@datasynx/agentic-ai-cartography 2.2.0 → 2.3.0

package/dist/index.cjs

@@ -45,7 +45,10 @@ __export(src_exports, {
   DriftConfigSchema: () => DriftConfigSchema,
   INGEST_SCHEMA_VERSION: () => INGEST_SCHEMA_VERSION,
   IngestEnvelopeSchema: () => IngestEnvelopeSchema,
+  InvalidTenantError: () => InvalidTenantError,
+  LOOPBACK_HOSTS: () => LOOPBACK_HOSTS2,
   MCP_BIN: () => MCP_BIN,
+  NotFoundError: () => NotFoundError,
   PACKAGE_NAME: () => PACKAGE_NAME,
   PERSONAL: () => PERSONAL,
   PORT_MAP: () => PORT_MAP,
@@ -56,26 +59,33 @@ __export(src_exports, {
   RuleCheckSchema: () => RuleCheckSchema,
   RulesetSchema: () => RulesetSchema,
   SCAN_ARG_PATTERNS: () => SCAN_ARG_PATTERNS,
+  SDL: () => SDL,
   SEVERITY_WEIGHT: () => SEVERITY_WEIGHT,
   SHARING_LEVELS: () => SHARING_LEVELS,
   ScannerRegistry: () => ScannerRegistry,
   ScannerShape: () => ScannerShape,
   SharingLevelSchema: () => SharingLevelSchema,
+  SqliteQueryBackend: () => SqliteQueryBackend,
   SqliteStoreBackend: () => SqliteStoreBackend,
   StdoutSink: () => StdoutSink,
+  TENANT_HEADER: () => TENANT_HEADER,
   VectorStore: () => VectorStore,
   WebhookSink: () => WebhookSink,
   applyInstall: () => applyInstall,
   applySharingLevel: () => applySharingLevel,
   assertReadOnly: () => assertReadOnly,
+  assertSafeBind: () => assertSafeBind,
   assertSafeScanArg: () => assertSafeScanArg,
   assignColors: () => assignColors,
+  bearerToken: () => bearerToken,
   bookmarksScanner: () => bookmarksScanner,
   buildCartographyToolHandlers: () => buildCartographyToolHandlers,
   buildMapData: () => buildMapData,
+  buildOpenApiDocument: () => buildOpenApiDocument,
   buildReport: () => buildReport,
   buildSinks: () => buildSinks,
   centralDbFromEnv: () => centralDbFromEnv,
+  checkBearer: () => checkBearer,
   checkPrerequisites: () => checkPrerequisites,
   checkReadOnly: () => checkReadOnly,
   clampText: () => clampText,
@@ -103,10 +113,12 @@ __export(src_exports, {
   createOpenAIProvider: () => createOpenAIProvider,
   createScanRunner: () => createScanRunner,
   createSemanticSearch: () => createSemanticSearch,
+  createSqliteQueryBackend: () => createSqliteQueryBackend,
   currentOs: () => currentOs,
   cursorDeeplink: () => cursorDeeplink,
   databasesScanner: () => databasesScanner,
   deepMerge: () => deepMerge,
+  defaultAllowedHosts: () => defaultAllowedHosts,
   defaultConfig: () => defaultConfig,
   defaultContext: () => defaultContext,
   defaultProviderRegistry: () => defaultProviderRegistry,
@@ -123,6 +135,7 @@ __export(src_exports, {
   evaluateCheck: () => evaluateCheck,
   evaluateRule: () => evaluateRule,
   evidenceLine: () => evidenceLine,
+  executeGraphql: () => executeGraphql,
   executeNlQuery: () => executeNlQuery,
   exportAll: () => exportAll,
   exportBackstageYAML: () => exportBackstageYAML,
@@ -143,6 +156,7 @@ __export(src_exports, {
   getRuleset: () => getRuleset,
   globalId: () => globalId,
   groupByDomain: () => groupByDomain,
+  handleGraphqlGet: () => handleGraphqlGet,
   hexCorners: () => hexCorners,
   hexDistance: () => hexDistance,
   hexNeighbors: () => hexNeighbors,
@@ -153,6 +167,7 @@ __export(src_exports, {
   hostname: () => hostname,
   ingestEnvelope: () => ingestEnvelope,
   installedAppsScanner: () => installedAppsScanner,
+  isLoopbackHost: () => isLoopbackHost,
   isPersonalHost: () => isPersonalHost,
   isReadOnlyCommand: () => isReadOnlyCommand,
   isRemembered: () => isRemembered,
@@ -181,6 +196,7 @@ __export(src_exports, {
   normalizeTenant: () => normalizeTenant,
   orgKeyPath: () => orgKeyPath,
   osUser: () => osUser,
+  parseApiArgs: () => parseApiArgs,
   parseComposeDeps: () => parseComposeDeps,
   parseConfig: () => parseConfig,
   parseConnectionString: () => parseConnectionString,
@@ -206,10 +222,12 @@ __export(src_exports, {
   resolveEffectiveLevel: () => resolveEffectiveLevel,
   resolveNlQuery: () => resolveNlQuery,
   resolveSharingLevel: () => resolveSharingLevel,
+  resolveTenant: () => resolveTenant,
   revalidateAnonymized: () => revalidateAnonymized,
   reversalKey: () => reversalKey,
   reversePseudonym: () => reversePseudonym,
   rotateOrgKey: () => rotateOrgKey,
+  runApi: () => runApi,
   runDiscovery: () => runDiscovery,
   runDrift: () => runDrift,
   runHttp: () => runHttp,
@@ -232,9 +250,12 @@ __export(src_exports, {
   shareHash: () => shareHash,
   splitSegments: () => splitSegments,
   stableStringify: () => stableStringify,
+  startApi: () => startApi,
   stripSensitive: () => stripSensitive,
+  timingSafeEqual: () => timingSafeEqual,
   validateScanner: () => validateScanner,
-  vscodeDeeplink: () => vscodeDeeplink
+  vscodeDeeplink: () => vscodeDeeplink,
+  zodToJsonSchema: () => zodToJsonSchema
 });
 module.exports = __toCommonJS(src_exports);
 
@@ -370,6 +391,8 @@ var DOMAIN_PALETTE = [
   "#5eead4"
 ];
 var DRIFT_FIELDS = ["type", "name", "domain", "subDomain", "qualityScore", "metadata", "tags", "owner", "cost"];
+var ANOMALY_KINDS = ["orphan", "shadow-it"];
+var ANOMALY_SEVERITIES = ["low", "medium", "high"];
 var DEFAULT_ANOMALY_THRESHOLDS = {
   orphanWeakDegree: 1,
   shadowConfidence: 0.4,
@@ -1515,8 +1538,8 @@ var cloudGcpScanner = {
   allowedCommands: ["gcloud"],
   detect: (ctx) => Boolean((ctx.commandExists ?? commandExists)("gcloud")),
   async scan(ctx) {
-    const { project } = parseScanHint(ctx.hint);
-    const pf = project ? ` --project ${project}` : "";
+    const { project: project2 } = parseScanHint(ctx.hint);
+    const pf = project2 ? ` --project ${project2}` : "";
     const runG = createScanRunner((c) => ctx.run(c, { timeout: 2e4 }), { threshold: 3 });
     const nodes = [];
     const edges = [];
@@ -2204,9 +2227,9 @@ async function buildCartographyToolHandlers(db, sessionId, opts = {}) {
     tool("scan_gcp_resources", "Scan Google Cloud Platform via gcloud CLI \u2014 100% readonly (list, describe)", {
       project: import_zod2.z.string().regex(SCAN_ARG_PATTERNS["gcp-project"], "invalid GCP project id").optional().describe("GCP Project ID \u2014 default: current gcloud project")
     }, async (args) => {
-      const project = args["project"];
-      if (project) assertSafeScanArg("gcp-project", project);
-      return runScannerTool(cloudGcpScanner, project ? `project=${project}` : "");
+      const project2 = args["project"];
+      if (project2) assertSafeScanArg("gcp-project", project2);
+      return runScannerTool(cloudGcpScanner, project2 ? `project=${project2}` : "");
     }, { annotations: READ_SCAN }),
     tool("scan_azure_resources", "Scan Azure infrastructure via az CLI \u2014 100% readonly (list, show)", {
       subscription: import_zod2.z.string().regex(SCAN_ARG_PATTERNS["azure-subscription"], "invalid Azure subscription id").optional().describe("Azure Subscription ID"),
@@ -2358,14 +2381,14 @@ async function buildCartographyToolHandlers(db, sessionId, opts = {}) {
         "neon"
       ];
       const found = [];
-      const notFound = [];
+      const notFound2 = [];
       for (const t of knownTools) {
         const r = commandExists(t);
         if (r) found.push(`${t}: ${r}`);
-        else notFound.push(t);
+        else notFound2.push(t);
       }
       results["TOOLS_FOUND"] = found.join("\n") || "(none found)";
-      results["TOOLS_NOT_FOUND"] = notFound.join(", ");
+      results["TOOLS_NOT_FOUND"] = notFound2.join(", ");
       if (hint) {
         const terms = hint.split(/[\s,]+/).filter(Boolean);
         const hintResults = [];
@@ -4502,6 +4525,86 @@ var SqliteStoreBackend = class {
   }
 };
 
