npm - @datasynx/agentic-ai-cartography - Versions diffs - 2.0.0 → 2.3.0 - Mend

@datasynx/agentic-ai-cartography 2.0.0 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (68) hide show

package/AGENTS.md +32 -0
package/README.md +115 -6
package/dist/api-bin.js +24 -0
package/dist/api-bin.js.map +1 -0
package/dist/{bookmarks-VS56KVCO.js → bookmarks-WXHE7GN7.js} +6 -3
package/dist/{chunk-CJ2PITFA.js → chunk-2SZ5QHGH.js} +71 -9
package/dist/chunk-2SZ5QHGH.js.map +1 -0
package/dist/chunk-7QEBFMN4.js +3278 -0
package/dist/chunk-7QEBFMN4.js.map +1 -0
package/dist/chunk-7VZH5PFV.js +1134 -0
package/dist/chunk-7VZH5PFV.js.map +1 -0
package/dist/chunk-B2AKONVW.js +2465 -0
package/dist/chunk-B2AKONVW.js.map +1 -0
package/dist/chunk-WCR47QA2.js +277 -0
package/dist/chunk-WCR47QA2.js.map +1 -0
package/dist/cli.js +2367 -663
package/dist/cli.js.map +1 -1
package/dist/index.cjs +9405 -57913
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +3048 -69
package/dist/index.d.ts +3048 -69
package/dist/index.js +9150 -2607
package/dist/index.js.map +1 -1
package/dist/mcp-bin.js +17 -26
package/dist/mcp-bin.js.map +1 -1
package/dist/types-TJWXAQ2L.js +66 -0
package/llms-full.txt +758 -0
package/llms.txt +24 -0
package/package.json +27 -9
package/scripts/build-llms.mjs +89 -0
package/scripts/build-mcpb.mjs +31 -0
package/scripts/gen-api-schemas.ts +29 -0
package/scripts/gen-docs.ts +123 -0
package/scripts/sync-version.mjs +51 -0
package/scripts/validate-server-json.mjs +54 -0
package/server.json +4 -4
package/dist/chunk-CJ2PITFA.js.map +0 -1
package/dist/chunk-D6SRSLBF.js +0 -48
package/dist/chunk-J6FDZ6HZ.js +0 -142
package/dist/chunk-J6FDZ6HZ.js.map +0 -1
package/dist/chunk-UGSNG3QJ.js +0 -49
package/dist/chunk-UGSNG3QJ.js.map +0 -1
package/dist/chunk-W7YE6AAH.js +0 -1516
package/dist/chunk-W7YE6AAH.js.map +0 -1
package/dist/onnxruntime_binding-6Q6HXASN.node +0 -0
package/dist/onnxruntime_binding-EKZT2NRK.node +0 -0
package/dist/onnxruntime_binding-P6S7V3CI.node +0 -0
package/dist/onnxruntime_binding-PJNNIIUO.node +0 -0
package/dist/onnxruntime_binding-UN6SPTQK.node +0 -0
package/dist/sdk-A6NLO3DJ.js +0 -12294
package/dist/sdk-A6NLO3DJ.js.map +0 -1
package/dist/sdk-G5D4WQZ4.js +0 -12293
package/dist/sdk-G5D4WQZ4.js.map +0 -1
package/dist/sdk-QSTAREST.js +0 -4869
package/dist/sdk-QSTAREST.js.map +0 -1
package/dist/sqlite-vec-EZN67B2V.js +0 -40
package/dist/sqlite-vec-EZN67B2V.js.map +0 -1
package/dist/sqlite-vec-UK5YYE5T.js +0 -39
package/dist/sqlite-vec-UK5YYE5T.js.map +0 -1
package/dist/transformers.node-BTYUTJK5.js +0 -42884
package/dist/transformers.node-BTYUTJK5.js.map +0 -1
package/dist/transformers.node-J6PRTTOX.js +0 -42883
package/dist/transformers.node-J6PRTTOX.js.map +0 -1
package/dist/types-JG27FR3E.js +0 -29
package/dist/types-JG27FR3E.js.map +0 -1
package/scripts/postinstall.mjs +0 -7
/package/dist/{bookmarks-VS56KVCO.js.map → bookmarks-WXHE7GN7.js.map} +0 -0
/package/dist/{chunk-D6SRSLBF.js.map → types-TJWXAQ2L.js.map} +0 -0

package/dist/chunk-7QEBFMN4.js ADDED Viewed

@@ -0,0 +1,3278 @@
+#!/usr/bin/env node
+import {
+  CostEntrySchema,
+  DEFAULT_ANOMALY_THRESHOLDS,
+  DRIFT_FIELDS,
+  EDGE_RELATIONSHIPS,
+  NODE_TYPES,
+  NODE_TYPE_GROUPS,
+  SharingLevelSchema
+} from "./chunk-WCR47QA2.js";
+import {
+  HOME,
+  IS_LINUX,
+  IS_MAC,
+  IS_WIN,
+  PLATFORM,
+  commandExists,
+  dbScanDirs,
+  findFiles,
+  hostname,
+  logDebug,
+  machineId,
+  osUser,
+  run,
+  scanAllBookmarks,
+  scanAllHistory,
+  scanWindowsDbServices,
+  scanWindowsPrograms
+} from "./chunk-2SZ5QHGH.js";
+// src/tools.ts
+import { z } from "zod";
+// src/sanitize.ts
+var STRIP_RANGES = [
+  // C0 controls except 0x09 (tab), 0x0A (LF), 0x0D (CR)
+  [0, 8],
+  [11, 12],
+  [14, 31],
+  [127, 127],
+  // DEL
+  [128, 159],
+  // C1 controls
+  [173, 173],
+  // soft hyphen
+  [8203, 8207],
+  // ZWSP, ZWNJ, ZWJ, LRM, RLM
+  [8234, 8238],
+  // bidi embeddings & overrides
+  [8288, 8292],
+  // word joiner, invisible math operators
+  [8294, 8297],
+  // bidi isolates
+  [8298, 8303],
+  // deprecated format characters
+  [65279, 65279]
+  // BOM / ZWNBSP
+];
+var STRIP = /* @__PURE__ */ new Set();
+for (const [start, end] of STRIP_RANGES) {
+  for (let cp = start; cp <= end; cp++) STRIP.add(cp);
+}
+function sanitizeUntrusted(text) {
+  if (!text) return text;
+  let out = "";
+  for (const ch of text.normalize("NFC")) {
+    if (!STRIP.has(ch.codePointAt(0))) out += ch;
+  }
+  return out;
+}
+function sanitizeValue(value) {
+  if (typeof value === "string") return sanitizeUntrusted(value);
+  if (Array.isArray(value)) return value.map(sanitizeValue);
+  if (value && typeof value === "object") {
+    const out = {};
+    for (const [k, v] of Object.entries(value)) out[k] = sanitizeValue(v);
+    return out;
+  }
+  return value;
+}
+// src/scanners/cloud-util.ts
+function safeJson(raw) {
+  const s = raw.trim();
+  if (!s || s.startsWith("(")) return void 0;
+  try {
+    return JSON.parse(s);
+  } catch {
+    return void 0;
+  }
+}
+var HINT_ARG_KINDS = {
+  namespace: "k8s-namespace",
+  region: "aws-region",
+  profile: "aws-profile",
+  project: "gcp-project",
+  subscription: "azure-subscription",
+  "resource-group": "azure-resource-group"
+};
+function parseScanHint(hint) {
+  const out = { free: "" };
+  const free = [];
+  for (const tok of (hint ?? "").split(/[\s,]+/).filter(Boolean)) {
+    const eq = tok.indexOf("=");
+    if (eq <= 0) {
+      free.push(tok);
+      continue;
+    }
+    const key = tok.slice(0, eq);
+    const value = tok.slice(eq + 1);
+    const kind = HINT_ARG_KINDS[key];
+    if (!kind) {
+      free.push(tok);
+      continue;
+    }
+    assertSafeScanArg(kind, value);
+    if (key === "resource-group") out.resourceGroup = value;
+    else if (key === "namespace") out.namespace = value;
+    else if (key === "region") out.region = value;
+    else if (key === "profile") out.profile = value;
+    else if (key === "project") out.project = value;
+    else if (key === "subscription") out.subscription = value;
+  }
+  out.free = free.join(" ");
+  return out;
+}
+function buildReport(sections) {
+  return sections.map(([k, v]) => `=== ${k} ===
+${v}`).join("\n\n");
+}
+// src/scanners/cloud-aws.ts
+var cloudAwsScanner = {
+  id: "cloud-aws",
+  title: "AWS infrastructure",
+  platforms: "all",
+  allowedCommands: ["aws"],
+  detect: (ctx) => Boolean((ctx.commandExists ?? commandExists)("aws")),
+  async scan(ctx) {
+    const { region, profile } = parseScanHint(ctx.hint);
+    const env = region ? { ...process.env, AWS_DEFAULT_REGION: region } : process.env;
+    const pf = profile ? ` --profile ${profile}` : "";
+    const runA = createScanRunner((c) => ctx.run(c, { timeout: 2e4, env }), { threshold: 3 });
+    const nodes = [];
+    const edges = [];
+    const report = [];
+    report.push(["IDENTITY", runA(`aws sts get-caller-identity${pf} --output json`)]);
+    const ec2Raw = runA(`aws ec2 describe-instances${pf} --output json`);
+    report.push(["EC2", ec2Raw]);
+    const ec2 = safeJson(ec2Raw);
+    for (const r of ec2?.Reservations ?? []) {
+      for (const i of r.Instances ?? []) {
+        const id = String(i.InstanceId ?? "");
+        if (!id) continue;
+        nodes.push({
+          id: `host:aws:${id}`,
+          type: "host",
+          name: id,
+          discoveredVia: "aws-ec2",
+          confidence: 0.95,
+          tags: ["cloud", "aws", "ec2"],
+          metadata: redactValue({ instanceType: i.InstanceType, state: i.State?.Name, privateIp: i.PrivateIpAddress })
+        });
+      }
+    }
+    const rdsRaw = runA(`aws rds describe-db-instances${pf} --output json`);
+    report.push(["RDS", rdsRaw]);
+    const rds = safeJson(rdsRaw);
+    for (const db of rds?.DBInstances ?? []) {
+      const id = String(db.DBInstanceIdentifier ?? "");
+      if (!id) continue;
+      nodes.push({
+        id: `database_server:rds:${id}`,
+        type: "database_server",
+        name: id,
+        discoveredVia: "aws-rds",
+        confidence: 0.95,
+        tags: ["cloud", "aws", "rds"],
+        metadata: redactValue({ engine: db.Engine, status: db.DBInstanceStatus, endpoint: db.Endpoint?.Address, port: db.Endpoint?.Port })
+      });
+    }
+    const cacheRaw = runA(`aws elasticache describe-cache-clusters${pf} --output json`);
+    report.push(["ELASTICACHE", cacheRaw]);
+    const cache = safeJson(cacheRaw);
+    for (const c of cache?.CacheClusters ?? []) {
+      const id = String(c.CacheClusterId ?? "");
+      if (!id) continue;
+      nodes.push({
+        id: `cache_server:aws:${id}`,
+        type: "cache_server",
+        name: id,
+        discoveredVia: "aws-elasticache",
+        confidence: 0.95,
+        tags: ["cloud", "aws", "elasticache"],
+        metadata: redactValue({ engine: c.Engine, status: c.CacheClusterStatus })
+      });
+    }
+    const eksRaw = runA(`aws eks list-clusters${pf} --output json`);
+    report.push(["EKS", eksRaw]);
+    const eks = safeJson(eksRaw);
+    for (const name of eks?.clusters ?? []) {
+      if (!name) continue;
+      nodes.push({
+        id: `k8s_cluster:eks:${name}`,
+        type: "k8s_cluster",
+        name,
+        discoveredVia: "aws-eks",
+        confidence: 0.95,
+        tags: ["cloud", "aws", "eks", "kubernetes"],
+        metadata: { provider: "eks" }
+      });
+    }
+    const elbRaw = runA(`aws elbv2 describe-load-balancers${pf} --output json`);
+    report.push(["ELB_V2", elbRaw]);
+    const elb = safeJson(elbRaw);
+    for (const lb of elb?.LoadBalancers ?? []) {
+      const dns = String(lb.DNSName ?? "");
+      if (!dns) continue;
+      nodes.push({
+        id: `web_service:aws:${dns}`,
+        type: "web_service",
+        name: lb.LoadBalancerName ?? dns,
+        discoveredVia: "aws-elbv2",
+        confidence: 0.9,
+        tags: ["cloud", "aws", "elb"],
+        metadata: redactValue({ dnsName: dns, type: lb.Type, state: lb.State?.Code })
+      });
+    }
+    return { nodes, edges, report: buildReport(report) };
+  }
+};
+// src/scanners/cloud-gcp.ts
+function lastSegment(value) {
+  if (!value) return void 0;
+  const parts = value.split("/");
+  return parts[parts.length - 1] || value;
+}
+var cloudGcpScanner = {
+  id: "cloud-gcp",
+  title: "Google Cloud Platform infrastructure",
+  platforms: "all",
+  allowedCommands: ["gcloud"],
+  detect: (ctx) => Boolean((ctx.commandExists ?? commandExists)("gcloud")),
+  async scan(ctx) {
+    const { project } = parseScanHint(ctx.hint);
+    const pf = project ? ` --project ${project}` : "";
+    const runG = createScanRunner((c) => ctx.run(c, { timeout: 2e4 }), { threshold: 3 });
+    const nodes = [];
+    const edges = [];
+    const report = [];
+    report.push(["IDENTITY", runG(`gcloud config list account --format=json`)]);
+    const computeRaw = runG(`gcloud compute instances list${pf} --format=json`);
+    report.push(["COMPUTE_INSTANCES", computeRaw]);
+    for (const i of safeJson(computeRaw) ?? []) {
+      const name = String(i.name ?? "");
+      if (!name) continue;
+      nodes.push({
+        id: `host:gcp:${name}`,
+        type: "host",
+        name,
+        discoveredVia: "gcp-compute",
+        confidence: 0.95,
+        tags: ["cloud", "gcp", "compute"],
+        metadata: { machineType: lastSegment(i.machineType), status: i.status, zone: lastSegment(i.zone) }
+      });
+    }
+    const sqlRaw = runG(`gcloud sql instances list${pf} --format=json`);
+    report.push(["SQL_INSTANCES", sqlRaw]);
+    for (const s of safeJson(sqlRaw) ?? []) {
+      const name = String(s.name ?? "");
+      if (!name) continue;
+      nodes.push({
+        id: `database_server:gcp-sql:${name}`,
+        type: "database_server",
+        name,
+        discoveredVia: "gcp-sql",
+        confidence: 0.95,
+        tags: ["cloud", "gcp", "cloudsql"],
+        metadata: { engine: s.databaseVersion, state: s.state, region: s.region }
+      });
+    }
+    const gkeRaw = runG(`gcloud container clusters list${pf} --format=json`);
+    report.push(["GKE_CLUSTERS", gkeRaw]);
+    for (const c of safeJson(gkeRaw) ?? []) {
+      const name = String(c.name ?? "");
+      if (!name) continue;
+      nodes.push({
+        id: `k8s_cluster:gke:${name}`,
+        type: "k8s_cluster",
+        name,
+        discoveredVia: "gcp-gke",
+        confidence: 0.95,
+        tags: ["cloud", "gcp", "gke", "kubernetes"],
+        metadata: { status: c.status, location: c.location }
+      });
+    }
+    const redisRaw = runG(`gcloud redis instances list --regions=-${pf} --format=json`);
+    report.push(["REDIS", redisRaw]);
+    for (const r of safeJson(redisRaw) ?? []) {
+      const name = lastSegment(String(r.name ?? ""));
+      if (!name) continue;
+      nodes.push({
+        id: `cache_server:gcp:${name}`,
+        type: "cache_server",
+        name,
+        discoveredVia: "gcp-redis",
+        confidence: 0.95,
+        tags: ["cloud", "gcp", "memorystore"],
+        metadata: { tier: r.tier, state: r.state }
+      });
+    }
+    const runRaw = runG(`gcloud run services list --platform managed${pf} --format=json`);
+    report.push(["CLOUD_RUN", runRaw]);
+    for (const svc of safeJson(runRaw) ?? []) {
+      const name = String(svc.metadata?.name ?? "");
+      if (!name) continue;
+      nodes.push({
+        id: `web_service:gcp-run:${name}`,
+        type: "web_service",
+        name,
+        discoveredVia: "gcp-run",
+        confidence: 0.9,
+        tags: ["cloud", "gcp", "cloudrun"],
+        metadata: redactValue({ url: svc.status?.url })
+      });
+    }
+    const pubsubRaw = runG(`gcloud pubsub topics list${pf} --format=json`);
+    report.push(["PUBSUB", pubsubRaw]);
+    for (const t of safeJson(pubsubRaw) ?? []) {
+      const name = lastSegment(String(t.name ?? ""));
+      if (!name) continue;
+      nodes.push({
+        id: `topic:gcp:${name}`,
+        type: "topic",
+        name,
+        discoveredVia: "gcp-pubsub",
+        confidence: 0.9,
+        tags: ["cloud", "gcp", "pubsub"],
+        metadata: { fullName: t.name }
+      });
+    }
+    return { nodes, edges, report: buildReport(report) };
+  }
+};
+// src/scanners/cloud-azure.ts
+var cloudAzureScanner = {
+  id: "cloud-azure",
+  title: "Azure infrastructure",
+  platforms: "all",
+  allowedCommands: ["az"],
+  detect: (ctx) => Boolean((ctx.commandExists ?? commandExists)("az")),
+  async scan(ctx) {
+    const { subscription, resourceGroup } = parseScanHint(ctx.hint);
+    const sf = subscription ? ` --subscription ${subscription}` : "";
+    const rf = resourceGroup ? ` --resource-group ${resourceGroup}` : "";
+    const scope = `${sf}${rf}`;
+    const runZ = createScanRunner((c) => ctx.run(c, { timeout: 2e4 }), { threshold: 3 });
+    const nodes = [];
+    const edges = [];
+    const report = [];
+    report.push(["IDENTITY", runZ(`az account show --output json${sf}`)]);
+    const vmRaw = runZ(`az vm list${scope} --output json`);
+    report.push(["VMS", vmRaw]);
+    for (const vm of safeJson(vmRaw) ?? []) {
+      const name = String(vm.name ?? "");
+      if (!name) continue;
+      nodes.push({
+        id: `host:azure:${name}`,
+        type: "host",
+        name,
+        discoveredVia: "azure-vm",
+        confidence: 0.95,
+        tags: ["cloud", "azure", "vm"],
+        metadata: { vmSize: vm.hardwareProfile?.vmSize, location: vm.location, powerState: vm.powerState }
+      });
+    }
+    const aksRaw = runZ(`az aks list${scope} --output json`);
+    report.push(["AKS", aksRaw]);
+    for (const aks of safeJson(aksRaw) ?? []) {
+      const name = String(aks.name ?? "");
+      if (!name) continue;
+      nodes.push({
+        id: `k8s_cluster:aks:${name}`,
+        type: "k8s_cluster",
+        name,
+        discoveredVia: "azure-aks",
+        confidence: 0.95,
+        tags: ["cloud", "azure", "aks", "kubernetes"],
+        metadata: { location: aks.location, version: aks.kubernetesVersion, state: aks.provisioningState }
+      });
+    }
+    const sqlRaw = runZ(`az sql server list${scope} --output json`);
+    report.push(["SQL_SERVERS", sqlRaw]);
+    for (const s of safeJson(sqlRaw) ?? []) {
+      const name = String(s.name ?? "");
+      if (!name) continue;
+      nodes.push({
+        id: `database_server:azure-sql:${name}`,
+        type: "database_server",
+        name,
+        discoveredVia: "azure-sql",
+        confidence: 0.95,
+        tags: ["cloud", "azure", "sql"],
+        metadata: { engine: "sqlserver", location: s.location, version: s.version }
+      });
+    }
+    const pgRaw = runZ(`az postgres server list${scope} --output json`);
+    report.push(["POSTGRES", pgRaw]);
+    for (const p of safeJson(pgRaw) ?? []) {
+      const name = String(p.name ?? "");
+      if (!name) continue;
+      nodes.push({
+        id: `database_server:azure-postgres:${name}`,
+        type: "database_server",
+        name,
+        discoveredVia: "azure-postgres",
+        confidence: 0.95,
+        tags: ["cloud", "azure", "postgres"],
+        metadata: { engine: "postgresql", location: p.location, version: p.version }
+      });
+    }
+    const redisRaw = runZ(`az redis list${scope} --output json`);
+    report.push(["REDIS", redisRaw]);
+    for (const r of safeJson(redisRaw) ?? []) {
+      const name = String(r.name ?? "");
+      if (!name) continue;
+      nodes.push({
+        id: `cache_server:azure:${name}`,
+        type: "cache_server",
+        name,
+        discoveredVia: "azure-redis",
+        confidence: 0.95,
+        tags: ["cloud", "azure", "redis"],
+        metadata: { location: r.location, state: r.provisioningState }
+      });
+    }
+    const webRaw = runZ(`az webapp list${scope} --output json`);
+    report.push(["WEBAPPS", webRaw]);
+    for (const w of safeJson(webRaw) ?? []) {
+      const name = String(w.name ?? "");
+      if (!name) continue;
+      nodes.push({
+        id: `web_service:azure:${name}`,
+        type: "web_service",
+        name,
+        discoveredVia: "azure-webapp",
+        confidence: 0.9,
+        tags: ["cloud", "azure", "webapp"],
+        metadata: redactValue({ hostName: w.defaultHostName, state: w.state })
+      });
+    }
+    return { nodes, edges, report: buildReport(report) };
+  }
+};
+// src/scanners/k8s.ts
+var MAX_PODS = 200;
+function selectorMatches(selector, labels) {
