quicklify 1.0.5 → 1.2.0

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2026 omrfc
+Copyright (c) 2026 Ömer Faruk CAN
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md

@@ -1,5 +1,7 @@
 # quicklify
 
+> Your self-hosted PaaS, fully managed. Deploy, secure, back up — one command at a time.
+
 > English | [Türkçe](README.tr.md)
 
 ![Tests](https://github.com/omrfc/quicklify/actions/workflows/ci.yml/badge.svg)
@@ -9,14 +11,11 @@
 ![License](https://img.shields.io/badge/license-MIT-blue)
 ![GitHub stars](https://img.shields.io/github/stars/omrfc/quicklify?style=flat-square)
 [![Socket Badge](https://socket.dev/api/badge/npm/package/quicklify)](https://socket.dev/npm/package/quicklify)
-
-**Self-hosting made simple.**
-
-Deploy, secure, back up, snapshot, and maintain your servers with confidence.
+[![Website](https://img.shields.io/website?url=https%3A%2F%2Fquicklify.omrfc.dev&label=website)](https://quicklify.omrfc.dev)
 
 ## Why Quicklify Exists
 
-Most self-hosted Coolify servers break because:
+Most self-hosted servers break because:
 
 - No backup discipline
 - No update strategy
@@ -24,19 +23,42 @@ Most self-hosted Coolify servers break because:
 - No monitoring
 - No snapshot routine
 
-Stop babysitting your Coolify server. Quicklify was built to fix that.
+Stop babysitting your servers. Quicklify was built to fix that.
 
 ## Quick Start
 
 ```bash
-# 1. Get your API token from Hetzner, DigitalOcean, Vultr, or Linode
-# 2. Run the installer
-npx quicklify init
+# Interactive mode — no commands to memorize
+npx quicklify
+```
+
+Running `quicklify` without any arguments launches an **interactive menu** where you can browse all available actions by category, pick what you need with arrow keys, and configure options step by step — no need to remember any command names or flags.
+
+```
+? What would you like to do?
+  Server Management
+❯   Deploy a new server
+    Add an existing server
+    List all servers
+    Check server status
+    ...
+  Security
+    Harden SSH & fail2ban
+    Manage firewall (UFW)
+    ...
+```
 
-# 3. Access Coolify at http://<your-ip>:8000
+Each action includes sub-options (server mode, template, log source, port number, etc.) and a **← Back** option to return to the main menu at any point.
+
+If you already know the commands, you can still use them directly:
+
+```bash
+quicklify init                    # Deploy a new server
+quicklify status my-server        # Check server status
+quicklify backup --all            # Backup all servers
 ```
 
-That's it. Quicklify handles server provisioning, SSH key setup, firewall configuration, and Coolify installation automatically.
+Quicklify handles server provisioning, SSH key setup, firewall configuration, and platform installation automatically.
 
 ## What Makes Quicklify Different?
 
@@ -47,27 +69,30 @@ That's it. Quicklify handles server provisioning, SSH key setup, firewall config
 | Security is an afterthought? | Firewall, SSH hardening, SSL, and security audits built-in |
 | Backups? Maybe someday... | One-command backup & restore with manifest tracking |
 | Managing multiple servers? | `--all` flag across backup, maintain, status, and health |
-| Existing server not tracked? | `quicklify add` brings any Coolify server under management |
+| Existing server not tracked? | `quicklify add` brings any server under management |
+| Don't want to memorize commands? | Just run `quicklify` — interactive menu guides you |
 
 ## What Can You Do?
 
 ### Deploy
 ```bash
-quicklify init                          # Interactive setup
+quicklify                               # Interactive menu (recommended)
+quicklify init                          # Interactive setup (direct)
 quicklify init --provider hetzner       # Non-interactive
 quicklify init --config quicklify.yml   # From YAML config
 quicklify init --template production    # Use a template
+quicklify init --mode bare              # Generic VPS (no Coolify)
 ```
 