+// src/store/query.ts
+var NotFoundError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "NotFoundError";
+  }
+};
+var MAX_NODE_LIMIT = 1e3;
+var MAX_DEPTH = 64;
+function clamp(value, min, max) {
+  return Math.floor(Math.max(min, Math.min(value, max)));
+}
+var SqliteQueryBackend = class {
+  constructor(db, defaultSession = "latest") {
+    this.db = db;
+    this.defaultSession = defaultSession;
+  }
+  /**
+   * Resolve the session id for a request, scoped to `ctx.tenant`. An explicit id must
+   * belong to the tenant or it resolves to undefined (cross-tenant isolation); else the
+   * newest `discover` session for the tenant. Mirrors `resolveSession` in the MCP server.
+   */
+  resolveSession(ctx, sessionId) {
+    const requested = sessionId ?? (this.defaultSession === "latest" ? void 0 : this.defaultSession);
+    if (requested) {
+      const s = this.db.getSession(requested);
+      if (s && s.tenant === ctx.tenant) return s.id;
+      throw new NotFoundError(`session not found`);
+    }
+    const latest = this.db.getLatestSession("discover", ctx.tenant) ?? this.db.getLatestSession(void 0, ctx.tenant);
+    if (!latest) throw new NotFoundError(`no session available`);
+    return latest.id;
+  }
+  summary(ctx, sessionId) {
+    return this.db.getGraphSummary(this.resolveSession(ctx, sessionId));
+  }
+  nodes(ctx, q, sessionId) {
+    const sid = this.resolveSession(ctx, sessionId);
+    const limit = clamp(q.limit ?? 100, 1, MAX_NODE_LIMIT);
+    const offset = Math.floor(Math.max(0, q.offset ?? 0));
+    const total = this.db.getNodeCount(sid);
+    if (q.search) {
+      const nodes2 = this.db.searchNodes(sid, q.search, { ...q.types ? { types: q.types } : {}, limit });
+      return { nodes: nodes2, total: nodes2.length, limit, offset: 0 };
+    }
+    const nodes = this.db.getNodes(sid, { limit, offset });
+    return { nodes, total, limit, offset };
+  }
+  node(ctx, id, sessionId) {
+    return this.db.getNode(this.resolveSession(ctx, sessionId), id);
+  }
+  dependencies(ctx, id, q, sessionId) {
+    const sid = this.resolveSession(ctx, sessionId);
+    return this.db.getDependencies(sid, id, {
+      direction: q.direction ?? "downstream",
+      maxDepth: clamp(q.maxDepth ?? 8, 1, MAX_DEPTH)
+    });
+  }
+  diff(ctx, base, current) {
+    for (const id of [base, current]) {
+      const s = this.db.getSession(id);
+      if (!s || s.tenant !== ctx.tenant) throw new NotFoundError(`session not found`);
+    }
+    try {
+      return this.db.diffSessions(base, current);
+    } catch (err) {
+      throw new NotFoundError(err instanceof Error ? err.message : "diff failed");
+    }
+  }
+  sessions(ctx) {
+    return this.db.getSessions(ctx.tenant);
+  }
+  health(ctx) {
+    return { store: "sqlite", sessions: this.db.getSessions(ctx.tenant).length };
+  }
+};
+function createSqliteQueryBackend(db, defaultSession = "latest") {
+  return new SqliteQueryBackend(db, defaultSession);
+}
+
 // src/central/merge.ts
 function computeIdentity(org, node) {
   return {
@@ -5532,7 +5635,7 @@ async function resolveNlQuery(db, sessionId, search, raw, opts) {
 
 // src/mcp/server.ts
 var SERVER_NAME = "cartography";
-var SERVER_VERSION = "2.2.0";
+var SERVER_VERSION = "2.3.0";
 var SERVICE_TYPES = NODE_TYPE_GROUPS.web;
 var DATA_TYPES = NODE_TYPE_GROUPS.data;
 var lexicalSearch = async (db, sessionId, query, opts) => db.searchNodes(sessionId, query, { types: opts.types, limit: opts.limit }).map((node) => ({ node }));
@@ -6033,6 +6136,50 @@ var import_node_crypto5 = require("crypto");
 var import_node_http = __toESM(require("http"), 1);
 var import_stdio = require("@modelcontextprotocol/sdk/server/stdio.js");
 var import_streamableHttp = require("@modelcontextprotocol/sdk/server/streamableHttp.js");
+
+// src/api/auth.ts
+var LOOPBACK_HOSTS2 = /* @__PURE__ */ new Set(["127.0.0.1", "localhost", "::1", "[::1]"]);
+function isLoopbackHost(host2) {
+  return LOOPBACK_HOSTS2.has(host2);
+}
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  return diff === 0;
+}
+function bearerToken(header) {
+  if (!header) return void 0;
+  const trimmed = header.trim();
+  if (trimmed.length < 7 || trimmed.slice(0, 6).toLowerCase() !== "bearer") return void 0;
+  const rest = trimmed.slice(6);
+  if (!/^\s/.test(rest)) return void 0;
+  const token = rest.trimStart();
+  return token.length > 0 ? token : void 0;
+}
+function checkBearer(authorizationHeader, token) {
+  if (!token) return true;
+  const provided = bearerToken(authorizationHeader);
+  return provided !== void 0 && timingSafeEqual(provided, token);
+}
+function assertSafeBind(opts) {
+  if (isLoopbackHost(opts.host)) return;
+  if (opts.allowedHosts === void 0) {
+    throw new Error(
+      `Refusing to bind a non-loopback host (${opts.host}) without an explicit allowedHosts allowlist. Pass { allowedHosts: ['your.public.host:port'] } to opt in, or bind 127.0.0.1 for local-only use.`
+    );
+  }
+  if (!opts.token) {
+    throw new Error(
+      `Refusing to bind a non-loopback host (${opts.host}) without an auth token. Pass { token } (or --token / CARTOGRAPHY_HTTP_TOKEN) so requests must carry 'Authorization: Bearer <token>'.`
+    );
+  }
+}
+function defaultAllowedHosts(host2, port) {
+  return [`${host2}:${port}`, `localhost:${port}`, `127.0.0.1:${port}`];
+}
+
+// src/mcp/transports.ts
 async function runStdio(server) {
   const transport = new import_stdio.StdioServerTransport();
   await server.connect(transport);
@@ -6061,17 +6208,6 @@ async function readCappedBody(req, cap) {
     return { overflow: false, value: void 0 };
   }
 }
-function timingSafeEqual(a, b) {
-  if (a.length !== b.length) return false;
-  let diff = 0;
-  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
-  return diff === 0;
-}
-function bearerToken(header) {
-  if (!header) return void 0;
-  const m = /^Bearer\s+(.+)$/i.exec(header.trim());
-  return m ? m[1] : void 0;
-}
 async function readJsonBody(req) {
   const chunks = [];
   for await (const chunk of req) chunks.push(chunk);
@@ -6082,22 +6218,11 @@ async function readJsonBody(req) {
     return void 0;
   }
 }
-var LOOPBACK_HOSTS2 = /* @__PURE__ */ new Set(["127.0.0.1", "localhost", "::1", "[::1]"]);
 async function runHttp(factory, opts = {}) {
   const host2 = opts.host ?? "127.0.0.1";
   const port = opts.port ?? 3737;
-  const isLoopback = LOOPBACK_HOSTS2.has(host2);
-  if (!isLoopback && opts.allowedHosts === void 0) {
-    throw new Error(
-      `Refusing to bind a non-loopback host (${host2}) without an explicit allowedHosts allowlist. Pass { allowedHosts: ['your.public.host:port'] } to opt in, or bind 127.0.0.1 for local-only use.`
-    );
-  }
-  if (!isLoopback && !opts.token) {
-    throw new Error(
-      `Refusing to bind a non-loopback host (${host2}) without an auth token. Pass { token } (or --token / CARTOGRAPHY_HTTP_TOKEN) so requests must carry 'Authorization: Bearer <token>'.`
-    );
-  }
-  const allowedHosts = opts.allowedHosts ?? [`${host2}:${port}`, `localhost:${port}`, `127.0.0.1:${port}`];
+  assertSafeBind({ host: host2, port, ...opts.allowedHosts ? { allowedHosts: opts.allowedHosts } : {}, ...opts.token ? { token: opts.token } : {} });
+  const allowedHosts = opts.allowedHosts ?? defaultAllowedHosts(host2, port);
   const token = opts.token;
   const transports = /* @__PURE__ */ new Map();
   const httpServer = import_node_http.default.createServer(async (req, res) => {
@@ -6108,12 +6233,9 @@ async function runHttp(factory, opts = {}) {
         res.writeHead(404, { "content-type": "application/json" }).end('{"error":"not found"}');
         return;
       }
-      if (token) {
-        const provided = bearerToken(req.headers["authorization"]);
-        if (!provided || !timingSafeEqual(provided, token)) {
-          res.writeHead(401, { "content-type": "application/json", "www-authenticate": "Bearer" }).end('{"error":"unauthorized"}');
-          return;
-        }
+      if (!checkBearer(req.headers["authorization"], token)) {
+        res.writeHead(401, { "content-type": "application/json", "www-authenticate": "Bearer" }).end('{"error":"unauthorized"}');
+        return;
       }
       if (isIngest) {
         const hostHeader = (req.headers["host"] ?? "").toLowerCase();
@@ -6167,7 +6289,7 @@ async function runHttp(factory, opts = {}) {
       if (!res.headersSent) res.writeHead(500, { "content-type": "application/json" }).end('{"error":"internal error"}');
     }
   });
-  await new Promise((resolve2) => httpServer.listen(port, host2, resolve2));
+  await new Promise((resolve3) => httpServer.listen(port, host2, resolve3));
   return httpServer;
 }
 
@@ -6349,8 +6471,8 @@ async function createSemanticSearch(db, embedder, opts = {}) {
     return lexicalSearch2();
   }
   const store = new VectorStore(db, provider);
-  const ok = await store.init();
-  if (!ok) {
+  const ok3 = await store.init();
+  if (!ok3) {
     log2?.("semantic search: vector store unavailable (sqlite-vec not installed or failed to load) \u2014 using lexical search");
     return lexicalSearch2();
   }
@@ -6959,6 +7081,1038 @@ function localDiscoveryFn(registry, plugins) {
   };
 }
 
