@datasynx/agentic-ai-cartography 1.1.1 → 2.0.0

package/dist/index.js

@@ -1,3 +1,5 @@
+import "./chunk-D6SRSLBF.js";
+
 // src/db.ts
 import Database from "better-sqlite3";
 import { mkdirSync } from "fs";
@@ -24,6 +26,14 @@ var NODE_TYPES = [
   "saas_tool",
   "unknown"
 ];
+var NODE_TYPE_GROUPS = {
+  saas: ["saas_tool"],
+  web: ["web_service", "api_endpoint"],
+  data: ["database_server", "database", "table", "cache_server"],
+  messaging: ["message_broker", "queue", "topic"],
+  infra: ["host", "container", "pod", "k8s_cluster"],
+  config: ["config_file"]
+};
 var EDGE_RELATIONSHIPS = [
   "connects_to",
   "reads_from",
@@ -33,7 +43,7 @@ var EDGE_RELATIONSHIPS = [
   "depends_on"
 ];
 var NodeSchema = z.object({
-  id: z.string().describe('Format: "{type}:{host}:{port}" oder "{type}:{name}"'),
+  id: z.string().describe('Format: "{type}:{host}:{port}" or "{type}:{name}"'),
   type: z.enum(NODE_TYPES),
   name: z.string(),
   discoveredVia: z.string(),
@@ -295,11 +305,15 @@ CREATE TABLE IF NOT EXISTS node_approvals (
 );
 
 CREATE INDEX IF NOT EXISTS idx_nodes_session ON nodes(session_id);
+CREATE INDEX IF NOT EXISTS idx_nodes_type ON nodes(session_id, type);
 CREATE INDEX IF NOT EXISTS idx_edges_session ON edges(session_id);
+CREATE INDEX IF NOT EXISTS idx_edges_source ON edges(session_id, source_id);
+CREATE INDEX IF NOT EXISTS idx_edges_target ON edges(session_id, target_id);
 CREATE INDEX IF NOT EXISTS idx_events_session ON activity_events(session_id);
 CREATE INDEX IF NOT EXISTS idx_events_task ON activity_events(task_id);
 CREATE INDEX IF NOT EXISTS idx_tasks_session ON tasks(session_id);
 CREATE INDEX IF NOT EXISTS idx_connections_session ON connections(session_id);
+CREATE INDEX IF NOT EXISTS idx_connections_lookup ON connections(session_id, source_asset_id, target_asset_id);
 `;
 var CartographyDB = class {
   db;
@@ -315,7 +329,8 @@ var CartographyDB = class {
     const version = this.db.pragma("user_version", { simple: true });
     if (version === 0) {
       this.db.exec(SCHEMA);
-      this.db.pragma("user_version = 2");
+      this.db.pragma("user_version = 4");
+      return;
     } else if (version === 1) {
       const cols = this.db.prepare("PRAGMA table_info(nodes)").all().map((c) => c.name);
       if (!cols.includes("domain")) this.db.exec("ALTER TABLE nodes ADD COLUMN domain TEXT");
@@ -331,14 +346,36 @@ var CartographyDB = class {
           created_at TEXT NOT NULL
         );
         CREATE INDEX IF NOT EXISTS idx_connections_session ON connections(session_id);
+        CREATE INDEX IF NOT EXISTS idx_connections_lookup ON connections(session_id, source_asset_id, target_asset_id);
+      `);
+      this.db.pragma("user_version = 3");
+    }
+    if (version === 2) {
+      this.db.exec("CREATE INDEX IF NOT EXISTS idx_connections_lookup ON connections(session_id, source_asset_id, target_asset_id)");
+      this.db.pragma("user_version = 3");
+    }
+    const current = this.db.pragma("user_version", { simple: true });
+    if (current < 4) {
+      this.db.exec(`
+        CREATE INDEX IF NOT EXISTS idx_nodes_type ON nodes(session_id, type);
+        CREATE INDEX IF NOT EXISTS idx_edges_source ON edges(session_id, source_id);
+        CREATE INDEX IF NOT EXISTS idx_edges_target ON edges(session_id, target_id);
       `);
-      this.db.pragma("user_version = 2");
+      this.db.pragma("user_version = 4");
     }
   }
   close() {
     this.db.pragma("optimize");
     this.db.close();
   }
+  /**
+   * Advanced: the underlying better-sqlite3 connection. Used by the optional
+   * semantic-search layer to load the `sqlite-vec` extension and manage its
+   * virtual table. Prefer the typed methods above for everything else.
+   */
+  rawConnection() {
+    return this.db;
+  }
   // ── Sessions ────────────────────────────
   createSession(mode, config) {
     const id = crypto.randomUUID();
@@ -395,10 +432,19 @@ var CartographyDB = class {
       node.qualityScore ?? null
     );
   }
-  getNodes(sessionId) {
-    const rows = this.db.prepare("SELECT * FROM nodes WHERE session_id = ?").all(sessionId);
+  getNodes(sessionId, opts) {
+    let sql = "SELECT * FROM nodes WHERE session_id = ?";
+    if (opts?.limit) {
+      sql += ` LIMIT ${opts.limit}`;
+      if (opts.offset) sql += ` OFFSET ${opts.offset}`;
+    }
+    const rows = this.db.prepare(sql).all(sessionId);
     return rows.map((r) => this.mapNode(r));
   }
+  getNodeCount(sessionId) {
+    const row = this.db.prepare("SELECT COUNT(*) as cnt FROM nodes WHERE session_id = ?").get(sessionId);
+    return row.cnt;
+  }
   mapNode(r) {
     const v = NodeRowSchema.parse(r);
     return {
@@ -442,8 +488,13 @@ var CartographyDB = class {
       (/* @__PURE__ */ new Date()).toISOString()
     );
   }
-  getEdges(sessionId) {
-    const rows = this.db.prepare("SELECT * FROM edges WHERE session_id = ?").all(sessionId);
+  getEdges(sessionId, opts) {
+    let sql = "SELECT * FROM edges WHERE session_id = ?";
+    if (opts?.limit) {
+      sql += ` LIMIT ${opts.limit}`;
+      if (opts.offset) sql += ` OFFSET ${opts.offset}`;
+    }
+    const rows = this.db.prepare(sql).all(sessionId);
     return rows.map((r) => {
       const v = EdgeRowSchema.parse(r);
       return {
@@ -645,6 +696,133 @@ var CartographyDB = class {
     }
     return rows.length;
   }
+  // ── Graph queries (read-only context layer) ─────────────────────────────────
+  /** Fetch a single node by id within a session. */
+  getNode(sessionId, nodeId) {
+    const row = this.db.prepare("SELECT * FROM nodes WHERE session_id = ? AND id = ?").get(sessionId, nodeId);
+    return row ? this.mapNode(row) : void 0;
+  }
+  /** Batch-fetch nodes by id, keyed for O(1) lookup. Chunked to stay under SQLite's bind-variable limit. */
+  getNodesByIds(sessionId, ids) {
+    const out = /* @__PURE__ */ new Map();
+    for (let i = 0; i < ids.length; i += 900) {
+      const chunk = ids.slice(i, i + 900);
+      const placeholders = chunk.map(() => "?").join(",");
+      const rows = this.db.prepare(
+        `SELECT * FROM nodes WHERE session_id = ? AND id IN (${placeholders})`
+      ).all(sessionId, ...chunk);
+      for (const r of rows) {
+        const n = this.mapNode(r);
+        out.set(n.id, n);
+      }
+    }
+    return out;
+  }
+  /** Fetch all nodes of one or more types. */
+  getNodesByType(sessionId, types) {
+    if (types.length === 0) return [];
+    const placeholders = types.map(() => "?").join(",");
+    const rows = this.db.prepare(
+      `SELECT * FROM nodes WHERE session_id = ? AND type IN (${placeholders})`
+    ).all(sessionId, ...types);
+    return rows.map((r) => this.mapNode(r));
+  }
+  /**
+   * Lexical search over node id, name, domain, sub-domain and tags.
+   * Case-insensitive substring match — the deterministic fallback for semantic search.
+   */
+  searchNodes(sessionId, query, opts) {
+    const q = `%${query.trim().toLowerCase()}%`;
+    const params = [sessionId, q, q, q, q, q];
+    let sql = `
+      SELECT * FROM nodes
+      WHERE session_id = ?
+        AND (
+          lower(id) LIKE ? OR lower(name) LIKE ?
+          OR lower(COALESCE(domain, '')) LIKE ?
+          OR lower(COALESCE(sub_domain, '')) LIKE ?
+          OR lower(tags) LIKE ?
+        )`;
+    if (opts?.types && opts.types.length > 0) {
+      sql += ` AND type IN (${opts.types.map(() => "?").join(",")})`;
+      params.push(...opts.types);
+    }
+    sql += " ORDER BY confidence DESC";
+    if (opts?.limit) sql += ` LIMIT ${Math.max(1, Math.floor(opts.limit))}`;
+    const rows = this.db.prepare(sql).all(...params);
+    return rows.map((r) => this.mapNode(r));
+  }
+  /**
+   * Traverse the dependency graph from a node using a recursive CTE with a
+   * path-based cycle guard. `downstream` follows source→target (what the node
+   * depends on / points to); `upstream` follows target→source (what depends on it).
+   */
+  getDependencies(sessionId, nodeId, opts = {}) {
+    const direction = opts.direction ?? "downstream";
+    const maxDepth = Math.max(1, Math.min(opts.maxDepth ?? 8, 64));
+    const root = this.getNode(sessionId, nodeId);
+    const depthById = /* @__PURE__ */ new Map();
+    const collect = (dir) => {
+      const [from, to] = dir === "downstream" ? ["source_id", "target_id"] : ["target_id", "source_id"];
+      const sql = `
+        WITH RECURSIVE walk(node_id, depth, path) AS (
+          SELECT ?, 0, char(10) || ? || char(10)
+          UNION ALL
+          SELECT e.${to}, w.depth + 1, w.path || e.${to} || char(10)
+          FROM edges e JOIN walk w ON e.${from} = w.node_id
+          WHERE e.session_id = ?
+            AND w.depth < ?
