@blacksandscyber/mcp-server-bursar 0.5.0

package/build/shield/discovery/topologyNormalizer.d.ts

@@ -0,0 +1,109 @@
+/**
+ * Topology normalizer — assembles the FROZEN topology envelope from the raw
+ * macOS environment ({@link scanMacEnvironment}) and the live Shield Broker
+ * state ({@link ShieldClient}).
+ *
+ * The node `type`/`kind`/`status` vocabularies are frozen to match the viz at
+ * overview/container-manager/data.js + index.html `dotFor()`. Do not introduce
+ * new vocabulary here without updating the viz in lock-step.
+ *
+ * TRUST RULE (load-bearing): `metadata.trust.authoritative` is true ONLY when
+ * the Broker is genuinely reachable AND returned data. When the Broker is
+ * unreachable/unauthenticated we emit an EMPTY zt plane, source "none", and we
+ * never synthesize devices/sessions or any `active` data edge.
+ */
+import type { RawEnvironment } from "./environmentScanner";
+export type InfraNodeType = "host" | "network" | "container" | "volume" | "service";
+export type InfraEdgeKind = "host" | "net" | "vol";
+export type ZtNodeType = "manager" | "authorizer" | "receiver" | "device" | "service";
+export type ZtEdgeKind = "ctrl" | "data" | "proxy";
+export type ZtDataState = "active" | "pending" | "denied" | "revoked";
+export interface LayoutHint {
+    tier: number;
+    group: string;
+}
+export interface TopologyNode {
+    id: string;
+    type: InfraNodeType | ZtNodeType;
+    name: string;
+    sub: string;
+    status?: string;
+    cpu?: number;
+    mem?: number;
+    detail: Record<string, unknown>;
+    layoutHint?: LayoutHint;
+}
+export interface TopologyEdge {
+    from: string;
+    to: string;
+    kind: InfraEdgeKind | ZtEdgeKind;
+    state?: ZtDataState;
+    proto?: string;
+}
+export interface TopologyPlane {
+    nodes: TopologyNode[];
+    edges: TopologyEdge[];
+}
+export interface TopologyEnvelope {
+    schemaVersion: "1.0";
+    metadata: {
+        provider: "macos" | "docker" | "aws" | "azure";
+        generatedAt: string;
+        host: string;
+        planes: Array<"infra" | "zt">;
+        trust: {
+            source: "shield-broker" | "none";
+            brokerReachable: boolean;
+            authoritative: boolean;
+        };
+        notes?: string[];
+    };
+    infra: TopologyPlane;
+    zt: TopologyPlane;
+}
+export declare function buildInfraPlane(env: RawEnvironment, provider?: "macos" | "docker" | "aws" | "azure"): TopologyPlane;
+/** Minimal structural contract over ShieldClient — only what this module uses. */
+export interface ZtSource {
+    readonly orgId: string;
+    listReceivers(filters?: {
+        status?: string;
+        organizationId?: string;
+    }): Promise<Record<string, unknown>[]>;
+    listApps(orgId: string): Promise<{
+        data: Array<{
+            id: string;
+            name: string;
+            status: string;
+        }>;
+    }>;
+    listSessions(appId: string): Promise<{
+        data: Array<Record<string, unknown>>;
+    }>;
+    listEndpoints(appId: string): Promise<{
+        data: Array<Record<string, unknown>>;
+    }>;
+}
+export interface ZtBuildResult {
+    plane: TopologyPlane;
+    trust: {
+        source: "shield-broker" | "none";
+        brokerReachable: boolean;
+        authoritative: boolean;
+    };
+    notes: string[];
+}
+/**
+ * Build the ZT plane from live Broker state. If `src` is null (no Shield access
+ * configured) or any reachability/auth check fails, returns an EMPTY plane with
+ * non-authoritative trust. Never throws and never fabricates trust.
+ */
+export declare function buildZtPlane(src: ZtSource | null, appIdScope?: string): Promise<ZtBuildResult>;
+export interface AssembleInput {
+    provider: "macos" | "docker" | "aws" | "azure";
+    planes: Array<"infra" | "zt">;
+    env: RawEnvironment | null;
+    zt: ZtBuildResult | null;
+    extraNotes?: string[];
+}
+export declare function assembleEnvelope(input: AssembleInput): TopologyEnvelope;
+//# sourceMappingURL=topologyNormalizer.d.ts.map

package/build/shield/discovery/topologyNormalizer.js

@@ -0,0 +1,416 @@
+"use strict";
+/**
+ * Topology normalizer — assembles the FROZEN topology envelope from the raw
+ * macOS environment ({@link scanMacEnvironment}) and the live Shield Broker
+ * state ({@link ShieldClient}).
