@datasynx/agentic-ai-cartography 2.10.0 → 2.12.1

package/dist/index.js

@@ -4652,6 +4652,8 @@ function reversalKey(orgKey) {
 // src/anonymize.ts
 var PRIVATE_IP = /\b(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b/g;
 var HOSTNAME = /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b/gi;
+var BARE_INTERNAL_HOST = /^[a-z0-9]+(?:-[a-z0-9]+)+$|^[a-z]+\d+$|^\d+[a-z]+$/i;
+var ANON_TOKEN = /^anon:(?:host|user|path|ip):[a-z2-7]+$/;
 var POSIX_PATH = /(?:^|(?<=\s|=|:|"|'|\())(\/[A-Za-z0-9._-]+(?:\/[A-Za-z0-9._-]+)+)/g;
 var WIN_PATH = /\b[A-Za-z]:\\[A-Za-z0-9._\\-]+/g;
 var B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567";
@@ -4706,8 +4708,18 @@ function pseudonymizeString(s, orgKey, db) {
     (_m, user, host2) => `${pseudonymizeFragment(user, "user", orgKey, db)}@${pseudonymizeFragment(host2, "host", orgKey, db)}`
   );
   out = out.replace(HOSTNAME, (m) => pseudonymizeFragment(m, "host", orgKey, db));
+  const trimmed = out.trim();
+  if (out === s && !ANON_TOKEN.test(trimmed) && BARE_INTERNAL_HOST.test(trimmed)) {
+    out = pseudonymizeFragment(trimmed, "host", orgKey, db);
+  }
   return out;
 }
+function pseudonymizeId(id, orgKey, db) {
+  const segments = id.split(":");
+  if (segments.length <= 1) return pseudonymizeString(id, orgKey, db);
+  const [type, ...rest] = segments;
+  return [type, ...rest.map((seg) => pseudonymizeString(seg, orgKey, db))].join(":");
+}
 function pseudonymize(value, orgKey, db) {
   if (typeof value === "string") return pseudonymizeString(value, orgKey, db);
   if (Array.isArray(value)) return value.map((v) => pseudonymize(v, orgKey, db));
@@ -4734,8 +4746,6 @@ var FQDN = /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b/gi;
 var POSIX_PATH2 = /(?:^|(?<=\s|=|:|"|'|\())(\/[A-Za-z0-9._-]+(?:\/[A-Za-z0-9._-]+)+)/g;
 var WIN_PATH2 = /\b[A-Za-z]:\\[A-Za-z0-9._\\-]+/g;
 var HOME_USER = /(?:\/home\/|\/Users\/|[A-Za-z]:\\Users\\)([A-Za-z0-9._-]+)/g;
-var BARE_INTERNAL_HOST = /^[a-z0-9]+(?:-[a-z0-9]+)+$|^[a-z]+\d+$|^\d+[a-z]+$/i;
-var ANON_TOKEN = /^anon:(?:host|user|path|ip):[a-z2-7]+$/;
 function violationsInString(s, path) {
   const out = [];
   const trimmed = s.trim();
@@ -5125,9 +5135,10 @@ function resolveEffectiveLevel(node, policy) {
 function applySharingLevel(node, level, orgKey, db) {
   if (level === "none") return null;
   if (level === "full") return { ...node, metadata: { ...node.metadata ?? {} }, tags: [...node.tags ?? []] };
+  const { globalId: _g, contentHash: _h, ...rest } = node;
   return {
-    ...node,
-    id: pseudonymizeString(node.id, orgKey, db),
+    ...rest,
+    id: pseudonymizeId(node.id, orgKey, db),
     name: pseudonymizeString(node.name, orgKey, db),
     metadata: pseudonymize(node.metadata ?? {}, orgKey, db),
     tags: (node.tags ?? []).map((t) => pseudonymizeString(t, orgKey, db))
@@ -5979,7 +5990,7 @@ function correlateTopology(nodes, _edges = []) {
 