+            AND instr(w.path, char(10) || e.${to} || char(10)) = 0
+        )
+        SELECT node_id, MIN(depth) AS depth FROM walk WHERE node_id != ? GROUP BY node_id`;
+      const rows = this.db.prepare(sql).all(nodeId, nodeId, sessionId, maxDepth, nodeId);
+      for (const r of rows) {
+        const prev = depthById.get(r.node_id);
+        if (prev === void 0 || r.depth < prev) depthById.set(r.node_id, r.depth);
+      }
+    };
+    if (direction === "both") {
+      collect("downstream");
+      collect("upstream");
+    } else collect(direction);
+    const byId = this.getNodesByIds(sessionId, [...depthById.keys()]);
+    const nodes = [...depthById.entries()].map(([id, depth]) => {
+      const n = byId.get(id);
+      return n ? { ...n, depth } : void 0;
+    }).filter((n) => n !== void 0).sort((a, b) => a.depth - b.depth);
+    const reachable = /* @__PURE__ */ new Set([nodeId, ...depthById.keys()]);
+    const edges = this.getEdges(sessionId).filter((e) => reachable.has(e.sourceId) && reachable.has(e.targetId));
+    return { root, direction, maxDepth, nodes, edges };
+  }
+  /** Lightweight aggregate index of the whole topology — the progressive-disclosure summary. */
+  getGraphSummary(sessionId) {
+    const totals = {
+      nodes: this.db.prepare("SELECT COUNT(*) c FROM nodes WHERE session_id = ?").get(sessionId).c,
+      edges: this.db.prepare("SELECT COUNT(*) c FROM edges WHERE session_id = ?").get(sessionId).c
+    };
+    const byType = {};
+    for (const r of this.db.prepare("SELECT type, COUNT(*) c FROM nodes WHERE session_id = ? GROUP BY type").all(sessionId)) {
+      byType[r.type] = r.c;
+    }
+    const byDomain = {};
+    for (const r of this.db.prepare("SELECT COALESCE(domain, '(none)') d, COUNT(*) c FROM nodes WHERE session_id = ? GROUP BY d").all(sessionId)) {
+      byDomain[r.d] = r.c;
+    }
+    const byRelationship = {};
+    for (const r of this.db.prepare("SELECT relationship rel, COUNT(*) c FROM edges WHERE session_id = ? GROUP BY rel").all(sessionId)) {
+      byRelationship[r.rel] = r.c;
+    }
+    const topConnected = this.db.prepare(`
+      SELECT n.id, n.name, n.type, COUNT(e.id) AS degree
+      FROM nodes n
+      LEFT JOIN edges e ON e.session_id = n.session_id AND (e.source_id = n.id OR e.target_id = n.id)
+      WHERE n.session_id = ?
+      GROUP BY n.id, n.name, n.type
+      ORDER BY degree DESC, n.confidence DESC
+      LIMIT 10
+    `).all(sessionId);
+    return { sessionId, totals, nodesByType: byType, nodesByDomain: byDomain, edgesByRelationship: byRelationship, topConnected };
+  }
   // ── Stats ───────────────────────────────
   getStats(sessionId) {
     const nodes = this.db.prepare("SELECT COUNT(*) as c FROM nodes WHERE session_id = ?").get(sessionId).c;
@@ -655,8 +833,354 @@ var CartographyDB = class {
   }
 };
 
-// src/tools.ts
+// src/mcp/server.ts
+import { McpServer, ResourceTemplate } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { z as z3 } from "zod";
+var SERVER_NAME = "cartography";
+var SERVER_VERSION = "2.0.0";
+var SERVICE_TYPES = NODE_TYPE_GROUPS.web;
+var DATA_TYPES = NODE_TYPE_GROUPS.data;
+var lexicalSearch = async (db, sessionId, query, opts) => db.searchNodes(sessionId, query, { types: opts.types, limit: opts.limit }).map((node) => ({ node }));
+function compactNode(n) {
+  return {
+    id: n.id,
+    type: n.type,
+    name: n.name,
+    confidence: n.confidence,
+    ...n.domain ? { domain: n.domain } : {},
+    ...n.tags.length ? { tags: n.tags } : {}
+  };
+}
+function json(data) {
+  return { content: [{ type: "text", text: JSON.stringify(data, null, 2) }] };
+}
+function summaryText(s) {
+  const lines = [
+    `# Infrastructure topology \u2014 session ${s.sessionId}`,
+    ``,
+    `Totals: ${s.totals.nodes} nodes, ${s.totals.edges} edges`,
+    ``,
+    `Nodes by type:`,
+    ...Object.entries(s.nodesByType).sort((a, b) => b[1] - a[1]).map(([t, c]) => `  - ${t}: ${c}`),
+    ``,
+    `Nodes by domain:`,
+    ...Object.entries(s.nodesByDomain).sort((a, b) => b[1] - a[1]).map(([d, c]) => `  - ${d}: ${c}`),
+    ``,
+    `Edges by relationship:`,
+    ...Object.entries(s.edgesByRelationship).sort((a, b) => b[1] - a[1]).map(([r, c]) => `  - ${r}: ${c}`),
+    ``,
+    `Most connected:`,
+    ...s.topConnected.map((n) => `  - ${n.id} (${n.type}) \u2014 degree ${n.degree}`),
+    ``,
+    `Read cartography://nodes/{id} or cartography://dependencies/{id} for detail.`
+  ];
+  return lines.join("\n");
+}
+function createMcpServer(opts = {}) {
+  const db = opts.db ?? new CartographyDB(opts.dbPath ?? defaultConfig().dbPath);
+  const search = opts.search ?? lexicalSearch;
+  const resolveSession = () => {
+    if (opts.session && opts.session !== "latest") return opts.session;
+    return db.getLatestSession("discover")?.id ?? db.getLatestSession()?.id;
+  };
+  const server = new McpServer(
+    { name: SERVER_NAME, version: SERVER_VERSION },
+    {
+      capabilities: { resources: { subscribe: true, listChanged: true }, tools: {}, prompts: {}, logging: {} },
+      instructions: "Cartography exposes a discovered infrastructure/SaaS topology. Start by reading cartography://graph/summary for a low-token overview, then drill into specific nodes via cartography://nodes/{id} or query with the query_infrastructure / get_dependencies tools."
+    }
+  );
+  server.registerResource(
+    "graph-summary",
+    "cartography://graph/summary",
+    { title: "Topology summary", description: "Low-token aggregate index of the whole landscape \u2014 read this first.", mimeType: "text/markdown" },
+    (uri) => {
+      const sid = resolveSession();
+      if (!sid) return { contents: [{ uri: uri.href, mimeType: "text/markdown", text: "No discovery session found. Run discovery first." }] };
+      return { contents: [{ uri: uri.href, mimeType: "text/markdown", text: summaryText(db.getGraphSummary(sid)) }] };
+    }
+  );
+  server.registerResource(
+    "nodes-index",
+    "cartography://nodes",
+    { title: "Node index", description: "Lightweight list of all nodes (id, type, name only).", mimeType: "application/json" },
+    (uri) => {
+      const sid = resolveSession();
+      const nodes = sid ? db.getNodes(sid) : [];
+      return { contents: [{ uri: uri.href, mimeType: "application/json", text: JSON.stringify({ count: nodes.length, nodes: nodes.map((n) => ({ id: n.id, type: n.type, name: n.name })) }, null, 2) }] };
+    }
+  );
+  server.registerResource(
+    "node-detail",
+    new ResourceTemplate("cartography://nodes/{id}", { list: void 0 }),
+    { title: "Node detail", description: "Full node record plus its incident edges.", mimeType: "application/json" },
+    (uri, variables) => {
+      const sid = resolveSession();
+      const id = decodeURIComponent(String(variables["id"]));
+      const node = sid ? db.getNode(sid, id) : void 0;
+      if (!node) return { contents: [{ uri: uri.href, mimeType: "application/json", text: JSON.stringify({ error: `node not found: ${id}` }) }] };
+      const edges = db.getEdges(sid).filter((e) => e.sourceId === id || e.targetId === id);
+      return { contents: [{ uri: uri.href, mimeType: "application/json", text: JSON.stringify({ node, edges }, null, 2) }] };
+    }
+  );
+  const typedListResource = (name, uri, title, types) => server.registerResource(name, uri, { title, description: `Nodes of type: ${types.join(", ")}.`, mimeType: "application/json" }, (u) => {
+    const sid = resolveSession();
+    const nodes = sid ? db.getNodesByType(sid, types) : [];
+    return { contents: [{ uri: u.href, mimeType: "application/json", text: JSON.stringify({ count: nodes.length, nodes: nodes.map(compactNode) }, null, 2) }] };
+  });
+  typedListResource("services", "cartography://services", "Services", SERVICE_TYPES);
+  typedListResource("databases", "cartography://databases", "Data stores", DATA_TYPES);
+  server.registerResource(
+    "dependencies",
+    new ResourceTemplate("cartography://dependencies/{id}", { list: void 0 }),
+    { title: "Dependencies", description: "Transitive downstream dependencies of a node.", mimeType: "application/json" },
+    (uri, variables) => {
+      const sid = resolveSession();
+      const id = decodeURIComponent(String(variables["id"]));
+      if (!sid) return { contents: [{ uri: uri.href, mimeType: "application/json", text: JSON.stringify({ error: "no session" }) }] };
+      const r = db.getDependencies(sid, id, { direction: "downstream", maxDepth: 8 });
+      return { contents: [{ uri: uri.href, mimeType: "application/json", text: JSON.stringify({ root: id, count: r.nodes.length, nodes: r.nodes.map((n) => ({ ...compactNode(n), depth: n.depth })) }, null, 2) }] };
+    }
+  );
+  server.registerResource(
+    "sessions",
+    "cartography://sessions",
+    { title: "Discovery sessions", description: "All discovery sessions in the catalog.", mimeType: "application/json" },
+    (uri) => ({ contents: [{ uri: uri.href, mimeType: "application/json", text: JSON.stringify(db.getSessions(), null, 2) }] })
+  );
+  server.registerTool(
+    "get_summary",
+    { title: "Get topology summary", description: "Low-token overview of the whole landscape (counts, types, domains, most-connected).", inputSchema: {} },
+    () => {
+      const sid = resolveSession();
+      if (!sid) return json({ error: "No discovery session found." });
+      return json(db.getGraphSummary(sid));
+    }
+  );
+  server.registerTool(
+    "query_infrastructure",
+    {
+      title: "Query infrastructure",
+      description: "Search the topology by name/id/domain (optionally filtered by node type). Returns compact node records.",
+      inputSchema: {
