kastelldev/kastell

v1.2.0 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 2mo Server & OS Management

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 3 known CVEs

Topics

automation cli coolify devops digitalocean docker

+10 more

dokploy hetzner linode mcp security-audit self-hosted server-management typescript vps vultr

Affected surfaces

auth rce_ssrf

Summary

AI summary

Bare Mode adds generic VPS support without Coolify and introduces an Interactive Menu for categorized CLI actions.

Full changelog

Added

Bare Mode — Generic VPS support without Coolify (--mode bare on init/add)
- ServerRecord.mode field: "coolify" (default) or "bare"
- requireCoolifyMode() guard blocks Coolify-only operations on bare servers
- getBareCloudInit() — hardening-only cloud-init script (UFW + system updates)
- Bare mode support across all 23 CLI commands and 7 MCP tools
- 2GB RAM minimum removed for bare mode provisioning
- Backward compatibility: legacy records without mode field default to "coolify"
Interactive Menu — Run quicklify without arguments for a categorized menu
- 6 categories: Server Management, Security, Monitoring & Logs, Backup & Snapshots, Maintenance, Configuration
- Sub-option prompts for each action (mode, template, log source, port, etc.)
- ← Back navigation to return to main menu at any point
- 49 new tests (interactive.test.ts)
MCP sizes action — server_info tool now supports listing available server types with prices per provider/region
MCP shared utilities — src/mcp/utils.ts with resolveServerForMcp, mcpSuccess, mcpError
SSH host key auto-fix — removeStaleHostKey() helper auto-removes stale known_hosts entries
- Health command detects host key mismatch and suggests fix
- SSH retry mechanism after stale key removal
UX improvements (6 enhancements):
- Better dpkg lock messaging during provisioning
- Token source display (env var vs prompt)
- Firewall status shows current rules inline
- Domain info shows current FQDN
- Orphan backup cleanup
- Backup/restore shows provider + IP context

Security

OWASP hardening: assertSafePath() for SCP paths (shell metacharacter check including <>)
Port validation: MCP port range restricted to 1-65535
Token isolation: sanitizedEnv() applied to all spawn/exec/spawnSync calls including openBrowser, sshKey, and removeStaleHostKey
SECURITY.md: Added OWASP Top 10 compliance table with detailed mitigation descriptions

Fixed

Init --full-setup crash on bare mode servers
Domain --name flag ignored on bare mode
Cloud-init completion wait missing
Bare mode showing incorrect port information
Health command missing query argument
Restart bare mode "command not found" message
MCP SSH path incorrect during provision

Changed

Test count: 1,758 → 2,047 (+289 new tests)
Test suites: 64 → 76 (+12 new suites)
Banner slogan updated to "Self-hosting, fully managed"
README interactive menu documentation with example output
LICENSE name correction: "omrfc" → "Ömer Faruk CAN"
.gitignore: added servers.json

Security Fixes

OWASP hardening added via `assertSafePath()` for SCP paths preventing shell metacharacter injection.
Port validation restricted MCP port range to 1-65535.
Token isolation enforced by applying `sanitizedEnv()` to all `spawn`/`exec`/`spawnSync` calls (including `openBrowser`, `sshKey`, `removeStaleHostKey`).

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track kastelldev/kastell

Get notified when new releases ship.

About kastelldev/kastell

Server security auditing and hardening toolkit. 413 security checks across 29 categories (SSH, Firewall, Docker, TLS, HTTP Headers), CIS/PCI-DSS/HIPAA compliance mapping, 19-step production hardening, fleet management, and forensic evidence collection. Supports Hetzner, DigitalOcean, Vultr, and Linode. 13 MCP tools.

All releases →