@datasynx/agentic-ai-cartography 2.2.0 → 2.3.0

package/dist/chunk-7VZH5PFV.js

@@ -0,0 +1,1134 @@
+#!/usr/bin/env node
+import {
+  CartographyDB,
+  DEFAULT_TENANT,
+  assertSafeBind,
+  checkBearer,
+  defaultAllowedHosts,
+  normalizeTenant
+} from "./chunk-7QEBFMN4.js";
+import {
+  ANOMALY_KINDS,
+  ANOMALY_SEVERITIES,
+  COST_PERIODS,
+  defaultConfig
+} from "./chunk-WCR47QA2.js";
+
+// src/api/start.ts
+import { readFileSync } from "fs";
+import { dirname, resolve } from "path";
+import { fileURLToPath } from "url";
+
+// src/store/query.ts
+var NotFoundError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "NotFoundError";
+  }
+};
+var MAX_NODE_LIMIT = 1e3;
+var MAX_DEPTH = 64;
+function clamp(value, min, max) {
+  return Math.floor(Math.max(min, Math.min(value, max)));
+}
+var SqliteQueryBackend = class {
+  constructor(db, defaultSession = "latest") {
+    this.db = db;
+    this.defaultSession = defaultSession;
+  }
+  /**
+   * Resolve the session id for a request, scoped to `ctx.tenant`. An explicit id must
+   * belong to the tenant or it resolves to undefined (cross-tenant isolation); else the
+   * newest `discover` session for the tenant. Mirrors `resolveSession` in the MCP server.
+   */
+  resolveSession(ctx, sessionId) {
+    const requested = sessionId ?? (this.defaultSession === "latest" ? void 0 : this.defaultSession);
+    if (requested) {
+      const s = this.db.getSession(requested);
+      if (s && s.tenant === ctx.tenant) return s.id;
+      throw new NotFoundError(`session not found`);
+    }
+    const latest = this.db.getLatestSession("discover", ctx.tenant) ?? this.db.getLatestSession(void 0, ctx.tenant);
+    if (!latest) throw new NotFoundError(`no session available`);
+    return latest.id;
+  }
+  summary(ctx, sessionId) {
+    return this.db.getGraphSummary(this.resolveSession(ctx, sessionId));
+  }
+  nodes(ctx, q, sessionId) {
+    const sid = this.resolveSession(ctx, sessionId);
+    const limit = clamp(q.limit ?? 100, 1, MAX_NODE_LIMIT);
+    const offset = Math.floor(Math.max(0, q.offset ?? 0));
+    const total = this.db.getNodeCount(sid);
+    if (q.search) {
+      const nodes2 = this.db.searchNodes(sid, q.search, { ...q.types ? { types: q.types } : {}, limit });
+      return { nodes: nodes2, total: nodes2.length, limit, offset: 0 };
+    }
+    const nodes = this.db.getNodes(sid, { limit, offset });
+    return { nodes, total, limit, offset };
+  }
+  node(ctx, id, sessionId) {
+    return this.db.getNode(this.resolveSession(ctx, sessionId), id);
+  }
+  dependencies(ctx, id, q, sessionId) {
+    const sid = this.resolveSession(ctx, sessionId);
+    return this.db.getDependencies(sid, id, {
+      direction: q.direction ?? "downstream",
+      maxDepth: clamp(q.maxDepth ?? 8, 1, MAX_DEPTH)
+    });
+  }
+  diff(ctx, base, current) {
+    for (const id of [base, current]) {
+      const s = this.db.getSession(id);
+      if (!s || s.tenant !== ctx.tenant) throw new NotFoundError(`session not found`);
+    }
+    try {
+      return this.db.diffSessions(base, current);
+    } catch (err) {
+      throw new NotFoundError(err instanceof Error ? err.message : "diff failed");
+    }
+  }
+  sessions(ctx) {
+    return this.db.getSessions(ctx.tenant);
+  }
+  health(ctx) {
+    return { store: "sqlite", sessions: this.db.getSessions(ctx.tenant).length };
+  }
+};
+function createSqliteQueryBackend(db, defaultSession = "latest") {
+  return new SqliteQueryBackend(db, defaultSession);
+}
+
+// src/api/server.ts
+import http from "http";
+
+// src/api/tenant.ts
+var TENANT_HEADER = "x-cartograph-tenant";
+var InvalidTenantError = class extends Error {
+  constructor() {
+    super("invalid tenant");
+    this.name = "InvalidTenantError";
+  }
+};
+function resolveTenant(req, url, opts = {}) {
+  const headerName = (opts.header ?? TENANT_HEADER).toLowerCase();
+  const raw = headerValue(req, headerName) ?? url.searchParams.get("tenant") ?? void 0;
+  if (raw === void 0 || raw === "") {
+    return { tenant: opts.defaultTenant ?? DEFAULT_TENANT };
+  }
+  if (raw.trim().length > 128) {
+    throw new InvalidTenantError();
+  }
+  const normalized = normalizeTenant(raw);
+  if (normalized === DEFAULT_TENANT && raw.trim() !== DEFAULT_TENANT) {
+    throw new InvalidTenantError();
+  }
+  return { tenant: normalized };
+}
+function headerValue(req, name) {
+  const v = req.headers[name];
+  if (Array.isArray(v)) return v[0];
+  return v;
+}
+
+// src/api/schemas.ts
+import { z } from "zod";
+var DIRECTIONS = ["downstream", "upstream", "both"];
+var CostSchema = z.object({
+  amount: z.number(),
+  currency: z.string(),
+  period: z.enum(COST_PERIODS),
+  source: z.string().optional()
+});
+var NodeSchema = z.object({
+  id: z.string(),
+  type: z.string(),
+  name: z.string(),
+  confidence: z.number(),
+  domain: z.string().optional(),
+  subDomain: z.string().optional(),
+  qualityScore: z.number().optional(),
+  owner: z.string().optional(),
+  cost: CostSchema.optional(),
+  tags: z.array(z.string())
+});
+var EdgeSchema = z.object({
+  sourceId: z.string(),
+  targetId: z.string(),
+  relationship: z.string(),
+  confidence: z.number(),
+  evidence: z.string()