+        query: z3.string().describe('Free-text query, e.g. "postgres", "auth", "github"'),
+        types: z3.array(z3.enum(NODE_TYPES)).optional().describe("Restrict to these node types"),
+        limit: z3.number().int().min(1).max(200).default(25).optional()
+      }
+    },
+    async (args) => {
+      const sid = resolveSession();
+      if (!sid) return json({ error: "No discovery session found." });
+      const results = await search(db, sid, args.query, { types: args.types, limit: args.limit ?? 25 });
+      return json({ count: results.length, results: results.map((r) => ({ ...compactNode(r.node), ...r.score !== void 0 ? { score: r.score } : {} })) });
+    }
+  );
+  server.registerTool(
+    "search_topology",
+    {
+      title: "Search topology (semantic)",
+      description: "Find nodes related to a concept by meaning (semantic search when available, lexical otherwise).",
+      inputSchema: { query: z3.string(), limit: z3.number().int().min(1).max(100).default(10).optional() }
+    },
+    async (args) => {
+      const sid = resolveSession();
+      if (!sid) return json({ error: "No discovery session found." });
+      const results = await search(db, sid, args.query, { limit: args.limit ?? 10 });
+      return json({ count: results.length, results: results.map((r) => ({ ...compactNode(r.node), ...r.score !== void 0 ? { score: r.score } : {} })) });
+    }
+  );
+  server.registerTool(
+    "list_services",
+    {
+      title: "List services",
+      description: "List discovered services or data stores.",
+      inputSchema: { kind: z3.enum(["services", "databases", "all"]).default("all").optional() }
+    },
+    (args) => {
+      const sid = resolveSession();
+      if (!sid) return json({ error: "No discovery session found." });
+      const kind = args.kind ?? "all";
+      const types = kind === "services" ? SERVICE_TYPES : kind === "databases" ? DATA_TYPES : [...SERVICE_TYPES, ...DATA_TYPES];
+      return json(db.getNodesByType(sid, types).map(compactNode));
+    }
+  );
+  server.registerTool(
+    "get_node",
+    { title: "Get node", description: "Fetch a single node with its incident edges.", inputSchema: { id: z3.string() } },
+    (args) => {
+      const sid = resolveSession();
+      if (!sid) return json({ error: "No discovery session found." });
+      const node = db.getNode(sid, args.id);
+      if (!node) return json({ error: `node not found: ${args.id}` });
+      const edges = db.getEdges(sid).filter((e) => e.sourceId === args.id || e.targetId === args.id);
+      return json({ node, edges });
+    }
+  );
+  server.registerTool(
+    "get_dependencies",
+    {
+      title: "Get dependencies",
+      description: "Traverse the dependency graph from a node (downstream/upstream/both) with a depth limit.",
+      inputSchema: {
+        id: z3.string(),
+        direction: z3.enum(["downstream", "upstream", "both"]).default("downstream").optional(),
+        maxDepth: z3.number().int().min(1).max(64).default(8).optional()
+      }
+    },
+    (args) => {
+      const sid = resolveSession();
+      if (!sid) return json({ error: "No discovery session found." });
+      const r = db.getDependencies(sid, args.id, { direction: args.direction ?? "downstream", maxDepth: args.maxDepth ?? 8 });
+      return json({
+        root: r.root ? compactNode(r.root) : null,
+        direction: r.direction,
+        count: r.nodes.length,
+        nodes: r.nodes.map((n) => ({ ...compactNode(n), depth: n.depth })),
+        edges: r.edges.map((e) => ({ from: e.sourceId, to: e.targetId, rel: e.relationship }))
+      });
+    }
+  );
+  if (opts.discovery) {
+    const discovery = opts.discovery;
+    server.registerTool(
+      "run_discovery",
+      {
+        title: "Run discovery",
+        description: "Scan the local system (read-only) and update the catalog. Returns counts of nodes/edges found.",
+        inputSchema: { hint: z3.string().optional().describe("Optional focus, e.g. tool names to look for") }
+      },
+      async (args) => {
+        let sid = resolveSession();
+        if (!sid) sid = db.createSession("discover", defaultConfig());
+        const result = await discovery(db, sid, { hint: args.hint });
+        server.server.sendResourceUpdated({ uri: "cartography://graph/summary" }).catch(() => {
+        });
+        server.server.sendResourceListChanged?.();
+        return json({ session: sid, ...result });
+      }
+    );
+  }
+  server.registerPrompt(
+    "audit-attack-surface",
+    { title: "Audit attack surface", description: "Review the discovered topology for externally-reachable services and risky dependencies." },
+    () => ({
+      messages: [{
+        role: "user",
+        content: { type: "text", text: "Read cartography://graph/summary and cartography://services. Identify externally-reachable services, data stores with broad inbound dependencies, and any node with low confidence that warrants verification. Use get_dependencies to assess blast radius. Summarize the attack surface and concrete hardening recommendations." }
+      }]
+    })
+  );
+  server.registerPrompt(
+    "map-service-dependencies",
+    {
+      title: "Map service dependencies",
+      description: "Produce a dependency map for a given service.",
+      argsSchema: { service: z3.string().describe("Service node id or name") }
+    },
+    (args) => ({
+      messages: [{
+        role: "user",
+        content: { type: "text", text: `Use query_infrastructure to locate "${args.service}", then get_dependencies (direction=both) to map everything it depends on and everything that depends on it. Present the result as a clear dependency tree and call out single points of failure.` }
+      }]
+    })
+  );
+  server.registerPrompt(
+    "onboard-to-system",
+    { title: "Onboard to system", description: "Explain the system landscape to a new engineer." },
+    () => ({
+      messages: [{
+        role: "user",
+        content: { type: "text", text: "Read cartography://graph/summary, then cartography://services and cartography://databases. Write a concise onboarding briefing for a new engineer: what the major systems are, how they connect, which data stores are central, and where to look first." }
+      }]
+    })
+  );
+  return server;
+}
+
+// src/mcp/transports.ts
+import { randomUUID } from "crypto";
+import http from "http";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+async function runStdio(server) {
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+}
+async function readJsonBody(req) {
+  const chunks = [];
+  for await (const chunk of req) chunks.push(chunk);
+  if (chunks.length === 0) return void 0;
+  try {
+    return JSON.parse(Buffer.concat(chunks).toString("utf8"));
+  } catch {
+    return void 0;
+  }
+}
+async function runHttp(factory, opts = {}) {
+  const host = opts.host ?? "127.0.0.1";
+  const port = opts.port ?? 3737;
+  const allowedHosts = opts.allowedHosts ?? [`${host}:${port}`, `localhost:${port}`, `127.0.0.1:${port}`];
+  const transports = /* @__PURE__ */ new Map();
+  const httpServer = http.createServer(async (req, res) => {
+    try {
+      const url = req.url ?? "";
+      if (!url.startsWith("/mcp")) {
+        res.writeHead(404, { "content-type": "application/json" }).end('{"error":"not found"}');
+        return;
+      }
+      const sessionId = req.headers["mcp-session-id"];
+      const existing = sessionId ? transports.get(sessionId) : void 0;
+      if (existing) {
+        const body2 = req.method === "POST" ? await readJsonBody(req) : void 0;
+        await existing.handleRequest(req, res, body2);
+        return;
+      }
+      if (req.method !== "POST") {
+        res.writeHead(400, { "content-type": "application/json" }).end('{"error":"missing or unknown mcp-session-id"}');
+        return;
+      }
+      const body = await readJsonBody(req);
+      const transport = new StreamableHTTPServerTransport({
+        sessionIdGenerator: () => randomUUID(),
+        enableDnsRebindingProtection: true,
+        allowedHosts,
+        ...opts.allowedOrigins ? { allowedOrigins: opts.allowedOrigins } : {},
+        onsessioninitialized: (id) => {
+          transports.set(id, transport);
+        }
+      });
+      transport.onclose = () => {
+        if (transport.sessionId) transports.delete(transport.sessionId);
+      };
+      await factory().connect(transport);
+      await transport.handleRequest(req, res, body);
+    } catch {
+      if (!res.headersSent) res.writeHead(500, { "content-type": "application/json" }).end('{"error":"internal error"}');
+    }
+  });
+  await new Promise((resolve) => httpServer.listen(port, host, resolve));
+  return httpServer;
+}
+
+// src/scanners/types.ts
+var ScannerRegistry = class {
+  scanners = /* @__PURE__ */ new Map();
+  register(scanner) {
+    if (this.scanners.has(scanner.id)) throw new Error(`scanner already registered: ${scanner.id}`);
+    this.scanners.set(scanner.id, scanner);
+    return this;
+  }
+  get(id) {
+    return this.scanners.get(id);
+  }
+  list() {
+    return [...this.scanners.values()];
+  }
+  /** Scanners whose `platforms` include the given platform. */
+  forPlatform(platform) {
+    return this.list().filter((s) => s.platforms === "all" || s.platforms.includes(platform));
+  }
+};
 
 // src/bookmarks.ts
 import { tmpdir } from "os";
@@ -668,6 +1192,340 @@ import { homedir } from "os";
 import { join } from "path";
 import { execSync } from "child_process";
 import { existsSync } from "fs";
+
+// src/allowlist.ts
+var READONLY_BINARIES = /* @__PURE__ */ new Set([
+  // shell & text utilities
+  "echo",
+  "printf",
+  "true",
+  "false",
+  "test",
+  "cat",
