@datasynx/agentic-ai-cartography 2.10.0 → 2.12.1

package/dist/index.cjs

@@ -31,9 +31,11 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var src_exports = {};
 __export(src_exports, {
   ACTIONS: () => ACTIONS,
+  ANON_TOKEN: () => ANON_TOKEN,
   ActionSchema: () => ActionSchema,
   AuthConfigSchema: () => AuthConfigSchema,
   AuthorizationError: () => AuthorizationError,
+  BARE_INTERNAL_HOST: () => BARE_INTERNAL_HOST,
   CLIENTS: () => CLIENTS,
   CONFIDENCE: () => CONFIDENCE,
   CORRELATION_CONFIDENCE: () => CORRELATION_CONFIDENCE,
@@ -197,11 +199,13 @@ __export(src_exports, {
   hostname: () => hostname,
   ingestEnvelope: () => ingestEnvelope,
   installedAppsScanner: () => installedAppsScanner,
+  isInCluster: () => isInCluster,
   isLoopbackHost: () => isLoopbackHost,
   isPersonalHost: () => isPersonalHost,
   isReadOnlyCommand: () => isReadOnlyCommand,
   isRemembered: () => isRemembered,
   isSecureWebhookUrl: () => isSecureWebhookUrl,
+  k8sRegistry: () => k8sRegistry,
   k8sScanner: () => k8sScanner,
   keyMetaOf: () => keyMetaOf,
   layoutClusters: () => layoutClusters,
@@ -238,6 +242,7 @@ __export(src_exports, {
   parseNginxUpstreams: () => parseNginxUpstreams,
   parseNlQuery: () => parseNlQuery,
   parseScanHint: () => parseScanHint,
+  parseTerraformState: () => parseTerraformState,
   pixelToHex: () => pixelToHex,
   planInstall: () => planInstall,
   portsScanner: () => portsScanner,
@@ -245,6 +250,7 @@ __export(src_exports, {
   previewShare: () => previewShare,
   pseudonymize: () => pseudonymize,
   pseudonymizeFragment: () => pseudonymizeFragment,
+  pseudonymizeId: () => pseudonymizeId,
   pseudonymizeString: () => pseudonymizeString,
   pushDeltas: () => pushDeltas,
   readConfigFile: () => readConfigFile,
@@ -267,6 +273,8 @@ __export(src_exports, {
   runHttp: () => runHttp,
   runLocalDiscovery: () => runLocalDiscovery,
   runOnce: () => runOnce,
+  runOperator: () => runOperator,
+  runOperatorCycle: () => runOperatorCycle,
   runStdio: () => runStdio,
   runSyncClassify: () => runSyncClassify,
   safeEnv: () => safeEnv,
@@ -287,6 +295,8 @@ __export(src_exports, {
   stableStringify: () => stableStringify,
   startApi: () => startApi,
   stripSensitive: () => stripSensitive,
+  terraformScanner: () => terraformScanner,
+  terraformTypeToNode: () => terraformTypeToNode,
   timingSafeEqual: () => timingSafeEqual,
   toBackstageEntities: () => toBackstageEntities,
   validateScanner: () => validateScanner,
@@ -4949,6 +4959,8 @@ function reversalKey(orgKey) {
 // src/anonymize.ts
 var PRIVATE_IP = /\b(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b/g;
