npm - @datasynx/agentic-ai-cartography - Versions diffs - 2.2.0 → 2.4.0 - Mend

@datasynx/agentic-ai-cartography 2.2.0 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/dist/api-bin.js +24 -0
package/dist/api-bin.js.map +1 -0
package/dist/chunk-B4QWX7CP.js +2618 -0
package/dist/chunk-B4QWX7CP.js.map +1 -0
package/dist/chunk-L4OSL7I6.js +1134 -0
package/dist/chunk-L4OSL7I6.js.map +1 -0
package/dist/{chunk-WCR47QA2.js → chunk-QQOQBE2A.js} +16 -5
package/dist/chunk-QQOQBE2A.js.map +1 -0
package/dist/{chunk-BNDCY2RI.js → chunk-X5JA2UDT.js} +60 -2445
package/dist/chunk-X5JA2UDT.js.map +1 -0
package/dist/cli.js +36 -11
package/dist/cli.js.map +1 -1
package/dist/index.cjs +1522 -156
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +450 -10
package/dist/index.d.ts +450 -10
package/dist/index.js +1449 -114
package/dist/index.js.map +1 -1
package/dist/mcp-bin.js +3 -2
package/dist/mcp-bin.js.map +1 -1
package/dist/{types-TJWXAQ2L.js → types-5L3AGZLG.js} +2 -2
package/package.json +8 -5
package/scripts/gen-api-schemas.ts +29 -0
package/scripts/sync-version.mjs +51 -0
package/server.json +2 -2
package/dist/chunk-BNDCY2RI.js.map +0 -1
package/dist/chunk-WCR47QA2.js.map +0 -1
/package/dist/{types-TJWXAQ2L.js.map → types-5L3AGZLG.js.map} +0 -0

package/dist/index.cjs CHANGED Viewed

@@ -45,37 +45,51 @@ __export(src_exports, {
   DriftConfigSchema: () => DriftConfigSchema,
   INGEST_SCHEMA_VERSION: () => INGEST_SCHEMA_VERSION,
   IngestEnvelopeSchema: () => IngestEnvelopeSchema,
+  InvalidTenantError: () => InvalidTenantError,
+  JiraSink: () => JiraSink,
+  LOOPBACK_HOSTS: () => LOOPBACK_HOSTS2,
   MCP_BIN: () => MCP_BIN,
+  NotFoundError: () => NotFoundError,
   PACKAGE_NAME: () => PACKAGE_NAME,
+  PAGERDUTY_ENQUEUE_URL: () => PAGERDUTY_ENQUEUE_URL,
   PERSONAL: () => PERSONAL,
   PORT_MAP: () => PORT_MAP,
   PRIVATE_IP: () => PRIVATE_IP,
   PUSH_SCHEMA_VERSION: () => PUSH_SCHEMA_VERSION,
+  PagerDutySink: () => PagerDutySink,
   ProviderRegistry: () => ProviderRegistry,
   RELATION_TO_DIRECTION: () => RELATION_TO_DIRECTION,
   RuleCheckSchema: () => RuleCheckSchema,
   RulesetSchema: () => RulesetSchema,
   SCAN_ARG_PATTERNS: () => SCAN_ARG_PATTERNS,
+  SDL: () => SDL,
   SEVERITY_WEIGHT: () => SEVERITY_WEIGHT,
   SHARING_LEVELS: () => SHARING_LEVELS,
   ScannerRegistry: () => ScannerRegistry,
   ScannerShape: () => ScannerShape,
   SharingLevelSchema: () => SharingLevelSchema,
+  SlackSink: () => SlackSink,
+  SqliteQueryBackend: () => SqliteQueryBackend,
   SqliteStoreBackend: () => SqliteStoreBackend,
   StdoutSink: () => StdoutSink,
+  TENANT_HEADER: () => TENANT_HEADER,
   VectorStore: () => VectorStore,
   WebhookSink: () => WebhookSink,
   applyInstall: () => applyInstall,
   applySharingLevel: () => applySharingLevel,
   assertReadOnly: () => assertReadOnly,
+  assertSafeBind: () => assertSafeBind,
   assertSafeScanArg: () => assertSafeScanArg,
   assignColors: () => assignColors,
+  bearerToken: () => bearerToken,
   bookmarksScanner: () => bookmarksScanner,
   buildCartographyToolHandlers: () => buildCartographyToolHandlers,
   buildMapData: () => buildMapData,
+  buildOpenApiDocument: () => buildOpenApiDocument,
   buildReport: () => buildReport,
   buildSinks: () => buildSinks,
   centralDbFromEnv: () => centralDbFromEnv,
+  checkBearer: () => checkBearer,
   checkPrerequisites: () => checkPrerequisites,
   checkReadOnly: () => checkReadOnly,
   clampText: () => clampText,
@@ -103,10 +117,12 @@ __export(src_exports, {
   createOpenAIProvider: () => createOpenAIProvider,
   createScanRunner: () => createScanRunner,
   createSemanticSearch: () => createSemanticSearch,
+  createSqliteQueryBackend: () => createSqliteQueryBackend,
   currentOs: () => currentOs,
   cursorDeeplink: () => cursorDeeplink,
   databasesScanner: () => databasesScanner,
   deepMerge: () => deepMerge,
+  defaultAllowedHosts: () => defaultAllowedHosts,
   defaultConfig: () => defaultConfig,
   defaultContext: () => defaultContext,
   defaultProviderRegistry: () => defaultProviderRegistry,
@@ -123,6 +139,7 @@ __export(src_exports, {
   evaluateCheck: () => evaluateCheck,
   evaluateRule: () => evaluateRule,
   evidenceLine: () => evidenceLine,
+  executeGraphql: () => executeGraphql,
   executeNlQuery: () => executeNlQuery,
   exportAll: () => exportAll,
   exportBackstageYAML: () => exportBackstageYAML,
@@ -136,6 +153,9 @@ __export(src_exports, {
   filterBySeverity: () => filterBySeverity,
   findAnonViolations: () => findAnonViolations,
   formatComplianceText: () => formatComplianceText,
+  formatJira: () => formatJira,
+  formatPagerDuty: () => formatPagerDuty,
+  formatSlack: () => formatSlack,
   generateDependencyMermaid: () => generateDependencyMermaid,
   generateDiffMermaid: () => generateDiffMermaid,
   generateTopologyMermaid: () => generateTopologyMermaid,
@@ -143,6 +163,7 @@ __export(src_exports, {
   getRuleset: () => getRuleset,
   globalId: () => globalId,
   groupByDomain: () => groupByDomain,
+  handleGraphqlGet: () => handleGraphqlGet,
   hexCorners: () => hexCorners,
   hexDistance: () => hexDistance,
   hexNeighbors: () => hexNeighbors,
@@ -153,9 +174,11 @@ __export(src_exports, {
   hostname: () => hostname,
   ingestEnvelope: () => ingestEnvelope,
   installedAppsScanner: () => installedAppsScanner,
+  isLoopbackHost: () => isLoopbackHost,
   isPersonalHost: () => isPersonalHost,
   isReadOnlyCommand: () => isReadOnlyCommand,
   isRemembered: () => isRemembered,
+  isSecureWebhookUrl: () => isSecureWebhookUrl,
   k8sScanner: () => k8sScanner,
   keyMetaOf: () => keyMetaOf,
   layoutClusters: () => layoutClusters,
@@ -181,6 +204,7 @@ __export(src_exports, {
   normalizeTenant: () => normalizeTenant,
   orgKeyPath: () => orgKeyPath,
   osUser: () => osUser,
+  parseApiArgs: () => parseApiArgs,
   parseComposeDeps: () => parseComposeDeps,
   parseConfig: () => parseConfig,
   parseConnectionString: () => parseConnectionString,
@@ -193,6 +217,7 @@ __export(src_exports, {
   pixelToHex: () => pixelToHex,
   planInstall: () => planInstall,
   portsScanner: () => portsScanner,
+  postJson: () => postJson,
   previewShare: () => previewShare,
   pseudonymize: () => pseudonymize,
   pseudonymizeFragment: () => pseudonymizeFragment,
@@ -206,10 +231,12 @@ __export(src_exports, {
   resolveEffectiveLevel: () => resolveEffectiveLevel,
   resolveNlQuery: () => resolveNlQuery,
   resolveSharingLevel: () => resolveSharingLevel,
+  resolveTenant: () => resolveTenant,
   revalidateAnonymized: () => revalidateAnonymized,
   reversalKey: () => reversalKey,
   reversePseudonym: () => reversePseudonym,
   rotateOrgKey: () => rotateOrgKey,
+  runApi: () => runApi,
   runDiscovery: () => runDiscovery,
   runDrift: () => runDrift,
   runHttp: () => runHttp,
@@ -232,9 +259,12 @@ __export(src_exports, {
   shareHash: () => shareHash,
   splitSegments: () => splitSegments,
   stableStringify: () => stableStringify,
+  startApi: () => startApi,
   stripSensitive: () => stripSensitive,
+  timingSafeEqual: () => timingSafeEqual,
   validateScanner: () => validateScanner,
-  vscodeDeeplink: () => vscodeDeeplink
+  vscodeDeeplink: () => vscodeDeeplink,
+  zodToJsonSchema: () => zodToJsonSchema
 });
 module.exports = __toCommonJS(src_exports);
@@ -370,6 +400,8 @@ var DOMAIN_PALETTE = [
   "#5eead4"
 ];
 var DRIFT_FIELDS = ["type", "name", "domain", "subDomain", "qualityScore", "metadata", "tags", "owner", "cost"];
+var ANOMALY_KINDS = ["orphan", "shadow-it"];
+var ANOMALY_SEVERITIES = ["low", "medium", "high"];
 var DEFAULT_ANOMALY_THRESHOLDS = {
   orphanWeakDegree: 1,
   shadowConfidence: 0.4,
@@ -394,15 +426,26 @@ var SECURITY_METADATA_KEYS = [
 var DriftConfigSchema = import_zod.z.object({
   minSeverity: import_zod.z.enum(SEVERITIES).default("info"),
   sinks: import_zod.z.array(import_zod.z.object({
-    type: import_zod.z.enum(["stdout", "webhook"]),
+    type: import_zod.z.enum(["stdout", "webhook", "slack", "pagerduty", "jira"]),
     url: import_zod.z.string().url().optional(),
     token: import_zod.z.string().optional(),
-    timeoutMs: import_zod.z.number().int().positive().optional()
+    timeoutMs: import_zod.z.number().int().positive().optional(),
+    routingKey: import_zod.z.string().optional(),
+    email: import_zod.z.string().optional(),
+    project: import_zod.z.string().optional(),
+    issueType: import_zod.z.string().optional()
   })).default([{ type: "stdout" }])
 }).superRefine((cfg, ctx) => {
   for (const [i, s] of cfg.sinks.entries()) {
-    if (s.type === "webhook" && !s.url) {
-      ctx.addIssue({ code: "custom", path: ["sinks", i, "url"], message: "webhook sink requires a url" });
+    const requireUrl = (msg) => {
+      if (!s.url) ctx.addIssue({ code: "custom", path: ["sinks", i, "url"], message: msg });
+    };
+    if (s.type === "webhook") requireUrl("webhook sink requires a url");
+    if (s.type === "slack") requireUrl("slack sink requires a webhook url");
+    if (s.type === "jira") {
+      requireUrl("jira sink requires a base url");
+      if (!s.email) ctx.addIssue({ code: "custom", path: ["sinks", i, "email"], message: "jira sink requires an email" });
+      if (!s.project) ctx.addIssue({ code: "custom", path: ["sinks", i, "project"], message: "jira sink requires a project key" });
     }
   }
 });
@@ -1515,8 +1558,8 @@ var cloudGcpScanner = {
   allowedCommands: ["gcloud"],
   detect: (ctx) => Boolean((ctx.commandExists ?? commandExists)("gcloud")),
   async scan(ctx) {
-    const { project } = parseScanHint(ctx.hint);
-    const pf = project ? ` --project ${project}` : "";
+    const { project: project2 } = parseScanHint(ctx.hint);
+    const pf = project2 ? ` --project ${project2}` : "";
     const runG = createScanRunner((c) => ctx.run(c, { timeout: 2e4 }), { threshold: 3 });
     const nodes = [];
     const edges = [];
@@ -2016,8 +2059,17 @@ function stripSensitive(target) {
     const stripped = `${url.hostname}${url.port ? ":" + url.port : ""}`;
     return stripped || raw;
   } catch {
-    const stripped = raw.replace(/\/.*$/, "").replace(/\?.*$/, "").replace(/@.*:/, ":");
-    return stripped || raw;
+    let s = raw;
+    const slash = s.indexOf("/");
+    if (slash >= 0) s = s.slice(0, slash);
+    const q = s.indexOf("?");
+    if (q >= 0) s = s.slice(0, q);
+    const at = s.indexOf("@");
+    if (at >= 0) {
+      const colon = s.lastIndexOf(":");
+      if (colon > at) s = s.slice(0, at) + ":" + s.slice(colon + 1);
+    }
+    return s || raw;
   }
 }
 var SCAN_ARG_PATTERNS = {
@@ -2035,7 +2087,7 @@ function assertSafeScanArg(kind, value) {
   return value;
 }
 function redactSecrets(value) {
-  return value.replace(/([a-z][a-z0-9+.-]*:\/\/[^:@/\s]+):[^@/\s]+@/gi, "$1:***@");
+  return value.replace(/([a-z][a-z0-9+.-]{0,63}:\/\/[^:@/\s]{1,256}):[^@/\s]{1,256}@/gi, "$1:***@");
 }
 function redactValue(value) {
   if (typeof value === "string") return redactSecrets(value);
@@ -2204,9 +2256,9 @@ async function buildCartographyToolHandlers(db, sessionId, opts = {}) {
     tool("scan_gcp_resources", "Scan Google Cloud Platform via gcloud CLI \u2014 100% readonly (list, describe)", {
       project: import_zod2.z.string().regex(SCAN_ARG_PATTERNS["gcp-project"], "invalid GCP project id").optional().describe("GCP Project ID \u2014 default: current gcloud project")
     }, async (args) => {
-      const project = args["project"];
-      if (project) assertSafeScanArg("gcp-project", project);
-      return runScannerTool(cloudGcpScanner, project ? `project=${project}` : "");
+      const project2 = args["project"];
+      if (project2) assertSafeScanArg("gcp-project", project2);
+      return runScannerTool(cloudGcpScanner, project2 ? `project=${project2}` : "");
     }, { annotations: READ_SCAN }),
     tool("scan_azure_resources", "Scan Azure infrastructure via az CLI \u2014 100% readonly (list, show)", {
       subscription: import_zod2.z.string().regex(SCAN_ARG_PATTERNS["azure-subscription"], "invalid Azure subscription id").optional().describe("Azure Subscription ID"),
@@ -2358,14 +2410,14 @@ async function buildCartographyToolHandlers(db, sessionId, opts = {}) {
         "neon"
       ];
       const found = [];
-      const notFound = [];
+      const notFound2 = [];
       for (const t of knownTools) {
         const r = commandExists(t);
         if (r) found.push(`${t}: ${r}`);
-        else notFound.push(t);
+        else notFound2.push(t);
       }
       results["TOOLS_FOUND"] = found.join("\n") || "(none found)";
-      results["TOOLS_NOT_FOUND"] = notFound.join(", ");
+      results["TOOLS_NOT_FOUND"] = notFound2.join(", ");
       if (hint) {
         const terms = hint.split(/[\s,]+/).filter(Boolean);
         const hintResults = [];
@@ -4502,6 +4554,86 @@ var SqliteStoreBackend = class {
   }
 };
+// src/store/query.ts
+var NotFoundError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "NotFoundError";
+  }
+};
+var MAX_NODE_LIMIT = 1e3;
+var MAX_DEPTH = 64;
+function clamp(value, min, max) {
+  return Math.floor(Math.max(min, Math.min(value, max)));
+}
+var SqliteQueryBackend = class {
+  constructor(db, defaultSession = "latest") {
+    this.db = db;
+    this.defaultSession = defaultSession;
+  }
+  /**
+   * Resolve the session id for a request, scoped to `ctx.tenant`. An explicit id must
+   * belong to the tenant or it resolves to undefined (cross-tenant isolation); else the
+   * newest `discover` session for the tenant. Mirrors `resolveSession` in the MCP server.