+ *
+ * The node `type`/`kind`/`status` vocabularies are frozen to match the viz at
+ * overview/container-manager/data.js + index.html `dotFor()`. Do not introduce
+ * new vocabulary here without updating the viz in lock-step.
+ *
+ * TRUST RULE (load-bearing): `metadata.trust.authoritative` is true ONLY when
+ * the Broker is genuinely reachable AND returned data. When the Broker is
+ * unreachable/unauthenticated we emit an EMPTY zt plane, source "none", and we
+ * never synthesize devices/sessions or any `active` data edge.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildInfraPlane = buildInfraPlane;
+exports.buildZtPlane = buildZtPlane;
+exports.assembleEnvelope = assembleEnvelope;
+const logger_1 = require("../../shared/logger");
+// `dotFor()` known vocabulary — keep node.status within these or omit it.
+const GREEN = new Set(["running", "healthy", "active", "compliant", "attested", "reachable", "online", "mounted"]);
+const AMBER = new Set(["pending", "degraded"]);
+const RED = new Set(["stopped", "denied", "blocked", "revoked", "offline"]);
+function safeStatus(s) {
+    if (!s)
+        return undefined;
+    const v = s.toLowerCase();
+    if (GREEN.has(v) || AMBER.has(v) || RED.has(v))
+        return v;
+    return undefined; // unknown → omit so dotFor() falls through cleanly
+}
+// ── infra plane ──────────────────────────────────────────────────────────────
+function netId(name) {
+    return `net-${name}`;
+}
+function ctrId(idOrName) {
+    return `ctr-${idOrName}`;
+}
+function volId(name) {
+    return `vol-${name}`;
+}
+function svcId(address, port) {
+    return `svc-${address}:${port}`.replace(/[*]/g, "any");
+}
+// A container's command line is surfaced into the topology (detail.cmd) and out
+// the local API. argv frequently embeds credentials (e.g. `--password=…`,
+// `mysql -psecret`, `postgres://user:pass@host`, bearer tokens). Redact those
+// before exposing them — this is a security product; the viz only needs the
+// gist of the command, not its secrets.
+function redactSecrets(cmd) {
+    if (!cmd)
+        return cmd;
+    return cmd
+        // postgres://user:pass@host  →  postgres://user:***@host
+        .replace(/(\/\/[^/\s:]+:)[^@\s/]+@/g, "$1***@")
+        // --password=secret / --token foo / -p secret  (flag + value)
+        .replace(/(--?(?:password|passwd|pass|pwd|token|secret|api[-_]?key|apikey|access[-_]?key|auth)[=\s]+)\S+/gi, "$1***")
+        // bare -pSECRET (mysql-style, no space)
+        .replace(/(\s-p)(?=\S)\S+/g, "$1***");
+}
+function buildInfraPlane(env, provider = "macos") {
+    const nodes = [];
+    const edges = [];
+    // Dedupe edges (a container can mount the same volume twice, etc.).