+  "head",
+  "tail",
+  "grep",
+  "egrep",
+  "fgrep",
+  "awk",
+  "sed",
+  "cut",
+  "sort",
+  "uniq",
+  "wc",
+  "tr",
+  "xargs",
+  "tee",
+  "ls",
+  "find",
+  "which",
+  "command",
+  "type",
+  "basename",
+  "dirname",
+  "realpath",
+  "readlink",
+  "stat",
+  "file",
+  "printenv",
+  "date",
+  "hostname",
+  "uname",
+  "whoami",
+  "id",
+  "pwd",
+  "expr",
+  "seq",
+  "tac",
+  "rev",
+  "column",
+  "paste",
+  // network & process inspection (read-only)
+  "ss",
+  "netstat",
+  "lsof",
+  "ps",
+  "ip",
+  "ifconfig",
+  "arp",
+  "dig",
+  "nslookup",
+  "host",
+  // database clients (read-only usage is enforced separately for risky verbs)
+  "psql",
+  "mysql",
+  "mysqladmin",
+  "mongosh",
+  "redis-cli",
+  "sqlite3",
+  "pg_lsclusters",
+  "clickhouse-client",
+  // macOS
+  "mdfind"
+]);
+var CONDITIONAL_BINARIES = /* @__PURE__ */ new Set(["tee"]);
+var PKG_MANAGERS = /* @__PURE__ */ new Set(["dpkg", "rpm", "snap", "flatpak", "brew", "winget", "choco", "scoop", "apt-cache"]);
+var MUTATING_PKG = /^(install|uninstall|reinstall|remove|purge|erase|upgrade|update|add|delete|pin|enable|disable|-i|--install|-r|--remove|-P|--purge|-e|--erase|-U|--upgrade|-F|--freshen)$/i;
+var COMMAND_RUNNERS = /* @__PURE__ */ new Set(["xargs", "env", "nice", "nohup", "timeout", "time", "stdbuf", "watch", "sudo"]);
+var DANGEROUS_PS = /\b(Remove-Item|Remove-ItemProperty|Move-Item|Copy-Item|Rename-Item|New-Item|New-Service|Set-Content|Add-Content|Clear-Content|Out-File|Set-ItemProperty|Set-Service|Stop-Process|Stop-Service|Start-Service|Restart-Service|Stop-Computer|Restart-Computer|Format-Volume|Clear-Disk|Remove-\w+|Uninstall-\w+|Install-\w+|Set-\w+|New-\w+|Start-\w+|Stop-\w+|Restart-\w+|Invoke-Expression|iex|Invoke-WebRequest|Invoke-RestMethod|Invoke-Command|Start-Process|Register-\w+|Unregister-\w+|Disable-\w+|Enable-\w+|Reset-\w+|del|rmdir|rd)\b/i;
+var DANGEROUS_POSIX = /\b(rm|rmdir|mv|dd|mkfs|chmod|chown|chgrp|kill|killall|pkill|reboot|shutdown|poweroff|halt|truncate|shred|fdisk|parted)\b/i;
+var SUBCOMMAND_RULES = {
+  kubectl: (t) => allowFirstVerb(t, ["get", "describe", "top", "logs", "explain", "config", "version", "cluster-info", "api-resources", "api-versions", "auth"]),
+  docker: (t) => allowFirstVerb(t, ["ps", "images", "inspect", "version", "info", "logs", "stats", "top", "port", "history", "diff", "system", "context", "volume", "network", "image", "container"]) && !hasMutatingDockerVerb(t),
+  podman: (t) => SUBCOMMAND_RULES["docker"](t),
+  helm: (t) => allowFirstVerb(t, ["list", "ls", "status", "get", "show", "history", "version", "repo", "search", "env"]),
+  systemctl: (t) => allowFirstVerb(t, ["status", "show", "list-units", "list-unit-files", "list-sockets", "list-timers", "list-dependencies", "is-active", "is-enabled", "is-failed", "cat", "get-default", "show-environment"]),
+  service: (t) => t.some((x) => /^status$/i.test(x)),
+  // cloud CLIs: read-only actions only — must contain a read verb, never a mutating one
+  aws: (t) => containsAwsReadAction(t) && !hasMutatingCloudVerb(t),
+  gcloud: (t) => (hasToken(t, ["list", "describe"]) || isInfoOnly(t)) && !hasMutatingCloudVerb(t),
+  az: (t) => (hasToken(t, ["list", "show"]) || isInfoOnly(t)) && !hasMutatingCloudVerb(t),
+  // version control (read-only verbs only)
+  git: (t) => allowFirstVerb(t, ["status", "log", "show", "diff", "branch", "remote", "config", "rev-parse", "ls-files", "ls-remote", "describe", "tag", "shortlog", "cat-file", "symbolic-ref"]),
+  gh: (t) => allowFirstVerb(t, ["repo", "pr", "issue", "release", "api", "auth", "status"]) && hasToken(t, ["list", "view", "status", "get"])
+};
+var FETCH_RULES = {
+  curl: (t) => !t.some((x) => /^-X$/i.test(x) || /^--request$/i.test(x) || /^-[dF]$/.test(x) || /^--data/i.test(x) || /^--form$/i.test(x) || /^-[oO]$/.test(x) || /^--output$/i.test(x) || /^--upload-file$/i.test(x)),
+  wget: (t) => !t.some((x) => /^-O$/.test(x) || /^--output-document/i.test(x) || /^--post-data/i.test(x) || /^--method/i.test(x) || /^-i$/.test(x))
+};
+var READONLY_PS_VERBS = /* @__PURE__ */ new Set([
+  "get",
+  "select",
+  "where",
+  "measure",
+  "sort",
+  "format",
+  "out",
+  "convertto",
+  "convertfrom",
+  "compare",
+  "test",
+  "resolve",
+  "split",
+  "join",
+  "group",
+  "foreach",
+  "write",
+  "read",
+  "show",
+  "find",
+  "search",
+  "tee"
+]);
+var READONLY_PS_BARE = /* @__PURE__ */ new Set(["where", "select", "sort", "foreach", "ft", "fl", "gci", "gc", "gm", "gps", "gsv", "echo", "write-host", "write-output"]);
+function allowFirstVerb(tokens, verbs) {
+  const verb = tokens.find((t) => !t.startsWith("-"));
+  return verb !== void 0 && verbs.includes(verb.toLowerCase());
+}
+function hasToken(tokens, any) {
+  const lower = tokens.map((t) => t.toLowerCase());
+  return any.some((a) => lower.includes(a));
+}
+function isInfoOnly(tokens) {
+  return hasToken(tokens, ["config", "account", "version", "info"]);
+}
+var MUTATING_CLOUD = /^(create|delete|update|put|set|add|remove|deploy|run|start|stop|restart|reboot|terminate|modify|attach|detach|associate|disassociate|enable|disable|invoke|exec|apply|destroy|scale|patch|register|deregister|import|copy|move|rename|reset|rotate|revoke|grant)([-_].*)?$/i;
+function hasMutatingCloudVerb(tokens) {
+  return tokens.some((t) => !t.startsWith("-") && MUTATING_CLOUD.test(t));
+}
+function containsAwsReadAction(tokens) {
+  return tokens.some((t) => /^(describe|list|get|lookup|search|scan|view|ls)[-_a-z0-9]*$/i.test(t) || t.toLowerCase() === "ls");
+}
+function hasMutatingDockerVerb(tokens) {
+  return tokens.some((t) => /^(run|rm|rmi|exec|build|push|pull|start|stop|kill|create|commit|cp|save|load|tag|login|logout|prune|kill|restart|pause|unpause|rename|update|export|import)$/i.test(t));
+}
+function splitSegments(cmd) {
+  const segments = [];
+  let buf = "";
+  let quote = null;
+  for (let i = 0; i < cmd.length; i++) {
+    const c = cmd[i];
+    const next = cmd[i + 1];
+    if (quote) {
+      buf += c;
+      if (c === quote) quote = null;
+      continue;
+    }
+    if (c === '"' || c === "'") {
+      quote = c;
+      buf += c;
+      continue;
+    }
+    if (c === "|" && next === "|" || c === "&" && next === "&") {
+      segments.push(buf);
+      buf = "";
+      i++;
+      continue;
+    }
+    if (c === "|" || c === ";" || c === "\n") {
+      segments.push(buf);
+      buf = "";
+      continue;
+    }
+    buf += c;
+  }
+  segments.push(buf);
+  return segments.map((s) => s.trim()).filter(Boolean);
+}
+function tokenize(segment) {
+  const tokens = [];
+  let buf = "";
+  let quote = null;
+  let started = false;
+  const push = () => {
+    if (started) {
+      tokens.push(buf);
+      buf = "";
+      started = false;
+    }
+  };
+  for (let i = 0; i < segment.length; i++) {
+    const c = segment[i];
+    if (quote) {
+      if (c === quote) quote = null;
+      else buf += c;
+      started = true;
+      continue;
+    }
+    if (c === '"' || c === "'") {
+      quote = c;
+      started = true;
+      continue;
+    }
+    if (c === " " || c === "	") {
+      push();
+      continue;
+    }
+    buf += c;
+    started = true;
+  }
+  push();
+  return tokens;
+}
+function baseName(executable) {
+  const noPath = executable.split(/[\\/]/).pop() ?? executable;
+  return noPath.toLowerCase();
+}
+function findIsReadOnly(rest) {
+  return !rest.some((t) => /^-(exec|execdir|ok|okdir|delete|fprintf|fprint|fls)$/i.test(t));
+}
+function awkSedIsReadOnly(exe, rest) {
+  const program = rest.join(" ");
+  if (exe === "awk") return !/\bsystem\s*\(/.test(program) && !/\|\s*["']/.test(program) && !/print\s*>/.test(program);
+  return !/(^|;|\{|\s)e\b/.test(program) && !/s[^\s]*\/[a-z]*e[a-z]*\b/i.test(program) && !/\bw\s+\S/.test(program);
+}
+function isWriteRedirect(segment) {
+  const stripped = segment.replace(/\d?>>?\s*\/dev\/null/g, "").replace(/\d?>\s*&\s*\d/g, "").replace(/\d?>\s*\$null/gi, "");
+  return /(^|[^0-9&])>>?/.test(stripped);
+}
+function checkReadOnly(command, opts = {}) {
+  const cmd = command.trim();
+  if (!cmd) return { allowed: false, reason: "empty command" };
+  if (opts.shell === "powershell") {
+    if (isWriteRedirect(cmd)) return { allowed: false, reason: "file-writing redirect is not allowed" };
+    if (DANGEROUS_PS.test(cmd)) return { allowed: false, reason: "mutating PowerShell cmdlet is not allowed" };
+    if (DANGEROUS_POSIX.test(cmd)) return { allowed: false, reason: "destructive command is not allowed" };
+    return { allowed: true };
+  }
+  if (/\$\(|`/.test(cmd)) return { allowed: false, reason: "command substitution is not allowed" };
+  if (isWriteRedirect(cmd)) return { allowed: false, reason: "file-writing redirect is not allowed" };
+  for (const segment of splitSegments(cmd)) {
+    const r = checkSegment(segment);
+    if (!r.allowed) return r;
+  }
+  return { allowed: true };
+}
+function checkSegment(segment) {
+  let tokens = tokenize(segment).filter((t) => !/^[A-Za-z_][A-Za-z0-9_]*=/.test(t)).filter((t) => t !== "{" && t !== "}" && t !== "(" && t !== ")");
+  if (tokens.length === 0) return { allowed: true };
+  let exe = baseName(tokens[0]);
+  let rest = tokens.slice(1);
+  while (COMMAND_RUNNERS.has(exe)) {
+    const inner = [];
+    let i = 0;
+    for (; i < rest.length; i++) {
+      const t = rest[i];
+      if (t.startsWith("-")) {
+        if (/^-(I|n|L|P|d|s|E|u|g)$/.test(t)) i++;
+        continue;
+      }
+      inner.push(...rest.slice(i));
+      break;
+    }
+    if (inner.length === 0) return { allowed: true };
+    exe = baseName(inner[0]);
+    rest = inner.slice(1);
+  }
+  if (exe === "find") {