+   */
+  resolveSession(ctx, sessionId) {
+    const requested = sessionId ?? (this.defaultSession === "latest" ? void 0 : this.defaultSession);
+    if (requested) {
+      const s = this.db.getSession(requested);
+      if (s && s.tenant === ctx.tenant) return s.id;
+      throw new NotFoundError(`session not found`);
+    }
+    const latest = this.db.getLatestSession("discover", ctx.tenant) ?? this.db.getLatestSession(void 0, ctx.tenant);
+    if (!latest) throw new NotFoundError(`no session available`);
+    return latest.id;
+  }
+  summary(ctx, sessionId) {
+    return this.db.getGraphSummary(this.resolveSession(ctx, sessionId));
+  }
+  nodes(ctx, q, sessionId) {
+    const sid = this.resolveSession(ctx, sessionId);
+    const limit = clamp(q.limit ?? 100, 1, MAX_NODE_LIMIT);
+    const offset = Math.floor(Math.max(0, q.offset ?? 0));
+    const total = this.db.getNodeCount(sid);
+    if (q.search) {
+      const nodes2 = this.db.searchNodes(sid, q.search, { ...q.types ? { types: q.types } : {}, limit });
+      return { nodes: nodes2, total: nodes2.length, limit, offset: 0 };
+    }
+    const nodes = this.db.getNodes(sid, { limit, offset });
+    return { nodes, total, limit, offset };
+  }
+  node(ctx, id, sessionId) {
+    return this.db.getNode(this.resolveSession(ctx, sessionId), id);
+  }
+  dependencies(ctx, id, q, sessionId) {
+    const sid = this.resolveSession(ctx, sessionId);
+    return this.db.getDependencies(sid, id, {
+      direction: q.direction ?? "downstream",
+      maxDepth: clamp(q.maxDepth ?? 8, 1, MAX_DEPTH)
+    });
+  }
+  diff(ctx, base, current) {
+    for (const id of [base, current]) {
+      const s = this.db.getSession(id);
+      if (!s || s.tenant !== ctx.tenant) throw new NotFoundError(`session not found`);
+    }
+    try {
+      return this.db.diffSessions(base, current);
+    } catch (err) {
+      throw new NotFoundError(err instanceof Error ? err.message : "diff failed");
+    }
+  }
+  sessions(ctx) {
+    return this.db.getSessions(ctx.tenant);
+  }
+  health(ctx) {
+    return { store: "sqlite", sessions: this.db.getSessions(ctx.tenant).length };
+  }
+};
+function createSqliteQueryBackend(db, defaultSession = "latest") {
+  return new SqliteQueryBackend(db, defaultSession);
+}
 // src/central/merge.ts
 function computeIdentity(org, node) {
   return {
@@ -5053,6 +5185,41 @@ var StdoutSink = class {
 // src/sinks/webhook.ts
 var LOOPBACK_HOSTS = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "[::1]", "::1"]);
+async function postJson(opts) {
+  const doFetch = opts.fetchImpl ?? (typeof fetch === "function" ? fetch : void 0);
+  if (!doFetch) {
+    logWarn("sink unavailable: global fetch missing", { sink: opts.sinkName });
+    return;
+  }
+  if (!opts.url) {
+    logWarn("sink unavailable: no url configured", { sink: opts.sinkName });
+    return;
+  }
+  if (!isSecureWebhookUrl(opts.url)) {
+    logWarn("sink refused: insecure scheme (use https:// or a loopback host)", {
+      sink: opts.sinkName,
+      host: stripSensitive(opts.url)
+    });
+    return;
+  }
+  try {
+    const res = await doFetch(opts.url, {
+      method: "POST",
+      headers: { "content-type": "application/json", ...opts.headers ?? {} },
+      body: JSON.stringify(opts.body),
+      signal: AbortSignal.timeout(opts.timeoutMs ?? 1e4)
+    });
+    if (!res.ok) {
+      logError("sink delivery failed", { sink: opts.sinkName, host: stripSensitive(opts.url), status: res.status });
+    }
+  } catch (err) {
+    logError("sink delivery failed", {
+      sink: opts.sinkName,
+      host: stripSensitive(opts.url),
+      reason: err instanceof Error ? err.message : String(err)
+    });
+  }
+}
 function isSecureWebhookUrl(url, env = process.env) {
   if (env.CARTOGRAPHY_ALLOW_INSECURE_SYNC === "1") return true;
   let parsed;
@@ -5071,59 +5238,177 @@ var WebhookSink = class {
   }
   name = "webhook";
   async emit(alert) {
-    if (typeof fetch !== "function") {
-      logWarn("webhook sink unavailable: global fetch missing", { sink: this.name });
-      return;
-    }
     const { url, token, timeoutMs } = this.opts;
-    if (!url) {
-      logWarn("webhook sink unavailable: no url configured", { sink: this.name });
-      return;
-    }
-    if (!isSecureWebhookUrl(url)) {
-      logWarn("webhook sink refused: insecure scheme (use https:// or a loopback host)", {
-        sink: this.name,
-        host: stripSensitive(url)
-      });
-      return;
-    }
-    try {
-      const res = await fetch(url, {
-        method: "POST",
-        headers: {
-          "content-type": "application/json",
-          ...token ? { authorization: `Bearer ${token}` } : {}
-        },
-        body: JSON.stringify(redactValue(alert)),
-        signal: AbortSignal.timeout(timeoutMs ?? 1e4)
-      });
-      if (!res.ok) {
-        logError("webhook sink failed", { sink: this.name, host: stripSensitive(url), status: res.status });
+    await postJson({
+      url,
+      body: redactValue(alert),
+      ...token ? { headers: { authorization: `Bearer ${token}` } } : {},
+      ...timeoutMs !== void 0 ? { timeoutMs } : {},
+      sinkName: this.name
+    });
+  }
+};
+// src/sinks/providers.ts
+var MAX_ITEMS2 = 20;
+var SEVERITY_EMOJI = { info: "\u{1F7E2}", warning: "\u{1F7E1}", critical: "\u{1F534}" };
+function headline(alert) {
+  const s = alert.summary;
+  return `${s.nodesAdded}+ / ${s.nodesRemoved}- / ${s.nodesChanged}~ nodes, ${s.edgesAdded}+ / ${s.edgesRemoved}- edges`;
+}
+function itemLine(it) {
+  const sec = it.securityFields?.length ? ` [security: ${it.securityFields.join(", ")}]` : "";
+  const fields = it.changedFields?.length ? ` (${it.changedFields.join(", ")})` : "";
+  return `${it.severity.toUpperCase()} \xB7 ${it.kind} \xB7 ${it.label}${fields}${sec}`;
+}
+function bodyText(alert) {
+  const lines = alert.items.slice(0, MAX_ITEMS2).map(itemLine);
+  const more = alert.items.length > MAX_ITEMS2 ? [`\u2026and ${alert.items.length - MAX_ITEMS2} more`] : [];
+  return [headline(alert), "", ...lines, ...more].join("\n");
+}
+function formatSlack(alert) {
+  const title = `${SEVERITY_EMOJI[alert.severity]} Topology drift \u2014 ${alert.severity}`;
+  return {
+    text: `${title}: ${headline(alert)}`,
+    blocks: [
+      { type: "header", text: { type: "plain_text", text: title, emoji: true } },
+      { type: "section", text: { type: "mrkdwn", text: "```" + bodyText(alert) + "```" } },
+      { type: "context", elements: [{ type: "mrkdwn", text: `base ${alert.base.sessionId} \u2192 current ${alert.current.sessionId} \xB7 ${alert.generatedAt}` }] }
+    ]
+  };
+}
+var PD_SEVERITY = {
+  info: "info",
+  warning: "warning",
+  critical: "critical"
+};
+function formatPagerDuty(alert, routingKey) {
+  return {
+    routing_key: routingKey,
+    event_action: "trigger",
+    // Stable per base→current pair so repeated alerts for the same delta de-duplicate.