+// src/api/server.ts
+var import_node_http2 = __toESM(require("http"), 1);
+
+// src/api/tenant.ts
+var TENANT_HEADER = "x-cartograph-tenant";
+var InvalidTenantError = class extends Error {
+  constructor() {
+    super("invalid tenant");
+    this.name = "InvalidTenantError";
+  }
+};
+function resolveTenant(req, url, opts = {}) {
+  const headerName = (opts.header ?? TENANT_HEADER).toLowerCase();
+  const raw = headerValue(req, headerName) ?? url.searchParams.get("tenant") ?? void 0;
+  if (raw === void 0 || raw === "") {
+    return { tenant: opts.defaultTenant ?? DEFAULT_TENANT };
+  }
+  if (raw.trim().length > 128) {
+    throw new InvalidTenantError();
+  }
+  const normalized = normalizeTenant(raw);
+  if (normalized === DEFAULT_TENANT && raw.trim() !== DEFAULT_TENANT) {
+    throw new InvalidTenantError();
+  }
+  return { tenant: normalized };
+}
+function headerValue(req, name) {
+  const v = req.headers[name];
+  if (Array.isArray(v)) return v[0];
+  return v;
+}
+
+// src/api/schemas.ts
+var import_zod8 = require("zod");
+var DIRECTIONS = ["downstream", "upstream", "both"];
+var CostSchema = import_zod8.z.object({
+  amount: import_zod8.z.number(),
+  currency: import_zod8.z.string(),
+  period: import_zod8.z.enum(COST_PERIODS),
+  source: import_zod8.z.string().optional()
+});
+var NodeSchema2 = import_zod8.z.object({
+  id: import_zod8.z.string(),
+  type: import_zod8.z.string(),
+  name: import_zod8.z.string(),
+  confidence: import_zod8.z.number(),
+  domain: import_zod8.z.string().optional(),
+  subDomain: import_zod8.z.string().optional(),
+  qualityScore: import_zod8.z.number().optional(),
+  owner: import_zod8.z.string().optional(),
+  cost: CostSchema.optional(),
+  tags: import_zod8.z.array(import_zod8.z.string())
+});
+var EdgeSchema2 = import_zod8.z.object({
+  sourceId: import_zod8.z.string(),
+  targetId: import_zod8.z.string(),
+  relationship: import_zod8.z.string(),
+  confidence: import_zod8.z.number(),
+  evidence: import_zod8.z.string()
+});
+var AnomalySchema = import_zod8.z.object({
+  nodeId: import_zod8.z.string(),
+  kind: import_zod8.z.enum(ANOMALY_KINDS),
+  severity: import_zod8.z.enum(ANOMALY_SEVERITIES),
+  reason: import_zod8.z.string()
+});
+var TopConnectedSchema = import_zod8.z.object({
+  id: import_zod8.z.string(),
+  name: import_zod8.z.string(),
+  type: import_zod8.z.string(),
+  degree: import_zod8.z.number().int()
+});
+var CostByDomainSchema = import_zod8.z.object({
+  domain: import_zod8.z.string(),
+  currency: import_zod8.z.string(),
+  period: import_zod8.z.string(),
+  total: import_zod8.z.number(),
+  nodes: import_zod8.z.number().int()
+});
+var CostByOwnerSchema = import_zod8.z.object({
+  owner: import_zod8.z.string(),
+  currency: import_zod8.z.string(),
+  period: import_zod8.z.string(),
+  total: import_zod8.z.number(),
+  nodes: import_zod8.z.number().int()
+});
+var SummaryResponse = import_zod8.z.object({
+  sessionId: import_zod8.z.string(),
+  totals: import_zod8.z.object({ nodes: import_zod8.z.number().int(), edges: import_zod8.z.number().int() }),
+  nodesByType: import_zod8.z.record(import_zod8.z.string(), import_zod8.z.number().int()),
+  nodesByDomain: import_zod8.z.record(import_zod8.z.string(), import_zod8.z.number().int()),
+  edgesByRelationship: import_zod8.z.record(import_zod8.z.string(), import_zod8.z.number().int()),
+  topConnected: import_zod8.z.array(TopConnectedSchema),
+  anomalies: import_zod8.z.array(AnomalySchema),
+  contributors: import_zod8.z.number().int(),
+  costByDomain: import_zod8.z.array(CostByDomainSchema),
+  costByOwner: import_zod8.z.array(CostByOwnerSchema),
+  costCoverage: import_zod8.z.object({ withCost: import_zod8.z.number().int(), total: import_zod8.z.number().int() })
+});
+var NodesResponse = import_zod8.z.object({
+  nodes: import_zod8.z.array(NodeSchema2),
+  total: import_zod8.z.number().int(),
+  limit: import_zod8.z.number().int(),
+  offset: import_zod8.z.number().int()
+});
+var DependencyNodeSchema = NodeSchema2.extend({ depth: import_zod8.z.number().int() });
+var DependenciesResponse = import_zod8.z.object({
+  root: NodeSchema2.optional(),
+  direction: import_zod8.z.enum(DIRECTIONS),
+  maxDepth: import_zod8.z.number().int(),
+  nodes: import_zod8.z.array(DependencyNodeSchema),
+  edges: import_zod8.z.array(EdgeSchema2)
+});
+var SessionEndpointSchema = import_zod8.z.object({
+  sessionId: import_zod8.z.string(),
+  startedAt: import_zod8.z.string(),
+  nodeCount: import_zod8.z.number().int(),
+  edgeCount: import_zod8.z.number().int()
+});
+var NodeChangeSchema = import_zod8.z.object({
+  id: import_zod8.z.string(),
+  changedFields: import_zod8.z.array(import_zod8.z.string()),
+  confidenceDelta: import_zod8.z.number()
+});
+var DiffResponse = import_zod8.z.object({
+  base: SessionEndpointSchema,
+  current: SessionEndpointSchema,
+  summary: import_zod8.z.object({
+    nodesAdded: import_zod8.z.number().int(),
+    nodesRemoved: import_zod8.z.number().int(),
+    nodesChanged: import_zod8.z.number().int(),
+    edgesAdded: import_zod8.z.number().int(),
+    edgesRemoved: import_zod8.z.number().int()
+  }),
+  nodes: import_zod8.z.object({
+    added: import_zod8.z.array(NodeSchema2),
+    removed: import_zod8.z.array(NodeSchema2),
+    changed: import_zod8.z.array(NodeChangeSchema),
+    unchanged: import_zod8.z.number().int()
+  }),
+  edges: import_zod8.z.object({
+    added: import_zod8.z.array(EdgeSchema2),
+    removed: import_zod8.z.array(EdgeSchema2),
+    unchanged: import_zod8.z.number().int()
+  }),
+  anomalies: import_zod8.z.object({ added: import_zod8.z.array(AnomalySchema) })
+});
+var SessionSchema = import_zod8.z.object({
+  id: import_zod8.z.string(),
+  mode: import_zod8.z.literal("discover"),
+  startedAt: import_zod8.z.string(),
+  completedAt: import_zod8.z.string().optional(),
+  name: import_zod8.z.string().optional(),
+  tenant: import_zod8.z.string(),
+  lastScannedAt: import_zod8.z.string().optional()
+});
+var SessionsResponse = import_zod8.z.object({ sessions: import_zod8.z.array(SessionSchema) });
+var HealthResponse = import_zod8.z.object({
+  status: import_zod8.z.literal("ok"),
+  version: import_zod8.z.string(),
+  store: import_zod8.z.literal("sqlite"),
+  sessions: import_zod8.z.number().int()
+});
+var ErrorResponse = import_zod8.z.object({
+  error: import_zod8.z.string(),
+  code: import_zod8.z.string().optional()
+});
+var API_SCHEMAS = {
+  Node: NodeSchema2,
+  Edge: EdgeSchema2,
+  Anomaly: AnomalySchema,
+  Summary: SummaryResponse,
+  Nodes: NodesResponse,
+  Dependencies: DependenciesResponse,
+  Diff: DiffResponse,
+  Session: SessionSchema,
+  Sessions: SessionsResponse,
+  Health: HealthResponse,
+  Error: ErrorResponse
+};
+
+// src/api/rest.ts
+function toApiNode(n) {
+  const out = { id: n.id, type: n.type, name: n.name, confidence: n.confidence, tags: n.tags };
+  if (n.domain !== void 0) out["domain"] = n.domain;
+  if (n.subDomain !== void 0) out["subDomain"] = n.subDomain;
+  if (n.qualityScore !== void 0) out["qualityScore"] = n.qualityScore;
+  if (n.owner !== void 0) out["owner"] = n.owner;
+  if (n.cost !== void 0) out["cost"] = n.cost;
+  return out;
+}
+function toApiEdge(e) {
+  return { sourceId: e.sourceId, targetId: e.targetId, relationship: e.relationship, confidence: e.confidence, evidence: e.evidence };
+}
+function toApiSession(s) {
+  const out = { id: s.id, mode: s.mode, startedAt: s.startedAt, tenant: s.tenant };
+  if (s.completedAt !== void 0) out["completedAt"] = s.completedAt;
+  if (s.name !== void 0) out["name"] = s.name;
+  if (s.lastScannedAt !== void 0) out["lastScannedAt"] = s.lastScannedAt;
+  return out;
+}
+function toApiAnomaly(a) {
+  return { nodeId: a.nodeId, kind: a.kind, severity: a.severity, reason: a.reason };
+}
+function projectDependencies(r) {
+  return {
+    ...r.root ? { root: toApiNode(r.root) } : {},
+    direction: r.direction,
+    maxDepth: r.maxDepth,
+    nodes: r.nodes.map((n) => ({ ...toApiNode(n), depth: n.depth })),
+    edges: r.edges.map(toApiEdge)
+  };
+}
+function projectDiff(diff) {
+  return {
+    base: { sessionId: diff.base.sessionId, startedAt: diff.base.startedAt, nodeCount: diff.base.nodeCount, edgeCount: diff.base.edgeCount },
+    current: { sessionId: diff.current.sessionId, startedAt: diff.current.startedAt, nodeCount: diff.current.nodeCount, edgeCount: diff.current.edgeCount },
+    summary: diff.summary,
+    nodes: {
+      added: diff.nodes.added.map(toApiNode),
+      removed: diff.nodes.removed.map(toApiNode),
+      changed: diff.nodes.changed.map((c) => ({ id: c.id, changedFields: c.changedFields, confidenceDelta: c.confidenceDelta })),
+      unchanged: diff.nodes.unchanged
+    },
+    edges: {
+      added: diff.edges.added.map(toApiEdge),
+      removed: diff.edges.removed.map(toApiEdge),
+      unchanged: diff.edges.unchanged
+    },
+    anomalies: { added: diff.anomalies.added.map(toApiAnomaly) }
+  };
+}
+function ok(body) {
+  return { status: 200, body };
+}
+function badRequest(error) {
+  return { status: 400, body: { error } };
+}
+function notFound(error = "not found") {
+  return { status: 404, body: { error } };
+}
+function guard(fn) {
+  try {
+    return fn();
+  } catch (err) {
+    if (err instanceof NotFoundError) return notFound(err.message);
+    throw err;
+  }
+}
+function validateOut(schema, body) {
+  if (process.env["NODE_ENV"] !== "production") {
+    const r = schema.safeParse(body);
+    if (!r.success) throw new Error(`API response failed its own schema contract: ${r.error.message}`);
+  }
+  return body;
+}
+function intParam(url, name) {
+  const raw = url.searchParams.get(name);
+  if (raw === null || raw.trim() === "") return void 0;
+  const n = Number(raw);
+  return Number.isInteger(n) ? n : void 0;
+}
+function sessionParam(url) {
+  return url.searchParams.get("session") ?? void 0;
+}
+function handleSummary(ctx, url, d) {
+  return guard(() => ok(validateOut(SummaryResponse, d.backend.summary(ctx, sessionParam(url)))));
+}
+function handleNodes(ctx, url, d) {
+  return guard(() => {
+    const search = url.searchParams.get("search") ?? void 0;
+    const typesRaw = url.searchParams.get("types");
+    const types = typesRaw ? typesRaw.split(",").map((s) => s.trim()).filter(Boolean) : void 0;
+    const limit = intParam(url, "limit");
+    const offset = intParam(url, "offset");
+    const r = d.backend.nodes(
+      ctx,
+      { ...search ? { search } : {}, ...types ? { types } : {}, ...limit !== void 0 ? { limit } : {}, ...offset !== void 0 ? { offset } : {} },
+      sessionParam(url)
+    );
+    return ok(validateOut(NodesResponse, { nodes: r.nodes.map(toApiNode), total: r.total, limit: r.limit, offset: r.offset }));
+  });
+}
+function handleDependencies(ctx, id, url, d) {
+  const directionRaw = url.searchParams.get("direction");
+  if (directionRaw !== null && !DIRECTIONS.includes(directionRaw)) {
+    return badRequest(`direction must be one of ${DIRECTIONS.join(", ")}`);
+  }
+  return guard(() => {
+    const direction = directionRaw ?? void 0;
+    const maxDepth = intParam(url, "maxDepth");
+    const r = d.backend.dependencies(
+      ctx,
+      id,
+      { ...direction ? { direction } : {}, ...maxDepth !== void 0 ? { maxDepth } : {} },
+      sessionParam(url)
+    );
+    return ok(validateOut(DependenciesResponse, projectDependencies(r)));
+  });
+}
+function handleDiff(ctx, url, d) {
+  const base = url.searchParams.get("base");
+  const current = url.searchParams.get("current");
+  if (!base || !current) return badRequest("both `base` and `current` query params are required");
+  return guard(() => {
+    const diff = d.backend.diff(ctx, base, current);
+    return ok(validateOut(DiffResponse, projectDiff(diff)));
+  });
+}
+function handleSessions(ctx, d) {
+  return guard(() => ok(validateOut(SessionsResponse, { sessions: d.backend.sessions(ctx).map(toApiSession) })));
+}
+function handleHealth(ctx, d) {
+  const h = d.backend.health(ctx);
+  return ok(validateOut(HealthResponse, { status: "ok", version: d.version, store: h.store, sessions: h.sessions }));
+}
+
+// src/api/openapi.ts
+function defOf(schema) {
+  return schema.def ?? {};
+}
+function unwrapOptional(schema) {
+  const def = defOf(schema);
+  if ((def.type === "optional" || def.type === "nullable") && def.innerType) {
+    return { inner: def.innerType, optional: true };
+  }
+  return { inner: schema, optional: false };
+}
+function zodToJsonSchema(schema) {
+  const def = defOf(schema);
+  switch (def.type) {
+    case "string":
+      return { type: "string" };
+    case "number": {
+      const isInt = (def.checks ?? []).some((c) => c._zod?.def?.check === "number_format");
+      return { type: isInt ? "integer" : "number" };
+    }
+    case "boolean":
+      return { type: "boolean" };
+    case "literal": {
+      const values = def.values ?? [];
+      return values.length === 1 ? { const: values[0] } : { enum: values };
+    }
+    case "enum":
+      return { type: "string", enum: Object.values(def.entries ?? {}) };
+    case "array":
+      return { type: "array", items: def.element ? zodToJsonSchema(def.element) : {} };
+    case "record":
+      return { type: "object", additionalProperties: def.valueType ? zodToJsonSchema(def.valueType) : true };
+    case "optional":
+    case "nullable":
+      return def.innerType ? zodToJsonSchema(def.innerType) : {};
+    case "object": {
+      const shape = def.shape ?? {};
+      const properties = {};
+      const required = [];
+      for (const key of Object.keys(shape)) {
+        const { inner, optional } = unwrapOptional(shape[key]);
+        properties[key] = zodToJsonSchema(inner);
+        if (!optional) required.push(key);
+      }
+      return { type: "object", properties, required, additionalProperties: false };
+    }
+    default:
+      throw new Error(`zodToJsonSchema: unsupported zod construct "${def.type ?? "unknown"}". Extend src/api/openapi.ts.`);
+  }
+}
+var TENANT_PARAM = {
+  name: "tenant",
+  in: "query",
+  required: false,
+  description: 'Tenant/org scope (also accepted via the X-Cartograph-Tenant header). Defaults to "local".',
+  schema: { type: "string" }
+};
+var SESSION_PARAM = {
+  name: "session",
+  in: "query",
+  required: false,
+  description: "Session id to query, or omit for the latest discovery session.",
+  schema: { type: "string" }
+};
+function errorResponses() {
+  const err = { description: "Error", content: { "application/json": { schema: { $ref: "#/components/schemas/Error" } } } };
+  return { "400": { ...err, description: "Bad request" }, "401": { ...err, description: "Unauthorized" }, "404": { ...err, description: "Not found" } };
+}
+function ok2(ref, description) {
+  return { description, content: { "application/json": { schema: { $ref: `#/components/schemas/${ref}` } } } };
+}
+function buildOpenApiDocument(opts) {
+  const schemas = {};
+  for (const [name, schema] of Object.entries(API_SCHEMAS)) {
+    schemas[name] = zodToJsonSchema(schema);
+  }
+  return {
+    openapi: "3.1.0",
+    info: {
+      title: "Cartograph API",
+      version: opts.version,
+      description: "Read-only REST API over the discovered infrastructure/agentic-AI topology. Every endpoint is tenant-scoped and bearer-authenticated."
+    },
+    servers: [{ url: "/" }],
+    security: [{ bearerAuth: [] }],
+    components: {
+      securitySchemes: { bearerAuth: { type: "http", scheme: "bearer" } },
+      schemas
+    },
+    paths: {
+      "/v1/health": {
+        get: {
+          summary: "Liveness + store/coverage probe",
+          security: [],
+          responses: { "200": ok2("Health", "Service health") }
+        }
+      },
+      "/v1/openapi.json": {
+        get: {
+          summary: "This OpenAPI document",
+          security: [],
+          responses: { "200": { description: "OpenAPI 3.1 document", content: { "application/json": { schema: { type: "object" } } } } }
+        }
+      },
+      "/v1/summary": {
+        get: {
+          summary: "Low-token topology aggregate for the resolved session",
+          parameters: [SESSION_PARAM, TENANT_PARAM],
+          responses: { "200": ok2("Summary", "Topology summary"), ...errorResponses() }
+        }
+      },
+      "/v1/nodes": {
+        get: {
+          summary: "List/search/paginate nodes",
+          parameters: [
+            { name: "search", in: "query", required: false, description: "Lexical/semantic search anchor.", schema: { type: "string" } },
+            { name: "types", in: "query", required: false, description: "Comma-separated node-type filter.", schema: { type: "string" } },
+            { name: "limit", in: "query", required: false, description: "Page size (default 100, max 1000).", schema: { type: "integer" } },
+            { name: "offset", in: "query", required: false, description: "Page offset (ignored for search).", schema: { type: "integer" } },
+            SESSION_PARAM,
+            TENANT_PARAM
+          ],
+          responses: { "200": ok2("Nodes", "A page of nodes"), ...errorResponses() }
+        }
+      },
+      "/v1/nodes/{id}/dependencies": {
+        get: {
+          summary: "Dependency traversal from a node",
+          parameters: [
+            { name: "id", in: "path", required: true, description: 'Node id ("{type}:{id}").', schema: { type: "string" } },
+            { name: "direction", in: "query", required: false, description: "downstream | upstream | both (default downstream).", schema: { type: "string", enum: ["downstream", "upstream", "both"] } },
+            { name: "maxDepth", in: "query", required: false, description: "Traversal depth (default 8, max 64).", schema: { type: "integer" } },
+            SESSION_PARAM,
+            TENANT_PARAM
+          ],
+          responses: { "200": ok2("Dependencies", "Traversal result"), ...errorResponses() }
+        }
+      },
+      "/v1/diff": {
+        get: {
+          summary: "Compare two sessions (drift)",
+          parameters: [
+            { name: "base", in: "query", required: true, description: "Base session id.", schema: { type: "string" } },
+            { name: "current", in: "query", required: true, description: "Current session id.", schema: { type: "string" } },
+            TENANT_PARAM
+          ],
+          responses: { "200": ok2("Diff", "Topology delta"), ...errorResponses() }
+        }
+      },
+      "/v1/sessions": {
+        get: {
+          summary: "List discovery sessions for the tenant",
+          parameters: [TENANT_PARAM],
+          responses: { "200": ok2("Sessions", "Sessions"), ...errorResponses() }
+        }
+      }
+    }
+  };
+}
+
+// src/api/graphql.ts
+var SDL = `# Cartograph read-only GraphQL API (4.2). Mirrors the REST surface.
+schema { query: Query }
+
+type Query {
+  summary(session: String): Summary
+  nodes(search: String, types: [String!], limit: Int, offset: Int, session: String): NodeConnection
+  node(id: String!, session: String): Node
+  dependencies(id: String!, direction: Direction, maxDepth: Int, session: String): Dependencies
+  diff(base: String!, current: String!): Diff
+  sessions: [Session!]!
+}
+
+enum Direction { downstream upstream both }
+
+type Totals { nodes: Int! edges: Int! }
+type Count { key: String! value: Int! }