 // src/mcp/server.ts
 var SERVER_NAME = "cartography";
-var SERVER_VERSION = "2.10.0";
+var SERVER_VERSION = "2.12.1";
 var SERVICE_TYPES = NODE_TYPE_GROUPS.web;
 var DATA_TYPES = NODE_TYPE_GROUPS.data;
 var lexicalSearch = async (db, sessionId, query, opts) => db.searchNodes(sessionId, query, { types: opts.types, limit: opts.limit }).map((node) => ({ node }));
@@ -7389,9 +7400,132 @@ var serviceConfigScanner = {
   }
 };
 
+// src/scanners/terraform.ts
+import { readFileSync as readFileSync4 } from "fs";
+var TYPE_RULES = [
+  [/(db_instance|_rds|sql_database|sql_instance|database_instance|cosmosdb|dynamodb|spanner|bigtable|documentdb|redshift)/, "database_server"],
+  [/(elasticache|_redis|memcached|memorystore)/, "cache_server"],
+  [/(s3_bucket|storage_bucket|gcs_bucket|storage_account|_blob)/, "database"],
+  [/(_sqs|_queue|servicebus_queue)/, "queue"],
+  [/(_sns|_topic|pubsub_topic|servicebus_topic)/, "topic"],
+  [/(kafka|_msk|event_hub|kinesis)/, "message_broker"],
+  [/(_eks|_gke|_aks|kubernetes_cluster|container_cluster)/, "k8s_cluster"],
+  [/(ecs_|_container|fargate)/, "container"],
+  [/(lambda|cloud_function|cloudfunctions|function_app|cloud_run)/, "web_service"],
+  [/(_lb$|load_balancer|_alb|_elb|application_gateway)/, "web_service"],
+  [/(api_gateway|apigateway)/, "api_endpoint"],
+  [/(_instance|virtual_machine|_vm$|compute_instance)/, "host"]
+];
+function terraformTypeToNode(tfType) {
+  const t = tfType.toLowerCase();
+  for (const [re, nt] of TYPE_RULES) if (re.test(t)) return nt;
+  return "unknown";
+}
+var IDENTITY_ATTRS = ["id", "arn", "region", "location", "instance_type", "engine", "machine_type"];
+var OWNER_TAGS = ["Owner", "owner", "Team", "team"];
+var SAFE_TAG_KEYS = /* @__PURE__ */ new Set(["Name", "name", "Owner", "owner", "Team", "team", "Env", "env", "Environment", "environment", "Service", "service", "Component", "component", "App", "app", "Project", "project", "Tier", "tier", "Role", "role"]);
+var SECRET_KEY = /pass|secret|token|key|pwd|cred|private/i;
+function attrTags(tags) {
+  if (!tags || typeof tags !== "object") return [];
+  return Object.entries(tags).filter(([k]) => SAFE_TAG_KEYS.has(k) && !SECRET_KEY.test(k)).map(([k, v]) => `${k}:${redactSecrets(String(v))}`);
+}
+function parseTerraformState(json2) {
+  let state;
+  try {
+    state = JSON.parse(json2);
+  } catch {
+    return { nodes: [], edges: [] };
+  }
+  const resources = Array.isArray(state?.resources) ? state.resources : [];
+  const nodes = [];
+  const edges = [];
+  const addrToId = /* @__PURE__ */ new Map();
+  for (const raw of resources) {
+    const r = raw;
+    if (r.mode && r.mode !== "managed") continue;
+    if (typeof r.type !== "string" || typeof r.name !== "string") continue;
+    const address = `${r.type}.${r.name}`;
+    const nt = terraformTypeToNode(r.type);
+    const id = `${nt}:terraform:${address}`;
+    if (addrToId.has(address)) continue;
+    addrToId.set(address, id);
+    const inst = Array.isArray(r.instances) ? r.instances[0] : void 0;
+    const attrs = inst?.attributes ?? {};
+    const identity = { source: "terraform", tfType: r.type };
+    for (const k of IDENTITY_ATTRS) if (attrs[k] !== void 0) identity[k] = attrs[k];
+    const owner = OWNER_TAGS.map((k) => attrs.tags?.[k]).find((v) => typeof v === "string");