+    const seenEdge = new Set();
+    const pushEdge = (e) => {
+        const k = `${e.from}::${e.to}::${e.kind}`;
+        if (seenEdge.has(k))
+            return;
+        seenEdge.add(k);
+        edges.push(e);
+    };
+    // host (tier 0)
+    const hostNodeId = "host";
+    const runningCount = env.containers.filter((c) => c.running).length;
+    nodes.push({
+        id: hostNodeId,
+        type: "host",
+        name: env.host.hostname,
+        sub: provider === "docker" ? "Docker Engine" : "Apple Containerization",
+        status: "healthy",
+        detail: {
+            arch: env.host.arch,
+            platform: env.host.platform,
+            kernel: env.host.release,
+            cpu: env.host.cpuModel,
+            vcpu: env.host.vcpu,
+            memory: env.host.totalMemGB,
+            running: runningCount,
+            stopped: env.containers.length - runningCount,
+            containerCliPresent: env.host.containerCliPresent,
+            interfaces: env.host.interfaces,
+        },
+        layoutHint: { tier: 0, group: "host" },
+    });
+    // networks (tier 1) — edge host→network kind "host"
+    const knownNetworks = new Set(env.networks.map((n) => n.name));
+    for (const n of env.networks) {
+        nodes.push({
+            id: netId(n.name),
+            type: "network",
+            name: n.name,
+            sub: n.subnet ?? n.driver ?? "network",
+            status: undefined,
+            detail: { subnet: n.subnet, gateway: n.gateway, driver: n.driver },
+            layoutHint: { tier: 1, group: "network" },
+        });
+        pushEdge({ from: hostNodeId, to: netId(n.name), kind: "host" });
+    }
+    // containers (tier 2) — edge network→container kind "net"
+    for (const c of env.containers) {
+        const status = safeStatus(c.status) ?? (c.running ? "running" : "stopped");
+        const node = {
+            id: ctrId(c.id),
+            type: "container",
+            name: c.name,
+            sub: c.image ?? "container",
+            status,
+            detail: {
+                image: c.image,
+                ip: c.ip,
+                ports: c.ports,
+                networks: c.networks,
+                volumes: c.volumes,
+                cmd: redactSecrets(c.command),
+                rawStatus: c.status,
+            },
+            layoutHint: { tier: 2, group: "container" },
+        };
+        // Only running containers carry live cpu/mem. The macOS scanner has no live
+        // metrics (omitted, not fabricated); the Docker scanner attaches them from
+        // `docker stats`. Surface them on the node when present so the viz metric
+        // bars are live.
+        if (c.running && typeof c.cpu === "number")
+            node.cpu = c.cpu;
+        if (c.running && typeof c.mem === "number")
+            node.mem = c.mem;
+        nodes.push(node);
+        for (const netName of c.networks) {
+            if (knownNetworks.has(netName)) {
+                pushEdge({ from: netId(netName), to: ctrId(c.id), kind: "net" });
+            }
+        }
+        // If a container references no known network, attach it to the host so the
+        // viz still places it (degraded-but-visible).
+        if (!c.networks.some((nm) => knownNetworks.has(nm))) {
+            pushEdge({ from: hostNodeId, to: ctrId(c.id), kind: "host" });
+        }
+    }
+    // volumes (tier 3) — edge container→volume kind "vol"
+    const declaredVolumes = new Map();
+    for (const v of env.volumes) {
+        const node = {
+            id: volId(v.name),
+            type: "volume",
+            name: v.name,
+            sub: v.driver ?? "local",
+            status: "mounted",
+            detail: { driver: v.driver, source: v.source, usedBy: [] },
+            layoutHint: { tier: 3, group: "volume" },
+        };
+        declaredVolumes.set(v.name, node);
+        nodes.push(node);
+    }
+    for (const c of env.containers) {
+        for (const vname of c.volumes) {
+            let target = declaredVolumes.get(vname);
+            if (!target) {
+                // Container references a volume the `volume ls` didn't list — synthesize
+                // a node from the reference so the edge isn't dangling.
+                target = {
+                    id: volId(vname),
+                    type: "volume",
+                    name: vname,
+                    sub: "local",
+                    status: "mounted",
+                    detail: { usedBy: [] },
+                    layoutHint: { tier: 3, group: "volume" },
+                };
+                declaredVolumes.set(vname, target);
+                nodes.push(target);
+            }
+            target.detail.usedBy.push(c.name);
+            pushEdge({ from: ctrId(c.id), to: volId(vname), kind: "vol" });
+        }
+    }
+    // candidate service nodes from listening ports (tier 2, alongside containers).
+    // These are infra-plane `service` nodes (optional per contract), attached to
+    // the host. We dedupe and skip noise.
+    for (const p of env.listeningPorts) {
+        const id = svcId(p.address, p.port);
+        if (nodes.some((n) => n.id === id))
+            continue;
+        nodes.push({
+            id,
+            type: "service",
+            name: `${p.process ?? "service"}:${p.port}`,
+            sub: `${p.proto} · ${p.address === "*" ? "0.0.0.0" : p.address}:${p.port}`,
+            status: "online",
+            detail: { port: p.port, proto: p.proto, address: p.address, process: p.process, pid: p.pid },
+            layoutHint: { tier: 2, group: "service" },
+        });
+        pushEdge({ from: hostNodeId, to: id, kind: "host" });
+    }
+    return { nodes, edges };
+}
+function str(rec, ...keys) {
+    for (const k of keys) {
+        const v = rec[k];
+        if (typeof v === "string" && v)
+            return v;
+        if (typeof v === "number")
+            return String(v);
+    }
+    return null;
+}
+function mapSessionState(raw) {
+    switch ((raw ?? "").toLowerCase()) {
+        case "active":
+            return "active";
+        case "pending":
+            return "pending";
+        case "revoked":
+            return "revoked";
+        case "expired":
+        case "denied":
+            return "denied";
+        default:
+            return "pending"; // conservative: never default to "active"
+    }
+}
+/**
+ * Build the ZT plane from live Broker state. If `src` is null (no Shield access
+ * configured) or any reachability/auth check fails, returns an EMPTY plane with
+ * non-authoritative trust. Never throws and never fabricates trust.