 ### Manage
 ```bash
 quicklify list                  # List all servers
-quicklify status my-server      # Check server & Coolify status
+quicklify status my-server      # Check server status
 quicklify status --all          # Check all servers
 quicklify ssh my-server         # SSH into server
 quicklify restart my-server     # Restart server
 quicklify destroy my-server     # Destroy cloud server entirely
-quicklify add                   # Add existing Coolify server
+quicklify add                   # Add existing server
 quicklify remove my-server      # Remove from local config
 quicklify config set key value  # Manage default configuration
 quicklify export                # Export server list to JSON
@@ -76,7 +101,7 @@ quicklify import servers.json   # Import servers from JSON
 
 ### Update & Maintain
 ```bash
-quicklify update my-server      # Update Coolify
+quicklify update my-server      # Update Coolify (Coolify servers)
 quicklify maintain my-server    # Full maintenance (snapshot + update + health + reboot)
 quicklify maintain --all        # Maintain all servers
 ```
@@ -101,14 +126,14 @@ quicklify snapshot delete my-server   # Delete a snapshot
 quicklify firewall status my-server   # Check firewall
 quicklify firewall setup my-server    # Configure UFW
 quicklify secure audit my-server      # Security audit
-quicklify secure harden my-server     # SSH hardening + fail2ban
+quicklify secure setup my-server      # SSH hardening + fail2ban
 quicklify domain add my-server --domain example.com  # Set domain + SSL
 ```
 
 ### Monitor & Debug
 ```bash
 quicklify monitor my-server             # CPU, RAM, disk usage
-quicklify logs my-server                 # View Coolify logs
+quicklify logs my-server                 # View server logs
 quicklify logs my-server -f              # Follow logs
 quicklify health                         # Health check all servers
 quicklify doctor                         # Check local environment
@@ -157,16 +182,18 @@ quicklify init --template production --provider hetzner
 
 ## Security
 
-Quicklify is built with security as a priority — **1,300+ tests** across 55 suites, including dedicated security test suites.
+Quicklify is built with security as a priority — **2,047 tests** across 76 suites, including dedicated security test suites.
 
 - API tokens are never stored on disk — prompted at runtime or via environment variables
 - SSH keys are auto-generated if needed (Ed25519)
-- All SSH connections use `StrictHostKeyChecking=accept-new` with IP validation and environment filtering
-- Shell injection protection on all user-facing inputs
+- All SSH connections use `StrictHostKeyChecking=accept-new` with IP validation (octet range) and environment filtering
+- Shell injection protection on all user-facing inputs (`spawn`/`spawnSync`, no `execSync`)
 - Provider error messages are sanitized to prevent token leakage
+- stderr sanitization redacts IPs, home paths, tokens, and secrets from error output
 - Config file token detection (22+ key patterns, case-insensitive, nested)
-- Import/export operations strip sensitive fields and enforce strict file permissions
+- Import/export operations strip sensitive fields and enforce strict file permissions (`0o600`)
 - `--full-setup` enables UFW firewall and SSH hardening automatically
+- MCP: SAFE_MODE (default: on) blocks all destructive operations, Zod schema validation on all inputs, path traversal protection on backup restore
 