+    nodes.push({
+      id,
+      type: nt,
+      name: address,
+      discoveredVia: "terraform-state",
+      confidence: 0.9,
+      // IaC is authoritative declared intent.
+      metadata: redactValue(identity),
+      tags: attrTags(attrs.tags),
+      ...owner ? { owner } : {}
+    });
+  }
+  for (const raw of resources) {
+    const r = raw;
+    if (r.mode && r.mode !== "managed") continue;
+    if (typeof r.type !== "string" || typeof r.name !== "string") continue;
+    const srcId = addrToId.get(`${r.type}.${r.name}`);
+    if (!srcId) continue;
+    const inst = Array.isArray(r.instances) ? r.instances[0] : void 0;
+    const deps = Array.isArray(inst?.dependencies) ? inst.dependencies : [];
+    for (const dep of deps) {
+      if (typeof dep !== "string") continue;
+      const tgtId = addrToId.get(dep) ?? addrToId.get(dep.split("[")[0]);
+      if (!tgtId || tgtId === srcId) continue;
+      edges.push({ sourceId: srcId, targetId: tgtId, relationship: "depends_on", evidence: evidenceLine("config-declared", `terraform depends_on ${dep}`), confidence: 0.85 });
+    }
+  }
+  return { nodes, edges };
+}
+function stateDirs() {
+  return [".", "./terraform", "./infra", "./infrastructure", "./deploy", "./terraform/environments"];
+}
+function hintPath(hint) {
+  if (!hint) return void 0;
+  const m = /(?:^|[\s,])tfstate=([^\s,]+)/.exec(hint);
+  return m ? m[1] : void 0;
+}
+function resolveStatePath(ctx) {
+  const explicit = hintPath(ctx.hint);
+  if (explicit) return explicit;
+  const found = (ctx.findFiles ?? findFiles)(stateDirs(), ["*.tfstate"], 4, 20).split(/\r?\n/).map((s) => s.trim()).filter(Boolean);
+  return found[0];
+}
+function readStateFile(path) {
+  try {
+    return readFileSync4(path, "utf8");
+  } catch {
+    return "";
+  }
+}
+var terraformScanner = {
+  id: "terraform-state",
+  title: "Terraform state (IaC)",
+  platforms: "all",
+  // No shell commands — the state file is read directly via node:fs, so an
+  // operator-supplied path can never inject a command (no `cat "${path}"` interpolation).
+  detect(ctx) {
+    return resolveStatePath(ctx) !== void 0;
+  },
+  async scan(ctx) {
+    const path = resolveStatePath(ctx);
+    if (!path) return { nodes: [], edges: [] };
+    const json2 = (ctx.readFile ?? readStateFile)(path);
+    if (!json2) return { nodes: [], edges: [] };
+    const result = parseTerraformState(json2);
+    return { ...result, report: `terraform-state: ${result.nodes.length} resources, ${result.edges.length} dependencies from ${path}` };
+  }
+};
+
 // src/scanners/registry.ts
 function defaultRegistry() {
-  return new ScannerRegistry().register(bookmarksScanner).register(installedAppsScanner).register(portsScanner).register(cloudAwsScanner).register(cloudGcpScanner).register(cloudAzureScanner).register(k8sScanner).register(databasesScanner).register(connectionsScanner).register(serviceConfigScanner);
+  return new ScannerRegistry().register(bookmarksScanner).register(installedAppsScanner).register(portsScanner).register(cloudAwsScanner).register(cloudGcpScanner).register(cloudAzureScanner).register(k8sScanner).register(databasesScanner).register(connectionsScanner).register(serviceConfigScanner).register(terraformScanner);
 }
 
