rackmind-cli 0.2.0 → 0.2.1

package/dist/utils/command-safety.js

@@ -3,20 +3,172 @@
 // ---------------------------------------------------------------------------
 // Shared between `exec` command and AI tool executor to prevent accidental
 // or AI-initiated destructive operations without explicit user consent.
+//
+// The blocklist is intentionally regex-based (not literal-string-match) so
+// that flag reordering (`pct destroy --purge 100` vs `pct destroy 100 --purge`)
+// cannot trivially bypass the gate. Patterns are evaluated in order; the
+// first match wins, so more-specific patterns are listed first when label
+// specificity matters.
 // ---------------------------------------------------------------------------
 /** Patterns that match potentially destructive shell commands */
 export const DANGEROUS_PATTERNS = [
+    // -----------------------------------------------------------------------
+    // Filesystem destruction
+    // -----------------------------------------------------------------------
+    // `rm -rf /` and "rm root" variants — match `rm` with at least one
+    // recursive/force flag AND a path that targets the system root.
+    // Listed BEFORE the generic rm pattern so this more-specific label wins.
     {
-        pattern: /\brm\s+(-[a-zA-Z]*f|-[a-zA-Z]*r|--force|--recursive)/i,
+        pattern: /\brm\s+(?:-[a-zA-Z]*[rfR][a-zA-Z]*|--recursive|--force|--no-preserve-root)(?:\s+(?:-[a-zA-Z-]+|--[a-zA-Z-]+))*\s+\/(?:\s|$|\*|;|&|\||>)/i,
+        label: 'rm -rf / (root filesystem destruction)',
+    },
+    // Generic rm -rf / rm -r / rm -f / rm --force / rm --recursive
+    {
+        pattern: /\brm\s+(?:-[a-zA-Z]*(?:f|r|R)[a-zA-Z]*|--force|--recursive)\b/i,
         label: 'rm with force/recursive',
     },
-    { pattern: /\bmkfs\b/i, label: 'mkfs (format filesystem)' },
+    // find … -delete or find … -exec rm — recursive deletion via find
+    {
+        pattern: /\bfind\b[^|;&]*\s(?:-delete\b|-exec\s+rm\b)/i,
+        label: 'find with -delete or -exec rm (mass deletion)',
+    },
+    // chmod 000 -R / chmod -R 000 / chmod 0 recursive — permission wipe
+    {
+        pattern: /\bchmod\b[^|;&]*\s(?:-R\b|--recursive\b)[^|;&]*\s0{1,4}\b/i,
+        label: 'chmod recursive 000 (permission wipe)',
+    },
+    {
+        pattern: /\bchmod\b[^|;&]*\s0{2,4}\s+(?:-R\b|--recursive\b)/i,
+        label: 'chmod recursive 000 (permission wipe)',
+    },
+    // chown -R … / — recursive ownership change starting at /
+    {
+        pattern: /\bchown\b[^|;&]*\s(?:-R\b|--recursive\b)[^|;&]*\s\/(?:\s|$)/i,
+        label: 'chown -R targeting / (recursive ownership change)',
+    },
+    // -----------------------------------------------------------------------
+    // Disk / partition / filesystem operations
+    // -----------------------------------------------------------------------
+    { pattern: /\bmkfs(?:\.[a-z0-9]+)?\b/i, label: 'mkfs (format filesystem)' },
     { pattern: /\bdd\s+.*of=/i, label: 'dd (raw disk write)' },
     { pattern: /\bfdisk\b/i, label: 'fdisk (partition table)' },
-    { pattern: /:\(\)\s*\{/, label: 'fork bomb' },
-    { pattern: /\b(shutdown|reboot|poweroff|halt)\b/i, label: 'shutdown/reboot/poweroff' },