+});
+var AnomalySchema = z.object({
+  nodeId: z.string(),
+  kind: z.enum(ANOMALY_KINDS),
+  severity: z.enum(ANOMALY_SEVERITIES),
+  reason: z.string()
+});
+var TopConnectedSchema = z.object({
+  id: z.string(),
+  name: z.string(),
+  type: z.string(),
+  degree: z.number().int()
+});
+var CostByDomainSchema = z.object({
+  domain: z.string(),
+  currency: z.string(),
+  period: z.string(),
+  total: z.number(),
+  nodes: z.number().int()
+});
+var CostByOwnerSchema = z.object({
+  owner: z.string(),
+  currency: z.string(),
+  period: z.string(),
+  total: z.number(),
+  nodes: z.number().int()
+});
+var SummaryResponse = z.object({
+  sessionId: z.string(),
+  totals: z.object({ nodes: z.number().int(), edges: z.number().int() }),
+  nodesByType: z.record(z.string(), z.number().int()),
+  nodesByDomain: z.record(z.string(), z.number().int()),
+  edgesByRelationship: z.record(z.string(), z.number().int()),
+  topConnected: z.array(TopConnectedSchema),
+  anomalies: z.array(AnomalySchema),
+  contributors: z.number().int(),
+  costByDomain: z.array(CostByDomainSchema),
+  costByOwner: z.array(CostByOwnerSchema),
+  costCoverage: z.object({ withCost: z.number().int(), total: z.number().int() })
+});
+var NodesResponse = z.object({
+  nodes: z.array(NodeSchema),
+  total: z.number().int(),
+  limit: z.number().int(),
+  offset: z.number().int()
+});
+var DependencyNodeSchema = NodeSchema.extend({ depth: z.number().int() });
+var DependenciesResponse = z.object({
+  root: NodeSchema.optional(),
+  direction: z.enum(DIRECTIONS),
+  maxDepth: z.number().int(),
+  nodes: z.array(DependencyNodeSchema),
+  edges: z.array(EdgeSchema)
+});
+var SessionEndpointSchema = z.object({
+  sessionId: z.string(),
+  startedAt: z.string(),
+  nodeCount: z.number().int(),
+  edgeCount: z.number().int()
+});
+var NodeChangeSchema = z.object({
+  id: z.string(),
+  changedFields: z.array(z.string()),
+  confidenceDelta: z.number()
+});
+var DiffResponse = z.object({
+  base: SessionEndpointSchema,
+  current: SessionEndpointSchema,
+  summary: z.object({
+    nodesAdded: z.number().int(),
+    nodesRemoved: z.number().int(),
+    nodesChanged: z.number().int(),
+    edgesAdded: z.number().int(),
+    edgesRemoved: z.number().int()
+  }),
+  nodes: z.object({
+    added: z.array(NodeSchema),
+    removed: z.array(NodeSchema),
+    changed: z.array(NodeChangeSchema),
+    unchanged: z.number().int()
+  }),
+  edges: z.object({
+    added: z.array(EdgeSchema),
+    removed: z.array(EdgeSchema),
+    unchanged: z.number().int()
+  }),
+  anomalies: z.object({ added: z.array(AnomalySchema) })
+});
+var SessionSchema = z.object({
+  id: z.string(),
+  mode: z.literal("discover"),
+  startedAt: z.string(),
+  completedAt: z.string().optional(),
+  name: z.string().optional(),
+  tenant: z.string(),
+  lastScannedAt: z.string().optional()
+});
+var SessionsResponse = z.object({ sessions: z.array(SessionSchema) });
+var HealthResponse = z.object({
+  status: z.literal("ok"),
+  version: z.string(),
+  store: z.literal("sqlite"),
+  sessions: z.number().int()
+});
+var ErrorResponse = z.object({
+  error: z.string(),
+  code: z.string().optional()
+});
+var API_SCHEMAS = {
+  Node: NodeSchema,
+  Edge: EdgeSchema,
+  Anomaly: AnomalySchema,
+  Summary: SummaryResponse,
+  Nodes: NodesResponse,
+  Dependencies: DependenciesResponse,
+  Diff: DiffResponse,
+  Session: SessionSchema,
+  Sessions: SessionsResponse,
+  Health: HealthResponse,
+  Error: ErrorResponse
+};
+
+// src/api/rest.ts
+function toApiNode(n) {
+  const out = { id: n.id, type: n.type, name: n.name, confidence: n.confidence, tags: n.tags };
+  if (n.domain !== void 0) out["domain"] = n.domain;
+  if (n.subDomain !== void 0) out["subDomain"] = n.subDomain;
+  if (n.qualityScore !== void 0) out["qualityScore"] = n.qualityScore;
+  if (n.owner !== void 0) out["owner"] = n.owner;
+  if (n.cost !== void 0) out["cost"] = n.cost;
+  return out;
+}
+function toApiEdge(e) {
+  return { sourceId: e.sourceId, targetId: e.targetId, relationship: e.relationship, confidence: e.confidence, evidence: e.evidence };
+}
+function toApiSession(s) {
+  const out = { id: s.id, mode: s.mode, startedAt: s.startedAt, tenant: s.tenant };
+  if (s.completedAt !== void 0) out["completedAt"] = s.completedAt;
+  if (s.name !== void 0) out["name"] = s.name;
+  if (s.lastScannedAt !== void 0) out["lastScannedAt"] = s.lastScannedAt;
+  return out;
+}
+function toApiAnomaly(a) {
+  return { nodeId: a.nodeId, kind: a.kind, severity: a.severity, reason: a.reason };
+}
+function projectDependencies(r) {
+  return {
+    ...r.root ? { root: toApiNode(r.root) } : {},
+    direction: r.direction,
+    maxDepth: r.maxDepth,
+    nodes: r.nodes.map((n) => ({ ...toApiNode(n), depth: n.depth })),
+    edges: r.edges.map(toApiEdge)
+  };
+}
+function projectDiff(diff) {
+  return {
+    base: { sessionId: diff.base.sessionId, startedAt: diff.base.startedAt, nodeCount: diff.base.nodeCount, edgeCount: diff.base.edgeCount },
+    current: { sessionId: diff.current.sessionId, startedAt: diff.current.startedAt, nodeCount: diff.current.nodeCount, edgeCount: diff.current.edgeCount },
+    summary: diff.summary,