+    dedup_key: `cartograph-drift:${alert.base.sessionId}:${alert.current.sessionId}`,
+    payload: {
+      summary: `Cartograph topology drift (${alert.severity}): ${headline(alert)}`,
+      source: "cartograph",
+      severity: PD_SEVERITY[alert.severity],
+      timestamp: alert.generatedAt,
+      custom_details: {
+        summary: alert.summary,
+        items: alert.items.slice(0, MAX_ITEMS2).map((it) => ({
+          kind: it.kind,
+          ref: it.ref,
+          severity: it.severity,
+          ...it.changedFields ? { changedFields: it.changedFields } : {},
+          ...it.securityFields ? { securityFields: it.securityFields } : {}
+        }))
       }
-    } catch (err) {
-      logError("webhook sink failed", {
-        sink: this.name,
-        host: stripSensitive(url),
-        reason: err instanceof Error ? err.message : String(err)
-      });
     }
+  };
+}
+function formatJira(alert, opts) {
+  return {
+    fields: {
+      project: { key: opts.project },
+      issuetype: { name: opts.issueType ?? "Task" },
+      summary: `Cartograph topology drift (${alert.severity}): ${headline(alert)}`,
+      description: bodyText(alert) + `
+base ${alert.base.sessionId} \u2192 current ${alert.current.sessionId}
+generated ${alert.generatedAt}`
+    }
+  };
+}
+// src/sinks/provider-sink.ts
+var PAGERDUTY_ENQUEUE_URL = "https://events.pagerduty.com/v2/enqueue";
+function deliver(name, url, body, opts, headers) {
+  return postJson({
+    url,
+    body,
+    sinkName: name,
+    ...headers ? { headers } : {},
+    ...opts.timeoutMs !== void 0 ? { timeoutMs: opts.timeoutMs } : {},
+    ...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+  });
+}
+var SlackSink = class {
+  constructor(opts) {
+    this.opts = opts;
+  }
+  name = "slack";
+  async emit(alert) {
+    await deliver(this.name, this.opts.url, formatSlack(redactValue(alert)), this.opts);
+  }
+};
+var PagerDutySink = class {
+  constructor(opts) {
+    this.opts = opts;
+  }
+  name = "pagerduty";
+  async emit(alert) {
+    const body = formatPagerDuty(redactValue(alert), this.opts.routingKey);
+    await deliver(this.name, this.opts.url || PAGERDUTY_ENQUEUE_URL, body, this.opts);
+  }
+};
+var JiraSink = class {
+  constructor(opts) {
+    this.opts = opts;
+  }
+  name = "jira";
+  async emit(alert) {
+    const body = formatJira(redactValue(alert), {
+      project: this.opts.project,
+      ...this.opts.issueType ? { issueType: this.opts.issueType } : {}
+    });
+    const auth = Buffer.from(`${this.opts.email}:${this.opts.token}`).toString("base64");
+    const base = this.opts.url.replace(/\/+$/, "");
+    await deliver(this.name, `${base}/rest/api/2/issue`, body, this.opts, { authorization: `Basic ${auth}` });
   }
 };
 // src/sinks/index.ts
 function buildSinks(drift) {
   const configs = drift?.sinks && drift.sinks.length > 0 ? drift.sinks : [{ type: "stdout" }];
+  const envSecret = process.env.CARTOGRAPHY_DRIFT_TOKEN;
   const sinks = [];
   for (const s of configs) {
-    if (s.type === "webhook") {
-      if (!s.url) continue;
-      sinks.push(new WebhookSink({
-        url: s.url,
-        token: s.token ?? process.env.CARTOGRAPHY_DRIFT_TOKEN,
-        timeoutMs: s.timeoutMs
-      }));
-    } else {
-      sinks.push(new StdoutSink());
+    const timeoutMs = s.timeoutMs;
+    switch (s.type) {
+      case "webhook":
+        if (!s.url) {
+          logWarn("drift sink skipped: webhook requires a url", { sink: s.type });
+          break;
+        }
+        sinks.push(new WebhookSink({ url: s.url, token: s.token ?? envSecret, timeoutMs }));
+        break;
+      case "slack":
+        if (!s.url) {
+          logWarn("drift sink skipped: slack requires a webhook url", { sink: s.type });
+          break;
+        }
+        sinks.push(new SlackSink({ url: s.url, timeoutMs }));
+        break;
+      case "pagerduty": {
+        const routingKey = s.routingKey ?? s.token ?? envSecret;
+        if (!routingKey) {
+          logWarn("drift sink skipped: pagerduty requires a routingKey (or CARTOGRAPHY_DRIFT_TOKEN)", { sink: s.type });
+          break;
+        }
+        sinks.push(new PagerDutySink({ url: s.url ?? PAGERDUTY_ENQUEUE_URL, routingKey, timeoutMs }));
+        break;
+      }
+      case "jira": {
+        const token = s.token ?? envSecret;
+        if (!s.url || !s.email || !s.project || !token) {
+          logWarn("drift sink skipped: jira requires url, email, project and a token", { sink: s.type });
+          break;
+        }
+        sinks.push(new JiraSink({ url: s.url, email: s.email, token, project: s.project, issueType: s.issueType, timeoutMs }));
+        break;
+      }
+      default:
+        sinks.push(new StdoutSink());
     }
   }
   return sinks.length > 0 ? sinks : [new StdoutSink()];
@@ -5532,7 +5817,7 @@ async function resolveNlQuery(db, sessionId, search, raw, opts) {
 // src/mcp/server.ts
 var SERVER_NAME = "cartography";
-var SERVER_VERSION = "2.2.0";
+var SERVER_VERSION = "2.4.0";
 var SERVICE_TYPES = NODE_TYPE_GROUPS.web;
 var DATA_TYPES = NODE_TYPE_GROUPS.data;
 var lexicalSearch = async (db, sessionId, query, opts) => db.searchNodes(sessionId, query, { types: opts.types, limit: opts.limit }).map((node) => ({ node }));
@@ -6033,6 +6318,50 @@ var import_node_crypto5 = require("crypto");
 var import_node_http = __toESM(require("http"), 1);
 var import_stdio = require("@modelcontextprotocol/sdk/server/stdio.js");
 var import_streamableHttp = require("@modelcontextprotocol/sdk/server/streamableHttp.js");
+// src/api/auth.ts
+var LOOPBACK_HOSTS2 = /* @__PURE__ */ new Set(["127.0.0.1", "localhost", "::1", "[::1]"]);
+function isLoopbackHost(host2) {
+  return LOOPBACK_HOSTS2.has(host2);
+}
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  return diff === 0;
+}
+function bearerToken(header) {
+  if (!header) return void 0;
+  const trimmed = header.trim();
+  if (trimmed.length < 7 || trimmed.slice(0, 6).toLowerCase() !== "bearer") return void 0;
+  const rest = trimmed.slice(6);
+  if (!/^\s/.test(rest)) return void 0;
+  const token = rest.trimStart();
+  return token.length > 0 ? token : void 0;
+}
+function checkBearer(authorizationHeader, token) {
+  if (!token) return true;
+  const provided = bearerToken(authorizationHeader);
+  return provided !== void 0 && timingSafeEqual(provided, token);
+}
+function assertSafeBind(opts) {
+  if (isLoopbackHost(opts.host)) return;
+  if (opts.allowedHosts === void 0) {
+    throw new Error(
+      `Refusing to bind a non-loopback host (${opts.host}) without an explicit allowedHosts allowlist. Pass { allowedHosts: ['your.public.host:port'] } to opt in, or bind 127.0.0.1 for local-only use.`
+    );
+  }
+  if (!opts.token) {
+    throw new Error(
+      `Refusing to bind a non-loopback host (${opts.host}) without an auth token. Pass { token } (or --token / CARTOGRAPHY_HTTP_TOKEN) so requests must carry 'Authorization: Bearer <token>'.`
+    );
+  }
+}
+function defaultAllowedHosts(host2, port) {
+  return [`${host2}:${port}`, `localhost:${port}`, `127.0.0.1:${port}`];
+}
+// src/mcp/transports.ts
 async function runStdio(server) {
   const transport = new import_stdio.StdioServerTransport();
   await server.connect(transport);
@@ -6061,17 +6390,6 @@ async function readCappedBody(req, cap) {
     return { overflow: false, value: void 0 };
   }
 }
-function timingSafeEqual(a, b) {
-  if (a.length !== b.length) return false;
-  let diff = 0;
-  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
-  return diff === 0;
-}
-function bearerToken(header) {
-  if (!header) return void 0;
-  const m = /^Bearer\s+(.+)$/i.exec(header.trim());
-  return m ? m[1] : void 0;
-}
 async function readJsonBody(req) {
   const chunks = [];
   for await (const chunk of req) chunks.push(chunk);
@@ -6082,22 +6400,11 @@ async function readJsonBody(req) {
     return void 0;
   }
 }
-var LOOPBACK_HOSTS2 = /* @__PURE__ */ new Set(["127.0.0.1", "localhost", "::1", "[::1]"]);
 async function runHttp(factory, opts = {}) {
   const host2 = opts.host ?? "127.0.0.1";
   const port = opts.port ?? 3737;
-  const isLoopback = LOOPBACK_HOSTS2.has(host2);
-  if (!isLoopback && opts.allowedHosts === void 0) {
-    throw new Error(
-      `Refusing to bind a non-loopback host (${host2}) without an explicit allowedHosts allowlist. Pass { allowedHosts: ['your.public.host:port'] } to opt in, or bind 127.0.0.1 for local-only use.`
-    );
-  }
-  if (!isLoopback && !opts.token) {
-    throw new Error(
-      `Refusing to bind a non-loopback host (${host2}) without an auth token. Pass { token } (or --token / CARTOGRAPHY_HTTP_TOKEN) so requests must carry 'Authorization: Bearer <token>'.`
-    );
-  }
-  const allowedHosts = opts.allowedHosts ?? [`${host2}:${port}`, `localhost:${port}`, `127.0.0.1:${port}`];
+  assertSafeBind({ host: host2, port, ...opts.allowedHosts ? { allowedHosts: opts.allowedHosts } : {}, ...opts.token ? { token: opts.token } : {} });
+  const allowedHosts = opts.allowedHosts ?? defaultAllowedHosts(host2, port);
   const token = opts.token;
   const transports = /* @__PURE__ */ new Map();
   const httpServer = import_node_http.default.createServer(async (req, res) => {
@@ -6108,12 +6415,9 @@ async function runHttp(factory, opts = {}) {
         res.writeHead(404, { "content-type": "application/json" }).end('{"error":"not found"}');
         return;
       }
-      if (token) {
-        const provided = bearerToken(req.headers["authorization"]);
-        if (!provided || !timingSafeEqual(provided, token)) {
-          res.writeHead(401, { "content-type": "application/json", "www-authenticate": "Bearer" }).end('{"error":"unauthorized"}');
-          return;
-        }
+      if (!checkBearer(req.headers["authorization"], token)) {
+        res.writeHead(401, { "content-type": "application/json", "www-authenticate": "Bearer" }).end('{"error":"unauthorized"}');
+        return;
       }
       if (isIngest) {
         const hostHeader = (req.headers["host"] ?? "").toLowerCase();
@@ -6167,7 +6471,7 @@ async function runHttp(factory, opts = {}) {
       if (!res.headersSent) res.writeHead(500, { "content-type": "application/json" }).end('{"error":"internal error"}');
     }
   });
-  await new Promise((resolve2) => httpServer.listen(port, host2, resolve2));
+  await new Promise((resolve3) => httpServer.listen(port, host2, resolve3));
   return httpServer;
 }
@@ -6349,8 +6653,8 @@ async function createSemanticSearch(db, embedder, opts = {}) {
     return lexicalSearch2();
   }
   const store = new VectorStore(db, provider);
-  const ok = await store.init();
-  if (!ok) {
+  const ok3 = await store.init();
+  if (!ok3) {
     log2?.("semantic search: vector store unavailable (sqlite-vec not installed or failed to load) \u2014 using lexical search");
     return lexicalSearch2();
   }
@@ -6959,6 +7263,1038 @@ function localDiscoveryFn(registry, plugins) {
   };
 }
+// src/api/server.ts
+var import_node_http2 = __toESM(require("http"), 1);
+// src/api/tenant.ts
+var TENANT_HEADER = "x-cartograph-tenant";
+var InvalidTenantError = class extends Error {
+  constructor() {
+    super("invalid tenant");
+    this.name = "InvalidTenantError";
+  }
+};
+function resolveTenant(req, url, opts = {}) {
+  const headerName = (opts.header ?? TENANT_HEADER).toLowerCase();
+  const raw = headerValue(req, headerName) ?? url.searchParams.get("tenant") ?? void 0;
+  if (raw === void 0 || raw === "") {
+    return { tenant: opts.defaultTenant ?? DEFAULT_TENANT };
+  }
+  if (raw.trim().length > 128) {
+    throw new InvalidTenantError();
+  }
+  const normalized = normalizeTenant(raw);
+  if (normalized === DEFAULT_TENANT && raw.trim() !== DEFAULT_TENANT) {
+    throw new InvalidTenantError();
+  }
+  return { tenant: normalized };
+}
+function headerValue(req, name) {
+  const v = req.headers[name];
+  if (Array.isArray(v)) return v[0];
+  return v;
+}
+// src/api/schemas.ts
+var import_zod8 = require("zod");
+var DIRECTIONS = ["downstream", "upstream", "both"];
+var CostSchema = import_zod8.z.object({
+  amount: import_zod8.z.number(),
+  currency: import_zod8.z.string(),
+  period: import_zod8.z.enum(COST_PERIODS),
+  source: import_zod8.z.string().optional()
+});
+var NodeSchema2 = import_zod8.z.object({
+  id: import_zod8.z.string(),
+  type: import_zod8.z.string(),
+  name: import_zod8.z.string(),
+  confidence: import_zod8.z.number(),
+  domain: import_zod8.z.string().optional(),
+  subDomain: import_zod8.z.string().optional(),
+  qualityScore: import_zod8.z.number().optional(),
+  owner: import_zod8.z.string().optional(),
+  cost: CostSchema.optional(),
+  tags: import_zod8.z.array(import_zod8.z.string())
+});
+var EdgeSchema2 = import_zod8.z.object({
+  sourceId: import_zod8.z.string(),
+  targetId: import_zod8.z.string(),
+  relationship: import_zod8.z.string(),
+  confidence: import_zod8.z.number(),
+  evidence: import_zod8.z.string()
+});
+var AnomalySchema = import_zod8.z.object({
+  nodeId: import_zod8.z.string(),
+  kind: import_zod8.z.enum(ANOMALY_KINDS),
+  severity: import_zod8.z.enum(ANOMALY_SEVERITIES),