 var HOSTNAME = /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b/gi;
+var BARE_INTERNAL_HOST = /^[a-z0-9]+(?:-[a-z0-9]+)+$|^[a-z]+\d+$|^\d+[a-z]+$/i;
+var ANON_TOKEN = /^anon:(?:host|user|path|ip):[a-z2-7]+$/;
 var POSIX_PATH = /(?:^|(?<=\s|=|:|"|'|\())(\/[A-Za-z0-9._-]+(?:\/[A-Za-z0-9._-]+)+)/g;
 var WIN_PATH = /\b[A-Za-z]:\\[A-Za-z0-9._\\-]+/g;
 var B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567";
@@ -5003,8 +5015,18 @@ function pseudonymizeString(s, orgKey, db) {
     (_m, user, host2) => `${pseudonymizeFragment(user, "user", orgKey, db)}@${pseudonymizeFragment(host2, "host", orgKey, db)}`
   );
   out = out.replace(HOSTNAME, (m) => pseudonymizeFragment(m, "host", orgKey, db));
+  const trimmed = out.trim();
+  if (out === s && !ANON_TOKEN.test(trimmed) && BARE_INTERNAL_HOST.test(trimmed)) {
+    out = pseudonymizeFragment(trimmed, "host", orgKey, db);
+  }
   return out;
 }
+function pseudonymizeId(id, orgKey, db) {
+  const segments = id.split(":");
+  if (segments.length <= 1) return pseudonymizeString(id, orgKey, db);
+  const [type, ...rest] = segments;
+  return [type, ...rest.map((seg) => pseudonymizeString(seg, orgKey, db))].join(":");
+}
 function pseudonymize(value, orgKey, db) {
   if (typeof value === "string") return pseudonymizeString(value, orgKey, db);
   if (Array.isArray(value)) return value.map((v) => pseudonymize(v, orgKey, db));
@@ -5031,8 +5053,6 @@ var FQDN = /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b/gi;
 var POSIX_PATH2 = /(?:^|(?<=\s|=|:|"|'|\())(\/[A-Za-z0-9._-]+(?:\/[A-Za-z0-9._-]+)+)/g;
 var WIN_PATH2 = /\b[A-Za-z]:\\[A-Za-z0-9._\\-]+/g;
 var HOME_USER = /(?:\/home\/|\/Users\/|[A-Za-z]:\\Users\\)([A-Za-z0-9._-]+)/g;
-var BARE_INTERNAL_HOST = /^[a-z0-9]+(?:-[a-z0-9]+)+$|^[a-z]+\d+$|^\d+[a-z]+$/i;
-var ANON_TOKEN = /^anon:(?:host|user|path|ip):[a-z2-7]+$/;
 function violationsInString(s, path) {
   const out = [];
   const trimmed = s.trim();
@@ -5422,9 +5442,10 @@ function resolveEffectiveLevel(node, policy) {
 function applySharingLevel(node, level, orgKey, db) {
   if (level === "none") return null;
   if (level === "full") return { ...node, metadata: { ...node.metadata ?? {} }, tags: [...node.tags ?? []] };
+  const { globalId: _g, contentHash: _h, ...rest } = node;
   return {
-    ...node,
-    id: pseudonymizeString(node.id, orgKey, db),
+    ...rest,
+    id: pseudonymizeId(node.id, orgKey, db),
     name: pseudonymizeString(node.name, orgKey, db),
     metadata: pseudonymize(node.metadata ?? {}, orgKey, db),
     tags: (node.tags ?? []).map((t) => pseudonymizeString(t, orgKey, db))
@@ -6276,7 +6297,7 @@ function correlateTopology(nodes, _edges = []) {
 