 ## Installation
 
@@ -196,17 +223,51 @@ Use `quicklify status my-server --autostart` to check and auto-restart if needed
 
 See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, testing, and contribution guidelines.
 
+## MCP Server (AI Integration)
+
+Quicklify includes a built-in [Model Context Protocol](https://modelcontextprotocol.io/) server for AI-powered server management. Works with Claude Code, Cursor, Windsurf, and other MCP-compatible clients.
+
+```json
+{
+  "mcpServers": {
+    "quicklify": {
+      "command": "npx",
+      "args": ["-y", "-p", "quicklify", "quicklify-mcp"],
+      "env": {
+        "HETZNER_TOKEN": "your-token",
+        "DIGITALOCEAN_TOKEN": "your-token",
+        "VULTR_TOKEN": "your-token",
+        "LINODE_TOKEN": "your-token"
+      }
+    }
+  }
+}
+```
+
+Available tools:
+
+| Tool | Actions | Description |
+|------|---------|-------------|
+| `server_info` | list, status, health | Query server information, check cloud provider & Coolify status |
+| `server_logs` | logs, monitor | Fetch Coolify/Docker logs and system metrics via SSH |
+| `server_manage` | add, remove, destroy | Register, unregister, or destroy cloud servers |
+| `server_maintain` | update, restart, maintain | Update Coolify, restart servers, run full maintenance |
+| `server_secure` | secure, firewall, domain | SSH hardening, firewall rules, domain/SSL management (10 subcommands) |
+| `server_backup` | backup, snapshot | Backup/restore databases and create/manage VPS snapshots |
+| `server_provision` | create | Provision new servers on cloud providers |
+
+> All destructive operations (destroy, restore, snapshot-delete, provision, restart, maintain, snapshot-create) require `SAFE_MODE=false` to execute.
+
 ## What's Next
 
 - Scheduled maintenance (cron-based automatic upkeep)
-- Generic server management (non-Coolify servers)
-- Interactive TUI dashboard
+- Dokploy platform support (`--platform dokploy`)
 
 ## Philosophy
 
 > Infrastructure should be boring, predictable, and safe.
 
-Quicklify is not a script. It's your DevOps safety layer for Coolify.
+Quicklify is not a script. It's your DevOps safety layer for self-hosted infrastructure.
 
 ## License
 

package/README.tr.md

@@ -1,5 +1,7 @@
 # quicklify
 
+> Self-hosted PaaS'ınız, tamamen yönetilen. Deploy, güvenlik, yedekleme — tek komutla.
+
 > [English](README.md) | Türkçe
 
 ![Tests](https://github.com/omrfc/quicklify/actions/workflows/ci.yml/badge.svg)
@@ -9,14 +11,11 @@
 ![License](https://img.shields.io/badge/license-MIT-blue)
 ![GitHub stars](https://img.shields.io/github/stars/omrfc/quicklify?style=flat-square)
 [![Socket Badge](https://socket.dev/api/badge/npm/package/quicklify)](https://socket.dev/npm/package/quicklify)
-
-**Self-hosting basitleştirildi.**
-
-Sunucularınızı deploy edin, güvence altına alın, yedekleyin, snapshot alın ve bakımını yapın — güvenle.
+[![Website](https://img.shields.io/website?url=https%3A%2F%2Fquicklify.omrfc.dev&label=website)](https://quicklify.omrfc.dev)
 
 ## Quicklify Neden Var?
 
-Self-hosted Coolify sunucularının çoğu şu nedenlerle çöker:
+Self-hosted sunucuların çoğu şu nedenlerle çöker:
 
 - Yedekleme disiplini yok
 - Güncelleme stratejisi yok
@@ -24,19 +23,42 @@ Self-hosted Coolify sunucularının çoğu şu nedenlerle çöker:
 - İzleme yok
 - Snapshot rutini yok
 
-Coolify sunucunuza çocuk bakıcılığı yapmayı bırakın. Quicklify bunu çözmek için yapıldı.
+Sunucularınıza çocuk bakıcılığı yapmayı bırakın. Quicklify bunu çözmek için yapıldı.
 
 ## Hızlı Başlangıç
 