+ */
+async function buildZtPlane(src, appIdScope) {
+    const empty = () => ({
+        plane: { nodes: [], edges: [] },
+        trust: { source: "none", brokerReachable: false, authoritative: false },
+        notes: ["ZT plane empty: Broker unreachable or unauthenticated — trust not authoritative"],
+    });
+    if (!src) {
+        return empty();
+    }
+    const notes = [];
+    let receivers = [];
+    let reachable = false;
+    // The Manager node = the Broker connection itself. Reachability is proven by
+    // a real call returning data, not by a flag.
+    try {
+        receivers = await src.listReceivers({ organizationId: src.orgId || undefined });
+        reachable = true;
+    }
+    catch (err) {
+        logger_1.logger.info("buildZtPlane: Broker unreachable — emitting empty ZT plane", { err: String(err) });
+        return empty();
+    }
+    const nodes = [];
+    const edges = [];
+    // manager (tier 0)
+    const mgrId = "zt-mgr";
+    nodes.push({
+        id: mgrId,
+        type: "manager",
+        name: "Shield Broker",
+        sub: "Control plane",
+        status: "healthy",
+        detail: { role: "Manager · control plane", orgId: src.orgId || null, mtls: "root of trust", source: "shield-broker" },
+        layoutHint: { tier: 0, group: "manager" },
+    });
+    // receivers (tier 2) — ctrl edge manager→receiver
+    for (const r of receivers) {
+        const uid = str(r, "receiverUID", "receiverUid", "uid", "id");
+        if (!uid)
+            continue;
+        const rawStatus = str(r, "status", "state");
+        nodes.push({
+            id: `zt-rcv-${uid}`,
+            type: "receiver",
+            name: str(r, "name", "hostname", "receiverUID") ?? uid,
+            sub: str(r, "region", "location") ?? "receiver",
+            status: safeStatus(rawStatus) ?? "healthy",
+            detail: { receiverUID: uid, region: str(r, "region"), upstream: "Shield Broker", rawStatus },
+            layoutHint: { tier: 2, group: "receiver" },
+        });
+        edges.push({ from: mgrId, to: `zt-rcv-${uid}`, kind: "ctrl" });
+    }
+    // Apps in scope → enrich with sessions + endpoints (devices/services).
+    let apps = [];
+    if (src.orgId) {
+        try {
+            const resp = await src.listApps(src.orgId);
+            apps = resp.data ?? [];
+        }
+        catch (err) {
+            notes.push(`listApps failed (${String(err)}); ZT plane limited to Manager + Receivers`);
+        }
+    }
+    else {
+        notes.push("No org context (SHIELD_ORG_ID unset); skipping session/endpoint enrichment");
+    }
+    if (appIdScope) {
+        apps = apps.filter((a) => a.id === appIdScope);
+        if (!apps.length)
+            notes.push(`appId ${appIdScope} not found in org ${src.orgId}`);
+    }
+    const deviceIds = new Set();
+    for (const app of apps) {
+        // services (tier 4) from endpoints
+        try {
+            const eps = await src.listEndpoints(app.id);
+            for (const e of eps.data ?? []) {
+                const epId = str(e, "id");
+                if (!epId)
+                    continue;
+                const id = `zt-svc-${epId}`;
+                nodes.push({
+                    id,
+                    type: "service",
+                    name: str(e, "host") ?? `endpoint ${epId}`,
+                    sub: `${str(e, "protocol") ?? "tcp"} · :${str(e, "port") ?? "?"}`,
+                    status: (str(e, "status") ?? "").toLowerCase() === "active" ? "reachable" : undefined,
+                    detail: { appId: app.id, host: str(e, "host"), port: str(e, "port"), protocol: str(e, "protocol"), exposure: "receiver-only" },
+                    layoutHint: { tier: 4, group: "service" },
+                });
+            }
+        }
+        catch (err) {
+            notes.push(`listEndpoints(${app.id}) failed (${String(err)})`);
+        }
+        // devices (tier 1) + data edges from sessions
+        try {
+            const sessions = await src.listSessions(app.id);
+            for (const s of sessions.data ?? []) {
+                const sid = str(s, "id");
