@datasynx/agentic-ai-cartography 2.10.0 → 2.12.1

package/dist/{chunk-ASCA3UFM.js → chunk-OIDAXUW5.js}

@@ -20,12 +20,13 @@ import {
   k8sScanner,
   keyMetaOf,
   normalizeTenant,
+  redactSecrets,
   redactValue,
   resolvePrincipal,
   sanitizeUntrusted,
   stableStringify,
   stripSensitive
-} from "./chunk-YVV6NIT2.js";
+} from "./chunk-LO6YFS6H.js";
 import {
   EdgeSchema,
   NODE_TYPES,
@@ -653,9 +654,132 @@ var serviceConfigScanner = {
   }
 };
 
+// src/scanners/terraform.ts
+import { readFileSync } from "fs";
+var TYPE_RULES = [
+  [/(db_instance|_rds|sql_database|sql_instance|database_instance|cosmosdb|dynamodb|spanner|bigtable|documentdb|redshift)/, "database_server"],
+  [/(elasticache|_redis|memcached|memorystore)/, "cache_server"],
+  [/(s3_bucket|storage_bucket|gcs_bucket|storage_account|_blob)/, "database"],
+  [/(_sqs|_queue|servicebus_queue)/, "queue"],
+  [/(_sns|_topic|pubsub_topic|servicebus_topic)/, "topic"],
+  [/(kafka|_msk|event_hub|kinesis)/, "message_broker"],
+  [/(_eks|_gke|_aks|kubernetes_cluster|container_cluster)/, "k8s_cluster"],
+  [/(ecs_|_container|fargate)/, "container"],
+  [/(lambda|cloud_function|cloudfunctions|function_app|cloud_run)/, "web_service"],
+  [/(_lb$|load_balancer|_alb|_elb|application_gateway)/, "web_service"],
+  [/(api_gateway|apigateway)/, "api_endpoint"],
+  [/(_instance|virtual_machine|_vm$|compute_instance)/, "host"]
+];
+function terraformTypeToNode(tfType) {
+  const t = tfType.toLowerCase();
+  for (const [re, nt] of TYPE_RULES) if (re.test(t)) return nt;
+  return "unknown";
+}
+var IDENTITY_ATTRS = ["id", "arn", "region", "location", "instance_type", "engine", "machine_type"];
+var OWNER_TAGS = ["Owner", "owner", "Team", "team"];
+var SAFE_TAG_KEYS = /* @__PURE__ */ new Set(["Name", "name", "Owner", "owner", "Team", "team", "Env", "env", "Environment", "environment", "Service", "service", "Component", "component", "App", "app", "Project", "project", "Tier", "tier", "Role", "role"]);
+var SECRET_KEY = /pass|secret|token|key|pwd|cred|private/i;
+function attrTags(tags) {
+  if (!tags || typeof tags !== "object") return [];
+  return Object.entries(tags).filter(([k]) => SAFE_TAG_KEYS.has(k) && !SECRET_KEY.test(k)).map(([k, v]) => `${k}:${redactSecrets(String(v))}`);
+}
+function parseTerraformState(json2) {
+  let state;
+  try {
+    state = JSON.parse(json2);
+  } catch {
+    return { nodes: [], edges: [] };
+  }
+  const resources = Array.isArray(state?.resources) ? state.resources : [];
+  const nodes = [];
+  const edges = [];
+  const addrToId = /* @__PURE__ */ new Map();
+  for (const raw of resources) {
+    const r = raw;
+    if (r.mode && r.mode !== "managed") continue;
+    if (typeof r.type !== "string" || typeof r.name !== "string") continue;
+    const address = `${r.type}.${r.name}`;
+    const nt = terraformTypeToNode(r.type);
+    const id = `${nt}:terraform:${address}`;
+    if (addrToId.has(address)) continue;
+    addrToId.set(address, id);
+    const inst = Array.isArray(r.instances) ? r.instances[0] : void 0;
+    const attrs = inst?.attributes ?? {};
+    const identity = { source: "terraform", tfType: r.type };
+    for (const k of IDENTITY_ATTRS) if (attrs[k] !== void 0) identity[k] = attrs[k];
+    const owner = OWNER_TAGS.map((k) => attrs.tags?.[k]).find((v) => typeof v === "string");
+    nodes.push({
+      id,
+      type: nt,
+      name: address,
+      discoveredVia: "terraform-state",
+      confidence: 0.9,
+      // IaC is authoritative declared intent.