 // src/mcp/server.ts
 var SERVER_NAME = "cartography";
-var SERVER_VERSION = "2.10.0";
+var SERVER_VERSION = "2.12.1";
 var SERVICE_TYPES = NODE_TYPE_GROUPS.web;
 var DATA_TYPES = NODE_TYPE_GROUPS.data;
 var lexicalSearch = async (db, sessionId, query, opts) => db.searchNodes(sessionId, query, { types: opts.types, limit: opts.limit }).map((node) => ({ node }));
@@ -7686,9 +7707,132 @@ var serviceConfigScanner = {
   }
 };
 
+// src/scanners/terraform.ts
+var import_node_fs5 = require("fs");
+var TYPE_RULES = [
+  [/(db_instance|_rds|sql_database|sql_instance|database_instance|cosmosdb|dynamodb|spanner|bigtable|documentdb|redshift)/, "database_server"],
+  [/(elasticache|_redis|memcached|memorystore)/, "cache_server"],
+  [/(s3_bucket|storage_bucket|gcs_bucket|storage_account|_blob)/, "database"],
+  [/(_sqs|_queue|servicebus_queue)/, "queue"],
+  [/(_sns|_topic|pubsub_topic|servicebus_topic)/, "topic"],
+  [/(kafka|_msk|event_hub|kinesis)/, "message_broker"],
+  [/(_eks|_gke|_aks|kubernetes_cluster|container_cluster)/, "k8s_cluster"],
+  [/(ecs_|_container|fargate)/, "container"],
+  [/(lambda|cloud_function|cloudfunctions|function_app|cloud_run)/, "web_service"],
+  [/(_lb$|load_balancer|_alb|_elb|application_gateway)/, "web_service"],
+  [/(api_gateway|apigateway)/, "api_endpoint"],
+  [/(_instance|virtual_machine|_vm$|compute_instance)/, "host"]
+];
+function terraformTypeToNode(tfType) {
+  const t = tfType.toLowerCase();
+  for (const [re, nt] of TYPE_RULES) if (re.test(t)) return nt;
+  return "unknown";
+}
+var IDENTITY_ATTRS = ["id", "arn", "region", "location", "instance_type", "engine", "machine_type"];
+var OWNER_TAGS = ["Owner", "owner", "Team", "team"];
+var SAFE_TAG_KEYS = /* @__PURE__ */ new Set(["Name", "name", "Owner", "owner", "Team", "team", "Env", "env", "Environment", "environment", "Service", "service", "Component", "component", "App", "app", "Project", "project", "Tier", "tier", "Role", "role"]);
+var SECRET_KEY = /pass|secret|token|key|pwd|cred|private/i;
+function attrTags(tags) {
+  if (!tags || typeof tags !== "object") return [];
+  return Object.entries(tags).filter(([k]) => SAFE_TAG_KEYS.has(k) && !SECRET_KEY.test(k)).map(([k, v]) => `${k}:${redactSecrets(String(v))}`);
+}
+function parseTerraformState(json2) {
+  let state;
+  try {
+    state = JSON.parse(json2);
+  } catch {
+    return { nodes: [], edges: [] };
+  }
+  const resources = Array.isArray(state?.resources) ? state.resources : [];
+  const nodes = [];
+  const edges = [];
+  const addrToId = /* @__PURE__ */ new Map();
+  for (const raw of resources) {
+    const r = raw;
+    if (r.mode && r.mode !== "managed") continue;
+    if (typeof r.type !== "string" || typeof r.name !== "string") continue;
+    const address = `${r.type}.${r.name}`;
+    const nt = terraformTypeToNode(r.type);
+    const id = `${nt}:terraform:${address}`;
+    if (addrToId.has(address)) continue;
+    addrToId.set(address, id);
+    const inst = Array.isArray(r.instances) ? r.instances[0] : void 0;
+    const attrs = inst?.attributes ?? {};
+    const identity = { source: "terraform", tfType: r.type };
+    for (const k of IDENTITY_ATTRS) if (attrs[k] !== void 0) identity[k] = attrs[k];
+    const owner = OWNER_TAGS.map((k) => attrs.tags?.[k]).find((v) => typeof v === "string");