+                const userId = str(s, "userId", "user", "identity") ?? sid;
+                if (!userId)
+                    continue;
+                const devId = `zt-dev-${userId}`;
+                const state = mapSessionState(str(s, "status", "state"));
+                if (!deviceIds.has(devId)) {
+                    deviceIds.add(devId);
+                    nodes.push({
+                        id: devId,
+                        type: "device",
+                        name: userId,
+                        sub: "Shield identity",
+                        // device status derives from session: active→compliant, else pending
+                        status: state === "active" ? "compliant" : state === "revoked" || state === "denied" ? "blocked" : "pending",
+                        detail: { identity: userId, appId: app.id, mtls: "device cert" },
+                        layoutHint: { tier: 1, group: "device" },
+                    });
+                    // ctrl edge device→manager (auth path)
+                    edges.push({ from: devId, to: mgrId, kind: "ctrl" });
+                }
+                // data edge device→receiver, ONLY with a real session-derived state.
+                // We attach to the first receiver if present; the session has no
+                // receiver binding in the public shape, so this is a coarse link.
+                const firstReceiver = receivers.length ? str(receivers[0], "receiverUID", "uid", "id") : null;
+                if (firstReceiver) {
+                    edges.push({
+                        from: devId,
+                        to: `zt-rcv-${firstReceiver}`,
+                        kind: "data",
+                        state,
+                        proto: str(s, "protocol") ?? "mTLS",
+                    });
+                }
+            }
+        }
+        catch (err) {
+            notes.push(`listSessions(${app.id}) failed (${String(err)})`);
+        }
+    }
+    // Authoritative ONLY when the Broker was reachable AND returned data.
+    const hasData = receivers.length > 0 || apps.length > 0;
+    const authoritative = reachable && hasData;
+    if (reachable && !hasData) {
+        notes.push("Broker reachable but returned no receivers/apps for this org; trust authoritative=false (no data)");
+    }
+    return {
+        plane: { nodes, edges },
+        trust: { source: "shield-broker", brokerReachable: reachable, authoritative },
+        notes,
+    };
+}
+function assembleEnvelope(input) {
+    const wantInfra = input.planes.includes("infra");
+    const wantZt = input.planes.includes("zt");
+    const infra = wantInfra && input.env ? buildInfraPlane(input.env, input.provider) : { nodes: [], edges: [] };
+    const zt = wantZt && input.zt ? input.zt.plane : { nodes: [], edges: [] };
+    const trust = input.zt
+        ? input.zt.trust
+        : { source: "none", brokerReachable: false, authoritative: false };
+    const notes = [
+        ...(input.env?.notes ?? []),
+        ...(input.zt?.notes ?? []),
+        ...(input.extraNotes ?? []),
+    ];
+    return {
+        schemaVersion: "1.0",
+        metadata: {
+            provider: input.provider,
+            generatedAt: new Date().toISOString(),
+            host: input.env?.host.hostname ?? "unknown",
+            planes: input.planes,
+            trust,
+            ...(notes.length ? { notes } : {}),
+        },
+        infra,
+        zt,
+    };
+}
+//# sourceMappingURL=topologyNormalizer.js.map

package/build/shield/identity.d.ts

@@ -0,0 +1,53 @@
+/**
+ * MCP-side identity helper.
+ *
+ * Wraps GET /v1/mcp/identity (added in the role-RBAC commit on the Shield
+ * API side). The MCP server's broker_get_my_identity tool calls this so
+ * the LLM can introspect:
+ *   - which cert it's authenticated as
+ *   - what role that cert has (master | consumer)
+ *   - what org it belongs to
+ *
+ * Same Shield API request shape as every other call — fetched lazily through
+ * the BrokerConnector / ShieldClient so the broker handshake is reused.
+ *
+ * Why a separate module from src/shield/client.ts:
+ *   client.ts is the canonical Shield API client (45 admin tool methods).
