kastelldev/kastell

v2.2.6 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

✓ No known CVEs patched

Topics

automation cli coolify devops digitalocean docker dokploy hetzner linode mcp security-audit self-hosted server-management typescript vps vultr

Summary

AI summary

Windows fileLock crash recovery now detects dead processes and reclaims locks in <100 ms, fixing prolonged stalls.

Changes in this release

Feature Medium

Plugin SSH batch tier (P135) executes third-party plugin audit checks via dedicated fourth batch tier with configurable timeout KASTELL_PLUGIN_BATCH_TIMEOUT_MS.

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

`PluginCheckSchema` runtime validation validates plugin checks at load time using Zod.

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

`probeProcess` helper provides testable PID liveness wrapper for fileLock crash recovery.

Source: llm_adapter@2026-05-21

Confidence: high

Dependency Medium

Test infrastructure adds `chmodSync: jest.fn()` to 8 `jest.mock("fs")` blocks, previously masked by silent-fail chmod.

Source: llm_adapter@2026-05-21

Confidence: low

Performance Medium

Tests increased from 10422 to 10642 (+220).

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Windows fileLock crash recovery (F-001, F-006) now writes owner.pid and recovers dead-PID locks in under 100ms.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

`fileLock` 60s hard ceiling (F-001) reclaims locks even when probeProcess reports alive, guarding against clock drift, zombies, and PID reuse.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Windows `secureWrite.applyPermissions` (F-007, F-017) fixes EPERM issues for snapshots, evidence directories, and audit history with ACL hardening deferred to v2.4.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

`--include-forbidden` rendering (F-013) now renders FORBIDDEN-tier fixes in a dedicated block during `--dry-run`.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Plugin batch parser (P135) replaces `executePluginChecks` with `parsePluginBatchOutput`; plugin checks now share the batch SSH session.

Source: llm_adapter@2026-05-21

Confidence: high

Refactor Medium

Mutation Testing workflow auto-triggers paused; manual workflow_dispatch only.

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

Windows Recovery Hotfix (P136a) + Plugin SSH Batch Tier (P135)

Added

  • Plugin SSH batch tier (P135) — third-party plugin audit checks now execute via dedicated 4th batch tier with configurable timeout (KASTELL_PLUGIN_BATCH_TIMEOUT_MS)
  • PluginCheckSchema runtime validation — plugin checks validated at load time with Zod
  • probeProcess helper — testable PID liveness wrapper for fileLock crash recovery

Fixed

  • Windows fileLock crash recovery (F-001, F-006) — lock dir now writes owner.pid; subsequent acquires use ESRCH probing to recover dead-PID locks in <100ms instead of waiting 30s
  • fileLock 60s hard ceiling (F-001) — reclaims locks even when probeProcess reports alive (guards against clock drift, zombies, PID reuse)
  • Windows secureWrite.applyPermissions (F-007, F-017) — Win32 platform guard; ~/.kastell/snapshots/, ~/.kastell/evidence/ and audit history now create cleanly without EPERM. ACL hardening (icacls) deferred to v2.4
  • fix --include-forbidden rendering (F-013) — FORBIDDEN-tier fixes now rendered in dedicated block in --dry-run
  • Plugin batch parser (P135) — replaced executePluginChecks with parsePluginBatchOutput; plugin checks share batch SSH session
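
The two fileLock fixes above (dead-PID recovery via ESRCH probing, plus the 60s hard ceiling) can be illustrated with the following added JavaScript example, which is not kastell's own code. Only `owner.pid`, `probeProcess`, ESRCH and the 60s ceiling come from the changelog; the other function names, the lock directory layout and measuring age from the directory mtime are assumptions.

```javascript
// Added illustration, not kastell's source. Only owner.pid, probeProcess, ESRCH
// and the 60 s ceiling come from the release notes; everything else is assumed.
const fs = require("node:fs");
const path = require("node:path");

const HARD_CEILING_MS = 60_000;

// PID liveness wrapper. Signal 0 delivers nothing; it only checks existence.
// `kill` is injectable so tests can simulate a dead owner.
function probeProcess(pid, kill = process.kill.bind(process)) {
  try {
    kill(pid, 0);
    return true;
  } catch (err) {
    return err.code !== "ESRCH"; // EPERM etc.: process exists, so treat as alive
  }
}

function readOwnerPid(lockDir) {
  try {
    const pid = Number(fs.readFileSync(path.join(lockDir, "owner.pid"), "utf8"));
    return Number.isInteger(pid) && pid > 0 ? pid : null;
  } catch {
    return null; // owner.pid not written yet
  }
}

function isStale(lockDir, now, probe) {
  let ageMs;
  try { ageMs = now - fs.statSync(lockDir).mtimeMs; } catch { return false; }
  if (ageMs > HARD_CEILING_MS) return true; // ceiling wins even if the PID looks alive
  const pid = readOwnerPid(lockDir);
  return pid !== null && !probe(pid); // unknown owner: wait for the ceiling
}

// mkdir is atomic, so exactly one caller creates the directory and owns the lock.
function tryAcquire(lockDir, now = Date.now(), probe = probeProcess) {
  for (let attempt = 0; attempt < 2; attempt++) {
    try {
      fs.mkdirSync(lockDir);
      fs.writeFileSync(path.join(lockDir, "owner.pid"), String(process.pid));
      return true;
    } catch (err) {
      if (err.code !== "EEXIST") throw err;
      if (!isStale(lockDir, now, probe)) return false; // live owner: caller retries later
      fs.rmSync(lockDir, { recursive: true, force: true }); // reclaim, then retry mkdir
    }
  }
  return false;
}
```

The ceiling matters because a recycled PID makes the probe report a dead owner as alive; without it such a lock would never be reclaimed. The remove-then-mkdir reclaim is not atomic across several waiters, so callers should treat a `false` return as "retry later" rather than an error.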

Changed

  • Mutation Testing workflow auto-triggers paused (6h timeout insufficient); manual workflow_dispatch only
  • Test infrastructure: 8 jest.mock("fs") blocks now include chmodSync: jest.fn() (previously masked by silent-fail chmod)
  • Tests: 10422 → 10642 (+220)

Install

```bash
npm install -g kastell@2.2.6
```

Full changelog: https://github.com/kastelldev/kastell/blob/main/CHANGELOG.md

About kastelldev/kastell

Server security auditing and hardening toolkit. 413 security checks across 29 categories (SSH, Firewall, Docker, TLS, HTTP Headers), CIS/PCI-DSS/HIPAA compliance mapping, 19-step production hardening, fleet management, and forensic evidence collection. Supports Hetzner, DigitalOcean, Vultr, and Linode. 13 MCP tools.