+type TopConnected { id: String! name: String! type: String! degree: Int! }
+type Anomaly { nodeId: String! kind: String! severity: String! reason: String! }
+type Cost { amount: Float! currency: String! period: String! source: String }
+type CostRollup { key: String! currency: String! period: String! total: Float! nodes: Int! }
+type CostCoverage { withCost: Int! total: Int! }
+
+type Node {
+  id: String! type: String! name: String! confidence: Float!
+  domain: String subDomain: String qualityScore: Float owner: String cost: Cost tags: [String!]!
+}
+type DependencyNode {
+  id: String! type: String! name: String! confidence: Float!
+  domain: String subDomain: String qualityScore: Float owner: String cost: Cost tags: [String!]! depth: Int!
+}
+type Edge { sourceId: String! targetId: String! relationship: String! confidence: Float! evidence: String! }
+
+type Summary {
+  sessionId: String!
+  totals: Totals!
+  topConnected: [TopConnected!]!
+  anomalies: [Anomaly!]!
+  contributors: Int!
+  costByDomain: [CostRollup!]!
+  costByOwner: [CostRollup!]!
+  costCoverage: CostCoverage!
+}
+
+type NodeConnection { nodes: [Node!]! total: Int! limit: Int! offset: Int! }
+type Dependencies { root: Node direction: Direction! maxDepth: Int! nodes: [DependencyNode!]! edges: [Edge!]! }
+
+type SessionEndpoint { sessionId: String! startedAt: String! nodeCount: Int! edgeCount: Int! }
+type DiffSummary { nodesAdded: Int! nodesRemoved: Int! nodesChanged: Int! edgesAdded: Int! edgesRemoved: Int! }
+type NodeChange { id: String! changedFields: [String!]! confidenceDelta: Float! }
+type DiffNodes { added: [Node!]! removed: [Node!]! changed: [NodeChange!]! unchanged: Int! }
+type DiffEdges { added: [Edge!]! removed: [Edge!]! unchanged: Int! }
+type DiffAnomalies { added: [Anomaly!]! }
+type Diff {
+  base: SessionEndpoint! current: SessionEndpoint! summary: DiffSummary!
+  nodes: DiffNodes! edges: DiffEdges! anomalies: DiffAnomalies!
+}
+
+type Session { id: String! mode: String! startedAt: String! completedAt: String name: String tenant: String! lastScannedAt: String }
+`;
+var resolvers = {
+  summary: (ctx, args, backend) => backend.summary(ctx, str(args["session"])),
+  nodes: (ctx, args, backend) => {
+    const r = backend.nodes(
+      ctx,
+      {
+        ...str(args["search"]) ? { search: str(args["search"]) } : {},
+        ...Array.isArray(args["types"]) ? { types: args["types"].map(String) } : {},
+        ...num(args["limit"]) !== void 0 ? { limit: num(args["limit"]) } : {},
+        ...num(args["offset"]) !== void 0 ? { offset: num(args["offset"]) } : {}
+      },
+      str(args["session"])
+    );
+    return { nodes: r.nodes.map(toApiNode), total: r.total, limit: r.limit, offset: r.offset };
+  },
+  node: (ctx, args, backend) => {
+    const n = backend.node(ctx, String(args["id"]), str(args["session"]));
+    return n ? toApiNode(n) : null;
+  },
+  dependencies: (ctx, args, backend) => {
+    const r = backend.dependencies(
+      ctx,
+      String(args["id"]),
+      {
+        ...str(args["direction"]) ? { direction: str(args["direction"]) } : {},
+        ...num(args["maxDepth"]) !== void 0 ? { maxDepth: num(args["maxDepth"]) } : {}
+      },
+      str(args["session"])
+    );
+    return projectDependencies(r);
+  },
+  diff: (ctx, args, backend) => projectDiff(backend.diff(ctx, String(args["base"]), String(args["current"]))),
+  sessions: (ctx, _args, backend) => backend.sessions(ctx).map(toApiSession)
+};
+function str(v) {
+  return typeof v === "string" ? v : void 0;
+}
+function num(v) {
+  return typeof v === "number" && Number.isInteger(v) ? v : void 0;
+}
+var NAME_RE = /[_A-Za-z][_0-9A-Za-z]*/y;
+function tokenize2(src) {
+  const tokens = [];
+  let i = 0;
+  while (i < src.length) {
+    const c = src[i];
+    if (/\s|,/.test(c)) {
+      i++;
+      continue;
+    }
+    if (c === "#") {
+      while (i < src.length && src[i] !== "\n") i++;
+      continue;
+    }
+    if ("{}()[]:!$".includes(c)) {
+      tokens.push(c);
+      i++;
+      continue;
+    }
+    if (c === '"') {
+      let j = i + 1;
+      let s = "";
+      while (j < src.length && src[j] !== '"') {
+        s += src[j];
+        j++;
+      }
+      tokens.push(JSON.stringify(s));
+      i = j + 1;
+      continue;
+    }
+    NAME_RE.lastIndex = i;
+    const m = NAME_RE.exec(src);
+    if (m && m.index === i) {
+      tokens.push(m[0]);
+      i = NAME_RE.lastIndex;
+      continue;
+    }
+    const numMatch = /-?\d+(\.\d+)?/y;
+    numMatch.lastIndex = i;
+    const nm = numMatch.exec(src);
+    if (nm && nm.index === i) {
+      tokens.push(nm[0]);
+      i = numMatch.lastIndex;
+      continue;
+    }
+    throw new Error(`unexpected character '${c}'`);
+  }
+  return tokens;
+}
+var MAX_SELECTION_DEPTH = 32;
+var Parser = class {
+  constructor(tokens, variables) {
+    this.tokens = tokens;
+    this.variables = variables;
+  }
+  pos = 0;
+  depth = 0;
+  peek() {
+    return this.tokens[this.pos];
+  }
+  next() {
+    return this.tokens[this.pos++];
+  }
+  expect(tok) {
+    if (this.tokens[this.pos] !== tok) throw new Error(`expected '${tok}', got '${this.tokens[this.pos] ?? "<eof>"}'`);
+    this.pos++;
+  }
+  parseDocument() {
+    if (this.peek() === "mutation" || this.peek() === "subscription") {
+      throw new Error("only query operations are supported (read-only API)");
+    }
+    if (this.peek() === "query") {
+      this.next();
+      if (this.peek() && this.peek() !== "{" && this.peek() !== "(") this.next();
+      if (this.peek() === "(") this.skipBalanced("(", ")");
+    }
+    this.expect("{");
+    const selections = this.parseSelectionSet();
+    return selections;
+  }
+  skipBalanced(open, close) {
+    this.expect(open);
+    let depth = 1;
+    while (depth > 0) {
+      const t = this.next();
+      if (t === void 0) throw new Error("unbalanced");
+      if (t === open) depth++;
+      else if (t === close) depth--;
+    }
+  }
+  parseSelectionSet() {
+    if (++this.depth > MAX_SELECTION_DEPTH) throw new Error(`selection set nested deeper than ${MAX_SELECTION_DEPTH}`);
+    const out = [];
+    while (this.peek() !== "}") {
+      if (this.peek() === void 0) throw new Error("unexpected end of selection set");
+      out.push(this.parseSelection());
+    }
+    this.expect("}");
+    this.depth--;
+    return out;
+  }
+  parseSelection() {
+    let name = this.next();
+    const alias = name;
+    if (this.peek() === ":") {
+      this.next();
+      name = this.next();
+    }
+    const args = {};
+    if (this.peek() === "(") {
+      this.next();
+      while (this.peek() !== ")") {
+        const argName = this.next();
+        this.expect(":");
+        args[argName] = this.parseValue();
+      }
+      this.expect(")");
+    }
+    let selections = [];
+    if (this.peek() === "{") {
+      this.next();
+      selections = this.parseSelectionSet();
+    }
+    return { name, alias, args, selections };
+  }
+  parseValue() {
+    const t = this.next();
+    if (t === "$") {
+      const v = this.next();
+      return this.variables[v];
+    }
+    if (t === "[") {
+      const arr = [];
+      while (this.peek() !== "]") arr.push(this.parseValue());
+      this.expect("]");
+      return arr;
+    }
+    if (t.startsWith('"')) return JSON.parse(t);
+    if (t === "true") return true;
+    if (t === "false") return false;
+    if (t === "null") return null;
+    if (/^-?\d+(\.\d+)?$/.test(t)) return Number(t);
+    return t;
+  }
+};
+function project(value, selections) {
+  if (value === null || value === void 0) return null;
+  if (selections.length === 0) return value;
+  if (Array.isArray(value)) return value.map((v) => project(v, selections));
+  if (typeof value !== "object") return value;
+  const obj = value;
+  const out = {};
+  for (const sel of selections) {
+    if (sel.name === "__typename") {
+      out[sel.alias] = void 0;
+      continue;
+    }
+    out[sel.alias] = project(obj[sel.name], sel.selections);
+  }
+  return out;
+}
+function introspectionSchema() {
+  const names = [...SDL.matchAll(/^(?:type|enum)\s+([_A-Za-z][_0-9A-Za-z]*)/gm)].map((m) => m[1]);
+  const types = names.map((name) => ({ name, kind: /^[A-Z]/.test(name) ? "OBJECT" : "SCALAR" }));
+  return {
+    __schema: {
+      queryType: { name: "Query" },
+      mutationType: null,
+      subscriptionType: null,
+      types,
+      directives: []
+    }
+  };
+}
+async function executeGraphql(ctx, body, deps) {
+  const req = body ?? {};
+  if (typeof req.query !== "string" || req.query.trim() === "") {
+    return { errors: [{ message: "missing query" }] };
+  }
+  const variables = typeof req.variables === "object" && req.variables !== null ? req.variables : {};
+  let selections;
+  try {
+    selections = new Parser(tokenize2(req.query), variables).parseDocument();
+  } catch (err) {
+    return { errors: [{ message: `syntax error: ${err instanceof Error ? err.message : String(err)}` }] };
+  }
+  const data = {};
+  const errors = [];
+  for (const sel of selections) {
+    try {
+      if (sel.name === "__schema") {
+        data[sel.alias] = project(introspectionSchema()["__schema"], sel.selections);
+        continue;
+      }
+      if (sel.name === "__typename") {
+        data[sel.alias] = "Query";
+        continue;
+      }
+      const resolver = resolvers[sel.name];
+      if (!resolver) {
+        errors.push({ message: `Cannot query field "${sel.name}" on type "Query"` });
+        continue;
+      }
+      const resolved = resolver(ctx, sel.args, deps.backend);
+      data[sel.alias] = project(resolved, sel.selections);
+    } catch (err) {
+      errors.push({ message: err instanceof Error ? err.message : String(err) });
+    }
+  }
+  return errors.length > 0 ? { data, errors } : { data };
+}
+function handleGraphqlGet() {
+  return { status: 200, body: SDL };
+}
+
+// src/api/server.ts
+var DEPENDENCIES_RE = /^\/v1\/nodes\/(.+)\/dependencies$/;
+var MAX_GRAPHQL_BYTES = 1024 * 1024;
+function send(res, status, body, headers = {}) {
+  res.writeHead(status, { "content-type": "application/json", ...headers }).end(JSON.stringify(body));
+}
+async function readBody(req, cap) {
+  const chunks = [];
+  let total = 0;
+  let overflow = false;
+  for await (const chunk of req) {
+    if (overflow) continue;
+    const buf = chunk;
+    total += buf.length;
+    if (total > cap) {
+      overflow = true;
+      chunks.length = 0;
+      continue;
+    }
+    chunks.push(buf);
+  }
+  if (overflow) return { overflow: true, value: void 0 };
+  if (chunks.length === 0) return { overflow: false, value: void 0 };
+  try {
+    return { overflow: false, value: JSON.parse(Buffer.concat(chunks).toString("utf8")) };
+  } catch {
+    return { overflow: false, value: void 0 };
+  }
+}
+async function runApi(opts) {
+  const host2 = opts.host ?? "127.0.0.1";
+  const requestedPort = opts.port ?? 3737;
+  const token = opts.token;
+  const graphqlEnabled = opts.graphql !== false;
+  const defaultTenant = opts.tenant?.defaultTenant ?? DEFAULT_TENANT;
+  const log2 = opts.log ?? (() => {
+  });
+  const restDeps = { backend: opts.backend, version: opts.version };
+  const openApiDoc = buildOpenApiDocument({ version: opts.version });
+  const allowedOrigins = opts.allowedOrigins ?? [];
+  assertSafeBind({ host: host2, port: requestedPort, ...opts.allowedHosts ? { allowedHosts: opts.allowedHosts } : {}, ...token ? { token } : {} });
+  let allowedHosts = opts.allowedHosts ?? [];
+  const corsHeaders = (req) => {
+    const origin = req.headers["origin"];
+    if (typeof origin === "string" && allowedOrigins.includes(origin)) {
+      return {
+        "access-control-allow-origin": origin,
+        "vary": "Origin",
+        "access-control-allow-methods": "GET, POST, OPTIONS",
+        "access-control-allow-headers": "authorization, content-type, x-cartograph-tenant"
+      };
+    }
+    return {};
+  };
+  const server = import_node_http2.default.createServer((req, res) => {
+    const started = Date.now();
+    let tenantLabel = "-";
+    const finish = (status) => {
+      log2(`[cartography-api] ${req.method ?? "-"} ${req.url ?? "-"} ${status} ${Date.now() - started}ms tenant=${tenantLabel}`);
+    };
+    void (async () => {
+      try {
+        const url = new URL(req.url ?? "/", `http://${req.headers["host"] ?? host2}`);
+        const path = url.pathname;
+        const cors = corsHeaders(req);
+        if (req.method === "OPTIONS") {
+          res.writeHead(204, cors).end();
+          finish(204);
+          return;
+        }
+        const hostHeader = (req.headers["host"] ?? "").toLowerCase();
+        if (!allowedHosts.some((h) => h.toLowerCase() === hostHeader)) {
+          send(res, 403, { error: "host not allowed" }, cors);
+          finish(403);
+          return;
+        }
+        if (path === "/v1/openapi.json" && req.method === "GET") {
+          send(res, 200, openApiDoc, cors);
+          finish(200);
+          return;
+        }
+        if (path === "/v1/health") {
+          if (req.method !== "GET") {
+            send(res, 405, { error: "method not allowed" }, { allow: "GET", ...cors });
+            finish(405);
+            return;
+          }
+          tenantLabel = defaultTenant;
+          const r = handleHealth({ tenant: defaultTenant }, restDeps);
+          send(res, r.status, r.body, cors);
+          finish(r.status);
+          return;
+        }
+        if (!checkBearer(req.headers["authorization"], token)) {
+          send(res, 401, { error: "unauthorized" }, { "www-authenticate": "Bearer", ...cors });
+          finish(401);
+          return;
+        }
+        let ctx;
+        try {
+          ctx = resolveTenant(req, url, opts.tenant ?? {});
+          tenantLabel = ctx.tenant;
+        } catch (err) {
+          if (err instanceof InvalidTenantError) {
+            send(res, 400, { error: "invalid tenant" }, cors);
+            finish(400);
+            return;
+          }
+          throw err;
+        }
+        if (graphqlEnabled && path === "/graphql") {
+          if (req.method === "GET") {
+            const g = handleGraphqlGet();
+            res.writeHead(g.status, { "content-type": "text/plain; charset=utf-8", ...cors }).end(g.body);
+            finish(g.status);
+            return;
+          }
+          if (req.method === "POST") {
+            const { overflow, value } = await readBody(req, MAX_GRAPHQL_BYTES);
+            if (overflow) {
+              send(res, 413, { error: "payload too large" }, cors);
+              finish(413);
+              return;
+            }
+            const result = await executeGraphql(ctx, value, { backend: opts.backend });
+            send(res, 200, result, cors);
+            finish(200);
+            return;
+          }
+          send(res, 405, { error: "method not allowed" }, { allow: "GET, POST", ...cors });
+          finish(405);
+          return;
+        }
+        if (path.startsWith("/v1/")) {
+          if (req.method !== "GET") {
+            send(res, 405, { error: "method not allowed" }, { allow: "GET", ...cors });
+            finish(405);
+            return;
+          }
+          const result = dispatchRest(ctx, path, url, restDeps);
+          if (result) {
+            send(res, result.status, result.body, cors);
+            finish(result.status);
+            return;
+          }
+        }
+        send(res, 404, { error: "not found" }, cors);
+        finish(404);
+      } catch (err) {
+        process.stderr.write(`[cartography-api] request failed: ${err instanceof Error ? err.message : String(err)}
+`);
+        if (!res.headersSent) send(res, 500, { error: "internal error" });
+        finish(500);
+      }
+    })();
+  });
+  await new Promise((resolve3) => server.listen(requestedPort, host2, resolve3));
+  const actualPort = server.address().port;
+  if (allowedHosts.length === 0) allowedHosts = defaultAllowedHosts(host2, actualPort);
+  return server;
+}
+function dispatchRest(ctx, path, url, deps) {
+  switch (path) {
+    case "/v1/summary":
+      return handleSummary(ctx, url, deps);
+    case "/v1/nodes":
+      return handleNodes(ctx, url, deps);
+    case "/v1/diff":
+      return handleDiff(ctx, url, deps);
+    case "/v1/sessions":
+      return handleSessions(ctx, deps);
+    default: {
+      const m = DEPENDENCIES_RE.exec(path);
+      if (m) return handleDependencies(ctx, decodeURIComponent(m[1]), url, deps);
+      return void 0;
+    }
+  }
+}
+
+// src/api/start.ts
+var import_node_fs5 = require("fs");
+var import_node_path5 = require("path");
+var import_node_url = require("url");
+var import_meta = {};
+function readVersion() {
+  try {
+    const dir = import_meta.dirname ?? (0, import_node_path5.dirname)((0, import_node_url.fileURLToPath)(import_meta.url));
+    return JSON.parse((0, import_node_fs5.readFileSync)((0, import_node_path5.resolve)(dir, "..", "package.json"), "utf-8")).version ?? "0.0.0";
+  } catch {
+    return "0.0.0";
+  }
+}
+function parseApiArgs(argv) {
+  const opts = {};
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a === "--http") continue;
+    else if (a === "--no-graphql") opts.graphql = false;
+    else if (a === "--port") opts.port = Number(argv[++i]);
+    else if (a === "--host") opts.host = argv[++i];
+    else if (a === "--allowed-hosts") opts.allowedHosts = splitList(argv[++i]);
+    else if (a === "--allowed-origins") opts.allowedOrigins = splitList(argv[++i]);
+    else if (a === "--token") opts.token = argv[++i];
+    else if (a === "--db") opts.dbPath = argv[++i];
+    else if (a === "--session") opts.session = argv[++i];
+    else if (a === "--tenant" || a === "--org") opts.tenant = argv[++i];
+    else if (a === "--help" || a === "-h") opts.help = true;
+  }
+  return opts;
+}
+function splitList(raw) {
+  return (raw ?? "").split(",").map((s) => s.trim()).filter(Boolean);
+}
+async function startApi(opts = {}) {
+  const log2 = opts.log ?? ((m) => process.stderr.write(m + "\n"));
+  const db = new CartographyDB(opts.dbPath ?? defaultConfig().dbPath);
+  const backend = createSqliteQueryBackend(db, opts.session ?? "latest");
+  const token = opts.token ?? process.env["CARTOGRAPHY_HTTP_TOKEN"];
+  const host2 = opts.host ?? "127.0.0.1";
+  const port = opts.port ?? 3737;
+  const version = readVersion();
+  const server = await runApi({
+    host: host2,
+    port,
+    backend,
+    version,
+    ...opts.allowedHosts ? { allowedHosts: opts.allowedHosts } : {},
+    ...opts.allowedOrigins ? { allowedOrigins: opts.allowedOrigins } : {},
+    ...token ? { token } : {},
+    ...opts.graphql === false ? { graphql: false } : {},
+    ...opts.tenant ? { tenant: { defaultTenant: normalizeTenant(opts.tenant) } } : {},
+    log: log2
+  });
+  const graphqlNote = opts.graphql === false ? " [REST only]" : " + /graphql";
+  log2(
+    `Cartograph API (REST${graphqlNote}) on http://${host2}:${port}/v1${token ? " (auth: bearer token required)" : ""} (tenant: ${normalizeTenant(opts.tenant)})`
+  );
+  return server;
+}
+
 // src/installer/format.ts
 var import_smol_toml = require("smol-toml");
 var import_yaml = require("yaml");
@@ -7031,8 +8185,8 @@ function defaultServerEntry(opts = {}) {
 }
 