+  const keys = Object.keys(selector);
+  if (keys.length === 0) return false;
+  return keys.every((k) => labels[k] === selector[k]);
+}
+var k8sScanner = {
+  id: "k8s",
+  title: "Kubernetes resources",
+  platforms: "all",
+  allowedCommands: ["kubectl"],
+  detect: (ctx) => Boolean((ctx.commandExists ?? commandExists)("kubectl")),
+  async scan(ctx) {
+    const { namespace } = parseScanHint(ctx.hint);
+    const nsFlag = namespace ? `-n ${namespace}` : "--all-namespaces";
+    const runK = createScanRunner((c) => ctx.run(c, { timeout: 15e3 }), { threshold: 3 });
+    const nodes = [];
+    const edges = [];
+    const report = [];
+    const nodeIds = /* @__PURE__ */ new Set();
+    const add = (n) => {
+      if (nodeIds.has(n.id)) return;
+      nodeIds.add(n.id);
+      nodes.push(n);
+    };
+    const contextRaw = runK("kubectl config current-context").trim();
+    report.push(["CONTEXT", contextRaw]);
+    const context = contextRaw.startsWith("(") ? "" : contextRaw;
+    const clusterName = context || "current";
+    const clusterId = `k8s_cluster:${clusterName}`;
+    add({
+      id: clusterId,
+      type: "k8s_cluster",
+      name: clusterName,
+      discoveredVia: "kubectl-context",
+      confidence: 0.95,
+      tags: ["kubernetes", "cluster"],
+      metadata: { context: clusterName }
+    });
+    const nodesRaw = runK("kubectl get nodes -o json");
+    report.push(["NODES", nodesRaw]);
+    for (const item of safeJson(nodesRaw)?.items ?? []) {
+      const name = String(item.metadata?.name ?? "");
+      if (!name) continue;
+      const id = `host:k8s:${name}`;
+      add({
+        id,
+        type: "host",
+        name,
+        discoveredVia: "kubectl-node",
+        confidence: 0.9,
+        tags: ["kubernetes", "node"],
+        metadata: { cluster: clusterName }
+      });
+      edges.push({ sourceId: clusterId, targetId: id, relationship: "contains", evidence: "kubectl get nodes", confidence: 0.9 });
+    }
+    const svcRaw = runK(`kubectl get services ${nsFlag} -o json`);
+    report.push(["SERVICES", svcRaw]);
+    const services = safeJson(svcRaw)?.items ?? [];
+    for (const svc of services) {
+      const name = String(svc.metadata?.name ?? "");
+      const ns = String(svc.metadata?.namespace ?? "default");
+      if (!name) continue;
+      add({
+        id: `web_service:k8s:${ns}/${name}`,
+        type: "web_service",
+        name: `${ns}/${name}`,
+        discoveredVia: "kubectl-service",
+        confidence: 0.9,
+        tags: ["kubernetes", "service"],
+        metadata: { namespace: ns, type: svc.spec?.type, clusterIP: svc.spec?.clusterIP }
+      });
+    }
+    const podsRaw = runK(`kubectl get pods ${nsFlag} --field-selector=status.phase=Running -o json`);
+    report.push(["PODS_RUNNING", podsRaw]);
+    const allPods = safeJson(podsRaw)?.items ?? [];
+    const pods = allPods.slice(0, MAX_PODS);
+    if (allPods.length > MAX_PODS) {
+      report.push(["PODS_OVERFLOW", `${allPods.length} running pods found; first ${MAX_PODS} catalogued`]);
+    }
+    for (const pod of pods) {
+      const name = String(pod.metadata?.name ?? "");
+      const ns = String(pod.metadata?.namespace ?? "default");
+      if (!name) continue;
+      const podId = `pod:${ns}/${name}`;
+      add({
+        id: podId,
+        type: "pod",
+        name: `${ns}/${name}`,
+        discoveredVia: "kubectl-pod",
+        confidence: 0.9,
+        tags: ["kubernetes", "pod"],
+        metadata: { namespace: ns, node: pod.spec?.nodeName }
+      });
+      edges.push({ sourceId: clusterId, targetId: podId, relationship: "contains", evidence: "kubectl get pods", confidence: 0.9 });
+      const labels = pod.metadata?.labels ?? {};
+      for (const svc of services) {
+        const svcNs = String(svc.metadata?.namespace ?? "default");
+        if (svcNs !== ns) continue;
+        const selector = svc.spec?.selector;
+        if (!selector || !selectorMatches(selector, labels)) continue;
+        const svcId = `web_service:k8s:${svcNs}/${String(svc.metadata?.name ?? "")}`;
+        edges.push({ sourceId: svcId, targetId: podId, relationship: "connects_to", evidence: "label selector match", confidence: 0.85 });
+      }
+    }
+    return { nodes, edges, report: buildReport(report) };
+  }
+};
+// src/scanners/databases.ts
+function baseName(path) {
+  const parts = path.split(/[\\/]/);
+  return parts[parts.length - 1] || path;
+}
+var databasesScanner = {
+  id: "databases",
+  title: "Local database servers",
+  platforms: "all",
+  allowedCommands: ["psql", "mysql", "mongosh", "redis-cli", "sqlite3", "pg_lsclusters", "find", "head", "grep", "awk", "Get-Service", "Get-ChildItem", "Select-Object", "Where-Object"],
+  detect: (ctx) => {
+    const exists = ctx.commandExists ?? commandExists;
+    return ["psql", "mysql", "mongosh", "redis-cli"].some((c) => Boolean(exists(c)));
+  },
+  async scan(ctx) {
+    const exists = ctx.commandExists ?? commandExists;
+    const run2 = (cmd, opts) => ctx.run(cmd, { timeout: opts?.timeout ?? 1e4 });
+    const deep = parseScanHint(ctx.hint).free.split(/\s+/).includes("deep");
+    const nodes = [];
+    const edges = [];
+    const report = [];
+    const seen = /* @__PURE__ */ new Set();
+    const add = (n) => {
+      if (seen.has(n.id)) return;
+      seen.add(n.id);
+      nodes.push(n);
+    };
+    if (exists("psql")) {
+      const out = IS_WIN ? run2("psql -lqt") : run2(`psql -lqt 2>/dev/null | grep -v "template0\\|template1" | awk '{print $1}' | grep -v "^$\\|^|"`);
+      report.push(["POSTGRES_DATABASES", out || "(psql not running or requires auth)"]);
+      if (out) {
+        const databases = out.split("\n").map((l) => l.trim()).filter(Boolean);
+        add({
+          id: "database_server:postgresql:localhost",
+          type: "database_server",
+          name: "PostgreSQL (localhost)",
+          discoveredVia: "psql",
+          confidence: 0.9,
+          tags: ["local", "postgresql"],
+          metadata: redactValue({ engine: "postgresql", host: "localhost", databases })
+        });
+      }
+      if (!IS_WIN) {
+        const clusters = run2("pg_lsclusters 2>/dev/null");
+        if (clusters) report.push(["POSTGRES_CLUSTERS", clusters]);
+      }
+    }
+    if (exists("mysql")) {
+      const out = IS_WIN ? run2('mysql --connect-timeout=3 -e "SHOW DATABASES;"') : run2('mysql --connect-timeout=3 -e "SHOW DATABASES;" 2>/dev/null');
+      report.push(["MYSQL_DATABASES", out || "(mysql not running or requires auth)"]);
+      if (out) {
+        const databases = out.split("\n").map((l) => l.trim()).filter((l) => l && l !== "Database");
+        add({
+          id: "database_server:mysql:localhost",
+          type: "database_server",
+          name: "MySQL (localhost)",
+          discoveredVia: "mysql",
+          confidence: 0.9,
+          tags: ["local", "mysql"],
+          metadata: redactValue({ engine: "mysql", host: "localhost", databases })
+        });
+      }
+    }
+    if (exists("mongosh")) {
+      const evalExpr = "JSON.stringify(db.adminCommand({listDatabases:1}))";
+      const out = IS_WIN ? run2(`mongosh --quiet --eval "${evalExpr}"`) : run2(`mongosh --quiet --eval "${evalExpr}" 2>/dev/null`);
+      report.push(["MONGODB_DATABASES", out || "(mongosh not available)"]);
+      if (out) {
+        add({
+          id: "database_server:mongodb:localhost",
+          type: "database_server",
+          name: "MongoDB (localhost)",
+          discoveredVia: "mongosh",
+          confidence: 0.9,
+          tags: ["local", "mongodb"],
+          metadata: { engine: "mongodb", host: "localhost" }
+        });
+      }
+    }
+    if (exists("redis-cli")) {
+      const out = IS_WIN ? run2("redis-cli info server") : run2("redis-cli info server 2>/dev/null | head -5");
+      report.push(["REDIS_INFO", out || "(redis-cli not available)"]);
+      if (out) {
+        add({
+          id: "cache_server:redis:localhost",
+          type: "cache_server",
+          name: "Redis (localhost)",
+          discoveredVia: "redis-cli",
+          confidence: 0.9,
+          tags: ["local", "redis"],
+          metadata: { engine: "redis", host: "localhost" }
+        });
+      }
+    }
+    const appDirs = dbScanDirs();
+    if (appDirs.length > 0) {
+      const out = findFiles(appDirs, ["*.sqlite", "*.sqlite3", "*.db"], 4, 80);
+      report.push(["SQLITE_APP_FILES", out || "(none found)"]);
+      for (const path of out.split("\n").map((l) => l.trim()).filter(Boolean)) {
+        const base = baseName(path);
+        add({
+          id: `database:sqlite:${base}`,
+          type: "database",
+          name: base,
+          discoveredVia: "sqlite-file",
+          confidence: 0.7,
+          tags: ["local", "sqlite"],
+          metadata: redactValue({ path })
+        });
+      }
+    }
+    if (IS_WIN) {
+      report.push(["DB_SERVICES", scanWindowsDbServices() || "(no database services found)"]);
+    }
+    if (deep) {
+      const deepOut = IS_WIN ? run2(
+        `Get-ChildItem -Path '${HOME}' -Recurse -Depth 6 -Include '*.sqlite','*.sqlite3','*.db' -ErrorAction SilentlyContinue | Where-Object { $_.FullName -notmatch 'node_modules|\\.git' } | Select-Object -First 100 -ExpandProperty FullName`
+      ) : run2(`find "${HOME}" -maxdepth 6 \\( -name "*.sqlite" -o -name "*.sqlite3" -o -name "*.db" \\) -not -path "*/node_modules/*" -not -path "*/.git/*" 2>/dev/null | head -100`, { timeout: 3e4 });
+      report.push(["SQLITE_DEEP_SCAN", deepOut || "(none found)"]);
+      for (const path of deepOut.split("\n").map((l) => l.trim()).filter(Boolean)) {
+        const base = baseName(path);
+        add({
+          id: `database:sqlite:${base}`,
+          type: "database",
+          name: base,
+          discoveredVia: "sqlite-deep-scan",
+          confidence: 0.6,
+          tags: ["local", "sqlite", "deep"],
+          metadata: redactValue({ path })
+        });
+      }
+      const configOut = IS_WIN ? run2(
+        `Get-ChildItem -Path '${HOME}' -Recurse -Depth 4 -Include '.env','.env.local','database.yml','database.json','docker-compose.yml' -ErrorAction SilentlyContinue | Select-Object -First 20 -ExpandProperty FullName`,
+        { timeout: 15e3 }
+      ) : run2(`find "${HOME}" -maxdepth 4 \\( -name ".env" -o -name ".env.local" -o -name "database.yml" -o -name "database.json" -o -name "docker-compose.yml" \\) 2>/dev/null | head -20`, { timeout: 15e3 });
+      report.push(["DB_CONFIG_FILES", configOut || "(none found)"]);
+    }
+    return { nodes, edges, report: buildReport(report) };
+  }
+};
+// src/tools.ts
+function createScanRunner(runFn, opts = {}) {
+  const threshold = opts.threshold ?? 3;
+  let consecutiveFailures = 0;
+  let tripped = false;
+  return (cmd) => {
+    if (tripped) {
+      logDebug(`Circuit breaker: skipping "${cmd}" (${consecutiveFailures} consecutive failures)`);
+      return "(skipped \u2014 circuit breaker: too many consecutive failures)";
+    }
+    const result = runFn(cmd, { timeout: opts.timeout ?? 2e4, env: opts.env });
+    if (!result) {
+      consecutiveFailures++;
+      if (consecutiveFailures >= threshold) {
+        tripped = true;
+        logDebug(`Circuit breaker tripped after ${threshold} failures, last command: "${cmd}"`);
+      }
+      return "(error or not available)";
+    }
+    consecutiveFailures = 0;
+    return result;
+  };
+}
+function clampText(raw, max) {
+  const clean = sanitizeUntrusted(raw);
+  if (clean.length <= max) return clean;
+  return clean.slice(0, max) + `
+\u2026 [output truncated: ${clean.length - max} more characters omitted \u2014 narrow the scan (e.g. a namespace/region/hint) or query the catalog instead]`;
+}
+function stripSensitive(target) {
+  const raw = target.trim();
+  if (!raw) return raw;
+  try {
+    const url = new URL(raw.startsWith("http") ? raw : `tcp://${raw}`);
+    const stripped = `${url.hostname}${url.port ? ":" + url.port : ""}`;
+    return stripped || raw;
+  } catch {
+    const stripped = raw.replace(/\/.*$/, "").replace(/\?.*$/, "").replace(/@.*:/, ":");
+    return stripped || raw;
+  }
+}
+var SCAN_ARG_PATTERNS = {
+  "k8s-namespace": /^[a-z0-9]([-a-z0-9]*[a-z0-9])?$/,
+  "aws-region": /^[A-Za-z0-9-]+$/,
+  "aws-profile": /^[A-Za-z0-9_.-]+$/,
+  "gcp-project": /^[a-z0-9][a-z0-9.-]*(:[a-z0-9][a-z0-9-]*)?$/,
+  "azure-subscription": /^[0-9a-fA-F-]+$/,
+  "azure-resource-group": /^[A-Za-z0-9_.()-]+$/
+};
+function assertSafeScanArg(kind, value) {
+  if (!SCAN_ARG_PATTERNS[kind].test(value)) {
+    throw new Error(`Invalid ${kind} "${value}": contains characters that are not allowed`);
+  }
+  return value;
+}
+function redactSecrets(value) {
+  return value.replace(/([a-z][a-z0-9+.-]*:\/\/[^:@/\s]+):[^@/\s]+@/gi, "$1:***@");
+}
+function redactValue(value) {
+  if (typeof value === "string") return redactSecrets(value);
+  if (Array.isArray(value)) return value.map(redactValue);
+  if (value && typeof value === "object") {
+    const out = {};
+    for (const [k, v] of Object.entries(value)) out[k] = redactValue(v);
+    return out;
+  }
+  return value;
+}
+var READ_SCAN = { readOnlyHint: true, openWorldHint: true };
+var READ_LOCAL = { readOnlyHint: true, openWorldHint: false };
+var WRITE_CATALOG = { readOnlyHint: false, destructiveHint: false, idempotentHint: true, openWorldHint: false };
+async function buildCartographyToolHandlers(db, sessionId, opts = {}) {
+  const maxResponseBytes = opts.maxResponseBytes ?? 1e5;
+  const textResult = (raw) => ({ content: [{ type: "text", text: clampText(raw, maxResponseBytes) }] });
+  const runScannerTool = async (scanner, hint) => {
+    const ctx = { hint, platform: PLATFORM, run };
+    if (!await scanner.detect(ctx)) return textResult(`(${scanner.title}: CLI not available)`);
+    const result = await scanner.scan(ctx);
+    const structured = `=== NODES (${result.nodes.length}) / EDGES (${result.edges.length}) ===
+` + JSON.stringify({ nodes: result.nodes, edges: result.edges });
+    return textResult([structured, result.report ?? ""].filter(Boolean).join("\n\n"));
+  };
+  const tool = (name, description, inputShape, handler, extra) => ({ name, description, inputShape, annotations: extra.annotations, handler });
+  const tools = [
+    tool("save_node", "Save an infrastructure node to the catalog", {
+      id: z.string(),
+      type: z.enum(NODE_TYPES),
+      name: z.string(),
+      discoveredVia: z.string(),
+      confidence: z.number().min(0).max(1),
+      metadata: z.record(z.string(), z.unknown()).optional(),
+      tags: z.array(z.string()).optional(),
+      domain: z.string().optional().describe('Business domain, e.g. "Marketing", "Finance"'),
+      subDomain: z.string().optional().describe('Sub-domain, e.g. "Forecast client orders"'),
+      qualityScore: z.number().min(0).max(100).optional().describe("Data quality score 0\u2013100")
+    }, async (args) => {
+      const node = {
+        id: stripSensitive(args["id"]),
+        type: args["type"],
+        name: args["name"],
+        discoveredVia: args["discoveredVia"],
+        confidence: args["confidence"],
+        metadata: redactValue(args["metadata"] ?? {}),
+        tags: args["tags"] ?? [],
+        domain: args["domain"],
+        subDomain: args["subDomain"],
+        qualityScore: args["qualityScore"]
+      };
+      db.upsertNode(sessionId, node);
+      return { content: [{ type: "text", text: `\u2713 Node: ${node.id}` }] };
+    }, { annotations: WRITE_CATALOG }),
+    tool("save_edge", "Save a relationship (edge) between two nodes \u2014 ALWAYS save edges when connections are clear", {
+      sourceId: z.string(),
+      targetId: z.string(),
+      relationship: z.enum(EDGE_RELATIONSHIPS),
+      evidence: z.string(),
+      confidence: z.number().min(0).max(1)
+    }, async (args) => {
+      db.insertEdge(sessionId, {
+        sourceId: args["sourceId"],
+        targetId: args["targetId"],
+        relationship: args["relationship"],
+        evidence: redactSecrets(args["evidence"]),
+        confidence: args["confidence"]
+      });
+      return { content: [{ type: "text", text: `\u2713 ${args["sourceId"]}\u2192${args["targetId"]}` }] };
+    }, { annotations: WRITE_CATALOG }),
+    tool("get_catalog", "Get the current catalog \u2014 use before save_node to avoid duplicates", {
+      includeEdges: z.boolean().default(true)
+    }, async (args) => {
+      const nodes = db.getNodes(sessionId);
+      const edges = args["includeEdges"] ? db.getEdges(sessionId) : [];
+      return {
+        content: [{
+          type: "text",
+          text: JSON.stringify({
+            count: { nodes: nodes.length, edges: edges.length },
+            nodeIds: nodes.map((n) => n.id)
+          })
+        }]
+      };
+    }, { annotations: READ_LOCAL }),
+    tool("ask_user", "Ask the user a question \u2014 for clarifications, missing context, or consent (e.g. before scanning browser history)", {
+      question: z.string().describe("The question for the user (clear and specific)"),
+      context: z.string().optional().describe("Optional context explaining why this is relevant")
+    }, async (args) => {
+      const question = args["question"];
+      const context = args["context"];
+      if (opts.onAskUser) {
+        const answer = await opts.onAskUser(question, context);
+        return { content: [{ type: "text", text: answer }] };
+      }
+      return {
+        content: [{ type: "text", text: "(Non-interactive mode \u2014 please continue without this information)" }]
+      };
+    }, { annotations: READ_LOCAL }),
+    tool("scan_bookmarks", "Scan all browser bookmarks \u2014 hostnames only, no personal data (Chrome, Chromium, Edge, Brave, Vivaldi, Opera, Firefox)", {
+      minConfidence: z.number().min(0).max(1).default(0.5).optional()
+    }, async () => {
+      const hosts = await scanAllBookmarks();
+      return {
+        content: [{
+          type: "text",
+          text: JSON.stringify({
+            count: hosts.length,
+            hosts: hosts.map((h) => ({
+              hostname: h.hostname,
+              port: h.port,
+              protocol: h.protocol,
+              source: h.source
+            })),
+            note: "Hostnames only \u2014 no paths, no personal data. Classify each as a business tool (save_node) or ignore (social media, news, shopping)."