+      metadata: redactValue(identity),
+      tags: attrTags(attrs.tags),
+      ...owner ? { owner } : {}
+    });
+  }
+  for (const raw of resources) {
+    const r = raw;
+    if (r.mode && r.mode !== "managed") continue;
+    if (typeof r.type !== "string" || typeof r.name !== "string") continue;
+    const srcId = addrToId.get(`${r.type}.${r.name}`);
+    if (!srcId) continue;
+    const inst = Array.isArray(r.instances) ? r.instances[0] : void 0;
+    const deps = Array.isArray(inst?.dependencies) ? inst.dependencies : [];
+    for (const dep of deps) {
+      if (typeof dep !== "string") continue;
+      const tgtId = addrToId.get(dep) ?? addrToId.get(dep.split("[")[0]);
+      if (!tgtId || tgtId === srcId) continue;
+      edges.push({ sourceId: srcId, targetId: tgtId, relationship: "depends_on", evidence: evidenceLine("config-declared", `terraform depends_on ${dep}`), confidence: 0.85 });
+    }
+  }
+  return { nodes, edges };
+}
+function stateDirs() {
+  return [".", "./terraform", "./infra", "./infrastructure", "./deploy", "./terraform/environments"];
+}
+function hintPath(hint) {
+  if (!hint) return void 0;
+  const m = /(?:^|[\s,])tfstate=([^\s,]+)/.exec(hint);
+  return m ? m[1] : void 0;
+}
+function resolveStatePath(ctx) {
+  const explicit = hintPath(ctx.hint);
+  if (explicit) return explicit;
+  const found = (ctx.findFiles ?? findFiles)(stateDirs(), ["*.tfstate"], 4, 20).split(/\r?\n/).map((s) => s.trim()).filter(Boolean);
+  return found[0];
+}
+function readStateFile(path) {
+  try {
+    return readFileSync(path, "utf8");
+  } catch {
+    return "";
+  }
+}
+var terraformScanner = {
+  id: "terraform-state",
+  title: "Terraform state (IaC)",
+  platforms: "all",
+  // No shell commands — the state file is read directly via node:fs, so an
+  // operator-supplied path can never inject a command (no `cat "${path}"` interpolation).
+  detect(ctx) {
+    return resolveStatePath(ctx) !== void 0;
+  },
+  async scan(ctx) {
+    const path = resolveStatePath(ctx);
+    if (!path) return { nodes: [], edges: [] };
+    const json2 = (ctx.readFile ?? readStateFile)(path);
+    if (!json2) return { nodes: [], edges: [] };
+    const result = parseTerraformState(json2);
+    return { ...result, report: `terraform-state: ${result.nodes.length} resources, ${result.edges.length} dependencies from ${path}` };
+  }
+};
+
 // src/scanners/registry.ts
 function defaultRegistry() {
-  return new ScannerRegistry().register(bookmarksScanner).register(installedAppsScanner).register(portsScanner).register(cloudAwsScanner).register(cloudGcpScanner).register(cloudAzureScanner).register(k8sScanner).register(databasesScanner).register(connectionsScanner).register(serviceConfigScanner);
+  return new ScannerRegistry().register(bookmarksScanner).register(installedAppsScanner).register(portsScanner).register(cloudAwsScanner).register(cloudGcpScanner).register(cloudAzureScanner).register(k8sScanner).register(databasesScanner).register(connectionsScanner).register(serviceConfigScanner).register(terraformScanner);
 }
 
 // src/scanners/loader.ts
@@ -764,201 +888,6 @@ function localDiscoveryFn(registry, plugins) {
   };
 }
 
-// src/compliance/rulesets/baseline.ts
-var baseline = RulesetSchema.parse({
-  name: "baseline",
-  version: "1.0.0",
-  framework: "baseline",
-  description: "Deterministic baseline hygiene controls scored against signals available today.",
-  rules: [
-    {
-      id: "BASE-1",
-      control: "BASE-1",
-      framework: "baseline",