 ```bash
-# 1. Hetzner, DigitalOcean, Vultr veya Linode'dan API token'ınızı alın
-# 2. Kurulumu başlatın
-npx quicklify init
+# İnteraktif mod — komut ezberlemeye gerek yok
+npx quicklify
+```
+
+`quicklify` komutunu argümansız çalıştırdığınızda **interaktif bir menü** açılır. Tüm işlemleri kategorilere göre görebilir, ok tuşlarıyla seçim yapabilir ve alt seçenekleri adım adım yapılandırabilirsiniz — komut adı veya flag ezberlemek zorunda değilsiniz.
+
+```
+? What would you like to do?
+  Server Management
+❯   Deploy a new server
+    Add an existing server
+    List all servers
+    Check server status
+    ...
+  Security
+    Harden SSH & fail2ban
+    Manage firewall (UFW)
+    ...
+```
 
-# 3. Coolify'a http://<sunucu-ip>:8000 adresinden erişin
+Her işlem alt seçenekler (sunucu modu, şablon, log kaynağı, port numarası vb.) içerir ve istediğiniz noktada ana menüye dönmek için **← Back** seçeneği sunar.
+
+Komutları zaten biliyorsanız, doğrudan da kullanabilirsiniz:
+
+```bash
+quicklify init                    # Yeni sunucu kur
+quicklify status sunucum          # Sunucu durumunu kontrol et
+quicklify backup --all            # Tüm sunucuları yedekle
 ```
 
-Hepsi bu kadar. Quicklify sunucu oluşturma, SSH anahtar kurulumu, güvenlik duvarı yapılandırması ve Coolify kurulumunu otomatik yapar.
+Quicklify sunucu oluşturma, SSH anahtar kurulumu, güvenlik duvarı yapılandırması ve platform kurulumunu otomatik yapar.
 
 ## Quicklify'ı Farklı Kılan Ne?
 
@@ -47,27 +69,30 @@ Hepsi bu kadar. Quicklify sunucu oluşturma, SSH anahtar kurulumu, güvenlik duv
 | Güvenlik sonradan mı düşünülüyor? | Güvenlik duvarı, SSH sıkılaştırma, SSL ve güvenlik denetimi hazır |
 | Yedekleme? Belki bir gün... | Tek komutla yedekleme ve geri yükleme, manifest takibiyle |
 | Birden fazla sunucu mu yönetiyorsunuz? | Yedekleme, bakım, durum ve sağlıkta `--all` desteği |
-| Mevcut sunucu takip dışı mı? | `quicklify add` ile her Coolify sunucusunu yönetime alın |
+| Mevcut sunucu takip dışı mı? | `quicklify add` ile her sunucuyu yönetime alın |
+| Komutları ezberlemek mi? | `quicklify` yazın — interaktif menü sizi yönlendirir |
 
 ## Neler Yapabilirsiniz?
 
 ### Kurulum
 ```bash
-quicklify init                          # İnteraktif kurulum
+quicklify                               # İnteraktif menü (önerilen)
+quicklify init                          # İnteraktif kurulum (doğrudan)
 quicklify init --provider hetzner       # Otomatik kurulum
 quicklify init --config quicklify.yml   # YAML ile kurulum
 quicklify init --template production    # Şablon kullanarak
+quicklify init --mode bare              # Genel VPS (Coolify olmadan)
 ```
 
 ### Yönetim
 ```bash
 quicklify list                  # Sunucuları listele
-quicklify status sunucum        # Sunucu ve Coolify durumu
+quicklify status sunucum        # Sunucu durumu
 quicklify status --all          # Tüm sunucuları kontrol et
 quicklify ssh sunucum           # Sunucuya SSH bağlantısı
 quicklify restart sunucum       # Sunucuyu yeniden başlat
 quicklify destroy sunucum       # Bulut sunucusunu tamamen sil
-quicklify add                   # Mevcut Coolify sunucusu ekle
+quicklify add                   # Mevcut sunucu ekle
 quicklify remove sunucum        # Yerel yapılandırmadan kaldır
 quicklify config set key value  # Varsayılan yapılandırma yönet
 quicklify export                # Sunucu listesini JSON'a aktar
@@ -76,7 +101,7 @@ quicklify import servers.json   # JSON'dan sunucuları içe aktar
 
 ### Güncelleme ve Bakım
 ```bash
-quicklify update sunucum        # Coolify'ı güncelle
+quicklify update sunucum        # Coolify güncelle (Coolify sunucuları)
 quicklify maintain sunucum      # Tam bakım (snapshot + güncelleme + sağlık + yeniden başlatma)
 quicklify maintain --all        # Tüm sunucuları bakıma al
 ```
@@ -101,14 +126,14 @@ quicklify snapshot delete sunucum   # Snapshot sil
 quicklify firewall status sunucum   # Güvenlik duvarı durumu
 quicklify firewall setup sunucum    # UFW yapılandırması
 quicklify secure audit sunucum      # Güvenlik denetimi
-quicklify secure harden sunucum     # SSH sıkılaştırma + fail2ban
+quicklify secure setup sunucum      # SSH sıkılaştırma + fail2ban
 quicklify domain add sunucum --domain ornek.com  # Domain + SSL ayarla
 ```
 
 ### İzleme ve Hata Ayıklama
 ```bash
 quicklify monitor sunucum             # CPU, RAM, disk kullanımı
-quicklify logs sunucum                 # Coolify logları
+quicklify logs sunucum                 # Sunucu logları
 quicklify logs sunucum -f              # Logları canlı takip et
 quicklify health                       # Tüm sunucuların sağlık kontrolü
 quicklify doctor                       # Yerel ortam kontrolü
@@ -157,16 +182,18 @@ quicklify init --template production --provider hetzner
 
 ## Güvenlik
 
-Quicklify güvenlik öncelikli olarak geliştirilmektedir — 55 test suite'inde **1.300+ test**, özel güvenlik test suite'leri dahil.
+Quicklify güvenlik öncelikli olarak geliştirilmektedir — 76 test suite'inde **2.047 test**, özel güvenlik test suite'leri dahil.
 