+          })
+        }]
+      };
+    }, { annotations: READ_SCAN }),
+    tool("scan_browser_history", "Scan browser history \u2014 anonymized hostnames + visit frequency. ALWAYS call ask_user for consent before using this tool.", {
+      minVisits: z.number().min(1).default(3).optional().describe("Minimum visit count to include a host (filters rarely-visited sites)")
+    }, async (args) => {
+      const minVisits = args["minVisits"] ?? 3;
+      const hosts = await scanAllHistory();
+      const filtered = hosts.filter((h) => h.visitCount >= minVisits);
+      return {
+        content: [{
+          type: "text",
+          text: JSON.stringify({
+            count: filtered.length,
+            note: "Anonymized \u2014 hostnames only, no URLs, no paths, no personal data. Classify business tools as saas_tool nodes.",
+            hosts: filtered.map((h) => ({
+              hostname: h.hostname,
+              visitCount: h.visitCount,
+              protocol: h.protocol,
+              source: h.source
+            }))
+          })
+        }]
+      };
+    }, { annotations: READ_SCAN }),
+    tool("scan_local_databases", "Scan for local database files and running DB servers \u2014 PostgreSQL databases, MySQL, SQLite files from installed apps", {
+      deep: z.boolean().default(false).optional().describe("Also search home directory recursively for SQLite/DB files (slower)")
+    }, async (args) => {
+      const deep = args["deep"] ?? false;
+      return runScannerTool(databasesScanner, deep ? "deep" : "");
+    }, { annotations: READ_SCAN }),
+    tool("scan_k8s_resources", "Scan Kubernetes cluster via kubectl \u2014 100% readonly (get, describe)", {
+      namespace: z.string().regex(SCAN_ARG_PATTERNS["k8s-namespace"], "invalid Kubernetes namespace").optional().describe("Filter by namespace \u2014 empty = all namespaces")
+    }, async (args) => {
+      const ns = args["namespace"];
+      if (ns) assertSafeScanArg("k8s-namespace", ns);
+      return runScannerTool(k8sScanner, ns ? `namespace=${ns}` : "");
+    }, { annotations: READ_SCAN }),
+    tool("scan_aws_resources", "Scan AWS infrastructure via AWS CLI \u2014 100% readonly (describe, list)", {
+      region: z.string().regex(SCAN_ARG_PATTERNS["aws-region"], "invalid AWS region").optional().describe("AWS Region \u2014 default: AWS_DEFAULT_REGION or profile"),
+      profile: z.string().regex(SCAN_ARG_PATTERNS["aws-profile"], "invalid AWS profile").optional().describe("AWS CLI profile")
+    }, async (args) => {
+      const region = args["region"];
+      const profile = args["profile"];
+      if (region) assertSafeScanArg("aws-region", region);
+      if (profile) assertSafeScanArg("aws-profile", profile);
+      const hint = [region ? `region=${region}` : "", profile ? `profile=${profile}` : ""].filter(Boolean).join(" ");
+      return runScannerTool(cloudAwsScanner, hint);
+    }, { annotations: READ_SCAN }),
+    tool("scan_gcp_resources", "Scan Google Cloud Platform via gcloud CLI \u2014 100% readonly (list, describe)", {
+      project: z.string().regex(SCAN_ARG_PATTERNS["gcp-project"], "invalid GCP project id").optional().describe("GCP Project ID \u2014 default: current gcloud project")
+    }, async (args) => {
+      const project = args["project"];
+      if (project) assertSafeScanArg("gcp-project", project);
+      return runScannerTool(cloudGcpScanner, project ? `project=${project}` : "");
+    }, { annotations: READ_SCAN }),
+    tool("scan_azure_resources", "Scan Azure infrastructure via az CLI \u2014 100% readonly (list, show)", {
+      subscription: z.string().regex(SCAN_ARG_PATTERNS["azure-subscription"], "invalid Azure subscription id").optional().describe("Azure Subscription ID"),
+      resourceGroup: z.string().regex(SCAN_ARG_PATTERNS["azure-resource-group"], "invalid Azure resource group").optional().describe("Filter by resource group")
+    }, async (args) => {
+      const sub = args["subscription"];
+      const rg = args["resourceGroup"];
+      if (sub) assertSafeScanArg("azure-subscription", sub);
+      if (rg) assertSafeScanArg("azure-resource-group", rg);
+      const hint = [sub ? `subscription=${sub}` : "", rg ? `resource-group=${rg}` : ""].filter(Boolean).join(" ");
+      return runScannerTool(cloudAzureScanner, hint);
+    }, { annotations: READ_SCAN }),
+    tool("scan_installed_apps", "Scan all installed apps and tools \u2014 IDEs, office, dev tools, business apps, databases", {
+      searchHint: z.string().optional().describe('Optional search term to find specific tools (e.g. "hubspot windsurf cursor")')
+    }, async (args) => {
+      const hint = args["searchHint"];
+      const results = {};
+      results["PLATFORM"] = `${PLATFORM} (${IS_WIN ? "Windows" : IS_MAC ? "macOS" : "Linux"})`;
+      if (IS_MAC) {
+        results["APPLICATIONS"] = run("ls /Applications/ 2>/dev/null | head -200") || "(empty)";
+        results["USER_APPLICATIONS"] = run("ls ~/Applications/ 2>/dev/null | head -100") || "(empty)";
+        results["BREW_CASKS"] = run("brew list --cask 2>/dev/null | head -100") || "(brew not installed)";
+        results["BREW_FORMULAE"] = run("brew list --formula 2>/dev/null | head -150") || "(brew not installed)";
+        results["SPOTLIGHT_APPS"] = run(`mdfind "kMDItemKind == 'Application'" 2>/dev/null | grep -v "^/System" | grep -v "^/Library/Apple" | head -100`) || "(Spotlight not available)";
+      } else if (IS_LINUX) {
+        results["DPKG"] = run("dpkg --list 2>/dev/null | awk '{print $2}' | head -200") || "(dpkg not available)";
+        results["SNAP"] = run("snap list 2>/dev/null | head -50") || "(snap not available)";
+        results["FLATPAK"] = run("flatpak list 2>/dev/null | head -50") || "(flatpak not available)";
+        results["DESKTOP_FILES"] = run("ls /usr/share/applications/*.desktop ~/.local/share/applications/*.desktop 2>/dev/null | xargs -I{} basename {} .desktop 2>/dev/null | head -100") || "(no .desktop files)";
+        results["RPM"] = run("rpm -qa 2>/dev/null | head -200") || "(rpm not available)";
+      } else if (IS_WIN) {
+        results["WINGET"] = run("winget list --accept-source-agreements", { timeout: 2e4 }) || "(winget not available)";
+        results["INSTALLED_PROGRAMS"] = scanWindowsPrograms() || "(registry scan failed)";
+        results["CHOCO"] = run("choco list --local-only", { timeout: 15e3 }) || "(chocolatey not installed)";
+        results["SCOOP"] = run("scoop list", { timeout: 15e3 }) || "(scoop not installed)";
+      }
+      const knownTools = [
+        // IDEs & Editors
+        "code",
+        "code-insiders",
+        "cursor",
+        "windsurf",
+        "zed",
+        "vim",
+        "nvim",
+        "emacs",
+        "nano",
+        "sublime_text",
+        "atom",
+        "idea",
+        "webstorm",
+        "pycharm",
+        "goland",
+        "datagrip",
+        "clion",
+        "rider",
+        "phpstorm",
+        "rubymine",
+        "appcode",
+        // Dev Tools
+        "git",
+        "gh",
+        "docker",
+        "docker-compose",
+        "podman",
+        "kubectl",
+        "helm",
+        "terraform",
+        "ansible",
+        "node",
+        "npm",
+        "npx",
+        "yarn",
+        "pnpm",
+        "bun",
+        "deno",
+        "python",
+        "python3",
+        "pip",
+        "pip3",
+        "pipenv",
+        "poetry",
+        "conda",
+        "ruby",
+        "gem",
+        "bundler",
+        "rails",
+        "java",
+        "mvn",
+        "gradle",
+        "kotlin",
+        "go",
+        "cargo",
+        "rustc",
+        "php",
+        "composer",
+        "dotnet",
+        // Databases
+        "psql",
+        "mysql",
+        "mysqladmin",
+        "mongo",
+        "mongosh",
+        "redis-cli",
+        "sqlite3",
+        "clickhouse-client",
+        // Cloud CLIs
+        "aws",
+        "gcloud",
+        "az",
+        "heroku",
+        "fly",
+        "vercel",
+        "netlify",
+        "wrangler",
+        // Infra
+        "vagrant",
+        "packer",
+        "consul",
+        "vault",
+        "nomad",
+        // Communication / SaaS
+        "slack",
+        "discord",
+        "zoom",
+        "teams",
+        "skype",
+        "telegram",
+        "signal",
+        // Browsers
+        "google-chrome",
+        "chromium",
+        "firefox",
+        "safari",
+        "brave",
+        "opera",
+        "edge",
+        // Windows-specific
+        ...IS_WIN ? ["pwsh", "powershell", "wsl", "winget", "choco", "scoop", "notepad++"] : [],
+        // Monitoring / Analytics
+        "datadog-agent",
+        "newrelic-agent",
+        "prometheus",
+        "grafana-cli",
+        // Other tools
+        "ngrok",
+        "stripe",
+        "supabase",
+        "neon"
+      ];
+      const found = [];
+      const notFound = [];
+      for (const t of knownTools) {
+        const r = commandExists(t);
+        if (r) found.push(`${t}: ${r}`);
+        else notFound.push(t);
+      }
+      results["TOOLS_FOUND"] = found.join("\n") || "(none found)";
+      results["TOOLS_NOT_FOUND"] = notFound.join(", ");
+      if (hint) {
+        const terms = hint.split(/[\s,]+/).filter(Boolean);
+        const hintResults = [];
+        for (const term of terms) {
+          const safe = term.replace(/[^a-zA-Z0-9._-]/g, "");
+          if (!safe) continue;
+          const cmdPath = commandExists(safe);
+          if (cmdPath) {
+            hintResults.push(`${term}: ${cmdPath}`);
+            continue;
+          }
+          let fallback = "";
+          if (IS_WIN) {
+            fallback = run(
+              `Get-ChildItem -Path 'C:\\Program Files','C:\\Program Files (x86)','${HOME}\\AppData\\Local\\Programs' -Recurse -Depth 3 -Filter '*${safe}*' -ErrorAction SilentlyContinue | Select-Object -First 5 -ExpandProperty FullName`,
+              { timeout: 1e4 }
+            );
+          } else if (IS_MAC) {
+            fallback = run(`mdfind -name "${safe}" 2>/dev/null | head -5`);
+          } else {
+            fallback = run(`find /usr/bin /usr/local/bin /opt/homebrew/bin ~/.local/bin /Applications ~/Applications 2>/dev/null -iname "*${safe}*" -maxdepth 3 2>/dev/null | head -5`);
+          }
+          hintResults.push(fallback ? `${term}: ${fallback}` : `${term}: (not found)`);
+        }
+        results["HINT_SEARCH"] = hintResults.join("\n");
+      }
+      const out = Object.entries(results).map(([k, v]) => `=== ${k} ===
+${v}`).join("\n\n");
+      return textResult(out);
+    }, { annotations: READ_SCAN })
+  ];
+  return tools;
+}
+async function buildCartographyToolDefinitions(db, sessionId, opts = {}) {
+  const { tool } = await import("@anthropic-ai/claude-agent-sdk");
+  const handlers = await buildCartographyToolHandlers(db, sessionId, opts);
+  return handlers.map(
+    (t) => tool(t.name, t.description, t.inputShape, t.handler, { annotations: t.annotations })
+  );
+}
+async function createCartographyTools(db, sessionId, opts = {}) {
+  const { createSdkMcpServer } = await import("@anthropic-ai/claude-agent-sdk");
+  const tools = await buildCartographyToolDefinitions(db, sessionId, opts);
+  return createSdkMcpServer({ name: "cartography", version: "0.1.0", tools });
+}
+// src/db.ts
+import Database from "better-sqlite3";
+import { mkdirSync } from "fs";
+import { dirname } from "path";
+import { createHash } from "crypto";
+import { z as z3 } from "zod";
+// src/compliance/types.ts
+import { z as z2 } from "zod";
+var NODE_TYPE_GROUP_KEYS = Object.keys(NODE_TYPE_GROUPS);
+var RuleScopeSchema = z2.object({
+  groups: z2.array(z2.enum(NODE_TYPE_GROUP_KEYS)).optional(),
+  types: z2.array(z2.enum(NODE_TYPES)).optional()
+});
+var FieldPathSchema = z2.enum([
+  "type",
+  "name",
+  "domain",
+  "subDomain",
+  "confidence",
+  "qualityScore",
+  "owner",
+  "tags",
+  "metadataKeys",
+  "metadataValues"
+]);
+var PATTERN_NAMES = ["dsn_with_credentials", "owner_key", "public_exposure"];
+var ConditionSchema = z2.object({
+  field: FieldPathSchema,
+  op: z2.enum(["present", "absent", "lt", "lte", "gt", "gte", "eq", "includes", "matches"]),
+  value: z2.union([z2.string(), z2.number()]).optional(),
+  pattern: z2.enum(PATTERN_NAMES).optional()
+});
+var RuleCheckSchema = z2.lazy(
+  () => z2.union([
+    ConditionSchema,
+    z2.object({ all: z2.array(RuleCheckSchema) }),
+    z2.object({ any: z2.array(RuleCheckSchema) }),
+    z2.object({ not: RuleCheckSchema })
+  ])
+);
+var SEVERITIES = ["critical", "high", "medium", "low"];
+var SeveritySchema = z2.enum(SEVERITIES);
+var SEVERITY_WEIGHT = { critical: 4, high: 3, medium: 2, low: 1 };
+var ComplianceRuleSchema = z2.object({
+  id: z2.string(),
+  control: z2.string().describe('External control id, e.g. "CIS-1.4"'),
+  framework: z2.enum(["CIS", "SOC2", "ISO27001", "baseline"]),
+  title: z2.string(),
+  severity: SeveritySchema,
+  rationale: z2.string(),
+  scope: RuleScopeSchema,
+  /**
+   * Optional applicability predicate (decision #7): a scoped node is only counted
+   * when this is absent or evaluates true — so a rule needing a signal that's absent
+   * everywhere becomes `not_applicable` rather than failing on sparse data.