+  reason: import_zod8.z.string()
+});
+var TopConnectedSchema = import_zod8.z.object({
+  id: import_zod8.z.string(),
+  name: import_zod8.z.string(),
+  type: import_zod8.z.string(),
+  degree: import_zod8.z.number().int()
+});
+var CostByDomainSchema = import_zod8.z.object({
+  domain: import_zod8.z.string(),
+  currency: import_zod8.z.string(),
+  period: import_zod8.z.string(),
+  total: import_zod8.z.number(),
+  nodes: import_zod8.z.number().int()
+});
+var CostByOwnerSchema = import_zod8.z.object({
+  owner: import_zod8.z.string(),
+  currency: import_zod8.z.string(),
+  period: import_zod8.z.string(),
+  total: import_zod8.z.number(),
+  nodes: import_zod8.z.number().int()
+});
+var SummaryResponse = import_zod8.z.object({
+  sessionId: import_zod8.z.string(),
+  totals: import_zod8.z.object({ nodes: import_zod8.z.number().int(), edges: import_zod8.z.number().int() }),
+  nodesByType: import_zod8.z.record(import_zod8.z.string(), import_zod8.z.number().int()),
+  nodesByDomain: import_zod8.z.record(import_zod8.z.string(), import_zod8.z.number().int()),
+  edgesByRelationship: import_zod8.z.record(import_zod8.z.string(), import_zod8.z.number().int()),
+  topConnected: import_zod8.z.array(TopConnectedSchema),
+  anomalies: import_zod8.z.array(AnomalySchema),
+  contributors: import_zod8.z.number().int(),
+  costByDomain: import_zod8.z.array(CostByDomainSchema),
+  costByOwner: import_zod8.z.array(CostByOwnerSchema),
+  costCoverage: import_zod8.z.object({ withCost: import_zod8.z.number().int(), total: import_zod8.z.number().int() })
+});
+var NodesResponse = import_zod8.z.object({
+  nodes: import_zod8.z.array(NodeSchema2),
+  total: import_zod8.z.number().int(),
+  limit: import_zod8.z.number().int(),
+  offset: import_zod8.z.number().int()
+});
+var DependencyNodeSchema = NodeSchema2.extend({ depth: import_zod8.z.number().int() });
+var DependenciesResponse = import_zod8.z.object({
+  root: NodeSchema2.optional(),
+  direction: import_zod8.z.enum(DIRECTIONS),
+  maxDepth: import_zod8.z.number().int(),
+  nodes: import_zod8.z.array(DependencyNodeSchema),
+  edges: import_zod8.z.array(EdgeSchema2)
+});
+var SessionEndpointSchema = import_zod8.z.object({
+  sessionId: import_zod8.z.string(),
+  startedAt: import_zod8.z.string(),
+  nodeCount: import_zod8.z.number().int(),
+  edgeCount: import_zod8.z.number().int()
+});
+var NodeChangeSchema = import_zod8.z.object({
+  id: import_zod8.z.string(),
+  changedFields: import_zod8.z.array(import_zod8.z.string()),
+  confidenceDelta: import_zod8.z.number()
+});
+var DiffResponse = import_zod8.z.object({
+  base: SessionEndpointSchema,
+  current: SessionEndpointSchema,
+  summary: import_zod8.z.object({
+    nodesAdded: import_zod8.z.number().int(),
+    nodesRemoved: import_zod8.z.number().int(),
+    nodesChanged: import_zod8.z.number().int(),
+    edgesAdded: import_zod8.z.number().int(),
+    edgesRemoved: import_zod8.z.number().int()
+  }),
+  nodes: import_zod8.z.object({
+    added: import_zod8.z.array(NodeSchema2),
+    removed: import_zod8.z.array(NodeSchema2),
+    changed: import_zod8.z.array(NodeChangeSchema),
+    unchanged: import_zod8.z.number().int()
+  }),
+  edges: import_zod8.z.object({
+    added: import_zod8.z.array(EdgeSchema2),
+    removed: import_zod8.z.array(EdgeSchema2),
+    unchanged: import_zod8.z.number().int()
+  }),
+  anomalies: import_zod8.z.object({ added: import_zod8.z.array(AnomalySchema) })
+});
+var SessionSchema = import_zod8.z.object({
+  id: import_zod8.z.string(),
+  mode: import_zod8.z.literal("discover"),
+  startedAt: import_zod8.z.string(),
+  completedAt: import_zod8.z.string().optional(),
+  name: import_zod8.z.string().optional(),
+  tenant: import_zod8.z.string(),
+  lastScannedAt: import_zod8.z.string().optional()
+});
+var SessionsResponse = import_zod8.z.object({ sessions: import_zod8.z.array(SessionSchema) });
+var HealthResponse = import_zod8.z.object({
+  status: import_zod8.z.literal("ok"),
+  version: import_zod8.z.string(),
+  store: import_zod8.z.literal("sqlite"),
+  sessions: import_zod8.z.number().int()
+});
+var ErrorResponse = import_zod8.z.object({
+  error: import_zod8.z.string(),
+  code: import_zod8.z.string().optional()
+});
+var API_SCHEMAS = {
+  Node: NodeSchema2,
+  Edge: EdgeSchema2,
+  Anomaly: AnomalySchema,
+  Summary: SummaryResponse,
+  Nodes: NodesResponse,
+  Dependencies: DependenciesResponse,
+  Diff: DiffResponse,
+  Session: SessionSchema,
+  Sessions: SessionsResponse,
+  Health: HealthResponse,
+  Error: ErrorResponse
+};
+// src/api/rest.ts
+function toApiNode(n) {
+  const out = { id: n.id, type: n.type, name: n.name, confidence: n.confidence, tags: n.tags };
+  if (n.domain !== void 0) out["domain"] = n.domain;
+  if (n.subDomain !== void 0) out["subDomain"] = n.subDomain;
+  if (n.qualityScore !== void 0) out["qualityScore"] = n.qualityScore;
+  if (n.owner !== void 0) out["owner"] = n.owner;
+  if (n.cost !== void 0) out["cost"] = n.cost;
+  return out;
+}
+function toApiEdge(e) {
+  return { sourceId: e.sourceId, targetId: e.targetId, relationship: e.relationship, confidence: e.confidence, evidence: e.evidence };
+}
+function toApiSession(s) {
+  const out = { id: s.id, mode: s.mode, startedAt: s.startedAt, tenant: s.tenant };
+  if (s.completedAt !== void 0) out["completedAt"] = s.completedAt;
+  if (s.name !== void 0) out["name"] = s.name;
+  if (s.lastScannedAt !== void 0) out["lastScannedAt"] = s.lastScannedAt;
+  return out;
+}
+function toApiAnomaly(a) {
+  return { nodeId: a.nodeId, kind: a.kind, severity: a.severity, reason: a.reason };
+}
+function projectDependencies(r) {
+  return {
+    ...r.root ? { root: toApiNode(r.root) } : {},
+    direction: r.direction,
+    maxDepth: r.maxDepth,
+    nodes: r.nodes.map((n) => ({ ...toApiNode(n), depth: n.depth })),
+    edges: r.edges.map(toApiEdge)
+  };
+}
+function projectDiff(diff) {
+  return {
+    base: { sessionId: diff.base.sessionId, startedAt: diff.base.startedAt, nodeCount: diff.base.nodeCount, edgeCount: diff.base.edgeCount },
+    current: { sessionId: diff.current.sessionId, startedAt: diff.current.startedAt, nodeCount: diff.current.nodeCount, edgeCount: diff.current.edgeCount },
+    summary: diff.summary,
+    nodes: {
+      added: diff.nodes.added.map(toApiNode),
+      removed: diff.nodes.removed.map(toApiNode),
+      changed: diff.nodes.changed.map((c) => ({ id: c.id, changedFields: c.changedFields, confidenceDelta: c.confidenceDelta })),
+      unchanged: diff.nodes.unchanged
+    },
+    edges: {
+      added: diff.edges.added.map(toApiEdge),
+      removed: diff.edges.removed.map(toApiEdge),
+      unchanged: diff.edges.unchanged
+    },
+    anomalies: { added: diff.anomalies.added.map(toApiAnomaly) }
+  };
+}
+function ok(body) {
+  return { status: 200, body };
+}
+function badRequest(error) {
+  return { status: 400, body: { error } };
+}
+function notFound(error = "not found") {
+  return { status: 404, body: { error } };
+}
+function guard(fn) {
+  try {
+    return fn();
+  } catch (err) {
+    if (err instanceof NotFoundError) return notFound(err.message);
+    throw err;
+  }
+}
+function validateOut(schema, body) {
+  if (process.env["NODE_ENV"] !== "production") {
+    const r = schema.safeParse(body);
+    if (!r.success) throw new Error(`API response failed its own schema contract: ${r.error.message}`);
+  }
+  return body;
+}
+function intParam(url, name) {
+  const raw = url.searchParams.get(name);
+  if (raw === null || raw.trim() === "") return void 0;
+  const n = Number(raw);
+  return Number.isInteger(n) ? n : void 0;
+}
+function sessionParam(url) {
+  return url.searchParams.get("session") ?? void 0;
+}
+function handleSummary(ctx, url, d) {
+  return guard(() => ok(validateOut(SummaryResponse, d.backend.summary(ctx, sessionParam(url)))));
+}
+function handleNodes(ctx, url, d) {
+  return guard(() => {
+    const search = url.searchParams.get("search") ?? void 0;
+    const typesRaw = url.searchParams.get("types");
+    const types = typesRaw ? typesRaw.split(",").map((s) => s.trim()).filter(Boolean) : void 0;
+    const limit = intParam(url, "limit");
+    const offset = intParam(url, "offset");
+    const r = d.backend.nodes(
+      ctx,
+      { ...search ? { search } : {}, ...types ? { types } : {}, ...limit !== void 0 ? { limit } : {}, ...offset !== void 0 ? { offset } : {} },
+      sessionParam(url)
+    );
+    return ok(validateOut(NodesResponse, { nodes: r.nodes.map(toApiNode), total: r.total, limit: r.limit, offset: r.offset }));
+  });
+}
+function handleDependencies(ctx, id, url, d) {
+  const directionRaw = url.searchParams.get("direction");
+  if (directionRaw !== null && !DIRECTIONS.includes(directionRaw)) {
+    return badRequest(`direction must be one of ${DIRECTIONS.join(", ")}`);
+  }
+  return guard(() => {
+    const direction = directionRaw ?? void 0;
+    const maxDepth = intParam(url, "maxDepth");
+    const r = d.backend.dependencies(
+      ctx,
+      id,
+      { ...direction ? { direction } : {}, ...maxDepth !== void 0 ? { maxDepth } : {} },
+      sessionParam(url)
+    );
+    return ok(validateOut(DependenciesResponse, projectDependencies(r)));
+  });
+}
+function handleDiff(ctx, url, d) {
+  const base = url.searchParams.get("base");
+  const current = url.searchParams.get("current");
+  if (!base || !current) return badRequest("both `base` and `current` query params are required");
+  return guard(() => {
+    const diff = d.backend.diff(ctx, base, current);
+    return ok(validateOut(DiffResponse, projectDiff(diff)));
+  });
+}
+function handleSessions(ctx, d) {
+  return guard(() => ok(validateOut(SessionsResponse, { sessions: d.backend.sessions(ctx).map(toApiSession) })));
+}
+function handleHealth(ctx, d) {
+  const h = d.backend.health(ctx);
+  return ok(validateOut(HealthResponse, { status: "ok", version: d.version, store: h.store, sessions: h.sessions }));
+}
+// src/api/openapi.ts
+function defOf(schema) {
+  return schema.def ?? {};
+}
+function unwrapOptional(schema) {
+  const def = defOf(schema);
+  if ((def.type === "optional" || def.type === "nullable") && def.innerType) {
+    return { inner: def.innerType, optional: true };
+  }
+  return { inner: schema, optional: false };
+}
+function zodToJsonSchema(schema) {
+  const def = defOf(schema);
+  switch (def.type) {
+    case "string":
+      return { type: "string" };
+    case "number": {
+      const isInt = (def.checks ?? []).some((c) => c._zod?.def?.check === "number_format");
+      return { type: isInt ? "integer" : "number" };
+    }
+    case "boolean":
+      return { type: "boolean" };
+    case "literal": {
+      const values = def.values ?? [];
+      return values.length === 1 ? { const: values[0] } : { enum: values };
+    }
+    case "enum":
+      return { type: "string", enum: Object.values(def.entries ?? {}) };
+    case "array":
+      return { type: "array", items: def.element ? zodToJsonSchema(def.element) : {} };
+    case "record":
+      return { type: "object", additionalProperties: def.valueType ? zodToJsonSchema(def.valueType) : true };
+    case "optional":
+    case "nullable":
+      return def.innerType ? zodToJsonSchema(def.innerType) : {};
+    case "object": {
+      const shape = def.shape ?? {};
+      const properties = {};
+      const required = [];
+      for (const key of Object.keys(shape)) {
+        const { inner, optional } = unwrapOptional(shape[key]);
+        properties[key] = zodToJsonSchema(inner);
+        if (!optional) required.push(key);
+      }
+      return { type: "object", properties, required, additionalProperties: false };
+    }
+    default:
+      throw new Error(`zodToJsonSchema: unsupported zod construct "${def.type ?? "unknown"}". Extend src/api/openapi.ts.`);
+  }
+}
+var TENANT_PARAM = {
+  name: "tenant",
+  in: "query",
+  required: false,
+  description: 'Tenant/org scope (also accepted via the X-Cartograph-Tenant header). Defaults to "local".',
+  schema: { type: "string" }
+};
+var SESSION_PARAM = {
+  name: "session",
+  in: "query",
+  required: false,
+  description: "Session id to query, or omit for the latest discovery session.",
+  schema: { type: "string" }
+};
+function errorResponses() {
+  const err = { description: "Error", content: { "application/json": { schema: { $ref: "#/components/schemas/Error" } } } };
+  return { "400": { ...err, description: "Bad request" }, "401": { ...err, description: "Unauthorized" }, "404": { ...err, description: "Not found" } };
+}
+function ok2(ref, description) {
+  return { description, content: { "application/json": { schema: { $ref: `#/components/schemas/${ref}` } } } };
+}
+function buildOpenApiDocument(opts) {
+  const schemas = {};
+  for (const [name, schema] of Object.entries(API_SCHEMAS)) {
+    schemas[name] = zodToJsonSchema(schema);
+  }
+  return {
+    openapi: "3.1.0",
+    info: {
+      title: "Cartograph API",
+      version: opts.version,
+      description: "Read-only REST API over the discovered infrastructure/agentic-AI topology. Every endpoint is tenant-scoped and bearer-authenticated."