+    nodes.push({
+      id,
+      type: nt,
+      name: address,
+      discoveredVia: "terraform-state",
+      confidence: 0.9,
+      // IaC is authoritative declared intent.
+      metadata: redactValue(identity),
+      tags: attrTags(attrs.tags),
+      ...owner ? { owner } : {}
+    });
+  }
+  for (const raw of resources) {
+    const r = raw;
+    if (r.mode && r.mode !== "managed") continue;
+    if (typeof r.type !== "string" || typeof r.name !== "string") continue;
+    const srcId = addrToId.get(`${r.type}.${r.name}`);
+    if (!srcId) continue;
+    const inst = Array.isArray(r.instances) ? r.instances[0] : void 0;
+    const deps = Array.isArray(inst?.dependencies) ? inst.dependencies : [];
+    for (const dep of deps) {
+      if (typeof dep !== "string") continue;
+      const tgtId = addrToId.get(dep) ?? addrToId.get(dep.split("[")[0]);
+      if (!tgtId || tgtId === srcId) continue;
+      edges.push({ sourceId: srcId, targetId: tgtId, relationship: "depends_on", evidence: evidenceLine("config-declared", `terraform depends_on ${dep}`), confidence: 0.85 });
+    }
+  }
+  return { nodes, edges };
+}
+function stateDirs() {
+  return [".", "./terraform", "./infra", "./infrastructure", "./deploy", "./terraform/environments"];
+}
+function hintPath(hint) {
+  if (!hint) return void 0;
+  const m = /(?:^|[\s,])tfstate=([^\s,]+)/.exec(hint);
+  return m ? m[1] : void 0;
+}
+function resolveStatePath(ctx) {
+  const explicit = hintPath(ctx.hint);
+  if (explicit) return explicit;
+  const found = (ctx.findFiles ?? findFiles)(stateDirs(), ["*.tfstate"], 4, 20).split(/\r?\n/).map((s) => s.trim()).filter(Boolean);
+  return found[0];
+}
+function readStateFile(path) {
+  try {
+    return (0, import_node_fs5.readFileSync)(path, "utf8");
+  } catch {
+    return "";
+  }
+}
+var terraformScanner = {
+  id: "terraform-state",
+  title: "Terraform state (IaC)",
+  platforms: "all",
+  // No shell commands — the state file is read directly via node:fs, so an
+  // operator-supplied path can never inject a command (no `cat "${path}"` interpolation).
+  detect(ctx) {
+    return resolveStatePath(ctx) !== void 0;
+  },
+  async scan(ctx) {
+    const path = resolveStatePath(ctx);
+    if (!path) return { nodes: [], edges: [] };
+    const json2 = (ctx.readFile ?? readStateFile)(path);
+    if (!json2) return { nodes: [], edges: [] };
+    const result = parseTerraformState(json2);
+    return { ...result, report: `terraform-state: ${result.nodes.length} resources, ${result.edges.length} dependencies from ${path}` };
+  }
+};
+
 // src/scanners/registry.ts
 function defaultRegistry() {
-  return new ScannerRegistry().register(bookmarksScanner).register(installedAppsScanner).register(portsScanner).register(cloudAwsScanner).register(cloudGcpScanner).register(cloudAzureScanner).register(k8sScanner).register(databasesScanner).register(connectionsScanner).register(serviceConfigScanner);
+  return new ScannerRegistry().register(bookmarksScanner).register(installedAppsScanner).register(portsScanner).register(cloudAwsScanner).register(cloudGcpScanner).register(cloudAzureScanner).register(k8sScanner).register(databasesScanner).register(connectionsScanner).register(serviceConfigScanner).register(terraformScanner);
 }
 