+   */
+  applicableWhen: RuleCheckSchema.optional(),
+  check: RuleCheckSchema
+});
+var RulesetSchema = z2.object({
+  name: z2.string(),
+  version: z2.string(),
+  framework: z2.string(),
+  description: z2.string(),
+  rules: z2.array(ComplianceRuleSchema).min(1)
+}).superRefine((rs, ctx) => {
+  const seen = /* @__PURE__ */ new Set();
+  for (const r of rs.rules) {
+    if (seen.has(r.id)) ctx.addIssue({ code: "custom", message: `duplicate rule id: ${r.id}`, path: ["rules"] });
+    seen.add(r.id);
+  }
+});
+var ControlResultSchema = z2.object({
+  ruleId: z2.string(),
+  control: z2.string(),
+  framework: z2.string(),
+  severity: SeveritySchema,
+  status: z2.enum(["pass", "fail", "not_applicable"]),
+  applicableCount: z2.number().int(),
+  passedCount: z2.number().int(),
+  failingNodeIds: z2.array(z2.string())
+});
+var ComplianceReportSchema = z2.object({
+  rulesetName: z2.string(),
+  rulesetVersion: z2.string(),
+  generatedAt: z2.string(),
+  score: z2.number().min(0).max(100).nullable(),
+  status: z2.enum(["pass", "fail", "not_applicable"]),
+  totals: z2.object({
+    rules: z2.number(),
+    applicable: z2.number(),
+    passed: z2.number(),
+    failed: z2.number(),
+    notApplicable: z2.number()
+  }),
+  bySeverity: z2.record(SeveritySchema, z2.object({ passed: z2.number(), failed: z2.number() })),
+  controls: z2.array(ControlResultSchema),
+  gaps: z2.array(z2.object({
+    ruleId: z2.string(),
+    control: z2.string(),
+    severity: SeveritySchema,
+    title: z2.string(),
+    nodeIds: z2.array(z2.string())
+  }))
+});
+// src/compliance/engine.ts
+var OWNER_KEY_RE = /^(owner|team|maintainer|contact|owned[-_]?by)$/i;
+var PUBLIC_EXPOSURE_RE = /(^|[^0-9])0\.0\.0\.0(\/0)?|public|internet|exposed/i;
+function readField(node, field) {
+  switch (field) {
+    case "type":
+      return node.type;
+    case "name":
+      return node.name;
+    case "domain":
+      return node.domain;
+    case "subDomain":
+      return node.subDomain;
+    case "confidence":
+      return node.confidence;
+    case "qualityScore":
+      return node.qualityScore;
+    case "owner":
+      return node.owner;
+    case "tags":
+      return node.tags;
+    case "metadataKeys":
+      return Object.keys(node.metadata ?? {});
+    case "metadataValues":
+      return Object.values(node.metadata ?? {}).map((v) => typeof v === "string" ? v : JSON.stringify(v));
+  }
+}
+function isPresent(value) {
+  if (value === void 0 || value === null) return false;
+  if (Array.isArray(value)) return value.length > 0;
+  if (typeof value === "string") return value.length > 0;
+  return true;
+}
+function matchesPattern(value, pattern) {
+  const test = (s) => {
+    switch (pattern) {
+      case "dsn_with_credentials":
+        return redactSecrets(s) !== s;
+      // a credential was present
+      case "owner_key":
+        return OWNER_KEY_RE.test(s);
+      case "public_exposure":
+        return PUBLIC_EXPOSURE_RE.test(s);
+    }
+  };
+  if (Array.isArray(value)) return value.some((v) => typeof v === "string" && test(v));
+  return typeof value === "string" && test(value);
+}
+function evaluateCondition(node, cond) {
+  const v = readField(node, cond.field);
+  switch (cond.op) {
+    case "present":
+      return isPresent(v);
+    case "absent":
+      return !isPresent(v);
+    case "lt":
+      return typeof v === "number" && typeof cond.value === "number" && v < cond.value;
+    case "lte":
+      return typeof v === "number" && typeof cond.value === "number" && v <= cond.value;
+    case "gt":
+      return typeof v === "number" && typeof cond.value === "number" && v > cond.value;
+    case "gte":
+      return typeof v === "number" && typeof cond.value === "number" && v >= cond.value;
+    case "eq":
+      return v === cond.value;
+    case "includes":
+      return Array.isArray(v) && cond.value !== void 0 && v.includes(cond.value);
+    case "matches":
+      return cond.pattern !== void 0 && matchesPattern(v, cond.pattern);
+  }
+}
+function evaluateCheck(node, check) {
+  if ("all" in check) return check.all.every((c) => evaluateCheck(node, c));
+  if ("any" in check) return check.any.some((c) => evaluateCheck(node, c));
+  if ("not" in check) return !evaluateCheck(node, check.not);
+  return evaluateCondition(node, check);
+}
+function scopedTypes(rule) {
+  const { groups, types } = rule.scope;
+  if ((!groups || groups.length === 0) && (!types || types.length === 0)) return null;
+  const out = /* @__PURE__ */ new Set();
+  for (const g of groups ?? []) for (const t of NODE_TYPE_GROUPS[g]) out.add(t);
+  for (const t of types ?? []) out.add(t);
+  return out;
+}
+function applicableNodes(nodes, rule) {
+  const types = scopedTypes(rule);
+  return nodes.filter(
+    (n) => (types === null || types.has(n.type)) && (rule.applicableWhen === void 0 || evaluateCheck(n, rule.applicableWhen))
+  );
+}
+function evaluateRule(input, rule) {
+  const applicable = applicableNodes(input.nodes, rule);
+  const base = { ruleId: rule.id, control: rule.control, framework: rule.framework, severity: rule.severity };
+  if (applicable.length === 0) {
+    return { ...base, status: "not_applicable", applicableCount: 0, passedCount: 0, failingNodeIds: [] };
+  }
+  const failingNodeIds = applicable.filter((n) => !evaluateCheck(n, rule.check)).map((n) => n.id).sort();
+  return {
+    ...base,
+    status: failingNodeIds.length === 0 ? "pass" : "fail",
+    applicableCount: applicable.length,
+    passedCount: applicable.length - failingNodeIds.length,
+    failingNodeIds
+  };
+}
+function scoreTopology(input, ruleset, opts) {
+  const nodes = [...input.nodes].sort((a, b) => a.id < b.id ? -1 : a.id > b.id ? 1 : 0);
+  const rules = [...ruleset.rules].sort((a, b) => a.id < b.id ? -1 : a.id > b.id ? 1 : 0);
+  const controls = rules.map((r) => evaluateRule({ nodes, edges: input.edges }, r));
+  const bySeverity = Object.fromEntries(SEVERITIES.map((s) => [s, { passed: 0, failed: 0 }]));
+  let applicable = 0, passed = 0, failed = 0, notApplicable = 0;
+  let weightTotal = 0, weightPassed = 0;
+  const gaps = [];
+  for (const c of controls) {
+    const w = SEVERITY_WEIGHT[c.severity];
+    if (c.status === "not_applicable") {
+      notApplicable++;
+      continue;
+    }
+    applicable++;
+    weightTotal += w;
+    if (c.status === "pass") {
+      passed++;
+      weightPassed += w;
+      bySeverity[c.severity].passed++;
+    } else {
+      failed++;
+      bySeverity[c.severity].failed++;
+      const rule = rules.find((r) => r.id === c.ruleId);
+      gaps.push({ ruleId: c.ruleId, control: c.control, severity: c.severity, title: rule.title, nodeIds: c.failingNodeIds });
+    }
+  }
+  const score = applicable === 0 ? null : Math.round(100 * weightPassed / weightTotal);
+  const status = applicable === 0 ? "not_applicable" : failed === 0 ? "pass" : "fail";
+  return {
+    rulesetName: ruleset.name,
+    rulesetVersion: ruleset.version,
+    generatedAt: opts?.now ?? (/* @__PURE__ */ new Date()).toISOString(),
+    score,
+    status,
+    totals: { rules: rules.length, applicable, passed, failed, notApplicable },
+    bySeverity,
+    controls,
+    gaps
+  };
+}
+// src/diff.ts
+var edgeKey = (e) => `${e.sourceId}\0${e.targetId}\0${e.relationship}`;
+function stableStringify(value) {
+  if (value === null || typeof value !== "object") return JSON.stringify(value) ?? "null";
+  if (Array.isArray(value)) return `[${value.map(stableStringify).join(",")}]`;
+  const keys = Object.keys(value).sort();
+  return `{${keys.map((k) => `${JSON.stringify(k)}:${stableStringify(value[k])}`).join(",")}}`;
+}
+function driftedFields(a, b) {
+  const changed = [];
+  for (const f of DRIFT_FIELDS) {
+    if (f === "tags") {
+      if ([...a.tags].sort().join("\0") !== [...b.tags].sort().join("\0")) changed.push(f);
+    } else if (f === "metadata" || f === "cost") {
+      if (stableStringify(a[f]) !== stableStringify(b[f])) changed.push(f);
+    } else if (a[f] !== b[f]) {
+      changed.push(f);
+    }
+  }
+  return changed;
+}
+function diffTopology(base, current) {
+  const baseNodes = new Map(base.nodes.map((n) => [n.id, n]));
+  const curNodes = new Map(current.nodes.map((n) => [n.id, n]));
+  const added = [];
+  const removed = [];
+  const changed = [];
+  let unchangedNodes = 0;
+  for (const [id, after] of curNodes) {
+    const before = baseNodes.get(id);
+    if (!before) {
+      added.push(after);
+      continue;
+    }
+    const fields = driftedFields(before, after);
+    if (fields.length > 0) {
+      changed.push({ id, before, after, changedFields: fields, confidenceDelta: after.confidence - before.confidence });
+    } else {
+      unchangedNodes++;
+    }
+  }
+  for (const [id, before] of baseNodes) {
+    if (!curNodes.has(id)) removed.push(before);
+  }
+  const baseEdges = new Map(base.edges.map((e) => [edgeKey(e), e]));
+  const curEdges = new Map(current.edges.map((e) => [edgeKey(e), e]));
+  const edgesAdded = [];
+  const edgesRemoved = [];
+  let unchangedEdges = 0;
+  for (const [k, e] of curEdges) {
+    if (baseEdges.has(k)) unchangedEdges++;
+    else edgesAdded.push(e);
+  }
+  for (const [k, e] of baseEdges) {
+    if (!curEdges.has(k)) edgesRemoved.push(e);
+  }
+  return {
+    nodes: { added, removed, changed, unchanged: unchangedNodes },
+    edges: { added: edgesAdded, removed: edgesRemoved, unchanged: unchangedEdges },
+    summary: {
+      nodesAdded: added.length,
+      nodesRemoved: removed.length,
+      nodesChanged: changed.length,
+      edgesAdded: edgesAdded.length,
+      edgesRemoved: edgesRemoved.length
+    }
+  };
+}
+// src/anomaly.ts
+var MANAGED_TYPES = new Set(Object.values(NODE_TYPE_GROUPS).flat());
+function hasNoDomain(n) {
+  return n.domain == null || n.domain === "" || n.domain === "(none)";
+}
+function detectOrphans(nodes, degree, thresholds = DEFAULT_ANOMALY_THRESHOLDS) {
+  const out = [];
+  for (const n of nodes) {
+    const d = degree.get(n.id) ?? 0;
+    if (d === 0) {
+      out.push({ nodeId: n.id, kind: "orphan", severity: "high", reason: "zero-degree node (no edges)" });
+    } else if (d <= thresholds.orphanWeakDegree) {
+      out.push({ nodeId: n.id, kind: "orphan", severity: "low", reason: `weakly-connected node (degree ${d})` });
+    }
+  }
+  return out;
+}
+function detectShadowIt(nodes, thresholds = DEFAULT_ANOMALY_THRESHOLDS) {
+  const out = [];
+  for (const n of nodes) {
+    if (!MANAGED_TYPES.has(n.type)) {
+      out.push({ nodeId: n.id, kind: "shadow-it", severity: "medium", reason: `unmanaged node type "${n.type}"` });
+      continue;
+    }
+    if (hasNoDomain(n)) {
+      const lowConf = n.confidence < thresholds.shadowConfidence;
+      const lowQual = n.qualityScore != null && n.qualityScore < thresholds.shadowQuality;
+      if (lowConf || lowQual) {
+        const sev = lowConf && lowQual ? "high" : "medium";
+        const parts = [];
+        if (lowConf) parts.push(`low confidence ${n.confidence.toFixed(2)}`);
+        if (lowQual) parts.push(`low quality ${n.qualityScore}`);
+        out.push({ nodeId: n.id, kind: "shadow-it", severity: sev, reason: `${parts.join(" and ")} with no business domain` });
+      }
+    }
+  }
+  return out;
+}
+function detectAnomalies(nodes, degree, thresholds = DEFAULT_ANOMALY_THRESHOLDS) {
+  return [...detectOrphans(nodes, degree, thresholds), ...detectShadowIt(nodes, thresholds)].sort((a, b) => a.nodeId.localeCompare(b.nodeId) || a.kind.localeCompare(b.kind));
+}
+function newAnomalies(base, current) {
+  const seen = new Set(base.map((a) => `${a.nodeId}|${a.kind}`));
+  return current.filter((a) => !seen.has(`${a.nodeId}|${a.kind}`));
+}
+// src/db.ts
+var DEFAULT_TENANT = "local";
+function normalizeTenant(raw) {
+  if (raw == null) return DEFAULT_TENANT;
+  const cleaned = sanitizeUntrusted(String(raw)).trim().slice(0, 128);
+  return /^[\w.@:+-]{1,128}$/.test(cleaned) ? cleaned : DEFAULT_TENANT;
+}
+var DEFAULT_PORTS = /:(80|443)$/;
+function normalizeId(id) {
+  return id.trim().toLowerCase().replace(/\s+/g, " ").replace(DEFAULT_PORTS, "");
+}
+var KEY_META_KEYS = ["host", "port", "path", "url"];
+function keyMetaOf(metadata) {
+  const out = {};
+  for (const k of KEY_META_KEYS) {
+    if (metadata[k] != null) out[k] = metadata[k];
+  }
+  return out;
+}
+function contentHash(type, name, keyMeta) {
+  const ordered = Object.keys(keyMeta).sort().map((k) => `${k}=${String(keyMeta[k])}`).join("|");
+  const payload = `${type}\u241E${name.trim().toLowerCase()}\u241E${ordered}`;
+  return createHash("sha256").update(payload).digest("hex").slice(0, 32);
+}
+function globalId(organization, id) {
+  const org = organization && organization.trim() ? organization.trim() : "_";
+  return `${org}:${normalizeId(id)}`;
+}
+function safeJsonParse(raw, fallback) {
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return fallback;
+  }
+}
+var SessionRowSchema = z3.object({
+  id: z3.string(),
+  mode: z3.literal("discover"),
+  started_at: z3.string(),
+  completed_at: z3.string().nullable().optional(),
+  config: z3.string(),
+  name: z3.string().nullable().optional(),
+  tenant: z3.string().default(DEFAULT_TENANT),
+  hostname: z3.string().nullable().optional(),
+  user: z3.string().nullable().optional(),
+  machine_id: z3.string().nullable().optional(),
+  organization: z3.string().nullable().optional(),
+  last_scanned_at: z3.string().nullable().optional()
+});
+var NodeRowSchema = z3.object({
+  id: z3.string(),
+  session_id: z3.string(),
+  type: z3.enum(NODE_TYPES),
+  name: z3.string(),
+  discovered_via: z3.string().nullable().optional(),
+  discovered_at: z3.string(),
+  path_id: z3.string().nullable().optional(),
+  depth: z3.number().default(0),
+  confidence: z3.number().default(0.5),
+  metadata: z3.string().default("{}"),
+  tags: z3.string().default("[]"),
+  domain: z3.string().nullable().optional(),
+  sub_domain: z3.string().nullable().optional(),
+  quality_score: z3.number().nullable().optional(),
+  owner: z3.string().nullable().optional(),
+  cost: z3.string().nullable().optional(),
+  global_id: z3.string().nullable().optional(),
+  content_hash: z3.string().nullable().optional()
+});
+var ContributorRowSchema = z3.object({
+  global_id: z3.string(),
+  machine_id: z3.string(),
+  hostname: z3.string(),
+  user: z3.string(),
+  organization: z3.string().nullable().optional(),
+  at: z3.string(),
+  confidence: z3.number().default(0.5)
+});
+var DriftRunRowSchema = z3.object({
+  id: z3.string(),
+  session_id: z3.string(),
+  base_session_id: z3.string().nullable().optional(),
+  ran_at: z3.string(),
+  nodes_added: z3.number(),
+  nodes_removed: z3.number(),
+  nodes_changed: z3.number(),
+  edges_added: z3.number(),
+  edges_removed: z3.number(),
+  delta: z3.string()
+});
+var EdgeRowSchema = z3.object({
+  id: z3.string(),
+  session_id: z3.string(),
+  source_id: z3.string(),
+  target_id: z3.string(),
+  relationship: z3.enum(EDGE_RELATIONSHIPS),
+  evidence: z3.string().nullable().optional(),
+  confidence: z3.number().default(0.5),
+  discovered_at: z3.string()
+});
+var PendingShareRowSchema = z3.object({
+  content_hash: z3.string(),
+  session_id: z3.string(),
+  node_id: z3.string().nullable().optional(),
+  kind: z3.enum(["node", "edge"]),
+  payload: z3.string(),
+  status: z3.enum(["pending", "approved", "shared", "withheld"]),
+  decided_by: z3.enum(["user", "rule"]).nullable().optional(),
+  created_at: z3.string(),
+  decided_at: z3.string().nullable().optional(),
+  shared_at: z3.string().nullable().optional()
+});
+var EventRowSchema = z3.object({
+  id: z3.string(),
+  session_id: z3.string(),
+  task_id: z3.string().nullable().optional(),
+  timestamp: z3.string(),
+  event_type: z3.string(),
+  process: z3.string(),
+  pid: z3.number(),
+  target: z3.string().nullable().optional(),
+  target_type: z3.string().nullable().optional(),
+  port: z3.number().nullable().optional(),
+  duration_ms: z3.number().nullable().optional(),
+  command: z3.string().nullable().optional(),
+  result_bytes: z3.number().nullable().optional()
+});
+var TaskRowSchema = z3.object({
+  id: z3.string(),
+  session_id: z3.string(),
+  description: z3.string().nullable().optional(),
+  started_at: z3.string(),
+  completed_at: z3.string().nullable().optional(),
+  steps: z3.string().default("[]"),
+  involved_services: z3.string().default("[]"),
+  status: z3.enum(["active", "completed", "cancelled"])
+});
+var WorkflowRowSchema = z3.object({
+  id: z3.string(),
+  session_id: z3.string(),
+  name: z3.string().nullable().optional(),
+  pattern: z3.string(),
+  task_ids: z3.string().default("[]"),
+  occurrences: z3.number().default(1),
+  first_seen: z3.string(),
+  last_seen: z3.string(),
+  avg_duration_ms: z3.number().nullable().optional(),
+  involved_services: z3.string().default("[]")
+});
+var ConnectionRowSchema = z3.object({
+  id: z3.string(),
+  session_id: z3.string(),
+  source_asset_id: z3.string(),
+  target_asset_id: z3.string(),
+  type: z3.string().nullable().optional(),
+  created_at: z3.string()
+});
+function typeGroup(type) {
+  for (const [group, types] of Object.entries(NODE_TYPE_GROUPS)) {
+    if (types.includes(type)) return group;
+  }
+  return "other";
+}
+function deriveSessionName(summary, startedAt) {
+  const date = startedAt.slice(0, 10);
+  const count = summary.totals.nodes;