-    { pattern: /\bsystemctl\s+(stop|disable|mask)\b/i, label: 'systemctl stop/disable/mask' },
+    { pattern: /\bsgdisk\b/i, label: 'sgdisk (partition table)' },
+    { pattern: /\bparted\b/i, label: 'parted (partition table)' },
+    { pattern: /\bwipefs\b/i, label: 'wipefs (wipe filesystem signature)' },
+    { pattern: /\b(?:lvremove|vgremove|pvremove)\b/i, label: 'LVM remove (storage destruction)' },
+    { pattern: /\bzpool\s+destroy\b/i, label: 'zpool destroy (ZFS pool destruction)' },
+    { pattern: /\bzfs\s+destroy\b/i, label: 'zfs destroy (ZFS dataset destruction)' },
+    { pattern: /\bmdadm\s+(?:--stop|--remove|--zero-superblock)\b/i, label: 'mdadm stop/remove' },
+    // -----------------------------------------------------------------------
+    // Container / VM destruction (Proxmox + Docker + libvirt)
+    // -----------------------------------------------------------------------
+    { pattern: /\bpct\s+(?:destroy|delete)\b/i, label: 'pct destroy/delete (LXC destruction)' },
+    { pattern: /\bqm\s+(?:destroy|delete)\b/i, label: 'qm destroy/delete (QEMU VM destruction)' },
+    { pattern: /\bvirsh\s+(?:destroy|undefine)\b/i, label: 'virsh destroy/undefine' },
+    { pattern: /\bdocker\s+(?:system\s+)?prune\b[^|;&]*-[a-z]*a/i, label: 'docker prune -a' },
+    { pattern: /\bdocker\s+rm\s+-f\b/i, label: 'docker rm -f' },
+    { pattern: /\bdocker\s+rmi\s+-f\b/i, label: 'docker rmi -f' },
+    // -----------------------------------------------------------------------
+    // Network blackholing
+    // -----------------------------------------------------------------------
+    {
+        pattern: /\biptables\s+(?:-F|--flush|-X|--delete-chain|-Z|--zero)\b/i,
+        label: 'iptables flush/delete chain (network blackhole)',
+    },
+    {
+        pattern: /\bip6tables\s+(?:-F|--flush|-X|--delete-chain|-Z|--zero)\b/i,
+        label: 'ip6tables flush/delete chain',
+    },
+    { pattern: /\bnft\s+flush\b/i, label: 'nft flush (nftables ruleset wipe)' },
+    {
+        pattern: /\bip\s+link\s+set\s+\S+\s+down\b/i,
+        label: 'ip link set <iface> down (network interface shutdown)',
+    },
+    {
+        pattern: /\bifconfig\s+\S+\s+down\b/i,
+        label: 'ifconfig <iface> down (network interface shutdown)',
+    },
+    { pattern: /\bip\s+route\s+(?:flush|del)\b/i, label: 'ip route flush/del (routing wipe)' },
+    // -----------------------------------------------------------------------
+    // User / authentication destruction
+    // -----------------------------------------------------------------------
+    { pattern: /\buserdel\b/i, label: 'userdel (delete user account)' },
+    { pattern: /\bgroupdel\b/i, label: 'groupdel (delete group)' },
+    { pattern: /\bdeluser\b/i, label: 'deluser (delete user account)' },
+    { pattern: /\bdelgroup\b/i, label: 'delgroup (delete group)' },
+    {
+        pattern: /\bpasswd\s+(?:-l|--lock|-d|--delete)\b/i,
+        label: 'passwd lock/delete (lock or wipe password)',
+    },
+    {
+        pattern: /\bchage\s+(?:-E\s+0|-E0)\b/i,
+        label: 'chage -E 0 (expire account immediately)',
+    },