 // src/scanners/loader.ts
@@ -9056,14 +9200,14 @@ var AuthConfigSchema = import_zod9.z.object({
 });
 
 // src/api/start.ts
-var import_node_fs5 = require("fs");
+var import_node_fs6 = require("fs");
 var import_node_path5 = require("path");
 var import_node_url = require("url");
 var import_meta = {};
 function readVersion() {
   try {
     const dir = import_meta.dirname ?? (0, import_node_path5.dirname)((0, import_node_url.fileURLToPath)(import_meta.url));
-    return JSON.parse((0, import_node_fs5.readFileSync)((0, import_node_path5.resolve)(dir, "..", "package.json"), "utf-8")).version ?? "0.0.0";
+    return JSON.parse((0, import_node_fs6.readFileSync)((0, import_node_path5.resolve)(dir, "..", "package.json"), "utf-8")).version ?? "0.0.0";
   } catch {
     return "0.0.0";
   }
@@ -9194,7 +9338,7 @@ function defaultServerEntry(opts = {}) {
 }
 
 // src/installer/install.ts
-var import_node_fs6 = require("fs");
+var import_node_fs7 = require("fs");
 var import_node_path6 = require("path");
 var import_node_os4 = require("os");
 function currentOs() {
@@ -9210,8 +9354,8 @@ function planInstall(spec, ctx, opts) {
   if (!path) {
     throw new Error(`${spec.label} does not support the "${ctx.scope}" scope.`);
   }
-  const fileExists = (0, import_node_fs6.existsSync)(path);
-  const before = fileExists ? (0, import_node_fs6.readFileSync)(path, "utf8") : "";
+  const fileExists = (0, import_node_fs7.existsSync)(path);
+  const before = fileExists ? (0, import_node_fs7.readFileSync)(path, "utf8") : "";
   const existing = parseConfig(before, spec.format);
   const merged = spec.apply(existing, opts.serverName ?? DEFAULT_SERVER_NAME, opts.entry);
   const after = serializeConfig(merged, spec.format);
@@ -9228,8 +9372,8 @@ function planInstall(spec, ctx, opts) {
   };
 }
 function applyInstall(plan) {
-  (0, import_node_fs6.mkdirSync)((0, import_node_path6.dirname)(plan.path), { recursive: true });
-  (0, import_node_fs6.writeFileSync)(plan.path, plan.after, "utf8");
+  (0, import_node_fs7.mkdirSync)((0, import_node_path6.dirname)(plan.path), { recursive: true });
+  (0, import_node_fs7.writeFileSync)(plan.path, plan.after, "utf8");
 }
 function renderDiff(before, after) {
   if (before === after) return "  (no changes)";
@@ -10076,8 +10220,65 @@ Use ask_user when you need context from the user.`;
   }
 }
 
+// src/k8s/operator.ts
+function k8sRegistry() {
+  return new ScannerRegistry().register(k8sScanner);
+}
+function isInCluster(env = process.env) {
+  return typeof env["KUBERNETES_SERVICE_HOST"] === "string" && env["KUBERNETES_SERVICE_HOST"].length > 0;
+}
+function pruneToRetention(db, keep, tenant) {
+  const stale = db.getSessions(tenant).slice(Math.max(1, keep));
+  for (const s of stale) db.deleteSession(s.id);
+  return stale.length;
+}
+async function runOperatorCycle(db, config, opts = {}) {
+  const sessionId = db.createSession("discover", config);
+  const discover = opts.discover ?? ((d, s) => runLocalDiscovery(d, s, { registry: k8sRegistry() }));
+  const res = await discover(db, sessionId);
+  const sess = db.getSession(sessionId);
+  if (sess && !sess.name) db.setSessionName(sessionId, deriveSessionName(db.getGraphSummary(sessionId), sess.startedAt));
+  const driftFn = opts.drift ?? ((d, c) => runDrift(d, c));
+  const drift = await driftFn(db, config);
+  pruneToRetention(db, opts.retain ?? 10, normalizeTenant(config.organization));
+  return { sessionId, nodes: res.nodes, edges: res.edges, drift };
+}
+async function runOperator(db, config, opts = {}) {
+  const log2 = opts.log ?? ((m) => process.stderr.write(m + "\n"));
+  const intervalMs = opts.intervalMs ?? 5 * 6e4;
+  const sleep = opts.sleep ?? ((ms) => new Promise((resolve3) => {
+    if (opts.signal?.aborted) {
+      resolve3();
+      return;
+    }
+    const t = setTimeout(() => {
+      opts.signal?.removeEventListener?.("abort", onAbort);
+      resolve3();
+    }, ms);
+    const onAbort = () => {
+      clearTimeout(t);
+      resolve3();
+    };
+    opts.signal?.addEventListener?.("abort", onAbort, { once: true });
+  }));
+  log2(`Cartograph Kubernetes operator (in-cluster: ${isInCluster()}, interval: ${Math.round(intervalMs / 1e3)}s${opts.once ? ", single pass" : ""})`);
+  for (; ; ) {
+    try {
+      const c = await runOperatorCycle(db, config, opts);
+      log2(
+        `reconcile: session ${c.sessionId} \u2014 ${c.nodes} nodes, ${c.edges} edges` + (c.drift ? `, drift ${c.drift.severity} (${c.drift.items.length} change${c.drift.items.length === 1 ? "" : "s"})` : ", no drift")
+      );
+    } catch (err) {
+      log2(`reconcile failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    if (opts.once || opts.signal?.aborted) return;
+    await sleep(intervalMs);
+    if (opts.signal?.aborted) return;
+  }
+}
+
 // src/cost.ts
-var import_node_fs7 = require("fs");
+var import_node_fs8 = require("fs");
 var import_node_path8 = require("path");
 function splitCsvLine(line) {
   const out = [];
@@ -10156,7 +10357,7 @@ var CsvCostSource = class {
   }
   id;
   async fetch() {
-    const text = (0, import_node_fs7.readFileSync)((0, import_node_path8.resolve)(this.opts.filePath), "utf-8");
+    const text = (0, import_node_fs8.readFileSync)((0, import_node_path8.resolve)(this.opts.filePath), "utf-8");
     const records = parseCostCsv(text);
     const match = this.opts.match ?? "nodeId";
     const out = /* @__PURE__ */ new Map();
@@ -10198,7 +10399,7 @@ async function enrichCosts(db, sessionId, source) {
 }
 