+  if (count === 0) return `empty \xB7 0 nodes \xB7 ${date}`;
+  const byGroup = /* @__PURE__ */ new Map();
+  for (const [type, n] of Object.entries(summary.nodesByType)) {
+    const g = typeGroup(type);
+    byGroup.set(g, (byGroup.get(g) ?? 0) + n);
+  }
+  const topGroups = [...byGroup.entries()].sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0])).slice(0, 2).map(([g]) => g);
+  const noun = count === 1 ? "node" : "nodes";
+  return `${topGroups.join("+")} \xB7 ${count} ${noun} \xB7 ${date}`;
+}
+var SCHEMA = `
+PRAGMA journal_mode = WAL;
+PRAGMA foreign_keys = ON;
+PRAGMA busy_timeout = 5000;
+CREATE TABLE IF NOT EXISTS sessions (
+  id TEXT PRIMARY KEY,
+  mode TEXT NOT NULL CHECK (mode IN ('discover')),
+  started_at TEXT NOT NULL,
+  completed_at TEXT,
+  config TEXT NOT NULL DEFAULT '{}',
+  name TEXT,
+  tenant TEXT NOT NULL DEFAULT 'local',
+  hostname TEXT,
+  user TEXT,
+  machine_id TEXT,
+  organization TEXT,
+  last_scanned_at TEXT
+);
+CREATE TABLE IF NOT EXISTS nodes (
+  id TEXT NOT NULL,
+  session_id TEXT NOT NULL REFERENCES sessions(id),
+  type TEXT NOT NULL,
+  name TEXT NOT NULL,
+  discovered_via TEXT,
+  discovered_at TEXT NOT NULL,
+  path_id TEXT,
+  depth INTEGER DEFAULT 0,
+  confidence REAL DEFAULT 0.5,
+  metadata TEXT NOT NULL DEFAULT '{}',
+  tags TEXT NOT NULL DEFAULT '[]',
+  domain TEXT,
+  sub_domain TEXT,
+  quality_score REAL,
+  owner TEXT,
+  cost TEXT,
+  tenant TEXT NOT NULL DEFAULT 'local',
+  global_id TEXT,
+  content_hash TEXT,
+  PRIMARY KEY (id, session_id)
+);
+CREATE TABLE IF NOT EXISTS connections (
+  id TEXT PRIMARY KEY,
+  session_id TEXT NOT NULL REFERENCES sessions(id),
+  source_asset_id TEXT NOT NULL,
+  target_asset_id TEXT NOT NULL,
+  type TEXT,
+  created_at TEXT NOT NULL,
+  tenant TEXT NOT NULL DEFAULT 'local'
+);
+CREATE TABLE IF NOT EXISTS edges (
+  id TEXT PRIMARY KEY,
+  session_id TEXT NOT NULL REFERENCES sessions(id),
+  source_id TEXT NOT NULL,
+  target_id TEXT NOT NULL,
+  relationship TEXT NOT NULL,
+  evidence TEXT,
+  confidence REAL DEFAULT 0.5,
+  discovered_at TEXT NOT NULL,
+  tenant TEXT NOT NULL DEFAULT 'local'
+);
+CREATE TABLE IF NOT EXISTS activity_events (
+  id TEXT PRIMARY KEY,
+  session_id TEXT NOT NULL REFERENCES sessions(id),
+  task_id TEXT,
+  timestamp TEXT NOT NULL,
+  event_type TEXT NOT NULL,
+  process TEXT NOT NULL,
+  pid INTEGER NOT NULL,
+  target TEXT,
+  target_type TEXT,
+  port INTEGER,
+  duration_ms INTEGER,
+  command TEXT,
+  result_bytes INTEGER,
+  tenant TEXT NOT NULL DEFAULT 'local'
+);
+CREATE TABLE IF NOT EXISTS tasks (
+  id TEXT PRIMARY KEY,
+  session_id TEXT NOT NULL REFERENCES sessions(id),
+  description TEXT,
+  started_at TEXT NOT NULL,
+  completed_at TEXT,
+  steps TEXT NOT NULL DEFAULT '[]',
+  involved_services TEXT NOT NULL DEFAULT '[]',
+  status TEXT DEFAULT 'active' CHECK (status IN ('active','completed','cancelled')),
+  tenant TEXT NOT NULL DEFAULT 'local'
+);
+CREATE TABLE IF NOT EXISTS workflows (
+  id TEXT PRIMARY KEY,
+  session_id TEXT NOT NULL REFERENCES sessions(id),
+  name TEXT,
+  pattern TEXT NOT NULL,
+  task_ids TEXT NOT NULL DEFAULT '[]',
+  occurrences INTEGER DEFAULT 1,
+  first_seen TEXT NOT NULL,
+  last_seen TEXT NOT NULL,
+  avg_duration_ms INTEGER,
+  involved_services TEXT NOT NULL DEFAULT '[]',
+  tenant TEXT NOT NULL DEFAULT 'local'
+);
+CREATE TABLE IF NOT EXISTS node_approvals (
+  pattern TEXT PRIMARY KEY,
+  action TEXT NOT NULL CHECK (action IN ('save','ignore','auto')),
+  created_at TEXT NOT NULL
+);
+CREATE TABLE IF NOT EXISTS sharing_policy (
+  pattern    TEXT PRIMARY KEY,                              -- '*' row holds the global default
+  level      TEXT NOT NULL CHECK (level IN ('none','anonymized','full')),
+  created_at TEXT NOT NULL
+);
+CREATE TABLE IF NOT EXISTS pseudonym_reversal (
+  token      TEXT PRIMARY KEY,
+  ciphertext TEXT NOT NULL,                                 -- base64(iv \u2016 tag \u2016 AES-256-GCM(plaintext)) under reversalKey(orgKey)
+  created_at TEXT NOT NULL
+);
+CREATE TABLE IF NOT EXISTS pending_shares (
+  content_hash TEXT PRIMARY KEY,                            -- sha256 over the policy-transformed payload (stable dedup key)
+  session_id   TEXT NOT NULL REFERENCES sessions(id),
+  node_id      TEXT,                                        -- original node id (NULL for edge rows)
+  kind         TEXT NOT NULL CHECK (kind IN ('node','edge')),
+  payload      TEXT NOT NULL,                               -- JSON of the already-anonymized projection (exactly what would leave)
+  status       TEXT NOT NULL CHECK (status IN ('pending','approved','shared','withheld')),
+  decided_by   TEXT CHECK (decided_by IN ('user','rule')),
+  created_at   TEXT NOT NULL,
+  decided_at   TEXT,
+  shared_at    TEXT
+);
+CREATE TABLE IF NOT EXISTS node_contributors (
+  global_id TEXT NOT NULL,
+  machine_id TEXT NOT NULL,
+  hostname TEXT NOT NULL,
+  user TEXT NOT NULL,
+  organization TEXT,
+  at TEXT NOT NULL,
+  confidence REAL NOT NULL DEFAULT 0.5,
+  PRIMARY KEY (global_id, machine_id)
+);
+CREATE TABLE IF NOT EXISTS drift_runs (
+  id TEXT PRIMARY KEY,
+  session_id TEXT NOT NULL REFERENCES sessions(id),
+  base_session_id TEXT,
+  ran_at TEXT NOT NULL,
+  nodes_added INTEGER NOT NULL,
+  nodes_removed INTEGER NOT NULL,
+  nodes_changed INTEGER NOT NULL,
+  edges_added INTEGER NOT NULL,
+  edges_removed INTEGER NOT NULL,
+  delta TEXT NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_nodes_session ON nodes(session_id);
+CREATE INDEX IF NOT EXISTS idx_nodes_type ON nodes(session_id, type);
+CREATE INDEX IF NOT EXISTS idx_edges_session ON edges(session_id);
+CREATE INDEX IF NOT EXISTS idx_edges_source ON edges(session_id, source_id);
+CREATE INDEX IF NOT EXISTS idx_edges_target ON edges(session_id, target_id);
+CREATE INDEX IF NOT EXISTS idx_events_session ON activity_events(session_id);
+CREATE INDEX IF NOT EXISTS idx_events_task ON activity_events(task_id);
+CREATE INDEX IF NOT EXISTS idx_tasks_session ON tasks(session_id);
+CREATE INDEX IF NOT EXISTS idx_connections_session ON connections(session_id);
+CREATE INDEX IF NOT EXISTS idx_connections_lookup ON connections(session_id, source_asset_id, target_asset_id);
+CREATE INDEX IF NOT EXISTS idx_sessions_tenant ON sessions(tenant);
+CREATE INDEX IF NOT EXISTS idx_nodes_tenant_session ON nodes(tenant, session_id);
+CREATE INDEX IF NOT EXISTS idx_edges_tenant_session ON edges(tenant, session_id);
+CREATE INDEX IF NOT EXISTS idx_nodes_global ON nodes(global_id);
+CREATE INDEX IF NOT EXISTS idx_nodes_content ON nodes(content_hash);
+CREATE INDEX IF NOT EXISTS idx_contrib_global ON node_contributors(global_id);
+CREATE INDEX IF NOT EXISTS idx_drift_runs_session ON drift_runs(session_id);
+CREATE INDEX IF NOT EXISTS idx_drift_runs_ran_at ON drift_runs(ran_at);
+CREATE INDEX IF NOT EXISTS idx_pending_status ON pending_shares(status);
+CREATE INDEX IF NOT EXISTS idx_pending_session ON pending_shares(session_id);
+CREATE INDEX IF NOT EXISTS idx_nodes_tenant_global ON nodes(tenant, global_id);
+CREATE INDEX IF NOT EXISTS idx_nodes_tenant_content ON nodes(tenant, content_hash);
+CREATE INDEX IF NOT EXISTS idx_contrib_org ON node_contributors(organization, global_id);
+CREATE INDEX IF NOT EXISTS idx_nodes_owner ON nodes(session_id, owner);
+`;
+var CartographyDB = class {
+  db;
+  /** 3.6 anomaly settings; defaults apply when no `anomaly` config is supplied. */
+  anomalyEnabled;
+  anomalyThresholds;
+  constructor(dbPath, opts) {
+    mkdirSync(dirname(dbPath), { recursive: true });
+    this.db = new Database(dbPath);
+    this.db.pragma("journal_mode = WAL");
+    this.db.pragma("foreign_keys = ON");
+    this.db.pragma("busy_timeout = 5000");
+    this.anomalyEnabled = opts?.anomaly?.enabled ?? true;
+    this.anomalyThresholds = opts?.anomaly ?? DEFAULT_ANOMALY_THRESHOLDS;
+    this.migrate();
+  }
+  migrate() {
+    const version = this.db.pragma("user_version", { simple: true });
+    if (version === 0) {
+      this.db.exec(SCHEMA);
+      this.db.pragma("user_version = 14");
+      return;
+    } else if (version === 1) {
+      const cols = this.db.prepare("PRAGMA table_info(nodes)").all().map((c) => c.name);
+      if (!cols.includes("domain")) this.db.exec("ALTER TABLE nodes ADD COLUMN domain TEXT");
+      if (!cols.includes("sub_domain")) this.db.exec("ALTER TABLE nodes ADD COLUMN sub_domain TEXT");
+      if (!cols.includes("quality_score")) this.db.exec("ALTER TABLE nodes ADD COLUMN quality_score REAL");
+      this.db.exec(`
+        CREATE TABLE IF NOT EXISTS connections (
+          id TEXT PRIMARY KEY,
+          session_id TEXT NOT NULL REFERENCES sessions(id),
+          source_asset_id TEXT NOT NULL,
+          target_asset_id TEXT NOT NULL,
+          type TEXT,
+          created_at TEXT NOT NULL
+        );
+        CREATE INDEX IF NOT EXISTS idx_connections_session ON connections(session_id);
+        CREATE INDEX IF NOT EXISTS idx_connections_lookup ON connections(session_id, source_asset_id, target_asset_id);
+      `);
+      this.db.pragma("user_version = 3");
+    }
+    if (version === 2) {
+      this.db.exec("CREATE INDEX IF NOT EXISTS idx_connections_lookup ON connections(session_id, source_asset_id, target_asset_id)");
+      this.db.pragma("user_version = 3");
+    }
+    const current = this.db.pragma("user_version", { simple: true });
+    if (current < 4) {
+      this.db.exec(`
+        CREATE INDEX IF NOT EXISTS idx_nodes_type ON nodes(session_id, type);
+        CREATE INDEX IF NOT EXISTS idx_edges_source ON edges(session_id, source_id);
+        CREATE INDEX IF NOT EXISTS idx_edges_target ON edges(session_id, target_id);
+      `);
+      this.db.pragma("user_version = 4");
+    }
+    const v4 = this.db.pragma("user_version", { simple: true });
+    if (v4 < 5) {
+      const cols = this.db.prepare("PRAGMA table_info(sessions)").all().map((c) => c.name);
+      if (!cols.includes("name")) this.db.exec("ALTER TABLE sessions ADD COLUMN name TEXT");
+      this.db.pragma("user_version = 5");
+    }
+    const v5 = this.db.pragma("user_version", { simple: true });
+    if (v5 < 6) {
+      const cols = this.db.prepare("PRAGMA table_info(activity_events)").all().map((c) => c.name);
+      if (!cols.includes("command")) this.db.exec("ALTER TABLE activity_events ADD COLUMN command TEXT");
+      if (!cols.includes("result_bytes")) this.db.exec("ALTER TABLE activity_events ADD COLUMN result_bytes INTEGER");
+      this.db.pragma("user_version = 6");
+    }
+    const v6 = this.db.pragma("user_version", { simple: true });
+    if (v6 < 7) {
+      const tables = ["sessions", "nodes", "edges", "connections", "activity_events", "tasks", "workflows"];
+      for (const t of tables) {
+        const cols = this.db.prepare(`PRAGMA table_info(${t})`).all().map((c) => c.name);
+        if (cols.length > 0 && !cols.includes("tenant")) {
+          this.db.exec(`ALTER TABLE ${t} ADD COLUMN tenant TEXT NOT NULL DEFAULT '${DEFAULT_TENANT}'`);
+        }
+      }
+      const hasTable = (name) => this.db.prepare(`PRAGMA table_info(${name})`).all().length > 0;
+      if (hasTable("sessions")) this.db.exec("CREATE INDEX IF NOT EXISTS idx_sessions_tenant ON sessions(tenant)");
+      if (hasTable("nodes")) this.db.exec("CREATE INDEX IF NOT EXISTS idx_nodes_tenant_session ON nodes(tenant, session_id)");
+      if (hasTable("edges")) this.db.exec("CREATE INDEX IF NOT EXISTS idx_edges_tenant_session ON edges(tenant, session_id)");
+      this.db.pragma("user_version = 7");
+    }
+    const v7 = this.db.pragma("user_version", { simple: true });
+    if (v7 < 8) {
+      const sc = this.db.prepare("PRAGMA table_info(sessions)").all().map((c) => c.name);
+      if (sc.length > 0) {
+        for (const col of ["hostname", "user", "machine_id", "organization"]) {
+          if (!sc.includes(col)) this.db.exec(`ALTER TABLE sessions ADD COLUMN ${col} TEXT`);
+        }
+      }
+      const nc = this.db.prepare("PRAGMA table_info(nodes)").all().map((c) => c.name);
+      if (nc.length > 0) {
+        if (!nc.includes("global_id")) this.db.exec("ALTER TABLE nodes ADD COLUMN global_id TEXT");
+        if (!nc.includes("content_hash")) this.db.exec("ALTER TABLE nodes ADD COLUMN content_hash TEXT");
+      }
+      this.db.exec(`
+        CREATE TABLE IF NOT EXISTS node_contributors (
+          global_id TEXT NOT NULL,
+          machine_id TEXT NOT NULL,
+          hostname TEXT NOT NULL,
+          user TEXT NOT NULL,
+          organization TEXT,
+          at TEXT NOT NULL,
+          confidence REAL NOT NULL DEFAULT 0.5,
+          PRIMARY KEY (global_id, machine_id)
+        );
+        CREATE INDEX IF NOT EXISTS idx_contrib_global ON node_contributors(global_id);
+      `);
+      if (nc.length > 0) {
+        this.db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_nodes_global ON nodes(global_id);
+          CREATE INDEX IF NOT EXISTS idx_nodes_content ON nodes(content_hash);
+        `);
+      }
+      this.db.pragma("user_version = 8");
+    }
+    const v8 = this.db.pragma("user_version", { simple: true });
+    if (v8 < 9) {
+      const sc = this.db.prepare("PRAGMA table_info(sessions)").all().map((c) => c.name);
+      if (sc.length > 0 && !sc.includes("last_scanned_at")) {
+        this.db.exec("ALTER TABLE sessions ADD COLUMN last_scanned_at TEXT");
+      }
+      this.db.pragma("user_version = 9");
+    }
+    const v9 = this.db.pragma("user_version", { simple: true });
+    if (v9 < 10) {
+      this.db.exec(`
+        CREATE TABLE IF NOT EXISTS drift_runs (
+          id TEXT PRIMARY KEY,
+          session_id TEXT NOT NULL REFERENCES sessions(id),
+          base_session_id TEXT,
+          ran_at TEXT NOT NULL,
+          nodes_added INTEGER NOT NULL,
+          nodes_removed INTEGER NOT NULL,
+          nodes_changed INTEGER NOT NULL,
+          edges_added INTEGER NOT NULL,
+          edges_removed INTEGER NOT NULL,
+          delta TEXT NOT NULL
+        );
+        CREATE INDEX IF NOT EXISTS idx_drift_runs_session ON drift_runs(session_id);
+        CREATE INDEX IF NOT EXISTS idx_drift_runs_ran_at ON drift_runs(ran_at);
+      `);
+      this.db.pragma("user_version = 10");
+    }
+    const v10 = this.db.pragma("user_version", { simple: true });
+    if (v10 < 11) {
+      this.db.exec(`
+        CREATE TABLE IF NOT EXISTS sharing_policy (
+          pattern    TEXT PRIMARY KEY,
+          level      TEXT NOT NULL CHECK (level IN ('none','anonymized','full')),
+          created_at TEXT NOT NULL
+        );
+        CREATE TABLE IF NOT EXISTS pseudonym_reversal (
+          token      TEXT PRIMARY KEY,
+          ciphertext TEXT NOT NULL,
+          created_at TEXT NOT NULL
+        );
+      `);
+      this.db.pragma("user_version = 11");
+    }
+    const v11 = this.db.pragma("user_version", { simple: true });
+    if (v11 < 12) {
+      this.db.exec(`
+        CREATE TABLE IF NOT EXISTS pending_shares (
+          content_hash TEXT PRIMARY KEY,
+          session_id   TEXT NOT NULL REFERENCES sessions(id),
+          node_id      TEXT,
+          kind         TEXT NOT NULL CHECK (kind IN ('node','edge')),
+          payload      TEXT NOT NULL,
+          status       TEXT NOT NULL CHECK (status IN ('pending','approved','shared','withheld')),
+          decided_by   TEXT CHECK (decided_by IN ('user','rule')),
+          created_at   TEXT NOT NULL,
+          decided_at   TEXT,
+          shared_at    TEXT
+        );
+        CREATE INDEX IF NOT EXISTS idx_pending_status ON pending_shares(status);
+        CREATE INDEX IF NOT EXISTS idx_pending_session ON pending_shares(session_id);
+      `);
+      this.db.pragma("user_version = 12");
+    }
+    const v12 = this.db.pragma("user_version", { simple: true });
+    if (v12 < 13) {
+      const hasNodes = this.db.prepare("PRAGMA table_info(nodes)").all().length > 0;
+      if (hasNodes) {
+        this.db.exec(`
+          CREATE INDEX IF NOT EXISTS idx_nodes_tenant_global ON nodes(tenant, global_id);
+          CREATE INDEX IF NOT EXISTS idx_nodes_tenant_content ON nodes(tenant, content_hash);
+        `);
+      }
+      const hasContrib = this.db.prepare("PRAGMA table_info(node_contributors)").all().length > 0;
+      if (hasContrib) {
+        this.db.exec("CREATE INDEX IF NOT EXISTS idx_contrib_org ON node_contributors(organization, global_id)");
+      }
+      this.db.pragma("user_version = 13");
+    }
+    const v13 = this.db.pragma("user_version", { simple: true });
+    if (v13 < 14) {
+      const hasNodes = this.db.prepare("PRAGMA table_info(nodes)").all();
+      if (hasNodes.length > 0) {
+        const cols = hasNodes.map((c) => c.name);
+        if (!cols.includes("owner")) this.db.exec("ALTER TABLE nodes ADD COLUMN owner TEXT");
+        if (!cols.includes("cost")) this.db.exec("ALTER TABLE nodes ADD COLUMN cost TEXT");
+        this.db.exec("CREATE INDEX IF NOT EXISTS idx_nodes_owner ON nodes(session_id, owner)");
+      }
+      this.db.pragma("user_version = 14");
+    }
+  }
+  close() {
+    this.db.pragma("optimize");
+    this.db.close();
+  }
+  /**
+   * Advanced: the underlying better-sqlite3 connection. Used by the optional
+   * semantic-search layer to load the `sqlite-vec` extension and manage its
+   * virtual table. Prefer the typed methods above for everything else.
