@datasynx/agentic-ai-cartography 2.0.0 → 2.3.0

package/dist/cli.js

@@ -1,39 +1,55 @@
 #!/usr/bin/env node
 import {
-  CartographyDB,
+  getRuleset,
+  isPersonalHost,
+  listRulesets,
+  loadOrgKey,
+  pseudonymize,
+  pseudonymizeString,
+  reversePseudonym,
+  rotateOrgKey,
+  runDrift,
+  runLocalDiscovery,
   startMcp
-} from "./chunk-W7YE6AAH.js";
+} from "./chunk-B2AKONVW.js";
+import {
+  startApi
+} from "./chunk-7VZH5PFV.js";
+import {
+  CartographyDB,
+  buildCartographyToolHandlers,
+  createCartographyTools,
+  deriveSessionName,
+  diffTopology,
+  normalizeTenant,
+  redactValue,
+  stableStringify,
+  stripSensitive
+} from "./chunk-7QEBFMN4.js";
 import {
+  ConfigFileSchema,
+  CostEntrySchema,
   DOMAIN_COLORS,
   DOMAIN_PALETTE,
-  EDGE_RELATIONSHIPS,
-  NODE_TYPES,
+  DriftConfigSchema,
   NODE_TYPE_GROUPS,
+  SharingLevelSchema,
+  centralDbFromEnv,
   defaultConfig
-} from "./chunk-J6FDZ6HZ.js";
+} from "./chunk-WCR47QA2.js";
 import {
-  HOME,
-  IS_LINUX,
   IS_MAC,
   IS_WIN,
   PLATFORM,
   checkReadOnly,
   cleanupTempFiles,
-  commandExists,
-  dbScanDirs,
-  findFiles,
   logDebug,
   logError,
   logInfo,
   logWarn,
   run,
-  scanAllBookmarks,
-  scanAllHistory,
-  scanWindowsDbServices,
-  scanWindowsPrograms,
   setVerbose
-} from "./chunk-CJ2PITFA.js";
-import "./chunk-UGSNG3QJ.js";
+} from "./chunk-2SZ5QHGH.js";
 
 // src/cli.ts
 import { Command } from "commander";
@@ -54,7 +70,30 @@ function isOAuthLoggedIn() {
     return false;
   }
 }
-function checkPrerequisites() {
+function checkPrerequisites(provider = "claude") {
+  if (provider === "openai") {
+    checkOpenAIPrerequisites();
+    return;
+  }
+  if (provider === "ollama") {
+    process.stderr.write(
+      `\u2713 Ollama provider selected (host: ${process.env.OLLAMA_HOST ?? "http://127.0.0.1:11434"})
+`
+    );
+    return;
+  }
+  checkClaudePrerequisites();
+}
+function checkOpenAIPrerequisites() {
+  if (!process.env.OPENAI_API_KEY) {
+    process.stderr.write(
+      "\n\u274C OpenAI provider selected but OPENAI_API_KEY is not set.\n\n   Set your key:\n     export OPENAI_API_KEY=sk-...\n\n   Install the SDK if needed:\n     npm install openai\n\n   Tip: pass a non-Claude model, e.g. --model gpt-4.1\n\n"
+    );
+    process.exitCode = 1;
+    throw new Error("OPENAI_API_KEY not set");
+  }
+}
+function checkClaudePrerequisites() {
   try {
     execSync("claude --version", { stdio: "pipe" });
   } catch {
@@ -75,515 +114,24 @@ function checkPrerequisites() {
   }
 }
 
-// src/tools.ts
-import { z } from "zod";
-function createScanRunner(runFn, opts = {}) {
-  const threshold = opts.threshold ?? 3;
-  let consecutiveFailures = 0;
-  let tripped = false;
-  return (cmd) => {
-    if (tripped) {
-      logDebug(`Circuit breaker: skipping "${cmd}" (${consecutiveFailures} consecutive failures)`);
-      return "(skipped \u2014 circuit breaker: too many consecutive failures)";
-    }
-    const result = runFn(cmd, { timeout: opts.timeout ?? 2e4, env: opts.env });
-    if (!result) {
-      consecutiveFailures++;
-      if (consecutiveFailures >= threshold) {
-        tripped = true;
-        logDebug(`Circuit breaker tripped after ${threshold} failures, last command: "${cmd}"`);
-      }
-      return "(error or not available)";
-    }
-    consecutiveFailures = 0;
-    return result;
-  };
-}
-function stripSensitive(target) {
-  const raw = target.trim();
-  if (!raw) return raw;
-  try {
-    const url = new URL(raw.startsWith("http") ? raw : `tcp://${raw}`);
-    const stripped = `${url.hostname}${url.port ? ":" + url.port : ""}`;
-    return stripped || raw;
-  } catch {
-    const stripped = raw.replace(/\/.*$/, "").replace(/\?.*$/, "").replace(/@.*:/, ":");
-    return stripped || raw;
-  }
-}
-async function createCartographyTools(db, sessionId, opts = {}) {
-  const { tool, createSdkMcpServer } = await import("./sdk-A6NLO3DJ.js");
-  const tools = [
-    tool("save_node", "Save an infrastructure node to the catalog", {
-      id: z.string(),
-      type: z.enum(NODE_TYPES),
-      name: z.string(),
-      discoveredVia: z.string(),
-      confidence: z.number().min(0).max(1),
-      metadata: z.record(z.string(), z.unknown()).optional(),
-      tags: z.array(z.string()).optional(),
-      domain: z.string().optional().describe('Business domain, e.g. "Marketing", "Finance"'),
-      subDomain: z.string().optional().describe('Sub-domain, e.g. "Forecast client orders"'),
-      qualityScore: z.number().min(0).max(100).optional().describe("Data quality score 0\u2013100")
-    }, async (args) => {
-      const node = {
-        id: stripSensitive(args["id"]),
-        type: args["type"],
-        name: args["name"],
-        discoveredVia: args["discoveredVia"],
-        confidence: args["confidence"],
-        metadata: args["metadata"] ?? {},
-        tags: args["tags"] ?? [],
-        domain: args["domain"],
-        subDomain: args["subDomain"],
-        qualityScore: args["qualityScore"]
-      };
-      db.upsertNode(sessionId, node);
-      return { content: [{ type: "text", text: `\u2713 Node: ${node.id}` }] };
-    }),
-    tool("save_edge", "Save a relationship (edge) between two nodes \u2014 ALWAYS save edges when connections are clear", {
-      sourceId: z.string(),
-      targetId: z.string(),
-      relationship: z.enum(EDGE_RELATIONSHIPS),
-      evidence: z.string(),
-      confidence: z.number().min(0).max(1)
-    }, async (args) => {
-      db.insertEdge(sessionId, {
-        sourceId: args["sourceId"],
-        targetId: args["targetId"],
-        relationship: args["relationship"],
-        evidence: args["evidence"],
-        confidence: args["confidence"]
-      });
-      return { content: [{ type: "text", text: `\u2713 ${args["sourceId"]}\u2192${args["targetId"]}` }] };
-    }),
-    tool("get_catalog", "Get the current catalog \u2014 use before save_node to avoid duplicates", {
-      includeEdges: z.boolean().default(true)
-    }, async (args) => {
-      const nodes = db.getNodes(sessionId);
-      const edges = args["includeEdges"] ? db.getEdges(sessionId) : [];
-      return {
-        content: [{
-          type: "text",
-          text: JSON.stringify({
-            count: { nodes: nodes.length, edges: edges.length },
-            nodeIds: nodes.map((n) => n.id)
-          })
-        }]
-      };
-    }),
-    tool("ask_user", "Ask the user a question \u2014 for clarifications, missing context, or consent (e.g. before scanning browser history)", {
-      question: z.string().describe("The question for the user (clear and specific)"),
-      context: z.string().optional().describe("Optional context explaining why this is relevant")
-    }, async (args) => {
-      const question = args["question"];
-      const context = args["context"];
-      if (opts.onAskUser) {
-        const answer = await opts.onAskUser(question, context);
-        return { content: [{ type: "text", text: answer }] };
-      }
-      return {
-        content: [{ type: "text", text: "(Non-interactive mode \u2014 please continue without this information)" }]
-      };
-    }),
-    tool("scan_bookmarks", "Scan all browser bookmarks \u2014 hostnames only, no personal data (Chrome, Chromium, Edge, Brave, Vivaldi, Opera, Firefox)", {
-      minConfidence: z.number().min(0).max(1).default(0.5).optional()
-    }, async () => {
-      const hosts = await scanAllBookmarks();
-      return {
-        content: [{
-          type: "text",
-          text: JSON.stringify({
-            count: hosts.length,
-            hosts: hosts.map((h) => ({
-              hostname: h.hostname,
-              port: h.port,
-              protocol: h.protocol,
-              source: h.source
-            })),
-            note: "Hostnames only \u2014 no paths, no personal data. Classify each as a business tool (save_node) or ignore (social media, news, shopping)."
-          })
-        }]
-      };
-    }),
-    tool("scan_browser_history", "Scan browser history \u2014 anonymized hostnames + visit frequency. ALWAYS call ask_user for consent before using this tool.", {
-      minVisits: z.number().min(1).default(3).optional().describe("Minimum visit count to include a host (filters rarely-visited sites)")
-    }, async (args) => {
-      const minVisits = args["minVisits"] ?? 3;
-      const hosts = await scanAllHistory();
-      const filtered = hosts.filter((h) => h.visitCount >= minVisits);
-      return {
-        content: [{
-          type: "text",
-          text: JSON.stringify({
-            count: filtered.length,
-            note: "Anonymized \u2014 hostnames only, no URLs, no paths, no personal data. Classify business tools as saas_tool nodes.",
-            hosts: filtered.map((h) => ({
-              hostname: h.hostname,
-              visitCount: h.visitCount,
-              protocol: h.protocol,
-              source: h.source
-            }))
-          })
-        }]
-      };
-    }),
-    tool("scan_local_databases", "Scan for local database files and running DB servers \u2014 PostgreSQL databases, MySQL, SQLite files from installed apps", {
-      deep: z.boolean().default(false).optional().describe("Also search home directory recursively for SQLite/DB files (slower)")
-    }, async (args) => {
-      const deep = args["deep"] ?? false;
-      const results = {};
-      results["PLATFORM"] = `${PLATFORM} (${IS_WIN ? "Windows" : IS_MAC ? "macOS" : "Linux"})`;
-      if (IS_WIN) {
-        results["DB_SERVICES"] = scanWindowsDbServices() || "(no database services found)";
-      }
-      if (commandExists("psql")) {
-        if (IS_WIN) {
-          results["POSTGRES_DATABASES"] = run("psql -lqt", { timeout: 1e4 }) || "(psql found but not running or requires auth)";
-        } else {
-          results["POSTGRES_DATABASES"] = run(`psql -lqt 2>/dev/null | grep -v "template0\\|template1" | awk '{print $1}' | grep -v "^$\\|^|"`) || "(psql not running or not available)";
-          results["POSTGRES_CLUSTERS"] = run("pg_lsclusters 2>/dev/null") || "(pg_lsclusters not available)";
-        }
-      } else {
-        results["POSTGRES_DATABASES"] = "(psql not installed)";
-      }
-      if (commandExists("mysql")) {
-        if (IS_WIN) {
-          results["MYSQL_DATABASES"] = run('mysql --connect-timeout=3 -e "SHOW DATABASES;"', { timeout: 1e4 }) || "(mysql not running or requires auth)";
-        } else {
-          results["MYSQL_DATABASES"] = run('mysql --connect-timeout=3 -e "SHOW DATABASES;" 2>/dev/null') || "(mysql not running or requires auth)";
-        }
-      } else {
-        results["MYSQL_DATABASES"] = "(mysql not installed)";
-      }
-      if (commandExists("mongosh")) {
-        if (IS_WIN) {
-          results["MONGODB_DATABASES"] = run(`mongosh --quiet --eval "db.adminCommand({listDatabases:1}).databases.map(d=>d.name).join('\\n')"`, { timeout: 1e4 }) || "(mongosh not available)";
-        } else {
-          results["MONGODB_DATABASES"] = run(`mongosh --quiet --eval "db.adminCommand({listDatabases:1}).databases.map(d=>d.name).join('\\n')" 2>/dev/null`) || "(mongosh not available)";
-        }
-      } else {
-        results["MONGODB_DATABASES"] = "(mongosh not installed)";
-      }
-      if (commandExists("redis-cli")) {
-        if (IS_WIN) {
-          results["REDIS_INFO"] = run("redis-cli info server", { timeout: 1e4 }).split("\n").slice(0, 5).join("\n") || "(redis-cli not available)";
-        } else {
-          results["REDIS_INFO"] = run("redis-cli info server 2>/dev/null | head -5") || "(redis-cli not available)";
-        }
-      } else {
-        results["REDIS_INFO"] = "(redis-cli not installed)";
-      }
-      const appDirs = dbScanDirs();
-      if (appDirs.length > 0) {
-        results["SQLITE_APP_FILES"] = findFiles(appDirs, ["*.sqlite", "*.sqlite3", "*.db"], 4, 80) || "(none found)";
-      }
-      if (deep) {
-        if (IS_WIN) {
-          results["SQLITE_DEEP_SCAN"] = run(
-            `Get-ChildItem -Path '${HOME}' -Recurse -Depth 6 -Include '*.sqlite','*.sqlite3','*.db' -ErrorAction SilentlyContinue | Where-Object { $_.FullName -notmatch 'node_modules|\\.git' } | Select-Object -First 100 -ExpandProperty FullName`,
-            { timeout: 3e4 }
-          ) || "(none found)";
-        } else {
-          results["SQLITE_DEEP_SCAN"] = run(`find "${HOME}" -maxdepth 6 \\( -name "*.sqlite" -o -name "*.sqlite3" -o -name "*.db" \\) -not -path "*/node_modules/*" -not -path "*/.git/*" 2>/dev/null | head -100`) || "(none found)";
-        }
-      }
-      if (IS_WIN) {
-        results["DB_CONFIG_FILES"] = run(
-          `Get-ChildItem -Path '${HOME}' -Recurse -Depth 4 -Include '.env','.env.local','database.yml','database.json','docker-compose.yml' -ErrorAction SilentlyContinue | Select-Object -First 20 -ExpandProperty FullName`,
-          { timeout: 15e3 }
-        ) || "(none found)";
-      } else {
-        results["DB_CONFIG_FILES"] = run(`find "${HOME}" -maxdepth 4 \\( -name ".env" -o -name ".env.local" -o -name "database.yml" -o -name "database.json" -o -name "docker-compose.yml" \\) 2>/dev/null | head -20`) || "(none found)";
-      }
-      const out = Object.entries(results).map(([k, v]) => `=== ${k} ===
-${v}`).join("\n\n");
-      return { content: [{ type: "text", text: out }] };
-    }),
-    tool("scan_k8s_resources", "Scan Kubernetes cluster via kubectl \u2014 100% readonly (get, describe)", {
-      namespace: z.string().optional().describe("Filter by namespace \u2014 empty = all namespaces")
-    }, async (args) => {
-      const ns = args["namespace"];
-      const nsFlag = ns ? `-n ${ns}` : "--all-namespaces";
-      const runK = createScanRunner(run, { timeout: 15e3, threshold: 3 });
-      const sections = IS_WIN ? [
-        ["CONTEXT", "kubectl config current-context"],
-        ["NODES", "kubectl get nodes -o wide"],
-        ["NAMESPACES", "kubectl get namespaces"],
-        ["SERVICES", `kubectl get services ${nsFlag}`],
-        ["DEPLOYMENTS", `kubectl get deployments ${nsFlag}`],
-        ["STATEFULSETS", `kubectl get statefulsets ${nsFlag}`],
-        ["INGRESSES", `kubectl get ingress ${nsFlag}`],
-        ["PODS_RUNNING", `kubectl get pods ${nsFlag} --field-selector=status.phase=Running`],
-        ["CONFIGMAPS_SYSTEM", "kubectl get configmaps -n kube-system"]
-      ] : [
-        ["CONTEXT", 'kubectl config current-context 2>/dev/null || echo "(no context set)"'],
-        ["NODES", "kubectl get nodes -o wide"],
-        ["NAMESPACES", "kubectl get namespaces"],
-        ["SERVICES", `kubectl get services ${nsFlag}`],
-        ["DEPLOYMENTS", `kubectl get deployments ${nsFlag}`],
-        ["STATEFULSETS", `kubectl get statefulsets ${nsFlag}`],
-        ["INGRESSES", `kubectl get ingress ${nsFlag} 2>/dev/null || echo "(none)"`],
-        ["PODS_RUNNING", `kubectl get pods ${nsFlag} --field-selector=status.phase=Running 2>/dev/null | head -60`],
-        ["CONFIGMAPS_SYSTEM", "kubectl get configmaps -n kube-system 2>/dev/null | head -30"]
-      ];
-      const out = sections.map(([l, c]) => `=== ${l} ===
-${runK(c)}`).join("\n\n");
-      return { content: [{ type: "text", text: out }] };
-    }),
-    tool("scan_aws_resources", "Scan AWS infrastructure via AWS CLI \u2014 100% readonly (describe, list)", {
-      region: z.string().optional().describe("AWS Region \u2014 default: AWS_DEFAULT_REGION or profile"),
-      profile: z.string().optional().describe("AWS CLI profile")
-    }, async (args) => {
-      const region = args["region"];
-      const profile = args["profile"];
-      const env = { ...process.env };
-      if (region) env["AWS_DEFAULT_REGION"] = region;
-      const pf = profile ? `--profile ${profile}` : "";
-      const runAws = createScanRunner(run, { timeout: 2e4, env, threshold: 3 });
-      const sections = [
-        ["IDENTITY", `aws sts get-caller-identity ${pf} --output json`],
-        ["EC2", `aws ec2 describe-instances ${pf} --query "Reservations[*].Instances[*].[InstanceId,InstanceType,State.Name,PublicIpAddress,PrivateIpAddress]" --output table`],
-        ["RDS", `aws rds describe-db-instances ${pf} --query "DBInstances[*].[DBInstanceIdentifier,Engine,DBInstanceStatus,Endpoint.Address,Endpoint.Port]" --output table`],
-        ["ELB_V2", `aws elbv2 describe-load-balancers ${pf} --query "LoadBalancers[*].[LoadBalancerName,DNSName,Type,State.Code]" --output table`],
-        ["EKS", `aws eks list-clusters ${pf} --output json`],
-        ["ELASTICACHE", `aws elasticache describe-cache-clusters ${pf} --query "CacheClusters[*].[CacheClusterId,Engine,CacheClusterStatus]" --output table`],
-        ["S3", `aws s3 ls ${pf}`],
-        ["VPC", `aws ec2 describe-vpcs ${pf} --query "Vpcs[*].[VpcId,CidrBlock,IsDefault]" --output table`]
-      ];
-      const out = sections.map(([l, c]) => `=== ${l} ===
-${runAws(c)}`).join("\n\n");
-      return { content: [{ type: "text", text: out }] };
-    }),
-    tool("scan_gcp_resources", "Scan Google Cloud Platform via gcloud CLI \u2014 100% readonly (list, describe)", {
-      project: z.string().optional().describe("GCP Project ID \u2014 default: current gcloud project")
-    }, async (args) => {
-      const project = args["project"];
-      const pf = project ? `--project ${project}` : "";
-      const runGcp = createScanRunner(run, { timeout: 2e4, threshold: 3 });
-      const sections = [
-        ["IDENTITY", `gcloud config list account --format="value(core.account)"`],
-        ["COMPUTE_INSTANCES", `gcloud compute instances list ${pf}`],
-        ["SQL_INSTANCES", `gcloud sql instances list ${pf}`],
-        ["GKE_CLUSTERS", `gcloud container clusters list ${pf}`],
-        ["CLOUD_RUN", `gcloud run services list ${pf} --platform managed`],
-        ["CLOUD_FUNCTIONS", `gcloud functions list ${pf}`],
-        ["REDIS", `gcloud redis instances list ${pf} --regions=-`],
-        ["PUBSUB", `gcloud pubsub topics list ${pf}`],
-        ["SPANNER", `gcloud spanner instances list ${pf}`]
-      ];
-      const out = sections.map(([l, c]) => `=== ${l} ===
-${runGcp(c)}`).join("\n\n");
-      return { content: [{ type: "text", text: out }] };
-    }),
-    tool("scan_azure_resources", "Scan Azure infrastructure via az CLI \u2014 100% readonly (list, show)", {
-      subscription: z.string().optional().describe("Azure Subscription ID"),
-      resourceGroup: z.string().optional().describe("Filter by resource group")
-    }, async (args) => {
-      const sub = args["subscription"];
-      const rg = args["resourceGroup"];
-      const sf = sub ? `--subscription ${sub}` : "";
-      const rf = rg ? `--resource-group ${rg}` : "";