+    if (!findIsReadOnly(rest)) return { allowed: false, reason: "find: -exec/-delete is not allowed" };
+    return { allowed: true };
+  }
+  if (exe === "awk" || exe === "sed") {
+    if (!awkSedIsReadOnly(exe, rest)) return { allowed: false, reason: `${exe}: program may not shell out or write files` };
+    return { allowed: true };
+  }
+  if (PKG_MANAGERS.has(exe)) {
+    if (rest.some((t) => MUTATING_PKG.test(t))) return { allowed: false, reason: `${exe}: only list/query sub-commands are allowed` };
+    return { allowed: true };
+  }
+  if (FETCH_RULES[exe]) {
+    if (!FETCH_RULES[exe](rest)) return { allowed: false, reason: `${exe}: only read-only GET requests are allowed` };
+    return { allowed: true };
+  }
+  if (SUBCOMMAND_RULES[exe]) {
+    if (!SUBCOMMAND_RULES[exe](rest)) return { allowed: false, reason: `${exe}: sub-command is not read-only` };
+    return { allowed: true };
+  }
+  if (CONDITIONAL_BINARIES.has(exe)) {
+    if (rest.some((t) => !t.startsWith("-") && t !== "/dev/null")) return { allowed: false, reason: "tee may only write to /dev/null" };
+    return { allowed: true };
+  }
+  if (READONLY_BINARIES.has(exe)) return { allowed: true };
+  if (READONLY_PS_BARE.has(exe)) return { allowed: true };
+  if (exe.includes("-") && /^[a-z]+-[a-z]/.test(exe)) {
+    const verb = exe.split("-")[0];
+    if (READONLY_PS_VERBS.has(verb)) return { allowed: true };
+    return { allowed: false, reason: `PowerShell cmdlet not read-only: ${exe}` };
+  }
+  return { allowed: false, reason: `command not on read-only allowlist: ${exe}` };
+}
+function isReadOnlyCommand(command) {
+  return checkReadOnly(command).allowed;
+}
+function assertReadOnly(command) {
+  const r = checkReadOnly(command);
+  if (!r.allowed) throw new Error(`Blocked by read-only allowlist: ${r.reason}`);
+}
+
+// src/logger.ts
+var verboseMode = false;
+function setVerbose(v) {
+  verboseMode = v;
+}
+function log(level, message, context) {
+  if (level === "DEBUG" && !verboseMode) return;
+  const entry = {
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    level,
+    message,
+    ...context && Object.keys(context).length > 0 ? { context } : {}
+  };
+  process.stderr.write(JSON.stringify(entry) + "\n");
+}
+function logDebug(message, context) {
+  log("DEBUG", message, context);
+}
+function logInfo(message, context) {
+  log("INFO", message, context);
+}
+function logWarn(message, context) {
+  log("WARN", message, context);
+}
+function logError(message, context) {
+  log("ERROR", message, context);
+}
+
+// src/platform.ts
 var PLATFORM = process.platform;
 var IS_WIN = PLATFORM === "win32";
 var IS_MAC = PLATFORM === "darwin";
@@ -717,6 +1575,11 @@ function safeEnv() {
   return env;
 }
 function run(cmd, opts = {}) {
+  const policy = checkReadOnly(cmd, { shell: IS_WIN ? "powershell" : "posix" });
+  if (!policy.allowed) {
+    logWarn(`Blocked non-read-only command: ${policy.reason}`);
+    return "";
+  }
   try {
     return execSync(cmd, {
       stdio: "pipe",
@@ -820,6 +1683,18 @@ function findFiles(dirs, patterns, maxDepth, limit) {
   const findCmds = dirs.map((d) => `find "${d}" -maxdepth ${maxDepth} \\( ${nameArgs} \\) 2>/dev/null`).join("; ");
   return run(`{ ${findCmds}; } | head -${limit}`, { timeout: 15e3 });
 }
+function scanListeningPorts() {
+  if (IS_WIN) {
+    return run(
+      `Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object { $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue; "$($_.LocalAddress):$($_.LocalPort) PID=$($_.OwningProcess) $($p.ProcessName)" } | Sort-Object -Unique`,
+      { timeout: 15e3 }
+    );
+  }
+  if (IS_MAC) {
+    return run("sudo lsof -iTCP -sTCP:LISTEN -n -P 2>/dev/null || lsof -iTCP -sTCP:LISTEN -n -P 2>/dev/null", { timeout: 15e3 });
+  }
+  return run("ss -tlnp 2>/dev/null", { timeout: 1e4 });
+}
 function scanWindowsPrograms() {
   if (!IS_WIN) return "";
   return run(
@@ -888,92 +1763,62 @@ function readChromeLike(filePath, source) {
     return [];
   }
 }
-async function readFirefoxBookmarks(profileDir) {
-  const src = join2(profileDir, "places.sqlite");
-  if (!existsSync2(src)) return [];
-  const tmp = join2(tmpdir(), `cartograph_ff_bm_${Date.now()}.sqlite`);
+async function queryBrowserDb(srcPath, tmpPrefix, query) {
+  if (!existsSync2(srcPath)) return [];
+  const tmp = join2(tmpdir(), `cartograph_${tmpPrefix}_${Date.now()}.sqlite`);
   try {
-    copyFileSync(src, tmp);
+    copyFileSync(srcPath, tmp);
     const { default: Database2 } = await import("better-sqlite3");
     const db = new Database2(tmp, { readonly: true, fileMustExist: true });
-    const rows = db.prepare(`
-      SELECT DISTINCT p.url
-      FROM moz_places p
-      JOIN moz_bookmarks b ON b.fk = p.id
-      WHERE b.type = 1 AND p.url NOT LIKE 'place:%'
-      LIMIT 3000
-    `).all();
-    db.close();
-    return rows.map((r) => extractHost(r.url, "firefox")).filter((h) => h !== null);
-  } catch {
-    return [];
-  } finally {
     try {
-      (await import("fs")).unlinkSync(tmp);
-    } catch {
+      return db.prepare(query).all();
+    } finally {
+      db.close();
     }
-  }
-}
-async function readFirefoxHistory(profileDir) {
-  const src = join2(profileDir, "places.sqlite");
-  if (!existsSync2(src)) return [];
-  const tmp = join2(tmpdir(), `cartograph_ff_hist_${Date.now()}.sqlite`);
-  try {
-    copyFileSync(src, tmp);
-    const { default: Database2 } = await import("better-sqlite3");
-    const db = new Database2(tmp, { readonly: true, fileMustExist: true });
-    const rows = db.prepare(`
-      SELECT url, visit_count
-      FROM moz_places
-      WHERE url NOT LIKE 'place:%'
-        AND visit_count > 0
-      ORDER BY visit_count DESC
-      LIMIT 5000
-    `).all();
-    db.close();
-    return rows.map((r) => {
-      const h = extractHost(r.url, "firefox");
-      if (!h) return null;
-      return { ...h, visitCount: r.visit_count };
-    }).filter((h) => h !== null);
   } catch {
     return [];
   } finally {
     try {
-      (await import("fs")).unlinkSync(tmp);
+      unlinkSync(tmp);
     } catch {
     }
   }
 }
+async function readFirefoxBookmarks(profileDir) {
+  const rows = await queryBrowserDb(
+    join2(profileDir, "places.sqlite"),
+    "ff_bm",
+    `SELECT DISTINCT p.url FROM moz_places p
+     JOIN moz_bookmarks b ON b.fk = p.id
+     WHERE b.type = 1 AND p.url NOT LIKE 'place:%' LIMIT 3000`
+  );
+  return rows.map((r) => extractHost(r.url, "firefox")).filter((h) => h !== null);
+}
+async function readFirefoxHistory(profileDir) {
+  const rows = await queryBrowserDb(
+    join2(profileDir, "places.sqlite"),
+    "ff_hist",
+    `SELECT url, visit_count FROM moz_places
+     WHERE url NOT LIKE 'place:%' AND visit_count > 0
+     ORDER BY visit_count DESC LIMIT 5000`
+  );
+  return rows.map((r) => {
+    const h = extractHost(r.url, "firefox");
+    return h ? { ...h, visitCount: r.visit_count } : null;
+  }).filter((h) => h !== null);
+}
 async function readChromiumHistory(historyPath, source) {
-  if (!existsSync2(historyPath)) return [];
-  const tmp = join2(tmpdir(), `cartograph_ch_hist_${Date.now()}.sqlite`);
-  try {
-    copyFileSync(historyPath, tmp);
-    const { default: Database2 } = await import("better-sqlite3");
-    const db = new Database2(tmp, { readonly: true, fileMustExist: true });
-    const rows = db.prepare(`
-      SELECT url, visit_count
-      FROM urls
-      WHERE hidden = 0
-        AND visit_count > 0
-      ORDER BY visit_count DESC
-      LIMIT 5000
-    `).all();
-    db.close();
-    return rows.map((r) => {
-      const h = extractHost(r.url, source);
-      if (!h) return null;
-      return { ...h, visitCount: r.visit_count };
-    }).filter((h) => h !== null);
-  } catch {
-    return [];
-  } finally {
-    try {
-      (await import("fs")).unlinkSync(tmp);
-    } catch {
-    }
-  }
+  const rows = await queryBrowserDb(
+    historyPath,
+    "ch_hist",
+    `SELECT url, visit_count FROM urls
+     WHERE hidden = 0 AND visit_count > 0
+     ORDER BY visit_count DESC LIMIT 5000`
+  );
+  return rows.map((r) => {
+    const h = extractHost(r.url, source);
+    return h ? { ...h, visitCount: r.visit_count } : null;
+  }).filter((h) => h !== null);
 }
 var IS_LINUX2 = !IS_MAC && !IS_WIN;
 function chromeLikePaths(base) {
@@ -1097,17 +1942,474 @@ async function scanAllHistory() {
   return [...byHost.values()].sort((a, b) => b.visitCount - a.visitCount);
 }
 
+// src/scanners/bookmarks.ts
+var PERSONAL = [
+  "facebook.",
+  "instagram.",
+  "twitter.",
+  "x.com",
+  "tiktok.",
+  "reddit.",
+  "youtube.",
+  "netflix.",
+  "spotify.",
+  "twitch.",
+  "pinterest.",
+  "snapchat.",
+  "whatsapp.",
+  "amazon.",
+  "ebay.",
+  "aliexpress.",
+  "cnn.",
+  "bbc.",
+  "nytimes.",
+  "espn.",
+  "booking.",
+  "airbnb.",
+  "tripadvisor.",
+  "wikipedia."
+];
+var BUSINESS = [
+  "github.",
+  "gitlab.",
+  "bitbucket.",
+  "atlassian.",
+  "jira.",
+  "confluence.",
+  "notion.",
+  "linear.",
+  "slack.",
+  "zoom.",
+  "figma.",
+  "miro.",
+  "vercel.",
+  "netlify.",
+  "heroku.",
+  "datadog",
+  "sentry.",
+  "grafana.",
+  "pagerduty.",
+  "aws.amazon.",
+  "console.cloud.google",
+  "portal.azure",
+  "cloudflare.",
+  "hubspot.",
+  "salesforce.",
+  "stripe.",
+  "twilio.",
+  "sendgrid.",
+  "mailchimp.",
+  "segment.",
+  "mixpanel.",
+  "amplitude.",
+  "looker.",
+  "tableau.",
+  "snowflake.",
+  "databricks.",
+  "mongodb.",
+  "redis.",
+  "elastic.",
+  "openai.",
+  "anthropic.",
+  "huggingface.",
+  "docker.",
+  "npmjs.",
+  "pypi.",
+  "circleci.",
+  "travis-ci.",
+  "jenkins.",
+  "terraform.",
+  "hashicorp.",
+  "okta.",
+  "auth0.",
+  "1password.",
+  "asana.",
+  "trello.",
+  "monday."
