@datasynx/agentic-ai-cartography 2.10.0 → 2.12.1

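--- a/package/dist/index.d.cts
+++ b/package/dist/index.d.cts
@@ -1984,6 +1984,18 @@ type FragmentKind = 'host' | 'user' | 'path' | 'ip';
  * left intact (so topology against public infra still reads).
  */
  declare const PRIVATE_IP: RegExp;
+ /**
+ * A bare single-label internal hostname — the known 2.10 residual that {@link HOSTNAME}
+ * (multi-label only) never tokenizes. We only treat a single label as an internal host
+ * when it *looks* like one: it contains a hyphen or a digit run (e.g. `db-01`, `web2`,
+ * `prod-db`) so we do not false-positive ordinary English words used as a `name`
+ * (`Postgres`, `Marketing`) or the literal `localhost`. Single-sourced here so the
+ * client (this module) and the server (`src/central/anonymization.ts`, which re-imports
+ * this constant) agree on what counts as a bare internal host.
+ */
+ declare const BARE_INTERNAL_HOST: RegExp;
+ /** A pseudonym token produced by this module (`anon:host:abc…`) — already anonymized. */
+ declare const ANON_TOKEN: RegExp;
  /**
  * Deterministic token for one identifying fragment. When `db` is supplied, the
  * plaintext is AES-256-GCM-encrypted under `reversalKey(orgKey)` and persisted so
@@ -1998,6 +2010,17 @@ declare function pseudonymizeFragment(plaintext: string, kind: FragmentKind, org
  * or a path segment is never mis-tokenized as a host.
  */
  declare function pseudonymizeString(s: string, orgKey: Buffer, db?: CartographyDB): string;
+ /**
+ * Pseudonymize the host material of a structured node id (`{type}:{host}[:{port}]` or
+ * `{type}:{provider}:{name}`). The leading `{type}` segment is a non-identifying schema
+ * prefix and is left verbatim; every later colon-delimited segment is run through
+ * {@link pseudonymizeString} (so an FQDN, a private IP, an absolute path, or a bare
+ * internal host inside a segment all tokenize, while a numeric port — matching no rule —
+ * is preserved). Re-join with `:`. This is the structural id transform used for node ids
+ * and for edge endpoints, so both stay consistent. A token already inside a segment is
+ * not re-tokenized (the bare-host pass is whole-string and `anon:` tokens are excluded).
+ */
+ declare function pseudonymizeId(id: string, orgKey: Buffer, db?: CartographyDB): string;
  /**
  * Recursive, structure-preserving walker — same shape as `redactValue`
  * (`src/tools.ts`): strings → {@link pseudonymizeString}, arrays → map,
@@ -2042,8 +2065,16 @@ declare function resolveEffectiveLevel(node: DiscoveryNode, policy: SharingPolic
  * (structure-preserving); identifying fragments tokenized.
  * - `full` → a structural clone, verbatim.
  *
- * The same deterministic `pseudonymizeString` is applied to the id here and by
- * {@link previewShare} when remapping edges, so endpoints always resolve.
+ * The same deterministic `pseudonymizeId` is applied to the id here and by
+ * {@link previewShare} when remapping edges (via the shared idMap), so endpoints
+ * always resolve. `pseudonymizeId` is id-aware: it tokenizes the host segment(s) —
+ * including a bare single-label internal host — while sparing the `{type}` prefix.
+ *
+ * At the `anonymized` level the derived identity fields `globalId`
+ * (`{tenant}:{normalizeId(id)}`, which embeds the raw id) and `contentHash` are
+ * dropped from the outgoing payload — they would otherwise carry the raw id past
+ * anonymization, and the central collector recomputes both from the (anonymized)
+ * node on ingest (`computeIdentity`), so omitting them is both leak-free and lossless.
  */
  declare function applySharingLevel(node: DiscoveryNode, level: SharingLevel, orgKey: Buffer, db?: CartographyDB): DiscoveryNode | null;
  interface SharePreviewEntry {
@@ -2150,6 +2181,11 @@ interface ScanContext {
  scanEstablishedConnections?: () => string;
  /** Injectable seam: cross-platform file search (3.2). Defaults to `findFiles`. */
  findFiles?: (dirs: string[], patterns: string[], maxDepth: number, limit: number) => string;
+ /**
+ * Injectable seam: read a local file's UTF-8 contents, '' on any error (5.3). Reads via
+ * `node:fs` (NOT the shell) so an operator-supplied path can never inject a command.
+ */
+ readFile?: (path: string) => string;
  /** Injectable seam: browser-bookmark host source. Defaults to `scanAllBookmarks`. */
  scanBookmarks?: () => Promise<BookmarkHost[]>;
  }
@@ -2801,6 +2837,33 @@ declare function parseConnectionString(name: string, url: string): {
  } | null;
  declare const serviceConfigScanner: Scanner;
 
+ /**
+ * Terraform-state importer (5.3) — a first-class deterministic `Scanner`.
+ *
+ * Ingests Terraform state JSON (a local `*.tfstate`, or the output of
+ * `terraform state pull` piped to a file) and emits authoritative `nodes`/`edges` into
+ * the existing discovery pipeline. This bridges *declared intent* (IaC) with *observed
+ * reality* (the live scanners): a resource declared in Terraform and a node observed on
+ * the machine reconcile to one record under `runLocalDiscovery`'s highest-confidence
+ * dedup, and the importer's `depends_on` edges are subject to the same endpoint-existence
+ * gate. Registered in `defaultRegistry()`, so it surfaces through both the CLI discovery
+ * command and the MCP `run_discovery` tool with zero extra wiring.
+ *
+ * Read-only: it only `cat`s a state file (allowlisted). Attribute values are
+ * credential-redacted before storage; only a small identity subset is kept.
+ */
+
+ /** Map a Terraform resource type (e.g. `aws_db_instance`) to a Cartograph node type. */
+ declare function terraformTypeToNode(tfType: string): NodeType;
+ /**
+ * Parse Terraform state JSON into nodes/edges. Pure + deterministic. A managed resource
+ * becomes a node keyed `{type}:terraform:{addr}`; its `dependencies[]` become `depends_on`
+ * edges to other managed resources in the same state. Malformed JSON → empty result
+ * (graceful degradation, never throws).
+ */
+ declare function parseTerraformState(json: string): ScanResult;
+ declare const terraformScanner: Scanner;
+
  /**
  * Confidence rubric for inferred dependency edges (3.2).
  *
@@ -3518,6 +3581,66 @@ declare function executeNlQuery(db: CartographyDB, sessionId: string, search: Se
  /** Convenience: parse + execute in one call. */
  declare function resolveNlQuery(db: CartographyDB, sessionId: string, search: SearchFn, raw: string, opts?: NlQueryOptions): Promise<NlQueryResult>;
 
+ /**
+ * Kubernetes operator (5.2) — a thin, deterministic, LLM-free reconcile loop.
+ *
+ * Runs Cartograph's discovery continuously **inside** a cluster and reports drift between
+ * cycles — the "continuous CMDB for Kubernetes" outcome. It is a thin orchestration over
+ * two engine halves that already exist and are DB-agnostic: the deterministic discovery
+ * driver `runLocalDiscovery` (with a **k8s-only** scanner registry — it maps in-cluster
+ * resources, never the host) and the drift engine `runDrift` (which classifies the delta
+ * vs the previous cycle and dispatches it to the configured sinks, 3.1/4.4). No agent loop,
+ * no Anthropic coupling, read-only (only `kubectl` reads via the allowlist).
+ *
+ * It is a periodic-reconcile operator, not a CRD controller — no custom resource or
+ * controller-runtime dependency; the loop is a plain interval (or a single `--once` pass
+ * for a CronJob driver). All side effects are injectable, so a cycle is unit-testable
+ * without a cluster.
+ */
+
+ /** A k8s-only scanner registry — the operator discovers cluster resources, not the host. */
+ declare function k8sRegistry(): ScannerRegistry;
+ /** True when running inside a Kubernetes pod (the service-account API env is injected). */
+ declare function isInCluster(env?: NodeJS.ProcessEnv): boolean;
+ interface OperatorCycleResult {
+ sessionId: string;
+ nodes: number;
+ edges: number;
+ /** The classified drift vs the previous cycle, or null (first cycle / no change). */
+ drift: DriftAlert | null;
+ }
+ interface OperatorOptions {
+ /** Reconcile interval (ms). Default 5 minutes. */
+ intervalMs?: number;
+ /** Run a single reconcile and return — CronJob-driver friendly. */
+ once?: boolean;
+ /** Injected discovery (tests). Default: `runLocalDiscovery` over the k8s registry. */
+ discover?: (db: CartographyDB, sessionId: string) => Promise<{
+ nodes: number;
+ edges: number;
+ }>;
+ /** Injected drift dispatch (tests). Default: `runDrift` (dispatches to `config.drift` sinks). */
+ drift?: (db: CartographyDB, config: CartographyConfig) => Promise<DriftAlert | null>;
+ /** Stop the reconcile loop (SIGINT/SIGTERM → abort). */
+ signal?: AbortSignal;
+ /** Sleep between cycles (tests inject a controlled/no-wait sleep). */
+ sleep?: (ms: number) => Promise<void>;
+ /**
+ * Keep only the most recent N discovery sessions (default 10) — a continuous operator
+ * creates one session per cycle, so older snapshots are pruned each cycle to bound the
+ * catalog. Drift only needs the latest two; the rest are retained history.
+ */
+ retain?: number;
+ log?: (msg: string) => void;
+ }
+ /**
+ * One reconcile cycle: discover in-cluster → record the session → classify + dispatch drift
+ * vs the previous cycle. Returns the cycle outcome.
+ */
+ declare function runOperatorCycle(db: CartographyDB, config: CartographyConfig, opts?: OperatorOptions): Promise<OperatorCycleResult>;
+ /** Run the operator: a single cycle if `once`, else a reconcile loop until the signal aborts. */
+ declare function runOperator(db: CartographyDB, config: CartographyConfig, opts?: OperatorOptions): Promise<void>;
+
  /**
  * Multi-cloud correlation engine (5.1).
  *
@@ -4379,4 +4502,4 @@ declare function logInfo(message: string, context?: Record<string, unknown>): vo
  declare function logWarn(message: string, context?: Record<string, unknown>): void;
  declare function logError(message: string, context?: Record<string, unknown>): void;
 
- export { ACTIONS, ANOMALY_KINDS, ANOMALY_SEVERITIES, type Action, ActionSchema, type AgentProvider, type AgentRunContext, type AgentTool, type Anomaly, type AnomalyConfig, type AnomalyKind, type AnomalySeverity, type AnomalyThresholds, type AnonViolation, type AnonymizationLevel, type ApiServerOptions, type AskUserFn, type AuthConfig, AuthConfigSchema, AuthorizationError, type Awaitable, type BackstageEntity, type BackstageMapOptions, type BindGuardOptions, type BoltDriver, type BoltRecord, type BoltResult, type BoltSession, CLIENTS, CONFIDENCE, CORRELATION_CONFIDENCE, COST_PERIODS, type CanonicalNode, type CartographyConfig, CartographyDB, type CartographyMapData, type CentralDbConfig, CentralDbConfigSchema, type ClassifiedItem, type ClassifyInput, type ClassifyResult, type ClientSpec, type Cluster, ClusterSchema, type ComplianceInput, type ComplianceReport, ComplianceReportSchema, type ComplianceRule, ComplianceRuleSchema, type Condition, ConditionSchema, ConfigError, type ConfigFile, ConfigFileSchema, type ConfigFormat, type Connection, ConnectionSchema, type Contributor, type ControlResult, ControlResultSchema, type CorrelatedTopology, type CorrelationEdge, type CorrelationSignal, type CostEntry, CostEntrySchema, type CostPeriod, type CostRecord, type CostSource, type CreateMcpServerOptions, type CredentialConfig, CredentialConfigSchema, type CredentialDb, type CredentialRecord, type CredentialStore, type CronFields, CsvCostSource, type CsvCostSourceOptions, DEFAULT_ANOMALY_THRESHOLDS, DEFAULT_FAST_MODEL, DEFAULT_INGEST_QUOTA, DEFAULT_LEAD_MODEL, DEFAULT_SERVER_NAME, DEFAULT_TENANT, DOMAIN_COLORS, DOMAIN_PALETTE, DRIFT_FIELDS, type DashboardOptions, type DataAsset, DataAssetSchema, type DependencyQuery, type DiscoveryEdge, type DiscoveryEvent, type DiscoveryFn, type DiscoveryNode, type DriftAlert, type DriftAlertItem, type DriftConfig, DriftConfigSchema, type DriftField, type DriftItemKind, type DriftRunRow, type DriftSink, type DriftSinkConfig, EDGE_RELATIONSHIPS, type EdgeRelationship, type EdgeRow, EdgeSchema, type EmbeddingProvider, type EnrichResult, type EntryOptions, type EstablishedConn, type EvidenceKind, type FetchLike, type FragmentKind, GraphStoreBackend, type GraphSummary, type HealthResult, type HttpOptions, INGEST_SCHEMA_VERSION, type IngestEnvelope, IngestEnvelopeSchema, type IngestHandler, type IngestHandlerOptions, type IngestOptions, type IngestResponse, type IngestResult, type InstallPlan, InvalidTenantError, type JiraIssue, type JiraOptions, JiraSink, type JiraSinkOptions, LOOPBACK_HOSTS, type LocalDiscoveryOptions, type LocalDiscoveryResult, type LogEntry, type LogLevel, MCP_BIN, type MatchStrategy, NODE_TYPES, NODE_TYPE_GROUPS, type NlIntent, type NlQueryOptions, type NlQueryResult, type NlRelation, type NodeAttribution, type NodeChange, type NodeIdentity, type NodeQuery, type NodeRow, NodeSchema, type NodeSignals, type NodeType, type NodesResult, NotFoundError, OUTPUT_FORMATS, type OrgKeyOptions, type OrgSummary, type OsKind, type OutputFormat, PACKAGE_NAME, PAGERDUTY_ENQUEUE_URL, PENDING_STATUSES, PERSONAL, PORT_MAP, PRIVATE_IP, PUSH_SCHEMA_VERSION, type PagerDutyEvent, PagerDutySink, type PagerDutySinkOptions, type ParsedApiArgs, type PendingShareRow, type PendingStatus, type PlanOptions, type PolicyResult, type PostJsonOptions, type Principal, PrincipalSchema, type ProviderFactory, type ProviderName, ProviderRegistry, type PushItem, type PushOptions, type PushResult, type QueryBackend, type QuotaConfig, type QuotaDecision, RELATION_TO_DIRECTION, ROLES, RateLimiter, type ResolveContext, type ResolveOptions, type Role, RoleSchema, type RuleCheck, RuleCheckSchema, type RuleScope, type Ruleset, RulesetSchema, type RunDriftOptions, SCAN_ARG_PATTERNS, SCHEMA_VERSION, SDL, SECURITY_METADATA_KEYS, SEVERITIES, SEVERITY_WEIGHT, SHARING_LEVELS, type ScanArgKind, type ScanContext, type ScanHintParams, type ScanResult, type Scanner, type ScannerPlugin, type ScannerPluginApi, ScannerRegistry, ScannerShape, type ScheduleConfig, ScheduleConfigSchema, type ScheduledRunResult, type Scope, type SearchFn, type SemanticSearchOptions, type ServerEntry, type SessionRow, type Severity, type SharePreview, type SharePreviewEntry, type SharingLevel, SharingLevelSchema, type SharingPolicy, type ShellKind, type SlackMessage, SlackSink, SqliteCredentialStore, SqliteQueryBackend, SqliteStoreBackend, type StartApiOptions, StdoutSink, type StoreBackend, type StoreBackendOptions, type SyncClassifyOptions, type SyncClassifyResult, TENANT_HEADER, type TenantContext, TenantMismatchError, type TenantOptions, type ToolResult, type TopologyDelta, type TopologyDiff, type TopologyInput, type TraversalResult, VectorStore, WebhookSink, type WebhookSinkOptions, applyInstall, applySharingLevel, assertReadOnly, assertSafeBind, assertSafeScanArg, assertSameTenant, assignColors, authorize, bearerToken, bookmarksScanner, buildCartographyToolHandlers, buildMapData, buildOpenApiDocument, buildReport, buildSinks, can, centralDbFromEnv, checkBearer, checkPrerequisites, checkReadOnly, clampText, classify, classifyDrift, cleanupTempFiles, cloudAwsScanner, cloudAzureScanner, cloudGcpScanner, codeAddMcpCommand, computeCentroid, computeClusterBounds, computeIdentity, connectionsScanner, contentHash, correlateTopology, createBashTool, createCartographyTools, createClaudeProvider, createDefaultRegistry, createHashEmbedder, createIngestHandler, createLocalEmbedder, createMcpServer, createOllamaProvider, createOpenAIProvider, createScanRunner, createSemanticSearch, createSqliteQueryBackend, currentOs, cursorDeeplink, dashboardHtml, databasesScanner, deepMerge, defaultAllowedHosts, defaultConfig, defaultContext, defaultProviderRegistry, defaultRegistry, defaultServerEntry, definePlugin, deriveSessionName, detectAnomalies, detectOrphans, detectShadowIt, diffTopology, edgesToConnections, enrichCosts, entitiesToYaml, evaluateCheck, evaluateRule, evidenceLine, executeGraphql, executeNlQuery, exportAll, exportBackstageYAML, exportComplianceReport, exportCostCSV, exportCostSummary, exportDiscoveryApp, exportJGF, exportJSON, extractListeningPorts, extractSignals, filterBySeverity, findAnonViolations, formatComplianceText, formatJira, formatPagerDuty, formatSlack, generateDependencyMermaid, generateDiffMermaid, generateTopologyMermaid, getClient, getRuleset, globalId, groupByDomain, handleGraphqlGet, hashToken, hexCorners, hexDistance, hexNeighbors, hexRing, hexSpiral, hexToPixel, hmacKey, hostname, ingestEnvelope, installedAppsScanner, isLoopbackHost, isPersonalHost, isReadOnlyCommand, isRemembered, isSecureWebhookUrl, k8sScanner, keyMetaOf, layoutClusters, listClients, listRulesets, loadConfig, loadOrgKey, loadPlugins, loadRuleset, localDiscoveryFn, log, logDebug, logError, logInfo, logWarn, machineId, maxSeverity, mcpServerObject, newAnomalies, nextRun, nodesToAssets, normalizeId, normalizeTenant, openStoreBackend, orgKeyPath, osUser, parseApiArgs, parseComposeDeps, parseConfig, parseConnectionString, parseCostCsv, parseCron, parseEstablished, parseNginxUpstreams, parseNlQuery, parseScanHint, pixelToHex, planInstall, portsScanner, postJson, previewShare, pseudonymize, pseudonymizeFragment, pseudonymizeString, pushDeltas, readConfigFile, redactConnectionString, redactSecrets, redactValue, renderDiff, resolveEffectiveLevel, resolveNlQuery, resolvePrincipal, resolveSharingLevel, resolveTenant, revalidateAnonymized, reversalKey, reversePseudonym, rotateOrgKey, runApi, runDiscovery, runDrift, runHttp, runLocalDiscovery, runOnce, runStdio, runSyncClassify, safeEnv, safeJson, safetyHook, sanitizeUntrusted, sanitizeValue, scopeReads, scoreTopology, securityRelevantChange, serializeConfig, serviceConfigScanner, setVerbose, shadeVariant, shapeToJsonSchema, shareHash, splitSegments, stableStringify, startApi, stripSensitive, timingSafeEqual, toBackstageEntities, validateScanner, vscodeDeeplink, zodToJsonSchema };
+ export { ACTIONS, ANOMALY_KINDS, ANOMALY_SEVERITIES, ANON_TOKEN, type Action, ActionSchema, type AgentProvider, type AgentRunContext, type AgentTool, type Anomaly, type AnomalyConfig, type AnomalyKind, type AnomalySeverity, type AnomalyThresholds, type AnonViolation, type AnonymizationLevel, type ApiServerOptions, type AskUserFn, type AuthConfig, AuthConfigSchema, AuthorizationError, type Awaitable, BARE_INTERNAL_HOST, type BackstageEntity, type BackstageMapOptions, type BindGuardOptions, type BoltDriver, type BoltRecord, type BoltResult, type BoltSession, CLIENTS, CONFIDENCE, CORRELATION_CONFIDENCE, COST_PERIODS, type CanonicalNode, type CartographyConfig, CartographyDB, type CartographyMapData, type CentralDbConfig, CentralDbConfigSchema, type ClassifiedItem, type ClassifyInput, type ClassifyResult, type ClientSpec, type Cluster, ClusterSchema, type ComplianceInput, type ComplianceReport, ComplianceReportSchema, type ComplianceRule, ComplianceRuleSchema, type Condition, ConditionSchema, ConfigError, type ConfigFile, ConfigFileSchema, type ConfigFormat, type Connection, ConnectionSchema, type Contributor, type ControlResult, ControlResultSchema, type CorrelatedTopology, type CorrelationEdge, type CorrelationSignal, type CostEntry, CostEntrySchema, type CostPeriod, type CostRecord, type CostSource, type CreateMcpServerOptions, type CredentialConfig, CredentialConfigSchema, type CredentialDb, type CredentialRecord, type CredentialStore, type CronFields, CsvCostSource, type CsvCostSourceOptions, DEFAULT_ANOMALY_THRESHOLDS, DEFAULT_FAST_MODEL, DEFAULT_INGEST_QUOTA, DEFAULT_LEAD_MODEL, DEFAULT_SERVER_NAME, DEFAULT_TENANT, DOMAIN_COLORS, DOMAIN_PALETTE, DRIFT_FIELDS, type DashboardOptions, type DataAsset, DataAssetSchema, type DependencyQuery, type DiscoveryEdge, type DiscoveryEvent, type DiscoveryFn, type DiscoveryNode, type DriftAlert, type DriftAlertItem, type DriftConfig, DriftConfigSchema, type DriftField, type DriftItemKind, type DriftRunRow, type DriftSink, type DriftSinkConfig, EDGE_RELATIONSHIPS, type EdgeRelationship, type EdgeRow, EdgeSchema, type EmbeddingProvider, type EnrichResult, type EntryOptions, type EstablishedConn, type EvidenceKind, type FetchLike, type FragmentKind, GraphStoreBackend, type GraphSummary, type HealthResult, type HttpOptions, INGEST_SCHEMA_VERSION, type IngestEnvelope, IngestEnvelopeSchema, type IngestHandler, type IngestHandlerOptions, type IngestOptions, type IngestResponse, type IngestResult, type InstallPlan, InvalidTenantError, type JiraIssue, type JiraOptions, JiraSink, type JiraSinkOptions, LOOPBACK_HOSTS, type LocalDiscoveryOptions, type LocalDiscoveryResult, type LogEntry, type LogLevel, MCP_BIN, type MatchStrategy, NODE_TYPES, NODE_TYPE_GROUPS, type NlIntent, type NlQueryOptions, type NlQueryResult, type NlRelation, type NodeAttribution, type NodeChange, type NodeIdentity, type NodeQuery, type NodeRow, NodeSchema, type NodeSignals, type NodeType, type NodesResult, NotFoundError, OUTPUT_FORMATS, type OperatorCycleResult, type OperatorOptions, type OrgKeyOptions, type OrgSummary, type OsKind, type OutputFormat, PACKAGE_NAME, PAGERDUTY_ENQUEUE_URL, PENDING_STATUSES, PERSONAL, PORT_MAP, PRIVATE_IP, PUSH_SCHEMA_VERSION, type PagerDutyEvent, PagerDutySink, type PagerDutySinkOptions, type ParsedApiArgs, type PendingShareRow, type PendingStatus, type PlanOptions, type PolicyResult, type PostJsonOptions, type Principal, PrincipalSchema, type ProviderFactory, type ProviderName, ProviderRegistry, type PushItem, type PushOptions, type PushResult, type QueryBackend, type QuotaConfig, type QuotaDecision, RELATION_TO_DIRECTION, ROLES, RateLimiter, type ResolveContext, type ResolveOptions, type Role, RoleSchema, type RuleCheck, RuleCheckSchema, type RuleScope, type Ruleset, RulesetSchema, type RunDriftOptions, SCAN_ARG_PATTERNS, SCHEMA_VERSION, SDL, SECURITY_METADATA_KEYS, SEVERITIES, SEVERITY_WEIGHT, SHARING_LEVELS, type ScanArgKind, type ScanContext, type ScanHintParams, type ScanResult, type Scanner, type ScannerPlugin, type ScannerPluginApi, ScannerRegistry, ScannerShape, type ScheduleConfig, ScheduleConfigSchema, type ScheduledRunResult, type Scope, type SearchFn, type SemanticSearchOptions, type ServerEntry, type SessionRow, type Severity, type SharePreview, type SharePreviewEntry, type SharingLevel, SharingLevelSchema, type SharingPolicy, type ShellKind, type SlackMessage, SlackSink, SqliteCredentialStore, SqliteQueryBackend, SqliteStoreBackend, type StartApiOptions, StdoutSink, type StoreBackend, type StoreBackendOptions, type SyncClassifyOptions, type SyncClassifyResult, TENANT_HEADER, type TenantContext, TenantMismatchError, type TenantOptions, type ToolResult, type TopologyDelta, type TopologyDiff, type TopologyInput, type TraversalResult, VectorStore, WebhookSink, type WebhookSinkOptions, applyInstall, applySharingLevel, assertReadOnly, assertSafeBind, assertSafeScanArg, assertSameTenant, assignColors, authorize, bearerToken, bookmarksScanner, buildCartographyToolHandlers, buildMapData, buildOpenApiDocument, buildReport, buildSinks, can, centralDbFromEnv, checkBearer, checkPrerequisites, checkReadOnly, clampText, classify, classifyDrift, cleanupTempFiles, cloudAwsScanner, cloudAzureScanner, cloudGcpScanner, codeAddMcpCommand, computeCentroid, computeClusterBounds, computeIdentity, connectionsScanner, contentHash, correlateTopology, createBashTool, createCartographyTools, createClaudeProvider, createDefaultRegistry, createHashEmbedder, createIngestHandler, createLocalEmbedder, createMcpServer, createOllamaProvider, createOpenAIProvider, createScanRunner, createSemanticSearch, createSqliteQueryBackend, currentOs, cursorDeeplink, dashboardHtml, databasesScanner, deepMerge, defaultAllowedHosts, defaultConfig, defaultContext, defaultProviderRegistry, defaultRegistry, defaultServerEntry, definePlugin, deriveSessionName, detectAnomalies, detectOrphans, detectShadowIt, diffTopology, edgesToConnections, enrichCosts, entitiesToYaml, evaluateCheck, evaluateRule, evidenceLine, executeGraphql, executeNlQuery, exportAll, exportBackstageYAML, exportComplianceReport, exportCostCSV, exportCostSummary, exportDiscoveryApp, exportJGF, exportJSON, extractListeningPorts, extractSignals, filterBySeverity, findAnonViolations, formatComplianceText, formatJira, formatPagerDuty, formatSlack, generateDependencyMermaid, generateDiffMermaid, generateTopologyMermaid, getClient, getRuleset, globalId, groupByDomain, handleGraphqlGet, hashToken, hexCorners, hexDistance, hexNeighbors, hexRing, hexSpiral, hexToPixel, hmacKey, hostname, ingestEnvelope, installedAppsScanner, isInCluster, isLoopbackHost, isPersonalHost, isReadOnlyCommand, isRemembered, isSecureWebhookUrl, k8sRegistry, k8sScanner, keyMetaOf, layoutClusters, listClients, listRulesets, loadConfig, loadOrgKey, loadPlugins, loadRuleset, localDiscoveryFn, log, logDebug, logError, logInfo, logWarn, machineId, maxSeverity, mcpServerObject, newAnomalies, nextRun, nodesToAssets, normalizeId, normalizeTenant, openStoreBackend, orgKeyPath, osUser, parseApiArgs, parseComposeDeps, parseConfig, parseConnectionString, parseCostCsv, parseCron, parseEstablished, parseNginxUpstreams, parseNlQuery, parseScanHint, parseTerraformState, pixelToHex, planInstall, portsScanner, postJson, previewShare, pseudonymize, pseudonymizeFragment, pseudonymizeId, pseudonymizeString, pushDeltas, readConfigFile, redactConnectionString, redactSecrets, redactValue, renderDiff, resolveEffectiveLevel, resolveNlQuery, resolvePrincipal, resolveSharingLevel, resolveTenant, revalidateAnonymized, reversalKey, reversePseudonym, rotateOrgKey, runApi, runDiscovery, runDrift, runHttp, runLocalDiscovery, runOnce, runOperator, runOperatorCycle, runStdio, runSyncClassify, safeEnv, safeJson, safetyHook, sanitizeUntrusted, sanitizeValue, scopeReads, scoreTopology, securityRelevantChange, serializeConfig, serviceConfigScanner, setVerbose, shadeVariant, shapeToJsonSchema, shareHash, splitSegments, stableStringify, startApi, stripSensitive, terraformScanner, terraformTypeToNode, timingSafeEqual, toBackstageEntities, validateScanner, vscodeDeeplink, zodToJsonSchema };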
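Review bot: The Terraform importer header (hunk @@ -2801) says `Read-only: it only `cat`s a state file (allowlisted).`, while the `readFile` seam added to `ScanContext` in the hunk above it (@@ -2150) is documented as reading via `node:fs` (NOT the shell) precisely so an operator-supplied path cannot inject a command — the two descriptions of the same 5.3 file read contradict each other on exactly the security-relevant point. If the importer goes through the seam, I would change that line to `* Read-only: the state file is read through the injectable readFile seam (node:fs, never a shell command).`; if it really shells out to `cat`, the seam's "can never inject" guarantee is overstated and should be narrowed to the default implementation. These comments are emitted into this generated declaration bundle from the source doc comments, which are outside this diff, and the same text recurs in the index.d.ts section below. Separately, `pseudonymizeId` is documented as splitting on every `:` after the `{type}` prefix, so an IPv6 host literal inside an id would be tokenized per colon-delimited fragment; unless `PRIVATE_IP` (declared above, pattern not visible here) is applied before the split, a private IPv6 address could pass through un-tokenized, which deserves a test case.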
package/dist/index.d.ts CHANGED
@@ -1984,6 +1984,18 @@ type FragmentKind = 'host' | 'user' | 'path' | 'ip';
1984
1984
  * left intact (so topology against public infra still reads).
1985
1985
  */
1986
1986
  declare const PRIVATE_IP: RegExp;
1987
+ /**
1988
+ * A bare single-label internal hostname — the known 2.10 residual that {@link HOSTNAME}
1989
+ * (multi-label only) never tokenizes. We only treat a single label as an internal host
1990
+ * when it *looks* like one: it contains a hyphen or a digit run (e.g. `db-01`, `web2`,
1991
+ * `prod-db`) so we do not false-positive ordinary English words used as a `name`
1992
+ * (`Postgres`, `Marketing`) or the literal `localhost`. Single-sourced here so the
1993
+ * client (this module) and the server (`src/central/anonymization.ts`, which re-imports
1994
+ * this constant) agree on what counts as a bare internal host.
1995
+ */
1996
+ declare const BARE_INTERNAL_HOST: RegExp;
1997
+ /** A pseudonym token produced by this module (`anon:host:abc…`) — already anonymized. */
1998
+ declare const ANON_TOKEN: RegExp;
1987
1999
  /**
1988
2000
  * Deterministic token for one identifying fragment. When `db` is supplied, the
1989
2001
  * plaintext is AES-256-GCM-encrypted under `reversalKey(orgKey)` and persisted so
@@ -1998,6 +2010,17 @@ declare function pseudonymizeFragment(plaintext: string, kind: FragmentKind, org
1998
2010
  * or a path segment is never mis-tokenized as a host.
1999
2011
  */
2000
2012
  declare function pseudonymizeString(s: string, orgKey: Buffer, db?: CartographyDB): string;
2013
+ /**
2014
+ * Pseudonymize the host material of a structured node id (`{type}:{host}[:{port}]` or
2015
+ * `{type}:{provider}:{name}`). The leading `{type}` segment is a non-identifying schema
2016
+ * prefix and is left verbatim; every later colon-delimited segment is run through
2017
+ * {@link pseudonymizeString} (so an FQDN, a private IP, an absolute path, or a bare
2018
+ * internal host inside a segment all tokenize, while a numeric port — matching no rule —
2019
+ * is preserved). Re-join with `:`. This is the structural id transform used for node ids
2020
+ * and for edge endpoints, so both stay consistent. A token already inside a segment is
2021
+ * not re-tokenized (the bare-host pass is whole-string and `anon:` tokens are excluded).
2022
+ */
2023
+ declare function pseudonymizeId(id: string, orgKey: Buffer, db?: CartographyDB): string;
2001
2024
  /**
2002
2025
  * Recursive, structure-preserving walker — same shape as `redactValue`
2003
2026
  * (`src/tools.ts`): strings → {@link pseudonymizeString}, arrays → map,
@@ -2042,8 +2065,16 @@ declare function resolveEffectiveLevel(node: DiscoveryNode, policy: SharingPolic
2042
2065
  * (structure-preserving); identifying fragments tokenized.
2043
2066
  * - `full` → a structural clone, verbatim.
2044
2067
  *
2045
- * The same deterministic `pseudonymizeString` is applied to the id here and by
2046
- * {@link previewShare} when remapping edges, so endpoints always resolve.
2068
+ * The same deterministic `pseudonymizeId` is applied to the id here and by
2069
+ * {@link previewShare} when remapping edges (via the shared idMap), so endpoints
2070
+ * always resolve. `pseudonymizeId` is id-aware: it tokenizes the host segment(s) —
2071
+ * including a bare single-label internal host — while sparing the `{type}` prefix.
2072
+ *
2073
+ * At the `anonymized` level the derived identity fields `globalId`
2074
+ * (`{tenant}:{normalizeId(id)}`, which embeds the raw id) and `contentHash` are
2075
+ * dropped from the outgoing payload — they would otherwise carry the raw id past
2076
+ * anonymization, and the central collector recomputes both from the (anonymized)
2077
+ * node on ingest (`computeIdentity`), so omitting them is both leak-free and lossless.
2047
2078
  */
2048
2079
  declare function applySharingLevel(node: DiscoveryNode, level: SharingLevel, orgKey: Buffer, db?: CartographyDB): DiscoveryNode | null;
2049
2080
  interface SharePreviewEntry {
@@ -2150,6 +2181,11 @@ interface ScanContext {
2150
2181
  scanEstablishedConnections?: () => string;
2151
2182
  /** Injectable seam: cross-platform file search (3.2). Defaults to `findFiles`. */
2152
2183
  findFiles?: (dirs: string[], patterns: string[], maxDepth: number, limit: number) => string;
2184
+ /**
2185
+ * Injectable seam: read a local file's UTF-8 contents, '' on any error (5.3). Reads via
2186
+ * `node:fs` (NOT the shell) so an operator-supplied path can never inject a command.
2187
+ */
2188
+ readFile?: (path: string) => string;
2153
2189
  /** Injectable seam: browser-bookmark host source. Defaults to `scanAllBookmarks`. */
2154
2190
  scanBookmarks?: () => Promise<BookmarkHost[]>;
2155
2191
  }
@@ -2801,6 +2837,33 @@ declare function parseConnectionString(name: string, url: string): {
2801
2837
  } | null;
2802
2838
  declare const serviceConfigScanner: Scanner;
2803
2839
 
2840
+ /**
2841
+ * Terraform-state importer (5.3) — a first-class deterministic `Scanner`.
2842
+ *
2843
+ * Ingests Terraform state JSON (a local `*.tfstate`, or the output of
2844
+ * `terraform state pull` piped to a file) and emits authoritative `nodes`/`edges` into
2845
+ * the existing discovery pipeline. This bridges *declared intent* (IaC) with *observed
2846
+ * reality* (the live scanners): a resource declared in Terraform and a node observed on
2847
+ * the machine reconcile to one record under `runLocalDiscovery`'s highest-confidence
2848
+ * dedup, and the importer's `depends_on` edges are subject to the same endpoint-existence
2849
+ * gate. Registered in `defaultRegistry()`, so it surfaces through both the CLI discovery
2850
+ * command and the MCP `run_discovery` tool with zero extra wiring.
2851
+ *
2852
+ * Read-only: it only `cat`s a state file (allowlisted). Attribute values are
2853
+ * credential-redacted before storage; only a small identity subset is kept.
2854
+ */
2855
+
2856
+ /** Map a Terraform resource type (e.g. `aws_db_instance`) to a Cartograph node type. */
2857
+ declare function terraformTypeToNode(tfType: string): NodeType;
2858
+ /**
2859
+ * Parse Terraform state JSON into nodes/edges. Pure + deterministic. A managed resource
2860
+ * becomes a node keyed `{type}:terraform:{addr}`; its `dependencies[]` become `depends_on`
2861
+ * edges to other managed resources in the same state. Malformed JSON → empty result
2862
+ * (graceful degradation, never throws).
2863
+ */
2864
+ declare function parseTerraformState(json: string): ScanResult;
2865
+ declare const terraformScanner: Scanner;
2866
+
2804
2867
  /**
2805
2868
  * Confidence rubric for inferred dependency edges (3.2).
2806
2869
  *
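Review bot: The Terraform importer header says it "only `cat`s a state file (allowlisted)", which contradicts the `readFile` seam added in the `ScanContext` hunk earlier in this diff, whose comment says the file is read via `node:fs` and never the shell; one of the two is stale. If the importer goes through `readFile` (the shared 5.3 tag suggests it does), the header should say so: `* Read-only: the state file is read through the \`readFile\` seam (node:fs, never a shell command).` The `parseTerraformState` doc covers only malformed JSON; a well-formed document that is not a state (no `resources` array, or an older state format) is likely the more common way to get a silent empty scan and should be documented as the same empty result or called out as a caveat. Whether `outputs` (which often carry sensitive values) fall outside the "small identity subset" is also not stated and is worth a sentence.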
@@ -3518,6 +3581,66 @@ declare function executeNlQuery(db: CartographyDB, sessionId: string, search: Se
3518
3581
  /** Convenience: parse + execute in one call. */
3519
3582
  declare function resolveNlQuery(db: CartographyDB, sessionId: string, search: SearchFn, raw: string, opts?: NlQueryOptions): Promise<NlQueryResult>;
3520
3583
 
3584
+ /**
3585
+ * Kubernetes operator (5.2) — a thin, deterministic, LLM-free reconcile loop.
3586
+ *
3587
+ * Runs Cartograph's discovery continuously **inside** a cluster and reports drift between
3588
+ * cycles — the "continuous CMDB for Kubernetes" outcome. It is a thin orchestration over
3589
+ * two engine halves that already exist and are DB-agnostic: the deterministic discovery
3590
+ * driver `runLocalDiscovery` (with a **k8s-only** scanner registry — it maps in-cluster
3591
+ * resources, never the host) and the drift engine `runDrift` (which classifies the delta
3592
+ * vs the previous cycle and dispatches it to the configured sinks, 3.1/4.4). No agent loop,
3593
+ * no Anthropic coupling, read-only (only `kubectl` reads via the allowlist).
3594
+ *
3595
+ * It is a periodic-reconcile operator, not a CRD controller — no custom resource or
3596
+ * controller-runtime dependency; the loop is a plain interval (or a single `--once` pass
3597
+ * for a CronJob driver). All side effects are injectable, so a cycle is unit-testable
3598
+ * without a cluster.
3599
+ */
3600
+
3601
+ /** A k8s-only scanner registry — the operator discovers cluster resources, not the host. */
3602
+ declare function k8sRegistry(): ScannerRegistry;
3603
+ /** True when running inside a Kubernetes pod (the service-account API env is injected). */
3604
+ declare function isInCluster(env?: NodeJS.ProcessEnv): boolean;
3605
+ interface OperatorCycleResult {
3606
+ sessionId: string;
3607
+ nodes: number;
3608
+ edges: number;
3609
+ /** The classified drift vs the previous cycle, or null (first cycle / no change). */
3610
+ drift: DriftAlert | null;
3611
+ }
3612
+ interface OperatorOptions {
3613
+ /** Reconcile interval (ms). Default 5 minutes. */
3614
+ intervalMs?: number;
3615
+ /** Run a single reconcile and return — CronJob-driver friendly. */
3616
+ once?: boolean;
3617
+ /** Injected discovery (tests). Default: `runLocalDiscovery` over the k8s registry. */
3618
+ discover?: (db: CartographyDB, sessionId: string) => Promise<{
3619
+ nodes: number;
3620
+ edges: number;
3621
+ }>;
3622
+ /** Injected drift dispatch (tests). Default: `runDrift` (dispatches to `config.drift` sinks). */
3623
+ drift?: (db: CartographyDB, config: CartographyConfig) => Promise<DriftAlert | null>;
3624
+ /** Stop the reconcile loop (SIGINT/SIGTERM → abort). */
3625
+ signal?: AbortSignal;
3626
+ /** Sleep between cycles (tests inject a controlled/no-wait sleep). */
3627
+ sleep?: (ms: number) => Promise<void>;
3628
+ /**
3629
+ * Keep only the most recent N discovery sessions (default 10) — a continuous operator
3630
+ * creates one session per cycle, so older snapshots are pruned each cycle to bound the
3631
+ * catalog. Drift only needs the latest two; the rest are retained history.
3632
+ */
3633
+ retain?: number;
3634
+ log?: (msg: string) => void;
3635
+ }
3636
+ /**
3637
+ * One reconcile cycle: discover in-cluster → record the session → classify + dispatch drift
3638
+ * vs the previous cycle. Returns the cycle outcome.
3639
+ */
3640
+ declare function runOperatorCycle(db: CartographyDB, config: CartographyConfig, opts?: OperatorOptions): Promise<OperatorCycleResult>;
3641
+ /** Run the operator: a single cycle if `once`, else a reconcile loop until the signal aborts. */
3642
+ declare function runOperator(db: CartographyDB, config: CartographyConfig, opts?: OperatorOptions): Promise<void>;
3643
+
3521
3644
  /**
3522
3645
  * Multi-cloud correlation engine (5.1).
3523
3646
  *
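Review bot: `log` on `OperatorOptions` is the only field in the new interface without a doc comment, and its default when omitted is not visible in this hunk; suggest `/** Line logger for cycle progress (tests inject a collector). */` above it, naming the default once it is known. The `retain` comment says pruning runs each cycle and that drift needs the latest two sessions, but does not say what happens for `retain` below 2 — if the prune runs before `runDrift`, a value of 0 or 1 would leave no previous cycle to diff against, so the floor (or a clamp) should be documented; this is inferred from the comment, since the implementation is not in the hunk. Likewise `intervalMs` gives a default but no minimum, and a zero or negative interval in a continuous loop is worth stating as rejected or clamped.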
@@ -4379,4 +4502,4 @@ declare function logInfo(message: string, context?: Record<string, unknown>): vo
4379
4502
  declare function logWarn(message: string, context?: Record<string, unknown>): void;
4380
4503
  declare function logError(message: string, context?: Record<string, unknown>): void;
4381
4504
 
4382
- export { ACTIONS, ANOMALY_KINDS, ANOMALY_SEVERITIES, type Action, ActionSchema, type AgentProvider, type AgentRunContext, type AgentTool, type Anomaly, type AnomalyConfig, type AnomalyKind, type AnomalySeverity, type AnomalyThresholds, type AnonViolation, type AnonymizationLevel, type ApiServerOptions, type AskUserFn, type AuthConfig, AuthConfigSchema, AuthorizationError, type Awaitable, type BackstageEntity, type BackstageMapOptions, type BindGuardOptions, type BoltDriver, type BoltRecord, type BoltResult, type BoltSession, CLIENTS, CONFIDENCE, CORRELATION_CONFIDENCE, COST_PERIODS, type CanonicalNode, type CartographyConfig, CartographyDB, type CartographyMapData, type CentralDbConfig, CentralDbConfigSchema, type ClassifiedItem, type ClassifyInput, type ClassifyResult, type ClientSpec, type Cluster, ClusterSchema, type ComplianceInput, type ComplianceReport, ComplianceReportSchema, type ComplianceRule, ComplianceRuleSchema, type Condition, ConditionSchema, ConfigError, type ConfigFile, ConfigFileSchema, type ConfigFormat, type Connection, ConnectionSchema, type Contributor, type ControlResult, ControlResultSchema, type CorrelatedTopology, type CorrelationEdge, type CorrelationSignal, type CostEntry, CostEntrySchema, type CostPeriod, type CostRecord, type CostSource, type CreateMcpServerOptions, type CredentialConfig, CredentialConfigSchema, type CredentialDb, type CredentialRecord, type CredentialStore, type CronFields, CsvCostSource, type CsvCostSourceOptions, DEFAULT_ANOMALY_THRESHOLDS, DEFAULT_FAST_MODEL, DEFAULT_INGEST_QUOTA, DEFAULT_LEAD_MODEL, DEFAULT_SERVER_NAME, DEFAULT_TENANT, DOMAIN_COLORS, DOMAIN_PALETTE, DRIFT_FIELDS, type DashboardOptions, type DataAsset, DataAssetSchema, type DependencyQuery, type DiscoveryEdge, type DiscoveryEvent, type DiscoveryFn, type DiscoveryNode, type DriftAlert, type DriftAlertItem, type DriftConfig, DriftConfigSchema, type DriftField, type DriftItemKind, type DriftRunRow, type DriftSink, type DriftSinkConfig, 
EDGE_RELATIONSHIPS, type EdgeRelationship, type EdgeRow, EdgeSchema, type EmbeddingProvider, type EnrichResult, type EntryOptions, type EstablishedConn, type EvidenceKind, type FetchLike, type FragmentKind, GraphStoreBackend, type GraphSummary, type HealthResult, type HttpOptions, INGEST_SCHEMA_VERSION, type IngestEnvelope, IngestEnvelopeSchema, type IngestHandler, type IngestHandlerOptions, type IngestOptions, type IngestResponse, type IngestResult, type InstallPlan, InvalidTenantError, type JiraIssue, type JiraOptions, JiraSink, type JiraSinkOptions, LOOPBACK_HOSTS, type LocalDiscoveryOptions, type LocalDiscoveryResult, type LogEntry, type LogLevel, MCP_BIN, type MatchStrategy, NODE_TYPES, NODE_TYPE_GROUPS, type NlIntent, type NlQueryOptions, type NlQueryResult, type NlRelation, type NodeAttribution, type NodeChange, type NodeIdentity, type NodeQuery, type NodeRow, NodeSchema, type NodeSignals, type NodeType, type NodesResult, NotFoundError, OUTPUT_FORMATS, type OrgKeyOptions, type OrgSummary, type OsKind, type OutputFormat, PACKAGE_NAME, PAGERDUTY_ENQUEUE_URL, PENDING_STATUSES, PERSONAL, PORT_MAP, PRIVATE_IP, PUSH_SCHEMA_VERSION, type PagerDutyEvent, PagerDutySink, type PagerDutySinkOptions, type ParsedApiArgs, type PendingShareRow, type PendingStatus, type PlanOptions, type PolicyResult, type PostJsonOptions, type Principal, PrincipalSchema, type ProviderFactory, type ProviderName, ProviderRegistry, type PushItem, type PushOptions, type PushResult, type QueryBackend, type QuotaConfig, type QuotaDecision, RELATION_TO_DIRECTION, ROLES, RateLimiter, type ResolveContext, type ResolveOptions, type Role, RoleSchema, type RuleCheck, RuleCheckSchema, type RuleScope, type Ruleset, RulesetSchema, type RunDriftOptions, SCAN_ARG_PATTERNS, SCHEMA_VERSION, SDL, SECURITY_METADATA_KEYS, SEVERITIES, SEVERITY_WEIGHT, SHARING_LEVELS, type ScanArgKind, type ScanContext, type ScanHintParams, type ScanResult, type Scanner, type ScannerPlugin, type ScannerPluginApi, ScannerRegistry, 
ScannerShape, type ScheduleConfig, ScheduleConfigSchema, type ScheduledRunResult, type Scope, type SearchFn, type SemanticSearchOptions, type ServerEntry, type SessionRow, type Severity, type SharePreview, type SharePreviewEntry, type SharingLevel, SharingLevelSchema, type SharingPolicy, type ShellKind, type SlackMessage, SlackSink, SqliteCredentialStore, SqliteQueryBackend, SqliteStoreBackend, type StartApiOptions, StdoutSink, type StoreBackend, type StoreBackendOptions, type SyncClassifyOptions, type SyncClassifyResult, TENANT_HEADER, type TenantContext, TenantMismatchError, type TenantOptions, type ToolResult, type TopologyDelta, type TopologyDiff, type TopologyInput, type TraversalResult, VectorStore, WebhookSink, type WebhookSinkOptions, applyInstall, applySharingLevel, assertReadOnly, assertSafeBind, assertSafeScanArg, assertSameTenant, assignColors, authorize, bearerToken, bookmarksScanner, buildCartographyToolHandlers, buildMapData, buildOpenApiDocument, buildReport, buildSinks, can, centralDbFromEnv, checkBearer, checkPrerequisites, checkReadOnly, clampText, classify, classifyDrift, cleanupTempFiles, cloudAwsScanner, cloudAzureScanner, cloudGcpScanner, codeAddMcpCommand, computeCentroid, computeClusterBounds, computeIdentity, connectionsScanner, contentHash, correlateTopology, createBashTool, createCartographyTools, createClaudeProvider, createDefaultRegistry, createHashEmbedder, createIngestHandler, createLocalEmbedder, createMcpServer, createOllamaProvider, createOpenAIProvider, createScanRunner, createSemanticSearch, createSqliteQueryBackend, currentOs, cursorDeeplink, dashboardHtml, databasesScanner, deepMerge, defaultAllowedHosts, defaultConfig, defaultContext, defaultProviderRegistry, defaultRegistry, defaultServerEntry, definePlugin, deriveSessionName, detectAnomalies, detectOrphans, detectShadowIt, diffTopology, edgesToConnections, enrichCosts, entitiesToYaml, evaluateCheck, evaluateRule, evidenceLine, executeGraphql, executeNlQuery, exportAll, 
exportBackstageYAML, exportComplianceReport, exportCostCSV, exportCostSummary, exportDiscoveryApp, exportJGF, exportJSON, extractListeningPorts, extractSignals, filterBySeverity, findAnonViolations, formatComplianceText, formatJira, formatPagerDuty, formatSlack, generateDependencyMermaid, generateDiffMermaid, generateTopologyMermaid, getClient, getRuleset, globalId, groupByDomain, handleGraphqlGet, hashToken, hexCorners, hexDistance, hexNeighbors, hexRing, hexSpiral, hexToPixel, hmacKey, hostname, ingestEnvelope, installedAppsScanner, isLoopbackHost, isPersonalHost, isReadOnlyCommand, isRemembered, isSecureWebhookUrl, k8sScanner, keyMetaOf, layoutClusters, listClients, listRulesets, loadConfig, loadOrgKey, loadPlugins, loadRuleset, localDiscoveryFn, log, logDebug, logError, logInfo, logWarn, machineId, maxSeverity, mcpServerObject, newAnomalies, nextRun, nodesToAssets, normalizeId, normalizeTenant, openStoreBackend, orgKeyPath, osUser, parseApiArgs, parseComposeDeps, parseConfig, parseConnectionString, parseCostCsv, parseCron, parseEstablished, parseNginxUpstreams, parseNlQuery, parseScanHint, pixelToHex, planInstall, portsScanner, postJson, previewShare, pseudonymize, pseudonymizeFragment, pseudonymizeString, pushDeltas, readConfigFile, redactConnectionString, redactSecrets, redactValue, renderDiff, resolveEffectiveLevel, resolveNlQuery, resolvePrincipal, resolveSharingLevel, resolveTenant, revalidateAnonymized, reversalKey, reversePseudonym, rotateOrgKey, runApi, runDiscovery, runDrift, runHttp, runLocalDiscovery, runOnce, runStdio, runSyncClassify, safeEnv, safeJson, safetyHook, sanitizeUntrusted, sanitizeValue, scopeReads, scoreTopology, securityRelevantChange, serializeConfig, serviceConfigScanner, setVerbose, shadeVariant, shapeToJsonSchema, shareHash, splitSegments, stableStringify, startApi, stripSensitive, timingSafeEqual, toBackstageEntities, validateScanner, vscodeDeeplink, zodToJsonSchema };
4505
+ export { ACTIONS, ANOMALY_KINDS, ANOMALY_SEVERITIES, ANON_TOKEN, type Action, ActionSchema, type AgentProvider, type AgentRunContext, type AgentTool, type Anomaly, type AnomalyConfig, type AnomalyKind, type AnomalySeverity, type AnomalyThresholds, type AnonViolation, type AnonymizationLevel, type ApiServerOptions, type AskUserFn, type AuthConfig, AuthConfigSchema, AuthorizationError, type Awaitable, BARE_INTERNAL_HOST, type BackstageEntity, type BackstageMapOptions, type BindGuardOptions, type BoltDriver, type BoltRecord, type BoltResult, type BoltSession, CLIENTS, CONFIDENCE, CORRELATION_CONFIDENCE, COST_PERIODS, type CanonicalNode, type CartographyConfig, CartographyDB, type CartographyMapData, type CentralDbConfig, CentralDbConfigSchema, type ClassifiedItem, type ClassifyInput, type ClassifyResult, type ClientSpec, type Cluster, ClusterSchema, type ComplianceInput, type ComplianceReport, ComplianceReportSchema, type ComplianceRule, ComplianceRuleSchema, type Condition, ConditionSchema, ConfigError, type ConfigFile, ConfigFileSchema, type ConfigFormat, type Connection, ConnectionSchema, type Contributor, type ControlResult, ControlResultSchema, type CorrelatedTopology, type CorrelationEdge, type CorrelationSignal, type CostEntry, CostEntrySchema, type CostPeriod, type CostRecord, type CostSource, type CreateMcpServerOptions, type CredentialConfig, CredentialConfigSchema, type CredentialDb, type CredentialRecord, type CredentialStore, type CronFields, CsvCostSource, type CsvCostSourceOptions, DEFAULT_ANOMALY_THRESHOLDS, DEFAULT_FAST_MODEL, DEFAULT_INGEST_QUOTA, DEFAULT_LEAD_MODEL, DEFAULT_SERVER_NAME, DEFAULT_TENANT, DOMAIN_COLORS, DOMAIN_PALETTE, DRIFT_FIELDS, type DashboardOptions, type DataAsset, DataAssetSchema, type DependencyQuery, type DiscoveryEdge, type DiscoveryEvent, type DiscoveryFn, type DiscoveryNode, type DriftAlert, type DriftAlertItem, type DriftConfig, DriftConfigSchema, type DriftField, type DriftItemKind, type DriftRunRow, type DriftSink, 
type DriftSinkConfig, EDGE_RELATIONSHIPS, type EdgeRelationship, type EdgeRow, EdgeSchema, type EmbeddingProvider, type EnrichResult, type EntryOptions, type EstablishedConn, type EvidenceKind, type FetchLike, type FragmentKind, GraphStoreBackend, type GraphSummary, type HealthResult, type HttpOptions, INGEST_SCHEMA_VERSION, type IngestEnvelope, IngestEnvelopeSchema, type IngestHandler, type IngestHandlerOptions, type IngestOptions, type IngestResponse, type IngestResult, type InstallPlan, InvalidTenantError, type JiraIssue, type JiraOptions, JiraSink, type JiraSinkOptions, LOOPBACK_HOSTS, type LocalDiscoveryOptions, type LocalDiscoveryResult, type LogEntry, type LogLevel, MCP_BIN, type MatchStrategy, NODE_TYPES, NODE_TYPE_GROUPS, type NlIntent, type NlQueryOptions, type NlQueryResult, type NlRelation, type NodeAttribution, type NodeChange, type NodeIdentity, type NodeQuery, type NodeRow, NodeSchema, type NodeSignals, type NodeType, type NodesResult, NotFoundError, OUTPUT_FORMATS, type OperatorCycleResult, type OperatorOptions, type OrgKeyOptions, type OrgSummary, type OsKind, type OutputFormat, PACKAGE_NAME, PAGERDUTY_ENQUEUE_URL, PENDING_STATUSES, PERSONAL, PORT_MAP, PRIVATE_IP, PUSH_SCHEMA_VERSION, type PagerDutyEvent, PagerDutySink, type PagerDutySinkOptions, type ParsedApiArgs, type PendingShareRow, type PendingStatus, type PlanOptions, type PolicyResult, type PostJsonOptions, type Principal, PrincipalSchema, type ProviderFactory, type ProviderName, ProviderRegistry, type PushItem, type PushOptions, type PushResult, type QueryBackend, type QuotaConfig, type QuotaDecision, RELATION_TO_DIRECTION, ROLES, RateLimiter, type ResolveContext, type ResolveOptions, type Role, RoleSchema, type RuleCheck, RuleCheckSchema, type RuleScope, type Ruleset, RulesetSchema, type RunDriftOptions, SCAN_ARG_PATTERNS, SCHEMA_VERSION, SDL, SECURITY_METADATA_KEYS, SEVERITIES, SEVERITY_WEIGHT, SHARING_LEVELS, type ScanArgKind, type ScanContext, type ScanHintParams, type ScanResult, type 
Scanner, type ScannerPlugin, type ScannerPluginApi, ScannerRegistry, ScannerShape, type ScheduleConfig, ScheduleConfigSchema, type ScheduledRunResult, type Scope, type SearchFn, type SemanticSearchOptions, type ServerEntry, type SessionRow, type Severity, type SharePreview, type SharePreviewEntry, type SharingLevel, SharingLevelSchema, type SharingPolicy, type ShellKind, type SlackMessage, SlackSink, SqliteCredentialStore, SqliteQueryBackend, SqliteStoreBackend, type StartApiOptions, StdoutSink, type StoreBackend, type StoreBackendOptions, type SyncClassifyOptions, type SyncClassifyResult, TENANT_HEADER, type TenantContext, TenantMismatchError, type TenantOptions, type ToolResult, type TopologyDelta, type TopologyDiff, type TopologyInput, type TraversalResult, VectorStore, WebhookSink, type WebhookSinkOptions, applyInstall, applySharingLevel, assertReadOnly, assertSafeBind, assertSafeScanArg, assertSameTenant, assignColors, authorize, bearerToken, bookmarksScanner, buildCartographyToolHandlers, buildMapData, buildOpenApiDocument, buildReport, buildSinks, can, centralDbFromEnv, checkBearer, checkPrerequisites, checkReadOnly, clampText, classify, classifyDrift, cleanupTempFiles, cloudAwsScanner, cloudAzureScanner, cloudGcpScanner, codeAddMcpCommand, computeCentroid, computeClusterBounds, computeIdentity, connectionsScanner, contentHash, correlateTopology, createBashTool, createCartographyTools, createClaudeProvider, createDefaultRegistry, createHashEmbedder, createIngestHandler, createLocalEmbedder, createMcpServer, createOllamaProvider, createOpenAIProvider, createScanRunner, createSemanticSearch, createSqliteQueryBackend, currentOs, cursorDeeplink, dashboardHtml, databasesScanner, deepMerge, defaultAllowedHosts, defaultConfig, defaultContext, defaultProviderRegistry, defaultRegistry, defaultServerEntry, definePlugin, deriveSessionName, detectAnomalies, detectOrphans, detectShadowIt, diffTopology, edgesToConnections, enrichCosts, entitiesToYaml, evaluateCheck, 
evaluateRule, evidenceLine, executeGraphql, executeNlQuery, exportAll, exportBackstageYAML, exportComplianceReport, exportCostCSV, exportCostSummary, exportDiscoveryApp, exportJGF, exportJSON, extractListeningPorts, extractSignals, filterBySeverity, findAnonViolations, formatComplianceText, formatJira, formatPagerDuty, formatSlack, generateDependencyMermaid, generateDiffMermaid, generateTopologyMermaid, getClient, getRuleset, globalId, groupByDomain, handleGraphqlGet, hashToken, hexCorners, hexDistance, hexNeighbors, hexRing, hexSpiral, hexToPixel, hmacKey, hostname, ingestEnvelope, installedAppsScanner, isInCluster, isLoopbackHost, isPersonalHost, isReadOnlyCommand, isRemembered, isSecureWebhookUrl, k8sRegistry, k8sScanner, keyMetaOf, layoutClusters, listClients, listRulesets, loadConfig, loadOrgKey, loadPlugins, loadRuleset, localDiscoveryFn, log, logDebug, logError, logInfo, logWarn, machineId, maxSeverity, mcpServerObject, newAnomalies, nextRun, nodesToAssets, normalizeId, normalizeTenant, openStoreBackend, orgKeyPath, osUser, parseApiArgs, parseComposeDeps, parseConfig, parseConnectionString, parseCostCsv, parseCron, parseEstablished, parseNginxUpstreams, parseNlQuery, parseScanHint, parseTerraformState, pixelToHex, planInstall, portsScanner, postJson, previewShare, pseudonymize, pseudonymizeFragment, pseudonymizeId, pseudonymizeString, pushDeltas, readConfigFile, redactConnectionString, redactSecrets, redactValue, renderDiff, resolveEffectiveLevel, resolveNlQuery, resolvePrincipal, resolveSharingLevel, resolveTenant, revalidateAnonymized, reversalKey, reversePseudonym, rotateOrgKey, runApi, runDiscovery, runDrift, runHttp, runLocalDiscovery, runOnce, runOperator, runOperatorCycle, runStdio, runSyncClassify, safeEnv, safeJson, safetyHook, sanitizeUntrusted, sanitizeValue, scopeReads, scoreTopology, securityRelevantChange, serializeConfig, serviceConfigScanner, setVerbose, shadeVariant, shapeToJsonSchema, shareHash, splitSegments, stableStringify, startApi, 
stripSensitive, terraformScanner, terraformTypeToNode, timingSafeEqual, toBackstageEntities, validateScanner, vscodeDeeplink, zodToJsonSchema };