+   */
+  rawConnection() {
+    return this.db;
+  }
+  // ── Sessions ────────────────────────────
+  /**
+   * Create a discovery session, stamping its tenant from (in precedence order)
+   * the explicit `tenantId` arg → `config.organization` → DEFAULT_TENANT. The
+   * tenant is normalized once here; every child row written under this session
+   * inherits it via {@link tenantOf}.
+   */
+  createSession(mode, config, tenantId) {
+    const id = crypto.randomUUID();
+    const tenant = normalizeTenant(tenantId ?? config.organization);
+    this.db.prepare(
+      `INSERT INTO sessions (id, mode, started_at, config, tenant, hostname, user, machine_id, organization)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`
+    ).run(
+      id,
+      mode,
+      (/* @__PURE__ */ new Date()).toISOString(),
+      JSON.stringify(config),
+      tenant,
+      hostname(),
+      osUser(),
+      machineId(),
+      config.organization ?? null
+    );
+    return id;
+  }
+  /** The tenant that owns a session (DEFAULT_TENANT if the session is unknown). */
+  tenantOf(sessionId) {
+    const r = this.db.prepare("SELECT tenant FROM sessions WHERE id = ?").get(sessionId);
+    return r?.tenant ?? DEFAULT_TENANT;
+  }
+  endSession(id) {
+    this.db.prepare("UPDATE sessions SET completed_at = ? WHERE id = ?").run((/* @__PURE__ */ new Date()).toISOString(), id);
+  }
+  getSession(id) {
+    const row = this.db.prepare("SELECT * FROM sessions WHERE id = ?").get(id);
+    return row ? this.mapSession(row) : void 0;
+  }
+  /**
+   * Resolve the newest session, optionally constrained to a `mode` and/or
+   * `tenantId`. Omitting `tenantId` preserves the original (unscoped) behavior;
+   * passing one returns only that tenant's sessions, which is how the tenant
+   * boundary is enforced at session resolution.
+   */
+  getLatestSession(mode, tenantId) {
+    const clauses = [];
+    const params = [];
+    if (mode) {
+      clauses.push("mode = ?");
+      params.push(mode);
+    }
+    if (tenantId !== void 0) {
+      clauses.push("tenant = ?");
+      params.push(tenantId);
+    }
+    const where = clauses.length ? `WHERE ${clauses.join(" AND ")} ` : "";
+    const row = this.db.prepare(`SELECT * FROM sessions ${where}ORDER BY rowid DESC LIMIT 1`).get(...params);
+    return row ? this.mapSession(row) : void 0;
+  }
+  getSessions(tenantId) {
+    const rows = tenantId !== void 0 ? this.db.prepare("SELECT * FROM sessions WHERE tenant = ? ORDER BY rowid DESC").all(tenantId) : this.db.prepare("SELECT * FROM sessions ORDER BY rowid DESC").all();
+    return rows.map((r) => this.mapSession(r));
+  }
+  mapSession(r) {
+    const v = SessionRowSchema.parse(r);
+    return {
+      id: v.id,
+      mode: v.mode,
+      startedAt: v.started_at,
+      completedAt: v.completed_at ?? void 0,
+      config: v.config,
+      name: v.name ?? void 0,
+      tenant: v.tenant,
+      hostname: v.hostname ?? void 0,
+      user: v.user ?? void 0,
+      machineId: v.machine_id ?? void 0,
+      organization: v.organization ?? void 0,
+      lastScannedAt: v.last_scanned_at ?? void 0
+    };
+  }
+  /** Record that a session was (re-)scanned now (ISO 8601 UTC). */
+  touchSession(id) {
+    this.db.prepare("UPDATE sessions SET last_scanned_at = ? WHERE id = ?").run((/* @__PURE__ */ new Date()).toISOString(), id);
+  }
+  /** Set (or clear) a session's human-friendly name. */
+  setSessionName(id, name) {
+    this.db.prepare("UPDATE sessions SET name = ? WHERE id = ?").run(name, id);
+  }
+  /**
+   * Compare two discovery sessions and report drift (added/removed/changed nodes
+   * and added/removed edges). Read-only; no schema changes. Throws if either
+   * session id does not exist.
+   */
+  diffSessions(baseId, currentId) {
+    const base = this.getSession(baseId);
+    if (!base) throw new Error(`Base session not found: ${baseId}`);
+    const current = this.getSession(currentId);
+    if (!current) throw new Error(`Current session not found: ${currentId}`);
+    const baseData = { nodes: this.getNodes(baseId), edges: this.getEdges(baseId) };
+    const curData = { nodes: this.getNodes(currentId), edges: this.getEdges(currentId) };
+    const delta = diffTopology(baseData, curData);
+    const baseAnoms = this.getGraphSummary(baseId).anomalies;
+    const curAnoms = this.getGraphSummary(currentId).anomalies;
+    return {
+      base: { sessionId: baseId, startedAt: base.startedAt, nodeCount: baseData.nodes.length, edgeCount: baseData.edges.length },
+      current: { sessionId: currentId, startedAt: current.startedAt, nodeCount: curData.nodes.length, edgeCount: curData.edges.length },
+      ...delta,
+      anomalies: { base: baseAnoms, current: curAnoms, added: newAnomalies(baseAnoms, curAnoms) }
+    };
+  }
+  /**
+   * Score a session against a compliance ruleset (3.4) — a thin wrapper over the
+   * pure `scoreTopology` engine (mirrors `diffSessions`). Throws only when the
+   * session id is unknown; the engine never throws on data shape.
+   */
+  scoreSession(sessionId, ruleset, opts) {
+    if (!this.getSession(sessionId)) throw new Error(`Session not found: ${sessionId}`);
+    return scoreTopology({ nodes: this.getNodes(sessionId), edges: this.getEdges(sessionId) }, ruleset, opts);
+  }
+  // ── Scheduled discovery: prior-session selection + drift runs (2.5) ──────────
+  /**
+   * The most recent session of `mode` (and optionally `tenantId`) other than
+   * `excludeId`. Used by scheduled discovery to pick an unambiguous diff base
+   * (newest-first by `rowid`), avoiding the `getLatestSession` just-created-session
+   * ambiguity. Returns `undefined` when no such prior session exists.
+   */
+  getPreviousSession(excludeId, mode, tenantId) {
+    const clauses = ["id != ?"];
+    const params = [excludeId];
+    if (mode) {
+      clauses.push("mode = ?");
+      params.push(mode);
+    }
+    if (tenantId !== void 0) {
+      clauses.push("tenant = ?");
+      params.push(tenantId);
+    }
+    const row = this.db.prepare(`SELECT * FROM sessions WHERE ${clauses.join(" AND ")} ORDER BY rowid DESC LIMIT 1`).get(...params);
+    return row ? this.mapSession(row) : void 0;
+  }
+  /**
+   * Persist one scheduled-discovery drift run: the summary counts plus the full
+   * {@link TopologyDelta} (for audit/replay). Returns the generated row id.
+   * `ranAt` is stamped now (ISO 8601 UTC).
+   */
+  recordDriftRun(sessionId, baseSessionId, delta) {
+    const id = crypto.randomUUID();
+    const s = delta.summary;
+    this.db.prepare(`
+      INSERT INTO drift_runs
+        (id, session_id, base_session_id, ran_at,
+         nodes_added, nodes_removed, nodes_changed, edges_added, edges_removed, delta)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(
+      id,
+      sessionId,
+      baseSessionId ?? null,
+      (/* @__PURE__ */ new Date()).toISOString(),
+      s.nodesAdded,
+      s.nodesRemoved,
+      s.nodesChanged,
+      s.edgesAdded,
+      s.edgesRemoved,
+      JSON.stringify(delta)
+    );
+    return id;
+  }
+  /** Recent drift runs, newest-first (`LIMIT`, default 50). */
+  getDriftRuns(limit = 50) {
+    const rows = this.db.prepare("SELECT * FROM drift_runs ORDER BY rowid DESC LIMIT ?").all(Math.max(1, Math.floor(limit)));
+    return rows.map((r) => this.mapDriftRun(r));
+  }
+  /** The most recent drift run, or `undefined` when none has been recorded. */
+  getLatestDriftRun() {
+    const row = this.db.prepare("SELECT * FROM drift_runs ORDER BY rowid DESC LIMIT 1").get();
+    return row ? this.mapDriftRun(row) : void 0;
+  }
+  mapDriftRun(r) {
+    const v = DriftRunRowSchema.parse(r);
+    const emptyDelta = {
+      nodes: { added: [], removed: [], changed: [], unchanged: 0 },
+      edges: { added: [], removed: [], unchanged: 0 },
+      summary: { nodesAdded: 0, nodesRemoved: 0, nodesChanged: 0, edgesAdded: 0, edgesRemoved: 0 }
+    };
+    return {
+      id: v.id,
+      sessionId: v.session_id,
+      baseSessionId: v.base_session_id ?? void 0,
+      ranAt: v.ran_at,
+      summary: {
+        nodesAdded: v.nodes_added,
+        nodesRemoved: v.nodes_removed,
+        nodesChanged: v.nodes_changed,
+        edgesAdded: v.edges_added,
+        edgesRemoved: v.edges_removed
+      },
+      delta: safeJsonParse(v.delta, emptyDelta)
+    };
+  }
+  // ── Nodes ───────────────────────────────
+  upsertNode(sessionId, node, depth = 0, attribution) {
+    const tenant = this.tenantOf(sessionId);
+    const ch = contentHash(node.type, node.name, keyMetaOf(node.metadata ?? {}));
+    const drift = this.db.prepare(
+      `SELECT global_id FROM nodes
+         WHERE content_hash = ? AND COALESCE(global_id, '') LIKE ?
+         LIMIT 1`
+    ).get(ch, `${globalId(tenant, "")}%`);
+    const gid = drift?.global_id ?? globalId(tenant, node.id);
+    this.db.prepare(`
+      INSERT OR REPLACE INTO nodes
+        (id, session_id, type, name, discovered_via, discovered_at, depth, confidence, metadata, tags,
+         domain, sub_domain, quality_score, owner, cost, tenant, global_id, content_hash)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(
+      node.id,
+      sessionId,
+      node.type,
+      sanitizeUntrusted(node.name),
+      node.discoveredVia,
+      (/* @__PURE__ */ new Date()).toISOString(),
+      depth,
+      node.confidence,
+      JSON.stringify(sanitizeValue(node.metadata ?? {})),
+      JSON.stringify((node.tags ?? []).map(sanitizeUntrusted)),
+      node.domain != null ? sanitizeUntrusted(node.domain) : null,
+      node.subDomain != null ? sanitizeUntrusted(node.subDomain) : null,
+      node.qualityScore ?? null,
+      node.owner != null ? sanitizeUntrusted(node.owner) : null,
+      node.cost ? JSON.stringify(CostEntrySchema.parse(node.cost)) : null,
+      tenant,
+      gid,
+      ch
+    );
+    if (attribution) {
+      this.db.prepare(`
+        INSERT INTO node_contributors (global_id, machine_id, hostname, user, organization, at, confidence)
+        VALUES (?, ?, ?, ?, ?, ?, ?)
+        ON CONFLICT(global_id, machine_id) DO UPDATE SET
+          confidence = MAX(confidence, excluded.confidence),
+          at = excluded.at,
+          hostname = excluded.hostname,
+          user = excluded.user,
+          organization = excluded.organization
+      `).run(
+        gid,
+        attribution.machineId,
+        sanitizeUntrusted(attribution.hostname),
+        sanitizeUntrusted(attribution.user),
+        attribution.organization != null ? sanitizeUntrusted(attribution.organization) : null,
+        attribution.at,
+        attribution.confidence
+      );
+    }
+  }
+  /** All contributors that observed a logical node, ordered by observation time. */
+  getContributors(globalId2) {
+    const rows = this.db.prepare(
+      "SELECT * FROM node_contributors WHERE global_id = ? ORDER BY at"
+    ).all(globalId2);
+    return rows.map((r) => {
+      const v = ContributorRowSchema.parse(r);
+      return {
+        machineId: v.machine_id,
+        hostname: v.hostname,
+        user: v.user,
+        organization: v.organization ?? void 0,
+        at: v.at,
+        confidence: v.confidence
+      };
+    });
+  }
+  getNodes(sessionId, opts) {
+    let sql = "SELECT * FROM nodes WHERE session_id = ?";
+    if (opts?.limit) {
+      sql += ` LIMIT ${opts.limit}`;
+      if (opts.offset) sql += ` OFFSET ${opts.offset}`;
+    }
+    const rows = this.db.prepare(sql).all(sessionId);
+    return rows.map((r) => this.mapNode(r));
+  }
+  getNodeCount(sessionId) {
+    const row = this.db.prepare("SELECT COUNT(*) as cnt FROM nodes WHERE session_id = ?").get(sessionId);
+    return row.cnt;
+  }
+  mapNode(r) {
+    const v = NodeRowSchema.parse(r);
+    return {
+      id: v.id,
+      sessionId: v.session_id,
+      type: v.type,
+      name: v.name,
+      discoveredVia: v.discovered_via ?? "",
+      discoveredAt: v.discovered_at,
+      depth: v.depth,
+      confidence: v.confidence,
+      metadata: safeJsonParse(v.metadata, {}),
+      tags: safeJsonParse(v.tags, []),
+      pathId: v.path_id ?? void 0,
+      domain: v.domain ?? void 0,
+      subDomain: v.sub_domain ?? void 0,
+      qualityScore: v.quality_score ?? void 0,
+      owner: v.owner ?? void 0,
+      cost: v.cost ? safeJsonParse(v.cost, void 0) : void 0,
+      globalId: v.global_id ?? void 0,
+      contentHash: v.content_hash ?? void 0
+    };
+  }
+  /**
+   * Update only the cost/owner of an existing node, without touching any other
+   * field (unlike upsertNode's INSERT OR REPLACE) — the idempotent enrichment
+   * primitive (3.3). `undefined` leaves a field unchanged; `null` clears it.
+   * No-op (returns false) if the node is absent. Cost is re-validated before write.
+   */
+  enrichNodeAttribution(sessionId, nodeId, attr) {
+    const sets = [];
+    const vals = [];
+    if (attr.owner !== void 0) {
+      sets.push("owner = ?");
+      vals.push(attr.owner == null ? null : sanitizeUntrusted(attr.owner));
+    }
+    if (attr.cost !== void 0) {
+      sets.push("cost = ?");
+      vals.push(attr.cost == null ? null : JSON.stringify(CostEntrySchema.parse(attr.cost)));
+    }
+    if (sets.length === 0) return false;
+    const info = this.db.prepare(
+      `UPDATE nodes SET ${sets.join(", ")} WHERE session_id = ? AND id = ?`
+    ).run(...vals, sessionId, nodeId);
+    return info.changes > 0;
+  }
+  deleteNode(sessionId, nodeId) {
+    this.db.prepare("DELETE FROM nodes WHERE session_id = ? AND id = ?").run(sessionId, nodeId);
+    this.db.prepare(
+      "DELETE FROM edges WHERE session_id = ? AND (source_id = ? OR target_id = ?)"
+    ).run(sessionId, nodeId, nodeId);
+  }
+  // ── Edges ───────────────────────────────
+  insertEdge(sessionId, edge) {
+    const id = crypto.randomUUID();
+    const tenant = this.tenantOf(sessionId);
+    this.db.prepare(`
+      INSERT OR IGNORE INTO edges
+        (id, session_id, source_id, target_id, relationship, evidence, confidence, discovered_at, tenant)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(
+      id,
+      sessionId,
+      edge.sourceId,
+      edge.targetId,
+      edge.relationship,
+      sanitizeUntrusted(edge.evidence),
+      edge.confidence,
+      (/* @__PURE__ */ new Date()).toISOString(),
+      tenant
+    );
+  }
+  /**
+   * Delete every edge matching the logical key (source, target, relationship)
+   * within a session. `insertEdge` writes a random PK, so logical identity is the
+   * only way to prune an edge that disappeared while both endpoints survived.
+   */
+  deleteEdgeByKey(sessionId, sourceId, targetId, relationship) {
+    this.db.prepare(
+      "DELETE FROM edges WHERE session_id = ? AND source_id = ? AND target_id = ? AND relationship = ?"