+ *   Identity introspection is a different concern: it's used by ONE MCP
+ *   tool, doesn't fit the existing taxonomy, and is small enough that a
+ *   separate file improves discoverability.
+ */
+import type { ShieldClient } from "./client";
+export type Role = "master" | "consumer";
+export interface ClientIdentity {
+    /** Common Name from the cert presented to the broker handshake. */
+    cn: string | null;
+    /** RBAC role. Drives MCP tool filtering and Shield API requireMcpRole checks. */
+    role: Role;
+    /** Organization the cert is registered to. May be null for service accounts. */
+    orgId: string | null;
+    /** Friendly client name (e.g. "claude-desktop-userx2"). */
+    clientName: string | null;
+    /** Service tier (essentials | professional | enterprise). */
+    tier: string | null;
+    /** True for Blacksands-internal trusted backends (Overwatch, Architect, etc.). */
+    isServiceAccount: boolean;
+}
+/**
+ * Fetch the calling cert's identity from Shield API.
+ *
+ * Throws on:
+ *   - broker handshake failure
+ *   - non-200 from /v1/mcp/identity
+ *   - malformed response shape
+ */
+export declare function fetchClientIdentity(client: ShieldClient): Promise<ClientIdentity>;
+/**
+ * Synthetic identity used when the MCP server is in local-only mode
+ * (no broker connection possible). Always Consumer — the prototypical
+ * use case for local-only is "developer ran npx -y @blacksandscyber/
+ * mcp-server-shield with no token", which is exactly the Consumer
+ * persona.
+ */
+export declare function localOnlyIdentity(): ClientIdentity;
+//# sourceMappingURL=identity.d.ts.map

package/build/shield/identity.js

@@ -0,0 +1,70 @@
+"use strict";
+/**
+ * MCP-side identity helper.
+ *
+ * Wraps GET /v1/mcp/identity (added in the role-RBAC commit on the Shield
+ * API side). The MCP server's broker_get_my_identity tool calls this so
+ * the LLM can introspect:
+ *   - which cert it's authenticated as
+ *   - what role that cert has (master | consumer)
+ *   - what org it belongs to
+ *
+ * Same Shield API request shape as every other call — fetched lazily through
+ * the BrokerConnector / ShieldClient so the broker handshake is reused.
+ *
+ * Why a separate module from src/shield/client.ts:
+ *   client.ts is the canonical Shield API client (45 admin tool methods).
+ *   Identity introspection is a different concern: it's used by ONE MCP
+ *   tool, doesn't fit the existing taxonomy, and is small enough that a
+ *   separate file improves discoverability.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchClientIdentity = fetchClientIdentity;
+exports.localOnlyIdentity = localOnlyIdentity;
+/**
+ * Fetch the calling cert's identity from Shield API.
+ *
+ * Throws on:
+ *   - broker handshake failure
+ *   - non-200 from /v1/mcp/identity
+ *   - malformed response shape
+ */
+async function fetchClientIdentity(client) {
+    // ShieldClient.request() handles the broker handshake + URL resolution +
+    // session-token attachment. We just need to GET the right path. Returned
+    // shape is the Shield API envelope { success, identity }.
+    const env = await client.request("GET", "/mcp/identity");
+    if (!env || typeof env !== "object") {
+        throw new Error("Shield API /v1/mcp/identity returned a non-object response");
+    }
+    if (env.success !== true || !env.identity) {
+        throw new Error(`Shield API /v1/mcp/identity rejected the call: ${env.message || "no identity returned"}`);
+    }
+    const i = env.identity;
+    return {
+        cn: i.cn ?? null,
+        role: (i.role === "consumer" ? "consumer" : "master"),
+        orgId: i.orgId ?? null,
+        clientName: i.clientName ?? null,
+        tier: i.tier ?? null,
+        isServiceAccount: i.isServiceAccount ?? false,
+    };
+}
+/**
+ * Synthetic identity used when the MCP server is in local-only mode
+ * (no broker connection possible). Always Consumer — the prototypical
+ * use case for local-only is "developer ran npx -y @blacksandscyber/
+ * mcp-server-shield with no token", which is exactly the Consumer
+ * persona.
+ */
+function localOnlyIdentity() {
+    return {
+        cn: null,
+        role: "consumer",
+        orgId: null,
+        clientName: null,
+        tier: null,
+        isServiceAccount: false,
+    };
+}
+//# sourceMappingURL=identity.js.map