-      const runAz = createScanRunner(run, { timeout: 2e4, threshold: 3 });
-      const sections = [
-        ["IDENTITY", `az account show --output json ${sf}`],
-        ["VMS", `az vm list ${sf} ${rf} --output table`],
-        ["AKS", `az aks list ${sf} ${rf} --output table`],
-        ["SQL_SERVERS", `az sql server list ${sf} ${rf} --output table`],
-        ["POSTGRES", `az postgres server list ${sf} ${rf} --output table`],
-        ["REDIS", `az redis list ${sf} ${rf} --output table`],
-        ["WEBAPPS", `az webapp list ${sf} ${rf} --output table`],
-        ["CONTAINER_APPS", `az containerapp list ${sf} ${rf} --output table`],
-        ["FUNCTIONS", `az functionapp list ${sf} ${rf} --output table`]
-      ];
-      const out = sections.map(([l, c]) => `=== ${l} ===
-${runAz(c)}`).join("\n\n");
-      return { content: [{ type: "text", text: out }] };
-    }),
-    tool("scan_installed_apps", "Scan all installed apps and tools \u2014 IDEs, office, dev tools, business apps, databases", {
-      searchHint: z.string().optional().describe('Optional search term to find specific tools (e.g. "hubspot windsurf cursor")')
-    }, async (args) => {
-      const hint = args["searchHint"];
-      const results = {};
-      results["PLATFORM"] = `${PLATFORM} (${IS_WIN ? "Windows" : IS_MAC ? "macOS" : "Linux"})`;
-      if (IS_MAC) {
-        results["APPLICATIONS"] = run("ls /Applications/ 2>/dev/null | head -200") || "(empty)";
-        results["USER_APPLICATIONS"] = run("ls ~/Applications/ 2>/dev/null | head -100") || "(empty)";
-        results["BREW_CASKS"] = run("brew list --cask 2>/dev/null | head -100") || "(brew not installed)";
-        results["BREW_FORMULAE"] = run("brew list --formula 2>/dev/null | head -150") || "(brew not installed)";
-        results["SPOTLIGHT_APPS"] = run(`mdfind "kMDItemKind == 'Application'" 2>/dev/null | grep -v "^/System" | grep -v "^/Library/Apple" | head -100`) || "(Spotlight not available)";
-      } else if (IS_LINUX) {
-        results["DPKG"] = run("dpkg --list 2>/dev/null | awk '{print $2}' | head -200") || "(dpkg not available)";
-        results["SNAP"] = run("snap list 2>/dev/null | head -50") || "(snap not available)";
-        results["FLATPAK"] = run("flatpak list 2>/dev/null | head -50") || "(flatpak not available)";
-        results["DESKTOP_FILES"] = run("ls /usr/share/applications/*.desktop ~/.local/share/applications/*.desktop 2>/dev/null | xargs -I{} basename {} .desktop 2>/dev/null | head -100") || "(no .desktop files)";
-        results["RPM"] = run("rpm -qa 2>/dev/null | head -200") || "(rpm not available)";
-      } else if (IS_WIN) {
-        results["WINGET"] = run("winget list --accept-source-agreements", { timeout: 2e4 }) || "(winget not available)";
-        results["INSTALLED_PROGRAMS"] = scanWindowsPrograms() || "(registry scan failed)";
-        results["CHOCO"] = run("choco list --local-only", { timeout: 15e3 }) || "(chocolatey not installed)";
-        results["SCOOP"] = run("scoop list", { timeout: 15e3 }) || "(scoop not installed)";
-      }
-      const knownTools = [
-        // IDEs & Editors
-        "code",
-        "code-insiders",
-        "cursor",
-        "windsurf",
-        "zed",
-        "vim",
-        "nvim",
-        "emacs",
-        "nano",
-        "sublime_text",
-        "atom",
-        "idea",
-        "webstorm",
-        "pycharm",
-        "goland",
-        "datagrip",
-        "clion",
-        "rider",
-        "phpstorm",
-        "rubymine",
-        "appcode",
-        // Dev Tools
-        "git",
-        "gh",
-        "docker",
-        "docker-compose",
-        "podman",
-        "kubectl",
-        "helm",
-        "terraform",
-        "ansible",
-        "node",
-        "npm",
-        "npx",
-        "yarn",
-        "pnpm",
-        "bun",
-        "deno",
-        "python",
-        "python3",
-        "pip",
-        "pip3",
-        "pipenv",
-        "poetry",
-        "conda",
-        "ruby",
-        "gem",
-        "bundler",
-        "rails",
-        "java",
-        "mvn",
-        "gradle",
-        "kotlin",
-        "go",
-        "cargo",
-        "rustc",
-        "php",
-        "composer",
-        "dotnet",
-        // Databases
-        "psql",
-        "mysql",
-        "mysqladmin",
-        "mongo",
-        "mongosh",
-        "redis-cli",
-        "sqlite3",
-        "clickhouse-client",
-        // Cloud CLIs
-        "aws",
-        "gcloud",
-        "az",
-        "heroku",
-        "fly",
-        "vercel",
-        "netlify",
-        "wrangler",
-        // Infra
-        "vagrant",
-        "packer",
-        "consul",
-        "vault",
-        "nomad",
-        // Communication / SaaS
-        "slack",
-        "discord",
-        "zoom",
-        "teams",
-        "skype",
-        "telegram",
-        "signal",
-        // Browsers
-        "google-chrome",
-        "chromium",
-        "firefox",
-        "safari",
-        "brave",
-        "opera",
-        "edge",
-        // Windows-specific
-        ...IS_WIN ? ["pwsh", "powershell", "wsl", "winget", "choco", "scoop", "notepad++"] : [],
-        // Monitoring / Analytics
-        "datadog-agent",
-        "newrelic-agent",
-        "prometheus",
-        "grafana-cli",
-        // Other tools
-        "ngrok",
-        "stripe",
-        "supabase",
-        "neon"
-      ];
-      const found = [];
-      const notFound = [];
-      for (const t of knownTools) {
-        const r = commandExists(t);
-        if (r) found.push(`${t}: ${r}`);
-        else notFound.push(t);
-      }
-      results["TOOLS_FOUND"] = found.join("\n") || "(none found)";
-      results["TOOLS_NOT_FOUND"] = notFound.join(", ");
-      if (hint) {
-        const terms = hint.split(/[\s,]+/).filter(Boolean);
-        const hintResults = [];
-        for (const term of terms) {
-          const safe = term.replace(/[^a-zA-Z0-9._-]/g, "");
-          if (!safe) continue;
-          const cmdPath = commandExists(safe);
-          if (cmdPath) {
-            hintResults.push(`${term}: ${cmdPath}`);
-            continue;
-          }
-          let fallback = "";
-          if (IS_WIN) {
-            fallback = run(
-              `Get-ChildItem -Path 'C:\\Program Files','C:\\Program Files (x86)','${HOME}\\AppData\\Local\\Programs' -Recurse -Depth 3 -Filter '*${safe}*' -ErrorAction SilentlyContinue | Select-Object -First 5 -ExpandProperty FullName`,
-              { timeout: 1e4 }
-            );
-          } else if (IS_MAC) {
-            fallback = run(`mdfind -name "${safe}" 2>/dev/null | head -5`);
-          } else {
-            fallback = run(`find /usr/bin /usr/local/bin /opt/homebrew/bin ~/.local/bin /Applications ~/Applications 2>/dev/null -iname "*${safe}*" -maxdepth 3 2>/dev/null | head -5`);
-          }
-          hintResults.push(fallback ? `${term}: ${fallback}` : `${term}: (not found)`);
-        }
-        results["HINT_SEARCH"] = hintResults.join("\n");
-      }
-      const out = Object.entries(results).map(([k, v]) => `=== ${k} ===
-${v}`).join("\n\n");
-      return { content: [{ type: "text", text: out }] };
-    })
-  ];
-  return createSdkMcpServer({
-    name: "cartography",
-    version: "0.1.0",
-    tools
-  });
-}
+// src/providers/types.ts
+var ProviderRegistry = class {
+  factories = /* @__PURE__ */ new Map();
+  register(name, factory) {
+    this.factories.set(name, factory);
+  }
+  has(name) {
+    return this.factories.has(name);
+  }
+  resolve(name) {
+    const f = this.factories.get(name);
+    if (!f) throw new Error(`Unknown provider "${name}". Available: ${this.names().join(", ")}`);
+    return f();
+  }
+  names() {
+    return [...this.factories.keys()];
+  }
+};
 
 // src/safety.ts
 var safetyHook = async (input, _toolUseID, _options) => {
@@ -611,10 +159,451 @@ var safetyHook = async (input, _toolUseID, _options) => {
   };
 };
 
+// src/audit.ts
+function createAuditHook(db, sessionId) {
+  return async (input) => {
+    try {
+      if (!("tool_name" in input)) return {};
+      const i = input;
+      const command = i.tool_input?.command ?? JSON.stringify(i.tool_input ?? {}).slice(0, 2e3);
+      const response = typeof i.tool_response === "string" ? i.tool_response : JSON.stringify(i.tool_response ?? "");
+      db.insertEvent(sessionId, {
+        eventType: "tool_executed",
+        process: i.tool_name,
+        pid: process.pid,
+        command,
+        resultBytes: Buffer.byteLength(response)
+      });
+    } catch (err) {
+      logDebug(`audit hook failed to record event: ${String(err)}`);
+    }
+    return {};
+  };
+}
+
+// src/providers/claude.ts
+function createClaudeProvider() {
+  return {
+    name: "claude",
+    async ensureAvailable(_config) {
+      try {
+        await import("@anthropic-ai/claude-agent-sdk");
+      } catch {
+        throw new Error(
+          "Claude provider unavailable: the @anthropic-ai/claude-agent-sdk package is not installed.\n  Install: npm install @anthropic-ai/claude-agent-sdk"
+        );
+      }
+    },
+    async *run(ctx) {
+      const { config, db, sessionId, systemPrompt, initialPrompt, onAskUser, deadlineMs } = ctx;
+      const { query } = await import("@anthropic-ai/claude-agent-sdk");
+      const tools = await createCartographyTools(db, sessionId, {
+        onAskUser,
+        maxResponseBytes: config.maxToolResponseBytes
+      });
+      let turnCount = 0;
+      for await (const msg of query({
+        prompt: initialPrompt,
+        options: {
+          model: config.models.lead,
+          maxTurns: config.maxTurns,
+          systemPrompt,
+          mcpServers: { cartography: tools },
+          allowedTools: [
+            "Bash",
+            "mcp__cartography__save_node",
+            "mcp__cartography__save_edge",
+            "mcp__cartography__get_catalog",
+            "mcp__cartography__scan_bookmarks",
+            "mcp__cartography__scan_browser_history",
+            "mcp__cartography__scan_installed_apps",
+            "mcp__cartography__scan_local_databases",
+            "mcp__cartography__scan_k8s_resources",
+            "mcp__cartography__scan_aws_resources",
+            "mcp__cartography__scan_gcp_resources",
+            "mcp__cartography__scan_azure_resources",
+            "mcp__cartography__ask_user"
+          ],
+          hooks: {
+            PreToolUse: [{ matcher: "Bash", hooks: [safetyHook] }],
+            PostToolUse: [{ hooks: [createAuditHook(db, sessionId)] }]
+          },
+          permissionMode: "bypassPermissions"
+        }
+      })) {
+        if (Date.now() > deadlineMs) {
+          yield { kind: "error", text: "Discovery timeout \u2014 wall-clock limit reached" };
+          yield { kind: "done" };
+          return;
+        }
+        if (msg.type === "assistant") {
+          turnCount++;
+          yield { kind: "turn", turn: turnCount };
+          for (const block of msg.message.content) {
+            if (block.type === "text") {
+              yield { kind: "thinking", text: block.text };
+            }
+            if (block.type === "tool_use") {
+              yield {
+                kind: "tool_call",
+                tool: block.name,
+                input: block.input
+              };
+            }
+          }
+        }
+        if (msg.type === "user") {
+          const content = msg.message?.content;
+          if (Array.isArray(content)) {
+            for (const block of content) {
+              if (typeof block === "object" && block !== null && "type" in block && block.type === "tool_result") {
+                const tb = block;
+                const text = typeof tb.content === "string" ? tb.content : "";
+                yield { kind: "tool_result", tool: tb.tool_use_id ?? "", output: text };
+              }
+            }
+          }
+        }
+        if (msg.type === "result") {
+          yield { kind: "done" };
+          return;
+        }
+      }
+    }
+  };
+}
+
+// src/providers/shell.ts
+import { z } from "zod";
+function createBashTool() {
+  const shell = IS_WIN ? "powershell" : "posix";
+  return {
+    name: "Bash",
+    description: "Run a read-only shell command (inspect ports, processes, config). Mutating or destructive commands are blocked by the read-only allowlist.",
+    inputShape: { command: z.string().describe("The read-only shell command to run") },
+    annotations: { readOnlyHint: true, openWorldHint: true },
+    handler: async (args) => {
+      const command = String(args["command"] ?? "").trim();
+      if (!command) return { content: [{ type: "text", text: "" }] };
+      const decision = checkReadOnly(command, { shell });
+      if (!decision.allowed) {
+        return {
+          content: [
+            { type: "text", text: `BLOCKED: ${decision.reason ?? "not read-only"} \u2014 read-only allowlist policy` }
+          ]
+        };
+      }
+      const output = run(command) || "(no output)";
+      return { content: [{ type: "text", text: output }] };
+    }
+  };
+}
+
+// src/providers/zod-schema.ts
+function unwrap(schema) {
+  let current = schema;
+  let required = true;
+  let description = current.description;
+  for (; ; ) {
+    const def = current.def;
+    const typeName = def?.type;
+    if (typeName === "optional" || typeName === "default") {
+      required = false;
+      const inner = def?.innerType;
+      if (!inner) break;
+      current = inner;
+      description = description ?? current.description;
+      continue;
+    }
+    if (typeName === "nullable") {
+      const inner = def?.innerType;
+      if (!inner) break;
+      current = inner;
+      description = description ?? current.description;
+      continue;
+    }
+    break;
+  }
+  return { schema: current, required, description };
+}
+function convert(schema, field) {
+  const def = schema.def;
+  const typeName = def?.["type"];
+  switch (typeName) {
+    case "string":
+      return { type: "string" };
+    case "number": {
+      const out = { type: "number" };
+      const checks = def?.["checks"] ?? [];
+      for (const c of checks) {
+        const cd = c?._zod?.def;
+        if (cd?.check === "greater_than") out["minimum"] = cd.value;
+        if (cd?.check === "less_than") out["maximum"] = cd.value;
+      }
+      return out;
+    }
+    case "boolean":
+      return { type: "boolean" };
+    case "enum": {
+      const entries = def?.["entries"];
+      const values = entries ? Object.values(entries) : [];
+      return { type: "string", enum: values };
+    }
+    case "array": {
+      const element = def?.["element"];
+      return { type: "array", items: element ? convert(unwrap(element).schema, field) : {} };
+    }
+    case "record":
+      return { type: "object", additionalProperties: true };
+    default:
+      throw new Error(
+        `zod-schema: unsupported zod construct "${typeName ?? "unknown"}" on field "${field}". Extend src/providers/zod-schema.ts to support it.`
+      );
+  }
+}
+function shapeToJsonSchema(shape) {
+  const properties = {};
+  const required = [];
+  for (const [key, raw] of Object.entries(shape)) {
+    const { schema, required: isRequired, description } = unwrap(raw);
+    const prop = convert(schema, key);
+    if (description) prop["description"] = description;
+    properties[key] = prop;
+    if (isRequired) required.push(key);
+  }
+  return { type: "object", properties, required, additionalProperties: false };
+}
+
+// src/providers/audit.ts
+function recordToolEvent(db, sessionId, evt) {
+  try {
+    db.insertEvent(sessionId, {
+      eventType: "tool_executed",
+      process: evt.tool,
+      pid: process.pid,
+      command: evt.command,
+      resultBytes: Buffer.byteLength(evt.response)
+    });
+  } catch (err) {
+    logDebug(`audit writer failed to record event: ${String(err)}`);
+  }
+}
+
+// src/providers/loop.ts
+async function dispatchTool(call, tools, db, sessionId) {
+  const tool = tools.find((t) => t.name === call.name);
+  if (!tool) {
+    const text = `ERROR: unknown tool "${call.name}"`;
+    recordToolEvent(db, sessionId, { tool: call.name, command: JSON.stringify(call.args).slice(0, 2e3), response: text });
+    return text;
+  }
+  let output;
+  try {
+    const result = await tool.handler(call.args);
+    output = result.content.map((c) => c.text).join("\n");
+  } catch (err) {
+    output = `ERROR: ${err instanceof Error ? err.message : String(err)}`;
+  }
+  const command = call.name === "Bash" ? String(call.args["command"] ?? "") : JSON.stringify(call.args).slice(0, 2e3);
+  recordToolEvent(db, sessionId, { tool: call.name, command, response: output });
+  return output;
+}
+async function* runToolLoop(opts, chat) {
+  const { db, sessionId, tools, maxTurns, deadlineMs } = opts;
+  let outcomes = [];
+  let turn = 0;
+  try {
+    while (turn < maxTurns) {
+      if (Date.now() > deadlineMs) {
+        yield { kind: "error", text: "Discovery timeout \u2014 wall-clock limit reached" };
+        yield { kind: "done" };
+        return;
+      }
+      const result = await chat(outcomes);
+      turn++;
+      yield { kind: "turn", turn };
+      if (result.text) yield { kind: "thinking", text: result.text };
+      if (result.toolCalls.length === 0) {
+        yield { kind: "done" };
+        return;
+      }
+      const nextOutcomes = [];
+      for (const call of result.toolCalls) {
+        yield { kind: "tool_call", tool: call.name, input: call.args };
+        const output = await dispatchTool(call, tools, db, sessionId);
+        yield { kind: "tool_result", tool: call.name, output };
+        nextOutcomes.push({ id: call.id, name: call.name, output });
+      }
+      outcomes = nextOutcomes;
+    }
+    yield { kind: "done" };
+  } catch (err) {
+    yield { kind: "error", text: `Discovery error: ${err instanceof Error ? err.message : String(err)}` };
+    yield { kind: "done" };
+  }
+}
+
+// src/providers/openai.ts
+function toOpenAITools(tools) {
+  return tools.map((t) => ({
+    type: "function",
+    function: { name: t.name, description: t.description, parameters: shapeToJsonSchema(t.inputShape) }
+  }));
+}
+function createOpenAIProvider() {
+  return {
+    name: "openai",
+    async ensureAvailable(_config) {
+      try {
+        await import("openai");
+      } catch {
+        throw new Error(
+          "OpenAI provider unavailable: the `openai` package is not installed.\n  Install: npm install openai"
+        );
+      }
+      if (!process.env["OPENAI_API_KEY"]) {
+        throw new Error(
+          "OpenAI provider unavailable: OPENAI_API_KEY is not set.\n  Set it: export OPENAI_API_KEY=sk-..."