+    },
+    servers: [{ url: "/" }],
+    security: [{ bearerAuth: [] }],
+    components: {
+      securitySchemes: { bearerAuth: { type: "http", scheme: "bearer" } },
+      schemas
+    },
+    paths: {
+      "/v1/health": {
+        get: {
+          summary: "Liveness + store/coverage probe",
+          security: [],
+          responses: { "200": ok2("Health", "Service health") }
+        }
+      },
+      "/v1/openapi.json": {
+        get: {
+          summary: "This OpenAPI document",
+          security: [],
+          responses: { "200": { description: "OpenAPI 3.1 document", content: { "application/json": { schema: { type: "object" } } } } }
+        }
+      },
+      "/v1/summary": {
+        get: {
+          summary: "Low-token topology aggregate for the resolved session",
+          parameters: [SESSION_PARAM, TENANT_PARAM],
+          responses: { "200": ok2("Summary", "Topology summary"), ...errorResponses() }
+        }
+      },
+      "/v1/nodes": {
+        get: {
+          summary: "List/search/paginate nodes",
+          parameters: [
+            { name: "search", in: "query", required: false, description: "Lexical/semantic search anchor.", schema: { type: "string" } },
+            { name: "types", in: "query", required: false, description: "Comma-separated node-type filter.", schema: { type: "string" } },
+            { name: "limit", in: "query", required: false, description: "Page size (default 100, max 1000).", schema: { type: "integer" } },
+            { name: "offset", in: "query", required: false, description: "Page offset (ignored for search).", schema: { type: "integer" } },
+            SESSION_PARAM,
+            TENANT_PARAM
+          ],
+          responses: { "200": ok2("Nodes", "A page of nodes"), ...errorResponses() }
+        }
+      },
+      "/v1/nodes/{id}/dependencies": {
+        get: {
+          summary: "Dependency traversal from a node",
+          parameters: [
+            { name: "id", in: "path", required: true, description: 'Node id ("{type}:{id}").', schema: { type: "string" } },
+            { name: "direction", in: "query", required: false, description: "downstream | upstream | both (default downstream).", schema: { type: "string", enum: ["downstream", "upstream", "both"] } },
+            { name: "maxDepth", in: "query", required: false, description: "Traversal depth (default 8, max 64).", schema: { type: "integer" } },
+            SESSION_PARAM,
+            TENANT_PARAM
+          ],
+          responses: { "200": ok2("Dependencies", "Traversal result"), ...errorResponses() }
+        }
+      },
+      "/v1/diff": {
+        get: {
+          summary: "Compare two sessions (drift)",
+          parameters: [
+            { name: "base", in: "query", required: true, description: "Base session id.", schema: { type: "string" } },
+            { name: "current", in: "query", required: true, description: "Current session id.", schema: { type: "string" } },
+            TENANT_PARAM
+          ],
+          responses: { "200": ok2("Diff", "Topology delta"), ...errorResponses() }
+        }
+      },
+      "/v1/sessions": {
+        get: {
+          summary: "List discovery sessions for the tenant",
+          parameters: [TENANT_PARAM],
+          responses: { "200": ok2("Sessions", "Sessions"), ...errorResponses() }
+        }
+      }
+    }
+  };
+}
+// src/api/graphql.ts
+var SDL = `# Cartograph read-only GraphQL API (4.2). Mirrors the REST surface.
+schema { query: Query }
+type Query {
+  summary(session: String): Summary
+  nodes(search: String, types: [String!], limit: Int, offset: Int, session: String): NodeConnection
+  node(id: String!, session: String): Node
+  dependencies(id: String!, direction: Direction, maxDepth: Int, session: String): Dependencies
+  diff(base: String!, current: String!): Diff
+  sessions: [Session!]!
+}
+enum Direction { downstream upstream both }
+type Totals { nodes: Int! edges: Int! }
+type Count { key: String! value: Int! }
+type TopConnected { id: String! name: String! type: String! degree: Int! }
+type Anomaly { nodeId: String! kind: String! severity: String! reason: String! }
+type Cost { amount: Float! currency: String! period: String! source: String }
+type CostRollup { key: String! currency: String! period: String! total: Float! nodes: Int! }
+type CostCoverage { withCost: Int! total: Int! }
+type Node {
+  id: String! type: String! name: String! confidence: Float!
+  domain: String subDomain: String qualityScore: Float owner: String cost: Cost tags: [String!]!
+}
+type DependencyNode {
+  id: String! type: String! name: String! confidence: Float!
+  domain: String subDomain: String qualityScore: Float owner: String cost: Cost tags: [String!]! depth: Int!
+}
+type Edge { sourceId: String! targetId: String! relationship: String! confidence: Float! evidence: String! }
+type Summary {
+  sessionId: String!
+  totals: Totals!
+  topConnected: [TopConnected!]!
+  anomalies: [Anomaly!]!
+  contributors: Int!
+  costByDomain: [CostRollup!]!
+  costByOwner: [CostRollup!]!
+  costCoverage: CostCoverage!
+}
+type NodeConnection { nodes: [Node!]! total: Int! limit: Int! offset: Int! }
+type Dependencies { root: Node direction: Direction! maxDepth: Int! nodes: [DependencyNode!]! edges: [Edge!]! }
+type SessionEndpoint { sessionId: String! startedAt: String! nodeCount: Int! edgeCount: Int! }
+type DiffSummary { nodesAdded: Int! nodesRemoved: Int! nodesChanged: Int! edgesAdded: Int! edgesRemoved: Int! }
+type NodeChange { id: String! changedFields: [String!]! confidenceDelta: Float! }
+type DiffNodes { added: [Node!]! removed: [Node!]! changed: [NodeChange!]! unchanged: Int! }
+type DiffEdges { added: [Edge!]! removed: [Edge!]! unchanged: Int! }
+type DiffAnomalies { added: [Anomaly!]! }
+type Diff {
+  base: SessionEndpoint! current: SessionEndpoint! summary: DiffSummary!
+  nodes: DiffNodes! edges: DiffEdges! anomalies: DiffAnomalies!
+}
+type Session { id: String! mode: String! startedAt: String! completedAt: String name: String tenant: String! lastScannedAt: String }
+`;
+var resolvers = {
+  summary: (ctx, args, backend) => backend.summary(ctx, str(args["session"])),
+  nodes: (ctx, args, backend) => {
+    const r = backend.nodes(
+      ctx,
+      {
+        ...str(args["search"]) ? { search: str(args["search"]) } : {},
+        ...Array.isArray(args["types"]) ? { types: args["types"].map(String) } : {},
+        ...num(args["limit"]) !== void 0 ? { limit: num(args["limit"]) } : {},
+        ...num(args["offset"]) !== void 0 ? { offset: num(args["offset"]) } : {}
+      },
+      str(args["session"])
+    );
+    return { nodes: r.nodes.map(toApiNode), total: r.total, limit: r.limit, offset: r.offset };
+  },
+  node: (ctx, args, backend) => {
+    const n = backend.node(ctx, String(args["id"]), str(args["session"]));
+    return n ? toApiNode(n) : null;
+  },
+  dependencies: (ctx, args, backend) => {
+    const r = backend.dependencies(
+      ctx,
+      String(args["id"]),
+      {
+        ...str(args["direction"]) ? { direction: str(args["direction"]) } : {},
+        ...num(args["maxDepth"]) !== void 0 ? { maxDepth: num(args["maxDepth"]) } : {}
+      },
+      str(args["session"])
+    );
+    return projectDependencies(r);
+  },
+  diff: (ctx, args, backend) => projectDiff(backend.diff(ctx, String(args["base"]), String(args["current"]))),
+  sessions: (ctx, _args, backend) => backend.sessions(ctx).map(toApiSession)
+};
+function str(v) {
+  return typeof v === "string" ? v : void 0;
+}
+function num(v) {
+  return typeof v === "number" && Number.isInteger(v) ? v : void 0;
+}
+var NAME_RE = /[_A-Za-z][_0-9A-Za-z]*/y;
+function tokenize2(src) {
+  const tokens = [];
+  let i = 0;
+  while (i < src.length) {
+    const c = src[i];
+    if (/\s|,/.test(c)) {
+      i++;
+      continue;
+    }
+    if (c === "#") {
+      while (i < src.length && src[i] !== "\n") i++;
+      continue;
+    }
+    if ("{}()[]:!$".includes(c)) {
+      tokens.push(c);
+      i++;
+      continue;
+    }
+    if (c === '"') {
+      let j = i + 1;
+      let s = "";
+      while (j < src.length && src[j] !== '"') {
+        s += src[j];
+        j++;
+      }
+      tokens.push(JSON.stringify(s));
+      i = j + 1;
+      continue;
+    }
+    NAME_RE.lastIndex = i;
+    const m = NAME_RE.exec(src);
+    if (m && m.index === i) {
+      tokens.push(m[0]);
+      i = NAME_RE.lastIndex;
+      continue;
+    }
+    const numMatch = /-?\d+(\.\d+)?/y;
+    numMatch.lastIndex = i;
+    const nm = numMatch.exec(src);
+    if (nm && nm.index === i) {
+      tokens.push(nm[0]);
+      i = numMatch.lastIndex;
+      continue;
+    }
+    throw new Error(`unexpected character '${c}'`);
+  }
+  return tokens;
+}
+var MAX_SELECTION_DEPTH = 32;
+var Parser = class {
+  constructor(tokens, variables) {
+    this.tokens = tokens;
+    this.variables = variables;
+  }
+  pos = 0;
+  depth = 0;
+  peek() {
+    return this.tokens[this.pos];
+  }
+  next() {
+    return this.tokens[this.pos++];
+  }
+  expect(tok) {
+    if (this.tokens[this.pos] !== tok) throw new Error(`expected '${tok}', got '${this.tokens[this.pos] ?? "<eof>"}'`);
+    this.pos++;
+  }
+  parseDocument() {
+    if (this.peek() === "mutation" || this.peek() === "subscription") {
+      throw new Error("only query operations are supported (read-only API)");
+    }
+    if (this.peek() === "query") {
+      this.next();
+      if (this.peek() && this.peek() !== "{" && this.peek() !== "(") this.next();
+      if (this.peek() === "(") this.skipBalanced("(", ")");
+    }
+    this.expect("{");
+    const selections = this.parseSelectionSet();
+    return selections;
+  }
+  skipBalanced(open, close) {
+    this.expect(open);
+    let depth = 1;
+    while (depth > 0) {
+      const t = this.next();
+      if (t === void 0) throw new Error("unbalanced");
+      if (t === open) depth++;
+      else if (t === close) depth--;
+    }
+  }
+  parseSelectionSet() {
+    if (++this.depth > MAX_SELECTION_DEPTH) throw new Error(`selection set nested deeper than ${MAX_SELECTION_DEPTH}`);
+    const out = [];
+    while (this.peek() !== "}") {
+      if (this.peek() === void 0) throw new Error("unexpected end of selection set");
+      out.push(this.parseSelection());
+    }
+    this.expect("}");
+    this.depth--;
+    return out;
+  }
+  parseSelection() {
+    let name = this.next();
+    const alias = name;
+    if (this.peek() === ":") {
+      this.next();
+      name = this.next();
+    }
+    const args = {};
+    if (this.peek() === "(") {
+      this.next();
+      while (this.peek() !== ")") {
+        const argName = this.next();
+        this.expect(":");
+        args[argName] = this.parseValue();
+      }
+      this.expect(")");
+    }
+    let selections = [];
+    if (this.peek() === "{") {
+      this.next();
+      selections = this.parseSelectionSet();
+    }
+    return { name, alias, args, selections };
+  }
+  parseValue() {
+    const t = this.next();
+    if (t === "$") {
+      const v = this.next();
+      return this.variables[v];
+    }
+    if (t === "[") {
+      const arr = [];
+      while (this.peek() !== "]") arr.push(this.parseValue());
+      this.expect("]");
+      return arr;
+    }
+    if (t.startsWith('"')) return JSON.parse(t);
+    if (t === "true") return true;
+    if (t === "false") return false;
+    if (t === "null") return null;
+    if (/^-?\d+(\.\d+)?$/.test(t)) return Number(t);
+    return t;
+  }
+};
+function project(value, selections) {
+  if (value === null || value === void 0) return null;