 - API token'ları asla diske kaydedilmez — çalışma zamanında sorulur veya ortam değişkenlerinden alınır
 - SSH anahtarları gerekirse otomatik oluşturulur (Ed25519)
-- Tüm SSH bağlantıları `StrictHostKeyChecking=accept-new` ile IP doğrulama ve ortam filtreleme kullanır
-- Tüm kullanıcı girdilerinde shell injection koruması
+- Tüm SSH bağlantıları `StrictHostKeyChecking=accept-new` ile IP doğrulama (oktet aralığı) ve ortam filtreleme kullanır
+- Tüm kullanıcı girdilerinde shell injection koruması (`spawn`/`spawnSync`, `execSync` yok)
 - Provider hata mesajları token sızıntısını önlemek için temizlenir
+- stderr temizleme — hata çıktısından IP'ler, home dizinleri, token'lar ve gizli veriler otomatik redakte edilir
 - Yapılandırma dosyasında token tespiti (22+ anahtar pattern, büyük/küçük harf duyarsız, iç içe yapılar)
-- İçe/dışa aktarma işlemleri hassas alanları temizler ve dosya izinlerini sıkılaştırır
+- İçe/dışa aktarma işlemleri hassas alanları temizler ve dosya izinlerini sıkılaştırır (`0o600`)
 - `--full-setup` güvenlik duvarı ve SSH sıkılaştırmasını otomatik etkinleştirir
+- MCP: SAFE_MODE (varsayılan: açık) tüm yıkıcı işlemleri engeller, tüm girdilerde Zod şema doğrulaması, yedek geri yüklemede path traversal koruması
 
 ## Kurulum
 
@@ -196,17 +223,51 @@ Durumu kontrol edip gerekirse otomatik yeniden başlatmak için `quicklify statu
 
 Geliştirme ortamı kurulumu, test ve katkı rehberi için [CONTRIBUTING.md](CONTRIBUTING.md) dosyasına bakın.
 
+## MCP Sunucusu (Yapay Zeka Entegrasyonu)
+
+Quicklify, yapay zeka destekli sunucu yönetimi için yerleşik bir [Model Context Protocol](https://modelcontextprotocol.io/) sunucusu içerir. Claude Code, Cursor, Windsurf ve diğer MCP uyumlu istemcilerle çalışır.
+
+```json
+{
+  "mcpServers": {
+    "quicklify": {
+      "command": "npx",
+      "args": ["-y", "-p", "quicklify", "quicklify-mcp"],
+      "env": {
+        "HETZNER_TOKEN": "token-buraya",
+        "DIGITALOCEAN_TOKEN": "token-buraya",
+        "VULTR_TOKEN": "token-buraya",
+        "LINODE_TOKEN": "token-buraya"
+      }
+    }
+  }
+}
+```
+
+Mevcut araçlar:
+
+| Araç | Eylemler | Açıklama |
+|------|----------|----------|
+| `server_info` | list, status, health | Sunucu bilgilerini sorgula, bulut sağlayıcı ve Coolify durumunu kontrol et |
+| `server_logs` | logs, monitor | SSH ile Coolify/Docker loglarını ve sistem metriklerini getir |
+| `server_manage` | add, remove, destroy | Sunucuları kaydet, kaldır veya bulut sunucusunu sil |
+| `server_maintain` | update, restart, maintain | Coolify güncelle, sunucuları yeniden başlat, tam bakım yap |
+| `server_secure` | secure, firewall, domain | SSH sıkılaştırma, güvenlik duvarı kuralları, domain/SSL yönetimi (10 alt komut) |
+| `server_backup` | backup, snapshot | Veritabanı yedekle/geri yükle ve VPS snapshot oluştur/yönet |
+| `server_provision` | create | Bulut sağlayıcılarda yeni sunucu oluştur |
+
+> Tüm yıkıcı işlemler (destroy, restore, snapshot-delete, provision, restart, maintain, snapshot-create) çalıştırılmak için `SAFE_MODE=false` gerektirir.
+
 ## Gelecek Planlar
 
 - Zamanlanmış bakım (cron tabanlı otomatik bakım)
-- Genel sunucu yönetimi (Coolify olmayan sunucular)
-- İnteraktif TUI arayüzü
+- Dokploy platform desteği (`--platform dokploy`)
 
 ## Felsefe
 
 > Altyapı sıkıcı, öngörülebilir ve güvenli olmalıdır.
 
-Quicklify bir script değildir. Coolify için DevOps güvenlik katmanınızdır.
+Quicklify bir script değildir. Self-hosted altyapınız için DevOps güvenlik katmanınızdır.
 