+    nodes: {
+      added: diff.nodes.added.map(toApiNode),
+      removed: diff.nodes.removed.map(toApiNode),
+      changed: diff.nodes.changed.map((c) => ({ id: c.id, changedFields: c.changedFields, confidenceDelta: c.confidenceDelta })),
+      unchanged: diff.nodes.unchanged
+    },
+    edges: {
+      added: diff.edges.added.map(toApiEdge),
+      removed: diff.edges.removed.map(toApiEdge),
+      unchanged: diff.edges.unchanged
+    },
+    anomalies: { added: diff.anomalies.added.map(toApiAnomaly) }
+  };
+}
+function ok(body) {
+  return { status: 200, body };
+}
+function badRequest(error) {
+  return { status: 400, body: { error } };
+}
+function notFound(error = "not found") {
+  return { status: 404, body: { error } };
+}
+function guard(fn) {
+  try {
+    return fn();
+  } catch (err) {
+    if (err instanceof NotFoundError) return notFound(err.message);
+    throw err;
+  }
+}
+function validateOut(schema, body) {
+  if (process.env["NODE_ENV"] !== "production") {
+    const r = schema.safeParse(body);
+    if (!r.success) throw new Error(`API response failed its own schema contract: ${r.error.message}`);
+  }
+  return body;
+}
+function intParam(url, name) {
+  const raw = url.searchParams.get(name);
+  if (raw === null || raw.trim() === "") return void 0;
+  const n = Number(raw);
+  return Number.isInteger(n) ? n : void 0;
+}
+function sessionParam(url) {
+  return url.searchParams.get("session") ?? void 0;
+}
+function handleSummary(ctx, url, d) {
+  return guard(() => ok(validateOut(SummaryResponse, d.backend.summary(ctx, sessionParam(url)))));
+}
+function handleNodes(ctx, url, d) {
+  return guard(() => {
+    const search = url.searchParams.get("search") ?? void 0;
+    const typesRaw = url.searchParams.get("types");
+    const types = typesRaw ? typesRaw.split(",").map((s) => s.trim()).filter(Boolean) : void 0;
+    const limit = intParam(url, "limit");
+    const offset = intParam(url, "offset");
+    const r = d.backend.nodes(
+      ctx,
+      { ...search ? { search } : {}, ...types ? { types } : {}, ...limit !== void 0 ? { limit } : {}, ...offset !== void 0 ? { offset } : {} },
+      sessionParam(url)
+    );
+    return ok(validateOut(NodesResponse, { nodes: r.nodes.map(toApiNode), total: r.total, limit: r.limit, offset: r.offset }));
+  });
+}
+function handleDependencies(ctx, id, url, d) {
+  const directionRaw = url.searchParams.get("direction");
+  if (directionRaw !== null && !DIRECTIONS.includes(directionRaw)) {
+    return badRequest(`direction must be one of ${DIRECTIONS.join(", ")}`);
+  }
+  return guard(() => {
+    const direction = directionRaw ?? void 0;
+    const maxDepth = intParam(url, "maxDepth");
+    const r = d.backend.dependencies(
+      ctx,
+      id,
+      { ...direction ? { direction } : {}, ...maxDepth !== void 0 ? { maxDepth } : {} },
+      sessionParam(url)
+    );
+    return ok(validateOut(DependenciesResponse, projectDependencies(r)));
+  });
+}
+function handleDiff(ctx, url, d) {
+  const base = url.searchParams.get("base");
+  const current = url.searchParams.get("current");
+  if (!base || !current) return badRequest("both `base` and `current` query params are required");
+  return guard(() => {
+    const diff = d.backend.diff(ctx, base, current);
+    return ok(validateOut(DiffResponse, projectDiff(diff)));
+  });
+}
+function handleSessions(ctx, d) {
+  return guard(() => ok(validateOut(SessionsResponse, { sessions: d.backend.sessions(ctx).map(toApiSession) })));
+}
+function handleHealth(ctx, d) {
+  const h = d.backend.health(ctx);
+  return ok(validateOut(HealthResponse, { status: "ok", version: d.version, store: h.store, sessions: h.sessions }));
+}
+
+// src/api/openapi.ts
+function defOf(schema) {
+  return schema.def ?? {};
+}
+function unwrapOptional(schema) {
+  const def = defOf(schema);
+  if ((def.type === "optional" || def.type === "nullable") && def.innerType) {
+    return { inner: def.innerType, optional: true };
+  }
+  return { inner: schema, optional: false };
+}
+function zodToJsonSchema(schema) {
+  const def = defOf(schema);
+  switch (def.type) {
+    case "string":
+      return { type: "string" };
+    case "number": {
+      const isInt = (def.checks ?? []).some((c) => c._zod?.def?.check === "number_format");
+      return { type: isInt ? "integer" : "number" };
+    }
+    case "boolean":
+      return { type: "boolean" };
+    case "literal": {
+      const values = def.values ?? [];
+      return values.length === 1 ? { const: values[0] } : { enum: values };
+    }
+    case "enum":
+      return { type: "string", enum: Object.values(def.entries ?? {}) };
+    case "array":
+      return { type: "array", items: def.element ? zodToJsonSchema(def.element) : {} };
+    case "record":
+      return { type: "object", additionalProperties: def.valueType ? zodToJsonSchema(def.valueType) : true };
+    case "optional":
+    case "nullable":
+      return def.innerType ? zodToJsonSchema(def.innerType) : {};
+    case "object": {
+      const shape = def.shape ?? {};
+      const properties = {};
+      const required = [];
+      for (const key of Object.keys(shape)) {
