kastelldev/kastell

v2.2.0 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 1mo Server & OS Management

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 3 known CVEs

Topics

automation cli coolify devops digitalocean docker

+10 more

dokploy hetzner linode mcp security-audit self-hosted server-management typescript vps vultr

Affected surfaces

auth breaking_upgrade

Summary

AI summary

Added a plugin ecosystem for third‑party audit check plugins.

Full changelog

Kastell v2.2.0 — Plugin Ecosystem + Deferred Completion

Added

Plugin Ecosystem — third-party audit check plugins via kastell-plugin-* npm packages
- kastell plugin install/remove/list/validate CLI commands
- server_plugin MCP tool (list + validate actions)
- Plugin SDK types, manifest validation with Zod + semver compatibility
- Plugin loader with collision detection, cache, and startup integration
- Example plugins: kastell-plugin-wordpress (3 checks), kastell-plugin-auditor (2 checks)
--include-forbidden flag — run FORBIDDEN tier fixes with per-fix confirmation
--auto-fix --schedule pipeline — doctor + fix on a cron schedule (DOC-04)
Fix session logging — per-command execution log (AH-03)
Doctor fix history merge — results persisted to fix-history.json (DOC-02)
FORBIDDEN rawCommand handler — shows commands with confirmation (DOC-03)

Changed

CHECK_IDS constants — all 481 audit check IDs migrated to typed const object
extractReason helper — replaces 18 inline patterns
compliance/mapper.ts split — category-based sub-modules (DEF-06)
buildFirewallSetupCommand merge (DEF-07)

Security

Plugin loader path traversal guard (SEC-08)
Snapshot path traversal guard (SEC-09)
server_lock MCP destructiveHint (SEC-10)
CI expression injection fix (SEC-07)

Stats

10401 tests (267 suites), coverage 96.33%
6 phases (P124-P129), 100 files changed

Full changelog: https://github.com/kastelldev/kastell/blob/main/CHANGELOG.md

Security Fixes

Plugin loader path traversal guard (SEC-08)
Snapshot path traversal guard (SEC-09)
CI expression injection fix (SEC-07)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track kastelldev/kastell

Get notified when new releases ship.

About kastelldev/kastell

Server security auditing and hardening toolkit. 413 security checks across 29 categories (SSH, Firewall, Docker, TLS, HTTP Headers), CIS/PCI-DSS/HIPAA compliance mapping, 19-step production hardening, fleet management, and forensic evidence collection. Supports Hetzner, DigitalOcean, Vultr, and Linode. 13 MCP tools.

All releases →