 // src/installer/install.ts
-var import_node_fs5 = require("fs");
-var import_node_path5 = require("path");
+var import_node_fs6 = require("fs");
+var import_node_path6 = require("path");
 var import_node_os4 = require("os");
 function currentOs() {
   if (process.platform === "win32") return "win";
@@ -7047,8 +8201,8 @@ function planInstall(spec, ctx, opts) {
   if (!path) {
     throw new Error(`${spec.label} does not support the "${ctx.scope}" scope.`);
   }
-  const fileExists = (0, import_node_fs5.existsSync)(path);
-  const before = fileExists ? (0, import_node_fs5.readFileSync)(path, "utf8") : "";
+  const fileExists = (0, import_node_fs6.existsSync)(path);
+  const before = fileExists ? (0, import_node_fs6.readFileSync)(path, "utf8") : "";
   const existing = parseConfig(before, spec.format);
   const merged = spec.apply(existing, opts.serverName ?? DEFAULT_SERVER_NAME, opts.entry);
   const after = serializeConfig(merged, spec.format);
@@ -7065,8 +8219,8 @@ function planInstall(spec, ctx, opts) {
   };
 }
 function applyInstall(plan) {
-  (0, import_node_fs5.mkdirSync)((0, import_node_path5.dirname)(plan.path), { recursive: true });
-  (0, import_node_fs5.writeFileSync)(plan.path, plan.after, "utf8");
+  (0, import_node_fs6.mkdirSync)((0, import_node_path6.dirname)(plan.path), { recursive: true });
+  (0, import_node_fs6.writeFileSync)(plan.path, plan.after, "utf8");
 }
 function renderDiff(before, after) {
   if (before === after) return "  (no changes)";
@@ -7086,7 +8240,7 @@ function renderDiff(before, after) {
 }
 