+        const { inner, optional } = unwrapOptional(shape[key]);
+        properties[key] = zodToJsonSchema(inner);
+        if (!optional) required.push(key);
+      }
+      return { type: "object", properties, required, additionalProperties: false };
+    }
+    default:
+      throw new Error(`zodToJsonSchema: unsupported zod construct "${def.type ?? "unknown"}". Extend src/api/openapi.ts.`);
+  }
+}
+var TENANT_PARAM = {
+  name: "tenant",
+  in: "query",
+  required: false,
+  description: 'Tenant/org scope (also accepted via the X-Cartograph-Tenant header). Defaults to "local".',
+  schema: { type: "string" }
+};
+var SESSION_PARAM = {
+  name: "session",
+  in: "query",
+  required: false,
+  description: "Session id to query, or omit for the latest discovery session.",
+  schema: { type: "string" }
+};
+function errorResponses() {
+  const err = { description: "Error", content: { "application/json": { schema: { $ref: "#/components/schemas/Error" } } } };
+  return { "400": { ...err, description: "Bad request" }, "401": { ...err, description: "Unauthorized" }, "404": { ...err, description: "Not found" } };
+}
+function ok2(ref, description) {
+  return { description, content: { "application/json": { schema: { $ref: `#/components/schemas/${ref}` } } } };
+}
+function buildOpenApiDocument(opts) {
+  const schemas = {};
+  for (const [name, schema] of Object.entries(API_SCHEMAS)) {
+    schemas[name] = zodToJsonSchema(schema);
+  }
+  return {
+    openapi: "3.1.0",
+    info: {
+      title: "Cartograph API",
+      version: opts.version,
+      description: "Read-only REST API over the discovered infrastructure/agentic-AI topology. Every endpoint is tenant-scoped and bearer-authenticated."
+    },
+    servers: [{ url: "/" }],
+    security: [{ bearerAuth: [] }],
+    components: {
+      securitySchemes: { bearerAuth: { type: "http", scheme: "bearer" } },
+      schemas
+    },
+    paths: {
+      "/v1/health": {
+        get: {
+          summary: "Liveness + store/coverage probe",
+          security: [],
+          responses: { "200": ok2("Health", "Service health") }
+        }
+      },
+      "/v1/openapi.json": {
+        get: {
+          summary: "This OpenAPI document",
+          security: [],
+          responses: { "200": { description: "OpenAPI 3.1 document", content: { "application/json": { schema: { type: "object" } } } } }
+        }
+      },
+      "/v1/summary": {
+        get: {
+          summary: "Low-token topology aggregate for the resolved session",
+          parameters: [SESSION_PARAM, TENANT_PARAM],
+          responses: { "200": ok2("Summary", "Topology summary"), ...errorResponses() }
+        }
+      },
+      "/v1/nodes": {
+        get: {
+          summary: "List/search/paginate nodes",
+          parameters: [
+            { name: "search", in: "query", required: false, description: "Lexical/semantic search anchor.", schema: { type: "string" } },
+            { name: "types", in: "query", required: false, description: "Comma-separated node-type filter.", schema: { type: "string" } },
+            { name: "limit", in: "query", required: false, description: "Page size (default 100, max 1000).", schema: { type: "integer" } },
+            { name: "offset", in: "query", required: false, description: "Page offset (ignored for search).", schema: { type: "integer" } },
+            SESSION_PARAM,
+            TENANT_PARAM
+          ],
+          responses: { "200": ok2("Nodes", "A page of nodes"), ...errorResponses() }
+        }
+      },
+      "/v1/nodes/{id}/dependencies": {
+        get: {
+          summary: "Dependency traversal from a node",
+          parameters: [
+            { name: "id", in: "path", required: true, description: 'Node id ("{type}:{id}").', schema: { type: "string" } },
+            { name: "direction", in: "query", required: false, description: "downstream | upstream | both (default downstream).", schema: { type: "string", enum: ["downstream", "upstream", "both"] } },
+            { name: "maxDepth", in: "query", required: false, description: "Traversal depth (default 8, max 64).", schema: { type: "integer" } },
+            SESSION_PARAM,
+            TENANT_PARAM
+          ],
+          responses: { "200": ok2("Dependencies", "Traversal result"), ...errorResponses() }
+        }
+      },
+      "/v1/diff": {
+        get: {
+          summary: "Compare two sessions (drift)",
+          parameters: [
+            { name: "base", in: "query", required: true, description: "Base session id.", schema: { type: "string" } },
+            { name: "current", in: "query", required: true, description: "Current session id.", schema: { type: "string" } },
+            TENANT_PARAM
+          ],
+          responses: { "200": ok2("Diff", "Topology delta"), ...errorResponses() }
+        }
+      },
+      "/v1/sessions": {
+        get: {
+          summary: "List discovery sessions for the tenant",
+          parameters: [TENANT_PARAM],
+          responses: { "200": ok2("Sessions", "Sessions"), ...errorResponses() }
+        }
+      }
+    }
+  };
+}
+
+// src/api/graphql.ts
+var SDL = `# Cartograph read-only GraphQL API (4.2). Mirrors the REST surface.