 // src/scanners/loader.ts
@@ -8759,13 +8893,13 @@ var AuthConfigSchema = z9.object({
 });
 
 // src/api/start.ts
-import { readFileSync as readFileSync4 } from "fs";
+import { readFileSync as readFileSync5 } from "fs";
 import { dirname as dirname3, resolve } from "path";
 import { fileURLToPath } from "url";
 function readVersion() {
   try {
     const dir = import.meta.dirname ?? dirname3(fileURLToPath(import.meta.url));
-    return JSON.parse(readFileSync4(resolve(dir, "..", "package.json"), "utf-8")).version ?? "0.0.0";
+    return JSON.parse(readFileSync5(resolve(dir, "..", "package.json"), "utf-8")).version ?? "0.0.0";
   } catch {
     return "0.0.0";
   }
@@ -8896,7 +9030,7 @@ function defaultServerEntry(opts = {}) {
 }
 
 // src/installer/install.ts
-import { mkdirSync as mkdirSync4, readFileSync as readFileSync5, writeFileSync as writeFileSync3, existsSync as existsSync4 } from "fs";
+import { mkdirSync as mkdirSync4, readFileSync as readFileSync6, writeFileSync as writeFileSync3, existsSync as existsSync4 } from "fs";
 import { dirname as dirname4 } from "path";
 import { homedir as homedir3 } from "os";
 function currentOs() {
@@ -8913,7 +9047,7 @@ function planInstall(spec, ctx, opts) {
     throw new Error(`${spec.label} does not support the "${ctx.scope}" scope.`);
   }
   const fileExists = existsSync4(path);
-  const before = fileExists ? readFileSync5(path, "utf8") : "";
+  const before = fileExists ? readFileSync6(path, "utf8") : "";
   const existing = parseConfig(before, spec.format);
   const merged = spec.apply(existing, opts.serverName ?? DEFAULT_SERVER_NAME, opts.entry);
   const after = serializeConfig(merged, spec.format);
@@ -9778,8 +9912,65 @@ Use ask_user when you need context from the user.`;
   }
 }
 
+// src/k8s/operator.ts
+function k8sRegistry() {
+  return new ScannerRegistry().register(k8sScanner);
+}
+function isInCluster(env = process.env) {
+  return typeof env["KUBERNETES_SERVICE_HOST"] === "string" && env["KUBERNETES_SERVICE_HOST"].length > 0;
+}
+function pruneToRetention(db, keep, tenant) {
+  const stale = db.getSessions(tenant).slice(Math.max(1, keep));
+  for (const s of stale) db.deleteSession(s.id);
+  return stale.length;
+}
+async function runOperatorCycle(db, config, opts = {}) {
+  const sessionId = db.createSession("discover", config);
+  const discover = opts.discover ?? ((d, s) => runLocalDiscovery(d, s, { registry: k8sRegistry() }));
+  const res = await discover(db, sessionId);
+  const sess = db.getSession(sessionId);
+  if (sess && !sess.name) db.setSessionName(sessionId, deriveSessionName(db.getGraphSummary(sessionId), sess.startedAt));
+  const driftFn = opts.drift ?? ((d, c) => runDrift(d, c));
+  const drift = await driftFn(db, config);
+  pruneToRetention(db, opts.retain ?? 10, normalizeTenant(config.organization));
+  return { sessionId, nodes: res.nodes, edges: res.edges, drift };
+}
+async function runOperator(db, config, opts = {}) {
+  const log2 = opts.log ?? ((m) => process.stderr.write(m + "\n"));
+  const intervalMs = opts.intervalMs ?? 5 * 6e4;
+  const sleep = opts.sleep ?? ((ms) => new Promise((resolve3) => {
+    if (opts.signal?.aborted) {
+      resolve3();
+      return;
+    }
+    const t = setTimeout(() => {
+      opts.signal?.removeEventListener?.("abort", onAbort);
+      resolve3();
+    }, ms);
+    const onAbort = () => {
+      clearTimeout(t);
+      resolve3();
+    };
+    opts.signal?.addEventListener?.("abort", onAbort, { once: true });
+  }));
+  log2(`Cartograph Kubernetes operator (in-cluster: ${isInCluster()}, interval: ${Math.round(intervalMs / 1e3)}s${opts.once ? ", single pass" : ""})`);
+  for (; ; ) {
+    try {
+      const c = await runOperatorCycle(db, config, opts);
+      log2(
+        `reconcile: session ${c.sessionId} \u2014 ${c.nodes} nodes, ${c.edges} edges` + (c.drift ? `, drift ${c.drift.severity} (${c.drift.items.length} change${c.drift.items.length === 1 ? "" : "s"})` : ", no drift")
+      );
+    } catch (err) {
+      log2(`reconcile failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    if (opts.once || opts.signal?.aborted) return;
+    await sleep(intervalMs);
+    if (opts.signal?.aborted) return;
+  }
+}
+
 // src/cost.ts
-import { readFileSync as readFileSync6 } from "fs";
+import { readFileSync as readFileSync7 } from "fs";
 import { resolve as resolve2 } from "path";
 function splitCsvLine(line) {
   const out = [];
@@ -9858,7 +10049,7 @@ var CsvCostSource = class {
   }
   id;
   async fetch() {
-    const text = readFileSync6(resolve2(this.opts.filePath), "utf-8");
+    const text = readFileSync7(resolve2(this.opts.filePath), "utf-8");
     const records = parseCostCsv(text);
     const match = this.opts.match ?? "nodeId";
     const out = /* @__PURE__ */ new Map();
@@ -11623,7 +11814,7 @@ function formatComplianceText(report) {
 }
 