+    { pattern: /\busermod\s+(?:-L|--lock)\b/i, label: 'usermod --lock (lock account)' },
+    {
+        pattern: />\s*\/etc\/(?:passwd|shadow|sudoers|group|gshadow)\b/i,
+        label: 'write to /etc/passwd|shadow|sudoers (auth file overwrite)',
+    },
+    {
+        pattern: /\brm\b[^|;&]*\/etc\/(?:passwd|shadow|sudoers|group|gshadow)\b/i,
+        label: 'rm /etc/passwd|shadow|sudoers (auth file deletion)',
+    },
+    // -----------------------------------------------------------------------
+    // Process disruption — kill init / PID 1
+    // -----------------------------------------------------------------------
+    { pattern: /\bkill\s+(?:-[a-zA-Z0-9]+\s+)?-?1\b(?!\d)/i, label: 'kill PID 1 (init kill)' },
+    { pattern: /\bkillall\s+(?:-[a-zA-Z0-9]+\s+)?init\b/i, label: 'killall init' },
+    { pattern: /\bkillall\s+(?:-[a-zA-Z0-9]+\s+)?systemd\b/i, label: 'killall systemd' },
+    { pattern: /\bpkill\b[^|;&]*\s-1\b(?!\d)/i, label: 'pkill -1 (signal all processes)' },
+    { pattern: /\bpkill\s+(?:-[a-zA-Z0-9]+\s+)?init\b/i, label: 'pkill init' },
+    { pattern: /\bpkill\s+(?:-[a-zA-Z0-9]+\s+)?systemd\b/i, label: 'pkill systemd' },
+    // -----------------------------------------------------------------------
+    // System shutdown / reboot
+    // -----------------------------------------------------------------------
+    { pattern: /\b(?:shutdown|reboot|poweroff|halt)\b/i, label: 'shutdown/reboot/poweroff' },
+    {
+        pattern: /\bsystemctl\s+(?:stop|disable|mask|isolate)\b/i,
+        label: 'systemctl stop/disable/mask',
+    },
+    {
+        pattern: /\bsystemctl\s+(?:reboot|poweroff|halt|emergency|rescue)\b/i,
+        label: 'systemctl reboot/poweroff/halt',
+    },
+    { pattern: /\binit\s+0\b/i, label: 'init 0 (shutdown)' },
+    { pattern: /\binit\s+6\b/i, label: 'init 6 (reboot)' },
+    { pattern: /\btelinit\s+(?:0|6)\b/i, label: 'telinit 0/6 (shutdown/reboot)' },
+    // -----------------------------------------------------------------------
+    // Raw device writes
+    // -----------------------------------------------------------------------
     { pattern: />\s*\/dev\//i, label: 'write to /dev/' },
+    // -----------------------------------------------------------------------
+    // Fork bomb
+    // -----------------------------------------------------------------------
+    // Matches the classic `:(){ :|:& };:` shape — a function named `:` that
+    // pipes itself into itself recursively in the background. Tolerates
+    // whitespace and minor formatting variation.
+    {
+        pattern: /:\s*\(\s*\)\s*\{[^}]*:\s*\|\s*:[^}]*&[^}]*\}\s*;\s*:/,
+        label: 'fork bomb',
+    },
+    // Backstop: matches the bare function-definition shape that pipes itself
+    // in background. Catches variants where the inner body is condensed.
+    { pattern: /:\(\)\s*\{[\s\S]{0,40}:\|:&/, label: 'fork bomb' },
+    // -----------------------------------------------------------------------
+    // Curl/wget piped to a shell — remote code execution
+    // -----------------------------------------------------------------------
+    {
+        pattern: /\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh|ksh|dash|python|perl)\b/i,