+schema { query: Query }
+
+type Query {
+  summary(session: String): Summary
+  nodes(search: String, types: [String!], limit: Int, offset: Int, session: String): NodeConnection
+  node(id: String!, session: String): Node
+  dependencies(id: String!, direction: Direction, maxDepth: Int, session: String): Dependencies
+  diff(base: String!, current: String!): Diff
+  sessions: [Session!]!
+}
+
+enum Direction { downstream upstream both }
+
+type Totals { nodes: Int! edges: Int! }
+type Count { key: String! value: Int! }
+type TopConnected { id: String! name: String! type: String! degree: Int! }
+type Anomaly { nodeId: String! kind: String! severity: String! reason: String! }
+type Cost { amount: Float! currency: String! period: String! source: String }
+type CostRollup { key: String! currency: String! period: String! total: Float! nodes: Int! }
+type CostCoverage { withCost: Int! total: Int! }
+
+type Node {
+  id: String! type: String! name: String! confidence: Float!
+  domain: String subDomain: String qualityScore: Float owner: String cost: Cost tags: [String!]!
+}
+type DependencyNode {
+  id: String! type: String! name: String! confidence: Float!
+  domain: String subDomain: String qualityScore: Float owner: String cost: Cost tags: [String!]! depth: Int!
+}
+type Edge { sourceId: String! targetId: String! relationship: String! confidence: Float! evidence: String! }
+
+type Summary {
+  sessionId: String!
+  totals: Totals!
+  topConnected: [TopConnected!]!
+  anomalies: [Anomaly!]!
+  contributors: Int!
+  costByDomain: [CostRollup!]!
+  costByOwner: [CostRollup!]!
+  costCoverage: CostCoverage!
+}
+
+type NodeConnection { nodes: [Node!]! total: Int! limit: Int! offset: Int! }
+type Dependencies { root: Node direction: Direction! maxDepth: Int! nodes: [DependencyNode!]! edges: [Edge!]! }
+
+type SessionEndpoint { sessionId: String! startedAt: String! nodeCount: Int! edgeCount: Int! }
+type DiffSummary { nodesAdded: Int! nodesRemoved: Int! nodesChanged: Int! edgesAdded: Int! edgesRemoved: Int! }
+type NodeChange { id: String! changedFields: [String!]! confidenceDelta: Float! }
+type DiffNodes { added: [Node!]! removed: [Node!]! changed: [NodeChange!]! unchanged: Int! }
+type DiffEdges { added: [Edge!]! removed: [Edge!]! unchanged: Int! }
+type DiffAnomalies { added: [Anomaly!]! }
+type Diff {
+  base: SessionEndpoint! current: SessionEndpoint! summary: DiffSummary!
+  nodes: DiffNodes! edges: DiffEdges! anomalies: DiffAnomalies!
+}
+
+type Session { id: String! mode: String! startedAt: String! completedAt: String name: String tenant: String! lastScannedAt: String }
+`;
+var resolvers = {
+  summary: (ctx, args, backend) => backend.summary(ctx, str(args["session"])),
+  nodes: (ctx, args, backend) => {
+    const r = backend.nodes(
+      ctx,
+      {
+        ...str(args["search"]) ? { search: str(args["search"]) } : {},
+        ...Array.isArray(args["types"]) ? { types: args["types"].map(String) } : {},
+        ...num(args["limit"]) !== void 0 ? { limit: num(args["limit"]) } : {},
+        ...num(args["offset"]) !== void 0 ? { offset: num(args["offset"]) } : {}
+      },
+      str(args["session"])
+    );
+    return { nodes: r.nodes.map(toApiNode), total: r.total, limit: r.limit, offset: r.offset };
+  },
+  node: (ctx, args, backend) => {
+    const n = backend.node(ctx, String(args["id"]), str(args["session"]));
+    return n ? toApiNode(n) : null;
+  },
+  dependencies: (ctx, args, backend) => {
+    const r = backend.dependencies(
+      ctx,
+      String(args["id"]),
+      {
+        ...str(args["direction"]) ? { direction: str(args["direction"]) } : {},
+        ...num(args["maxDepth"]) !== void 0 ? { maxDepth: num(args["maxDepth"]) } : {}
+      },
+      str(args["session"])
+    );
+    return projectDependencies(r);
+  },
+  diff: (ctx, args, backend) => projectDiff(backend.diff(ctx, String(args["base"]), String(args["current"]))),
+  sessions: (ctx, _args, backend) => backend.sessions(ctx).map(toApiSession)
+};
+function str(v) {
+  return typeof v === "string" ? v : void 0;
+}
+function num(v) {
+  return typeof v === "number" && Number.isInteger(v) ? v : void 0;
+}
+var NAME_RE = /[_A-Za-z][_0-9A-Za-z]*/y;
+function tokenize(src) {
+  const tokens = [];
+  let i = 0;
+  while (i < src.length) {
+    const c = src[i];
+    if (/\s|,/.test(c)) {
+      i++;
+      continue;
+    }
+    if (c === "#") {
+      while (i < src.length && src[i] !== "\n") i++;
+      continue;
+    }
+    if ("{}()[]:!$".includes(c)) {
+      tokens.push(c);
+      i++;
+      continue;
+    }
+    if (c === '"') {
+      let j = i + 1;
+      let s = "";
+      while (j < src.length && src[j] !== '"') {
+        s += src[j];
+        j++;
+      }
+      tokens.push(JSON.stringify(s));
+      i = j + 1;
+      continue;
+    }
+    NAME_RE.lastIndex = i;