+];
+function classify(hostname) {
+  const h = hostname.toLowerCase();
+  if (PERSONAL.some((p) => h.includes(p))) return null;
+  if (BUSINESS.some((b) => h.includes(b))) return { type: "saas_tool", confidence: 0.7 };
+  if (/^\d+\.\d+\.\d+\.\d+$/.test(h) || /\.(internal|local|corp|lan)\b/.test(h)) {
+    return { type: "web_service", confidence: 0.6 };
+  }
+  return null;
+}
+var bookmarksScanner = {
+  id: "bookmarks",
+  title: "Browser bookmarks",
+  platforms: "all",
+  detect: () => true,
+  async scan() {
+    const hosts = await scanAllBookmarks();
+    const seen = /* @__PURE__ */ new Set();
+    const nodes = [];
+    for (const host of hosts) {
+      const klass = classify(host.hostname);
+      if (!klass) continue;
+      const id = `${klass.type}:${host.hostname}`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      nodes.push({
+        id,
+        type: klass.type,
+        name: host.hostname,
+        discoveredVia: "bookmark",
+        confidence: klass.confidence,
+        tags: ["bookmark"],
+        metadata: { protocol: host.protocol, ...host.port ? { port: host.port } : {} }
+      });
+    }
+    return { nodes, edges: [] };
+  }
+};
+
+// src/scanners/installed-apps.ts
+var KNOWN_TOOLS = {
+  ide: ["code", "code-insiders", "cursor", "windsurf", "zed", "nvim", "vim", "emacs", "idea", "webstorm", "pycharm", "goland", "datagrip", "clion", "rider", "phpstorm"],
+  "dev-tool": ["git", "gh", "docker", "docker-compose", "podman", "kubectl", "helm", "terraform", "ansible", "vagrant", "packer", "consul", "vault", "nomad"],
+  runtime: ["node", "npm", "pnpm", "yarn", "bun", "deno", "python", "python3", "pip", "poetry", "ruby", "rails", "java", "mvn", "gradle", "go", "cargo", "rustc", "php", "composer", "dotnet"],
+  database: ["psql", "mysql", "mongosh", "redis-cli", "sqlite3", "clickhouse-client"],
+  cloud: ["aws", "gcloud", "az", "heroku", "fly", "vercel", "netlify", "wrangler", "supabase"],
+  browser: ["google-chrome", "chromium", "firefox", "brave", "opera"],
+  observability: ["prometheus", "grafana-cli", "datadog-agent", "newrelic-agent"]
+};
+var installedAppsScanner = {
+  id: "installed-apps",
+  title: "Installed apps & developer tools",
+  platforms: "all",
+  allowedCommands: ["which", "command", "Get-Command"],
+  detect: () => true,
+  async scan(ctx) {
+    const nodes = [];
+    const hintTerms = (ctx.hint ?? "").toLowerCase().split(/[\s,]+/).filter(Boolean);
+    for (const [category, tools] of Object.entries(KNOWN_TOOLS)) {
+      for (const tool of tools) {
+        const path = commandExists(tool);
+        if (!path) continue;
+        const boosted = hintTerms.some((t) => tool.includes(t));
+        nodes.push({
+          id: `saas_tool:${tool}`,
+          type: "saas_tool",
+          name: tool,
+          discoveredVia: "installed-app",
+          confidence: boosted ? 0.95 : 0.9,
+          tags: [category],
+          metadata: { category, path }
+        });
+      }
+    }
+    return { nodes, edges: [] };
+  }
+};
+
+// src/scanners/ports.ts
+var PORT_MAP = {
+  5432: { type: "database_server", service: "postgresql" },
+  3306: { type: "database_server", service: "mysql" },
+  1433: { type: "database_server", service: "sqlserver" },
+  27017: { type: "database_server", service: "mongodb" },
+  9200: { type: "database_server", service: "elasticsearch" },
+  6379: { type: "cache_server", service: "redis" },
+  11211: { type: "cache_server", service: "memcached" },
+  9092: { type: "message_broker", service: "kafka" },
+  5672: { type: "message_broker", service: "rabbitmq" },
+  4222: { type: "message_broker", service: "nats" },
+  9090: { type: "web_service", service: "prometheus" },
+  3e3: { type: "web_service", service: "http-app" },
+  8080: { type: "web_service", service: "http-app" },
+  8e3: { type: "web_service", service: "http-app" },
+  80: { type: "web_service", service: "http" },
+  443: { type: "web_service", service: "https" },
+  8200: { type: "web_service", service: "vault" },
+  8500: { type: "web_service", service: "consul" },
+  2379: { type: "web_service", service: "etcd" },
+  5601: { type: "web_service", service: "kibana" },
+  15672: { type: "web_service", service: "rabbitmq-management" }
+};
+function extractListeningPorts(raw) {
+  const ports = /* @__PURE__ */ new Set();
+  for (const m of raw.matchAll(/[:.](\d{2,5})\b/g)) {
+    const p = Number(m[1]);
+    if (p in PORT_MAP) ports.add(p);
+  }
+  return [...ports];
+}
+var portsScanner = {
+  id: "local-ports",
+  title: "Local listening ports",
+  platforms: "all",
+  allowedCommands: ["ss", "lsof", "Get-NetTCPConnection"],
+  detect: () => true,
+  async scan() {
+    const raw = scanListeningPorts();
+    const nodes = [];
+    for (const port of extractListeningPorts(raw)) {
+      const { type, service } = PORT_MAP[port];
+      nodes.push({
+        id: `${type}:localhost:${port}`,
+        type,
+        name: `${service} (:${port})`,
+        discoveredVia: "listening-port",
+        confidence: 0.9,
+        tags: ["local", service],
+        metadata: { port, service, host: "localhost" }
+      });
+    }
+    return { nodes, edges: [] };
+  }
+};
+
+// src/scanners/registry.ts
+function defaultRegistry() {
+  return new ScannerRegistry().register(bookmarksScanner).register(installedAppsScanner).register(portsScanner);
+}
+
+// src/discovery/local.ts
+async function runLocalDiscovery(db, sessionId, opts = {}) {
+  const registry = opts.registry ?? defaultRegistry();
+  const ctx = { hint: opts.hint, platform: PLATFORM, run };
+  const nodes = /* @__PURE__ */ new Map();
+  const edges = [];
+  const ran = [];
+  for (const scanner of registry.forPlatform(PLATFORM)) {
+    try {
+      if (!await scanner.detect(ctx)) continue;
+      const result = await scanner.scan(ctx);
+      ran.push(scanner.id);
+      for (const node of result.nodes) {
+        const prev = nodes.get(node.id);
+        if (!prev || node.confidence > prev.confidence) nodes.set(node.id, node);
+      }
+      edges.push(...result.edges);
+      opts.onProgress?.(`${scanner.title}: +${result.nodes.length} nodes`);
+    } catch (err) {
+      opts.onProgress?.(`${scanner.title}: failed (${err instanceof Error ? err.message : String(err)})`);
+    }
+  }
+  for (const node of nodes.values()) db.upsertNode(sessionId, node);
+  for (const edge of edges) {
+    if (nodes.has(edge.sourceId) && nodes.has(edge.targetId)) db.insertEdge(sessionId, edge);
+  }
+  return { nodes: nodes.size, edges: edges.length, scanners: ran };
+}
+function localDiscoveryFn(registry) {
+  return async (db, sessionId, opts) => {
+    const r = await runLocalDiscovery(db, sessionId, { hint: opts.hint, registry });
+    return { nodes: r.nodes, edges: r.edges };
+  };
+}
+
+// src/semantic/hash.ts
+function fnv1a(s) {
+  let h = 2166136261;
+  for (let i = 0; i < s.length; i++) {
+    h ^= s.charCodeAt(i);
+    h = Math.imul(h, 16777619);
+  }
+  return h >>> 0;
+}
+
+// src/semantic/embeddings.ts
+async function createLocalEmbedder(model = "Xenova/all-MiniLM-L6-v2") {
+  try {
+    const tf = await import("./transformers.node-J6PRTTOX.js");
+    const extractor = await tf.pipeline("feature-extraction", model);
+    return {
+      id: `local:${model}`,
+      dimensions: 384,
+      async embed(texts) {
+        const out = [];
+        for (const text of texts) {
+          const tensor = await extractor(text, { pooling: "mean", normalize: true });
+          out.push(Float32Array.from(tensor.data));
+        }
+        return out;
+      }
+    };
+  } catch {
+    return void 0;
+  }
+}
+function createHashEmbedder(dimensions = 256) {
+  return {
+    id: `hash:${dimensions}`,
+    dimensions,
+    async embed(texts) {
+      return texts.map((text) => hashEmbed(text, dimensions));
+    }
+  };
+}
+function hashEmbed(text, dim) {
+  const v = new Float32Array(dim);
+  const tokens = text.toLowerCase().match(/[a-z0-9]+/g) ?? [];
+  for (const tok of tokens) {
+    for (const gram of [tok, ...trigrams(tok)]) {
+      const h = fnv1a(gram);
+      v[h % dim] += 1;
+    }
+  }
+  let norm = 0;
+  for (const x of v) norm += x * x;
+  norm = Math.sqrt(norm) || 1;
+  for (let i = 0; i < dim; i++) v[i] = v[i] / norm;
+  return v;
+}
+function trigrams(s) {
+  if (s.length < 3) return [];
+  const out = [];
+  for (let i = 0; i <= s.length - 3; i++) out.push(s.slice(i, i + 3));
+  return out;
+}
+
+// src/semantic/store.ts
+function nodeText(n) {
+  const desc = typeof n.metadata?.["description"] === "string" ? n.metadata["description"] : "";
+  const category = typeof n.metadata?.["category"] === "string" ? n.metadata["category"] : "";
+  return [n.name, n.id.replace(/[:_]/g, " "), `type ${n.type}`, n.domain ?? "", n.subDomain ?? "", category, n.tags.join(" "), desc].filter(Boolean).join(" \u2014 ");
+}
+function hash(s) {
+  return fnv1a(s).toString(16);
+}
+function toBuffer(v) {
+  return Buffer.from(v.buffer, v.byteOffset, v.byteLength);
+}
+var VectorStore = class {
+  constructor(db, embedder) {
+    this.db = db;
+    this.embedder = embedder;
+  }
+  loaded = false;
+  /** Load sqlite-vec and ensure the schema exists. Returns false if unavailable. */
+  async init() {
+    if (this.loaded) return true;
+    try {
+      const conn = this.db.rawConnection();
+      const sqliteVec = await import("./sqlite-vec-UK5YYE5T.js");
+      sqliteVec.load(conn);
+      conn.exec(`
+        CREATE TABLE IF NOT EXISTS vec_index (
+          rowid INTEGER PRIMARY KEY AUTOINCREMENT,
+          session_id TEXT NOT NULL,
+          node_id TEXT NOT NULL,
+          hash TEXT NOT NULL,
+          UNIQUE(session_id, node_id)
+        );
+        CREATE TABLE IF NOT EXISTS vec_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL);
+      `);
+      const dimRow = conn.prepare("SELECT value FROM vec_meta WHERE key = 'dims'").get();
+      const dims = this.embedder.dimensions;
+      if (dimRow && Number(dimRow.value) !== dims) {
+        conn.exec("DROP TABLE IF EXISTS vec_nodes; DELETE FROM vec_index;");
+      }
+      conn.exec(`CREATE VIRTUAL TABLE IF NOT EXISTS vec_nodes USING vec0(embedding float[${dims}])`);
+      conn.prepare("INSERT OR REPLACE INTO vec_meta(key, value) VALUES (?, ?)").run("dims", String(dims));
+      conn.prepare("INSERT OR REPLACE INTO vec_meta(key, value) VALUES (?, ?)").run("embedder", this.embedder.id);
+      this.loaded = true;
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /** Incrementally embed and index any new/changed nodes for a session. */
+  async index(sessionId) {
+    if (!await this.init()) return { embedded: 0, total: 0 };
+    const conn = this.db.rawConnection();
+    const nodes = this.db.getNodes(sessionId);
+    const getRow = conn.prepare("SELECT rowid, hash FROM vec_index WHERE session_id = ? AND node_id = ?");
+    const insIndex = conn.prepare("INSERT INTO vec_index (session_id, node_id, hash) VALUES (?, ?, ?)");
+    const updHash = conn.prepare("UPDATE vec_index SET hash = ? WHERE rowid = ?");
+    const delVec = conn.prepare("DELETE FROM vec_nodes WHERE rowid = ?");
+    const insVec = conn.prepare("INSERT INTO vec_nodes (rowid, embedding) VALUES (?, ?)");
+    const pending = [];
+    for (const n of nodes) {
+      const text = nodeText(n);
+      const h = hash(`${this.embedder.id}:${text}`);
+      const existing = getRow.get(sessionId, n.id);
+      if (existing) {
+        if (existing.hash === h) continue;
+        updHash.run(h, existing.rowid);
+        delVec.run(BigInt(existing.rowid));
+        pending.push({ rowid: BigInt(existing.rowid), text });
+      } else {
+        const info = insIndex.run(sessionId, n.id, h);
+        pending.push({ rowid: BigInt(info.lastInsertRowid), text });
+      }
+    }
+    if (pending.length > 0) {
+      const vectors = await this.embedder.embed(pending.map((p) => p.text));
+      const tx = conn.transaction(() => {
+        pending.forEach((p, i) => insVec.run(p.rowid, toBuffer(vectors[i])));
+      });
+      tx();
+    }
+    return { embedded: pending.length, total: nodes.length };
+  }
+  /** k-nearest-neighbour search within a session. Returns node ids + distances. */
+  async search(sessionId, query, k) {
+    if (!await this.init()) return [];
+    await this.index(sessionId);
+    const conn = this.db.rawConnection();
+    const [qv] = await this.embedder.embed([query]);
+    if (!qv) return [];
+    const overfetch = Math.max(k * 5, k);
+    const knn = conn.prepare(
+      "SELECT rowid, distance FROM vec_nodes WHERE embedding MATCH ? ORDER BY distance LIMIT ?"
