kastell 2.2.6 → 2.3.0

package/dist/utils/webhookSecurity.js

@@ -0,0 +1,130 @@
+import { lookup as dnsLookup } from "node:dns";
+import { Agent } from "node:https";
+import { BlockList, isIP } from "node:net";
+import { ValidationError } from "./errors.js";
+const RESERVED_ADDRESSES = new BlockList();
+for (const [network, prefix] of [
+    ["0.0.0.0", 8],
+    ["10.0.0.0", 8],
+    ["100.64.0.0", 10],
+    ["127.0.0.0", 8],
+    ["169.254.0.0", 16],
+    ["172.16.0.0", 12],
+    ["192.0.0.0", 24],
+    ["192.0.2.0", 24],
+    ["192.168.0.0", 16],
+    ["198.18.0.0", 15],
+    ["198.51.100.0", 24],
+    ["203.0.113.0", 24],
+    ["224.0.0.0", 4],
+    ["240.0.0.0", 4],
+]) {
+    RESERVED_ADDRESSES.addSubnet(network, prefix, "ipv4");
+}
+for (const [network, prefix] of [
+    ["::", 96],
+    ["64:ff9b:1::", 48],
+    ["100::", 64],
+    ["2001:db8::", 32],
+    ["fc00::", 7],
+    ["fe80::", 10],
+    ["ff00::", 8],
+]) {
+    RESERVED_ADDRESSES.addSubnet(network, prefix, "ipv6");
+}
+function normalizeAddress(address) {
+    if (address.startsWith("[") && address.endsWith("]")) {
+        return address.slice(1, -1);
+    }
+    return address;
+}
+function mappedIpv4Address(address) {
+    const lower = address.toLowerCase();
+    if (!lower.startsWith("::ffff:"))
+        return undefined;
+    const suffix = lower.slice("::ffff:".length);
+    if (isIP(suffix) === 4)
+        return suffix;
+    const groups = suffix.split(":");
+    if (groups.length !== 2)
+        return undefined;
+    const high = Number.parseInt(groups[0], 16);
+    const low = Number.parseInt(groups[1], 16);
+    if (!Number.isInteger(high) ||
+        !Number.isInteger(low) ||
+        high < 0 ||
+        high > 0xffff ||
+        low < 0 ||
+        low > 0xffff) {
+        return undefined;
+    }
+    return [
+        high >> 8,
+        high & 0xff,
+        low >> 8,
+        low & 0xff,
+    ].join(".");
+}
+export function isPublicWebhookAddress(address) {
+    const normalized = normalizeAddress(address);
+    const mappedIpv4 = mappedIpv4Address(normalized);
+    if (mappedIpv4)
+        return isPublicWebhookAddress(mappedIpv4);
+    const family = isIP(normalized);
+    if (family === 0)
+        return false;
+    return !RESERVED_ADDRESSES.check(normalized, family === 4 ? "ipv4" : "ipv6");
+}
+function privateAddressError(hostname) {
+    const error = new Error(`Webhook hostname "${hostname}" resolves to a private or reserved address`);
+    error.code = "ENOTFOUND";
+    return error;
+}
+export function createSafeWebhookLookup(resolver = dnsLookup) {
+    return ((hostname, options, callback) => {
+        resolver(hostname, { all: true, verbatim: true }, (error, addresses) => {
+            if (error) {
+                callback(error, []);
+                return;
+            }
+            const requestedFamily = typeof options === "number" ? options : options.family;
+            const publicAddresses = addresses.filter(({ address, family }) => isPublicWebhookAddress(address) &&
+                (!requestedFamily || requestedFamily === family));
+            if (publicAddresses.length === 0) {
+                callback(privateAddressError(hostname), []);
+                return;
+            }
+            const wantsAll = typeof options === "object" && options.all === true;
+            if (wantsAll) {
+                callback(null, publicAddresses);
+                return;
+            }
+            const selected = publicAddresses[0];
+            callback(null, selected.address, selected.family);
+        });
+    });
+}
+export function assertSafeWebhookUrl(url) {
+    const parsed = new URL(url);
+    if (parsed.protocol !== "https:") {
+        throw new ValidationError("Webhook URL must use HTTPS", {
+            hint: "Webhook URL must start with https://",
+        });
+    }
+    const hostname = normalizeAddress(parsed.hostname);
+    const normalizedHostname = hostname.toLowerCase().replace(/\.$/, "");
+    const isLocalhost = normalizedHostname === "localhost" || normalizedHostname.endsWith(".localhost");
+    if (isLocalhost ||
+        (isIP(normalizedHostname) !== 0 && !isPublicWebhookAddress(normalizedHostname))) {
+        throw new ValidationError("Webhook URL points to a private/reserved address", {
+            hint: "Use a public webhook URL",
+        });
+    }
+}
+export function createSafeWebhookAgent() {
+    return new Agent({
+        keepAlive: false,
+        lookup: createSafeWebhookLookup(),
+    });
+}
+//# sourceMappingURL=webhookSecurity.js.map