+    const m = NAME_RE.exec(src);
+    if (m && m.index === i) {
+      tokens.push(m[0]);
+      i = NAME_RE.lastIndex;
+      continue;
+    }
+    const numMatch = /-?\d+(\.\d+)?/y;
+    numMatch.lastIndex = i;
+    const nm = numMatch.exec(src);
+    if (nm && nm.index === i) {
+      tokens.push(nm[0]);
+      i = numMatch.lastIndex;
+      continue;
+    }
+    throw new Error(`unexpected character '${c}'`);
+  }
+  return tokens;
+}
+var MAX_SELECTION_DEPTH = 32;
+var Parser = class {
+  constructor(tokens, variables) {
+    this.tokens = tokens;
+    this.variables = variables;
+  }
+  pos = 0;
+  depth = 0;
+  peek() {
+    return this.tokens[this.pos];
+  }
+  next() {
+    return this.tokens[this.pos++];
+  }
+  expect(tok) {
+    if (this.tokens[this.pos] !== tok) throw new Error(`expected '${tok}', got '${this.tokens[this.pos] ?? "<eof>"}'`);
+    this.pos++;
+  }
+  parseDocument() {
+    if (this.peek() === "mutation" || this.peek() === "subscription") {
+      throw new Error("only query operations are supported (read-only API)");
+    }
+    if (this.peek() === "query") {
+      this.next();
+      if (this.peek() && this.peek() !== "{" && this.peek() !== "(") this.next();
+      if (this.peek() === "(") this.skipBalanced("(", ")");
+    }
+    this.expect("{");
+    const selections = this.parseSelectionSet();
+    return selections;
+  }
+  skipBalanced(open, close) {
+    this.expect(open);
+    let depth = 1;
+    while (depth > 0) {
+      const t = this.next();
+      if (t === void 0) throw new Error("unbalanced");
+      if (t === open) depth++;
+      else if (t === close) depth--;
+    }
+  }
+  parseSelectionSet() {
+    if (++this.depth > MAX_SELECTION_DEPTH) throw new Error(`selection set nested deeper than ${MAX_SELECTION_DEPTH}`);
+    const out = [];
+    while (this.peek() !== "}") {
+      if (this.peek() === void 0) throw new Error("unexpected end of selection set");
+      out.push(this.parseSelection());
+    }
+    this.expect("}");
+    this.depth--;
+    return out;
+  }
+  parseSelection() {
+    let name = this.next();
+    const alias = name;
+    if (this.peek() === ":") {
+      this.next();
+      name = this.next();
+    }
+    const args = {};
+    if (this.peek() === "(") {
+      this.next();
+      while (this.peek() !== ")") {
+        const argName = this.next();
+        this.expect(":");
+        args[argName] = this.parseValue();
+      }
+      this.expect(")");
+    }
+    let selections = [];
+    if (this.peek() === "{") {
+      this.next();
+      selections = this.parseSelectionSet();
+    }
+    return { name, alias, args, selections };
+  }
+  parseValue() {
+    const t = this.next();
+    if (t === "$") {
+      const v = this.next();
+      return this.variables[v];
+    }
+    if (t === "[") {
+      const arr = [];
+      while (this.peek() !== "]") arr.push(this.parseValue());
+      this.expect("]");
+      return arr;
+    }
+    if (t.startsWith('"')) return JSON.parse(t);
+    if (t === "true") return true;
+    if (t === "false") return false;
+    if (t === "null") return null;
+    if (/^-?\d+(\.\d+)?$/.test(t)) return Number(t);
+    return t;
+  }
+};
+function project(value, selections) {
+  if (value === null || value === void 0) return null;
+  if (selections.length === 0) return value;
+  if (Array.isArray(value)) return value.map((v) => project(v, selections));
+  if (typeof value !== "object") return value;
+  const obj = value;
+  const out = {};
+  for (const sel of selections) {
+    if (sel.name === "__typename") {
+      out[sel.alias] = void 0;
+      continue;
+    }
+    out[sel.alias] = project(obj[sel.name], sel.selections);
+  }
+  return out;
+}
+function introspectionSchema() {
+  const names = [...SDL.matchAll(/^(?:type|enum)\s+([_A-Za-z][_0-9A-Za-z]*)/gm)].map((m) => m[1]);
+  const types = names.map((name) => ({ name, kind: /^[A-Z]/.test(name) ? "OBJECT" : "SCALAR" }));
+  return {
+    __schema: {
+      queryType: { name: "Query" },
+      mutationType: null,
+      subscriptionType: null,
+      types,
+      directives: []
+    }
+  };
+}
+async function executeGraphql(ctx, body, deps) {
+  const req = body ?? {};
+  if (typeof req.query !== "string" || req.query.trim() === "") {
+    return { errors: [{ message: "missing query" }] };
+  }
+  const variables = typeof req.variables === "object" && req.variables !== null ? req.variables : {};
+  let selections;
+  try {
+    selections = new Parser(tokenize(req.query), variables).parseDocument();
+  } catch (err) {
+    return { errors: [{ message: `syntax error: ${err instanceof Error ? err.message : String(err)}` }] };
+  }
+  const data = {};
+  const errors = [];
+  for (const sel of selections) {
+    try {
+      if (sel.name === "__schema") {
+        data[sel.alias] = project(introspectionSchema()["__schema"], sel.selections);