+        label: 'curl|wget piped to shell (remote code execution)',
+    },
+    // -----------------------------------------------------------------------
+    // Crypto / key destruction
+    // -----------------------------------------------------------------------
+    { pattern: /\brm\b[^|;&]*~\/\.ssh\b/i, label: 'rm ~/.ssh (SSH key destruction)' },
+    {
+        pattern: /\brm\b[^|;&]*\/root\/\.ssh\b/i,
+        label: 'rm /root/.ssh (root SSH key destruction)',
+    },
 ];
 /**
  * Check a command string against the dangerous patterns blocklist.

package/dist/utils/command-safety.js.map

@@ -1 +1 @@
-{"version":3,"file":"command-safety.js","sourceRoot":"","sources":["../../src/utils/command-safety.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,yDAAyD;AACzD,8EAA8E;AAC9E,2EAA2E;AAC3E,wEAAwE;AACxE,8EAA8E;AAE9E,iEAAiE;AACjE,MAAM,CAAC,MAAM,kBAAkB,GAAyC;IACpE;QACI,OAAO,EAAE,uDAAuD;QAChE,KAAK,EAAE,yBAAyB;KACnC;IACD,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,0BAA0B,EAAE;IAC3D,EAAE,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,qBAAqB,EAAE;IAC1D,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,yBAAyB,EAAE;IAC3D,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,WAAW,EAAE;IAC7C,EAAE,OAAO,EAAE,sCAAsC,EAAE,KAAK,EAAE,0BAA0B,EAAE;IACtF,EAAE,OAAO,EAAE,sCAAsC,EAAE,KAAK,EAAE,6BAA6B,EAAE;IACzF,EAAE,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,gBAAgB,EAAE;CACvD,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAe;IACjD,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,kBAAkB,EAAE,CAAC;QAClD,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACxB,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IACD,OAAO,IAAI,CAAC;AAChB,CAAC"}
+{"version":3,"file":"command-safety.js","sourceRoot":"","sources":["../../src/utils/command-safety.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,yDAAyD;AACzD,8EAA8E;AAC9E,2EAA2E;AAC3E,wEAAwE;AACxE,EAAE;AACF,2EAA2E;AAC3E,gFAAgF;AAChF,yEAAyE;AACzE,0EAA0E;AAC1E,uBAAuB;AACvB,8EAA8E;AAE9E,iEAAiE;AACjE,MAAM,CAAC,MAAM,kBAAkB,GAAyC;IACpE,0EAA0E;IAC1E,yBAAyB;IACzB,0EAA0E;IAC1E,mEAAmE;IACnE,gEAAgE;IAChE,yEAAyE;IACzE;QACI,OAAO,EACH,0IAA0I;QAC9I,KAAK,EAAE,wCAAwC;KAClD;IACD,+DAA+D;IAC/D;QACI,OAAO,EAAE,gEAAgE;QACzE,KAAK,EAAE,yBAAyB;KACnC;IACD,kEAAkE;IAClE;QACI,OAAO,EAAE,8CAA8C;QACvD,KAAK,EAAE,+CAA+C;KACzD;IACD,oEAAoE;IACpE;QACI,OAAO,EAAE,4DAA4D;QACrE,KAAK,EAAE,uCAAuC;KACjD;IACD;QACI,OAAO,EAAE,oDAAoD;QAC7D,KAAK,EAAE,uCAAuC;KACjD;IACD,0DAA0D;IAC1D;QACI,OAAO,EAAE,8DAA8D;QACvE,KAAK,EAAE,mDAAmD;KAC7D;IAED,0EAA0E;IAC1E,2CAA2C;IAC3C,0EAA0E;IAC1E,EAAE,OAAO,EAAE,2BAA2B,EAAE,KAAK,EAAE,0BAA0B,EAAE;IAC3E,EAAE,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,qBAAqB,EAAE;IAC1D,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,yBAAyB,EAAE;IAC3D,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,0BAA0B,EAAE;IAC7D,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,0BAA0B,EAAE;IAC7D,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,oCAAoC,EAAE;IACvE,EAAE,OAAO,EAAE,qCAAqC,EAAE,KAAK,EAAE,kCAAkC,EAAE;IAC7F,EAAE,OAAO,EAAE,sBAAsB,EAAE,KAAK,EAAE,sCAAsC,EAAE;IAClF,EAAE,OAAO,EAAE,oBAAoB,EAAE,KAAK,EAAE,uCAAuC,EAAE;IACjF,EAAE,OAAO,EAAE,oDAAoD,EAAE,KAAK,EAAE,mBAAmB,EAAE;IAE7F,0EAA0E;IAC1E,0DAA0D;IAC1D,0EAA0E;IAC1E,EAAE,OAAO,EAAE,+BAA+B,EAAE,KAAK,EAAE,sCAAsC,EAAE;IAC3F,EAAE,OAAO,EAAE,8BAA8B,EAAE,KAAK,EAAE,yCAAyC,EAAE;IAC7F,EAAE,OAAO,EAAE,mCAAmC,EAAE,KAAK,EAAE,wBAAwB,EAAE;IACjF,EAAE,OAAO,EAAE,kDAAkD,EAAE,KAAK,EAAE,iBAAiB,EAAE;IACzF,EAAE,OAAO,EAAE,uBAAuB,EAAE,KAAK,EAAE,cAAc,EAAE;IAC3D,EAAE,OAAO,EAAE,wBAAwB,EAAE,KAAK,EAAE,eAAe,EAAE;IAE7D,0EAA0E;IAC1E,sBAAsB;IACtB,0EAA0E;IAC1E;QACI,OAAO,EAAE,4DAA4D;QACrE,KAAK,EAAE,iDAAiD;KAC3D;IACD;QACI,OAAO,EAAE,6DAA6D;QACtE,KAAK,EAAE,8BAA8B;KACxC;IACD,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,mCAAmC,EAAE;IAC3E;QACI,OAAO,EAAE,mCAAmC;QAC5C,KAAK,EAAE,uDAAuD;KACjE;IACD;QACI,OAAO,EAAE,4BAA4B;QACrC,KAAK,EAAE,oDAAoD;KAC9D;IACD,EAAE,OAAO,EAAE,iCAAiC,EAAE,KAAK,EAAE,mCAAmC,EAAE;IAE1F,0EAA0E;IAC1E,oCAAoC;IACpC,0EAA0E;IAC1E,EAAE,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,+BAA+B,EAAE;IACnE,EAAE,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,yBAAyB,EAAE;IAC9D,EAAE,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,+BAA+B,EAAE;IACnE,EAAE,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,yBAAyB,EAAE;IAC9D;QACI,OAAO,EAAE,yCAAyC;QAClD,KAAK,EAAE,4CAA4C;KACtD;IACD;QACI,OAAO,EAAE,6BAA6B;QACtC,KAAK,EAAE,yCAAyC;KACnD;IACD,EAAE,OAAO,EAAE,8BAA8B,EAAE,KAAK,EAAE,+BAA+B,EAAE;IACnF;QACI,OAAO,EAAE,uDAAuD;QAChE,KAAK,EAAE,2DAA2D;KACrE;IACD;QACI,OAAO,EAAE,gEAAgE;QACzE,KAAK,EAAE,oDAAoD;KAC9D;IAED,0EAA0E;IAC1E,yCAAyC;IACzC,0EAA0E;IAC1E,EAAE,OAAO,EAAE,4CAA4C,EAAE,KAAK,EAAE,wBAAwB,EAAE;IAC1F,EAAE,OAAO,EAAE,0CAA0C,EAAE,KAAK,EAAE,cAAc,EAAE;IAC9E,EAAE,OAAO,EAAE,6CAA6C,EAAE,KAAK,EAAE,iBAAiB,EAAE;IACpF,EAAE,OAAO,EAAE,+BAA+B,EAAE,KAAK,EAAE,iCAAiC,EAAE;IACtF,EAAE,OAAO,EAAE,wCAAwC,EAAE,KAAK,EAAE,YAAY,EAAE;IAC1E,EAAE,OAAO,EAAE,2CAA2C,EAAE,KAAK,EAAE,eAAe,EAAE;IAEhF,0EAA0E;IAC1E,2BAA2B;IAC3B,0EAA0E;IAC1E,EAAE,OAAO,EAAE,wCAAwC,EAAE,KAAK,EAAE,0BAA0B,EAAE;IACxF;QACI,OAAO,EAAE,gDAAgD;QACzD,KAAK,EAAE,6BAA6B;KACvC;IACD;QACI,OAAO,EAAE,4DAA4D;QACrE,KAAK,EAAE,gCAAgC;KAC1C;IACD,EAAE,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,mBAAmB,EAAE;IACxD,EAAE,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,iBAAiB,EAAE;IACtD,EAAE,OAAO,EAAE,wBAAwB,EAAE,KAAK,EAAE,+BAA+B,EAAE;IAE7E,0EAA0E;IAC1E,oBAAoB;IACpB,0EAA0E;IAC1E,EAAE,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,gBAAgB,EAAE;IAEpD,0EAA0E;IAC1E,YAAY;IACZ,0EAA0E;IAC1E,wEAAwE;IACxE,oEAAoE;IACpE,6CAA6C;IAC7C;QACI,OAAO,EAAE,sDAAsD;QAC/D,KAAK,EAAE,WAAW;KACrB;IACD,yEAAyE;IACzE,qEAAqE;IACrE,EAAE,OAAO,EAAE,6BAA6B,EAAE,KAAK,EAAE,WAAW,EAAE;IAE9D,0EAA0E;IAC1E,qDAAqD;IACrD,0EAA0E;IAC1E;QACI,OAAO,EAAE,kFAAkF;QAC3F,KAAK,EAAE,kDAAkD;KAC5D;IAED,0EAA0E;IAC1E,2BAA2B;IAC3B,0EAA0E;IAC1E,EAAE,OAAO,EAAE,0BAA0B,EAAE,KAAK,EAAE,iCAAiC,EAAE;IACjF;QACI,OAAO,EAAE,+BAA+B;QACxC,KAAK,EAAE,0CAA0C;KACpD;CACJ,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAe;IACjD,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,kBAAkB,EAAE,CAAC;QAClD,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACxB,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IACD,OAAO,IAAI,CAAC;AAChB,CAAC"}

package/dist/utils/logger.d.ts

@@ -1,3 +1,16 @@
+declare function getLogFile(): string;
+/**
+ * Rotate `logFile` if it exceeds MAX_FILE_BYTES.