-      severity: "medium",
-      title: "Asset has an owner",
-      rationale: "Every asset should have a clear owning team/person for accountability.",
-      scope: {},
-      check: { any: [
-        { field: "owner", op: "present" },
-        { field: "domain", op: "present" },
-        { field: "tags", op: "matches", pattern: "owner_key" },
-        { field: "metadataKeys", op: "matches", pattern: "owner_key" }
-      ] }
-    },
-    {
-      id: "BASE-2",
-      control: "BASE-2",
-      framework: "baseline",
-      severity: "low",
-      title: "Service/data asset is assigned a business domain",
-      rationale: "Domain assignment enables blast-radius and ownership analysis.",
-      scope: { groups: ["data", "web"] },
-      check: { field: "domain", op: "present" }
-    },
-    {
-      id: "BASE-3",
-      control: "BASE-3",
-      framework: "baseline",
-      severity: "high",
-      title: "Critical asset is discovered with adequate confidence",
-      rationale: "Low-confidence critical assets indicate incomplete or unreliable discovery.",
-      scope: { groups: ["data", "infra"] },
-      check: { field: "confidence", op: "gte", value: 0.5 }
-    },
-    {
-      id: "BASE-4",
-      control: "BASE-4",
-      framework: "baseline",
-      severity: "critical",
-      title: "No embedded credentials / plaintext DSN in metadata",
-      rationale: "A connection string with embedded credentials is a direct secret-exposure risk.",
-      scope: {},
-      check: { not: { field: "metadataValues", op: "matches", pattern: "dsn_with_credentials" } }
-    },
-    {
-      id: "BASE-5",
-      control: "BASE-5",
-      framework: "baseline",
-      severity: "medium",
-      title: "Data store carries an acceptable quality score",
-      rationale: "Where a quality score exists, a low score flags an under-governed data store.",
-      scope: { groups: ["data"] },
-      applicableWhen: { field: "qualityScore", op: "present" },
-      check: { field: "qualityScore", op: "gte", value: 50 }
-    }
-  ]
-});
-
-// src/compliance/rulesets/cis.ts
-var cis = RulesetSchema.parse({
-  name: "cis",
-  version: "0.1.0",
-  framework: "CIS",
-  description: "CIS starter subset \u2014 illustrative controls, not a certified benchmark.",
-  rules: [
-    {
-      id: "CIS-1.1",
-      control: "CIS-1.1",
-      framework: "CIS",
-      severity: "critical",
-      title: "No plaintext credentials in service configuration",
-      rationale: "CIS hardening forbids embedded secrets in config/metadata.",
-      scope: {},
-      check: { not: { field: "metadataValues", op: "matches", pattern: "dsn_with_credentials" } }
-    },
-    {
-      id: "CIS-2.1",
-      control: "CIS-2.1",
-      framework: "CIS",
-      severity: "high",
-      title: "Data store is not publicly exposed",
-      rationale: "Data stores should not bind to public/0.0.0.0 addresses.",
-      scope: { groups: ["data"] },
-      check: { not: { field: "metadataValues", op: "matches", pattern: "public_exposure" } }
-    },
-    {
-      id: "CIS-3.1",
-      control: "CIS-3.1",
-      framework: "CIS",
-      severity: "medium",
-      title: "Asset inventory has an accountable owner",
-      rationale: "CIS asset management requires an assigned owner.",
-      scope: {},
-      check: { any: [{ field: "owner", op: "present" }, { field: "metadataKeys", op: "matches", pattern: "owner_key" }] }
-    }
-  ]
-});
-
-// src/compliance/rulesets/soc2.ts
-var soc2 = RulesetSchema.parse({