+  if (selections.length === 0) return value;
+  if (Array.isArray(value)) return value.map((v) => project(v, selections));
+  if (typeof value !== "object") return value;
+  const obj = value;
+  const out = {};
+  for (const sel of selections) {
+    if (sel.name === "__typename") {
+      out[sel.alias] = void 0;
+      continue;
+    }
+    out[sel.alias] = project(obj[sel.name], sel.selections);
+  }
+  return out;
+}
+function introspectionSchema() {
+  const names = [...SDL.matchAll(/^(?:type|enum)\s+([_A-Za-z][_0-9A-Za-z]*)/gm)].map((m) => m[1]);
+  const types = names.map((name) => ({ name, kind: /^[A-Z]/.test(name) ? "OBJECT" : "SCALAR" }));
+  return {
+    __schema: {
+      queryType: { name: "Query" },
+      mutationType: null,
+      subscriptionType: null,
+      types,
+      directives: []
+    }
+  };
+}
+async function executeGraphql(ctx, body, deps) {
+  const req = body ?? {};
+  if (typeof req.query !== "string" || req.query.trim() === "") {
+    return { errors: [{ message: "missing query" }] };
+  }
+  const variables = typeof req.variables === "object" && req.variables !== null ? req.variables : {};
+  let selections;
+  try {
+    selections = new Parser(tokenize2(req.query), variables).parseDocument();
+  } catch (err) {
+    return { errors: [{ message: `syntax error: ${err instanceof Error ? err.message : String(err)}` }] };
+  }
+  const data = {};
+  const errors = [];
+  for (const sel of selections) {
+    try {
+      if (sel.name === "__schema") {
+        data[sel.alias] = project(introspectionSchema()["__schema"], sel.selections);
+        continue;
+      }
+      if (sel.name === "__typename") {
+        data[sel.alias] = "Query";
+        continue;
+      }
+      const resolver = resolvers[sel.name];
+      if (!resolver) {
+        errors.push({ message: `Cannot query field "${sel.name}" on type "Query"` });
+        continue;
+      }
+      const resolved = resolver(ctx, sel.args, deps.backend);
+      data[sel.alias] = project(resolved, sel.selections);
+    } catch (err) {
+      errors.push({ message: err instanceof Error ? err.message : String(err) });
+    }
+  }
+  return errors.length > 0 ? { data, errors } : { data };
+}
+function handleGraphqlGet() {
+  return { status: 200, body: SDL };
+}
+// src/api/server.ts
+var DEPENDENCIES_RE = /^\/v1\/nodes\/(.+)\/dependencies$/;
+var MAX_GRAPHQL_BYTES = 1024 * 1024;
+function send(res, status, body, headers = {}) {
+  res.writeHead(status, { "content-type": "application/json", ...headers }).end(JSON.stringify(body));
+}
+async function readBody(req, cap) {
+  const chunks = [];
+  let total = 0;
+  let overflow = false;
+  for await (const chunk of req) {
+    if (overflow) continue;
+    const buf = chunk;
+    total += buf.length;
+    if (total > cap) {
+      overflow = true;
+      chunks.length = 0;
+      continue;
+    }
+    chunks.push(buf);
+  }
+  if (overflow) return { overflow: true, value: void 0 };
+  if (chunks.length === 0) return { overflow: false, value: void 0 };
+  try {
+    return { overflow: false, value: JSON.parse(Buffer.concat(chunks).toString("utf8")) };
+  } catch {
+    return { overflow: false, value: void 0 };
+  }
+}
+async function runApi(opts) {
+  const host2 = opts.host ?? "127.0.0.1";
+  const requestedPort = opts.port ?? 3737;
+  const token = opts.token;
+  const graphqlEnabled = opts.graphql !== false;
+  const defaultTenant = opts.tenant?.defaultTenant ?? DEFAULT_TENANT;
+  const log2 = opts.log ?? (() => {
+  });
+  const restDeps = { backend: opts.backend, version: opts.version };
+  const openApiDoc = buildOpenApiDocument({ version: opts.version });
+  const allowedOrigins = opts.allowedOrigins ?? [];
+  assertSafeBind({ host: host2, port: requestedPort, ...opts.allowedHosts ? { allowedHosts: opts.allowedHosts } : {}, ...token ? { token } : {} });
+  let allowedHosts = opts.allowedHosts ?? [];
+  const corsHeaders = (req) => {
+    const origin = req.headers["origin"];
+    if (typeof origin === "string" && allowedOrigins.includes(origin)) {
+      return {
+        "access-control-allow-origin": origin,
+        "vary": "Origin",
+        "access-control-allow-methods": "GET, POST, OPTIONS",
+        "access-control-allow-headers": "authorization, content-type, x-cartograph-tenant"
+      };
+    }
+    return {};
+  };
+  const server = import_node_http2.default.createServer((req, res) => {
+    const started = Date.now();
+    let tenantLabel = "-";
+    const finish = (status) => {
+      log2(`[cartography-api] ${req.method ?? "-"} ${req.url ?? "-"} ${status} ${Date.now() - started}ms tenant=${tenantLabel}`);
+    };
+    void (async () => {
+      try {
+        const url = new URL(req.url ?? "/", `http://${req.headers["host"] ?? host2}`);
+        const path = url.pathname;
+        const cors = corsHeaders(req);
+        if (req.method === "OPTIONS") {
+          res.writeHead(204, cors).end();
+          finish(204);
+          return;
+        }
+        const hostHeader = (req.headers["host"] ?? "").toLowerCase();
+        if (!allowedHosts.some((h) => h.toLowerCase() === hostHeader)) {
+          send(res, 403, { error: "host not allowed" }, cors);
+          finish(403);
+          return;
+        }
+        if (path === "/v1/openapi.json" && req.method === "GET") {
+          send(res, 200, openApiDoc, cors);
+          finish(200);
+          return;
+        }
+        if (path === "/v1/health") {
+          if (req.method !== "GET") {
+            send(res, 405, { error: "method not allowed" }, { allow: "GET", ...cors });
+            finish(405);
+            return;
+          }
+          tenantLabel = defaultTenant;
+          const r = handleHealth({ tenant: defaultTenant }, restDeps);
+          send(res, r.status, r.body, cors);
+          finish(r.status);
+          return;
+        }
+        if (!checkBearer(req.headers["authorization"], token)) {
+          send(res, 401, { error: "unauthorized" }, { "www-authenticate": "Bearer", ...cors });
+          finish(401);
+          return;
+        }
+        let ctx;
+        try {
+          ctx = resolveTenant(req, url, opts.tenant ?? {});
+          tenantLabel = ctx.tenant;
+        } catch (err) {
+          if (err instanceof InvalidTenantError) {
+            send(res, 400, { error: "invalid tenant" }, cors);
+            finish(400);
+            return;
+          }
+          throw err;
+        }
+        if (graphqlEnabled && path === "/graphql") {
+          if (req.method === "GET") {
+            const g = handleGraphqlGet();
+            res.writeHead(g.status, { "content-type": "text/plain; charset=utf-8", ...cors }).end(g.body);
+            finish(g.status);
+            return;
+          }
+          if (req.method === "POST") {
+            const { overflow, value } = await readBody(req, MAX_GRAPHQL_BYTES);
+            if (overflow) {
+              send(res, 413, { error: "payload too large" }, cors);
+              finish(413);
+              return;
+            }
+            const result = await executeGraphql(ctx, value, { backend: opts.backend });
+            send(res, 200, result, cors);
+            finish(200);
+            return;
+          }
+          send(res, 405, { error: "method not allowed" }, { allow: "GET, POST", ...cors });
+          finish(405);
+          return;
+        }
+        if (path.startsWith("/v1/")) {
+          if (req.method !== "GET") {
+            send(res, 405, { error: "method not allowed" }, { allow: "GET", ...cors });
+            finish(405);
+            return;
+          }
+          const result = dispatchRest(ctx, path, url, restDeps);
+          if (result) {
+            send(res, result.status, result.body, cors);
+            finish(result.status);
+            return;
+          }
+        }
+        send(res, 404, { error: "not found" }, cors);
+        finish(404);
+      } catch (err) {
+        process.stderr.write(`[cartography-api] request failed: ${err instanceof Error ? err.message : String(err)}
+`);
+        if (!res.headersSent) send(res, 500, { error: "internal error" });
+        finish(500);
+      }
+    })();
+  });
+  await new Promise((resolve3) => server.listen(requestedPort, host2, resolve3));
+  const actualPort = server.address().port;
+  if (allowedHosts.length === 0) allowedHosts = defaultAllowedHosts(host2, actualPort);
+  return server;
+}
+function dispatchRest(ctx, path, url, deps) {
+  switch (path) {
+    case "/v1/summary":
+      return handleSummary(ctx, url, deps);
+    case "/v1/nodes":
+      return handleNodes(ctx, url, deps);
+    case "/v1/diff":
+      return handleDiff(ctx, url, deps);
+    case "/v1/sessions":
+      return handleSessions(ctx, deps);
+    default: {
+      const m = DEPENDENCIES_RE.exec(path);
+      if (m) return handleDependencies(ctx, decodeURIComponent(m[1]), url, deps);
+      return void 0;
+    }
+  }
+}
+// src/api/start.ts
+var import_node_fs5 = require("fs");
+var import_node_path5 = require("path");
+var import_node_url = require("url");
+var import_meta = {};
+function readVersion() {
+  try {
+    const dir = import_meta.dirname ?? (0, import_node_path5.dirname)((0, import_node_url.fileURLToPath)(import_meta.url));
+    return JSON.parse((0, import_node_fs5.readFileSync)((0, import_node_path5.resolve)(dir, "..", "package.json"), "utf-8")).version ?? "0.0.0";
+  } catch {
+    return "0.0.0";
+  }
+}
+function parseApiArgs(argv) {
+  const opts = {};
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a === "--http") continue;
+    else if (a === "--no-graphql") opts.graphql = false;
+    else if (a === "--port") opts.port = Number(argv[++i]);
+    else if (a === "--host") opts.host = argv[++i];
+    else if (a === "--allowed-hosts") opts.allowedHosts = splitList(argv[++i]);
+    else if (a === "--allowed-origins") opts.allowedOrigins = splitList(argv[++i]);
+    else if (a === "--token") opts.token = argv[++i];
+    else if (a === "--db") opts.dbPath = argv[++i];
+    else if (a === "--session") opts.session = argv[++i];
+    else if (a === "--tenant" || a === "--org") opts.tenant = argv[++i];
+    else if (a === "--help" || a === "-h") opts.help = true;
+  }
+  return opts;
+}
+function splitList(raw) {
+  return (raw ?? "").split(",").map((s) => s.trim()).filter(Boolean);
+}
+async function startApi(opts = {}) {
+  const log2 = opts.log ?? ((m) => process.stderr.write(m + "\n"));
+  const db = new CartographyDB(opts.dbPath ?? defaultConfig().dbPath);
+  const backend = createSqliteQueryBackend(db, opts.session ?? "latest");
+  const token = opts.token ?? process.env["CARTOGRAPHY_HTTP_TOKEN"];
+  const host2 = opts.host ?? "127.0.0.1";
+  const port = opts.port ?? 3737;
+  const version = readVersion();
+  const server = await runApi({
+    host: host2,
+    port,
+    backend,
+    version,
+    ...opts.allowedHosts ? { allowedHosts: opts.allowedHosts } : {},
+    ...opts.allowedOrigins ? { allowedOrigins: opts.allowedOrigins } : {},
+    ...token ? { token } : {},
+    ...opts.graphql === false ? { graphql: false } : {},
+    ...opts.tenant ? { tenant: { defaultTenant: normalizeTenant(opts.tenant) } } : {},
+    log: log2
+  });
+  const graphqlNote = opts.graphql === false ? " [REST only]" : " + /graphql";
+  log2(
+    `Cartograph API (REST${graphqlNote}) on http://${host2}:${port}/v1${token ? " (auth: bearer token required)" : ""} (tenant: ${normalizeTenant(opts.tenant)})`
+  );
+  return server;
+}
 // src/installer/format.ts
 var import_smol_toml = require("smol-toml");
 var import_yaml = require("yaml");