 ## Lisans
 

package/SECURITY.md

@@ -4,8 +4,8 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 0.4.x   | :white_check_mark: |
-| < 0.4   | :x:                |
+| 1.x     | :white_check_mark: |
+| < 1.0   | :x:                |
 
 ## Reporting a Vulnerability
 
@@ -21,32 +21,94 @@ If you discover a security vulnerability in Quicklify:
 
 Response time: Within 48 hours
 
-## Security Measures
+## Security Architecture
 
-- All dependencies scanned with Socket.dev
-- No credentials stored in code
-- API tokens can be provided via environment variables (`HETZNER_TOKEN`, `DIGITALOCEAN_TOKEN`) to avoid shell history exposure
+### Token Handling (A2 — Sensitive Data Exposure)
+- API tokens are **never stored on disk** — runtime prompt or environment variables only
+- Supported env vars: `HETZNER_TOKEN`, `DIGITALOCEAN_TOKEN`, `VULTR_TOKEN`, `LINODE_TOKEN`
 - API tokens collected via interactive secure prompts (masked input) when env vars are not set
-- Config directory created with restrictive permissions (`0o700`)
+- `sanitizedEnv()` strips all keys containing TOKEN, SECRET, PASSWORD, CREDENTIAL from child process environments before every `spawn`/`spawnSync`/`exec` call
+- Provider errors sanitized via `stripSensitiveData()` — removes Authorization headers from axios errors before they reach error messages
+
+### Input Validation (A1 — Injection)
+- All shell execution uses `spawn`/`spawnSync` with array arguments (never string interpolation into shell commands)
+- `assertValidIp()` — IPv4 format and octet range (0-255) validation applied before every SSH/SCP connection and before ssh-keygen calls (defense-in-depth)
+- `assertSafePath()` — rejects remote SCP paths containing shell metacharacters (`;`, `|`, `&`, `$`, `` ` ``, `(`, `)`, `<`, `>`, newlines, spaces)
+- Server name validation: 3-63 chars, lowercase alphanumeric + hyphens, must start with letter
+- `buildHardeningCommand()` — SSH port option validated as integer in range 1-65535 before interpolation into sed command
+- YAML config: 22+ security key patterns detected and warned
+- MCP tools: Zod schema validation on all inputs (port ranges, provider enums, backup ID regex)
+
+### SSH & Network Security
+- `StrictHostKeyChecking=accept-new` for initial connections (first connect accepts key, subsequent connections verify)
+- `BatchMode=yes` on non-interactive SSH (prevents stdin hijacking — critical for MCP mode)
+- `ConnectTimeout=10` and 30s exec timeout prevent hanging connections
+- Stale host key auto-removal with IP re-validation before `ssh-keygen -R` calls
+- SSRF defense: `assertValidIp()` on all Coolify health check targets
+
+### File System Security (A5 — Security Misconfiguration)
+- Config directory (`~/.quicklify/`) created with `0o700` permissions (owner only)
 - Server config file written with `0o600` permissions (owner read/write only)
+- Backup directories created with `0o700` permissions
+- Backup manifest files written with `0o600` permissions
+- Export files written with `0o600` permissions
 - Cloud-init install log restricted to `chmod 600` (root only)
-- Server name validation: 3-63 chars, lowercase alphanumeric + hyphens, must start with letter
-- Input validation on all user inputs
-- Automated security checks via GitHub Actions
 
-## HTTP Usage
+### Error Handling & Data Exposure
+- `getErrorMessage()` returns only `error.message` — never exposes stack traces to users
+- `sanitizeStderr()` redacts home directory paths, IP addresses, `password=`, `token=`, `secret=` patterns from SSH stderr output (200 char limit)
+- MCP error responses use `getErrorMessage()` — no stack trace disclosure
 
-Quicklify accesses Coolify at `http://IP:8000` during initial setup. This is expected because SSL/TLS is not configured on a fresh Coolify installation. Users are warned to set up a domain and enable SSL for production use.
+### Path Traversal Protection (A5)
+- Backup restore: `backupId` regex validation + `path.resolve()` guard ensures backup path stays within the server's backup directory
+- Remote SCP paths validated by `assertSafePath()` before use
+
+### Access Control (A3 — Broken Access Control)
+- **SAFE_MODE** (`QUICKLIFY_SAFE_MODE=true`, default enabled for MCP) blocks destructive operations: `destroy`, `restore`, `snapshot-delete`, `provision`, `restart`, `maintain`, `snapshot-create`
+- Mode guard (`requireCoolifyMode()`) prevents Coolify-specific operations on bare servers
 