 // src/config.ts
-import { readFileSync as readFileSync7 } from "fs";
+import { readFileSync as readFileSync8 } from "fs";
 var ConfigError = class extends Error {
   constructor(message) {
     super(message);
@@ -11648,7 +11839,7 @@ function loadConfig(path) {
 function readConfigFile(path) {
   let raw;
   try {
-    raw = readFileSync7(path, "utf-8");
+    raw = readFileSync8(path, "utf-8");
   } catch (err) {
     throw new ConfigError(
       `Cannot read config file ${path}: ${err instanceof Error ? err.message : String(err)}`
@@ -12006,14 +12197,14 @@ function runSyncClassify(db, sessionId, config, opts = {}) {
 
 // src/preflight.ts
 import { execSync as execSync2 } from "child_process";
-import { existsSync as existsSync5, readFileSync as readFileSync8 } from "fs";
+import { existsSync as existsSync5, readFileSync as readFileSync9 } from "fs";
 import { join as join6 } from "path";
 function isOAuthLoggedIn() {
   const home = process.env.HOME ?? process.env.USERPROFILE ?? "/tmp";
   const credFile = join6(home, ".claude", ".credentials.json");
   if (!existsSync5(credFile)) return false;
   try {
-    const creds = JSON.parse(readFileSync8(credFile, "utf8"));
+    const creds = JSON.parse(readFileSync9(credFile, "utf8"));
     const oauth = creds["claudeAiOauth"];
     return typeof oauth?.["accessToken"] === "string" && oauth["accessToken"].length > 0;
   } catch {
@@ -12065,9 +12256,11 @@ function checkClaudePrerequisites() {
 }
 export {
   ACTIONS,
+  ANON_TOKEN,
   ActionSchema,
   AuthConfigSchema,
   AuthorizationError,
+  BARE_INTERNAL_HOST,
   CLIENTS,
   CONFIDENCE,
   CORRELATION_CONFIDENCE,
@@ -12231,11 +12424,13 @@ export {
   hostname,
   ingestEnvelope,
   installedAppsScanner,
+  isInCluster,
   isLoopbackHost,
   isPersonalHost,
   isReadOnlyCommand,
   isRemembered,
   isSecureWebhookUrl,
+  k8sRegistry,
   k8sScanner,
   keyMetaOf,
   layoutClusters,
@@ -12272,6 +12467,7 @@ export {
   parseNginxUpstreams,
   parseNlQuery,
   parseScanHint,
+  parseTerraformState,
   pixelToHex,
   planInstall,
   portsScanner,
@@ -12279,6 +12475,7 @@ export {
   previewShare,
   pseudonymize,
   pseudonymizeFragment,
+  pseudonymizeId,
   pseudonymizeString,
   pushDeltas,
   readConfigFile,
@@ -12301,6 +12498,8 @@ export {
   runHttp,
   runLocalDiscovery,
   runOnce,
+  runOperator,
+  runOperatorCycle,
   runStdio,
   runSyncClassify,
   safeEnv,
@@ -12321,6 +12520,8 @@ export {
   stableStringify,
   startApi,
   stripSensitive,
+  terraformScanner,
+  terraformTypeToNode,
   timingSafeEqual,
   toBackstageEntities,
   validateScanner,