 // src/installer/registry.ts
-var import_node_path6 = require("path");
+var import_node_path7 = require("path");
 function jsonKeyedClient(args) {
   return {
     id: args.id,
@@ -7101,31 +8255,31 @@ var claudeCode = jsonKeyedClient({
   id: "claude-code",
   label: "Claude Code",
   key: "mcpServers",
-  globalPath: (ctx) => (0, import_node_path6.join)(ctx.home, ".claude.json"),
-  projectPath: (ctx) => (0, import_node_path6.join)(ctx.cwd, ".mcp.json")
+  globalPath: (ctx) => (0, import_node_path7.join)(ctx.home, ".claude.json"),
+  projectPath: (ctx) => (0, import_node_path7.join)(ctx.cwd, ".mcp.json")
 });
 var cursor = jsonKeyedClient({
   id: "cursor",
   label: "Cursor",
   key: "mcpServers",
-  globalPath: (ctx) => (0, import_node_path6.join)(ctx.home, ".cursor", "mcp.json"),
-  projectPath: (ctx) => (0, import_node_path6.join)(ctx.cwd, ".cursor", "mcp.json")
+  globalPath: (ctx) => (0, import_node_path7.join)(ctx.home, ".cursor", "mcp.json"),
+  projectPath: (ctx) => (0, import_node_path7.join)(ctx.cwd, ".cursor", "mcp.json")
 });
 function vscodeServerObject(entry) {
   if (entry.url) return { type: "http", url: entry.url, ...entry.env ? { env: entry.env } : {} };
   return { type: "stdio", command: entry.command, args: entry.args ?? [], ...entry.env ? { env: entry.env } : {} };
 }
 function vscodeUserDir(ctx) {
-  if (ctx.os === "win") return (0, import_node_path6.join)(ctx.env.APPDATA ?? (0, import_node_path6.join)(ctx.home, "AppData", "Roaming"), "Code", "User");
-  if (ctx.os === "mac") return (0, import_node_path6.join)(ctx.home, "Library", "Application Support", "Code", "User");
-  return (0, import_node_path6.join)(ctx.home, ".config", "Code", "User");
+  if (ctx.os === "win") return (0, import_node_path7.join)(ctx.env.APPDATA ?? (0, import_node_path7.join)(ctx.home, "AppData", "Roaming"), "Code", "User");
+  if (ctx.os === "mac") return (0, import_node_path7.join)(ctx.home, "Library", "Application Support", "Code", "User");
+  return (0, import_node_path7.join)(ctx.home, ".config", "Code", "User");
 }
 var vscode = {
   id: "vscode",
   label: "VS Code (Copilot)",
   format: "json",
   note: "Uses the `servers` key (not `mcpServers`) \u2014 the most common copy-paste mistake.",
-  path: (ctx) => ctx.scope === "project" ? (0, import_node_path6.join)(ctx.cwd, ".vscode", "mcp.json") : (0, import_node_path6.join)(vscodeUserDir(ctx), "mcp.json"),
+  path: (ctx) => ctx.scope === "project" ? (0, import_node_path7.join)(ctx.cwd, ".vscode", "mcp.json") : (0, import_node_path7.join)(vscodeUserDir(ctx), "mcp.json"),
   apply: (existing, name, entry) => deepMerge(existing, { servers: { [name]: vscodeServerObject(entry) } })
 };
 var codex = {
@@ -7133,17 +8287,17 @@ var codex = {
   label: "Codex CLI",
   format: "toml",
   note: 'Project scope only loads in "trusted" projects.',
-  path: (ctx) => ctx.scope === "project" ? (0, import_node_path6.join)(ctx.cwd, ".codex", "config.toml") : (0, import_node_path6.join)(ctx.home, ".codex", "config.toml"),
+  path: (ctx) => ctx.scope === "project" ? (0, import_node_path7.join)(ctx.cwd, ".codex", "config.toml") : (0, import_node_path7.join)(ctx.home, ".codex", "config.toml"),
   apply: (existing, name, entry) => deepMerge(existing, { mcp_servers: { [name]: mcpServerObject(entry) } })
 };
 var windsurf = jsonKeyedClient({
   id: "windsurf",
   label: "Windsurf",
   key: "mcpServers",
-  globalPath: (ctx) => (0, import_node_path6.join)(ctx.home, ".codeium", "windsurf", "mcp_config.json")
+  globalPath: (ctx) => (0, import_node_path7.join)(ctx.home, ".codeium", "windsurf", "mcp_config.json")
 });
 function codeGlobalStorage(ctx, extensionId) {
-  return (0, import_node_path6.join)(vscodeUserDir(ctx), "globalStorage", extensionId, "settings", "cline_mcp_settings.json");
+  return (0, import_node_path7.join)(vscodeUserDir(ctx), "globalStorage", extensionId, "settings", "cline_mcp_settings.json");
 }
 var cline = {
   id: "cline",
@@ -7158,7 +8312,7 @@ var roo = {
   label: "Roo Code",
   format: "json",
   note: "Project .roo/mcp.json takes precedence over the global settings.",
-  path: (ctx) => ctx.scope === "project" ? (0, import_node_path6.join)(ctx.cwd, ".roo", "mcp.json") : codeGlobalStorage(ctx, "rooveterinaryinc.roo-cline"),
+  path: (ctx) => ctx.scope === "project" ? (0, import_node_path7.join)(ctx.cwd, ".roo", "mcp.json") : codeGlobalStorage(ctx, "rooveterinaryinc.roo-cline"),
   apply: (existing, name, entry) => deepMerge(existing, { mcpServers: { [name]: mcpServerObject(entry) } })
 };
 var zed = {
@@ -7167,9 +8321,9 @@ var zed = {
   format: "json",
   note: 'Manual servers need "source": "custom"; remote uses an mcp-remote bridge.',
   path: (ctx) => {
-    if (ctx.scope === "project") return (0, import_node_path6.join)(ctx.cwd, ".zed", "settings.json");
-    if (ctx.os === "win") return (0, import_node_path6.join)(ctx.env.APPDATA ?? (0, import_node_path6.join)(ctx.home, "AppData", "Roaming"), "Zed", "settings.json");
-    return (0, import_node_path6.join)(ctx.home, ".config", "zed", "settings.json");
+    if (ctx.scope === "project") return (0, import_node_path7.join)(ctx.cwd, ".zed", "settings.json");
+    if (ctx.os === "win") return (0, import_node_path7.join)(ctx.env.APPDATA ?? (0, import_node_path7.join)(ctx.home, "AppData", "Roaming"), "Zed", "settings.json");
+    return (0, import_node_path7.join)(ctx.home, ".config", "zed", "settings.json");
   },
   apply: (existing, name, entry) => {
     const inner = entry.url ? { source: "custom", url: entry.url } : { source: "custom", command: entry.command, args: entry.args ?? [], ...entry.env ? { env: entry.env } : {} };
@@ -7180,14 +8334,14 @@ var junie = {
   id: "junie",
   label: "JetBrains / Junie",
   format: "json",
-  path: (ctx) => ctx.scope === "project" ? (0, import_node_path6.join)(ctx.cwd, ".junie", "mcp", "mcp.json") : (0, import_node_path6.join)(ctx.home, ".junie", "mcp", "mcp.json"),
+  path: (ctx) => ctx.scope === "project" ? (0, import_node_path7.join)(ctx.cwd, ".junie", "mcp", "mcp.json") : (0, import_node_path7.join)(ctx.home, ".junie", "mcp", "mcp.json"),
   apply: (existing, name, entry) => deepMerge(existing, { mcpServers: { [name]: mcpServerObject(entry) } })
 };
 var gemini = {
   id: "gemini",
   label: "Gemini CLI",
   format: "json",
-  path: (ctx) => ctx.scope === "project" ? (0, import_node_path6.join)(ctx.cwd, ".gemini", "settings.json") : (0, import_node_path6.join)(ctx.home, ".gemini", "settings.json"),
+  path: (ctx) => ctx.scope === "project" ? (0, import_node_path7.join)(ctx.cwd, ".gemini", "settings.json") : (0, import_node_path7.join)(ctx.home, ".gemini", "settings.json"),
   apply: (existing, name, entry) => {
     const inner = entry.url ? { httpUrl: entry.url, ...entry.env ? { env: entry.env } : {} } : mcpServerObject(entry);
     return deepMerge(existing, { mcpServers: { [name]: inner } });
@@ -7199,8 +8353,8 @@ var goose = {
   format: "yaml",
   note: "Verify the extension shape against current Goose docs; built-ins are left untouched.",
   path: (ctx) => {
-    if (ctx.os === "win") return (0, import_node_path6.join)(ctx.env.APPDATA ?? (0, import_node_path6.join)(ctx.home, "AppData", "Roaming"), "Block", "goose", "config", "config.yaml");
-    return (0, import_node_path6.join)(ctx.home, ".config", "goose", "config.yaml");
+    if (ctx.os === "win") return (0, import_node_path7.join)(ctx.env.APPDATA ?? (0, import_node_path7.join)(ctx.home, "AppData", "Roaming"), "Block", "goose", "config", "config.yaml");
+    return (0, import_node_path7.join)(ctx.home, ".config", "goose", "config.yaml");
   },
   apply: (existing, name, entry) => {
     const inner = entry.url ? { name, type: "streamable_http", enabled: true, uri: entry.url, ...entry.env ? { env: entry.env } : {} } : { name, type: "stdio", enabled: true, command: entry.command, args: entry.args ?? [], ...entry.env ? { env: entry.env } : {} };
@@ -7215,7 +8369,7 @@ var openhands = {
   label: "OpenHands",
   format: "toml",
   note: "SHTTP is preferred; SSE is legacy. Only api_key is supported (no arbitrary headers).",
-  path: (ctx) => ctx.scope === "project" ? (0, import_node_path6.join)(ctx.cwd, "config.toml") : (0, import_node_path6.join)(ctx.home, ".openhands", "config.toml"),
+  path: (ctx) => ctx.scope === "project" ? (0, import_node_path7.join)(ctx.cwd, "config.toml") : (0, import_node_path7.join)(ctx.home, ".openhands", "config.toml"),
   apply: (existing, name, entry) => {
     const mcp = isObj(existing.mcp) ? { ...existing.mcp } : {};
     const key = entry.url ? "shttp_servers" : "stdio_servers";
@@ -7236,9 +8390,9 @@ var claudeDesktop = {
   note: "One-click install is also available via the .mcpb bundle (npm run build:mcpb).",
   path: (ctx) => {
     if (ctx.scope === "project") return void 0;
-    if (ctx.os === "win") return (0, import_node_path6.join)(ctx.env.APPDATA ?? (0, import_node_path6.join)(ctx.home, "AppData", "Roaming"), "Claude", "claude_desktop_config.json");
-    if (ctx.os === "mac") return (0, import_node_path6.join)(ctx.home, "Library", "Application Support", "Claude", "claude_desktop_config.json");
-    return (0, import_node_path6.join)(ctx.home, ".config", "Claude", "claude_desktop_config.json");
+    if (ctx.os === "win") return (0, import_node_path7.join)(ctx.env.APPDATA ?? (0, import_node_path7.join)(ctx.home, "AppData", "Roaming"), "Claude", "claude_desktop_config.json");
+    if (ctx.os === "mac") return (0, import_node_path7.join)(ctx.home, "Library", "Application Support", "Claude", "claude_desktop_config.json");
+    return (0, import_node_path7.join)(ctx.home, ".config", "Claude", "claude_desktop_config.json");
   },
   apply: (existing, name, entry) => deepMerge(existing, { mcpServers: { [name]: mcpServerObject(entry) } })
 };
@@ -7439,13 +8593,13 @@ function createClaudeProvider() {
 }
 