+        continue;
+      }
+      if (sel.name === "__typename") {
+        data[sel.alias] = "Query";
+        continue;
+      }
+      const resolver = resolvers[sel.name];
+      if (!resolver) {
+        errors.push({ message: `Cannot query field "${sel.name}" on type "Query"` });
+        continue;
+      }
+      const resolved = resolver(ctx, sel.args, deps.backend);
+      data[sel.alias] = project(resolved, sel.selections);
+    } catch (err) {
+      errors.push({ message: err instanceof Error ? err.message : String(err) });
+    }
+  }
+  return errors.length > 0 ? { data, errors } : { data };
+}
+function handleGraphqlGet() {
+  return { status: 200, body: SDL };
+}
+
+// src/api/server.ts
+var DEPENDENCIES_RE = /^\/v1\/nodes\/(.+)\/dependencies$/;
+var MAX_GRAPHQL_BYTES = 1024 * 1024;
+function send(res, status, body, headers = {}) {
+  res.writeHead(status, { "content-type": "application/json", ...headers }).end(JSON.stringify(body));
+}
+async function readBody(req, cap) {
+  const chunks = [];
+  let total = 0;
+  let overflow = false;
+  for await (const chunk of req) {
+    if (overflow) continue;
+    const buf = chunk;
+    total += buf.length;
+    if (total > cap) {
+      overflow = true;
+      chunks.length = 0;
+      continue;
+    }
+    chunks.push(buf);
+  }
+  if (overflow) return { overflow: true, value: void 0 };
+  if (chunks.length === 0) return { overflow: false, value: void 0 };
+  try {
+    return { overflow: false, value: JSON.parse(Buffer.concat(chunks).toString("utf8")) };
+  } catch {
+    return { overflow: false, value: void 0 };
+  }
+}
+async function runApi(opts) {
+  const host = opts.host ?? "127.0.0.1";
+  const requestedPort = opts.port ?? 3737;
+  const token = opts.token;
+  const graphqlEnabled = opts.graphql !== false;
+  const defaultTenant = opts.tenant?.defaultTenant ?? DEFAULT_TENANT;
+  const log = opts.log ?? (() => {
+  });
+  const restDeps = { backend: opts.backend, version: opts.version };
+  const openApiDoc = buildOpenApiDocument({ version: opts.version });
+  const allowedOrigins = opts.allowedOrigins ?? [];
+  assertSafeBind({ host, port: requestedPort, ...opts.allowedHosts ? { allowedHosts: opts.allowedHosts } : {}, ...token ? { token } : {} });
+  let allowedHosts = opts.allowedHosts ?? [];
+  const corsHeaders = (req) => {
+    const origin = req.headers["origin"];
+    if (typeof origin === "string" && allowedOrigins.includes(origin)) {
+      return {
+        "access-control-allow-origin": origin,
+        "vary": "Origin",
+        "access-control-allow-methods": "GET, POST, OPTIONS",
+        "access-control-allow-headers": "authorization, content-type, x-cartograph-tenant"
+      };
+    }
+    return {};
+  };
+  const server = http.createServer((req, res) => {
+    const started = Date.now();
+    let tenantLabel = "-";
+    const finish = (status) => {
+      log(`[cartography-api] ${req.method ?? "-"} ${req.url ?? "-"} ${status} ${Date.now() - started}ms tenant=${tenantLabel}`);
+    };
+    void (async () => {
+      try {
+        const url = new URL(req.url ?? "/", `http://${req.headers["host"] ?? host}`);
+        const path = url.pathname;
+        const cors = corsHeaders(req);
+        if (req.method === "OPTIONS") {
+          res.writeHead(204, cors).end();
+          finish(204);
+          return;
+        }
+        const hostHeader = (req.headers["host"] ?? "").toLowerCase();
+        if (!allowedHosts.some((h) => h.toLowerCase() === hostHeader)) {
+          send(res, 403, { error: "host not allowed" }, cors);
+          finish(403);
+          return;
+        }
+        if (path === "/v1/openapi.json" && req.method === "GET") {
+          send(res, 200, openApiDoc, cors);
+          finish(200);
+          return;
+        }
+        if (path === "/v1/health") {
+          if (req.method !== "GET") {
+            send(res, 405, { error: "method not allowed" }, { allow: "GET", ...cors });
+            finish(405);
+            return;
+          }
+          tenantLabel = defaultTenant;
+          const r = handleHealth({ tenant: defaultTenant }, restDeps);
+          send(res, r.status, r.body, cors);
+          finish(r.status);
+          return;
+        }
+        if (!checkBearer(req.headers["authorization"], token)) {
+          send(res, 401, { error: "unauthorized" }, { "www-authenticate": "Bearer", ...cors });
+          finish(401);
+          return;
+        }
+        let ctx;
+        try {
+          ctx = resolveTenant(req, url, opts.tenant ?? {});
+          tenantLabel = ctx.tenant;
+        } catch (err) {
+          if (err instanceof InvalidTenantError) {
+            send(res, 400, { error: "invalid tenant" }, cors);
+            finish(400);
+            return;
+          }
+          throw err;
+        }
+        if (graphqlEnabled && path === "/graphql") {