-  name: "soc2",
-  version: "0.1.0",
-  framework: "SOC2",
-  description: "SOC 2 starter subset \u2014 illustrative controls, not a certified control set.",
-  rules: [
-    {
-      id: "CC6.1",
-      control: "CC6.1",
-      framework: "SOC2",
-      severity: "critical",
-      title: "Logical access \u2014 no embedded credentials",
-      rationale: "CC6.1 logical access controls preclude plaintext secrets in config.",
-      scope: {},
-      check: { not: { field: "metadataValues", op: "matches", pattern: "dsn_with_credentials" } }
-    },
-    {
-      id: "CC6.6",
-      control: "CC6.6",
-      framework: "SOC2",
-      severity: "high",
-      title: "Boundary protection \u2014 data stores not public",
-      rationale: "CC6.6 requires protection of system boundaries from external access.",
-      scope: { groups: ["data"] },
-      check: { not: { field: "metadataValues", op: "matches", pattern: "public_exposure" } }
-    },
-    {
-      id: "CC1.2",
-      control: "CC1.2",
-      framework: "SOC2",
-      severity: "medium",
-      title: "Accountability \u2014 asset has an owner",
-      rationale: "CC1.2 establishes accountability; assets need an assigned owner.",
-      scope: {},
-      check: { any: [{ field: "owner", op: "present" }, { field: "domain", op: "present" }] }
-    }
-  ]
-});
-
-// src/compliance/rulesets/iso27001.ts
-var iso27001 = RulesetSchema.parse({
-  name: "iso27001",
-  version: "0.1.0",
-  framework: "ISO27001",
-  description: "ISO/IEC 27001 Annex A starter subset \u2014 illustrative, not certified.",
-  rules: [
-    {
-      id: "A.8.1",
-      control: "A.8.1",
-      framework: "ISO27001",
-      severity: "medium",
-      title: "Inventory of assets \u2014 ownership assigned",
-      rationale: "A.8.1 requires an inventory of assets each with an identified owner.",
-      scope: {},
-      check: { any: [{ field: "owner", op: "present" }, { field: "metadataKeys", op: "matches", pattern: "owner_key" }] }
-    },
-    {
-      id: "A.8.12",
-      control: "A.8.12",
-      framework: "ISO27001",
-      severity: "critical",
-      title: "Data leakage prevention \u2014 no embedded secrets",
-      rationale: "A.8.12 mandates measures against data leakage such as exposed credentials.",
-      scope: {},
-      check: { not: { field: "metadataValues", op: "matches", pattern: "dsn_with_credentials" } }
-    },
-    {
-      id: "A.8.20",
-      control: "A.8.20",
-      framework: "ISO27001",
-      severity: "high",
-      title: "Network security \u2014 data stores not publicly exposed",
-      rationale: "A.8.20 requires networks to be secured; data stores should not be public.",
-      scope: { groups: ["data"] },
-      check: { not: { field: "metadataValues", op: "matches", pattern: "public_exposure" } }
-    }
-  ]
-});
-
-// src/compliance/rulesets/registry.ts
-var RULESETS = { baseline, cis, soc2, iso27001 };
-function getRuleset(name) {
-  return RULESETS[name];
-}
-function listRulesets() {
-  return Object.values(RULESETS).map((r) => ({ name: r.name, version: r.version, framework: r.framework, ruleCount: r.rules.length }));
-}
-
 // src/sinks/stdout.ts
 var StdoutSink = class {
   name = "stdout";
@@ -1315,9 +1244,204 @@ async function runDrift(db, config, opts = {}) {
   return alert;
 }
 
+// src/compliance/rulesets/baseline.ts
+var baseline = RulesetSchema.parse({
+  name: "baseline",
+  version: "1.0.0",
+  framework: "baseline",
+  description: "Deterministic baseline hygiene controls scored against signals available today.",
