kastelldev/kastell

v2.1.0 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

✓ No known CVEs patched

Topics

automation cli coolify devops digitalocean docker
dokploy hetzner linode mcp security-audit self-hosted server-management typescript vps vultr

Affected surfaces

deps

Summary

AI summary

Added interactive kastell init wizard and deep-dive explain command with multiple output formats.

Full changelog

Added

  • kastell init 3-way wizard — interactive setup with three paths: provision a new server, register an existing server, or configure defaults (compliance framework, notification channels)
  • kastell explain <check-id> — deep-dive into any audit check: why it matters, fix command, fix tier (SAFE/GUARDED/FORBIDDEN), CIS/PCI-DSS/HIPAA compliance references. Supports --format terminal|json|md
  • audit --ci flag — CI mode with JSON output, no spinner, requires --threshold for exit code gating
  • fleet --categories — shows weakest audit category per server in fleet dashboard
  • audit --compare enhancements — --fresh flag for live audit (skip snapshots), --detail for check-level diff instead of category summary
  • server_compare MCP tool — side-by-side server comparison with snapshot fallback and detail mode (16th MCP tool)
  • Doctor score — computeDoctorScore with severity-weighted findings, wired into CLI and MCP
  • Regression gating — pre-fix regression check with --force bypass, conditional baseline save, kastell regression status/reset commands
  • Substring fuzzy match — kastell explain ssh-password resolves to SSH-PASSWORD-AUTH (single match returns result, multiple returns suggestions)
  • defaults.json support — loadDefaults/saveDefaults with Zod validation for threshold/framework fallback
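
The substring fuzzy match described for kastell explain, sketched as an added example (not kastell's own code). The helper name resolveCheckId and every check ID except SSH-PASSWORD-AUTH are constructed for illustration; letting an exact ID win over longer IDs that contain it, and treating an empty query as no match, are assumptions of this sketch.

```typescript
// Constructed sample catalogue; only SSH-PASSWORD-AUTH appears in the changelog.
const CHECK_IDS: string[] = [
  "SSH-PASSWORD-AUTH",
  "SSH-ROOT-LOGIN",
  "FW-SSH-PORT",
  "FW-SSH-PORT-RATE-LIMIT",
];

// Discriminated union so callers must handle all three outcomes explicitly.
type ResolveResult =
  | { kind: "match"; id: string }
  | { kind: "suggestions"; ids: string[] }
  | { kind: "none" };

// Hypothetical helper: resolve a user-typed fragment to a check ID.
function resolveCheckId(query: string, ids: string[] = CHECK_IDS): ResolveResult {
  const needle = query.trim().toUpperCase();
  // An empty needle is a substring of every ID, so reject it up front.
  if (needle === "") return { kind: "none" };

  // Assumption: an exact ID wins even if other IDs contain it as a prefix,
  // otherwise FW-SSH-PORT could never be explained on its own.
  const exact = ids.find((id) => id.toUpperCase() === needle);
  if (exact !== undefined) return { kind: "match", id: exact };

  // Case-insensitive substring match over the whole catalogue.
  const hits = ids.filter((id) => id.toUpperCase().includes(needle));
  const first = hits[0];
  if (first === undefined) return { kind: "none" };

  // One hit resolves directly; several are returned as suggestions and
  // never auto-selected, so the user sees which check they are reading about.
  return hits.length === 1
    ? { kind: "match", id: first }
    : { kind: "suggestions", ids: hits };
}
```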

Changed

  • Regression wiring — saveBaseline/checkRegression integrated into all 4 callers (CLI audit, CLI fix, MCP serverAudit, MCP serverFix)
  • confirmOrCancel helper — extracted to prompts.ts with DI pattern, replacing inline confirm logic in fix and regression flows
  • hasRegression() helper — single source of truth for regression detection, replaces 3 inline copies
  • resolveAuditPair extraction — DRY compare logic with exit code bug fix
  • formatRegressionSummary — typed DRY helper for consistent regression display across CLI and MCP
  • runPostFixReAudit — returns full AuditResult for accurate post-fix baseline
  • scoreRegressed removed from interface — derived inline via hasRegression(), 8 test fixtures updated
  • Discriminated union for AddServerResult — type-safe success/failure branching in init wizard
  • providerConfig.ts rename — utils/defaults.ts renamed for clarity
  • formatSuggestions DRY helper — shared between explain command and MCP tool
  • Index-based listSnapshots — O(1) read instead of O(N) file parse
  • Firewall port deduplication — uses adapter.platformPorts as single source

Security

  • Dependency updates — actions/checkout v6, actions/setup-node v6, actions/upload-artifact v7

Tests

  • 255 suites, 10265 tests, 12 snapshots (up from 240 suites, 10127 tests in v2.0.0)
  • Coverage threshold: 90% global, 95% audit, 90% provider, 90% MCP

About kastelldev/kastell

Server security auditing and hardening toolkit. 413 security checks across 29 categories (SSH, Firewall, Docker, TLS, HTTP Headers), CIS/PCI-DSS/HIPAA compliance mapping, 19-step production hardening, fleet management, and forensic evidence collection. Supports Hetzner, DigitalOcean, Vultr, and Linode. 13 MCP tools.