+        );
+      }
+    },
+    async *run(ctx) {
+      const { config, db, sessionId, systemPrompt, initialPrompt, onAskUser, deadlineMs } = ctx;
+      const mod = await import("openai");
+      const apiKey = process.env["OPENAI_API_KEY"] ?? "";
+      const baseURL = process.env["OPENAI_BASE_URL"];
+      const client = new mod.default({ apiKey, ...baseURL ? { baseURL } : {} });
+      const handlers = await buildCartographyToolHandlers(db, sessionId, {
+        onAskUser,
+        maxResponseBytes: config.maxToolResponseBytes
+      });
+      const tools = [...handlers, createBashTool()];
+      const openaiTools = toOpenAITools(tools);
+      const messages = [
+        { role: "system", content: systemPrompt },
+        { role: "user", content: initialPrompt }
+      ];
+      const chat = async (outcomes) => {
+        for (const oc of outcomes) {
+          messages.push({ role: "tool", tool_call_id: oc.id, content: oc.output });
+        }
+        const completion = await client.chat.completions.create({
+          model: config.models.lead,
+          messages,
+          tools: openaiTools,
+          tool_choice: "auto"
+        });
+        const choice = completion.choices[0]?.message;
+        const text = choice?.content ?? "";
+        const toolCalls = choice?.tool_calls ?? [];
+        messages.push({ role: "assistant", content: text || null, ...toolCalls.length ? { tool_calls: toolCalls } : {} });
+        return {
+          text,
+          toolCalls: toolCalls.map((tc) => ({
+            id: tc.id,
+            name: tc.function.name,
+            args: parseArgs(tc.function.arguments)
+          }))
+        };
+      };
+      yield* runToolLoop({ db, sessionId, tools, maxTurns: config.maxTurns, deadlineMs }, chat);
+    }
+  };
+}
+function parseArgs(raw) {
+  try {
+    const parsed = JSON.parse(raw || "{}");
+    return typeof parsed === "object" && parsed !== null ? parsed : {};
+  } catch {
+    return {};
+  }
+}
+
+// src/providers/ollama.ts
+var DEFAULT_HOST = "http://127.0.0.1:11434";
+function host() {
+  return (process.env["OLLAMA_HOST"] || DEFAULT_HOST).replace(/\/+$/, "");
+}
+function toOllamaTools(tools) {
+  return tools.map((t) => ({
+    type: "function",
+    function: { name: t.name, description: t.description, parameters: shapeToJsonSchema(t.inputShape) }
+  }));
+}
+function createOllamaProvider() {
+  return {
+    name: "ollama",
+    async ensureAvailable(_config) {
+      const base = host();
+      try {
+        const res = await fetch(`${base}/api/tags`, { method: "GET" });
+        if (!res.ok) throw new Error(`HTTP ${res.status}`);
+      } catch {
+        throw new Error(
+          `Ollama provider unavailable: not reachable at ${base}.
+  Start it: ollama serve   (or set OLLAMA_HOST=<url>)`
+        );
+      }
+    },
+    async *run(ctx) {
+      const { config, db, sessionId, systemPrompt, initialPrompt, onAskUser, deadlineMs } = ctx;
+      const base = host();
+      const handlers = await buildCartographyToolHandlers(db, sessionId, {
+        onAskUser,
+        maxResponseBytes: config.maxToolResponseBytes
+      });
+      const tools = [...handlers, createBashTool()];
+      const ollamaTools = toOllamaTools(tools);
+      const messages = [
+        { role: "system", content: systemPrompt },
+        { role: "user", content: initialPrompt }
+      ];
+      const chat = async (outcomes) => {
+        for (const oc of outcomes) {
+          messages.push({ role: "tool", content: oc.output });
+        }
+        const res = await fetch(`${base}/api/chat`, {
+          method: "POST",
+          headers: { "content-type": "application/json" },
+          body: JSON.stringify({ model: config.models.lead, messages, tools: ollamaTools, stream: false })
+        });
+        if (!res.ok) {
+          throw new Error(`Ollama /api/chat returned HTTP ${res.status}`);
+        }
+        const data = await res.json();
+        const text = data.message?.content ?? "";
+        const toolCalls = data.message?.tool_calls ?? [];
+        messages.push({
+          role: "assistant",
+          content: text,
+          ...toolCalls.length ? { tool_calls: toolCalls } : {}
+        });
+        return {
+          text,
+          toolCalls: toolCalls.map((tc, i) => ({
+            id: `${tc.function.name}:${i}`,
+            name: tc.function.name,
+            args: tc.function.arguments ?? {}
+          }))
+        };
+      };
+      yield* runToolLoop({ db, sessionId, tools, maxTurns: config.maxTurns, deadlineMs }, chat);
+    }
+  };
+}
+
+// src/providers/registry.ts
+function createDefaultRegistry() {
+  const r = new ProviderRegistry();
+  r.register("claude", createClaudeProvider);
+  r.register("openai", createOpenAIProvider);
+  r.register("ollama", createOllamaProvider);
+  return r;
+}
+var defaultProviderRegistry = createDefaultRegistry();
+
 // src/agent.ts
 async function runDiscovery(config, db, sessionId, onEvent, onAskUser, hint) {
-  const { query } = await import("./sdk-A6NLO3DJ.js");
-  const tools = await createCartographyTools(db, sessionId, { onAskUser });
   const hintSection = hint ? `
 \u26A1 USER HINT (HIGH PRIORITY): The user wants to find these specific tools: "${hint}"
   \u2192 Run scan_installed_apps(searchHint: "${hint}") IMMEDIATELY and save found tools as saas_tool nodes!
@@ -714,6 +703,7 @@ RULES:
 \u2022 metadata allowed: { description, category, port, version, path } \u2014 no passwords
 \u2022 Call get_catalog before save_node \u2192 avoid duplicates
 \u2022 Save edges whenever connections are clearly identifiable
+\u2022 Max crawl depth: ${config.maxDepth} hops from an entry point \u2014 do not chase leads deeper than this
 
 Entry points: ${config.entryPoints.join(", ")}`;
   const initialPrompt = hint ? `Start discovery with USER HINT: "${hint}".
@@ -728,75 +718,28 @@ Then systematically scan local services, then config files.
 Finally, map all edges (Step 8 \u2014 critical!) before finishing.
 Use ask_user when you need context from the user.`;
   const MAX_DISCOVERY_MS = 30 * 60 * 1e3;
-  let turnCount = 0;
+  const startTime = Date.now();
+  const deadlineMs = startTime + MAX_DISCOVERY_MS;
+  const provider = defaultProviderRegistry.resolve(config.provider ?? "claude");
+  await provider.ensureAvailable(config);
+  const ctx = {
+    config,
+    db,
+    sessionId,
+    systemPrompt,
+    initialPrompt,
+    onAskUser,
+    deadlineMs
+  };
   try {
-    const startTime = Date.now();
-    for await (const msg of query({
-      prompt: initialPrompt,
-      options: {
-        model: config.agentModel,
-        maxTurns: config.maxTurns,
-        systemPrompt,
-        mcpServers: { cartography: tools },
-        allowedTools: [
-          "Bash",
-          "mcp__cartograph__save_node",
-          "mcp__cartograph__save_edge",
-          "mcp__cartograph__get_catalog",
-          "mcp__cartograph__scan_bookmarks",
-          "mcp__cartograph__scan_browser_history",
-          "mcp__cartograph__scan_installed_apps",
-          "mcp__cartograph__scan_local_databases",
-          "mcp__cartograph__scan_k8s_resources",
-          "mcp__cartograph__scan_aws_resources",
-          "mcp__cartograph__scan_gcp_resources",
-          "mcp__cartograph__scan_azure_resources",
-          "mcp__cartograph__ask_user"
-        ],
-        hooks: {
-          PreToolUse: [{ matcher: "Bash", hooks: [safetyHook] }]
-        },
-        permissionMode: "bypassPermissions"
-      }
-    })) {
-      if (Date.now() - startTime > MAX_DISCOVERY_MS) {
+    for await (const event of provider.run(ctx)) {
+      onEvent?.(event);
+      if (event.kind === "done") return;
+      if (Date.now() > deadlineMs) {
         onEvent?.({ kind: "error", text: `Discovery timeout after ${MAX_DISCOVERY_MS / 6e4} minutes` });
         onEvent?.({ kind: "done" });
         return;
       }
-      if (!onEvent) continue;
-      if (msg.type === "assistant") {
-        turnCount++;
-        onEvent({ kind: "turn", turn: turnCount });
-        for (const block of msg.message.content) {
-          if (block.type === "text") {
-            onEvent({ kind: "thinking", text: block.text });
-          }
-          if (block.type === "tool_use") {
-            onEvent({
-              kind: "tool_call",
-              tool: block.name,
-              input: block.input
-            });
-          }
-        }
-      }
-      if (msg.type === "user") {
-        const content = msg.message?.content;
-        if (Array.isArray(content)) {
-          for (const block of content) {
-            if (typeof block === "object" && block !== null && "type" in block && block.type === "tool_result") {
-              const tb = block;
-              const text = typeof tb.content === "string" ? tb.content : "";
-              onEvent({ kind: "tool_result", tool: tb.tool_use_id ?? "", output: text });
-            }
-          }
-        }
-      }
-      if (msg.type === "result") {
-        onEvent({ kind: "done" });
-        return;
-      }
     }
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
@@ -805,6 +748,182 @@ Use ask_user when you need context from the user.`;
   }
 }
 
+// src/config.ts
+import { readFileSync as readFileSync2 } from "fs";
+var ConfigError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ConfigError";
+  }
+};
+function loadConfig(path) {
+  const file = readConfigFile(path);
+  const overrides = {};
+  if (file.organization) overrides.organization = file.organization;
+  const entryPoints = file.schedule?.entryPoints ?? file.entryPoints;
+  if (entryPoints) overrides.entryPoints = [...entryPoints];
+  const dbPath = file.schedule?.dbPath ?? file.dbPath;
+  if (dbPath) overrides.dbPath = dbPath;
+  if (file.schedule) overrides.schedule = file.schedule;
+  if (file.centralDb) {
+    const merged = { ...file.centralDb, ...centralDbFromEnv() };
+    overrides.centralDb = merged;
+  }
+  return defaultConfig(overrides);
+}
+function readConfigFile(path) {
+  let raw;
+  try {
+    raw = readFileSync2(path, "utf-8");
+  } catch (err) {
+    throw new ConfigError(
+      `Cannot read config file ${path}: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  let json;
+  try {
+    json = JSON.parse(raw);
+  } catch (err) {
+    throw new ConfigError(
+      `Invalid JSON in ${path}: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  const parsed = ConfigFileSchema.safeParse(json);
+  if (!parsed.success) {
+    const detail = parsed.error.issues.map((i) => `${i.path.join(".") || "(root)"}: ${i.message}`).join("; ");
+    throw new ConfigError(`Invalid config in ${path}: ${detail}`);
+  }
+  return parsed.data;
+}
+
+// src/schedule.ts
+var FIELD_SPECS = [
+  { name: "minute", min: 0, max: 59 },
+  { name: "hour", min: 0, max: 23 },
+  { name: "dom", min: 1, max: 31 },
+  { name: "month", min: 1, max: 12 },
+  { name: "dow", min: 0, max: 7 }
+  // 7 and 0 both mean Sunday; normalized to 0 below
+];
+function parseField(raw, spec) {
+  const out = /* @__PURE__ */ new Set();
+  const add = (n) => {
+    if (!Number.isInteger(n) || n < spec.min || n > spec.max) {
+      throw new RangeError(`Invalid value "${n}" in cron field "${spec.name}" (allowed ${spec.min}-${spec.max})`);
+    }
+    out.add(spec.name === "dow" && n === 7 ? 0 : n);
+  };
+  for (const part of raw.split(",")) {
+    if (part === "") {
+      throw new RangeError(`Empty term in cron field "${spec.name}"`);
+    }
+    const [rangePart, stepPart, ...rest] = part.split("/");
+    if (rest.length > 0) {
+      throw new RangeError(`Malformed step in cron field "${spec.name}": "${part}"`);
+    }
+    let step = 1;
+    if (stepPart !== void 0) {
+      step = Number(stepPart);
+      if (!Number.isInteger(step) || step < 1) {
+        throw new RangeError(`Invalid step "${stepPart}" in cron field "${spec.name}"`);
+      }
+    }
+    let lo;
+    let hi;
+    if (rangePart === "*") {
+      lo = spec.min;
+      hi = spec.max;
+    } else if (rangePart.includes("-")) {
+      const [a, b, ...extra] = rangePart.split("-");
+      if (extra.length > 0) {
+        throw new RangeError(`Malformed range in cron field "${spec.name}": "${rangePart}"`);
+      }
+      lo = Number(a);
+      hi = Number(b);
+      if (!Number.isInteger(lo) || !Number.isInteger(hi)) {
+        throw new RangeError(`Non-numeric range in cron field "${spec.name}": "${rangePart}"`);
+      }
+      if (lo > hi) {
+        throw new RangeError(`Descending range in cron field "${spec.name}": "${rangePart}"`);
+      }
+    } else {
+      const n = Number(rangePart);
+      if (!Number.isInteger(n)) {
+        throw new RangeError(`Non-numeric value in cron field "${spec.name}": "${rangePart}"`);
+      }
+      lo = n;
+      hi = stepPart !== void 0 ? spec.max : n;
+    }
+    for (let v = lo; v <= hi; v += step) add(v);
+  }
+  if (out.size === 0) {
+    throw new RangeError(`Cron field "${spec.name}" matched no values`);
+  }
+  return out;
+}
+function parseCron(expr) {
+  const fields = expr.trim().split(/\s+/);
+  if (fields.length !== 5) {
+    throw new RangeError(`Cron expression must have 5 fields (got ${fields.length}): "${expr}"`);
+  }
+  const [minute, hour, dom, month, dow] = FIELD_SPECS.map((spec, i) => parseField(fields[i], spec));
+  return { minute, hour, dom, month, dow };
+}
+function matches(fields, date) {
+  if (!fields.minute.has(date.getUTCMinutes())) return false;
+  if (!fields.hour.has(date.getUTCHours())) return false;
+  if (!fields.month.has(date.getUTCMonth() + 1)) return false;
+  const domRestricted = fields.dom.size !== 31;
+  const dowRestricted = fields.dow.size !== 7;
+  const domOk = fields.dom.has(date.getUTCDate());
+  const dowOk = fields.dow.has(date.getUTCDay());
+  if (domRestricted && dowRestricted) return domOk || dowOk;
+  if (domRestricted) return domOk;
+  if (dowRestricted) return dowOk;
+  return true;
+}
+var MAX_SEARCH_MINUTES = 4 * 366 * 24 * 60;
+function nextRun(expr, after) {
+  const fields = parseCron(expr);
+  const cursor2 = new Date(after.getTime());
+  cursor2.setUTCSeconds(0, 0);
+  cursor2.setUTCMinutes(cursor2.getUTCMinutes() + 1);
+  for (let i = 0; i < MAX_SEARCH_MINUTES; i++) {
+    if (matches(fields, cursor2)) return new Date(cursor2.getTime());
+    cursor2.setUTCMinutes(cursor2.getUTCMinutes() + 1);
+  }
+  throw new RangeError(`No cron match for "${expr}" within ~4 years after ${after.toISOString()}`);
+}
+async function runOnce(cfg, db) {
+  const prior = db.getLatestSession("discover");
+  if (prior) {
+    const r = await runLocalDiscovery(db, prior.id, {
+      hint: cfg.entryPoints.join(","),
+      plugins: cfg.plugins,
+      mode: "update",
+      onProgress: (line) => logInfo(`scan: ${line}`)
+    });
+    const delta = r.delta ?? diffTopology({ nodes: [], edges: [] }, { nodes: [], edges: [] });
+    logInfo("scheduled run complete", { sessionId: prior.id, base: prior.id, ...delta.summary });
+    return { sessionId: prior.id, baseSessionId: prior.id, delta, nodes: r.nodes, edges: r.edges, scanners: r.scanners };
+  }
+  const sessionId = db.createSession("discover", cfg);
+  try {
+    const r = await runLocalDiscovery(db, sessionId, {
+      hint: cfg.entryPoints.join(","),
+      plugins: cfg.plugins,
+      mode: "replace",
+      onProgress: (line) => logInfo(`scan: ${line}`)
+    });
+    const current = { nodes: db.getNodes(sessionId), edges: db.getEdges(sessionId) };
+    const delta = diffTopology({ nodes: [], edges: [] }, current);
+    logInfo("scheduled run complete", { sessionId, base: null, ...delta.summary });
+    return { sessionId, baseSessionId: void 0, delta, nodes: r.nodes, edges: r.edges, scanners: r.scanners };
+  } finally {
+    db.endSession(sessionId);
+  }
+}
+
 // src/exporter.ts
 import { mkdirSync, writeFileSync } from "fs";
 import { join as join2 } from "path";
@@ -1171,6 +1290,66 @@ function generateDependencyMermaid(nodes, edges) {
   }
   return lines.join("\n");
 }
+var DIFF_CLASSES = {
+  added: "fill:#0d3d0d,stroke:#22c55e,color:#86efac",
+  removed: "fill:#3d0d0d,stroke:#ef4444,color:#fca5a5",
+  changed: "fill:#3d2f0d,stroke:#f59e0b,color:#fcd34d",
+  context: "fill:#1e1e1e,stroke:#555555,color:#999999"
+};
+function diffNodeLabel(node, suffix) {
+  const icon = MERMAID_ICONS[node.type] ?? "?";
+  const extra = suffix ? `<br/><small>\u0394 ${suffix}</small>` : "";
+  return `["${icon} <b>${node.name}</b><br/><small>${node.type}</small>${extra}"]`;
+}
+function generateDiffMermaid(diff) {
+  const total = diff.summary.nodesAdded + diff.summary.nodesRemoved + diff.summary.nodesChanged + diff.summary.edgesAdded + diff.summary.edgesRemoved;
+  if (total === 0) return 'graph TB\n    nodrift["\u2713 No drift between the two sessions"]';
+  const lines = ["graph TB"];
+  for (const [k, style] of Object.entries(DIFF_CLASSES)) lines.push(`    classDef ${k} ${style}`);
+  lines.push("");
+  const rank = { added: 3, removed: 3, changed: 3, context: 0 };
+  const entries = /* @__PURE__ */ new Map();
+  const place = (node, cls, suffix) => {
+    const prev = entries.get(node.id);
+    if (prev && rank[prev.cls] >= rank[cls]) return;
+    entries.set(node.id, { node, cls, suffix });
+  };
+  for (const n of diff.nodes.added) place(n, "added");
+  for (const n of diff.nodes.removed) place(n, "removed");
+  for (const c of diff.nodes.changed) place(c.after, "changed", c.changedFields.join(", "));
+  const contextNode = (id) => ({
+    id,
+    type: "unknown",
+    name: id,
+    discoveredVia: "diff",
+    confidence: 1,
+    metadata: {},
+    tags: [],
+    sessionId: "",
+    discoveredAt: "",
+    depth: 0
+  });
+  const ensureEndpoint = (id) => {
+    if (!entries.has(id)) place(contextNode(id), "context");
+  };
+  for (const e of [...diff.edges.added, ...diff.edges.removed]) {
+    ensureEndpoint(e.sourceId);
+    ensureEndpoint(e.targetId);
+  }
+  for (const { node, cls, suffix } of entries.values()) {
+    lines.push(`    ${sanitize(node.id)}${diffNodeLabel(node, suffix)}:::${cls}`);
+  }
+  lines.push("");
+  for (const e of diff.edges.added) {
+    const label = EDGE_LABELS[e.relationship] ?? e.relationship;
+    lines.push(`    ${sanitize(e.sourceId)} ==>|"+ ${label}"| ${sanitize(e.targetId)}`);
+  }
+  for (const e of diff.edges.removed) {
+    const label = EDGE_LABELS[e.relationship] ?? e.relationship;
+    lines.push(`    ${sanitize(e.sourceId)} -.->|"- ${label}"| ${sanitize(e.targetId)}`);
+  }
+  return lines.join("\n");
+}
 function exportBackstageYAML(nodes, edges, org) {
   const owner = org ?? "unknown";
   const docs = [];
@@ -1190,7 +1369,7 @@ function exportBackstageYAML(nodes, edges, org) {
       `spec:`,
       `  type: ${node.type}`,
       `  lifecycle: production`,
-      `  owner: ${owner}`,
+      `  owner: ${node.owner ?? owner}`,
       ...deps.length > 0 ? ["  dependsOn:", ...deps] : []
     ].join("\n");
     docs.push(doc);
@@ -2311,11 +2490,85 @@ function exportJGF(nodes, edges) {
   };
   return JSON.stringify(jgf, null, 2);
 }
-function exportAll(db, sessionId, outputDir, formats = ["mermaid", "json", "yaml", "html", "map", "discovery"]) {
-  mkdirSync(outputDir, { recursive: true });
-  const nodes = db.getNodes(sessionId);
-  const edges = db.getEdges(sessionId);
-  const jgfPath = join2(outputDir, "cartography-graph.jgf.json");
+function csvField(v) {
+  let s = String(v);
+  if (/^[=+\-@]/.test(s)) s = `'${s}`;
+  return /[",\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
+}
+function exportCostCSV(summary) {
+  const rows = ["scope,key,currency,period,total,nodes"];
+  for (const c of summary.costByDomain) {
+    rows.push(["domain", c.domain, c.currency, c.period, c.total, c.nodes].map(csvField).join(","));
+  }
+  for (const c of summary.costByOwner) {
+    rows.push(["owner", c.owner, c.currency, c.period, c.total, c.nodes].map(csvField).join(","));
+  }
+  return rows.join("\n") + "\n";
+}
+function exportCostSummary(summary) {
