sequence |
+| server_fleet | Fleet-wide health and security posture overview |
+
+## Quick Start
+
+```bash
+# Install kastell globally
+npm install -g kastell
+
+# Configure your cloud provider
+kastell setup
+
+# In Claude Code, the plugin auto-starts the MCP server.
+# Try natural language commands like:
+#   "Provision a new Hetzner server in Nuremberg with 2 CPUs"
+#   "Run a security audit on my server at 1.2.3.4"
+#   "Apply full hardening to my production server"
+#   "Show me all my servers"
+```
+
+After installation, the `kastell-ops` skill loads automatically in any session where you
+work with Kastell. Use `/kastell:scaffold` to generate new CLI commands or MCP tools,
+and `/agent:kastell-auditor` to get prioritized remediation guidance from audit results.
+
+## Supported Providers
+
+| Provider | Regions | Notes |
+|----------|---------|-------|
+| Hetzner Cloud | EU (FSN, NBG, HEL), US (ASH, HIL) | Default recommended provider |
+| DigitalOcean | Global (NYC, SFO, AMS, SGP, LON, FRA, TOR, BLR, SYD) | |
+| Vultr | 25+ global locations | |
+| Linode (Akamai) | 11 global locations | |
+
+## Links
+
+- Website: https://kastell.dev
+- GitHub: https://github.com/kastelldev/kastell
+- npm: https://www.npmjs.com/package/kastell
+- Docs: https://kastell.dev/docs

package/kastell-plugin/agents/kastell-auditor.md

@@ -1,77 +1,77 @@
----
-name: kastell-auditor
-description: "Security audit analyzer for Kastell servers. Runs kastell audit, maps results across 5 security domains (perimeter, authentication, runtime, internals, compliance), tracks score trends across sessions. Use when running kastell audit, analyzing server security posture, investigating audit findings, or generating security reports."
-tools: Read, Grep, Glob, Bash
-model: inherit
-effort: high
-memory: user
-maxTurns: 25
-skills:
-  - kastell-ops
----
-
-# Role
-
-## Live Context
-
-**Last audit score:** !`node -e "import('fs').then(f=>{try{const h=JSON.parse(f.readFileSync(process.env.HOME+'/.kastell/audit-history.json','utf8'));const last=h.sort((a,b)=>new Date(b.timestamp)-new Date(a.timestamp))[0];if(last)console.log(last.overallScore+'/100 ('+last.serverName+', '+last.timestamp.split('T')[0]+')');else console.log('No audit history yet')}catch(e){console.log('No audit history yet')}}).catch(()=>console.log('No audit history yet'))" 2>/dev/null || echo "No audit history yet"`
-
-You are a security audit analyst for Kastell-managed servers. Your purpose is to run `kastell audit`, organize findings into 5 security domains, identify critical failures and quick wins, and track score trends across sessions.
-
-# Workflow
-
-1. **Identify target server** — ask user if not provided; verify with `kastell list`
-2. **Run audit** — `kastell audit <server> --json` to get structured output
-3. **Analyze by bucket** — pipe JSON through `bash scripts/bucket_mapper.sh` for instant 5-domain mapping
-4. **Check memory** — run `bash scripts/trend_report.sh <server>` for score history; or load `audit-history.json` directly
-5. **Report** — per-bucket summary + overall score + trend (if memory available)
-
-## Scripts (Deterministic)
-
-```bash
-# Map audit JSON to 5 security buckets
-kastell audit --server <name> --json | bash scripts/bucket_mapper.sh
-
-# Show audit score trend for a server
-bash scripts/trend_report.sh <server-name>
-bash scripts/trend_report.sh --all
-```
-
-# Bucket Map
-
-| Bucket | Categories | Focus |
-|--------|-----------|-------|
-| 1 Perimeter | Network, Firewall, DNS Security | External attack surface |
-| 2 Authentication | SSH, Auth, Crypto, Accounts | Identity controls |
-| 3 Runtime | Docker, Services, Boot, Scheduling | Service exposure |
-| 4 Internals | Filesystem, Logging, Kernel, Memory | System hardening |
-| 5 Compliance | Updates, File Integrity, Malware, MAC, Secrets, Cloud Metadata, Supply Chain, Backup Hygiene, Resource Limits, Incident Readiness, Banners, Time | Hygiene and compliance |
-
-# Output Format
-
-For each bucket:
-- **Score:** X/Y checks passed
-- **Critical findings** (up to 3): `[FAIL] check-name -- one-line impact`
-- **Quick win:** one actionable fix
-
-After all buckets:
-- **Overall score:** X/100
-- **Trend** (when memory has prior data): "Last audit: Y -- Delta: +/-Z -- [N] new failures in [bucket]"
-
-# Memory
-
-Manage a single file `audit-history.json` in your agent memory directory. Store per server:
-
-```json
-{ "server": "string", "date": "string", "score": 0, "bucketScores": { "perimeter": 0, "authentication": 0, "runtime": 0, "internals": 0, "compliance": 0 }, "failedChecks": [] }
-```
-
-On each run: load prior record, compute delta, store new record. Discard entries for servers no longer in `kastell list` output.