 // src/providers/shell.ts
-var import_zod8 = require("zod");
+var import_zod9 = require("zod");
 function createBashTool() {
   const shell = IS_WIN ? "powershell" : "posix";
   return {
     name: "Bash",
     description: "Run a read-only shell command (inspect ports, processes, config). Mutating or destructive commands are blocked by the read-only allowlist.",
-    inputShape: { command: import_zod8.z.string().describe("The read-only shell command to run") },
+    inputShape: { command: import_zod9.z.string().describe("The read-only shell command to run") },
     annotations: { readOnlyHint: true, openWorldHint: true },
     handler: async (args) => {
       const command = String(args["command"] ?? "").trim();
@@ -7914,8 +9068,8 @@ Use ask_user when you need context from the user.`;
 }
 
 // src/cost.ts
-var import_node_fs6 = require("fs");
-var import_node_path7 = require("path");
+var import_node_fs7 = require("fs");
+var import_node_path8 = require("path");
 function splitCsvLine(line) {
   const out = [];
   let cur = "";
@@ -7993,7 +9147,7 @@ var CsvCostSource = class {
   }
   id;
   async fetch() {
-    const text = (0, import_node_fs6.readFileSync)((0, import_node_path7.resolve)(this.opts.filePath), "utf-8");
+    const text = (0, import_node_fs7.readFileSync)((0, import_node_path8.resolve)(this.opts.filePath), "utf-8");
     const records = parseCostCsv(text);
     const match = this.opts.match ?? "nodeId";
     const out = /* @__PURE__ */ new Map();
@@ -8024,19 +9178,19 @@ async function enrichCosts(db, sessionId, source) {
   let matched = 0;
   const unmatchedIds = [];
   for (const [nodeId, rec] of records) {
-    const ok = db.enrichNodeAttribution(sessionId, nodeId, {
+    const ok3 = db.enrichNodeAttribution(sessionId, nodeId, {
       owner: rec.owner ?? void 0,
       cost: rec.cost ?? void 0
     });
-    if (ok) matched++;
+    if (ok3) matched++;
     else unmatchedIds.push(nodeId);
   }
   return { source: source.id, total: records.size, matched, unmatched: unmatchedIds.length, unmatchedIds };
 }
 