+  return JSON.stringify({
+    costByDomain: summary.costByDomain,
+    costByOwner: summary.costByOwner,
+    costCoverage: summary.costCoverage
+  }, null, 2);
+}
+var SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3 };
+function exportComplianceReport(report, format) {
+  if (format === "json") return JSON.stringify(report, null, 2);
+  if (format === "markdown") {
+    const scoreStr = report.score === null ? "n/a" : `${report.score}/100`;
+    const out = [
+      `# Compliance \u2014 ${report.rulesetName} v${report.rulesetVersion}`,
+      ``,
+      `**Status:** ${report.status.toUpperCase()} \xB7 **Score:** ${scoreStr}`,
+      ``,
+      `| Controls | Count |`,
+      `|----------|-------|`,
+      `| Passed | ${report.totals.passed} |`,
+      `| Failed | ${report.totals.failed} |`,
+      `| Not applicable | ${report.totals.notApplicable} |`,
+      `| Total | ${report.totals.rules} |`,
+      ``,
+      `| Severity | Failed | Passed |`,
+      `|----------|--------|--------|`,
+      ...["critical", "high", "medium", "low"].map(
+        (s) => `| ${s} | ${report.bySeverity[s].failed} | ${report.bySeverity[s].passed} |`
+      )
+    ];
+    if (report.gaps.length === 0) {
+      out.push(``, `\u2713 No compliance gaps.`);
+    } else {
+      out.push(``, `## Gaps`);
+      for (const g of [...report.gaps].sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity])) {
+        out.push(``, `### [${g.severity}] ${g.control} \u2014 ${g.title}`, ...g.nodeIds.map((id) => `- \`${id}\``));
+      }
+    }
+    return out.join("\n");
+  }
+  const lines = [
+    "graph TB",
+    "  classDef critical fill:#7f1d1d,stroke:#ef4444,color:#fff;",
+    "  classDef high fill:#7c2d12,stroke:#f97316,color:#fff;",
+    "  classDef medium fill:#713f12,stroke:#eab308,color:#fff;",
+    "  classDef low fill:#1e3a5f,stroke:#3b82f6,color:#fff;"
+  ];
+  if (report.gaps.length === 0) {
+    lines.push('  ok["\u2713 No compliance gaps"]');
+    return lines.join("\n");
+  }
+  const mmSafe = (s) => s.replace(/["\]\r\n]/g, "'");
+  let i = 0;
+  for (const g of [...report.gaps].sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity])) {
+    const gid = `g${i++}`;
+    lines.push(`  ${gid}["${mmSafe(g.control)}: ${mmSafe(g.title)} (${g.nodeIds.length})"]:::${g.severity}`);
+  }
+  return lines.join("\n");
+}
+function exportAll(db, sessionId, outputDir, formats = ["mermaid", "json", "yaml", "html", "map", "discovery"]) {
+  mkdirSync(outputDir, { recursive: true });
+  const nodes = db.getNodes(sessionId);
+  const edges = db.getEdges(sessionId);
+  const jgfPath = join2(outputDir, "cartography-graph.jgf.json");
   writeFileSync(jgfPath, exportJGF(nodes, edges));
   if (formats.includes("mermaid")) {
     writeFileSync(join2(outputDir, "topology.mermaid"), generateTopologyMermaid(nodes, edges));
@@ -2330,13 +2583,777 @@ function exportAll(db, sessionId, outputDir, formats = ["mermaid", "json", "yaml
   if (formats.includes("html") || formats.includes("map") || formats.includes("discovery")) {
     writeFileSync(join2(outputDir, "discovery.html"), exportDiscoveryApp(nodes, edges));
   }
+  if (formats.includes("cost")) {
+    const summary = db.getGraphSummary(sessionId);
+    writeFileSync(join2(outputDir, "cost-by-domain.csv"), exportCostCSV(summary));
+    writeFileSync(join2(outputDir, "cost-summary.json"), exportCostSummary(summary));
+  }
+}
+
+// src/compliance/report.ts
+var NODE_CAP = 50;
+function formatComplianceText(report) {
+  const scoreStr = report.score === null ? "n/a" : `${report.score}/100`;
+  const lines = [
+    `Compliance: ${report.rulesetName} v${report.rulesetVersion} \u2014 ${report.status.toUpperCase()} (score ${scoreStr})`,
+    `Controls: ${report.totals.passed} passed, ${report.totals.failed} failed, ${report.totals.notApplicable} n/a (of ${report.totals.rules})`,
+    "",
+    "By severity (failed/passed):",
+    ...["critical", "high", "medium", "low"].map(
+      (s) => `  - ${s}: ${report.bySeverity[s].failed} failed / ${report.bySeverity[s].passed} passed`
+    )
+  ];
+  if (report.gaps.length === 0) {
+    lines.push("", "\u2713 No compliance gaps.");
+    return lines.join("\n");
+  }
+  lines.push("", `Gaps (${report.gaps.length}):`);
+  for (const g of report.gaps) {
+    lines.push(`  \u2717 [${g.severity}] ${g.control} \u2014 ${g.title}`);
+    const shown = g.nodeIds.slice(0, NODE_CAP);
+    for (const id of shown) lines.push(`      ${id}`);
+    if (g.nodeIds.length > NODE_CAP) lines.push(`      \u2026 +${g.nodeIds.length - NODE_CAP} more`);
+  }
+  return lines.join("\n");
+}
+
+// src/cost.ts
+import { readFileSync as readFileSync3 } from "fs";
+import { resolve } from "path";
+function splitCsvLine(line) {
+  const out = [];
+  let cur = "";
+  let inQuotes = false;
+  for (let i = 0; i < line.length; i++) {
+    const ch = line[i];
+    if (inQuotes) {
+      if (ch === '"') {
+        if (line[i + 1] === '"') {
+          cur += '"';
+          i++;
+        } else {
+          inQuotes = false;
+        }
+      } else cur += ch;
+    } else if (ch === '"') {
+      inQuotes = true;
+    } else if (ch === ",") {
+      out.push(cur);
+      cur = "";
+    } else cur += ch;
+  }
+  out.push(cur);
+  return out.map((s) => s.trim());
+}
+function parseCostCsv(text) {
+  const lines = text.split(/\r?\n/).filter((l) => l.trim().length > 0);
+  if (lines.length === 0) return [];
+  const header = splitCsvLine(lines[0]).map((h) => h.toLowerCase());
+  const col = (name) => header.indexOf(name);
+  const iNode = col("nodeid");
+  const iOwner = col("owner");
+  const iAmount = col("amount");
+  const iCurrency = col("currency");
+  const iPeriod = col("period");
+  const iSource = col("source");
+  if (iNode < 0) {
+    logWarn('cost csv: missing required "nodeId" header column');
+    return [];
+  }
+  const records = [];
+  for (let r = 1; r < lines.length; r++) {
+    const f = splitCsvLine(lines[r]);
+    const nodeId = f[iNode];
+    if (!nodeId) {
+      logWarn(`cost csv: row ${r + 1} skipped (empty nodeId)`);
+      continue;
+    }
+    const rec = { nodeId };
+    if (iOwner >= 0 && f[iOwner]) rec.owner = f[iOwner];
+    const amountRaw = iAmount >= 0 ? f[iAmount] : "";
+    if (amountRaw) {
+      const parsed = CostEntrySchema.safeParse({
+        amount: Number(amountRaw),
+        currency: iCurrency >= 0 ? f[iCurrency] : void 0,
+        period: iPeriod >= 0 ? f[iPeriod] : void 0,
+        ...iSource >= 0 && f[iSource] ? { source: f[iSource] } : {}
+      });
+      if (!parsed.success) {
+        logWarn(`cost csv: row ${r + 1} skipped (invalid cost fields)`);
+        if (!rec.owner) continue;
+      } else {
+        rec.cost = parsed.data;
+      }
+    }
+    if (rec.owner || rec.cost) records.push(rec);
+  }
+  return records;
+}
+var CsvCostSource = class {
+  constructor(opts) {
+    this.opts = opts;
+    const base = opts.filePath.split(/[\\/]/).pop() ?? opts.filePath;
+    this.id = `csv:${base}`;
+  }
+  id;
+  async fetch() {
+    const text = readFileSync3(resolve(this.opts.filePath), "utf-8");
+    const records = parseCostCsv(text);
+    const match = this.opts.match ?? "nodeId";
+    const out = /* @__PURE__ */ new Map();
+    if (match === "nodeId") {
+      for (const rec of records) out.set(rec.nodeId, rec);
+      return out;
+    }
+    if (!this.opts.db || !this.opts.sessionId) {
+      logWarn(`cost csv: match '${match}' requires db + sessionId; falling back to nodeId`);
+      for (const rec of records) out.set(rec.nodeId, rec);
+      return out;
+    }
+    const nodes = this.opts.db.getNodes(this.opts.sessionId);
+    const index = /* @__PURE__ */ new Map();
+    for (const n of nodes) {
+      if (match === "name") index.set(n.name, n.id);
+      else for (const t of n.tags) index.set(t, n.id);
+    }
+    for (const rec of records) {
+      const resolved = index.get(rec.nodeId);
+      out.set(resolved ?? rec.nodeId, { ...rec, nodeId: resolved ?? rec.nodeId });
+    }
+    return out;
+  }
+};
+async function enrichCosts(db, sessionId, source) {
+  const records = await source.fetch();
+  let matched = 0;
+  const unmatchedIds = [];
+  for (const [nodeId, rec] of records) {
+    const ok = db.enrichNodeAttribution(sessionId, nodeId, {
+      owner: rec.owner ?? void 0,
+      cost: rec.cost ?? void 0
+    });
+    if (ok) matched++;
+    else unmatchedIds.push(nodeId);
+  }
+  return { source: source.id, total: records.size, matched, unmatched: unmatchedIds.length, unmatchedIds };
 }
 
 // src/cli.ts
-import { readFileSync as readFileSync2, existsSync as existsSync2 } from "fs";
-import { resolve, dirname } from "path";
+import { readFileSync as readFileSync5, existsSync as existsSync3, writeFileSync as writeFileSync3 } from "fs";
+import { resolve as resolve2, dirname as dirname2 } from "path";
 import { fileURLToPath } from "url";
 import { createInterface } from "readline";
+
+// src/sharing.ts
+function wildcardCount(pattern) {
+  return (pattern.match(/\*/g) ?? []).length;
+}
+function globMatch(pattern, id) {
+  let re = "^";
+  for (let i = 0; i < pattern.length; i++) {
+    const c = pattern[i];
+    if (c === "*") {
+      if (pattern[i + 1] === "*") {
+        re += ".*";
+        i++;
+      } else re += "[^:]*";
+    } else {
+      re += c.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
+    }
+  }
+  re += "$";
+  return new RegExp(re).test(id);
+}
+function resolveSharingLevel(nodeId, policy) {
+  const matches2 = policy.overrides.filter((o) => o.pattern !== "*" && o.pattern !== "**" && globMatch(o.pattern, nodeId)).sort(
+    (a, b) => wildcardCount(a.pattern) - wildcardCount(b.pattern) || b.pattern.length - a.pattern.length
+  );
+  return matches2.length ? matches2[0].level : policy.defaultLevel;
+}
+function nodeHosts(node) {
+  const out = [node.id, node.name];
+  const meta = node.metadata ?? {};
+  for (const k of ["host", "url", "domain"]) {
+    const v = meta[k];
+    if (typeof v === "string") out.push(v);
+  }
+  if (node.domain) out.push(node.domain);
+  return out;
+}
+function resolveEffectiveLevel(node, policy) {
+  if (nodeHosts(node).some((h) => isPersonalHost(h))) return "none";
+  return resolveSharingLevel(node.id, policy);
+}
+function applySharingLevel(node, level, orgKey, db) {
+  if (level === "none") return null;
+  if (level === "full") return { ...node, metadata: { ...node.metadata ?? {} }, tags: [...node.tags ?? []] };
+  return {
+    ...node,
+    id: pseudonymizeString(node.id, orgKey, db),
+    name: pseudonymizeString(node.name, orgKey, db),
+    metadata: pseudonymize(node.metadata ?? {}, orgKey, db),
+    tags: (node.tags ?? []).map((t) => pseudonymizeString(t, orgKey, db))
+  };
+}
+function previewShare(db, sessionId, orgKey, policy, opts = {}) {
+  const persist = opts.persistReversal ? db : void 0;
+  const nodes = db.getNodes(sessionId);
+  const edges = db.getEdges(sessionId);
+  const entries = [];
+  const idMap = /* @__PURE__ */ new Map();
+  const droppedNodeIds = [];
+  for (const node of nodes) {
+    const level = resolveEffectiveLevel(node, policy);
+    const payload = applySharingLevel(node, level, orgKey, persist);
+    entries.push({ node, level, payload });
+    if (payload === null) {
+      idMap.set(node.id, null);
+      droppedNodeIds.push(node.id);
+    } else {
+      idMap.set(node.id, payload.id);
+    }
+  }
+  const outEdges = [];
+  for (const e of edges) {
+    const src = idMap.get(e.sourceId);
+    const tgt = idMap.get(e.targetId);
+    if (src == null || tgt == null) continue;
+    outEdges.push({ sourceId: src, targetId: tgt, relationship: e.relationship });
+  }
+  return { nodes: entries, edges: outEdges, droppedNodeIds };
+}
+function isRemembered(policy, nodeId) {
+  const matched = policy.overrides.some((o) => o.pattern !== "*" && o.pattern !== "**" && globMatch(o.pattern, nodeId));
+  return matched || policy.defaultLevel !== "none";
+}
+
+// src/sync/hash.ts
+import { createHash } from "crypto";
+function shareHash(kind, payload) {
+  return createHash("sha256").update(stableStringify({ kind, payload })).digest("hex");
+}
+
+// src/sync/classify.ts
+function classify(input) {
+  const { preview, policy, sharedHashes } = input;
+  const result = { share: [], withhold: [], pending: [] };
+  const sharedNodeIds = /* @__PURE__ */ new Set();
+  for (const entry of preview.nodes) {
+    if (entry.payload === null) {
+      result.withhold.push({ contentHash: "", kind: "node", nodeId: entry.node.id, payload: null });
+      continue;
+    }
+    const contentHash = shareHash("node", entry.payload);
+    if (sharedHashes.has(contentHash)) continue;
+    const item = { contentHash, kind: "node", nodeId: entry.node.id, payload: entry.payload };
+    if (isRemembered(policy, entry.node.id)) {
+      result.share.push(item);
+      sharedNodeIds.add(entry.node.id);
+    } else {
+      result.pending.push(item);
+    }
+  }
+  const sharedRemappedIds = /* @__PURE__ */ new Set();
+  for (const entry of preview.nodes) {
+    if (entry.payload !== null && sharedNodeIds.has(entry.node.id)) {
+      sharedRemappedIds.add(entry.payload.id);
+    }
+  }
+  for (const e of preview.edges) {
+    const payload = { sourceId: e.sourceId, targetId: e.targetId, relationship: e.relationship };
+    const contentHash = shareHash("edge", payload);
+    const bothShared = sharedRemappedIds.has(e.sourceId) && sharedRemappedIds.has(e.targetId);
+    if (!bothShared) {
+      result.withhold.push({ contentHash: "", kind: "edge", payload });
+      continue;
+    }
+    if (sharedHashes.has(contentHash)) continue;
+    result.share.push({ contentHash, kind: "edge", payload });
+  }
+  return result;
+}
+
+// src/sync/push.ts
+import { createHash as createHash2 } from "crypto";
+var PUSH_SCHEMA_VERSION = 1;
+var DEFAULT_BATCH = 100;
+var DEFAULT_RETRIES = 4;
+var DEFAULT_TIMEOUT_MS = 15e3;
+function defaultLog(line) {
+  process.stderr.write(`[cartography-sync] ${line}
+`);
+}
+function defaultSleep(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}
+function batchKey(items) {
+  const hashes = items.map((i) => i.contentHash).sort();
+  return createHash2("sha256").update(stableStringify(hashes)).digest("hex");
+}
+async function pushDeltas(config, items, opts = {}) {
+  const central = config.centralDb;
+  if (!central?.url || !central.token) {
+    throw new Error("sync push: centralDb not configured (set centralDb.url + token)");
+  }
+  let parsed;
+  try {
+    parsed = new URL(central.url);
+  } catch {
+    throw new Error("sync push: centralDb.url is not a valid URL");
+  }
+  const insecureAllowed = process.env.CARTOGRAPHY_ALLOW_INSECURE_SYNC === "1";
+  if (parsed.protocol !== "https:" && !insecureAllowed) {
+    throw new Error(
+      `sync push: refusing to send over insecure ${parsed.protocol}// \u2014 use https:// (or set CARTOGRAPHY_ALLOW_INSECURE_SYNC=1 for local testing only)`
+    );
+  }
+  const log = opts.log ?? defaultLog;
+  const sleep = opts.sleep ?? defaultSleep;
+  const fetchImpl = opts.fetchImpl ?? fetch;
+  const batchSize = Math.max(1, opts.batchSize ?? central.batchSize ?? DEFAULT_BATCH);
+  const maxRetries = Math.max(0, opts.maxRetries ?? DEFAULT_RETRIES);
+  const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  const safeUrl = stripSensitive(central.url);
+  if (items.length === 0) {
+    log("nothing to push (0 approved items)");
+    return { sent: 0, batches: 0, failed: 0, sentHashes: [] };
+  }
+  const batches = [];
+  for (let i = 0; i < items.length; i += batchSize) {
+    batches.push(items.slice(i, i + batchSize).map((it) => ({ ...it, payload: redactValue(it.payload) })));
+  }
+  let sent = 0;
+  let failed = 0;
+  const sentHashes = [];
+  for (const batch of batches) {
+    const key = batchKey(batch);
+    const body = JSON.stringify({
+      schemaVersion: PUSH_SCHEMA_VERSION,
+      ...central.org ? { org: central.org } : {},
+      items: batch.map((b) => ({ contentHash: b.contentHash, kind: b.kind, payload: b.payload }))
+    });
+    if (opts.dryRun) {
+      log(`dry-run: would POST ${batch.length} item(s) to ${safeUrl} (idempotency ${key.slice(0, 12)}\u2026)`);
+      sent += batch.length;
+      sentHashes.push(...batch.map((b) => b.contentHash));
+      continue;
+    }
+    let ok = false;
+    for (let attempt = 0; attempt <= maxRetries; attempt++) {
+      const controller = new AbortController();
+      const timer = setTimeout(() => controller.abort(), timeoutMs);
+      const startedAt = Date.now();
+      try {
+        const res = await fetchImpl(central.url, {
+          method: "POST",
+          headers: {
+            "authorization": `Bearer ${central.token}`,
+            "content-type": "application/json",
+            "x-idempotency-key": key
+          },
+          body,
+          signal: controller.signal
+        });
+        const elapsed = Date.now() - startedAt;
+        if (res.ok) {
+          log(`pushed ${batch.length} item(s) \u2192 ${safeUrl} [${res.status}] ${elapsed}ms (attempt ${attempt + 1})`);
+          ok = true;
+          break;
+        }
+        if (res.status >= 400 && res.status < 500) {
+          log(`batch rejected \u2192 ${safeUrl} [${res.status}] (no retry)`);
+          break;
+        }
+        log(`batch failed \u2192 ${safeUrl} [${res.status}] (attempt ${attempt + 1}/${maxRetries + 1})`);
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        log(`batch error \u2192 ${safeUrl}: ${msg.replace(/https?:\/\/[^\s]+/g, (u) => stripSensitive(u))} (attempt ${attempt + 1}/${maxRetries + 1})`);
+      } finally {
+        clearTimeout(timer);
+      }
+      if (attempt < maxRetries) {
+        const base = Math.min(2 ** attempt * 250, 4e3);
+        await sleep(base + Math.floor(Math.random() * 100));
+      }
+    }
+    if (ok) {
+      sent += batch.length;
+      sentHashes.push(...batch.map((b) => b.contentHash));
+    } else {
+      failed += batch.length;
+    }
+  }
+  return { sent, batches: batches.length, failed, sentHashes };
+}
+
+// src/sync/index.ts
+function runSyncClassify(db, sessionId, config, opts = {}) {
+  if (!config.centralDb?.url) return { enqueued: 0, autoShared: 0, withheld: 0 };
+  const orgKey = opts.orgKey ?? loadOrgKey({ organization: config.organization });
+  const policy = db.getSharingPolicy();
+  const preview = previewShare(db, sessionId, orgKey, policy, { persistReversal: true });
+  const sharedHashes = db.getSharedHashes();
+  const { share, pending, withhold } = classify({ preview, policy, sharedHashes });
+  const writeAll = db.rawConnection().transaction(() => {
+    for (const item of share) {
+      db.enqueuePending({
+        contentHash: item.contentHash,
+        sessionId,
+        nodeId: item.nodeId,
+        kind: item.kind,
+        payload: item.payload,
+        status: "approved",
+        decidedBy: "rule"
+      });
+    }
+    for (const item of pending) {
+      db.enqueuePending({
+        contentHash: item.contentHash,
+        sessionId,
+        nodeId: item.nodeId,
+        kind: item.kind,
+        payload: item.payload,
+        status: "pending"
+      });
+    }
+    for (const item of withhold) {
+      if (!item.contentHash) continue;
+      db.enqueuePending({
+        contentHash: item.contentHash,
+        sessionId,
+        nodeId: item.nodeId,
+        kind: item.kind,
+        payload: item.payload,
+        status: "withheld",
+        decidedBy: "rule"
+      });
+    }
+  });
+  writeAll();
+  return { enqueued: pending.length, autoShared: share.length, withheld: withhold.length };
+}
+
+// src/installer/format.ts
+import { parse as parseToml, stringify as stringifyToml } from "smol-toml";
+import { parse as parseYaml, stringify as stringifyYaml } from "yaml";
+function parseConfig(text, format) {
+  if (!text.trim()) return {};
+  try {
+    switch (format) {
+      case "json":
+        return JSON.parse(text);
+      case "toml":
+        return parseToml(text);