-
-# Rules
-
-- Read-only operations only: `server_audit`, `server_doctor`, `server_fleet`
-- Never run `kastell lock`, `kastell secure`, or any write operation
-- Recommend fixes but do not apply them — suggest `/agent:kastell-fixer` for implementation
-- If multiple servers requested, analyze each sequentially
-- English output for analysis structure; follow user's language for explanatory text
+---
+name: kastell-auditor
+description: "Security audit analyzer for Kastell servers. Runs kastell audit, maps results across 5 security domains (perimeter, authentication, runtime, internals, compliance), tracks score trends across sessions. Use when running kastell audit, analyzing server security posture, investigating audit findings, or generating security reports."
+tools: Read, Grep, Glob, Bash
+model: inherit
+effort: high
+memory: user
+maxTurns: 25
+skills:
+  - kastell-ops
+---
+
+# Role
+
+## Live Context
+
+**Last audit score:** !`node -e "import('fs').then(f=>{try{const h=JSON.parse(f.readFileSync(process.env.HOME+'/.kastell/audit-history.json','utf8'));const last=h.sort((a,b)=>new Date(b.timestamp)-new Date(a.timestamp))[0];if(last)console.log(last.overallScore+'/100 ('+last.serverName+', '+last.timestamp.split('T')[0]+')');else console.log('No audit history yet')}catch(e){console.log('No audit history yet')}}).catch(()=>console.log('No audit history yet'))" 2>/dev/null || echo "No audit history yet"`
+
+You are a security audit analyst for Kastell-managed servers. Your purpose is to run `kastell audit`, organize findings into 5 security domains, identify critical failures and quick wins, and track score trends across sessions.
+
+# Workflow
+
+1. **Identify target server** — ask user if not provided; verify with `kastell list`
+2. **Run audit** — `kastell audit <server> --json` to get structured output
+3. **Analyze by bucket** — pipe JSON through `bash scripts/bucket_mapper.sh` for instant 5-domain mapping
+4. **Check memory** — run `bash scripts/trend_report.sh <server>` for score history; or load `audit-history.json` directly
+5. **Report** — per-bucket summary + overall score + trend (if memory available)
+
+## Scripts (Deterministic)
+
+```bash
+# Map audit JSON to 5 security buckets
+kastell audit --server <name> --json | bash scripts/bucket_mapper.sh
+
+# Show audit score trend for a server
+bash scripts/trend_report.sh <server-name>
+bash scripts/trend_report.sh --all
+```
+
+# Bucket Map
+
+| Bucket | Categories | Focus |
+|--------|-----------|-------|
+| 1 Perimeter | Network, Firewall, DNS Security | External attack surface |
+| 2 Authentication | SSH, Auth, Crypto, Accounts | Identity controls |
+| 3 Runtime | Docker, Services, Boot, Scheduling | Service exposure |
+| 4 Internals | Filesystem, Logging, Kernel, Memory | System hardening |
+| 5 Compliance | Updates, File Integrity, Malware, MAC, Secrets, Cloud Metadata, Supply Chain, Backup Hygiene, Resource Limits, Incident Readiness, Banners, Time | Hygiene and compliance |
+
+# Output Format
+
+For each bucket:
+- **Score:** X/Y checks passed
+- **Critical findings** (up to 3): `[FAIL] check-name -- one-line impact`
+- **Quick win:** one actionable fix
+
+After all buckets:
+- **Overall score:** X/100
+- **Trend** (when memory has prior data): "Last audit: Y -- Delta: +/-Z -- [N] new failures in [bucket]"
+
+# Memory
+
+Manage a single file `audit-history.json` in your agent memory directory. Store per server:
+
+```json
+{ "server": "string", "date": "string", "score": 0, "bucketScores": { "perimeter": 0, "authentication": 0, "runtime": 0, "internals": 0, "compliance": 0 }, "failedChecks": [] }
+```
+
+On each run: load prior record, compute delta, store new record. Discard entries for servers no longer in `kastell list` output.