+  rules: [
+    {
+      id: "BASE-1",
+      control: "BASE-1",
+      framework: "baseline",
+      severity: "medium",
+      title: "Asset has an owner",
+      rationale: "Every asset should have a clear owning team/person for accountability.",
+      scope: {},
+      check: { any: [
+        { field: "owner", op: "present" },
+        { field: "domain", op: "present" },
+        { field: "tags", op: "matches", pattern: "owner_key" },
+        { field: "metadataKeys", op: "matches", pattern: "owner_key" }
+      ] }
+    },
+    {
+      id: "BASE-2",
+      control: "BASE-2",
+      framework: "baseline",
+      severity: "low",
+      title: "Service/data asset is assigned a business domain",
+      rationale: "Domain assignment enables blast-radius and ownership analysis.",
+      scope: { groups: ["data", "web"] },
+      check: { field: "domain", op: "present" }
+    },
+    {
+      id: "BASE-3",
+      control: "BASE-3",
+      framework: "baseline",
+      severity: "high",
+      title: "Critical asset is discovered with adequate confidence",
+      rationale: "Low-confidence critical assets indicate incomplete or unreliable discovery.",
+      scope: { groups: ["data", "infra"] },
+      check: { field: "confidence", op: "gte", value: 0.5 }
+    },
+    {
+      id: "BASE-4",
+      control: "BASE-4",
+      framework: "baseline",
+      severity: "critical",
+      title: "No embedded credentials / plaintext DSN in metadata",
+      rationale: "A connection string with embedded credentials is a direct secret-exposure risk.",
+      scope: {},
+      check: { not: { field: "metadataValues", op: "matches", pattern: "dsn_with_credentials" } }
+    },
+    {
+      id: "BASE-5",
+      control: "BASE-5",
+      framework: "baseline",
+      severity: "medium",
+      title: "Data store carries an acceptable quality score",
+      rationale: "Where a quality score exists, a low score flags an under-governed data store.",
+      scope: { groups: ["data"] },
+      applicableWhen: { field: "qualityScore", op: "present" },
+      check: { field: "qualityScore", op: "gte", value: 50 }
+    }
+  ]
+});
+
+// src/compliance/rulesets/cis.ts
+var cis = RulesetSchema.parse({
+  name: "cis",
+  version: "0.1.0",
+  framework: "CIS",
+  description: "CIS starter subset \u2014 illustrative controls, not a certified benchmark.",
+  rules: [
+    {
+      id: "CIS-1.1",
+      control: "CIS-1.1",
+      framework: "CIS",
+      severity: "critical",
+      title: "No plaintext credentials in service configuration",
+      rationale: "CIS hardening forbids embedded secrets in config/metadata.",
+      scope: {},
+      check: { not: { field: "metadataValues", op: "matches", pattern: "dsn_with_credentials" } }
+    },
+    {
+      id: "CIS-2.1",
+      control: "CIS-2.1",
+      framework: "CIS",
+      severity: "high",
+      title: "Data store is not publicly exposed",
+      rationale: "Data stores should not bind to public/0.0.0.0 addresses.",
+      scope: { groups: ["data"] },
+      check: { not: { field: "metadataValues", op: "matches", pattern: "public_exposure" } }
+    },
+    {
+      id: "CIS-3.1",
+      control: "CIS-3.1",
+      framework: "CIS",
+      severity: "medium",
+      title: "Asset inventory has an accountable owner",
+      rationale: "CIS asset management requires an assigned owner.",
+      scope: {},
+      check: { any: [{ field: "owner", op: "present" }, { field: "metadataKeys", op: "matches", pattern: "owner_key" }] }