 // src/exporter.ts
-var import_node_fs8 = require("fs");
+var import_node_fs9 = require("fs");
 var import_node_path9 = require("path");
 
 // src/hex.ts
@@ -11868,28 +12069,28 @@ function exportComplianceReport(report, format) {
   return lines.join("\n");
 }
 function exportAll(db, sessionId, outputDir, formats = ["mermaid", "json", "yaml", "html", "map", "discovery"]) {
-  (0, import_node_fs8.mkdirSync)(outputDir, { recursive: true });
+  (0, import_node_fs9.mkdirSync)(outputDir, { recursive: true });
   const nodes = db.getNodes(sessionId);
   const edges = db.getEdges(sessionId);
   const jgfPath = (0, import_node_path9.join)(outputDir, "cartography-graph.jgf.json");
-  (0, import_node_fs8.writeFileSync)(jgfPath, exportJGF(nodes, edges));
+  (0, import_node_fs9.writeFileSync)(jgfPath, exportJGF(nodes, edges));
   if (formats.includes("mermaid")) {
-    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "topology.mermaid"), generateTopologyMermaid(nodes, edges));
-    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "dependencies.mermaid"), generateDependencyMermaid(nodes, edges));
+    (0, import_node_fs9.writeFileSync)((0, import_node_path9.join)(outputDir, "topology.mermaid"), generateTopologyMermaid(nodes, edges));
+    (0, import_node_fs9.writeFileSync)((0, import_node_path9.join)(outputDir, "dependencies.mermaid"), generateDependencyMermaid(nodes, edges));
   }
   if (formats.includes("json")) {
-    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "catalog.json"), exportJSON(db, sessionId));
+    (0, import_node_fs9.writeFileSync)((0, import_node_path9.join)(outputDir, "catalog.json"), exportJSON(db, sessionId));
   }
   if (formats.includes("yaml")) {
-    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "catalog-info.yaml"), exportBackstageYAML(nodes, edges));
+    (0, import_node_fs9.writeFileSync)((0, import_node_path9.join)(outputDir, "catalog-info.yaml"), exportBackstageYAML(nodes, edges));
   }
   if (formats.includes("html") || formats.includes("map") || formats.includes("discovery")) {
-    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "discovery.html"), exportDiscoveryApp(nodes, edges));
+    (0, import_node_fs9.writeFileSync)((0, import_node_path9.join)(outputDir, "discovery.html"), exportDiscoveryApp(nodes, edges));
   }
   if (formats.includes("cost")) {
     const summary = db.getGraphSummary(sessionId);
-    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "cost-by-domain.csv"), exportCostCSV(summary));
-    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "cost-summary.json"), exportCostSummary(summary));
+    (0, import_node_fs9.writeFileSync)((0, import_node_path9.join)(outputDir, "cost-by-domain.csv"), exportCostCSV(summary));
+    (0, import_node_fs9.writeFileSync)((0, import_node_path9.join)(outputDir, "cost-summary.json"), exportCostSummary(summary));
   }
 }
 