+
+# Rules
+
+- Read-only operations only: `server_audit`, `server_doctor`, `server_fleet`
+- Never run `kastell lock`, `kastell secure`, or any write operation
+- Recommend fixes but do not apply them — suggest `/agent:kastell-fixer` for implementation
+- If multiple servers requested, analyze each sequentially
+- English output for analysis structure; follow user's language for explanatory text

package/kastell-plugin/agents/scripts/bucket_mapper.sh

@@ -1,101 +1,101 @@
-#!/usr/bin/env bash
-# bucket_mapper.sh — Map kastell audit JSON checks to 5 security buckets.
-# Usage: kastell audit --server <name> --json | bash bucket_mapper.sh
-#    OR: bash bucket_mapper.sh < audit-output.json
-#    OR: bash bucket_mapper.sh audit-output.json
-#
-# Output: Per-bucket check list with pass/fail status and severity.
-# Used by kastell-auditor agent for structured analysis.
-#
-# Requires: node
-
-set -euo pipefail
-
-if [[ -n "${1:-}" && -f "$1" ]]; then
-  INPUT=$(cat "$1")
-elif [[ ! -t 0 ]]; then
-  INPUT=$(cat)
-else
-  echo "Usage: kastell audit --server <name> --json | bash bucket_mapper.sh" >&2
-  exit 1
-fi
-
-node -e "
-const data = JSON.parse(process.argv[1]);
-const checks = data.checks || data.results || [];
-
-const BUCKETS = {
-  '1_Perimeter': {
-    match: ['network', 'firewall', 'dns'],
-    checks: []
-  },
-  '2_Authentication': {
-    match: ['ssh', 'auth', 'crypto', 'accounts'],
-    checks: []
-  },
-  '3_Runtime': {
-    match: ['docker', 'services', 'boot', 'scheduling'],
-    checks: []
-  },
-  '4_Internals': {
-    match: ['filesystem', 'logging', 'kernel', 'memory'],
-    checks: []
-  },
-  '5_Compliance': {
-    match: [], // catchall
-    checks: []
-  }
-};
-
-function getBucket(category) {
-  const cat = (category || '').toLowerCase();
-  for (const [name, bucket] of Object.entries(BUCKETS)) {
-    if (name === '5_Compliance') continue;
-    if (bucket.match.some(m => cat.includes(m))) return name;
-  }
-  return '5_Compliance';
-}
-
-// Map checks to buckets
-for (const c of checks) {
-  const bucket = getBucket(c.category);
-  BUCKETS[bucket].checks.push({
-    id: c.id || 'unknown',
-    name: c.name || '',
-    severity: c.severity || 'info',
-    passed: !!c.passed,
-    category: c.category || ''
-  });
-}
-
-// Output
-const score = data.score ?? data.overallScore ?? 'N/A';
-console.log('Score: ' + score + '/100');
-console.log('Total checks: ' + checks.length);
-console.log('');
-
-for (const [name, bucket] of Object.entries(BUCKETS)) {
-  const label = name.replace(/^[0-9]_/, '');
-  const passed = bucket.checks.filter(c => c.passed).length;
-  const total = bucket.checks.length;
-  const critFail = bucket.checks.filter(c => !c.passed && c.severity === 'critical');
-
-  console.log('--- ' + label + ' (' + passed + '/' + total + ') ---');
-
-  // Show failed checks (critical first, then warning)
-  const failed = bucket.checks
-    .filter(c => !c.passed)
-    .sort((a, b) => {
-      const sev = { critical: 0, warning: 1, info: 2 };
-      return (sev[a.severity] ?? 3) - (sev[b.severity] ?? 3);
-    });
-
-  for (const c of failed.slice(0, 5)) {
-    const icon = c.severity === 'critical' ? '!!' : c.severity === 'warning' ? '! ' : '  ';
-    console.log('  [FAIL] ' + icon + c.id + ' — ' + c.name);
-  }
-  if (failed.length > 5) console.log('  ... and ' + (failed.length - 5) + ' more');
-  if (failed.length === 0) console.log('  All checks passed');
-  console.log('');
-}
-" "$INPUT"
+#!/usr/bin/env bash
+# bucket_mapper.sh — Map kastell audit JSON checks to 5 security buckets.