@@ -7031,8 +8367,8 @@ function defaultServerEntry(opts = {}) {
 }
 // src/installer/install.ts
-var import_node_fs5 = require("fs");
-var import_node_path5 = require("path");
+var import_node_fs6 = require("fs");
+var import_node_path6 = require("path");
 var import_node_os4 = require("os");
 function currentOs() {
   if (process.platform === "win32") return "win";
@@ -7047,8 +8383,8 @@ function planInstall(spec, ctx, opts) {
   if (!path) {
     throw new Error(`${spec.label} does not support the "${ctx.scope}" scope.`);
   }
-  const fileExists = (0, import_node_fs5.existsSync)(path);
-  const before = fileExists ? (0, import_node_fs5.readFileSync)(path, "utf8") : "";
+  const fileExists = (0, import_node_fs6.existsSync)(path);
+  const before = fileExists ? (0, import_node_fs6.readFileSync)(path, "utf8") : "";
   const existing = parseConfig(before, spec.format);
   const merged = spec.apply(existing, opts.serverName ?? DEFAULT_SERVER_NAME, opts.entry);
   const after = serializeConfig(merged, spec.format);
@@ -7065,8 +8401,8 @@ function planInstall(spec, ctx, opts) {
   };
 }
 function applyInstall(plan) {
-  (0, import_node_fs5.mkdirSync)((0, import_node_path5.dirname)(plan.path), { recursive: true });
-  (0, import_node_fs5.writeFileSync)(plan.path, plan.after, "utf8");
+  (0, import_node_fs6.mkdirSync)((0, import_node_path6.dirname)(plan.path), { recursive: true });
+  (0, import_node_fs6.writeFileSync)(plan.path, plan.after, "utf8");
 }
 function renderDiff(before, after) {
   if (before === after) return "  (no changes)";
@@ -7086,7 +8422,7 @@ function renderDiff(before, after) {
 }
 // src/installer/registry.ts
-var import_node_path6 = require("path");
+var import_node_path7 = require("path");
 function jsonKeyedClient(args) {
   return {
     id: args.id,
@@ -7101,31 +8437,31 @@ var claudeCode = jsonKeyedClient({
   id: "claude-code",
   label: "Claude Code",
   key: "mcpServers",
-  globalPath: (ctx) => (0, import_node_path6.join)(ctx.home, ".claude.json"),
-  projectPath: (ctx) => (0, import_node_path6.join)(ctx.cwd, ".mcp.json")
+  globalPath: (ctx) => (0, import_node_path7.join)(ctx.home, ".claude.json"),
+  projectPath: (ctx) => (0, import_node_path7.join)(ctx.cwd, ".mcp.json")
 });
 var cursor = jsonKeyedClient({
   id: "cursor",
   label: "Cursor",
   key: "mcpServers",
-  globalPath: (ctx) => (0, import_node_path6.join)(ctx.home, ".cursor", "mcp.json"),
-  projectPath: (ctx) => (0, import_node_path6.join)(ctx.cwd, ".cursor", "mcp.json")
+  globalPath: (ctx) => (0, import_node_path7.join)(ctx.home, ".cursor", "mcp.json"),
+  projectPath: (ctx) => (0, import_node_path7.join)(ctx.cwd, ".cursor", "mcp.json")
 });
 function vscodeServerObject(entry) {
   if (entry.url) return { type: "http", url: entry.url, ...entry.env ? { env: entry.env } : {} };
   return { type: "stdio", command: entry.command, args: entry.args ?? [], ...entry.env ? { env: entry.env } : {} };
 }
 function vscodeUserDir(ctx) {
-  if (ctx.os === "win") return (0, import_node_path6.join)(ctx.env.APPDATA ?? (0, import_node_path6.join)(ctx.home, "AppData", "Roaming"), "Code", "User");
-  if (ctx.os === "mac") return (0, import_node_path6.join)(ctx.home, "Library", "Application Support", "Code", "User");
-  return (0, import_node_path6.join)(ctx.home, ".config", "Code", "User");
+  if (ctx.os === "win") return (0, import_node_path7.join)(ctx.env.APPDATA ?? (0, import_node_path7.join)(ctx.home, "AppData", "Roaming"), "Code", "User");
+  if (ctx.os === "mac") return (0, import_node_path7.join)(ctx.home, "Library", "Application Support", "Code", "User");
+  return (0, import_node_path7.join)(ctx.home, ".config", "Code", "User");
 }
 var vscode = {
   id: "vscode",
   label: "VS Code (Copilot)",
   format: "json",
   note: "Uses the `servers` key (not `mcpServers`) \u2014 the most common copy-paste mistake.",
-  path: (ctx) => ctx.scope === "project" ? (0, import_node_path6.join)(ctx.cwd, ".vscode", "mcp.json") : (0, import_node_path6.join)(vscodeUserDir(ctx), "mcp.json"),
+  path: (ctx) => ctx.scope === "project" ? (0, import_node_path7.join)(ctx.cwd, ".vscode", "mcp.json") : (0, import_node_path7.join)(vscodeUserDir(ctx), "mcp.json"),
   apply: (existing, name, entry) => deepMerge(existing, { servers: { [name]: vscodeServerObject(entry) } })
 };
 var codex = {
@@ -7133,17 +8469,17 @@ var codex = {
   label: "Codex CLI",
   format: "toml",
   note: 'Project scope only loads in "trusted" projects.',
-  path: (ctx) => ctx.scope === "project" ? (0, import_node_path6.join)(ctx.cwd, ".codex", "config.toml") : (0, import_node_path6.join)(ctx.home, ".codex", "config.toml"),
+  path: (ctx) => ctx.scope === "project" ? (0, import_node_path7.join)(ctx.cwd, ".codex", "config.toml") : (0, import_node_path7.join)(ctx.home, ".codex", "config.toml"),
   apply: (existing, name, entry) => deepMerge(existing, { mcp_servers: { [name]: mcpServerObject(entry) } })
 };
 var windsurf = jsonKeyedClient({
   id: "windsurf",
   label: "Windsurf",
   key: "mcpServers",
-  globalPath: (ctx) => (0, import_node_path6.join)(ctx.home, ".codeium", "windsurf", "mcp_config.json")
+  globalPath: (ctx) => (0, import_node_path7.join)(ctx.home, ".codeium", "windsurf", "mcp_config.json")
 });
 function codeGlobalStorage(ctx, extensionId) {
-  return (0, import_node_path6.join)(vscodeUserDir(ctx), "globalStorage", extensionId, "settings", "cline_mcp_settings.json");
+  return (0, import_node_path7.join)(vscodeUserDir(ctx), "globalStorage", extensionId, "settings", "cline_mcp_settings.json");
 }
 var cline = {
   id: "cline",
@@ -7158,7 +8494,7 @@ var roo = {
   label: "Roo Code",
   format: "json",
   note: "Project .roo/mcp.json takes precedence over the global settings.",
-  path: (ctx) => ctx.scope === "project" ? (0, import_node_path6.join)(ctx.cwd, ".roo", "mcp.json") : codeGlobalStorage(ctx, "rooveterinaryinc.roo-cline"),
+  path: (ctx) => ctx.scope === "project" ? (0, import_node_path7.join)(ctx.cwd, ".roo", "mcp.json") : codeGlobalStorage(ctx, "rooveterinaryinc.roo-cline"),
   apply: (existing, name, entry) => deepMerge(existing, { mcpServers: { [name]: mcpServerObject(entry) } })
 };
 var zed = {
@@ -7167,9 +8503,9 @@ var zed = {
   format: "json",
   note: 'Manual servers need "source": "custom"; remote uses an mcp-remote bridge.',
   path: (ctx) => {
-    if (ctx.scope === "project") return (0, import_node_path6.join)(ctx.cwd, ".zed", "settings.json");
-    if (ctx.os === "win") return (0, import_node_path6.join)(ctx.env.APPDATA ?? (0, import_node_path6.join)(ctx.home, "AppData", "Roaming"), "Zed", "settings.json");
-    return (0, import_node_path6.join)(ctx.home, ".config", "zed", "settings.json");
+    if (ctx.scope === "project") return (0, import_node_path7.join)(ctx.cwd, ".zed", "settings.json");
+    if (ctx.os === "win") return (0, import_node_path7.join)(ctx.env.APPDATA ?? (0, import_node_path7.join)(ctx.home, "AppData", "Roaming"), "Zed", "settings.json");
+    return (0, import_node_path7.join)(ctx.home, ".config", "zed", "settings.json");
   },
   apply: (existing, name, entry) => {
     const inner = entry.url ? { source: "custom", url: entry.url } : { source: "custom", command: entry.command, args: entry.args ?? [], ...entry.env ? { env: entry.env } : {} };
@@ -7180,14 +8516,14 @@ var junie = {
   id: "junie",
   label: "JetBrains / Junie",
   format: "json",
-  path: (ctx) => ctx.scope === "project" ? (0, import_node_path6.join)(ctx.cwd, ".junie", "mcp", "mcp.json") : (0, import_node_path6.join)(ctx.home, ".junie", "mcp", "mcp.json"),
+  path: (ctx) => ctx.scope === "project" ? (0, import_node_path7.join)(ctx.cwd, ".junie", "mcp", "mcp.json") : (0, import_node_path7.join)(ctx.home, ".junie", "mcp", "mcp.json"),
   apply: (existing, name, entry) => deepMerge(existing, { mcpServers: { [name]: mcpServerObject(entry) } })
 };
 var gemini = {
   id: "gemini",
   label: "Gemini CLI",
   format: "json",
-  path: (ctx) => ctx.scope === "project" ? (0, import_node_path6.join)(ctx.cwd, ".gemini", "settings.json") : (0, import_node_path6.join)(ctx.home, ".gemini", "settings.json"),
+  path: (ctx) => ctx.scope === "project" ? (0, import_node_path7.join)(ctx.cwd, ".gemini", "settings.json") : (0, import_node_path7.join)(ctx.home, ".gemini", "settings.json"),
   apply: (existing, name, entry) => {
     const inner = entry.url ? { httpUrl: entry.url, ...entry.env ? { env: entry.env } : {} } : mcpServerObject(entry);
     return deepMerge(existing, { mcpServers: { [name]: inner } });
@@ -7199,8 +8535,8 @@ var goose = {
   format: "yaml",
   note: "Verify the extension shape against current Goose docs; built-ins are left untouched.",
   path: (ctx) => {
-    if (ctx.os === "win") return (0, import_node_path6.join)(ctx.env.APPDATA ?? (0, import_node_path6.join)(ctx.home, "AppData", "Roaming"), "Block", "goose", "config", "config.yaml");
-    return (0, import_node_path6.join)(ctx.home, ".config", "goose", "config.yaml");
+    if (ctx.os === "win") return (0, import_node_path7.join)(ctx.env.APPDATA ?? (0, import_node_path7.join)(ctx.home, "AppData", "Roaming"), "Block", "goose", "config", "config.yaml");
+    return (0, import_node_path7.join)(ctx.home, ".config", "goose", "config.yaml");
   },
   apply: (existing, name, entry) => {
     const inner = entry.url ? { name, type: "streamable_http", enabled: true, uri: entry.url, ...entry.env ? { env: entry.env } : {} } : { name, type: "stdio", enabled: true, command: entry.command, args: entry.args ?? [], ...entry.env ? { env: entry.env } : {} };
@@ -7215,7 +8551,7 @@ var openhands = {
   label: "OpenHands",
   format: "toml",
   note: "SHTTP is preferred; SSE is legacy. Only api_key is supported (no arbitrary headers).",
-  path: (ctx) => ctx.scope === "project" ? (0, import_node_path6.join)(ctx.cwd, "config.toml") : (0, import_node_path6.join)(ctx.home, ".openhands", "config.toml"),
+  path: (ctx) => ctx.scope === "project" ? (0, import_node_path7.join)(ctx.cwd, "config.toml") : (0, import_node_path7.join)(ctx.home, ".openhands", "config.toml"),
   apply: (existing, name, entry) => {
     const mcp = isObj(existing.mcp) ? { ...existing.mcp } : {};
     const key = entry.url ? "shttp_servers" : "stdio_servers";
@@ -7236,9 +8572,9 @@ var claudeDesktop = {
   note: "One-click install is also available via the .mcpb bundle (npm run build:mcpb).",
   path: (ctx) => {
     if (ctx.scope === "project") return void 0;
-    if (ctx.os === "win") return (0, import_node_path6.join)(ctx.env.APPDATA ?? (0, import_node_path6.join)(ctx.home, "AppData", "Roaming"), "Claude", "claude_desktop_config.json");
-    if (ctx.os === "mac") return (0, import_node_path6.join)(ctx.home, "Library", "Application Support", "Claude", "claude_desktop_config.json");
-    return (0, import_node_path6.join)(ctx.home, ".config", "Claude", "claude_desktop_config.json");
+    if (ctx.os === "win") return (0, import_node_path7.join)(ctx.env.APPDATA ?? (0, import_node_path7.join)(ctx.home, "AppData", "Roaming"), "Claude", "claude_desktop_config.json");
+    if (ctx.os === "mac") return (0, import_node_path7.join)(ctx.home, "Library", "Application Support", "Claude", "claude_desktop_config.json");
+    return (0, import_node_path7.join)(ctx.home, ".config", "Claude", "claude_desktop_config.json");
   },
   apply: (existing, name, entry) => deepMerge(existing, { mcpServers: { [name]: mcpServerObject(entry) } })
 };
@@ -7439,13 +8775,13 @@ function createClaudeProvider() {
 }
 // src/providers/shell.ts
-var import_zod8 = require("zod");
+var import_zod9 = require("zod");
 function createBashTool() {