-## Third-party Dependencies
+### Import/Export Security
+- Sensitive field stripping on import
+- Strict file permissions on export
+- Format validation with field-level checking
+- Duplicate detection by server ID
 
-Quicklify uses audited dependencies:
+## OWASP Top 10 Compliance Summary
+
+| Category | Status | Implementation |
+|----------|--------|----------------|
+| A1 - Injection | Mitigated | `spawn` array args, `assertValidIp`, `assertSafePath`, port integer validation |
+| A2 - Sensitive Data Exposure | Mitigated | `sanitizedEnv()` on all child processes, `stripSensitiveData()` on provider errors, tokens never on disk |
+| A3 - Broken Access Control | Mitigated | SAFE_MODE blocks destructive ops, mode guard on Coolify-only ops |
+| A4 - Insecure Design | N/A | CLI tool, minimal attack surface |
+| A5 - Security Misconfiguration | Mitigated | Restrictive file permissions (0o600/0o700), timeout limits, buffer caps |
+| A6 - Vulnerable Components | See below | Production: 0 vulnerabilities |
+| A7 - XSS | N/A | CLI tool, no web UI |
+| A8 - Insecure Deserialization | Mitigated | JSON.parse wrapped in try/catch with safe defaults |
+| A9 - Logging & Monitoring | Partial | `sanitizeStderr()` prevents sensitive data in logs |
+| A10 - SSRF | Mitigated | `assertValidIp()` on all outbound SSH/HTTP targets |
+
+## Dependency Security
+
+### Production Dependencies (0 known vulnerabilities)
+```
+npm audit --omit=dev → found 0 vulnerabilities
+```
+
+All production dependencies use audited, versioned packages:
 - Hetzner Cloud API v1 (via Axios, HTTPS)
 - DigitalOcean API v2 (via Axios, HTTPS)
+- Vultr API v2 (via Axios, HTTPS)
+- Linode API v4 (via Axios, HTTPS)
+- Model Context Protocol SDK (`@modelcontextprotocol/sdk`) for MCP server
+- Zod for runtime input validation
 - Coolify installed via `curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash` (official method, HTTPS)
-- All dependencies regularly updated
-- Socket.dev security monitoring enabled
 
-**Note:** The `curl | bash` installation method is the official Coolify installation procedure. The script is fetched over HTTPS from Coolify's CDN.
+### Dev Dependencies
+One moderate-severity ReDoS vulnerability remains in `test-exclude` → `glob` → `minimatch@10.0.0-10.2.2` (jest code coverage toolchain). This is a dev-only dependency not present in production builds. Remediation is blocked by the dependency chain — `npm audit fix --force` would cause lock file breakage per project policy. Risk accepted as dev-only, not exploitable in production.
 
 Security scan: https://socket.dev/npm/package/quicklify
+
+## HTTP Usage
+
+Quicklify accesses Coolify at `http://IP:8000` during initial setup. This is expected because SSL/TLS is not configured on a fresh Coolify installation. Users are warned to set up a domain and enable SSL for production use.

package/bin/quicklify-mcp

@@ -0,0 +1,5 @@
+#!/usr/bin/env node
+import('../dist/mcp/index.js').catch((err) => {
+  process.stderr.write(`quicklify-mcp: ${err}\n`);
+  process.exit(1);
+});

package/dist/commands/add.d.ts

@@ -3,6 +3,7 @@ interface AddOptions {
     ip?: string;
     name?: string;
     skipVerify?: boolean;
+    mode?: string;
 }
 export declare function addCommand(options?: AddOptions): Promise<void>;
 export {};

package/dist/commands/add.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"add.d.ts","sourceRoot":"","sources":["../../src/commands/add.ts"],"names":[],"mappings":"AAUA,UAAU,UAAU;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,wBAAsB,UAAU,CAAC,OAAO,GAAE,UAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAyJxE"}
+{"version":3,"file":"add.d.ts","sourceRoot":"","sources":["../../src/commands/add.ts"],"names":[],"mappings":"AAQA,UAAU,UAAU;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,wBAAsB,UAAU,CAAC,OAAO,GAAE,UAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CA6HxE"}