+ *
+ * Strategy: shift `.N -> .N+1`, then rename the live file to `.1`. The next
+ * write to `logFile` will create a fresh, empty file.
+ *
+ * This is intentionally synchronous (CLI hot path, rare event, tiny rename
+ * cost) and best-effort — any failure here must NOT throw, so that a broken
+ * filesystem state cannot crash the CLI or the MCP. We swallow errors and let
+ * the caller fall back to appending to the (possibly oversized) file.
+ */
+declare function rotateIfNeeded(logFile: string): void;
 export type LogLevel = 'debug' | 'info' | 'warn' | 'error';
 export declare function setLogLevel(level: LogLevel): void;
 export declare const logger: {
@@ -6,4 +19,11 @@ export declare const logger: {
     warn: (message: string, meta?: Record<string, unknown>) => void;
     error: (message: string, meta?: Record<string, unknown>) => void;
 };
+export declare const __testing: {
+    MAX_FILE_BYTES: number;
+    MAX_BACKUPS: number;
+    rotateIfNeeded: typeof rotateIfNeeded;
+    getLogFile: typeof getLogFile;
+};
+export {};
 //# sourceMappingURL=logger.d.ts.map

package/dist/utils/logger.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/utils/logger.ts"],"names":[],"mappings":"AAmBA,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;AAW3D,wBAAgB,WAAW,CAAC,KAAK,EAAE,QAAQ,GAAG,IAAI,CAEjD;AAuBD,eAAO,MAAM,MAAM;qBACE,MAAM,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;oBACvC,MAAM,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;oBACtC,MAAM,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;qBACrC,MAAM,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAC1D,CAAC"}
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/utils/logger.ts"],"names":[],"mappings":"AAmBA,iBAAS,UAAU,IAAI,MAAM,CAG5B;AAMD;;;;;;;;;;GAUG;AACH,iBAAS,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAmC7C;AAED,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;AAW3D,wBAAgB,WAAW,CAAC,KAAK,EAAE,QAAQ,GAAG,IAAI,CAEjD;AAyBD,eAAO,MAAM,MAAM;qBACE,MAAM,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;oBACvC,MAAM,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;oBACtC,MAAM,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;qBACrC,MAAM,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAC1D,CAAC;AAIF,eAAO,MAAM,SAAS;;;;;CAKrB,CAAC"}

package/dist/utils/logger.js

@@ -2,6 +2,14 @@ import fs from 'node:fs';
 import path from 'node:path';
 import os from 'node:os';
 const LOG_DIR = path.join(os.homedir(), '.rackmind', 'logs');
+// Rotation policy: cap each log file at MAX_FILE_BYTES, keep MAX_BACKUPS rotated
+// copies (`<file>.1` is the most recent rotation, `<file>.<MAX_BACKUPS>` is the
+// oldest and is deleted on the next rotation).
+// One file maxed out + N backups bounds disk usage at roughly
+//   MAX_FILE_BYTES * (MAX_BACKUPS + 1)
+// = 10 MB * 6 = 60 MB per log basename.
+const MAX_FILE_BYTES = 10 * 1024 * 1024;
+const MAX_BACKUPS = 5;
 function ensureLogDir() {
     fs.mkdirSync(LOG_DIR, { recursive: true });
 }
@@ -12,6 +20,55 @@ function getLogFile() {
 function formatTimestamp() {
     return new Date().toISOString();
 }
+/**
+ * Rotate `logFile` if it exceeds MAX_FILE_BYTES.
+ *
+ * Strategy: shift `.N -> .N+1`, then rename the live file to `.1`. The next
+ * write to `logFile` will create a fresh, empty file.
+ *
+ * This is intentionally synchronous (CLI hot path, rare event, tiny rename
+ * cost) and best-effort — any failure here must NOT throw, so that a broken
+ * filesystem state cannot crash the CLI or the MCP. We swallow errors and let
+ * the caller fall back to appending to the (possibly oversized) file.
+ */
+function rotateIfNeeded(logFile) {
+    try {
+        const stat = fs.statSync(logFile);
+        if (stat.size <= MAX_FILE_BYTES)
+            return;
+    }
+    catch {
+        // File doesn't exist yet — nothing to rotate.
+        return;
+    }
+    try {
+        // Drop the oldest backup if it exists.