   const shell = IS_WIN ? "powershell" : "posix";
   return {
     name: "Bash",
     description: "Run a read-only shell command (inspect ports, processes, config). Mutating or destructive commands are blocked by the read-only allowlist.",
-    inputShape: { command: import_zod8.z.string().describe("The read-only shell command to run") },
+    inputShape: { command: import_zod9.z.string().describe("The read-only shell command to run") },
     annotations: { readOnlyHint: true, openWorldHint: true },
     handler: async (args) => {
       const command = String(args["command"] ?? "").trim();
@@ -7914,8 +9250,8 @@ Use ask_user when you need context from the user.`;
 }
 // src/cost.ts
-var import_node_fs6 = require("fs");
-var import_node_path7 = require("path");
+var import_node_fs7 = require("fs");
+var import_node_path8 = require("path");
 function splitCsvLine(line) {
   const out = [];
   let cur = "";
@@ -7993,7 +9329,7 @@ var CsvCostSource = class {
   }
   id;
   async fetch() {
-    const text = (0, import_node_fs6.readFileSync)((0, import_node_path7.resolve)(this.opts.filePath), "utf-8");
+    const text = (0, import_node_fs7.readFileSync)((0, import_node_path8.resolve)(this.opts.filePath), "utf-8");
     const records = parseCostCsv(text);
     const match = this.opts.match ?? "nodeId";
     const out = /* @__PURE__ */ new Map();
@@ -8024,19 +9360,19 @@ async function enrichCosts(db, sessionId, source) {
   let matched = 0;
   const unmatchedIds = [];
   for (const [nodeId, rec] of records) {
-    const ok = db.enrichNodeAttribution(sessionId, nodeId, {
+    const ok3 = db.enrichNodeAttribution(sessionId, nodeId, {
       owner: rec.owner ?? void 0,
       cost: rec.cost ?? void 0
     });
-    if (ok) matched++;
+    if (ok3) matched++;
     else unmatchedIds.push(nodeId);
   }
   return { source: source.id, total: records.size, matched, unmatched: unmatchedIds.length, unmatchedIds };
 }
 // src/exporter.ts
-var import_node_fs7 = require("fs");
-var import_node_path8 = require("path");
+var import_node_fs8 = require("fs");
+var import_node_path9 = require("path");
 // src/hex.ts
 function hexToPixel(q, r, size) {
@@ -8135,10 +9471,10 @@ function assignColors(domains) {
   return result;
 }
 function shadeVariant(hex, amount) {
-  const num = parseInt(hex.replace("#", ""), 16);
-  const r = Math.min(255, (num >> 16) + amount);
-  const g = Math.min(255, (num >> 8 & 255) + amount);
-  const b = Math.min(255, (num & 255) + amount);
+  const num2 = parseInt(hex.replace("#", ""), 16);
+  const r = Math.min(255, (num2 >> 16) + amount);
+  const g = Math.min(255, (num2 >> 8 & 255) + amount);
+  const b = Math.min(255, (num2 & 255) + amount);
   return `#${r.toString(16).padStart(2, "0")}${g.toString(16).padStart(2, "0")}${b.toString(16).padStart(2, "0")}`;
 }
 function groupByDomain(assets) {
@@ -9728,28 +11064,28 @@ function exportComplianceReport(report, format) {
   return lines.join("\n");
 }
 function exportAll(db, sessionId, outputDir, formats = ["mermaid", "json", "yaml", "html", "map", "discovery"]) {
-  (0, import_node_fs7.mkdirSync)(outputDir, { recursive: true });
+  (0, import_node_fs8.mkdirSync)(outputDir, { recursive: true });
   const nodes = db.getNodes(sessionId);
   const edges = db.getEdges(sessionId);
-  const jgfPath = (0, import_node_path8.join)(outputDir, "cartography-graph.jgf.json");
-  (0, import_node_fs7.writeFileSync)(jgfPath, exportJGF(nodes, edges));
+  const jgfPath = (0, import_node_path9.join)(outputDir, "cartography-graph.jgf.json");
+  (0, import_node_fs8.writeFileSync)(jgfPath, exportJGF(nodes, edges));
   if (formats.includes("mermaid")) {
-    (0, import_node_fs7.writeFileSync)((0, import_node_path8.join)(outputDir, "topology.mermaid"), generateTopologyMermaid(nodes, edges));
-    (0, import_node_fs7.writeFileSync)((0, import_node_path8.join)(outputDir, "dependencies.mermaid"), generateDependencyMermaid(nodes, edges));
+    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "topology.mermaid"), generateTopologyMermaid(nodes, edges));
+    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "dependencies.mermaid"), generateDependencyMermaid(nodes, edges));
   }
   if (formats.includes("json")) {
-    (0, import_node_fs7.writeFileSync)((0, import_node_path8.join)(outputDir, "catalog.json"), exportJSON(db, sessionId));
+    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "catalog.json"), exportJSON(db, sessionId));
   }
   if (formats.includes("yaml")) {
-    (0, import_node_fs7.writeFileSync)((0, import_node_path8.join)(outputDir, "catalog-info.yaml"), exportBackstageYAML(nodes, edges));
+    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "catalog-info.yaml"), exportBackstageYAML(nodes, edges));
   }
   if (formats.includes("html") || formats.includes("map") || formats.includes("discovery")) {
-    (0, import_node_fs7.writeFileSync)((0, import_node_path8.join)(outputDir, "discovery.html"), exportDiscoveryApp(nodes, edges));
+    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "discovery.html"), exportDiscoveryApp(nodes, edges));
   }
   if (formats.includes("cost")) {
     const summary = db.getGraphSummary(sessionId);
-    (0, import_node_fs7.writeFileSync)((0, import_node_path8.join)(outputDir, "cost-by-domain.csv"), exportCostCSV(summary));
-    (0, import_node_fs7.writeFileSync)((0, import_node_path8.join)(outputDir, "cost-summary.json"), exportCostSummary(summary));
+    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "cost-by-domain.csv"), exportCostCSV(summary));
+    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "cost-summary.json"), exportCostSummary(summary));
   }
 }
@@ -9781,7 +11117,7 @@ function formatComplianceText(report) {
 }
 // src/config.ts
-var import_node_fs8 = require("fs");
+var import_node_fs9 = require("fs");
 var ConfigError = class extends Error {
   constructor(message) {
     super(message);
@@ -9806,7 +11142,7 @@ function loadConfig(path) {
 function readConfigFile(path) {
   let raw;
   try {
-    raw = (0, import_node_fs8.readFileSync)(path, "utf-8");
+    raw = (0, import_node_fs9.readFileSync)(path, "utf-8");
   } catch (err) {
     throw new ConfigError(
       `Cannot read config file ${path}: ${err instanceof Error ? err.message : String(err)}`
@@ -10067,7 +11403,7 @@ async function pushDeltas(config, items, opts = {}) {
       sentHashes.push(...batch.map((b) => b.contentHash));
       continue;
     }
-    let ok = false;
+    let ok3 = false;
     for (let attempt = 0; attempt <= maxRetries; attempt++) {
       const controller = new AbortController();
       const timer = setTimeout(() => controller.abort(), timeoutMs);
@@ -10086,7 +11422,7 @@ async function pushDeltas(config, items, opts = {}) {
         const elapsed = Date.now() - startedAt;
         if (res.ok) {
           log2(`pushed ${batch.length} item(s) \u2192 ${safeUrl} [${res.status}] ${elapsed}ms (attempt ${attempt + 1})`);
-          ok = true;
+          ok3 = true;
           break;
         }
         if (res.status >= 400 && res.status < 500) {
@@ -10105,7 +11441,7 @@ async function pushDeltas(config, items, opts = {}) {
         await sleep(base + Math.floor(Math.random() * 100));
       }
     }
-    if (ok) {
+    if (ok3) {
       sent += batch.length;
       sentHashes.push(...batch.map((b) => b.contentHash));
     } else {
@@ -10164,14 +11500,14 @@ function runSyncClassify(db, sessionId, config, opts = {}) {
 // src/preflight.ts
 var import_node_child_process2 = require("child_process");
-var import_node_fs9 = require("fs");
-var import_node_path9 = require("path");
+var import_node_fs10 = require("fs");
+var import_node_path10 = require("path");
 function isOAuthLoggedIn() {
   const home = process.env.HOME ?? process.env.USERPROFILE ?? "/tmp";
-  const credFile = (0, import_node_path9.join)(home, ".claude", ".credentials.json");
-  if (!(0, import_node_fs9.existsSync)(credFile)) return false;
+  const credFile = (0, import_node_path10.join)(home, ".claude", ".credentials.json");
+  if (!(0, import_node_fs10.existsSync)(credFile)) return false;
   try {
-    const creds = JSON.parse((0, import_node_fs9.readFileSync)(credFile, "utf8"));
+    const creds = JSON.parse((0, import_node_fs10.readFileSync)(credFile, "utf8"));
     const oauth = creds["claudeAiOauth"];
     return typeof oauth?.["accessToken"] === "string" && oauth["accessToken"].length > 0;
   } catch {
@@ -10238,37 +11574,51 @@ function checkClaudePrerequisites() {
   DriftConfigSchema,
   INGEST_SCHEMA_VERSION,
   IngestEnvelopeSchema,
+  InvalidTenantError,
+  JiraSink,
+  LOOPBACK_HOSTS,
   MCP_BIN,
+  NotFoundError,
   PACKAGE_NAME,
+  PAGERDUTY_ENQUEUE_URL,
   PERSONAL,
   PORT_MAP,
   PRIVATE_IP,
   PUSH_SCHEMA_VERSION,
+  PagerDutySink,
   ProviderRegistry,
   RELATION_TO_DIRECTION,
   RuleCheckSchema,
   RulesetSchema,
   SCAN_ARG_PATTERNS,
+  SDL,
   SEVERITY_WEIGHT,
   SHARING_LEVELS,
   ScannerRegistry,
   ScannerShape,
   SharingLevelSchema,
+  SlackSink,
+  SqliteQueryBackend,
   SqliteStoreBackend,
   StdoutSink,
+  TENANT_HEADER,
   VectorStore,
   WebhookSink,
   applyInstall,
   applySharingLevel,
   assertReadOnly,
+  assertSafeBind,
   assertSafeScanArg,
   assignColors,
+  bearerToken,
   bookmarksScanner,
   buildCartographyToolHandlers,
   buildMapData,
+  buildOpenApiDocument,
   buildReport,
   buildSinks,
   centralDbFromEnv,
+  checkBearer,
   checkPrerequisites,
   checkReadOnly,
   clampText,
@@ -10296,10 +11646,12 @@ function checkClaudePrerequisites() {
   createOpenAIProvider,
   createScanRunner,
   createSemanticSearch,
+  createSqliteQueryBackend,
   currentOs,
   cursorDeeplink,
   databasesScanner,
   deepMerge,
+  defaultAllowedHosts,
   defaultConfig,
   defaultContext,
   defaultProviderRegistry,
@@ -10316,6 +11668,7 @@ function checkClaudePrerequisites() {
   evaluateCheck,
   evaluateRule,
   evidenceLine,
+  executeGraphql,
   executeNlQuery,
   exportAll,
   exportBackstageYAML,
@@ -10329,6 +11682,9 @@ function checkClaudePrerequisites() {
   filterBySeverity,
   findAnonViolations,
   formatComplianceText,
+  formatJira,
+  formatPagerDuty,
+  formatSlack,
   generateDependencyMermaid,
   generateDiffMermaid,
   generateTopologyMermaid,
@@ -10336,6 +11692,7 @@ function checkClaudePrerequisites() {
   getRuleset,
   globalId,
   groupByDomain,
+  handleGraphqlGet,
   hexCorners,
   hexDistance,
   hexNeighbors,
@@ -10346,9 +11703,11 @@ function checkClaudePrerequisites() {
   hostname,
   ingestEnvelope,
   installedAppsScanner,
+  isLoopbackHost,
   isPersonalHost,
   isReadOnlyCommand,
   isRemembered,
+  isSecureWebhookUrl,
   k8sScanner,
   keyMetaOf,
   layoutClusters,
@@ -10374,6 +11733,7 @@ function checkClaudePrerequisites() {
   normalizeTenant,
   orgKeyPath,
   osUser,
+  parseApiArgs,
   parseComposeDeps,
   parseConfig,
   parseConnectionString,
@@ -10386,6 +11746,7 @@ function checkClaudePrerequisites() {
   pixelToHex,
   planInstall,
   portsScanner,
+  postJson,
   previewShare,
   pseudonymize,
   pseudonymizeFragment,
@@ -10399,10 +11760,12 @@ function checkClaudePrerequisites() {
   resolveEffectiveLevel,
   resolveNlQuery,
   resolveSharingLevel,
+  resolveTenant,
   revalidateAnonymized,
   reversalKey,
   reversePseudonym,
   rotateOrgKey,
+  runApi,
   runDiscovery,
   runDrift,
   runHttp,
@@ -10425,8 +11788,11 @@ function checkClaudePrerequisites() {
   shareHash,
   splitSegments,
   stableStringify,
+  startApi,
   stripSensitive,
+  timingSafeEqual,
   validateScanner,
-  vscodeDeeplink
+  vscodeDeeplink,
+  zodToJsonSchema
 });
 //# sourceMappingURL=index.cjs.map