+      case "yaml":
+        return parseYaml(text) ?? {};
+    }
+  } catch (err) {
+    const detail = err instanceof Error ? err.message : String(err);
+    throw new Error(`Failed to parse existing ${format.toUpperCase()} config: ${detail}`);
+  }
+}
+function serializeConfig(obj, format) {
+  switch (format) {
+    case "json":
+      return JSON.stringify(obj, null, 2) + "\n";
+    case "toml":
+      return stringifyToml(obj) + "\n";
+    case "yaml":
+      return stringifyYaml(obj);
+  }
+}
+
+// src/installer/merge.ts
+function isPlainObject(v) {
+  return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+function deepMerge(target, source) {
+  const out = { ...target };
+  for (const [key, value] of Object.entries(source)) {
+    const existing = out[key];
+    if (isPlainObject(existing) && isPlainObject(value)) {
+      out[key] = deepMerge(existing, value);
+    } else {
+      out[key] = value;
+    }
+  }
+  return out;
+}
+
+// src/installer/shapes.ts
+function mcpServerObject(entry) {
+  if (entry.url) {
+    return { type: "http", url: entry.url, ...entry.env ? { env: entry.env } : {} };
+  }
+  return {
+    command: entry.command,
+    args: entry.args ?? [],
+    ...entry.env ? { env: entry.env } : {}
+  };
+}
+
+// src/installer/entry.ts
+var PACKAGE_NAME = "@datasynx/agentic-ai-cartography";
+var MCP_BIN = "cartography-mcp";
+var DEFAULT_SERVER_NAME = "cartography";
+function defaultServerEntry(opts = {}) {
+  if (opts.transport === "http") {
+    return { url: opts.url ?? "http://127.0.0.1:3737/mcp", ...opts.env ? { env: opts.env } : {} };
+  }
+  const args = ["-y", "--package", PACKAGE_NAME, MCP_BIN, ...opts.packageArgs ?? []];
+  return { command: "npx", args, ...opts.env ? { env: opts.env } : {} };
+}
+
+// src/installer/install.ts
+import { mkdirSync as mkdirSync2, readFileSync as readFileSync4, writeFileSync as writeFileSync2, existsSync as existsSync2 } from "fs";
+import { dirname } from "path";
+import { homedir } from "os";
+function currentOs() {
+  if (process.platform === "win32") return "win";
+  if (process.platform === "darwin") return "mac";
+  return "linux";
+}
+function defaultContext(scope) {
+  return { scope, os: currentOs(), home: homedir(), cwd: process.cwd(), env: process.env };
+}
+function planInstall(spec, ctx, opts) {
+  const path = spec.path(ctx);
+  if (!path) {
+    throw new Error(`${spec.label} does not support the "${ctx.scope}" scope.`);
+  }
+  const fileExists = existsSync2(path);
+  const before = fileExists ? readFileSync4(path, "utf8") : "";
+  const existing = parseConfig(before, spec.format);
+  const merged = spec.apply(existing, opts.serverName ?? DEFAULT_SERVER_NAME, opts.entry);
+  const after = serializeConfig(merged, spec.format);
+  return {
+    client: spec.id,
+    label: spec.label,
+    path,
+    format: spec.format,
+    before,
+    after,
+    fileExists,
+    changed: after !== before,
+    ...spec.note ? { note: spec.note } : {}
+  };
+}
+function applyInstall(plan) {
+  mkdirSync2(dirname(plan.path), { recursive: true });
+  writeFileSync2(plan.path, plan.after, "utf8");
+}
+function renderDiff(before, after) {
+  if (before === after) return "  (no changes)";
+  const b = before.length ? before.split("\n") : [];
+  const a = after.split("\n");
+  const out = [];
+  const max = Math.max(b.length, a.length);
+  for (let i = 0; i < max; i++) {
+    if (b[i] === a[i]) {
+      if (a[i] !== void 0) out.push(`  ${a[i]}`);
+    } else {
+      if (b[i] !== void 0) out.push(`- ${b[i]}`);
+      if (a[i] !== void 0) out.push(`+ ${a[i]}`);
+    }
+  }
+  return out.join("\n");
+}
+
+// src/installer/registry.ts
+import { join as join3 } from "path";
+function jsonKeyedClient(args) {
+  return {
+    id: args.id,
+    label: args.label,
+    format: "json",
+    note: args.note,
+    path: (ctx) => ctx.scope === "project" ? args.projectPath?.(ctx) : args.globalPath(ctx),
+    apply: (existing, name, entry) => deepMerge(existing, { [args.key]: { [name]: mcpServerObject(entry) } })
+  };
+}
+var claudeCode = jsonKeyedClient({
+  id: "claude-code",
+  label: "Claude Code",
+  key: "mcpServers",
+  globalPath: (ctx) => join3(ctx.home, ".claude.json"),
+  projectPath: (ctx) => join3(ctx.cwd, ".mcp.json")
+});
+var cursor = jsonKeyedClient({
+  id: "cursor",
+  label: "Cursor",
+  key: "mcpServers",
+  globalPath: (ctx) => join3(ctx.home, ".cursor", "mcp.json"),
+  projectPath: (ctx) => join3(ctx.cwd, ".cursor", "mcp.json")
+});
+function vscodeServerObject(entry) {
+  if (entry.url) return { type: "http", url: entry.url, ...entry.env ? { env: entry.env } : {} };
+  return { type: "stdio", command: entry.command, args: entry.args ?? [], ...entry.env ? { env: entry.env } : {} };
+}
+function vscodeUserDir(ctx) {
+  if (ctx.os === "win") return join3(ctx.env.APPDATA ?? join3(ctx.home, "AppData", "Roaming"), "Code", "User");
+  if (ctx.os === "mac") return join3(ctx.home, "Library", "Application Support", "Code", "User");
+  return join3(ctx.home, ".config", "Code", "User");
+}
+var vscode = {
+  id: "vscode",
+  label: "VS Code (Copilot)",
+  format: "json",
+  note: "Uses the `servers` key (not `mcpServers`) \u2014 the most common copy-paste mistake.",
+  path: (ctx) => ctx.scope === "project" ? join3(ctx.cwd, ".vscode", "mcp.json") : join3(vscodeUserDir(ctx), "mcp.json"),
+  apply: (existing, name, entry) => deepMerge(existing, { servers: { [name]: vscodeServerObject(entry) } })
+};
+var codex = {
+  id: "codex",
+  label: "Codex CLI",
+  format: "toml",
+  note: 'Project scope only loads in "trusted" projects.',
+  path: (ctx) => ctx.scope === "project" ? join3(ctx.cwd, ".codex", "config.toml") : join3(ctx.home, ".codex", "config.toml"),
+  apply: (existing, name, entry) => deepMerge(existing, { mcp_servers: { [name]: mcpServerObject(entry) } })
+};
+var windsurf = jsonKeyedClient({
+  id: "windsurf",
+  label: "Windsurf",
+  key: "mcpServers",
+  globalPath: (ctx) => join3(ctx.home, ".codeium", "windsurf", "mcp_config.json")
+});
+function codeGlobalStorage(ctx, extensionId) {
+  return join3(vscodeUserDir(ctx), "globalStorage", extensionId, "settings", "cline_mcp_settings.json");
+}
+var cline = {
+  id: "cline",
+  label: "Cline",
+  format: "json",
+  path: (ctx) => ctx.scope === "project" ? void 0 : codeGlobalStorage(ctx, "saoudrizwan.claude-dev"),
+  // Cline augments the standard object with its own auto-approve/disable flags.
+  apply: (existing, name, entry) => deepMerge(existing, { mcpServers: { [name]: { ...mcpServerObject(entry), alwaysAllow: [], disabled: false } } })
+};
+var roo = {
+  id: "roo",
+  label: "Roo Code",
+  format: "json",
+  note: "Project .roo/mcp.json takes precedence over the global settings.",
+  path: (ctx) => ctx.scope === "project" ? join3(ctx.cwd, ".roo", "mcp.json") : codeGlobalStorage(ctx, "rooveterinaryinc.roo-cline"),
+  apply: (existing, name, entry) => deepMerge(existing, { mcpServers: { [name]: mcpServerObject(entry) } })
+};
+var zed = {
+  id: "zed",
+  label: "Zed",
+  format: "json",
+  note: 'Manual servers need "source": "custom"; remote uses an mcp-remote bridge.',
+  path: (ctx) => {
+    if (ctx.scope === "project") return join3(ctx.cwd, ".zed", "settings.json");
+    if (ctx.os === "win") return join3(ctx.env.APPDATA ?? join3(ctx.home, "AppData", "Roaming"), "Zed", "settings.json");
+    return join3(ctx.home, ".config", "zed", "settings.json");
+  },
+  apply: (existing, name, entry) => {
+    const inner = entry.url ? { source: "custom", url: entry.url } : { source: "custom", command: entry.command, args: entry.args ?? [], ...entry.env ? { env: entry.env } : {} };
+    return deepMerge(existing, { context_servers: { [name]: inner } });
+  }
+};
+var junie = {
+  id: "junie",
+  label: "JetBrains / Junie",
+  format: "json",
+  path: (ctx) => ctx.scope === "project" ? join3(ctx.cwd, ".junie", "mcp", "mcp.json") : join3(ctx.home, ".junie", "mcp", "mcp.json"),
+  apply: (existing, name, entry) => deepMerge(existing, { mcpServers: { [name]: mcpServerObject(entry) } })
+};
+var gemini = {
+  id: "gemini",
+  label: "Gemini CLI",
+  format: "json",
+  path: (ctx) => ctx.scope === "project" ? join3(ctx.cwd, ".gemini", "settings.json") : join3(ctx.home, ".gemini", "settings.json"),
+  apply: (existing, name, entry) => {
+    const inner = entry.url ? { httpUrl: entry.url, ...entry.env ? { env: entry.env } : {} } : mcpServerObject(entry);
+    return deepMerge(existing, { mcpServers: { [name]: inner } });
+  }
+};
+var goose = {
+  id: "goose",
+  label: "Goose",
+  format: "yaml",
+  note: "Verify the extension shape against current Goose docs; built-ins are left untouched.",
+  path: (ctx) => {
+    if (ctx.os === "win") return join3(ctx.env.APPDATA ?? join3(ctx.home, "AppData", "Roaming"), "Block", "goose", "config", "config.yaml");
+    return join3(ctx.home, ".config", "goose", "config.yaml");
+  },
+  apply: (existing, name, entry) => {
+    const inner = entry.url ? { name, type: "streamable_http", enabled: true, uri: entry.url, ...entry.env ? { env: entry.env } : {} } : { name, type: "stdio", enabled: true, command: entry.command, args: entry.args ?? [], ...entry.env ? { env: entry.env } : {} };
+    return deepMerge(existing, { extensions: { [name]: inner } });
+  }
+};
+function isObj(v) {
+  return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+var openhands = {
+  id: "openhands",
+  label: "OpenHands",
+  format: "toml",
+  note: "SHTTP is preferred; SSE is legacy. Only api_key is supported (no arbitrary headers).",
+  path: (ctx) => ctx.scope === "project" ? join3(ctx.cwd, "config.toml") : join3(ctx.home, ".openhands", "config.toml"),
+  apply: (existing, name, entry) => {
+    const mcp = isObj(existing.mcp) ? { ...existing.mcp } : {};
+    const key = entry.url ? "shttp_servers" : "stdio_servers";
+    const arr = Array.isArray(mcp[key]) ? [...mcp[key]] : [];
+    const item = entry.url ? { url: entry.url, ...entry.env ? { env: entry.env } : {} } : { name, command: entry.command, args: entry.args ?? [], ...entry.env ? { env: entry.env } : {} };
+    const matches2 = (s) => entry.url ? s.url === entry.url : s.name === name;
+    const idx = arr.findIndex(matches2);
+    if (idx >= 0) arr[idx] = item;
+    else arr.push(item);
+    mcp[key] = arr;
+    return { ...existing, mcp };
+  }
+};
+var claudeDesktop = {
+  id: "claude-desktop",
+  label: "Claude Desktop",
+  format: "json",
+  note: "One-click install is also available via the .mcpb bundle (npm run build:mcpb).",
+  path: (ctx) => {
+    if (ctx.scope === "project") return void 0;
+    if (ctx.os === "win") return join3(ctx.env.APPDATA ?? join3(ctx.home, "AppData", "Roaming"), "Claude", "claude_desktop_config.json");
+    if (ctx.os === "mac") return join3(ctx.home, "Library", "Application Support", "Claude", "claude_desktop_config.json");
+    return join3(ctx.home, ".config", "Claude", "claude_desktop_config.json");
+  },
+  apply: (existing, name, entry) => deepMerge(existing, { mcpServers: { [name]: mcpServerObject(entry) } })
+};
+var CLIENTS = [
+  claudeCode,
+  cursor,
+  vscode,
+  codex,
+  windsurf,
+  cline,
+  roo,
+  zed,
+  junie,
+  gemini,
+  goose,
+  openhands,
+  claudeDesktop
+];
+function getClient(id) {
+  return CLIENTS.find((c) => c.id === id);
+}
+function listClients() {
+  return CLIENTS.map(({ id, label, format, note }) => ({ id, label, format, note }));
+}
+
+// src/installer/deeplinks.ts
+function cursorDeeplink(name, entry) {
+  const config = Buffer.from(JSON.stringify(mcpServerObject(entry))).toString("base64");
+  const params = new URLSearchParams({ name, config });
+  return `cursor://anysphere.cursor-deeplink/mcp/install?${params.toString()}`;
+}
+function vscodeDeeplink(name, entry, opts = {}) {
+  const scheme = opts.insiders ? "vscode-insiders" : "vscode";
+  const payload = encodeURIComponent(JSON.stringify({ name, ...mcpServerObject(entry) }));
+  return `${scheme}://mcp/install?${payload}`;
+}
+function codeAddMcpCommand(name, entry) {
+  return `code --add-mcp '${JSON.stringify({ name, ...mcpServerObject(entry) })}'`;
+}
+
+// src/cli.ts
 var bold = (s) => `\x1B[1m${s}\x1B[0m`;
 var dim = (s) => `\x1B[2m${s}\x1B[0m`;
 var cyan = (s) => `\x1B[36m${s}\x1B[0m`;
@@ -2344,6 +3361,46 @@ var green = (s) => `\x1B[32m${s}\x1B[0m`;
 var yellow = (s) => `\x1B[33m${s}\x1B[0m`;
 var magenta = (s) => `\x1B[35m${s}\x1B[0m`;
 var red = (s) => `\x1B[31m${s}\x1B[0m`;
+function renderDiffText(d) {
+  const out = [];
+  out.push(`${bold("Topology diff")}  ${dim(d.base.sessionId.slice(0, 8))} \u2192 ${dim(d.current.sessionId.slice(0, 8))}`);
+  out.push(`  base:    ${d.base.nodeCount} nodes, ${d.base.edgeCount} edges  ${dim(d.base.startedAt)}`);
+  out.push(`  current: ${d.current.nodeCount} nodes, ${d.current.edgeCount} edges  ${dim(d.current.startedAt)}`);
+  out.push("");
+  out.push(`  nodes: ${green("+" + d.summary.nodesAdded)} ${red("-" + d.summary.nodesRemoved)} ${yellow("~" + d.summary.nodesChanged)}    edges: ${green("+" + d.summary.edgesAdded)} ${red("-" + d.summary.edgesRemoved)}`);
+  if (d.summary.nodesAdded + d.summary.nodesRemoved + d.summary.nodesChanged + d.summary.edgesAdded + d.summary.edgesRemoved === 0) {
+    out.push("");
+    out.push(`  ${green("\u2713")} No drift between the two sessions.`);
+    return out.join("\n");
+  }
+  out.push("");
+  for (const n of d.nodes.added) out.push(`  ${green("+")} ${n.id} ${dim("(" + n.type + ")")}`);
+  for (const n of d.nodes.removed) out.push(`  ${red("-")} ${n.id} ${dim("(" + n.type + ")")}`);
+  for (const c of d.nodes.changed) out.push(`  ${yellow("~")} ${c.id} ${dim("[" + c.changedFields.join(", ") + "]")}`);
+  for (const e of d.edges.added) out.push(`  ${green("+")} edge ${e.sourceId} ${dim("\u2500" + e.relationship + "\u2192")} ${e.targetId}`);
+  for (const e of d.edges.removed) out.push(`  ${red("-")} edge ${e.sourceId} ${dim("\u2500" + e.relationship + "\u2192")} ${e.targetId}`);
+  return out.join("\n");
+}
+function renderDriftSummaryText(r) {
+  const s = r.delta.summary;
+  const base = r.baseSessionId ? r.baseSessionId.slice(0, 8) : "\u2205";
+  return `${green("+" + s.nodesAdded)}/${red("-" + s.nodesRemoved)}/${yellow("~" + s.nodesChanged)} nodes, ${green("+" + s.edgesAdded)}/${red("-" + s.edgesRemoved)} edges ${dim("(session " + r.sessionId.slice(0, 8) + ", base " + base + ")")}`;
+}
+function maybeQueueForSync(db, sessionId, config, w) {
+  if (!config.centralDb?.url) return;
+  try {
+    const r = runSyncClassify(db, sessionId, config);
+    if (r.enqueued > 0) {
+      w(`  ${cyan("\u21EA")}  ${bold(String(r.enqueued))} item(s) queued for review \u2014 run ${bold("'datasynx-cartography sync review'")}
+`);
+    } else if (r.autoShared > 0) {
+      w(`  ${cyan("\u21EA")}  ${bold(String(r.autoShared))} item(s) auto-approved by policy \u2014 run ${bold("'datasynx-cartography sync push'")}
+`);
+    }
+  } catch (err) {
+    logWarn(`central-DB sync classify skipped: ${err instanceof Error ? err.message : String(err)}`);
+  }
+}
 main();
 function main() {
   let activeDb = null;
@@ -2356,18 +3413,35 @@ function main() {
       }
       activeDb = null;
     }
-    process.exit(signal === "SIGINT" ? 130 : 0);
+    process.removeListener("SIGTERM", shutdown);
+    process.removeListener("SIGINT", shutdown);
+    process.kill(process.pid, signal);
   };
-  process.on("SIGTERM", () => shutdown("SIGTERM"));
-  process.on("SIGINT", () => shutdown("SIGINT"));
+  process.on("SIGTERM", shutdown);
+  process.on("SIGINT", shutdown);
   cleanupTempFiles();
   const program = new Command();
   const CMD = "datasynx-cartography";
-  const __dirname = import.meta.dirname ?? dirname(fileURLToPath(import.meta.url));
-  const { version: VERSION } = JSON.parse(readFileSync2(resolve(__dirname, "..", "package.json"), "utf-8"));
+  const __dirname = import.meta.dirname ?? dirname2(fileURLToPath(import.meta.url));
+  let VERSION = "0.0.0";
+  try {
+    VERSION = JSON.parse(readFileSync5(resolve2(__dirname, "..", "package.json"), "utf-8")).version ?? VERSION;
+  } catch {
+    logWarn("Could not read package.json version; falling back to 0.0.0");
+  }
   program.name(CMD).description("AI-powered Infrastructure Discovery & Agentic AI Cartography").version(VERSION);
-  program.command("discover").description("Scan and map your infrastructure").option("--entry <hosts...>", "Entry points", ["localhost"]).option("--depth <n>", "Max crawl depth", "8").option("--max-turns <n>", "Max agent turns", "50").option("--model <m>", "Agent model", "claude-sonnet-4-5-20250929").option("--org <name>", "Organization name (for Backstage)").option("-o, --output <dir>", "Output directory", "./datasynx-output").option("--db <path>", "DB path").option("-v, --verbose", "Show agent reasoning", false).action(async (opts) => {
-    checkPrerequisites();
+  program.command("discover").description("Scan and map your infrastructure").option("--entry <hosts...>", "Entry points", ["localhost"]).option("--depth <n>", "Max crawl depth", "8").option("--max-turns <n>", "Max agent turns", "50").option("--provider <name>", "Agent provider: claude, openai, ollama (or CARTOGRAPHY_PROVIDER)").option("--model <m>", "Agent model", "claude-sonnet-4-5-20250929").option("--org <name>", "Organization name (for Backstage)").option("-o, --output <dir>", "Output directory", "./datasynx-output").option("--db <path>", "DB path").option("--name <name>", "Custom session name (default: auto-derived from the topology)").option("--update [sessionId]", "Re-scan an existing session in place (deterministic local scan; default: latest discover session)").option("--output-format <fmt>", "Progress/result format: text, json, stream-json", "text").option("-v, --verbose", "Show agent reasoning", false).action(async (opts) => {
+    const providerName = opts.provider ?? process.env.CARTOGRAPHY_PROVIDER ?? "claude";
+    if (!defaultProviderRegistry.has(providerName)) {
+      process.stderr.write(
+        `\u274C Unknown provider "${providerName}" (valid: ${defaultProviderRegistry.names().join(", ")})
+`
+      );
+      process.exitCode = 2;
+      return;
+    }
+    const provider = providerName;
+    checkPrerequisites(provider);
     const parsedDepth = parseInt(opts.depth, 10);
     const parsedMaxTurns = parseInt(opts.maxTurns, 10);
     if (Number.isNaN(parsedDepth) || parsedDepth < 1 || parsedDepth > 50) {
@@ -2382,11 +3456,20 @@ function main() {
       process.exitCode = 2;
       return;
     }
+    const fmt = opts.outputFormat ?? "text";
+    if (!["text", "json", "stream-json"].includes(fmt)) {
+      process.stderr.write(`\u274C Invalid --output-format: "${opts.outputFormat}" (must be text, json, or stream-json)
+`);
+      process.exitCode = 2;
+      return;
+    }
+    const isText = fmt === "text";
     setVerbose(opts.verbose);
     const config = defaultConfig({
       entryPoints: opts.entry,
       maxDepth: parsedDepth,
       maxTurns: parsedMaxTurns,
+      provider,
       agentModel: opts.model,
       organization: opts.org,
       outputDir: opts.output,
@@ -2395,14 +3478,63 @@ function main() {
     });
     logInfo("Discovery started", {
       entryPoints: config.entryPoints,
+      provider: config.provider,
       model: config.agentModel,
       maxTurns: config.maxTurns,
       maxDepth: config.maxDepth
     });
     const db = new CartographyDB(config.dbPath);
     activeDb = db;
-    const sessionId = db.createSession("discover", config);
     const w = process.stderr.write.bind(process.stderr);
+    if (opts.update) {
+      const tenantId = normalizeTenant(opts.org);
+      const targetId = typeof opts.update === "string" ? opts.update : db.getLatestSession("discover", tenantId)?.id;
+      const targetSession = targetId ? db.getSession(targetId) : void 0;
+      if (!targetId || !targetSession) {
+        process.stderr.write(
+          `\u274C No discover session to update${typeof opts.update === "string" ? ` (id "${opts.update}")` : ""}; run \`discover\` first.