+    }
+  ]
+});
+
+// src/compliance/rulesets/soc2.ts
+var soc2 = RulesetSchema.parse({
+  name: "soc2",
+  version: "0.1.0",
+  framework: "SOC2",
+  description: "SOC 2 starter subset \u2014 illustrative controls, not a certified control set.",
+  rules: [
+    {
+      id: "CC6.1",
+      control: "CC6.1",
+      framework: "SOC2",
+      severity: "critical",
+      title: "Logical access \u2014 no embedded credentials",
+      rationale: "CC6.1 logical access controls preclude plaintext secrets in config.",
+      scope: {},
+      check: { not: { field: "metadataValues", op: "matches", pattern: "dsn_with_credentials" } }
+    },
+    {
+      id: "CC6.6",
+      control: "CC6.6",
+      framework: "SOC2",
+      severity: "high",
+      title: "Boundary protection \u2014 data stores not public",
+      rationale: "CC6.6 requires protection of system boundaries from external access.",
+      scope: { groups: ["data"] },
+      check: { not: { field: "metadataValues", op: "matches", pattern: "public_exposure" } }
+    },
+    {
+      id: "CC1.2",
+      control: "CC1.2",
+      framework: "SOC2",
+      severity: "medium",
+      title: "Accountability \u2014 asset has an owner",
+      rationale: "CC1.2 establishes accountability; assets need an assigned owner.",
+      scope: {},
+      check: { any: [{ field: "owner", op: "present" }, { field: "domain", op: "present" }] }
+    }
+  ]
+});
+
+// src/compliance/rulesets/iso27001.ts
+var iso27001 = RulesetSchema.parse({
+  name: "iso27001",
+  version: "0.1.0",
+  framework: "ISO27001",
+  description: "ISO/IEC 27001 Annex A starter subset \u2014 illustrative, not certified.",
+  rules: [
+    {
+      id: "A.8.1",
+      control: "A.8.1",
+      framework: "ISO27001",
+      severity: "medium",
+      title: "Inventory of assets \u2014 ownership assigned",
+      rationale: "A.8.1 requires an inventory of assets each with an identified owner.",
+      scope: {},
+      check: { any: [{ field: "owner", op: "present" }, { field: "metadataKeys", op: "matches", pattern: "owner_key" }] }
+    },
+    {
+      id: "A.8.12",
+      control: "A.8.12",
+      framework: "ISO27001",
+      severity: "critical",
+      title: "Data leakage prevention \u2014 no embedded secrets",
+      rationale: "A.8.12 mandates measures against data leakage such as exposed credentials.",
+      scope: {},
+      check: { not: { field: "metadataValues", op: "matches", pattern: "dsn_with_credentials" } }
+    },
+    {
+      id: "A.8.20",
+      control: "A.8.20",
+      framework: "ISO27001",
+      severity: "high",
+      title: "Network security \u2014 data stores not publicly exposed",
+      rationale: "A.8.20 requires networks to be secured; data stores should not be public.",
+      scope: { groups: ["data"] },
+      check: { not: { field: "metadataValues", op: "matches", pattern: "public_exposure" } }
+    }
+  ]
+});
+
+// src/compliance/rulesets/registry.ts
+var RULESETS = { baseline, cis, soc2, iso27001 };
+function getRuleset(name) {
+  return RULESETS[name];
+}
+function listRulesets() {
+  return Object.values(RULESETS).map((r) => ({ name: r.name, version: r.version, framework: r.framework, ruleCount: r.rules.length }));
+}
+
 // src/orgkey.ts
 import { randomBytes, hkdfSync } from "crypto";
-import { existsSync, mkdirSync, readFileSync, writeFileSync, statSync } from "fs";
+import { existsSync, mkdirSync, readFileSync as readFileSync2, writeFileSync, statSync } from "fs";