+        const oldest = `${logFile}.${MAX_BACKUPS}`;
+        try {
+            fs.unlinkSync(oldest);
+        }
+        catch {
+            // ignore — may not exist
+        }
+        // Shift .N -> .N+1, starting from the second-oldest.
+        for (let i = MAX_BACKUPS - 1; i >= 1; i--) {
+            const src = `${logFile}.${i}`;
+            const dest = `${logFile}.${i + 1}`;
+            try {
+                fs.renameSync(src, dest);
+            }
+            catch {
+                // ignore — backup at this index doesn't exist
+            }
+        }
+        // Live file -> .1. Atomic rename on POSIX.
+        fs.renameSync(logFile, `${logFile}.1`);
+    }
+    catch {
+        // Rotation failed — fall through, caller will append to the existing
+        // file. Bounded growth is preferred to a crashed CLI.
+    }
+}
 const LOG_LEVELS = {
     debug: 0,
     info: 1,
@@ -30,13 +87,15 @@ function writeLog(level, message, meta) {
         return;
     try {
         ensureLogDir();
+        const file = getLogFile();
+        rotateIfNeeded(file);
         const entry = {
             timestamp: formatTimestamp(),
             level,
             message,
             ...(meta ? { meta } : {}),
         };
-        fs.appendFileSync(getLogFile(), JSON.stringify(entry) + '\n');
+        fs.appendFileSync(file, JSON.stringify(entry) + '\n');
     }
     catch {
         // Silently fail — logging should never crash the CLI
@@ -48,4 +107,12 @@ export const logger = {
     warn: (message, meta) => writeLog('warn', message, meta),
     error: (message, meta) => writeLog('error', message, meta),
 };
+// Exported for tests only. Keep undocumented in public README — the rotation
+// policy is an implementation detail.
+export const __testing = {
+    MAX_FILE_BYTES,
+    MAX_BACKUPS,
+    rotateIfNeeded,
+    getLogFile,
+};
 //# sourceMappingURL=logger.js.map

package/dist/utils/logger.js.map

@@ -1 +1 @@
-{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/utils/logger.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AAEzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;AAE7D,SAAS,YAAY;IACjB,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,UAAU;IACf,MAAM,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACpD,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,IAAI,MAAM,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,eAAe;IACpB,OAAO,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;AACpC,CAAC;AAID,MAAM,UAAU,GAA6B;IACzC,KAAK,EAAE,CAAC;IACR,IAAI,EAAE,CAAC;IACP,IAAI,EAAE,CAAC;IACP,KAAK,EAAE,CAAC;CACX,CAAC;AAEF,IAAI,YAAY,GAAa,MAAM,CAAC;AAEpC,MAAM,UAAU,WAAW,CAAC,KAAe;IACvC,YAAY,GAAG,KAAK,CAAC;AACzB,CAAC;AAED,SAAS,SAAS,CAAC,KAAe;IAC9B,OAAO,UAAU,CAAC,KAAK,CAAC,IAAI,UAAU,CAAC,YAAY,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,QAAQ,CAAC,KAAe,EAAE,OAAe,EAAE,IAA8B;IAC9E,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;QAAE,OAAO;IAE9B,IAAI,CAAC;QACD,YAAY,EAAE,CAAC;QACf,MAAM,KAAK,GAAG;YACV,SAAS,EAAE,eAAe,EAAE;YAC5B,KAAK;YACL,OAAO;YACP,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC5B,CAAC;QACF,EAAE,CAAC,cAAc,CAAC,UAAU,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACL,qDAAqD;IACzD,CAAC;AACL,CAAC;AAED,MAAM,CAAC,MAAM,MAAM,GAAG;IAClB,KAAK,EAAE,CAAC,OAAe,EAAE,IAA8B,EAAE,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC;IAC5F,IAAI,EAAE,CAAC,OAAe,EAAE,IAA8B,EAAE,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC;IAC1F,IAAI,EAAE,CAAC,OAAe,EAAE,IAA8B,EAAE,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC;IAC1F,KAAK,EAAE,CAAC,OAAe,EAAE,IAA8B,EAAE,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC;CAC/F,CAAC"}