+`
+        );
+        process.exitCode = 2;
+        db.close();
+        activeDb = null;
+        return;
+      }
+      const baseNodeCount = db.getNodes(targetId).length;
+      const baseEdgeCount = db.getEdges(targetId).length;
+      if (isText) {
+        w("\n");
+        w(`  ${bold("CARTOGRAPHY")}  ${dim("incremental rescan \xB7 " + targetId.slice(0, 8))}
+`);
+        w(dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n"));
+      }
+      try {
+        const r = await runLocalDiscovery(db, targetId, { mode: "update" });
+        const updated = db.getSession(targetId);
+        const diff = {
+          base: { sessionId: targetId, startedAt: targetSession.startedAt, nodeCount: baseNodeCount, edgeCount: baseEdgeCount },
+          current: { sessionId: targetId, startedAt: updated?.lastScannedAt ?? (/* @__PURE__ */ new Date()).toISOString(), nodeCount: r.nodes, edgeCount: r.edges },
+          nodes: r.delta?.nodes ?? { added: [], removed: [], changed: [], unchanged: 0 },
+          edges: r.delta?.edges ?? { added: [], removed: [], unchanged: 0 },
+          summary: r.delta?.summary ?? { nodesAdded: 0, nodesRemoved: 0, nodesChanged: 0, edgesAdded: 0, edgesRemoved: 0 },
+          anomalies: { base: [], current: [], added: [] }
+        };
+        if (fmt === "text") w(renderDiffText(diff) + "\n\n");
+        else process.stdout.write(JSON.stringify(diff, null, 2) + "\n");
+        logInfo("Incremental rescan complete", { sessionId: targetId, ...diff.summary });
+      } catch (err) {
+        const errMsg = err instanceof Error ? err.message : String(err);
+        logError("Incremental rescan failed", { sessionId: targetId, error: errMsg });
+        w(`
+  ${bold(red("\u2717"))}  Rescan failed: ${errMsg}
+`);
+        process.exitCode = 1;
+      }
+      db.close();
+      activeDb = null;
+      return;
+    }
+    const sessionId = db.createSession("discover", config, opts.org);
     const SPINNER = ["\u280B", "\u2819", "\u2839", "\u2838", "\u283C", "\u2834", "\u2826", "\u2827", "\u2807", "\u280F"];
     let spinIdx = 0;
     let spinnerTimer = null;
@@ -2427,13 +3559,15 @@ function main() {
     let turnNum = 0;
     let nodeCount = 0;
     let edgeCount = 0;
-    w("\n");
-    w(`  ${bold("CARTOGRAPHY")}  ${dim(config.entryPoints.join(", "))}
+    if (isText) {
+      w("\n");
+      w(`  ${bold("CARTOGRAPHY")}  ${dim(config.entryPoints.join(", "))}
 `);
-    w(`  ${dim("Model: " + config.agentModel + " | MaxTurns: " + config.maxTurns)}
+      w(`  ${dim("Model: " + config.agentModel + " | MaxTurns: " + config.maxTurns)}
 `);
-    w(dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"));
-    w("\n");
+      w(dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"));
+      w("\n");
+    }
     const logLine = (icon, msg) => {
       stopSpinner();
       const elapsed = ((Date.now() - startTime) / 1e3).toFixed(1);
@@ -2441,6 +3575,10 @@ function main() {
 `);
     };
     const handleEvent = (event) => {
+      if (!isText) {
+        if (fmt === "stream-json") process.stdout.write(JSON.stringify(event) + "\n");
+        return;
+      }
       switch (event.kind) {
         case "turn":
           turnNum = event.turn;
@@ -2457,7 +3595,7 @@ function main() {
           }
           break;
         case "tool_call": {
-          const toolName = event.tool.replace("mcp__cartograph__", "");
+          const toolName = event.tool.replace("mcp__cartography__", "");
           if (toolName === "Bash") {
             const cmd = (event.input["command"] ?? "").substring(0, 70);
             startSpinner(`${yellow("$")} ${cmd}`);
@@ -2505,6 +3643,7 @@ function main() {
       }
     };
     const onAskUser = async (question, context) => {
+      if (!isText) return "(Non-interactive mode \u2014 please continue without this information)";
       stopSpinner();
       w("\n");
       w(dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"));
@@ -2519,7 +3658,7 @@ function main() {
         return "(Non-interactive mode \u2014 please continue without this information)";
       }
       const rl = createInterface({ input: process.stdin, output: process.stderr });
-      const answer = await new Promise((resolve2) => rl.question(`  ${cyan("\u2192")} `, resolve2));
+      const answer = await new Promise((resolve3) => rl.question(`  ${cyan("\u2192")} `, resolve3));
       rl.close();
       w("\n");
       return answer || "(No answer \u2014 please continue)";
@@ -2541,6 +3680,9 @@ function main() {
     }
     stopSpinner();
     db.endSession(sessionId);
+    maybeQueueForSync(db, sessionId, config, w);
+    const sessionName = opts.name?.trim() || deriveSessionName(db.getGraphSummary(sessionId), db.getSession(sessionId)?.startedAt ?? (/* @__PURE__ */ new Date()).toISOString());
+    db.setSessionName(sessionId, sessionName);
     const stats = db.getStats(sessionId);
     const totalSec = ((Date.now() - startTime) / 1e3).toFixed(1);
     logInfo("Discovery completed", {
@@ -2549,6 +3691,22 @@ function main() {
       edges: stats.edges,
       durationSec: parseFloat(totalSec)
     });
+    if (!isText) {
+      const durationMs = Date.now() - startTime;
+      if (fmt === "stream-json") {
+        process.stdout.write(JSON.stringify({ kind: "result", sessionId, nodes: stats.nodes, edges: stats.edges, durationMs }) + "\n");
+      } else {
+        process.stdout.write(JSON.stringify(
+          { sessionId, stats, nodes: db.getNodes(sessionId), edges: db.getEdges(sessionId), durationMs },
+          null,
+          2
+        ) + "\n");
+      }
+      exportAll(db, sessionId, config.outputDir, ["discovery"]);
+      db.close();
+      activeDb = null;
+      return;
+    }
     w("\n");
     w(dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"));
     w(`  ${green(bold("DONE"))}  ${bold(String(stats.nodes))} nodes, ${bold(String(stats.edges))} edges  ${dim("in " + totalSec + "s")}
@@ -2588,7 +3746,7 @@ function main() {
       w("\n");
       const rl = createInterface({ input: process.stdin, output: process.stderr });
       const answer = await new Promise(
-        (resolve2) => rl.question(`  ${yellow("?")}  Remove nodes (numbers, empty = keep all): `, resolve2)
+        (resolve3) => rl.question(`  ${yellow("?")}  Remove nodes (numbers, empty = keep all): `, resolve3)
       );
       rl.close();
       const toRemove = answer.trim().split(/[\s,]+/).map(Number).filter((n) => n >= 1 && n <= allNodes.length);
@@ -2607,9 +3765,9 @@ function main() {
       }
     }
     exportAll(db, sessionId, config.outputDir, ["discovery"]);
-    const discoveryPath = resolve(config.outputDir, "discovery.html");
+    const discoveryPath = resolve2(config.outputDir, "discovery.html");
     w("\n");
-    if (existsSync2(discoveryPath)) {
+    if (existsSync3(discoveryPath)) {
       w(`  ${green("\u2713")}  ${bold("discovery.html")}  ${dim("\u2190 Enterprise Map")}
 `);
     }
@@ -2626,7 +3784,7 @@ function main() {
       while (continueDiscovery) {
         const rlFollowup = createInterface({ input: process.stdin, output: process.stderr });
         const followupHint = await new Promise(
-          (resolve2) => rlFollowup.question(`  ${yellow("\u2192")}  Search for (Enter = finish): `, resolve2)
+          (resolve3) => rlFollowup.question(`  ${yellow("\u2192")}  Search for (Enter = finish): `, resolve3)
         );
         rlFollowup.close();
         if (!followupHint.trim()) {
@@ -2654,7 +3812,7 @@ function main() {
 `);
         w("\n");
         exportAll(db, sessionId, config.outputDir, ["discovery"]);
-        if (existsSync2(discoveryPath)) {
+        if (existsSync3(discoveryPath)) {
           w(`  ${green("\u2713")}  ${bold("discovery.html updated")}
 `);
         }
@@ -2663,7 +3821,7 @@ function main() {
     }
     db.close();
   });
-  program.command("export [session-id]").description("Generate all output files").option("-o, --output <dir>", "Output directory", "./datasynx-output").option("--format <fmt...>", "Formats: mermaid,json,yaml,html,map").action((sessionId, opts) => {
+  program.command("export [session-id]").description("Generate all output files").option("-o, --output <dir>", "Output directory", "./datasynx-output").option("--format <fmt...>", "Formats: mermaid,json,yaml,html,map,cost").action((sessionId, opts) => {
     const config = defaultConfig({ outputDir: opts.output });
     const db = new CartographyDB(config.dbPath);
     const session = sessionId ? db.getSession(sessionId) : db.getLatestSession();
@@ -2679,6 +3837,216 @@ function main() {
 `);
     db.close();
   });
+  program.command("diff [base] [current]").description("Compare two discovery sessions (drift detection). Defaults to the two most recent.").option("--format <fmt>", "Output format: text, json, mermaid", "text").option("-o, --output <file>", "Write to a file instead of stdout").option("--db <path>", "DB path").action((base, current, opts) => {
+    const config = defaultConfig(opts.db ? { dbPath: opts.db } : {});
+    const db = new CartographyDB(config.dbPath);
+    activeDb = db;
+    try {
+      const sessions = db.getSessions();
+      const currentId = current ?? sessions[0]?.id;
+      const baseId = base ?? sessions[1]?.id;
+      if (!baseId || !currentId) {
+        process.stderr.write("\u274C Need at least two discovery sessions to diff\n");
+        process.exitCode = 1;
+        return;
+      }
+      if (baseId === currentId) {
+        process.stderr.write("\u274C Base and current session are the same\n");
+        process.exitCode = 1;
+        return;
+      }
+      const d = db.diffSessions(baseId, currentId);
+      const out = opts.format === "json" ? JSON.stringify(d, null, 2) : opts.format === "mermaid" ? generateDiffMermaid(d) : renderDiffText(d);
+      if (opts.output) {
+        writeFileSync3(opts.output, out + "\n");
+        process.stderr.write(`\u2713 Wrote diff to: ${opts.output}
+`);
+      } else {
+        process.stdout.write(out + "\n");
+      }
+    } catch (err) {
+      process.stderr.write(`\u274C ${err instanceof Error ? err.message : String(err)}
+`);
+      process.exitCode = 1;
+    } finally {
+      db.close();
+      activeDb = null;
+    }
+  });
+  program.command("compliance [session-id]").description("Score a session against a compliance ruleset (CIS/SOC2/ISO 27001 starter sets)").option("--ruleset <name>", "Ruleset: baseline, cis, soc2, iso27001", "baseline").option("--format <fmt>", "Output format: text, json, markdown, mermaid", "text").option("-o, --output <file>", "Write to a file instead of stdout").option("--db <path>", "DB path").action((sessionId, opts) => {
+    const config = defaultConfig(opts.db ? { dbPath: opts.db } : {});
+    const db = new CartographyDB(config.dbPath);
+    activeDb = db;
+    try {
+      const ruleset = getRuleset(opts.ruleset);
+      if (!ruleset) {
+        process.stderr.write(`\u274C Unknown ruleset: "${opts.ruleset}" (available: ${listRulesets().map((r) => r.name).join(", ")})
+`);
+        process.exitCode = 1;
+        return;
+      }
+      const sid = sessionId ?? db.getLatestSession()?.id;
+      if (!sid) {
+        process.stderr.write("\u274C No session to score (run discovery first or pass a session id)\n");
+        process.exitCode = 1;
+        return;
+      }
+      const report = db.scoreSession(sid, ruleset);
+      const out = opts.format === "json" || opts.format === "markdown" || opts.format === "mermaid" ? exportComplianceReport(report, opts.format) : formatComplianceText(report);
+      if (opts.output) {
+        writeFileSync3(opts.output, out + "\n");
+        process.stderr.write(`\u2713 Wrote compliance report to: ${opts.output}
+`);
+      } else {
+        process.stdout.write(out + "\n");
+      }
+    } catch (err) {
+      process.stderr.write(`\u274C ${err instanceof Error ? err.message : String(err)}
+`);
+      process.exitCode = 1;
+    } finally {
+      db.close();
+      activeDb = null;
+    }
+  });
+  program.command("drift [base] [current]").description("Classify drift between two sessions and emit to configured sinks (default: stdout). Defaults to the two most recent.").option("--min-severity <s>", "Minimum severity to emit: info|warning|critical", "info").option("--webhook <url>", "Outbound webhook URL (overrides config; token via CARTOGRAPHY_DRIFT_TOKEN)").option("--db <path>", "DB path").action(async (base, current, opts) => {
+    let drift;
+    try {
+      drift = DriftConfigSchema.parse({
+        minSeverity: opts.minSeverity,
+        sinks: opts.webhook ? [{ type: "webhook", url: opts.webhook }] : [{ type: "stdout" }]
+      });
+    } catch (err) {
+      process.stderr.write(`\u274C ${err instanceof Error ? err.message : String(err)}
+`);
+      process.exitCode = 1;
+      return;
+    }
+    const config = defaultConfig({ ...opts.db ? { dbPath: opts.db } : {}, drift });
+    const db = new CartographyDB(config.dbPath);
+    activeDb = db;
+    try {
+      const alert = await runDrift(db, config, { base, current, minSeverity: drift.minSeverity });
+      if (!alert) {
+        process.stderr.write("\u2139 Need at least two discovery sessions for drift; nothing to do.\n");
+        return;
+      }
+      process.stderr.write(`\u2713 drift severity=${alert.severity} items=${alert.items.length}
+`);
+    } catch (err) {
+      process.stderr.write(`\u274C ${err instanceof Error ? err.message : String(err)}
+`);
+      process.exitCode = 1;
+    } finally {
+      db.close();
+      activeDb = null;
+    }
+  });
+  program.command("schedule").description("Run discovery recurringly and record per-run topology drift").requiredOption("--config <file>", "Path to a JSON config file with a schedule block").option("--once", "Run a single pass and exit (cron-driver friendly; default)", false).option("--watch", "Run continuously on the configured cron schedule", false).option("--output-format <fmt>", "Result format: text, json, stream-json (overrides config)").option("--db <path>", "DB path (overrides config)").action(async (opts) => {
+    let cfg;
+    try {
+      cfg = loadConfig(opts.config);
+    } catch (err) {
+      process.stderr.write(`\u274C ${err instanceof ConfigError ? err.message : String(err)}
+`);
+      process.exitCode = 2;
+      return;
+    }
+    if (opts.db) cfg = defaultConfig({ ...cfg, dbPath: opts.db });
+    const fmt = opts.outputFormat ?? cfg.schedule?.outputFormat ?? "json";
+    if (!["text", "json", "stream-json"].includes(fmt)) {
+      process.stderr.write(`\u274C Invalid --output-format: "${fmt}" (must be text, json, or stream-json)
+`);
+      process.exitCode = 2;
+      return;
+    }
+    if (opts.once && opts.watch) {
+      process.stderr.write("\u274C --once and --watch are mutually exclusive\n");
+      process.exitCode = 2;
+      return;
+    }
+    const cron = cfg.schedule?.cron;
+    if (opts.watch && !cron) {
+      process.stderr.write("\u274C --watch requires a `schedule.cron` in the config file\n");
+      process.exitCode = 2;
+      return;
+    }
+    if (cron) {
+      try {
+        nextRun(cron, /* @__PURE__ */ new Date());
+      } catch (err) {
+        process.stderr.write(`\u274C Invalid cron "${cron}": ${err instanceof Error ? err.message : String(err)}
+`);
+        process.exitCode = 2;
+        return;
+      }
+    }
+    const db = new CartographyDB(cfg.dbPath);
+    activeDb = db;
+    const emit = (r) => {
+      if (fmt === "text") {
+        process.stdout.write(renderDriftSummaryText(r) + "\n");
+      } else {
+        const payload = { sessionId: r.sessionId, baseSessionId: r.baseSessionId ?? null, summary: r.delta.summary };
+        process.stdout.write(JSON.stringify(payload) + "\n");
+      }
+    };
+    const doRun = async () => {
+      const r = await runOnce(cfg, db);
+      db.recordDriftRun(r.sessionId, r.baseSessionId, r.delta);
+      maybeQueueForSync(db, r.sessionId, cfg, (s) => process.stderr.write(s));
+      emit(r);
+    };
+    if (opts.watch) {
+      let stopped = false;
+      let timer = null;
+      const MAX_DELAY_MS = 24 * 60 * 60 * 1e3;
+      let nextAnnounced = null;
+      const schedule = () => {
+        if (stopped) return;
+        const next = nextRun(cron, /* @__PURE__ */ new Date());
+        const targetMs = next.getTime();
+        if (next.toISOString() !== nextAnnounced) {
+          logInfo(`next scheduled run at ${next.toISOString()}`);
+          nextAnnounced = next.toISOString();
+        }
+        const remaining = targetMs - Date.now();
+        if (remaining > MAX_DELAY_MS) {
+          timer = setTimeout(schedule, MAX_DELAY_MS);
+          return;
+        }
+        timer = setTimeout(() => {
+          void (async () => {
+            try {
+              await doRun();
+            } catch (err) {
+              logError(`scheduled run failed: ${err instanceof Error ? err.message : String(err)}`);
+            }
+            nextAnnounced = null;
+            schedule();
+          })();
+        }, Math.max(0, remaining));
+      };
+      const stop = () => {
+        stopped = true;
+        if (timer) clearTimeout(timer);
+      };
+      process.once("SIGINT", stop);
+      process.once("SIGTERM", stop);
+      schedule();
+      return;
+    }
+    try {
+      await doRun();
+    } catch (err) {