+    ).run(sessionId, sourceId, targetId, relationship);
+  }
+  /**
+   * Apply a precomputed {@link TopologyDelta} to one session in a single
+   * transaction (2.1 incremental discovery): prune removed nodes (cascading their
+   * edges via {@link deleteNode}), upsert added/changed nodes, delete removed edges
+   * by logical key, insert added edges, and stamp `last_scanned_at`. Unchanged rows
+   * are left untouched (stable `discovered_at`).
+   *
+   * `attribution` (2.9) is forwarded to every added/changed node's upsert so a
+   * rescan keeps/appends the running machine's contributor instead of leaving it
+   * out. Unchanged nodes are not re-upserted, so their existing contributors
+   * survive the rescan. `NodeRow extends DiscoveryNode`, so the delta rows pass
+   * straight into `upsertNode` with no mapper.
+   */
+  applyTopologyDelta(sessionId, delta, attribution) {
+    const apply = this.db.transaction(() => {
+      for (const n of delta.nodes.removed) this.deleteNode(sessionId, n.id);
+      for (const n of delta.nodes.added) {
+        this.upsertNode(sessionId, n, n.depth, attribution ? { ...attribution, confidence: n.confidence } : void 0);
+      }
+      for (const c of delta.nodes.changed) {
+        this.upsertNode(sessionId, c.after, c.after.depth, attribution ? { ...attribution, confidence: c.after.confidence } : void 0);
+      }
+      for (const e of delta.edges.removed) this.deleteEdgeByKey(sessionId, e.sourceId, e.targetId, e.relationship);
+      for (const e of delta.edges.added) this.insertEdge(sessionId, e);
+      this.touchSession(sessionId);
+    });
+    apply();
+  }
+  getEdges(sessionId, opts) {
+    let sql = "SELECT * FROM edges WHERE session_id = ?";
+    if (opts?.limit) {
+      sql += ` LIMIT ${opts.limit}`;
+      if (opts.offset) sql += ` OFFSET ${opts.offset}`;
+    }
+    const rows = this.db.prepare(sql).all(sessionId);
+    return rows.map((r) => {
+      const v = EdgeRowSchema.parse(r);
+      return {
+        id: v.id,
+        sessionId: v.session_id,
+        sourceId: v.source_id,
+        targetId: v.target_id,
+        relationship: v.relationship,
+        evidence: v.evidence ?? "",
+        confidence: v.confidence,
+        discoveredAt: v.discovered_at
+      };
+    });
+  }
+  // ── Events ──────────────────────────────
+  insertEvent(sessionId, event, taskId) {
+    const id = crypto.randomUUID();
+    const tenant = this.tenantOf(sessionId);
+    this.db.prepare(`
+      INSERT INTO activity_events
+        (id, session_id, task_id, timestamp, event_type, process, pid, target, target_type, port, command, result_bytes, tenant)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(
+      id,
+      sessionId,
+      taskId ?? null,
+      (/* @__PURE__ */ new Date()).toISOString(),
+      event.eventType,
+      event.process,
+      event.pid,
+      event.target ?? null,
+      event.targetType ?? null,
+      event.port ?? null,
+      event.command ?? null,
+      event.resultBytes ?? null,
+      tenant
+    );
+  }
+  getEvents(sessionId, since) {
+    const rows = since ? this.db.prepare("SELECT * FROM activity_events WHERE session_id = ? AND timestamp > ? ORDER BY timestamp").all(sessionId, since) : this.db.prepare("SELECT * FROM activity_events WHERE session_id = ? ORDER BY timestamp").all(sessionId);
+    return rows.map((r) => {
+      const v = EventRowSchema.parse(r);
+      return {
+        id: v.id,
+        sessionId: v.session_id,
+        taskId: v.task_id ?? void 0,
+        timestamp: v.timestamp,
+        eventType: v.event_type,
+        process: v.process,
+        pid: v.pid,
+        target: v.target ?? void 0,
+        targetType: v.target_type ?? void 0,
+        port: v.port ?? void 0,
+        durationMs: v.duration_ms ?? void 0,
+        command: v.command ?? void 0,
+        resultBytes: v.result_bytes ?? void 0
+      };
+    });
+  }
+  // ── Tasks ───────────────────────────────
+  startTask(sessionId, description) {
+    const id = crypto.randomUUID();
+    const tenant = this.tenantOf(sessionId);
+    this.db.prepare(`
+      INSERT INTO tasks (id, session_id, description, started_at, steps, involved_services, status, tenant)
+      VALUES (?, ?, ?, ?, '[]', '[]', 'active', ?)
+    `).run(id, sessionId, description ?? null, (/* @__PURE__ */ new Date()).toISOString(), tenant);
+    return id;
+  }
+  endCurrentTask(sessionId) {
+    this.db.prepare(`
+      UPDATE tasks SET status = 'completed', completed_at = ?
+      WHERE session_id = ? AND status = 'active'
+    `).run((/* @__PURE__ */ new Date()).toISOString(), sessionId);
+  }
+  updateTaskDescription(sessionId, description) {
+    this.db.prepare(`
+      UPDATE tasks SET description = ?
+      WHERE session_id = ? AND status = 'active'
+    `).run(description, sessionId);
+  }
+  getActiveTask(sessionId) {
+    const row = this.db.prepare(
+      "SELECT * FROM tasks WHERE session_id = ? AND status = 'active' LIMIT 1"
+    ).get(sessionId);
+    return row ? this.mapTask(row) : void 0;
+  }
+  getTasks(sessionId) {
+    const rows = this.db.prepare("SELECT * FROM tasks WHERE session_id = ? ORDER BY started_at").all(sessionId);
+    return rows.map((r) => this.mapTask(r));
+  }
+  mapTask(r) {
+    const v = TaskRowSchema.parse(r);
+    return {
+      id: v.id,
+      sessionId: v.session_id,
+      description: v.description ?? void 0,
+      startedAt: v.started_at,
+      completedAt: v.completed_at ?? void 0,
+      steps: v.steps,
+      involvedServices: v.involved_services,
+      status: v.status
+    };
+  }
+  // ── Workflows ───────────────────────────
+  insertWorkflow(sessionId, data) {
+    const id = crypto.randomUUID();
+    const tenant = this.tenantOf(sessionId);
+    this.db.prepare(`
+      INSERT INTO workflows
+        (id, session_id, name, pattern, task_ids, occurrences,
+         first_seen, last_seen, avg_duration_ms, involved_services, tenant)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(
+      id,
+      sessionId,
+      data.name ?? null,
+      data.pattern,
+      data.taskIds,
+      data.occurrences,
+      data.firstSeen,
+      data.lastSeen,
+      data.avgDurationMs,
+      data.involvedServices,
+      tenant
+    );
+  }
+  getWorkflows(sessionId) {
+    const rows = this.db.prepare("SELECT * FROM workflows WHERE session_id = ?").all(sessionId);
+    return rows.map((r) => {
+      const v = WorkflowRowSchema.parse(r);
+      return {
+        id: v.id,
+        sessionId: v.session_id,
+        name: v.name ?? void 0,
+        pattern: v.pattern,
+        taskIds: v.task_ids,
+        occurrences: v.occurrences,
+        firstSeen: v.first_seen,
+        lastSeen: v.last_seen,
+        avgDurationMs: v.avg_duration_ms ?? 0,
+        involvedServices: v.involved_services
+      };
+    });
+  }
+  // ── Connections (user-created hex map links) ─────────────────────────────
+  upsertConnection(sessionId, conn) {
+    const existing = this.db.prepare(
+      "SELECT id FROM connections WHERE session_id = ? AND source_asset_id = ? AND target_asset_id = ?"
+    ).get(sessionId, conn.sourceAssetId, conn.targetAssetId);
+    if (existing) return existing.id;
+    const id = crypto.randomUUID();
+    const tenant = this.tenantOf(sessionId);
+    this.db.prepare(`
+      INSERT INTO connections (id, session_id, source_asset_id, target_asset_id, type, created_at, tenant)
+      VALUES (?, ?, ?, ?, ?, ?, ?)
+    `).run(id, sessionId, conn.sourceAssetId, conn.targetAssetId, conn.type ?? null, (/* @__PURE__ */ new Date()).toISOString(), tenant);
+    return id;
+  }
+  getConnections(sessionId) {
+    const rows = this.db.prepare("SELECT * FROM connections WHERE session_id = ?").all(sessionId);
+    return rows.map((r) => {
+      const v = ConnectionRowSchema.parse(r);
+      return {
+        id: v.id,
+        sessionId: v.session_id,
+        sourceAssetId: v.source_asset_id,
+        targetAssetId: v.target_asset_id,
+        type: v.type ?? void 0,
+        createdAt: v.created_at
+      };
+    });
+  }
+  deleteConnection(sessionId, connectionId) {
+    this.db.prepare("DELETE FROM connections WHERE session_id = ? AND id = ?").run(sessionId, connectionId);
+  }
+  // ── Approvals ───────────────────────────
+  setApproval(pattern, action) {
+    this.db.prepare(`
+      INSERT OR REPLACE INTO node_approvals (pattern, action, created_at) VALUES (?, ?, ?)
+    `).run(pattern, action, (/* @__PURE__ */ new Date()).toISOString());
+  }
+  getApproval(pattern) {
+    const row = this.db.prepare("SELECT action FROM node_approvals WHERE pattern = ?").get(pattern);
+    return row?.action;
+  }
+  // ── Sharing policy (2.10 consent) ───────────────────────────────────────────
+  /**
+   * Set (or replace) the sharing level for a pattern. The `'*'` pattern is the
+   * global default; any other pattern is an override (glob over the node id).
+   * Validated via {@link SharingLevelSchema} before write; `created_at` is ISO UTC.
+   */
+  setSharingLevel(pattern, level) {
+    const valid = SharingLevelSchema.parse(level);
+    this.db.prepare(
+      "INSERT OR REPLACE INTO sharing_policy (pattern, level, created_at) VALUES (?, ?, ?)"
+    ).run(pattern, valid, (/* @__PURE__ */ new Date()).toISOString());
+  }
+  /**
+   * The full sharing policy: the `'*'` row resolves to `defaultLevel` (`'none'`
+   * when absent — the opt-in floor), every other row becomes an override. The
+   * glob-precedence resolution itself lives in `src/sharing.ts` so it is unit
+   * testable in isolation; this returns the raw policy it consumes.
+   */
+  getSharingPolicy() {
+    const rows = this.db.prepare("SELECT pattern, level FROM sharing_policy").all();
+    let defaultLevel = "none";
+    const overrides = [];
+    for (const r of rows) {
+      const level = SharingLevelSchema.parse(r.level);
+      if (r.pattern === "*") defaultLevel = level;
+      else overrides.push({ pattern: r.pattern, level });
+    }
+    return { defaultLevel, overrides };
+  }
+  /** Remove a pattern override. The global default (`'*'`) cannot be cleared this way. */
+  clearSharingOverride(pattern) {
+    this.db.prepare("DELETE FROM sharing_policy WHERE pattern = ? AND pattern != '*'").run(pattern);
+  }
+  // ── Pseudonym reversal map (2.10 admin-reversible anonymization) ─────────────
+  /**
+   * Persist the encrypted plaintext behind a pseudonym token. Idempotent: the
+   * token is deterministic, so repeated writes `INSERT OR REPLACE` and never grow
+   * the table. `ciphertext` is base64(iv ‖ tag ‖ AES-256-GCM(plaintext)).
+   */
+  saveReversal(token, ciphertext) {
+    this.db.prepare(
+      "INSERT OR REPLACE INTO pseudonym_reversal (token, ciphertext, created_at) VALUES (?, ?, ?)"
+    ).run(token, ciphertext, (/* @__PURE__ */ new Date()).toISOString());
+  }
+  /** Read the stored ciphertext for a pseudonym token (admin reversal path). */
+  getReversal(token) {
+    const row = this.db.prepare("SELECT ciphertext FROM pseudonym_reversal WHERE token = ?").get(token);
+    return row?.ciphertext;
+  }
+  // ── Pending-review share queue (2.11 central-DB sync) ────────────────────────
+  /**
+   * Enqueue one proposed share item. Idempotent via `INSERT OR IGNORE` on the
+   * `content_hash` PK: re-classifying the same (transformed) item never duplicates
+   * a row nor resets an existing decision. `payload` is the already-policy-
+   * transformed projection (the exact bytes a push would send) — never raw node
+   * data for `anonymized`/`none` items.
+   */
+  enqueuePending(item) {
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const decided = item.status === "pending" ? null : now;
+    this.db.prepare(`
+      INSERT OR IGNORE INTO pending_shares
+        (content_hash, session_id, node_id, kind, payload, status, decided_by, created_at, decided_at)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(
+      item.contentHash,
+      item.sessionId,
+      item.nodeId ?? null,
+      item.kind,
+      JSON.stringify(item.payload),
+      item.status,
+      item.decidedBy ?? null,
+      now,
+      decided
+    );
+  }
+  /** Queued share items, optionally filtered by status and/or session. */
+  getPendingShares(filter) {
+    const clauses = [];
+    const params = [];
+    if (filter?.status) {
+      clauses.push("status = ?");
+      params.push(filter.status);
+    }
+    if (filter?.sessionId) {
+      clauses.push("session_id = ?");
+      params.push(filter.sessionId);
+    }
+    const where = clauses.length ? `WHERE ${clauses.join(" AND ")} ` : "";
+    const rows = this.db.prepare(`SELECT * FROM pending_shares ${where}ORDER BY rowid`).all(...params);
+    return rows.map((r) => this.mapPendingShare(r));
+  }
+  /** Queue size by status (every status key present, zero-filled). */
+  countPendingByStatus() {
+    const out = { pending: 0, approved: 0, shared: 0, withheld: 0 };
+    const rows = this.db.prepare("SELECT status, COUNT(*) c FROM pending_shares GROUP BY status").all();
+    for (const r of rows) {
+      if (r.status in out) out[r.status] = r.c;
+    }
+    return out;
+  }
+  /** `content_hash` values already pushed (status `shared`) — for re-share suppression. */
+  getSharedHashes() {
+    const rows = this.db.prepare("SELECT content_hash FROM pending_shares WHERE status = 'shared'").all();
+    return new Set(rows.map((r) => r.content_hash));
+  }
+  /**
+   * Transition one queued item. Stamps `decided_at` on any non-`pending` status and
+   * `shared_at` when moving to `shared`. `decidedBy` records the actor (`'user'` or
+   * `'rule'`) for the audit trail.
+   */
+  setPendingStatus(contentHash2, status, decidedBy) {
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const sharedAt = status === "shared" ? now : null;
+    this.db.prepare(`
+      UPDATE pending_shares
+         SET status = ?, decided_by = COALESCE(?, decided_by), decided_at = ?, shared_at = COALESCE(?, shared_at)
+       WHERE content_hash = ?
+    `).run(status, decidedBy ?? null, now, sharedAt, contentHash2);
+  }
+  /** Approved items cleared to push (FIFO), optionally capped by `limit`. */
+  getApprovedShares(limit) {
+    let sql = "SELECT * FROM pending_shares WHERE status = 'approved' ORDER BY rowid";
+    if (limit) sql += ` LIMIT ${Math.max(1, Math.floor(limit))}`;
+    const rows = this.db.prepare(sql).all();
+    return rows.map((r) => this.mapPendingShare(r));
+  }
+  mapPendingShare(r) {
+    const v = PendingShareRowSchema.parse(r);
+    return {
+      contentHash: v.content_hash,
+      sessionId: v.session_id,
+      nodeId: v.node_id ?? void 0,
+      kind: v.kind,
+      payload: safeJsonParse(v.payload, null),
+      status: v.status,
+      decidedBy: v.decided_by ?? void 0,
+      createdAt: v.created_at,
+      decidedAt: v.decided_at ?? void 0,
+      sharedAt: v.shared_at ?? void 0
+    };
+  }
+  // ── Pruning ──────────────────────────────
+  /**
+   * Delete a session and all its associated data (nodes, edges, events, tasks, workflows, connections).
+   */
+  deleteSession(sessionId) {
+    this.db.prepare("DELETE FROM connections WHERE session_id = ?").run(sessionId);
+    this.db.prepare("DELETE FROM workflows WHERE session_id = ?").run(sessionId);
+    this.db.prepare("DELETE FROM activity_events WHERE session_id = ?").run(sessionId);
+    this.db.prepare("DELETE FROM tasks WHERE session_id = ?").run(sessionId);
+    this.db.prepare("DELETE FROM edges WHERE session_id = ?").run(sessionId);
+    this.db.prepare("DELETE FROM nodes WHERE session_id = ?").run(sessionId);
+    this.db.prepare("DELETE FROM sessions WHERE id = ?").run(sessionId);
+  }
+  /**
+   * Prune sessions older than the given ISO date string. Returns count of deleted sessions.
+   */
+  pruneSessions(olderThan) {
+    const rows = this.db.prepare(
+      "SELECT id FROM sessions WHERE started_at < ?"
+    ).all(olderThan);
+    for (const row of rows) {
+      this.deleteSession(row.id);
+    }
+    return rows.length;
+  }
+  // ── Graph queries (read-only context layer) ─────────────────────────────────
+  /** Fetch a single node by id within a session. */
+  getNode(sessionId, nodeId) {
+    const row = this.db.prepare("SELECT * FROM nodes WHERE session_id = ? AND id = ?").get(sessionId, nodeId);
+    return row ? this.mapNode(row) : void 0;
+  }
+  /** Batch-fetch nodes by id, keyed for O(1) lookup. Chunked to stay under SQLite's bind-variable limit. */
+  getNodesByIds(sessionId, ids) {
+    const out = /* @__PURE__ */ new Map();
+    for (let i = 0; i < ids.length; i += 900) {
+      const chunk = ids.slice(i, i + 900);
+      const placeholders = chunk.map(() => "?").join(",");
+      const rows = this.db.prepare(
+        `SELECT * FROM nodes WHERE session_id = ? AND id IN (${placeholders})`
+      ).all(sessionId, ...chunk);
+      for (const r of rows) {
+        const n = this.mapNode(r);
+        out.set(n.id, n);
+      }
+    }
+    return out;
+  }
+  /** Fetch all nodes of one or more types. */
+  getNodesByType(sessionId, types) {
+    if (types.length === 0) return [];
+    const placeholders = types.map(() => "?").join(",");
+    const rows = this.db.prepare(
+      `SELECT * FROM nodes WHERE session_id = ? AND type IN (${placeholders})`
+    ).all(sessionId, ...types);
+    return rows.map((r) => this.mapNode(r));
+  }
+  /**
+   * Lexical search over node id, name, domain, sub-domain and tags.
+   * Case-insensitive substring match — the deterministic fallback for semantic search.