 // src/exporter.ts
-var import_node_fs7 = require("fs");
-var import_node_path8 = require("path");
+var import_node_fs8 = require("fs");
+var import_node_path9 = require("path");
 
 // src/hex.ts
 function hexToPixel(q, r, size) {
@@ -8135,10 +9289,10 @@ function assignColors(domains) {
   return result;
 }
 function shadeVariant(hex, amount) {
-  const num = parseInt(hex.replace("#", ""), 16);
-  const r = Math.min(255, (num >> 16) + amount);
-  const g = Math.min(255, (num >> 8 & 255) + amount);
-  const b = Math.min(255, (num & 255) + amount);
+  const num2 = parseInt(hex.replace("#", ""), 16);
+  const r = Math.min(255, (num2 >> 16) + amount);
+  const g = Math.min(255, (num2 >> 8 & 255) + amount);
+  const b = Math.min(255, (num2 & 255) + amount);
   return `#${r.toString(16).padStart(2, "0")}${g.toString(16).padStart(2, "0")}${b.toString(16).padStart(2, "0")}`;
 }
 function groupByDomain(assets) {
@@ -9728,28 +10882,28 @@ function exportComplianceReport(report, format) {
   return lines.join("\n");
 }
 function exportAll(db, sessionId, outputDir, formats = ["mermaid", "json", "yaml", "html", "map", "discovery"]) {
-  (0, import_node_fs7.mkdirSync)(outputDir, { recursive: true });
+  (0, import_node_fs8.mkdirSync)(outputDir, { recursive: true });
   const nodes = db.getNodes(sessionId);
   const edges = db.getEdges(sessionId);
-  const jgfPath = (0, import_node_path8.join)(outputDir, "cartography-graph.jgf.json");
-  (0, import_node_fs7.writeFileSync)(jgfPath, exportJGF(nodes, edges));
+  const jgfPath = (0, import_node_path9.join)(outputDir, "cartography-graph.jgf.json");
+  (0, import_node_fs8.writeFileSync)(jgfPath, exportJGF(nodes, edges));
   if (formats.includes("mermaid")) {
-    (0, import_node_fs7.writeFileSync)((0, import_node_path8.join)(outputDir, "topology.mermaid"), generateTopologyMermaid(nodes, edges));
-    (0, import_node_fs7.writeFileSync)((0, import_node_path8.join)(outputDir, "dependencies.mermaid"), generateDependencyMermaid(nodes, edges));
+    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "topology.mermaid"), generateTopologyMermaid(nodes, edges));
+    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "dependencies.mermaid"), generateDependencyMermaid(nodes, edges));
   }
   if (formats.includes("json")) {
-    (0, import_node_fs7.writeFileSync)((0, import_node_path8.join)(outputDir, "catalog.json"), exportJSON(db, sessionId));
+    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "catalog.json"), exportJSON(db, sessionId));
   }
   if (formats.includes("yaml")) {
-    (0, import_node_fs7.writeFileSync)((0, import_node_path8.join)(outputDir, "catalog-info.yaml"), exportBackstageYAML(nodes, edges));
+    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "catalog-info.yaml"), exportBackstageYAML(nodes, edges));
   }
   if (formats.includes("html") || formats.includes("map") || formats.includes("discovery")) {
-    (0, import_node_fs7.writeFileSync)((0, import_node_path8.join)(outputDir, "discovery.html"), exportDiscoveryApp(nodes, edges));
+    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "discovery.html"), exportDiscoveryApp(nodes, edges));
   }
   if (formats.includes("cost")) {
     const summary = db.getGraphSummary(sessionId);
-    (0, import_node_fs7.writeFileSync)((0, import_node_path8.join)(outputDir, "cost-by-domain.csv"), exportCostCSV(summary));
-    (0, import_node_fs7.writeFileSync)((0, import_node_path8.join)(outputDir, "cost-summary.json"), exportCostSummary(summary));
+    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "cost-by-domain.csv"), exportCostCSV(summary));
+    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "cost-summary.json"), exportCostSummary(summary));
   }
 }
 
@@ -9781,7 +10935,7 @@ function formatComplianceText(report) {
 }
 
 // src/config.ts
-var import_node_fs8 = require("fs");
+var import_node_fs9 = require("fs");
 var ConfigError = class extends Error {
   constructor(message) {
     super(message);
@@ -9806,7 +10960,7 @@ function loadConfig(path) {
 function readConfigFile(path) {
   let raw;
   try {
-    raw = (0, import_node_fs8.readFileSync)(path, "utf-8");
+    raw = (0, import_node_fs9.readFileSync)(path, "utf-8");
   } catch (err) {
     throw new ConfigError(
       `Cannot read config file ${path}: ${err instanceof Error ? err.message : String(err)}`
@@ -10067,7 +11221,7 @@ async function pushDeltas(config, items, opts = {}) {
       sentHashes.push(...batch.map((b) => b.contentHash));
       continue;
     }
-    let ok = false;
+    let ok3 = false;
     for (let attempt = 0; attempt <= maxRetries; attempt++) {
       const controller = new AbortController();
       const timer = setTimeout(() => controller.abort(), timeoutMs);
@@ -10086,7 +11240,7 @@ async function pushDeltas(config, items, opts = {}) {
         const elapsed = Date.now() - startedAt;
         if (res.ok) {
           log2(`pushed ${batch.length} item(s) \u2192 ${safeUrl} [${res.status}] ${elapsed}ms (attempt ${attempt + 1})`);
-          ok = true;
+          ok3 = true;
           break;
         }
         if (res.status >= 400 && res.status < 500) {
@@ -10105,7 +11259,7 @@ async function pushDeltas(config, items, opts = {}) {
         await sleep(base + Math.floor(Math.random() * 100));
       }
     }
-    if (ok) {
+    if (ok3) {
       sent += batch.length;
       sentHashes.push(...batch.map((b) => b.contentHash));
     } else {
@@ -10164,14 +11318,14 @@ function runSyncClassify(db, sessionId, config, opts = {}) {
 
 // src/preflight.ts
 var import_node_child_process2 = require("child_process");
-var import_node_fs9 = require("fs");
-var import_node_path9 = require("path");
+var import_node_fs10 = require("fs");
+var import_node_path10 = require("path");
 function isOAuthLoggedIn() {
   const home = process.env.HOME ?? process.env.USERPROFILE ?? "/tmp";
-  const credFile = (0, import_node_path9.join)(home, ".claude", ".credentials.json");
-  if (!(0, import_node_fs9.existsSync)(credFile)) return false;
+  const credFile = (0, import_node_path10.join)(home, ".claude", ".credentials.json");
+  if (!(0, import_node_fs10.existsSync)(credFile)) return false;
   try {
-    const creds = JSON.parse((0, import_node_fs9.readFileSync)(credFile, "utf8"));
+    const creds = JSON.parse((0, import_node_fs10.readFileSync)(credFile, "utf8"));
     const oauth = creds["claudeAiOauth"];
     return typeof oauth?.["accessToken"] === "string" && oauth["accessToken"].length > 0;
   } catch {
@@ -10238,7 +11392,10 @@ function checkClaudePrerequisites() {
   DriftConfigSchema,
   INGEST_SCHEMA_VERSION,
   IngestEnvelopeSchema,
+  InvalidTenantError,
+  LOOPBACK_HOSTS,
   MCP_BIN,
+  NotFoundError,
   PACKAGE_NAME,
   PERSONAL,
   PORT_MAP,
@@ -10249,26 +11406,33 @@ function checkClaudePrerequisites() {
   RuleCheckSchema,
   RulesetSchema,
   SCAN_ARG_PATTERNS,
+  SDL,
   SEVERITY_WEIGHT,
   SHARING_LEVELS,
   ScannerRegistry,
   ScannerShape,
   SharingLevelSchema,
+  SqliteQueryBackend,
   SqliteStoreBackend,
   StdoutSink,
+  TENANT_HEADER,
   VectorStore,
   WebhookSink,
   applyInstall,
   applySharingLevel,
   assertReadOnly,
+  assertSafeBind,
   assertSafeScanArg,
   assignColors,
+  bearerToken,
   bookmarksScanner,
   buildCartographyToolHandlers,
   buildMapData,
+  buildOpenApiDocument,
   buildReport,
   buildSinks,
   centralDbFromEnv,
+  checkBearer,
   checkPrerequisites,
   checkReadOnly,
   clampText,
@@ -10296,10 +11460,12 @@ function checkClaudePrerequisites() {
   createOpenAIProvider,
   createScanRunner,
   createSemanticSearch,
+  createSqliteQueryBackend,
   currentOs,
   cursorDeeplink,
   databasesScanner,
   deepMerge,
+  defaultAllowedHosts,
   defaultConfig,
   defaultContext,
   defaultProviderRegistry,
@@ -10316,6 +11482,7 @@ function checkClaudePrerequisites() {
   evaluateCheck,
   evaluateRule,
   evidenceLine,
+  executeGraphql,
   executeNlQuery,
   exportAll,
   exportBackstageYAML,
@@ -10336,6 +11503,7 @@ function checkClaudePrerequisites() {
   getRuleset,
   globalId,
   groupByDomain,
+  handleGraphqlGet,
   hexCorners,
   hexDistance,
   hexNeighbors,
@@ -10346,6 +11514,7 @@ function checkClaudePrerequisites() {
   hostname,
   ingestEnvelope,
   installedAppsScanner,
+  isLoopbackHost,
   isPersonalHost,
   isReadOnlyCommand,
   isRemembered,
@@ -10374,6 +11543,7 @@ function checkClaudePrerequisites() {
   normalizeTenant,
   orgKeyPath,
   osUser,
+  parseApiArgs,
   parseComposeDeps,
   parseConfig,
   parseConnectionString,
@@ -10399,10 +11569,12 @@ function checkClaudePrerequisites() {
   resolveEffectiveLevel,
   resolveNlQuery,
   resolveSharingLevel,
+  resolveTenant,
   revalidateAnonymized,
   reversalKey,
   reversePseudonym,
   rotateOrgKey,
+  runApi,
   runDiscovery,
   runDrift,
   runHttp,
@@ -10425,8 +11597,11 @@ function checkClaudePrerequisites() {
   shareHash,
   splitSegments,
   stableStringify,
+  startApi,
   stripSensitive,
+  timingSafeEqual,
   validateScanner,
-  vscodeDeeplink
+  vscodeDeeplink,
+  zodToJsonSchema
 });
 //# sourceMappingURL=index.cjs.map