+      process.stderr.write(`\u274C ${err instanceof Error ? err.message : String(err)}
+`);
+      process.exitCode = 1;
+    } finally {
+      db.close();
+      activeDb = null;
+    }
+  });
   program.command("show [session-id]").description("Show session details").action((sessionId) => {
     const config = defaultConfig();
     const db = new CartographyDB(config.dbPath);
@@ -2693,6 +4061,8 @@ function main() {
     const nodes = db.getNodes(session.id);
     process.stdout.write(`
 Session: ${session.id}
+`);
+    if (session.name) process.stdout.write(`  Name:    ${session.name}
 `);
     process.stdout.write(`  Mode:    ${session.mode}
 `);
@@ -2708,6 +4078,15 @@ Session: ${session.id}
 `);
     process.stdout.write(`  Tasks:   ${stats.tasks}
 `);
+    const events = db.getEvents(session.id);
+    if (events.length > 0) {
+      process.stdout.write("\n  Recent activity:\n");
+      for (const e of events.slice(-15)) {
+        const kb = e.resultBytes != null ? ` (${(e.resultBytes / 1024).toFixed(1)} KB)` : "";
+        process.stdout.write(`    ${e.timestamp}  ${e.process}  ${(e.command ?? "").slice(0, 60)}${kb}
+`);
+      }
+    }
     if (nodes.length > 0) {
       process.stdout.write("\n  Discovered nodes:\n");
       for (const node of nodes.slice(0, 20)) {
@@ -2735,7 +4114,7 @@ Session: ${session.id}
       const stats = db.getStats(session.id);
       const status = session.completedAt ? "\u2713" : "\u25CF";
       process.stdout.write(
-        `${status} ${session.id.substring(0, 8)}  [${session.mode}]  ${session.startedAt.substring(0, 19)}  nodes:${stats.nodes} edges:${stats.edges}
+        `${status} ${session.id.substring(0, 8)}  [${session.mode}]  ${session.startedAt.substring(0, 19)}  nodes:${stats.nodes} edges:${stats.edges}${session.name ? `  ${session.name}` : ""}
 `
       );
     }
@@ -2774,7 +4153,7 @@ Session: ${session.id}
       const status = session.completedAt ? green("\u2713") : yellow("\u25CF");
       const age = session.startedAt.substring(0, 16).replace("T", " ");
       const sid = cyan(session.id.substring(0, 8));
-      w(`  ${status} ${sid}  ${b("[" + session.mode + "]")}  ${d(age)}
+      w(`  ${status} ${sid}  ${b("[" + session.mode + "]")}  ${d(age)}${session.name ? `  ${d(session.name)}` : ""}
 `);
       w(`    ${d("Nodes: " + stats.nodes + "  Edges: " + stats.edges)}
 `);
@@ -2792,8 +4171,9 @@ Session: ${session.id}
     }
     db.close();
   });
-  program.command("chat [session-id]").description("Interactive chat about your mapped infrastructure").option("--db <path>", "DB path").option("--model <m>", "Model", "claude-sonnet-4-5-20250929").action(async (sessionIdArg, opts) => {
+  program.command("chat [session-id]").description("Interactive chat about your mapped infrastructure").option("--db <path>", "DB path").option("--model <m>", "Model (defaults to the fast helper model)").action(async (sessionIdArg, opts) => {
     const config = defaultConfig();
+    const model = opts.model ?? config.models.fast;
     const db = new CartographyDB(opts.db ?? config.dbPath);
     const sessions = db.getSessions();
     const session = sessionIdArg ? sessions.find((s) => s.id.startsWith(sessionIdArg)) : sessions.filter((s) => s.completedAt).at(-1) ?? sessions.at(-1);
@@ -2815,7 +4195,7 @@ Session: ${session.id}
     w(dim(`  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
 `));
     w(`  ${dim("Ask anything about your infrastructure. exit = quit.\n\n")}`);
-    const Anthropic = (await import("./sdk-QSTAREST.js")).default;
+    const Anthropic = (await import("@anthropic-ai/sdk")).default;
     const client = new Anthropic();
     const infraSummary = JSON.stringify({
       nodes: nodes.map((n) => ({
@@ -2837,7 +4217,7 @@ INFRASTRUCTURE SNAPSHOT (${nodes.length} nodes, ${edges.length} edges):
 ${infraSummary.substring(0, 12e3)}`;
     const history = [];
     const rl = createInterface({ input: process.stdin, output: process.stdout });
-    const ask = () => new Promise((resolve2) => rl.question(`  ${cyan(">")} `, resolve2));
+    const ask = () => new Promise((resolve3) => rl.question(`  ${cyan(">")} `, resolve3));
     while (true) {
       let userInput;
       try {
@@ -2850,7 +4230,7 @@ ${infraSummary.substring(0, 12e3)}`;
       history.push({ role: "user", content: userInput });
       try {
         const resp = await client.messages.create({
-          model: opts.model,
+          model,
           max_tokens: 1024,
           system: systemPrompt,
           messages: history
@@ -2919,9 +4299,9 @@ ${infraSummary.substring(0, 12e3)}`;
     out("\n");
     out(`  ${green("datasynx-cartography discover")}
 `);
-    out(`    Scans your local infrastructure (Claude Sonnet).
+    out(`    Scans your local infrastructure (provider-agnostic: claude, openai, ollama).
 `);
-    out(`    Claude autonomously runs ${IS_WIN ? "Get-NetTCPConnection, Get-Process" : IS_MAC ? "lsof, ps" : "ss, ps"}, curl, docker inspect, kubectl get
+    out(`    The agent autonomously runs ${IS_WIN ? "Get-NetTCPConnection, Get-Process" : IS_MAC ? "lsof, ps" : "ss, ps"}, curl, docker inspect, kubectl get
 `);
     out(`    and stores everything in SQLite.
 `);
@@ -2944,7 +4324,7 @@ ${infraSummary.substring(0, 12e3)}`;
     out("\n");
     out(`  ${green("datasynx-cartography export [session-id]")}
 `);
-    out(dim("    --format <fmt...>   mermaid, json, yaml, html, map  (default: all)\n"));
+    out(dim("    --format <fmt...>   mermaid, json, yaml, html, map, cost  (default: all but cost)\n"));
     out(dim("    -o, --output <dir>  Output directory\n"));
     out("\n");
     out(`  ${green("datasynx-cartography show [session-id]")}    ${dim("Session details + node list")}
@@ -2968,7 +4348,7 @@ ${infraSummary.substring(0, 12e3)}`;
     out(dim("        \u2514\u2500\u2500 Platform Detection (platform.ts)\n"));
     out(dim("            \u2514\u2500\u2500 Shell: /bin/sh (Unix) | PowerShell (Windows)\n"));
     out(dim("            \u2514\u2500\u2500 Agent Orchestrator (agent.ts)\n"));
-    out(dim("                \u2514\u2500\u2500 runDiscovery() \u2192 Claude Sonnet + Bash + MCP Tools\n"));
+    out(dim("                \u2514\u2500\u2500 runDiscovery() \u2192 AgentProvider (claude|openai|ollama) + Bash + MCP Tools\n"));
     out(dim("                    \u2514\u2500\u2500 Custom MCP Tools (tools.ts)\n"));
     out(dim("                        save_node, save_edge,\n"));
     out(dim("                        scan_bookmarks, scan_browser_history,\n"));
@@ -3005,10 +4385,10 @@ ${infraSummary.substring(0, 12e3)}`;
     out("\n");
   });
   program.command("bookmarks").description("View all browser bookmarks (Chrome, Chromium, Edge, Brave, Vivaldi, Opera, Firefox)").action(async () => {
-    const { scanAllBookmarks: scanAllBookmarks2 } = await import("./bookmarks-VS56KVCO.js");
+    const { scanAllBookmarks } = await import("./bookmarks-WXHE7GN7.js");
     const out = (s) => process.stdout.write(s);
     process.stderr.write("  Scanning bookmarks...\n\n");
-    const hosts = await scanAllBookmarks2();
+    const hosts = await scanAllBookmarks();
     if (hosts.length === 0) {
       out("  (No bookmarks found \u2014 Chrome, Edge, Brave, Vivaldi, Opera and Firefox are supported)\n\n");
       return;
@@ -3035,16 +4415,52 @@ ${infraSummary.substring(0, 12e3)}`;
 `));
     out(dim("  Tip: ") + "datasynx-cartography discover" + dim(" \u2014 scans + classifies all bookmarks automatically\n\n"));
   });
-  program.command("seed").description("Manually add known infrastructure (tools, DBs, APIs, etc.)").option("--file <path>", "JSON file with node definitions").option("--session <id>", "Add to existing session (default: new session)").option("--db <path>", "DB path").action(async (opts) => {
-    const config = defaultConfig({ ...opts.db ? { dbPath: opts.db } : {} });
+  program.command("cost").description("Import cost/owner attribution from a CSV and enrich a session (FinOps)").requiredOption("--file <path>", "CSV: nodeId,owner,amount,currency,period[,source]").option("--session <id>", "Session to enrich (default: latest)").option("--match <strategy>", "Row\u2192node match: nodeId | name | tag", "nodeId").option("--db <path>", "DB path").action(async (opts) => {
+    const config = defaultConfig(opts.db ? { dbPath: opts.db } : {});
+    const db = new CartographyDB(config.dbPath);
+    activeDb = db;
+    try {
+      const sessionId = opts.session ?? db.getLatestSession("discover")?.id;
+      if (!sessionId) {
+        process.stderr.write("\u274C No session to enrich (run discovery first or pass --session)\n");
+        process.exitCode = 1;
+        return;
+      }
+      const match = opts.match;
+      if (!["nodeId", "name", "tag"].includes(match)) {
+        process.stderr.write(`\u274C Invalid --match: "${match}" (nodeId | name | tag)
+`);
+        process.exitCode = 1;
+        return;
+      }
+      const source = new CsvCostSource({ filePath: opts.file, match, db, sessionId });
+      const r = await enrichCosts(db, sessionId, source);
+      process.stderr.write(`\u2713 cost: ${r.matched} matched, ${r.unmatched} unmatched (of ${r.total}) from ${r.source}
+`);
+      if (r.unmatchedIds.length > 0) {
+        process.stderr.write(`  unmatched ids: ${r.unmatchedIds.slice(0, 20).join(", ")}${r.unmatchedIds.length > 20 ? " \u2026" : ""}
+`);
+      }
+      if (r.matched === 0 && r.total > 0) process.exitCode = 1;
+    } catch (err) {
+      process.stderr.write(`\u274C ${err instanceof Error ? err.message : String(err)}
+`);
+      process.exitCode = 1;
+    } finally {
+      db.close();
+      activeDb = null;
+    }
+  });
+  program.command("seed").description("Manually add known infrastructure (tools, DBs, APIs, etc.)").option("--file <path>", "JSON file with node definitions").option("--session <id>", "Add to existing session (default: new session)").option("--org <name>", "Tenant/organization to scope the session to (default: local)").option("--db <path>", "DB path").action(async (opts) => {
+    const config = defaultConfig({ ...opts.db ? { dbPath: opts.db } : {}, ...opts.org ? { organization: opts.org } : {} });
     const db = new CartographyDB(config.dbPath);
-    const sessionId = opts.session ?? db.createSession("discover", config);
+    const sessionId = opts.session ?? db.createSession("discover", config, opts.org);
     const out = (s) => process.stdout.write(s);
     const w = (s) => process.stderr.write(s);
     if (opts.file) {
       let raw;
       try {
-        raw = JSON.parse(readFileSync2(resolve(opts.file), "utf8"));
+        raw = JSON.parse(readFileSync5(resolve2(opts.file), "utf8"));
       } catch (e) {
         w(red(`
   \u2717  Could not read file: ${e}
@@ -3062,7 +4478,7 @@ ${infraSummary.substring(0, 12e3)}`;
       for (const entry of raw) {
         const type = entry["type"];
         const name = entry["name"];
-        const host = entry["host"];
+        const host2 = entry["host"];
         const port = entry["port"];
         const tags = entry["tags"] ?? [];
         const metadata = entry["metadata"] ?? {};
@@ -3071,14 +4487,14 @@ ${infraSummary.substring(0, 12e3)}`;
 `));
           continue;
         }
-        const id = host ? `${type}:${host}${port ? ":" + port : ""}` : `${type}:${name.toLowerCase().replace(/\s+/g, "-")}`;
+        const id = host2 ? `${type}:${host2}${port ? ":" + port : ""}` : `${type}:${name.toLowerCase().replace(/\s+/g, "-")}`;
         db.upsertNode(sessionId, {
           id,
           type,
           name,
           discoveredVia: "manual",
           confidence: 1,
-          metadata: { ...metadata, ...host ? { host } : {}, ...port ? { port } : {} },
+          metadata: { ...metadata, ...host2 ? { host: host2 } : {}, ...port ? { port } : {} },
           tags
         });
         out(`  ${green("+")}  ${cyan(id)}  ${dim("(" + type + ")")}
@@ -3092,7 +4508,7 @@ ${infraSummary.substring(0, 12e3)}`;
 `);
       return;
     }
-    const { NODE_TYPES: NODE_TYPES2 } = await import("./types-JG27FR3E.js");
+    const { NODE_TYPES } = await import("./types-TJWXAQ2L.js");
     if (!process.stdin.isTTY) {
       w(red("\n  \u2717  Interactive mode requires a terminal (use --file for non-interactive)\n\n"));
       process.exitCode = 1;
@@ -3107,7 +4523,7 @@ ${infraSummary.substring(0, 12e3)}`;
     const rl = createInterface({ input: process.stdin, output: process.stderr });
     const ask = (q) => new Promise((res) => rl.question(q, res));
     let saved = 0;
-    const typeList = NODE_TYPES2.map((t, i) => `${dim((i + 1).toString().padStart(2))}  ${t}`).join("\n  ");
+    const typeList = NODE_TYPES.map((t, i) => `${dim((i + 1).toString().padStart(2))}  ${t}`).join("\n  ");
     while (true) {
       w("\n");
       w(dim("  Node types:\n"));
@@ -3118,9 +4534,9 @@ ${infraSummary.substring(0, 12e3)}`;
       if (!typeInput) break;
       let nodeType;
       const asNum = parseInt(typeInput, 10);
-      if (!isNaN(asNum) && asNum >= 1 && asNum <= NODE_TYPES2.length) {
-        nodeType = NODE_TYPES2[asNum - 1];
-      } else if (NODE_TYPES2.includes(typeInput)) {
+      if (!isNaN(asNum) && asNum >= 1 && asNum <= NODE_TYPES.length) {
+        nodeType = NODE_TYPES[asNum - 1];
+      } else if (NODE_TYPES.includes(typeInput)) {
         nodeType = typeInput;
       } else {
         w(yellow(`  \u26A0  Unknown type: "${typeInput}"
@@ -3135,17 +4551,17 @@ ${infraSummary.substring(0, 12e3)}`;
       const hostRaw = (await ask(`  ${cyan("Host / IP")} ${dim("[optional, Enter=skip]")}: `)).trim();
       const portRaw = (await ask(`  ${cyan("Port")} ${dim("[optional]")}: `)).trim();
       const tagsRaw = (await ask(`  ${cyan("Tags")} ${dim("[comma-separated, optional]")}: `)).trim();
-      const host = hostRaw || void 0;
+      const host2 = hostRaw || void 0;
       const port = portRaw ? parseInt(portRaw, 10) : void 0;
       const tags = tagsRaw ? tagsRaw.split(",").map((t) => t.trim()).filter(Boolean) : [];
-      const id = host ? `${nodeType}:${host}${port ? ":" + port : ""}` : `${nodeType}:${name.toLowerCase().replace(/\s+/g, "-")}`;
+      const id = host2 ? `${nodeType}:${host2}${port ? ":" + port : ""}` : `${nodeType}:${name.toLowerCase().replace(/\s+/g, "-")}`;
       db.upsertNode(sessionId, {
         id,
         type: nodeType,
         name,
         discoveredVia: "manual",
         confidence: 1,
-        metadata: { ...host ? { host } : {}, ...port ? { port } : {} },
+        metadata: { ...host2 ? { host: host2 } : {}, ...port ? { port } : {} },
         tags
       });
       out(`  ${green("+")}  ${cyan(id)}
@@ -3168,8 +4584,8 @@ ${infraSummary.substring(0, 12e3)}`;
   });
   program.command("doctor").description("Check all requirements and cloud CLIs").action(async () => {
     const { execSync: execSync2 } = await import("child_process");
-    const { existsSync: existsSync3, readFileSync: readFileSync3 } = await import("fs");
-    const { join: join3 } = await import("path");
+    const { existsSync: existsSync4, readFileSync: readFileSync6 } = await import("fs");
+    const { join: join4 } = await import("path");
     const out = (s) => process.stdout.write(s);
     const ok = (msg) => out(`  \x1B[32m\u2713\x1B[0m  ${msg}
 `);
@@ -3183,10 +4599,10 @@ ${infraSummary.substring(0, 12e3)}`;
     out(dim2("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"));
     const nodeVer = process.versions.node;
     const [major] = nodeVer.split(".").map(Number);
-    if ((major ?? 0) >= 18) {
+    if ((major ?? 0) >= 20) {
       ok(`Node.js ${nodeVer}`);
     } else {
-      err(`Node.js ${nodeVer} \u2014 requires >=18`);
+      err(`Node.js ${nodeVer} \u2014 requires >=20`);
       allGood = false;
     }
     try {
@@ -3200,7 +4616,7 @@ ${infraSummary.substring(0, 12e3)}`;
     const home = process.env.HOME ?? process.env.USERPROFILE ?? "/tmp";
     let hasOAuth = false;
     try {
-      const creds = JSON.parse(readFileSync3(join3(home, ".claude", ".credentials.json"), "utf8"));
+      const creds = JSON.parse(readFileSync6(join4(home, ".claude", ".credentials.json"), "utf8"));
       const oauth = creds["claudeAiOauth"];
       hasOAuth = typeof oauth?.["accessToken"] === "string" && oauth["accessToken"].length > 0;
     } catch {
@@ -3250,8 +4666,8 @@ ${infraSummary.substring(0, 12e3)}`;
         warn(`${name} not found  ${dim2("\u2014 discovery without " + name + " will be limited")}`);
       }
     }
-    const dbDir = join3(home, ".cartography");
-    if (existsSync3(dbDir)) {
+    const dbDir = join4(home, ".cartography");
+    if (existsSync4(dbDir)) {
       ok(`~/.cartography  ${dim2("(data directory exists)")}`);
     } else {
       warn("~/.cartography does not exist yet  " + dim2("\u2014 will be created on first run"));
@@ -3298,15 +4714,303 @@ ${infraSummary.substring(0, 12e3)}`;
     }
     db.close();
   });
-  program.command("mcp").description("Run the Model Context Protocol server (stdio by default) \u2014 the primary interface for AI agents").option("--http", "Use Streamable HTTP transport instead of stdio", false).option("--port <n>", "HTTP port", "3737").option("--host <h>", "HTTP host", "127.0.0.1").option("--db <path>", "DB path").option("--session <id>", 'Session to serve (id or "latest")', "latest").option("--no-semantic", "Disable semantic (vector) search").action(async (opts) => {