+   */
+  searchNodes(sessionId, query, opts) {
+    const q = `%${query.trim().toLowerCase()}%`;
+    const params = [sessionId, q, q, q, q, q];
+    let sql = `
+      SELECT * FROM nodes
+      WHERE session_id = ?
+        AND (
+          lower(id) LIKE ? OR lower(name) LIKE ?
+          OR lower(COALESCE(domain, '')) LIKE ?
+          OR lower(COALESCE(sub_domain, '')) LIKE ?
+          OR lower(tags) LIKE ?
+        )`;
+    if (opts?.types && opts.types.length > 0) {
+      sql += ` AND type IN (${opts.types.map(() => "?").join(",")})`;
+      params.push(...opts.types);
+    }
+    sql += " ORDER BY confidence DESC";
+    if (opts?.limit) sql += ` LIMIT ${Math.max(1, Math.floor(opts.limit))}`;
+    const rows = this.db.prepare(sql).all(...params);
+    return rows.map((r) => this.mapNode(r));
+  }
+  /**
+   * Traverse the dependency graph from a node using a recursive CTE with a
+   * path-based cycle guard. `downstream` follows source→target (what the node
+   * depends on / points to); `upstream` follows target→source (what depends on it).
+   */
+  getDependencies(sessionId, nodeId, opts = {}) {
+    const direction = opts.direction ?? "downstream";
+    const maxDepth = Math.max(1, Math.min(opts.maxDepth ?? 8, 64));
+    const root = this.getNode(sessionId, nodeId);
+    const depthById = /* @__PURE__ */ new Map();
+    const collect = (dir) => {
+      const [from, to] = dir === "downstream" ? ["source_id", "target_id"] : ["target_id", "source_id"];
+      const sql = `
+        WITH RECURSIVE walk(node_id, depth, path) AS (
+          SELECT ?, 0, char(10) || ? || char(10)
+          UNION ALL
+          SELECT e.${to}, w.depth + 1, w.path || e.${to} || char(10)
+          FROM edges e JOIN walk w ON e.${from} = w.node_id
+          WHERE e.session_id = ?
+            AND w.depth < ?
+            AND instr(w.path, char(10) || e.${to} || char(10)) = 0
+        )
+        SELECT node_id, MIN(depth) AS depth FROM walk WHERE node_id != ? GROUP BY node_id`;
+      const rows = this.db.prepare(sql).all(nodeId, nodeId, sessionId, maxDepth, nodeId);
+      for (const r of rows) {
+        const prev = depthById.get(r.node_id);
+        if (prev === void 0 || r.depth < prev) depthById.set(r.node_id, r.depth);
+      }
+    };
+    if (direction === "both") {
+      collect("downstream");
+      collect("upstream");
+    } else collect(direction);
+    const byId = this.getNodesByIds(sessionId, [...depthById.keys()]);
+    const nodes = [...depthById.entries()].map(([id, depth]) => {
+      const n = byId.get(id);
+      return n ? { ...n, depth } : void 0;
+    }).filter((n) => n !== void 0).sort((a, b) => a.depth - b.depth);
+    const reachable = /* @__PURE__ */ new Set([nodeId, ...depthById.keys()]);
+    const edges = this.getEdges(sessionId).filter((e) => reachable.has(e.sourceId) && reachable.has(e.targetId));
+    return { root, direction, maxDepth, nodes, edges };
+  }
+  /** Lightweight aggregate index of the whole topology — the progressive-disclosure summary. */
+  getGraphSummary(sessionId) {
+    const totals = {
+      nodes: this.db.prepare("SELECT COUNT(*) c FROM nodes WHERE session_id = ?").get(sessionId).c,
+      edges: this.db.prepare("SELECT COUNT(*) c FROM edges WHERE session_id = ?").get(sessionId).c
+    };
+    const byType = {};
+    for (const r of this.db.prepare("SELECT type, COUNT(*) c FROM nodes WHERE session_id = ? GROUP BY type").all(sessionId)) {
+      byType[r.type] = r.c;
+    }
+    const byDomain = {};
+    for (const r of this.db.prepare("SELECT COALESCE(domain, '(none)') d, COUNT(*) c FROM nodes WHERE session_id = ? GROUP BY d").all(sessionId)) {
+      byDomain[r.d] = r.c;
+    }
+    const byRelationship = {};
+    for (const r of this.db.prepare("SELECT relationship rel, COUNT(*) c FROM edges WHERE session_id = ? GROUP BY rel").all(sessionId)) {
+      byRelationship[r.rel] = r.c;
+    }
+    const degreeRows = this.db.prepare(`
+      SELECT n.id, n.name, n.type, n.confidence, COUNT(e.id) AS degree
+      FROM nodes n
+      LEFT JOIN edges e ON e.session_id = n.session_id AND (e.source_id = n.id OR e.target_id = n.id)
+      WHERE n.session_id = ?
+      GROUP BY n.id, n.name, n.type
+    `).all(sessionId);
+    const degree = /* @__PURE__ */ new Map();
+    for (const r of degreeRows) degree.set(r.id, r.degree);
+    const topConnected = [...degreeRows].sort((a, b) => b.degree - a.degree || b.confidence - a.confidence || a.id.localeCompare(b.id)).slice(0, 10).map(({ id, name, type, degree: degree2 }) => ({ id, name, type, degree: degree2 }));
+    const anomalies = this.anomalyEnabled ? detectAnomalies(this.getNodes(sessionId), degree, this.anomalyThresholds) : [];
+    const contributors = this.db.prepare(`
+      SELECT COUNT(DISTINCT c.machine_id) AS n
+      FROM node_contributors c
+      JOIN nodes n ON n.global_id = c.global_id
+      WHERE n.session_id = ?
+    `).get(sessionId).n;
+    const costByDomain = this.db.prepare(`
+      SELECT COALESCE(domain, '(none)') domain,
+             json_extract(cost, '$.currency') currency,
+             json_extract(cost, '$.period')   period,
+             SUM(json_extract(cost, '$.amount')) total,
+             COUNT(*) nodes
+      FROM nodes
+      WHERE session_id = ? AND cost IS NOT NULL
+      GROUP BY domain, currency, period
+      ORDER BY total DESC
+    `).all(sessionId);
+    const costByOwner = this.db.prepare(`
+      SELECT COALESCE(owner, '(unowned)') owner,
+             json_extract(cost, '$.currency') currency,
+             json_extract(cost, '$.period')   period,
+             SUM(json_extract(cost, '$.amount')) total,
+             COUNT(*) nodes
+      FROM nodes
+      WHERE session_id = ? AND cost IS NOT NULL
+      GROUP BY owner, currency, period
+      ORDER BY total DESC
+    `).all(sessionId);
+    const withCost = this.db.prepare(
+      "SELECT COUNT(*) c FROM nodes WHERE session_id = ? AND cost IS NOT NULL"
+    ).get(sessionId).c;
+    return {
+      sessionId,
+      totals,
+      nodesByType: byType,
+      nodesByDomain: byDomain,
+      edgesByRelationship: byRelationship,
+      topConnected,
+      anomalies,
+      contributors,
+      costByDomain,
+      costByOwner,
+      costCoverage: { withCost, total: totals.nodes }
+    };
+  }
+  // ── Central collector store (2.12) ──────────────────────────────────────────
+  /**
+   * Resolve (creating once) the synthetic collector session that owns every
+   * central node/edge for a tenant. Central nodes are merged by `(org, global_id)`,
+   * not by session, so they live under a single deterministic session id
+   * (`central:{org}`) — this satisfies the existing `(id, session_id)` node PK and
+   * the `session_id` foreign key without a destructive schema change. Idempotent.
+   */
+  ensureCentralSession(org) {
+    const tenant = normalizeTenant(org);
+    const id = `central:${tenant}`;
+    const existing = this.db.prepare("SELECT id FROM sessions WHERE id = ?").get(id);
+    if (existing) return id;
+    this.db.prepare(
+      `INSERT INTO sessions (id, mode, started_at, config, tenant, organization)
+       VALUES (?, 'discover', ?, '{}', ?, ?)`
+    ).run(id, (/* @__PURE__ */ new Date()).toISOString(), tenant, org);
+    return id;
+  }
+  /**
+   * Find an existing central node within a tenant by its primary identity
+   * (`global_id`), returning its stored `id` so a merge keeps a single row.
+   */
+  findCentralNodeIdByGlobalId(org, gid) {
+    const tenant = normalizeTenant(org);
+    const row = this.db.prepare(
+      "SELECT id FROM nodes WHERE tenant = ? AND global_id = ? LIMIT 1"
+    ).get(tenant, gid);
+    return row?.id;
+  }
+  /**
+   * Secondary merge lookup: an existing central node in the tenant whose
+   * `content_hash` matches (catches `id` drift between machines for the same
+   * logical resource). Returns its stored `id` and `global_id`.
+   */
+  findCentralNodeByContentHash(org, ch) {
+    const tenant = normalizeTenant(org);
+    const row = this.db.prepare(
+      "SELECT id, global_id FROM nodes WHERE tenant = ? AND content_hash = ? LIMIT 1"
+    ).get(tenant, ch);
+    if (!row || row.global_id == null) return void 0;
+    return { id: row.id, globalId: row.global_id };
+  }
+  /**
+   * Merge one incoming node into the central store for a tenant and append the
+   * contributor (2.12). Resolves identity by `(tenant, global_id)` primary, then
+   * `(tenant, content_hash)` secondary; on a hit it keeps the existing row's id
+   * (so the logical node stays a single row), unions tags, keeps the higher
+   * confidence, and merges metadata (incoming values win on key conflict). The
+   * incoming `globalId`/`contentHash` are precomputed by the merge core so they
+   * are consistent with what the lookups used. Returns whether a new row was
+   * created or an existing one was merged. Runs in one transaction.
+   */
+  upsertCentralNode(org, node, identity, contributor) {
+    const tenant = normalizeTenant(org);
+    const sessionId = this.ensureCentralSession(tenant);
+    const txn = this.db.transaction(() => {
+      let targetId = this.findCentralNodeIdByGlobalId(tenant, identity.globalId);
+      let outcome = "merged";
+      if (!targetId) {
+        const byHash = this.findCentralNodeByContentHash(tenant, identity.contentHash);
+        targetId = byHash?.id;
+      }
+      if (!targetId) {
+        targetId = node.id;
+        outcome = "created";
+      }
+      const existing = this.getCentralNode(tenant, sessionId, targetId);
+      const mergedTags = Array.from(/* @__PURE__ */ new Set([...existing?.tags ?? [], ...node.tags ?? []]));
+      const mergedMeta = { ...existing?.metadata ?? {}, ...node.metadata ?? {} };
+      const confidence = Math.max(existing?.confidence ?? 0, node.confidence);
+      this.db.prepare(`
+        INSERT OR REPLACE INTO nodes
+          (id, session_id, type, name, discovered_via, discovered_at, depth, confidence, metadata, tags,
+           domain, sub_domain, quality_score, tenant, global_id, content_hash)
+        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+      `).run(
+        targetId,
+        sessionId,
+        node.type,
+        sanitizeUntrusted(node.name),
+        node.discoveredVia,
+        existing?.discoveredAt ?? (/* @__PURE__ */ new Date()).toISOString(),
+        0,
+        confidence,
+        JSON.stringify(sanitizeValue(mergedMeta)),
+        JSON.stringify(mergedTags.map(sanitizeUntrusted)),
+        node.domain != null ? sanitizeUntrusted(node.domain) : existing?.domain ?? null,
+        node.subDomain != null ? sanitizeUntrusted(node.subDomain) : existing?.subDomain ?? null,
+        node.qualityScore ?? existing?.qualityScore ?? null,
+        tenant,
+        identity.globalId,
+        identity.contentHash
+      );
+      this.db.prepare(`
+        INSERT INTO node_contributors (global_id, machine_id, hostname, user, organization, at, confidence)
+        VALUES (?, ?, ?, ?, ?, ?, ?)
+        ON CONFLICT(global_id, machine_id) DO UPDATE SET
+          confidence = MAX(confidence, excluded.confidence),
+          at = excluded.at,
+          hostname = excluded.hostname,
+          user = excluded.user,
+          organization = excluded.organization
+      `).run(
+        identity.globalId,
+        contributor.machineId,
+        sanitizeUntrusted(contributor.hostname),
+        sanitizeUntrusted(contributor.user),
+        contributor.organization != null ? sanitizeUntrusted(contributor.organization) : tenant,
+        contributor.at,
+        contributor.confidence
+      );
+      return outcome;
+    });
+    return txn();
+  }
+  /** Insert an edge into the central store for a tenant (idempotent on logical key). */
+  insertCentralEdge(org, edge) {
+    const tenant = normalizeTenant(org);
+    const sessionId = this.ensureCentralSession(tenant);
+    const dup = this.db.prepare(
+      "SELECT 1 FROM edges WHERE tenant = ? AND source_id = ? AND target_id = ? AND relationship = ? LIMIT 1"
+    ).get(tenant, edge.sourceId, edge.targetId, edge.relationship);
+    if (dup) return;
+    this.insertEdge(sessionId, edge);
+  }
+  /** A central node by tenant + stored id (the merge target after identity resolution). */
+  getCentralNode(org, sessionId, nodeId) {
+    const tenant = normalizeTenant(org);
+    const row = this.db.prepare(
+      "SELECT * FROM nodes WHERE tenant = ? AND session_id = ? AND id = ?"
+    ).get(tenant, sessionId, nodeId);
+    return row ? this.mapNode(row) : void 0;
+  }
+  /** All contributors for a logical (global_id) node across an org. */
+  getContributorsByGlobalId(gid) {
+    return this.getContributors(gid);
+  }
+  /**
+   * Org-wide aggregate summary (2.12) — the central analogue of
+   * {@link getGraphSummary}, scoped `WHERE tenant = ?` so it merges every machine's
+   * contribution into one organization-wide view. Cross-tenant isolation is
+   * structural: org A's rows never appear in org B's counts.
+   */
+  getOrgSummary(org) {
+    const tenant = normalizeTenant(org);
+    const totals = {
+      nodes: this.db.prepare("SELECT COUNT(*) c FROM nodes WHERE tenant = ?").get(tenant).c,
+      edges: this.db.prepare("SELECT COUNT(*) c FROM edges WHERE tenant = ?").get(tenant).c
+    };
+    const byType = {};
+    for (const r of this.db.prepare("SELECT type, COUNT(*) c FROM nodes WHERE tenant = ? GROUP BY type").all(tenant)) {
+      byType[r.type] = r.c;
+    }
+    const byDomain = {};
+    for (const r of this.db.prepare("SELECT COALESCE(domain, '(none)') d, COUNT(*) c FROM nodes WHERE tenant = ? GROUP BY d").all(tenant)) {
+      byDomain[r.d] = r.c;
+    }
+    const byRelationship = {};
+    for (const r of this.db.prepare("SELECT relationship rel, COUNT(*) c FROM edges WHERE tenant = ? GROUP BY rel").all(tenant)) {
+      byRelationship[r.rel] = r.c;
+    }
+    const topConnected = this.db.prepare(`
+      SELECT n.id, n.name, n.type, COUNT(e.id) AS degree
+      FROM nodes n
+      LEFT JOIN edges e ON e.tenant = n.tenant AND (e.source_id = n.id OR e.target_id = n.id)
+      WHERE n.tenant = ?
+      GROUP BY n.id, n.name, n.type
+      ORDER BY degree DESC, n.confidence DESC
+      LIMIT 10
+    `).all(tenant);
+    const contributors = this.db.prepare(`
+      SELECT COUNT(DISTINCT c.machine_id) AS n
+      FROM node_contributors c
+      JOIN nodes n ON n.global_id = c.global_id
+      WHERE n.tenant = ?
+    `).get(tenant).n;
+    return { org: tenant, totals, nodesByType: byType, nodesByDomain: byDomain, edgesByRelationship: byRelationship, topConnected, contributors };
+  }
+  // ── Stats ───────────────────────────────
+  getStats(sessionId) {
+    const nodes = this.db.prepare("SELECT COUNT(*) as c FROM nodes WHERE session_id = ?").get(sessionId).c;
+    const edges = this.db.prepare("SELECT COUNT(*) as c FROM edges WHERE session_id = ?").get(sessionId).c;
+    const events = this.db.prepare("SELECT COUNT(*) as c FROM activity_events WHERE session_id = ?").get(sessionId).c;
+    const tasks = this.db.prepare("SELECT COUNT(*) as c FROM tasks WHERE session_id = ?").get(sessionId).c;
+    return { nodes, edges, events, tasks };
+  }
+};
+// src/api/auth.ts
+var LOOPBACK_HOSTS = /* @__PURE__ */ new Set(["127.0.0.1", "localhost", "::1", "[::1]"]);
+function isLoopbackHost(host) {
+  return LOOPBACK_HOSTS.has(host);
+}
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  return diff === 0;
+}
+function bearerToken(header) {
+  if (!header) return void 0;
+  const trimmed = header.trim();
+  if (trimmed.length < 7 || trimmed.slice(0, 6).toLowerCase() !== "bearer") return void 0;
+  const rest = trimmed.slice(6);
+  if (!/^\s/.test(rest)) return void 0;
+  const token = rest.trimStart();
+  return token.length > 0 ? token : void 0;
+}
+function checkBearer(authorizationHeader, token) {
+  if (!token) return true;
+  const provided = bearerToken(authorizationHeader);
+  return provided !== void 0 && timingSafeEqual(provided, token);
+}
+function assertSafeBind(opts) {
+  if (isLoopbackHost(opts.host)) return;
+  if (opts.allowedHosts === void 0) {
+    throw new Error(
+      `Refusing to bind a non-loopback host (${opts.host}) without an explicit allowedHosts allowlist. Pass { allowedHosts: ['your.public.host:port'] } to opt in, or bind 127.0.0.1 for local-only use.`
+    );
+  }
+  if (!opts.token) {
+    throw new Error(
+      `Refusing to bind a non-loopback host (${opts.host}) without an auth token. Pass { token } (or --token / CARTOGRAPHY_HTTP_TOKEN) so requests must carry 'Authorization: Bearer <token>'.`
+    );
+  }
+}
+function defaultAllowedHosts(host, port) {
+  return [`${host}:${port}`, `localhost:${port}`, `127.0.0.1:${port}`];
+}
+export {
+  sanitizeUntrusted,
+  cloudAwsScanner,
+  cloudGcpScanner,
+  cloudAzureScanner,
+  k8sScanner,
+  databasesScanner,
+  stripSensitive,
+  redactValue,
+  buildCartographyToolHandlers,
+  createCartographyTools,
+  RulesetSchema,
+  stableStringify,
+  diffTopology,
+  DEFAULT_TENANT,
+  normalizeTenant,
+  keyMetaOf,
+  contentHash,
+  globalId,
+  deriveSessionName,
+  CartographyDB,
+  checkBearer,
+  assertSafeBind,
+  defaultAllowedHosts
+};
+//# sourceMappingURL=chunk-7QEBFMN4.js.map