+# Usage: kastell audit --server <name> --json | bash bucket_mapper.sh
+#    OR: bash bucket_mapper.sh < audit-output.json
+#    OR: bash bucket_mapper.sh audit-output.json
+#
+# Output: Per-bucket check list with pass/fail status and severity.
+# Used by kastell-auditor agent for structured analysis.
+#
+# Requires: node
+
+set -euo pipefail
+
+if [[ -n "${1:-}" && -f "$1" ]]; then
+  INPUT=$(cat "$1")
+elif [[ ! -t 0 ]]; then
+  INPUT=$(cat)
+else
+  echo "Usage: kastell audit --server <name> --json | bash bucket_mapper.sh" >&2
+  exit 1
+fi
+
+node -e "
+const data = JSON.parse(process.argv[1]);
+const checks = data.checks || data.results || [];
+
+const BUCKETS = {
+  '1_Perimeter': {
+    match: ['network', 'firewall', 'dns'],
+    checks: []
+  },
+  '2_Authentication': {
+    match: ['ssh', 'auth', 'crypto', 'accounts'],
+    checks: []
+  },
+  '3_Runtime': {
+    match: ['docker', 'services', 'boot', 'scheduling'],
+    checks: []
+  },
+  '4_Internals': {
+    match: ['filesystem', 'logging', 'kernel', 'memory'],
+    checks: []
+  },
+  '5_Compliance': {
+    match: [], // catchall
+    checks: []
+  }
+};
+
+function getBucket(category) {
+  const cat = (category || '').toLowerCase();
+  for (const [name, bucket] of Object.entries(BUCKETS)) {
+    if (name === '5_Compliance') continue;
+    if (bucket.match.some(m => cat.includes(m))) return name;
+  }
+  return '5_Compliance';
+}
+
+// Map checks to buckets
+for (const c of checks) {
+  const bucket = getBucket(c.category);
+  BUCKETS[bucket].checks.push({
+    id: c.id || 'unknown',
+    name: c.name || '',
+    severity: c.severity || 'info',
+    passed: !!c.passed,
+    category: c.category || ''
+  });
+}
+
+// Output
+const score = data.score ?? data.overallScore ?? 'N/A';
+console.log('Score: ' + score + '/100');
+console.log('Total checks: ' + checks.length);
+console.log('');
+
+for (const [name, bucket] of Object.entries(BUCKETS)) {
+  const label = name.replace(/^[0-9]_/, '');
+  const passed = bucket.checks.filter(c => c.passed).length;
+  const total = bucket.checks.length;
+  const critFail = bucket.checks.filter(c => !c.passed && c.severity === 'critical');
+
+  console.log('--- ' + label + ' (' + passed + '/' + total + ') ---');
+
+  // Show failed checks (critical first, then warning)
+  const failed = bucket.checks
+    .filter(c => !c.passed)
+    .sort((a, b) => {
+      const sev = { critical: 0, warning: 1, info: 2 };
+      return (sev[a.severity] ?? 3) - (sev[b.severity] ?? 3);
+    });
+
+  for (const c of failed.slice(0, 5)) {
+    const icon = c.severity === 'critical' ? '!!' : c.severity === 'warning' ? '! ' : '  ';
+    console.log('  [FAIL] ' + icon + c.id + ' — ' + c.name);
+  }
+  if (failed.length > 5) console.log('  ... and ' + (failed.length - 5) + ' more');
+  if (failed.length === 0) console.log('  All checks passed');
+  console.log('');
+}
+" "$INPUT"