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/utils/logger.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AAEzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;AAE7D,iFAAiF;AACjF,gFAAgF;AAChF,+CAA+C;AAC/C,8DAA8D;AAC9D,uCAAuC;AACvC,wCAAwC;AACxC,MAAM,cAAc,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AACxC,MAAM,WAAW,GAAG,CAAC,CAAC;AAEtB,SAAS,YAAY;IACjB,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,UAAU;IACf,MAAM,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACpD,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,IAAI,MAAM,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,eAAe;IACpB,OAAO,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;AACpC,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,cAAc,CAAC,OAAe;IACnC,IAAI,CAAC;QACD,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAClC,IAAI,IAAI,CAAC,IAAI,IAAI,cAAc;YAAE,OAAO;IAC5C,CAAC;IAAC,MAAM,CAAC;QACL,8CAA8C;QAC9C,OAAO;IACX,CAAC;IAED,IAAI,CAAC;QACD,uCAAuC;QACvC,MAAM,MAAM,GAAG,GAAG,OAAO,IAAI,WAAW,EAAE,CAAC;QAC3C,IAAI,CAAC;YACD,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACL,yBAAyB;QAC7B,CAAC;QAED,qDAAqD;QACrD,KAAK,IAAI,CAAC,GAAG,WAAW,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YACxC,MAAM,GAAG,GAAG,GAAG,OAAO,IAAI,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,GAAG,GAAG,OAAO,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACnC,IAAI,CAAC;gBACD,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YAC7B,CAAC;YAAC,MAAM,CAAC;gBACL,8CAA8C;YAClD,CAAC;QACL,CAAC;QAED,2CAA2C;QAC3C,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,OAAO,IAAI,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACL,qEAAqE;QACrE,sDAAsD;IAC1D,CAAC;AACL,CAAC;AAID,MAAM,UAAU,GAA6B;IACzC,KAAK,EAAE,CAAC;IACR,IAAI,EAAE,CAAC;IACP,IAAI,EAAE,CAAC;IACP,KAAK,EAAE,CAAC;CACX,CAAC;AAEF,IAAI,YAAY,GAAa,MAAM,CAAC;AAEpC,MAAM,UAAU,WAAW,CAAC,KAAe;IACvC,YAAY,GAAG,KAAK,CAAC;AACzB,CAAC;AAED,SAAS,SAAS,CAAC,KAAe;IAC9B,OAAO,UAAU,CAAC,KAAK,CAAC,IAAI,UAAU,CAAC,YAAY,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,QAAQ,CAAC,KAAe,EAAE,OAAe,EAAE,IAA8B;IAC9E,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;QAAE,OAAO;IAE9B,IAAI,CAAC;QACD,YAAY,EAAE,CAAC;QACf,MAAM,IAAI,GAAG,UAAU,EAAE,CAAC;QAC1B,cAAc,CAAC,IAAI,CAAC,CAAC;QACrB,MAAM,KAAK,GAAG;YACV,SAAS,EAAE,eAAe,EAAE;YAC5B,KAAK;YACL,OAAO;YACP,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC5B,CAAC;QACF,EAAE,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACL,qDAAqD;IACzD,CAAC;AACL,CAAC;AAED,MAAM,CAAC,MAAM,MAAM,GAAG;IAClB,KAAK,EAAE,CAAC,OAAe,EAAE,IAA8B,EAAE,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC;IAC5F,IAAI,EAAE,CAAC,OAAe,EAAE,IAA8B,EAAE,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC;IAC1F,IAAI,EAAE,CAAC,OAAe,EAAE,IAA8B,EAAE,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC;IAC1F,KAAK,EAAE,CAAC,OAAe,EAAE,IAA8B,EAAE,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC;CAC/F,CAAC;AAEF,6EAA6E;AAC7E,sCAAsC;AACtC,MAAM,CAAC,MAAM,SAAS,GAAG;IACrB,cAAc;IACd,WAAW;IACX,cAAc;IACd,UAAU;CACb,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "rackmind-cli",
-    "version": "0.2.0",
+    "version": "0.2.1",
     "description": "CLI interface for RackMind — Claude Code-style terminal experience for managing Proxmox servers, LXC containers, and QEMU VMs from your terminal.",
     "type": "module",
     "main": "dist/index.js",
@@ -74,6 +74,7 @@
         "format:check": "prettier --check .",
         "type-check": "tsc --noEmit -p tsconfig.typecheck.json",
         "test": "vitest run",
+        "test:homelab": "./scripts/test-against-homelab.sh",
         "check": "npm run lint && npm run format:check && npm run type-check && npm test",
         "prepare": "husky || true",
         "prepublishOnly": "npm run check && npm run build"