package/dist/utils/webhookSecurity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhookSecurity.js","sourceRoot":"","sources":["../../src/utils/webhookSecurity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,SAAS,EAAsB,MAAM,UAAU,CAAC;AACnE,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAuB,MAAM,UAAU,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAc9C,MAAM,kBAAkB,GAAG,IAAI,SAAS,EAAE,CAAC;AAE3C,KAAK,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI;IAC9B,CAAC,SAAS,EAAE,CAAC,CAAC;IACd,CAAC,UAAU,EAAE,CAAC,CAAC;IACf,CAAC,YAAY,EAAE,EAAE,CAAC;IAClB,CAAC,WAAW,EAAE,CAAC,CAAC;IAChB,CAAC,aAAa,EAAE,EAAE,CAAC;IACnB,CAAC,YAAY,EAAE,EAAE,CAAC;IAClB,CAAC,WAAW,EAAE,EAAE,CAAC;IACjB,CAAC,WAAW,EAAE,EAAE,CAAC;IACjB,CAAC,aAAa,EAAE,EAAE,CAAC;IACnB,CAAC,YAAY,EAAE,EAAE,CAAC;IAClB,CAAC,cAAc,EAAE,EAAE,CAAC;IACpB,CAAC,aAAa,EAAE,EAAE,CAAC;IACnB,CAAC,WAAW,EAAE,CAAC,CAAC;IAChB,CAAC,WAAW,EAAE,CAAC,CAAC;CACR,EAAE,CAAC;IACX,kBAAkB,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AACxD,CAAC;AAED,KAAK,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI;IAC9B,CAAC,IAAI,EAAE,EAAE,CAAC;IACV,CAAC,aAAa,EAAE,EAAE,CAAC;IACnB,CAAC,OAAO,EAAE,EAAE,CAAC;IACb,CAAC,YAAY,EAAE,EAAE,CAAC;IAClB,CAAC,QAAQ,EAAE,CAAC,CAAC;IACb,CAAC,QAAQ,EAAE,EAAE,CAAC;IACd,CAAC,QAAQ,EAAE,CAAC,CAAC;CACL,EAAE,CAAC;IACX,kBAAkB,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAe;IACvC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACrD,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAe;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IACpC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,SAAS,CAAC;IAEnD,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAEtC,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAC1C,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC3C,IACE,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC;QACvB,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC;QACtB,IAAI,GAAG,CAAC;QACR,IAAI,GAAG,MAAM;QACb,GAAG,GAAG,CAAC;QACP,GAAG,GAAG,MAAM,EACZ,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO;QACL,IAAI,IAAI,CAAC;QACT,IAAI,GAAG,IAAI;QACX,GAAG,IAAI,CAAC;QACR,GAAG,GAAG,IAAI;KACX,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACd,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAC7C,MAAM,UAAU,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;IACjD,IAAI,UAAU;QAAE,OAAO,sBAAsB,CAAC,UAAU,CAAC,CAAC;IAE1D,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC;IAChC,IAAI,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,OAAO,CAAC,kBAAkB,CAAC,KAAK,CAAC,UAAU,EAAE,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;AAC/E,CAAC;AAED,SAAS,mBAAmB,CAAC,QAAgB;IAC3C,MAAM,KAAK,GAAG,IAAI,KAAK,CACrB,qBAAqB,QAAQ,6CAA6C,CAClD,CAAC;IAC3B,KAAK,CAAC,IAAI,GAAG,WAAW,CAAC;IACzB,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,WAAwB,SAAwB;IAEhD,OAAO,CAAC,CACN,QAAgB,EAChB,OAAoD,EACpD,QAA4B,EACtB,EAAE;QACR,QAAQ,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE;YACrE,IAAI,KAAK,EAAE,CAAC;gBACV,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACpB,OAAO;YACT,CAAC;YAED,MAAM,eAAe,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;YAC/E,MAAM,eAAe,GAAG,SAAS,CAAC,MAAM,CACtC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,CACtB,sBAAsB,CAAC,OAAO,CAAC;gBAC/B,CAAC,CAAC,eAAe,IAAI,eAAe,KAAK,MAAM,CAAC,CACnD,CAAC;YAEF,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACjC,QAAQ,CAAC,mBAAmB,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC5C,OAAO;YACT,CAAC;YAED,MAAM,QAAQ,GAAG,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC;YACrE,IAAI,QAAQ,EAAE,CAAC;gBACb,QAAQ,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;gBAChC,OAAO;YACT,CAAC;YAED,MAAM,QAAQ,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;YACpC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;IACL,CAAC,CAAmB,CAAC;AACvB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,GAAW;IAC9C,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5B,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,eAAe,CAAC,4BAA4B,EAAE;YACtD,IAAI,EAAE,sCAAsC;SAC7C,CAAC,CAAC;IACL,CAAC;IAED,MAAM,QAAQ,GAAG,gBAAgB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACnD,MAAM,kBAAkB,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACrE,MAAM,WAAW,GACf,kBAAkB,KAAK,WAAW,IAAI,kBAAkB,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;IAClF,IACE,WAAW;QACX,CAAC,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,kBAAkB,CAAC,CAAC,EAC/E,CAAC;QACD,MAAM,IAAI,eAAe,CAAC,kDAAkD,EAAE;YAC5E,IAAI,EAAE,0BAA0B;SACjC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,MAAM,UAAU,sBAAsB;IACpC,OAAO,IAAI,KAAK,CAAC;QACf,SAAS,EAAE,KAAK;QAChB,MAAM,EAAE,uBAAuB,EAAE;KAClC,CAAC,CAAC;AACL,CAAC"}