+    ).all(toBuffer(qv), overfetch);
+    const meta = conn.prepare("SELECT node_id AS nodeId, session_id AS sessionId FROM vec_index WHERE rowid = ?");
+    const out = [];
+    for (const row of knn) {
+      const m = meta.get(row.rowid);
+      if (m && m.sessionId === sessionId) out.push({ nodeId: m.nodeId, distance: row.distance });
+      if (out.length >= k) break;
+    }
+    return out;
+  }
+};
+
+// src/semantic/search.ts
+var lexical = (db, sessionId, query, opts) => db.searchNodes(sessionId, query, { types: opts.types, limit: opts.limit }).map((node) => ({ node }));
+var lexicalSearch2 = () => async (d, sid, q, opts) => lexical(d, sid, q, opts);
+async function createSemanticSearch(db, embedder) {
+  const provider = embedder ?? await createLocalEmbedder();
+  if (!provider) return lexicalSearch2();
+  const store = new VectorStore(db, provider);
+  const ok = await store.init();
+  if (!ok) return lexicalSearch2();
+  return async (d, sid, query, opts) => {
+    const hits = await store.search(sid, query, opts.limit);
+    if (hits.length === 0) return lexical(d, sid, query, opts);
+    const byId = d.getNodesByIds(sid, hits.map((h) => h.nodeId));
+    const results = [];
+    for (const h of hits) {
+      const node = byId.get(h.nodeId);
+      if (!node) continue;
+      if (opts.types && opts.types.length > 0 && !opts.types.includes(node.type)) continue;
+      results.push({ node, score: Math.max(0, 1 - h.distance / 2) });
+    }
+    return results.length > 0 ? results : lexical(d, sid, query, opts);
+  };
+}
+
 // src/tools.ts
+import { z as z4 } from "zod";
 function createScanRunner(runFn, opts = {}) {
   const threshold = opts.threshold ?? 3;
   let consecutiveFailures = 0;
   let tripped = false;
   return (cmd) => {
-    if (tripped) return "(skipped \u2014 circuit breaker: too many consecutive failures)";
+    if (tripped) {
+      logDebug(`Circuit breaker: skipping "${cmd}" (${consecutiveFailures} consecutive failures)`);
+      return "(skipped \u2014 circuit breaker: too many consecutive failures)";
+    }
     const result = runFn(cmd, { timeout: opts.timeout ?? 2e4, env: opts.env });
     if (!result) {
       consecutiveFailures++;
-      if (consecutiveFailures >= threshold) tripped = true;
+      if (consecutiveFailures >= threshold) {
+        tripped = true;
+        logDebug(`Circuit breaker tripped after ${threshold} failures, last command: "${cmd}"`);
+      }
       return "(error or not available)";
     }
     consecutiveFailures = 0;
@@ -1115,27 +2417,31 @@ function createScanRunner(runFn, opts = {}) {
   };
 }
 function stripSensitive(target) {
+  const raw = target.trim();
+  if (!raw) return raw;
   try {
-    const url = new URL(target.startsWith("http") ? target : `tcp://${target}`);
-    return `${url.hostname}${url.port ? ":" + url.port : ""}`;
+    const url = new URL(raw.startsWith("http") ? raw : `tcp://${raw}`);
+    const stripped = `${url.hostname}${url.port ? ":" + url.port : ""}`;
+    return stripped || raw;
   } catch {
-    return target.replace(/\/.*$/, "").replace(/\?.*$/, "").replace(/@.*:/, ":");
+    const stripped = raw.replace(/\/.*$/, "").replace(/\?.*$/, "").replace(/@.*:/, ":");
+    return stripped || raw;
   }
 }
 async function createCartographyTools(db, sessionId, opts = {}) {
-  const { tool, createSdkMcpServer } = await import("@anthropic-ai/claude-agent-sdk");
+  const { tool, createSdkMcpServer } = await import("./sdk-G5D4WQZ4.js");
   const tools = [
     tool("save_node", "Save an infrastructure node to the catalog", {
-      id: z3.string(),
-      type: z3.enum(NODE_TYPES),
-      name: z3.string(),
-      discoveredVia: z3.string(),
-      confidence: z3.number().min(0).max(1),
-      metadata: z3.record(z3.string(), z3.unknown()).optional(),
-      tags: z3.array(z3.string()).optional(),
-      domain: z3.string().optional().describe('Business domain, e.g. "Marketing", "Finance"'),
-      subDomain: z3.string().optional().describe('Sub-domain, e.g. "Forecast client orders"'),
-      qualityScore: z3.number().min(0).max(100).optional().describe("Data quality score 0\u2013100")
+      id: z4.string(),
+      type: z4.enum(NODE_TYPES),
+      name: z4.string(),
+      discoveredVia: z4.string(),
+      confidence: z4.number().min(0).max(1),
+      metadata: z4.record(z4.string(), z4.unknown()).optional(),
+      tags: z4.array(z4.string()).optional(),
+      domain: z4.string().optional().describe('Business domain, e.g. "Marketing", "Finance"'),
+      subDomain: z4.string().optional().describe('Sub-domain, e.g. "Forecast client orders"'),
+      qualityScore: z4.number().min(0).max(100).optional().describe("Data quality score 0\u2013100")
     }, async (args) => {
       const node = {
         id: stripSensitive(args["id"]),
@@ -1153,11 +2459,11 @@ async function createCartographyTools(db, sessionId, opts = {}) {
       return { content: [{ type: "text", text: `\u2713 Node: ${node.id}` }] };
     }),
     tool("save_edge", "Save a relationship (edge) between two nodes \u2014 ALWAYS save edges when connections are clear", {
-      sourceId: z3.string(),
-      targetId: z3.string(),
-      relationship: z3.enum(EDGE_RELATIONSHIPS),
-      evidence: z3.string(),
-      confidence: z3.number().min(0).max(1)
+      sourceId: z4.string(),
+      targetId: z4.string(),
+      relationship: z4.enum(EDGE_RELATIONSHIPS),
+      evidence: z4.string(),
+      confidence: z4.number().min(0).max(1)
     }, async (args) => {
       db.insertEdge(sessionId, {
         sourceId: args["sourceId"],
@@ -1169,7 +2475,7 @@ async function createCartographyTools(db, sessionId, opts = {}) {
       return { content: [{ type: "text", text: `\u2713 ${args["sourceId"]}\u2192${args["targetId"]}` }] };
     }),
     tool("get_catalog", "Get the current catalog \u2014 use before save_node to avoid duplicates", {
-      includeEdges: z3.boolean().default(true)
+      includeEdges: z4.boolean().default(true)
     }, async (args) => {
       const nodes = db.getNodes(sessionId);
       const edges = args["includeEdges"] ? db.getEdges(sessionId) : [];
@@ -1184,8 +2490,8 @@ async function createCartographyTools(db, sessionId, opts = {}) {
       };
     }),
     tool("ask_user", "Ask the user a question \u2014 for clarifications, missing context, or consent (e.g. before scanning browser history)", {
-      question: z3.string().describe("The question for the user (clear and specific)"),
-      context: z3.string().optional().describe("Optional context explaining why this is relevant")
+      question: z4.string().describe("The question for the user (clear and specific)"),
+      context: z4.string().optional().describe("Optional context explaining why this is relevant")
     }, async (args) => {
       const question = args["question"];
       const context = args["context"];
@@ -1198,7 +2504,7 @@ async function createCartographyTools(db, sessionId, opts = {}) {
       };
     }),
     tool("scan_bookmarks", "Scan all browser bookmarks \u2014 hostnames only, no personal data (Chrome, Chromium, Edge, Brave, Vivaldi, Opera, Firefox)", {
-      minConfidence: z3.number().min(0).max(1).default(0.5).optional()
+      minConfidence: z4.number().min(0).max(1).default(0.5).optional()
     }, async () => {
       const hosts = await scanAllBookmarks();
       return {
@@ -1218,7 +2524,7 @@ async function createCartographyTools(db, sessionId, opts = {}) {
       };
     }),
     tool("scan_browser_history", "Scan browser history \u2014 anonymized hostnames + visit frequency. ALWAYS call ask_user for consent before using this tool.", {
-      minVisits: z3.number().min(1).default(3).optional().describe("Minimum visit count to include a host (filters rarely-visited sites)")
+      minVisits: z4.number().min(1).default(3).optional().describe("Minimum visit count to include a host (filters rarely-visited sites)")
     }, async (args) => {
       const minVisits = args["minVisits"] ?? 3;
       const hosts = await scanAllHistory();
@@ -1240,7 +2546,7 @@ async function createCartographyTools(db, sessionId, opts = {}) {
       };
     }),
     tool("scan_local_databases", "Scan for local database files and running DB servers \u2014 PostgreSQL databases, MySQL, SQLite files from installed apps", {
-      deep: z3.boolean().default(false).optional().describe("Also search home directory recursively for SQLite/DB files (slower)")
+      deep: z4.boolean().default(false).optional().describe("Also search home directory recursively for SQLite/DB files (slower)")
     }, async (args) => {
       const deep = args["deep"] ?? false;
       const results = {};
@@ -1312,7 +2618,7 @@ ${v}`).join("\n\n");
       return { content: [{ type: "text", text: out }] };
     }),
     tool("scan_k8s_resources", "Scan Kubernetes cluster via kubectl \u2014 100% readonly (get, describe)", {
-      namespace: z3.string().optional().describe("Filter by namespace \u2014 empty = all namespaces")
+      namespace: z4.string().optional().describe("Filter by namespace \u2014 empty = all namespaces")
     }, async (args) => {
       const ns = args["namespace"];
       const nsFlag = ns ? `-n ${ns}` : "--all-namespaces";
@@ -1343,8 +2649,8 @@ ${runK(c)}`).join("\n\n");
       return { content: [{ type: "text", text: out }] };
     }),
     tool("scan_aws_resources", "Scan AWS infrastructure via AWS CLI \u2014 100% readonly (describe, list)", {
-      region: z3.string().optional().describe("AWS Region \u2014 default: AWS_DEFAULT_REGION or profile"),