 import { homedir } from "os";
 import { dirname, join } from "path";
 function orgKeyPath(home = homedir()) {
@@ -1333,7 +1457,7 @@ function loadFileSecret(path) {
       }
     } catch {
     }
-    const hex = readFileSync(path, "utf8").trim();
+    const hex = readFileSync2(path, "utf8").trim();
     const buf = Buffer.from(hex, "hex");
     if (buf.length === KEY_BYTES) return buf;
     logWarn("org-key file was malformed \u2014 regenerating a fresh org key");
@@ -1370,6 +1494,8 @@ function reversalKey(orgKey) {
 import { createHmac, createCipheriv, createDecipheriv, randomBytes as randomBytes2 } from "crypto";
 var PRIVATE_IP = /\b(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b/g;
 var HOSTNAME = /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b/gi;
+var BARE_INTERNAL_HOST = /^[a-z0-9]+(?:-[a-z0-9]+)+$|^[a-z]+\d+$|^\d+[a-z]+$/i;
+var ANON_TOKEN = /^anon:(?:host|user|path|ip):[a-z2-7]+$/;
 var POSIX_PATH = /(?:^|(?<=\s|=|:|"|'|\())(\/[A-Za-z0-9._-]+(?:\/[A-Za-z0-9._-]+)+)/g;
 var WIN_PATH = /\b[A-Za-z]:\\[A-Za-z0-9._\\-]+/g;
 var B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567";
@@ -1424,8 +1550,18 @@ function pseudonymizeString(s, orgKey, db) {
     (_m, user, host) => `${pseudonymizeFragment(user, "user", orgKey, db)}@${pseudonymizeFragment(host, "host", orgKey, db)}`
   );
   out = out.replace(HOSTNAME, (m) => pseudonymizeFragment(m, "host", orgKey, db));
+  const trimmed = out.trim();
+  if (out === s && !ANON_TOKEN.test(trimmed) && BARE_INTERNAL_HOST.test(trimmed)) {
+    out = pseudonymizeFragment(trimmed, "host", orgKey, db);
+  }
   return out;
 }
+function pseudonymizeId(id, orgKey, db) {
+  const segments = id.split(":");
+  if (segments.length <= 1) return pseudonymizeString(id, orgKey, db);
+  const [type, ...rest] = segments;
+  return [type, ...rest.map((seg) => pseudonymizeString(seg, orgKey, db))].join(":");
+}
 function pseudonymize(value, orgKey, db) {
   if (typeof value === "string") return pseudonymizeString(value, orgKey, db);
   if (Array.isArray(value)) return value.map((v) => pseudonymize(v, orgKey, db));
@@ -1676,7 +1812,7 @@ function correlateTopology(nodes, _edges = []) {
 
 // src/mcp/server.ts
 var SERVER_NAME = "cartography";
-var SERVER_VERSION = "2.10.0";
+var SERVER_VERSION = "2.12.1";
 var SERVICE_TYPES = NODE_TYPE_GROUPS.web;
 var DATA_TYPES = NODE_TYPE_GROUPS.data;
 var lexicalSearch = async (db, sessionId, query, opts) => db.searchNodes(sessionId, query, { types: opts.types, limit: opts.limit }).map((node) => ({ node }));
@@ -2688,8 +2824,6 @@ var FQDN = /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b/gi;
 var POSIX_PATH2 = /(?:^|(?<=\s|=|:|"|'|\())(\/[A-Za-z0-9._-]+(?:\/[A-Za-z0-9._-]+)+)/g;
 var WIN_PATH2 = /\b[A-Za-z]:\\[A-Za-z0-9._\\-]+/g;
 var HOME_USER = /(?:\/home\/|\/Users\/|[A-Za-z]:\\Users\\)([A-Za-z0-9._-]+)/g;
-var BARE_INTERNAL_HOST = /^[a-z0-9]+(?:-[a-z0-9]+)+$|^[a-z]+\d+$|^\d+[a-z]+$/i;
-var ANON_TOKEN = /^anon:(?:host|user|path|ip):[a-z2-7]+$/;
 function violationsInString(s, path) {
   const out = [];
   const trimmed = s.trim();
@@ -3015,17 +3149,19 @@ async function startMcp(opts = {}) {
 }
 
 export {
+  ScannerRegistry,
   isPersonalHost,
   runLocalDiscovery,
+  runDrift,
   getRuleset,
   listRulesets,
-  runDrift,
   loadOrgKey,
   rotateOrgKey,
   pseudonymizeString,
+  pseudonymizeId,
   pseudonymize,
   reversePseudonym,
   parseMcpArgs,
   startMcp
 };
-//# sourceMappingURL=chunk-ASCA3UFM.js.map
+//# sourceMappingURL=chunk-OIDAXUW5.js.map