-    await startMcp({
+  program.command("list-clients").description("List the AI hosts the installer can configure").action(() => {
+    o("\n" + bold("  Supported MCP hosts:") + "\n\n");
+    for (const c of listClients()) {
+      o(`  ${green(c.id.padEnd(16))} ${bold(c.label.padEnd(20))} ${dim(c.format)}
+`);
+      if (c.note) o(`  ${" ".repeat(16)} ${dim("\u21B3 " + c.note)}
+`);
+    }
+    o("\n" + dim(`  Install:  ${CMD} install --client <id>  [--project] [--dry-run]`) + "\n\n");
+  });
+  program.command("install").description("Register the Cartography MCP server into an AI host's config (parse-merge, never clobber)").requiredOption("--client <id>", "Target host id (see `list-clients`)").option("--global", "Write the global/user config (default)", false).option("--project", "Write the project-local config instead", false).option("--dry-run", "Show the merge diff without writing", false).option("--deeplink", "Print a one-click install deeplink instead of writing (Cursor / VS Code)", false).option("--name <name>", "Server name to register", DEFAULT_SERVER_NAME).option("--http", "Register the Streamable HTTP endpoint instead of stdio", false).option("--url <url>", "HTTP endpoint (with --http)").option("--db <path>", "Pass --db <path> to the server").option("--session <id>", "Pass --session <id> to the server").action((opts) => {
+    const spec = getClient(opts.client);
+    if (!spec) {
+      logError(`Unknown client "${opts.client}". Run \`${CMD} list-clients\` to see options.`);
+      process.exitCode = 1;
+      return;
+    }
+    const scope = opts.project ? "project" : "global";
+    const packageArgs = [];
+    if (opts.db) packageArgs.push("--db", opts.db);
+    if (opts.session) packageArgs.push("--session", opts.session);
+    const entry = defaultServerEntry({
       transport: opts.http ? "http" : "stdio",
-      port: parseInt(opts.port, 10),
-      host: opts.host,
-      dbPath: opts.db,
-      session: opts.session,
-      semantic: opts.semantic
+      ...opts.url ? { url: opts.url } : {},
+      ...packageArgs.length ? { packageArgs } : {}
     });
+    if (opts.deeplink) {
+      if (opts.client === "cursor") {
+        o("\n" + bold("  Cursor one-click:") + "\n  " + cyan(cursorDeeplink(opts.name, entry)) + "\n\n");
+      } else if (opts.client === "vscode") {
+        o("\n" + bold("  VS Code one-click:") + "\n  " + cyan(vscodeDeeplink(opts.name, entry)) + "\n");
+        o("  " + dim("or: ") + codeAddMcpCommand(opts.name, entry) + "\n\n");
+      } else {
+        logWarn(`No deeplink available for "${opts.client}". Deeplinks exist for: cursor, vscode.`);
+      }
+      return;
+    }
+    try {
+      const plan = planInstall(spec, defaultContext(scope), { serverName: opts.name, entry });
+      o("\n" + bold(`  ${plan.label}`) + dim(` (${plan.format}, ${scope})`) + "\n");
+      o(dim(`  ${plan.path}`) + "\n");
+      if (plan.note) o(yellow(`  \u26A0 ${plan.note}`) + "\n");
+      o("\n" + renderDiff(plan.before, plan.after) + "\n\n");
+      if (!plan.changed) {
+        o(green("  \u2713 Already up to date \u2014 nothing to write.") + "\n\n");
+        return;
+      }
+      if (opts.dryRun) {
+        o(yellow("  Dry run \u2014 no file written.") + "\n\n");
+        return;
+      }
+      applyInstall(plan);
+      o(green(`  \u2713 Wrote ${plan.fileExists ? "updated" : "new"} config.`) + " " + dim("Restart the host to pick it up.") + "\n\n");
+    } catch (err) {
+      logError(err instanceof Error ? err.message : String(err));
+      process.exitCode = 1;
+    }
+  });
+  program;
+  const consent = program.command("consent").description("Manage the per-employee data-sharing policy (none|anonymized|full) + admin anonymization");
+  consent.command("default <level>").description("Set the global default sharing level (none|anonymized|full)").option("--db <path>", "DB path").action((level, opts) => {
+    const parsed = SharingLevelSchema.safeParse(level);
+    if (!parsed.success) {
+      logError(`Invalid level "${level}" \u2014 expected one of: none, anonymized, full`);
+      process.exitCode = 1;
+      return;
+    }
+    const config = defaultConfig(opts.db ? { dbPath: opts.db } : {});
+    const db = new CartographyDB(config.dbPath);
+    try {
+      db.setSharingLevel("*", parsed.data);
+      logInfo(`default sharing level set to "${parsed.data}"`);
+    } finally {
+      db.close();
+    }
+  });
+  consent.command("set <pattern> <level>").description("Set a pattern override (glob over the node id; * = within-segment, ** = any)").option("--db <path>", "DB path").action((pattern, level, opts) => {
+    const parsed = SharingLevelSchema.safeParse(level);
+    if (!parsed.success) {
+      logError(`Invalid level "${level}" \u2014 expected one of: none, anonymized, full`);
+      process.exitCode = 1;
+      return;
+    }
+    if (pattern === "*" || pattern === "**") {
+      logError("Use `consent default <level>` to set the global default; `set` is for narrower overrides");
+      process.exitCode = 1;
+      return;
+    }
+    const config = defaultConfig(opts.db ? { dbPath: opts.db } : {});
+    const db = new CartographyDB(config.dbPath);
+    try {
+      db.setSharingLevel(pattern, parsed.data);
+      logInfo(`override "${pattern}" \u2192 "${parsed.data}"`);
+    } finally {
+      db.close();
+    }
+  });
+  consent.command("clear <pattern>").description("Remove a pattern override (the global default cannot be cleared)").option("--db <path>", "DB path").action((pattern, opts) => {
+    const config = defaultConfig(opts.db ? { dbPath: opts.db } : {});
+    const db = new CartographyDB(config.dbPath);
+    try {
+      db.clearSharingOverride(pattern);
+      logInfo(`override "${pattern}" cleared`);
+    } finally {
+      db.close();
+    }
+  });
+  consent.command("list").description("Show the global default + every pattern override").option("--db <path>", "DB path").action((opts) => {
+    const config = defaultConfig(opts.db ? { dbPath: opts.db } : {});
+    const db = new CartographyDB(config.dbPath);
+    try {
+      const policy = db.getSharingPolicy();
+      process.stdout.write(JSON.stringify(policy, null, 2) + "\n");
+    } finally {
+      db.close();
+    }
+  });
+  consent.command("preview [session]").description("Show exactly what would leave the machine for a session (default: latest)").option("--db <path>", "DB path").option("--org <name>", "Organization namespace for the org key").action((session, opts) => {
+    const config = defaultConfig(opts.db ? { dbPath: opts.db } : {});
+    const db = new CartographyDB(config.dbPath);
+    try {
+      const sid = session && session !== "latest" ? session : db.getLatestSession("discover")?.id;
+      if (!sid) {
+        logError("No session found to preview");
+        process.exitCode = 1;
+        return;
+      }
+      const orgKey = loadOrgKey({ organization: opts.org });
+      const policy = db.getSharingPolicy();
+      const preview = previewShare(db, sid, orgKey, policy);
+      process.stdout.write(JSON.stringify(preview, null, 2) + "\n");
+    } finally {
+      db.close();
+    }
+  });
+  const consentKey = consent.command("key").description("Org-key administration");
+  consentKey.command("rotate").description("Rotate the org key (prior reversal entries become unrecoverable)").option("--org <name>", "Organization namespace for the org key").action((opts) => {
+    rotateOrgKey({ organization: opts.org });
+    logInfo("org key rotated");
+  });
+  consent.command("reverse <token>").description("Admin: recover the original plaintext behind a pseudonym token").option("--db <path>", "DB path").option("--org <name>", "Organization namespace for the org key").action((token, opts) => {
+    const config = defaultConfig(opts.db ? { dbPath: opts.db } : {});
+    const db = new CartographyDB(config.dbPath);
+    try {
+      const orgKey = loadOrgKey({ organization: opts.org });
+      const plaintext = reversePseudonym(token, orgKey, db);
+      if (plaintext === void 0) {
+        logError(`Could not reverse "${token}" (unknown token or wrong/rotated org key)`);
+        process.exitCode = 1;
+        return;
+      }
+      process.stdout.write(plaintext + "\n");
+    } finally {
+      db.close();
+    }
+  });
+  const sync = program.command("sync").description("Central-DB outbound sync: review queued items and push approved deltas (opt-in)");
+  sync.command("status").description("Show the pending-review queue (counts by status + pending items)").option("--db <path>", "DB path").action((opts) => {
+    const config = defaultConfig(opts.db ? { dbPath: opts.db } : {});
+    const db = new CartographyDB(config.dbPath);
+    try {
+      if (!config.centralDb?.url) {
+        logWarn("centralDb is not configured \u2014 sync is inert (set centralDb in ~/.cartography/config.json or CARTOGRAPHY_CENTRAL_URL/TOKEN)");
+      }
+      const counts = db.countPendingByStatus();
+      process.stdout.write(JSON.stringify(counts, null, 2) + "\n");
+      const pending = db.getPendingShares({ status: "pending" });
+      for (const p of pending.slice(0, 50)) {
+        process.stdout.write(`  ${p.kind === "node" ? "\u25CF" : "\u2192"} ${p.nodeId ?? p.contentHash.slice(0, 12)} ${dim("(" + p.kind + ")")}
+`);
+      }
+      if (pending.length > 50) process.stdout.write(`  ${dim("\u2026 and " + (pending.length - 50) + " more")}
+`);
+    } finally {
+      db.close();
+    }
+  });
+  sync.command("review").description("Interactively approve/withhold each pending item (decisions are remembered)").option("--db <path>", "DB path").action(async (opts) => {
+    const config = defaultConfig(opts.db ? { dbPath: opts.db } : {});
+    const db = new CartographyDB(config.dbPath);
+    try {
+      const pending = db.getPendingShares({ status: "pending" });
+      if (pending.length === 0) {
+        logInfo("no pending items to review");
+        return;
+      }
+      if (!process.stdin.isTTY) {
+        logWarn(`${pending.length} pending item(s); run \`sync review\` in an interactive terminal to decide them`);
+        return;
+      }
+      const w = process.stderr.write.bind(process.stderr);
+      const patternFor = (p) => p.nodeId;
+      for (const p of pending) {
+        w("\n");
+        w(`  ${yellow(bold("?"))}  Share ${p.kind} ${bold(p.nodeId ?? p.contentHash.slice(0, 12))}?
+`);
+        w(`     ${dim(JSON.stringify(p.payload))}
+`);
+        const rl = createInterface({ input: process.stdin, output: process.stderr });
+        const ans = (await new Promise((res) => rl.question(`  ${cyan("\u2192")} [s]hare / [w]ithhold / [a]lways / [n]ever / [q]uit: `, res))).trim().toLowerCase();
+        rl.close();
+        const pat = patternFor(p);
+        if (ans === "q") break;
+        if (ans === "s") {
+          db.setPendingStatus(p.contentHash, "approved", "user");
+        } else if (ans === "w") {
+          db.setPendingStatus(p.contentHash, "withheld", "user");
+        } else if (ans === "a") {
+          if (pat) db.setSharingLevel(pat, "full");
+          db.setPendingStatus(p.contentHash, "approved", "user");
+        } else if (ans === "n") {
+          if (pat) db.setSharingLevel(pat, "none");
+          db.setPendingStatus(p.contentHash, "withheld", "user");
+        } else {
+          w(`  ${dim("skipped (left pending)")}
+`);
+        }
+      }
+      const counts = db.countPendingByStatus();
+      logInfo(`review done \u2014 approved ${counts.approved}, withheld ${counts.withheld}, pending ${counts.pending}`);
+    } finally {
+      db.close();
+    }
+  });
+  sync.command("push").description("Push approved deltas to the central ingest endpoint (bearer-auth HTTPS)").option("--db <path>", "DB path").option("--dry-run", "Preview the batches without sending", false).action(async (opts) => {
+    const config = defaultConfig(opts.db ? { dbPath: opts.db } : {});
+    if (!config.centralDb?.url) {
+      logError("centralDb is not configured \u2014 nothing to push (set centralDb.url + token)");
+      process.exitCode = 1;
+      return;
+    }
+    const db = new CartographyDB(config.dbPath);
+    try {
+      const approved = db.getApprovedShares();
+      const items = approved.map((p) => ({ contentHash: p.contentHash, kind: p.kind, payload: p.payload }));
+      const result = await pushDeltas(config, items, { dryRun: opts.dryRun });
+      if (!opts.dryRun) {
+        for (const hash of result.sentHashes) db.setPendingStatus(hash, "shared");
+      }
+      logInfo(`sync push: sent ${result.sent}, batches ${result.batches}, failed ${result.failed}${opts.dryRun ? " (dry-run)" : ""}`);
+    } catch (err) {
+      logError(`sync push failed: ${err instanceof Error ? err.message : String(err)}`);
+      process.exitCode = 1;
+    } finally {
+      db.close();
+    }
+  });
+  program.command("mcp").description("Run the Model Context Protocol server (stdio by default) \u2014 the primary interface for AI agents").option("--http", "Use Streamable HTTP transport instead of stdio", false).option("--port <n>", "HTTP port", "3737").option("--host <h>", "HTTP host", "127.0.0.1").option("--allowed-hosts <list>", "Comma-separated Host allowlist (required for non-loopback --host)").option("--token <secret>", "Bearer token required on HTTP requests (or CARTOGRAPHY_HTTP_TOKEN); mandatory for non-loopback --host").option("--db <path>", "DB path").option("--session <id>", 'Session to serve (id or "latest")', "latest").option("--tenant <id>", "Tenant/organization whose topology to serve (alias: --org; default: local)").option("--org <id>", "Alias for --tenant").option("--no-semantic", "Disable semantic (vector) search").option("--plugins <list>", "Comma-separated scanner plugin package names to load (opt-in; or CARTOGRAPHY_PLUGINS)").option("--server-mode", "Run as a central collector: enable the authenticated POST /ingest write route + org-wide summary (implies --http; opt-in)", false).option("--anon-mode <mode>", "On ingest, reject|strip un-anonymized identifying fragments (server-mode)", "reject").action(async (opts) => {
+    try {
+      const anonMode = opts.anonMode;
+      if (anonMode !== "reject" && anonMode !== "strip") {
+        process.stderr.write(`
+error: --anon-mode must be 'reject' or 'strip' (got '${anonMode}')
+`);
+        process.exitCode = 1;
+        return;
+      }
+      await startMcp({
+        transport: opts.http ? "http" : "stdio",
+        port: parseInt(opts.port, 10),
+        host: opts.host,
+        allowedHosts: opts.allowedHosts ? String(opts.allowedHosts).split(",").map((h) => h.trim()).filter(Boolean) : void 0,
+        token: opts.token,
+        dbPath: opts.db,
+        session: opts.session,
+        tenant: opts.tenant ?? opts.org,
+        semantic: opts.semantic,
+        plugins: opts.plugins ? String(opts.plugins).split(",").map((p) => p.trim()).filter(Boolean) : void 0,
+        serverMode: opts.serverMode === true,
+        anonMode
+      });
+    } catch (err) {
+      process.stderr.write(`
+error: ${err instanceof Error ? err.message : String(err)}
+`);
+      process.exitCode = 1;
+    }
+  });
+  program.command("api").description("Run the read-only REST/GraphQL API server over the topology store (4.2)").option("--http", "Use HTTP transport (default; kept for symmetry with mcp)", true).option("--port <n>", "HTTP port", "3737").option("--host <h>", "HTTP host", "127.0.0.1").option("--allowed-hosts <list>", "Comma-separated Host allowlist (required for non-loopback --host)").option("--allowed-origins <list>", "Comma-separated CORS Origin allowlist (default: same-origin only)").option("--token <secret>", "Bearer token required on requests (or CARTOGRAPHY_HTTP_TOKEN); mandatory for non-loopback --host").option("--db <path>", "DB path").option("--session <id>", 'Session to serve (id or "latest")', "latest").option("--tenant <id>", "Default tenant whose topology to serve (alias: --org; default: local)").option("--org <id>", "Alias for --tenant").option("--no-graphql", "Disable the /graphql endpoint (REST only)").action(async (opts) => {
+    try {
+      await startApi({
+        port: parseInt(opts.port, 10),
+        host: opts.host,
+        allowedHosts: opts.allowedHosts ? String(opts.allowedHosts).split(",").map((h) => h.trim()).filter(Boolean) : void 0,
+        allowedOrigins: opts.allowedOrigins ? String(opts.allowedOrigins).split(",").map((o2) => o2.trim()).filter(Boolean) : void 0,
+        token: opts.token,
+        dbPath: opts.db,
+        session: opts.session,
+        tenant: opts.tenant ?? opts.org,
+        graphql: opts.graphql
+      });
+    } catch (err) {
+      process.stderr.write(`
+error: ${err instanceof Error ? err.message : String(err)}
+`);
+      process.exitCode = 1;
+    }
   });
   const o = (s) => process.stderr.write(s);
   o("\n");
@@ -3326,7 +5030,7 @@ ${infraSummary.substring(0, 12e3)}`;
     o("\n");
     o(bold("  Commands:\n"));
     o("\n");
-    o(`  ${green("discover")}             ${dim("Scan infrastructure (Claude Sonnet)")}
+    o(`  ${green("discover")}             ${dim("Scan infrastructure (provider: claude|openai|ollama)")}
 `);
     o(`  ${green("seed")}                 ${dim("Manually add known tools/DBs/APIs")}
 `);