-      profile: z3.string().optional().describe("AWS CLI profile")
+      region: z4.string().optional().describe("AWS Region \u2014 default: AWS_DEFAULT_REGION or profile"),
+      profile: z4.string().optional().describe("AWS CLI profile")
     }, async (args) => {
       const region = args["region"];
       const profile = args["profile"];
@@ -1367,7 +2673,7 @@ ${runAws(c)}`).join("\n\n");
       return { content: [{ type: "text", text: out }] };
     }),
     tool("scan_gcp_resources", "Scan Google Cloud Platform via gcloud CLI \u2014 100% readonly (list, describe)", {
-      project: z3.string().optional().describe("GCP Project ID \u2014 default: current gcloud project")
+      project: z4.string().optional().describe("GCP Project ID \u2014 default: current gcloud project")
     }, async (args) => {
       const project = args["project"];
       const pf = project ? `--project ${project}` : "";
@@ -1388,8 +2694,8 @@ ${runGcp(c)}`).join("\n\n");
       return { content: [{ type: "text", text: out }] };
     }),
     tool("scan_azure_resources", "Scan Azure infrastructure via az CLI \u2014 100% readonly (list, show)", {
-      subscription: z3.string().optional().describe("Azure Subscription ID"),
-      resourceGroup: z3.string().optional().describe("Filter by resource group")
+      subscription: z4.string().optional().describe("Azure Subscription ID"),
+      resourceGroup: z4.string().optional().describe("Filter by resource group")
     }, async (args) => {
       const sub = args["subscription"];
       const rg = args["resourceGroup"];
@@ -1412,7 +2718,7 @@ ${runAz(c)}`).join("\n\n");
       return { content: [{ type: "text", text: out }] };
     }),
     tool("scan_installed_apps", "Scan all installed apps and tools \u2014 IDEs, office, dev tools, business apps, databases", {
-      searchHint: z3.string().optional().describe('Optional search term to find specific tools (e.g. "hubspot windsurf cursor")')
+      searchHint: z4.string().optional().describe('Optional search term to find specific tools (e.g. "hubspot windsurf cursor")')
     }, async (args) => {
       const hint = args["searchHint"];
       const results = {};
@@ -1597,18 +2903,20 @@ ${v}`).join("\n\n");
 }
 
 // src/safety.ts
-var BLOCKED_CMDS = /\b(rm|mv|cp|dd|mkfs|chmod|chown|chgrp|kill|killall|pkill|reboot|shutdown|poweroff|halt|systemctl\s+(start|stop|restart|enable|disable)|service\s+(start|stop|restart)|docker\s+(rm|rmi|stop|kill|exec|run|build|push)|kubectl\s+(delete|apply|edit|exec|run|create|patch)|apt|yum|dnf|pacman|pip\s+install|npm\s+(install|uninstall)|curl\s+.*-X\s*(POST|PUT|DELETE|PATCH)|wget\s+-O|tee\s|Remove-Item|Move-Item|Copy-Item|Stop-Process|Stop-Service|Restart-Service|Start-Service|Set-Service|Invoke-WebRequest\s+.*-Method\s+(POST|PUT|DELETE|PATCH)|del\s|rmdir\s|Format-Volume|Clear-Disk|Stop-Computer|Restart-Computer|Uninstall-Package|Install-Package|Install-Module)\b/i;
-var BLOCKED_REDIRECTS = />>|>[^>]|Out-File|Set-Content|Add-Content/;
 var safetyHook = async (input, _toolUseID, _options) => {
   if (!("tool_name" in input)) return {};
   if (input.tool_name !== "Bash") return {};
-  const cmd = input.tool_input?.command ?? "";
-  if (BLOCKED_CMDS.test(cmd) || BLOCKED_REDIRECTS.test(cmd)) {
+  const cmd = (input.tool_input?.command ?? "").trim();
+  if (!cmd) {
+    return { hookSpecificOutput: { hookEventName: "PreToolUse", permissionDecision: "allow" } };
+  }
+  const decision = checkReadOnly(cmd);
+  if (!decision.allowed) {
     return {
       hookSpecificOutput: {
         hookEventName: "PreToolUse",
         permissionDecision: "deny",
-        permissionDecisionReason: `BLOCKED: "${cmd}" \u2014 read-only policy`
+        permissionDecisionReason: `BLOCKED: ${decision.reason} \u2014 read-only allowlist policy`
       }
     };
   }
@@ -1622,7 +2930,7 @@ var safetyHook = async (input, _toolUseID, _options) => {
 
 // src/agent.ts
 async function runDiscovery(config, db, sessionId, onEvent, onAskUser, hint) {
-  const { query } = await import("@anthropic-ai/claude-agent-sdk");
+  const { query } = await import("./sdk-G5D4WQZ4.js");
   const tools = await createCartographyTools(db, sessionId, { onAskUser });
   const hintSection = hint ? `
 \u26A1 USER HINT (HIGH PRIORITY): The user wants to find these specific tools: "${hint}"
@@ -1964,6 +3272,11 @@ function layoutClusters(groups, hexSize) {
 }
 function findFreeOrigin(occupied, count, gap) {
   const key = (q, r) => `${q},${r}`;
+  const parsedOccupied = [];
+  for (const oKey of occupied) {
+    const [oq, or] = oKey.split(",").map(Number);
+    parsedOccupied.push({ q: oq, r: or });
+  }
   for (let searchRadius = 1; searchRadius < 100; searchRadius++) {
     const candidates = hexSpiral({ q: 0, r: 0 }, 1 + 6 * searchRadius * (searchRadius + 1) / 2);
     for (const candidate of candidates) {
@@ -1974,9 +3287,8 @@ function findFreeOrigin(occupied, count, gap) {
           fits = false;
           break;
         }
-        for (const oKey of occupied) {
-          const [oq, or] = oKey.split(",").map(Number);
-          if (hexDistance(tp, { q: oq, r: or }) < gap) {
+        for (const oc of parsedOccupied) {
+          if (hexDistance(tp, oc) < gap) {
             fits = false;
             break;
           }
@@ -2086,12 +3398,9 @@ function buildMapData(nodes, edges, options) {
 
 // src/exporter.ts
 function nodeLayer(type) {
-  if (type === "saas_tool") return "saas";
-  if (["web_service", "api_endpoint"].includes(type)) return "web";
-  if (["database_server", "database", "table", "cache_server"].includes(type)) return "data";
-  if (["message_broker", "queue", "topic"].includes(type)) return "messaging";
-  if (["host", "container", "pod", "k8s_cluster"].includes(type)) return "infra";
-  if (type === "config_file") return "config";
+  for (const [layer, types] of Object.entries(NODE_TYPE_GROUPS)) {
+    if (types.includes(type)) return layer;
+  }
   return "other";
 }
 var LAYER_LABELS = {
@@ -3414,7 +4723,7 @@ function checkPrerequisites() {
     execSync2("claude --version", { stdio: "pipe" });
   } catch {
     process.stderr.write(
-      "\n\u274C Claude CLI nicht gefunden.\n   Datasynx Cartography braucht die Claude CLI als Runtime-Dependency.\n\n   Installieren:\n     npm install -g @anthropic-ai/claude-code\n     # oder\n     curl -fsSL https://claude.ai/install.sh | bash\n\n   Danach: claude login\n\n"
+      "\n\u274C Claude CLI not found.\n   Datasynx Cartography requires the Claude CLI as a runtime dependency.\n\n   Install:\n     npm install -g @anthropic-ai/claude-code\n     # or\n     curl -fsSL https://claude.ai/install.sh | bash\n\n   Then: claude login\n\n"
     );
     process.exitCode = 1;
     throw new Error("Claude CLI not found");
@@ -3423,57 +4732,40 @@ function checkPrerequisites() {
   const hasOAuth = isOAuthLoggedIn();
   if (!hasApiKey && !hasOAuth) {
     process.stderr.write(
-      "\u26A0 Keine Authentifizierung gefunden. Bitte eine der folgenden Optionen:\n\n  Option A \u2014 claude.ai Subscription (empfohlen):\n    claude login\n\n  Option B \u2014 API Key:\n    export ANTHROPIC_API_KEY=sk-ant-...\n\n"
+      "\u26A0 No authentication found. Please choose one of the following options:\n\n  Option A \u2014 claude.ai Subscription (recommended):\n    claude login\n\n  Option B \u2014 API Key:\n    export ANTHROPIC_API_KEY=sk-ant-...\n\n"
     );
   } else if (hasOAuth && !hasApiKey) {
-    process.stderr.write("\u2713 Eingeloggt via claude login (Subscription)\n");
+    process.stderr.write("\u2713 Logged in via claude login (Subscription)\n");
   }
 }
-
-// src/logger.ts
-var verboseMode = false;
-function setVerbose(v) {
-  verboseMode = v;
-}
-function log(level, message, context) {
-  if (level === "DEBUG" && !verboseMode) return;
-  const entry = {
-    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    level,
-    message,
-    ...context && Object.keys(context).length > 0 ? { context } : {}
-  };
-  process.stderr.write(JSON.stringify(entry) + "\n");
-}
-function logDebug(message, context) {
-  log("DEBUG", message, context);
-}
-function logInfo(message, context) {
-  log("INFO", message, context);
-}
-function logWarn(message, context) {
-  log("WARN", message, context);
-}
-function logError(message, context) {
-  log("ERROR", message, context);
-}
 export {
   CartographyDB,
+  ScannerRegistry,
+  VectorStore,
+  assertReadOnly,
   assignColors,
+  bookmarksScanner,
   buildMapData,
   checkPrerequisites,
+  checkReadOnly,
   cleanupTempFiles,
   computeCentroid,
   computeClusterBounds,
   createCartographyTools,
-  CartographyDB as default,
+  createHashEmbedder,
+  createLocalEmbedder,
+  createMcpServer,
+  createScanRunner,
+  createSemanticSearch,
   defaultConfig,
+  defaultRegistry,
   edgesToConnections,
   exportAll,
   exportBackstageYAML,
   exportDiscoveryApp,
   exportJGF,
   exportJSON,
+  extractListeningPorts,
   generateDependencyMermaid,
   generateTopologyMermaid,
   groupByDomain,
@@ -3483,7 +4775,10 @@ export {
   hexRing,
   hexSpiral,
   hexToPixel,
+  installedAppsScanner,
+  isReadOnlyCommand,
   layoutClusters,
+  localDiscoveryFn,
   log,
   logDebug,
   logError,
@@ -3491,10 +4786,16 @@ export {
   logWarn,
   nodesToAssets,
   pixelToHex,
+  portsScanner,
   runDiscovery,
+  runHttp,
+  runLocalDiscovery,
+  runStdio,
+  safeEnv,
   safetyHook,
   setVerbose,
   shadeVariant,
+  splitSegments,
   stripSensitive
 };
 //# sourceMappingURL=index.js.map