package/kastell-plugin/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "kastell",
-  "version": "2.2.5",
-  "description": "Autonomous server security and infrastructure management. Provides 17 MCP tools for cloud server provisioning, security auditing (457 checks), hardening, backup, and fleet management across Hetzner, DigitalOcean, Vultr, and Linode.",
+  "version": "2.3.0",
+  "description": "Autonomous server security and infrastructure management. Provides 17 MCP tools for cloud server provisioning, security auditing (470+ checks), hardening, backup, and fleet management across Hetzner, DigitalOcean, Vultr, and Linode.",
   "author": {
     "name": "kastelldev"
   },

package/kastell-plugin/README.md

@@ -105,6 +105,12 @@ and `/agent:kastell-auditor` to get prioritized remediation guidance from audit
 | Vultr | 25+ global locations | |
 | Linode (Akamai) | 11 global locations | |
 
+## Plugin SDK v2
+
+Kastell v2.3.0 introduces the Plugin SDK v2 audit command contract. Plugin manifests use `apiVersion: "2"`, and audit checks declare `checkCommand` as `{ kind, cmd }` instead of a plain string.
+
+See [Plugin SDK v2 Migration Guide](../docs/plugin-sdk-migration-v2.md).
+
 ## Links
 
 - Website: https://kastell.dev

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kastell",
-  "version": "2.2.6",
+  "version": "2.3.0",
   "description": "CLI toolkit for provisioning, securing, and managing self-hosted servers",
   "type": "module",
   "main": "dist/index.js",
@@ -83,14 +83,13 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "1.27.1",
     "@napi-rs/keyring": "1.2.0",
-    "axios": "1.15.2",
+    "axios": "1.16.0",
     "chalk": "5.6.2",
     "commander": "14.0.3",
     "grammy": "1.41.1",
     "inquirer": "12.11.1",
     "js-yaml": "4.1.1",
     "ora": "9.3.0",
-    "p-limit": "7.3.0",
     "semver": "7.7.2",
     "zod": "4.3.6"
   },
@@ -106,7 +105,7 @@
     "@types/inquirer": "^9.0.7",
     "@types/jest": "^30.0.0",
     "@types/js-yaml": "^4.0.9",
-    "@types/node": "^22.12.0",
+    "@types/node": "^25.9.2",
     "@types/semver": "7.7.0",
     "esbuild": "^0.28.0",
     "eslint": "^10.0.2",