@@ -11921,7 +12122,7 @@ function formatComplianceText(report) {
 }
 
 // src/config.ts
-var import_node_fs9 = require("fs");
+var import_node_fs10 = require("fs");
 var ConfigError = class extends Error {
   constructor(message) {
     super(message);
@@ -11946,7 +12147,7 @@ function loadConfig(path) {
 function readConfigFile(path) {
   let raw;
   try {
-    raw = (0, import_node_fs9.readFileSync)(path, "utf-8");
+    raw = (0, import_node_fs10.readFileSync)(path, "utf-8");
   } catch (err) {
     throw new ConfigError(
       `Cannot read config file ${path}: ${err instanceof Error ? err.message : String(err)}`
@@ -12304,14 +12505,14 @@ function runSyncClassify(db, sessionId, config, opts = {}) {
 
 // src/preflight.ts
 var import_node_child_process2 = require("child_process");
-var import_node_fs10 = require("fs");
+var import_node_fs11 = require("fs");
 var import_node_path10 = require("path");
 function isOAuthLoggedIn() {
   const home = process.env.HOME ?? process.env.USERPROFILE ?? "/tmp";
   const credFile = (0, import_node_path10.join)(home, ".claude", ".credentials.json");
-  if (!(0, import_node_fs10.existsSync)(credFile)) return false;
+  if (!(0, import_node_fs11.existsSync)(credFile)) return false;
   try {
-    const creds = JSON.parse((0, import_node_fs10.readFileSync)(credFile, "utf8"));
+    const creds = JSON.parse((0, import_node_fs11.readFileSync)(credFile, "utf8"));
     const oauth = creds["claudeAiOauth"];
     return typeof oauth?.["accessToken"] === "string" && oauth["accessToken"].length > 0;
   } catch {
@@ -12364,9 +12565,11 @@ function checkClaudePrerequisites() {
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ACTIONS,
+  ANON_TOKEN,
   ActionSchema,
   AuthConfigSchema,
   AuthorizationError,
+  BARE_INTERNAL_HOST,
   CLIENTS,
   CONFIDENCE,
   CORRELATION_CONFIDENCE,
@@ -12530,11 +12733,13 @@ function checkClaudePrerequisites() {
   hostname,
   ingestEnvelope,
   installedAppsScanner,
+  isInCluster,
   isLoopbackHost,
   isPersonalHost,
   isReadOnlyCommand,
   isRemembered,
   isSecureWebhookUrl,
+  k8sRegistry,
   k8sScanner,
   keyMetaOf,
   layoutClusters,
@@ -12571,6 +12776,7 @@ function checkClaudePrerequisites() {
   parseNginxUpstreams,
   parseNlQuery,
   parseScanHint,
+  parseTerraformState,
   pixelToHex,
   planInstall,
   portsScanner,
@@ -12578,6 +12784,7 @@ function checkClaudePrerequisites() {
   previewShare,
   pseudonymize,
   pseudonymizeFragment,
+  pseudonymizeId,
   pseudonymizeString,
   pushDeltas,
   readConfigFile,
@@ -12600,6 +12807,8 @@ function checkClaudePrerequisites() {
   runHttp,
   runLocalDiscovery,
   runOnce,
+  runOperator,
+  runOperatorCycle,
   runStdio,
   runSyncClassify,
   safeEnv,
@@ -12620,6 +12829,8 @@ function checkClaudePrerequisites() {
   stableStringify,
   startApi,
   stripSensitive,
+  terraformScanner,
+  terraformTypeToNode,
   timingSafeEqual,
   toBackstageEntities,
   validateScanner,