+          if (req.method === "GET") {
+            const g = handleGraphqlGet();
+            res.writeHead(g.status, { "content-type": "text/plain; charset=utf-8", ...cors }).end(g.body);
+            finish(g.status);
+            return;
+          }
+          if (req.method === "POST") {
+            const { overflow, value } = await readBody(req, MAX_GRAPHQL_BYTES);
+            if (overflow) {
+              send(res, 413, { error: "payload too large" }, cors);
+              finish(413);
+              return;
+            }
+            const result = await executeGraphql(ctx, value, { backend: opts.backend });
+            send(res, 200, result, cors);
+            finish(200);
+            return;
+          }
+          send(res, 405, { error: "method not allowed" }, { allow: "GET, POST", ...cors });
+          finish(405);
+          return;
+        }
+        if (path.startsWith("/v1/")) {
+          if (req.method !== "GET") {
+            send(res, 405, { error: "method not allowed" }, { allow: "GET", ...cors });
+            finish(405);
+            return;
+          }
+          const result = dispatchRest(ctx, path, url, restDeps);
+          if (result) {
+            send(res, result.status, result.body, cors);
+            finish(result.status);
+            return;
+          }
+        }
+        send(res, 404, { error: "not found" }, cors);
+        finish(404);
+      } catch (err) {
+        process.stderr.write(`[cartography-api] request failed: ${err instanceof Error ? err.message : String(err)}
+`);
+        if (!res.headersSent) send(res, 500, { error: "internal error" });
+        finish(500);
+      }
+    })();
+  });
+  await new Promise((resolve2) => server.listen(requestedPort, host, resolve2));
+  const actualPort = server.address().port;
+  if (allowedHosts.length === 0) allowedHosts = defaultAllowedHosts(host, actualPort);
+  return server;
+}
+function dispatchRest(ctx, path, url, deps) {
+  switch (path) {
+    case "/v1/summary":
+      return handleSummary(ctx, url, deps);
+    case "/v1/nodes":
+      return handleNodes(ctx, url, deps);
+    case "/v1/diff":
+      return handleDiff(ctx, url, deps);
+    case "/v1/sessions":
+      return handleSessions(ctx, deps);
+    default: {
+      const m = DEPENDENCIES_RE.exec(path);
+      if (m) return handleDependencies(ctx, decodeURIComponent(m[1]), url, deps);
+      return void 0;
+    }
+  }
+}
+
+// src/api/start.ts
+function readVersion() {
+  try {
+    const dir = import.meta.dirname ?? dirname(fileURLToPath(import.meta.url));
+    return JSON.parse(readFileSync(resolve(dir, "..", "package.json"), "utf-8")).version ?? "0.0.0";
+  } catch {
+    return "0.0.0";
+  }
+}
+function parseApiArgs(argv) {
+  const opts = {};
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a === "--http") continue;
+    else if (a === "--no-graphql") opts.graphql = false;
+    else if (a === "--port") opts.port = Number(argv[++i]);
+    else if (a === "--host") opts.host = argv[++i];
+    else if (a === "--allowed-hosts") opts.allowedHosts = splitList(argv[++i]);
+    else if (a === "--allowed-origins") opts.allowedOrigins = splitList(argv[++i]);
+    else if (a === "--token") opts.token = argv[++i];
+    else if (a === "--db") opts.dbPath = argv[++i];
+    else if (a === "--session") opts.session = argv[++i];
+    else if (a === "--tenant" || a === "--org") opts.tenant = argv[++i];
+    else if (a === "--help" || a === "-h") opts.help = true;
+  }
+  return opts;
+}
+function splitList(raw) {
+  return (raw ?? "").split(",").map((s) => s.trim()).filter(Boolean);
+}
+async function startApi(opts = {}) {
+  const log = opts.log ?? ((m) => process.stderr.write(m + "\n"));
+  const db = new CartographyDB(opts.dbPath ?? defaultConfig().dbPath);
+  const backend = createSqliteQueryBackend(db, opts.session ?? "latest");
+  const token = opts.token ?? process.env["CARTOGRAPHY_HTTP_TOKEN"];
+  const host = opts.host ?? "127.0.0.1";
+  const port = opts.port ?? 3737;
+  const version = readVersion();
+  const server = await runApi({
+    host,
+    port,
+    backend,
+    version,
+    ...opts.allowedHosts ? { allowedHosts: opts.allowedHosts } : {},
+    ...opts.allowedOrigins ? { allowedOrigins: opts.allowedOrigins } : {},
+    ...token ? { token } : {},
+    ...opts.graphql === false ? { graphql: false } : {},
+    ...opts.tenant ? { tenant: { defaultTenant: normalizeTenant(opts.tenant) } } : {},
+    log
+  });
+  const graphqlNote = opts.graphql === false ? " [REST only]" : " + /graphql";
+  log(
+    `Cartograph API (REST${graphqlNote}) on http://${host}:${port}/v1${token ? " (auth: bearer token required)" : ""} (tenant: ${normalizeTenant(opts.tenant)})`
+  );
+  return server;
+}
+
+export {
+  parseApiArgs,
+  startApi
+};
+//# sourceMappingURL=chunk-7VZH5PFV.js.map