@datasynx/agentic-ai-cartography 2.3.0 → 2.4.0

package/dist/cli.js

@@ -11,10 +11,10 @@ import {
   runDrift,
   runLocalDiscovery,
   startMcp
-} from "./chunk-B2AKONVW.js";
+} from "./chunk-B4QWX7CP.js";
 import {
   startApi
-} from "./chunk-7VZH5PFV.js";
+} from "./chunk-L4OSL7I6.js";
 import {
   CartographyDB,
   buildCartographyToolHandlers,
@@ -25,7 +25,7 @@ import {
   redactValue,
   stableStringify,
   stripSensitive
-} from "./chunk-7QEBFMN4.js";
+} from "./chunk-X5JA2UDT.js";
 import {
   ConfigFileSchema,
   CostEntrySchema,
@@ -36,7 +36,7 @@ import {
   SharingLevelSchema,
   centralDbFromEnv,
   defaultConfig
-} from "./chunk-WCR47QA2.js";
+} from "./chunk-QQOQBE2A.js";
 import {
   IS_MAC,
   IS_WIN,
@@ -4508,7 +4508,7 @@ ${infraSummary.substring(0, 12e3)}`;
 `);
       return;
     }
-    const { NODE_TYPES } = await import("./types-TJWXAQ2L.js");
+    const { NODE_TYPES } = await import("./types-5L3AGZLG.js");
     if (!process.stdin.isTTY) {
       w(red("\n  \u2717  Interactive mode requires a terminal (use --file for non-interactive)\n\n"));
       process.exitCode = 1;

package/dist/index.cjs

@@ -46,14 +46,17 @@ __export(src_exports, {
   INGEST_SCHEMA_VERSION: () => INGEST_SCHEMA_VERSION,
   IngestEnvelopeSchema: () => IngestEnvelopeSchema,
   InvalidTenantError: () => InvalidTenantError,
+  JiraSink: () => JiraSink,
   LOOPBACK_HOSTS: () => LOOPBACK_HOSTS2,
   MCP_BIN: () => MCP_BIN,
   NotFoundError: () => NotFoundError,
   PACKAGE_NAME: () => PACKAGE_NAME,
+  PAGERDUTY_ENQUEUE_URL: () => PAGERDUTY_ENQUEUE_URL,
   PERSONAL: () => PERSONAL,
   PORT_MAP: () => PORT_MAP,
   PRIVATE_IP: () => PRIVATE_IP,
   PUSH_SCHEMA_VERSION: () => PUSH_SCHEMA_VERSION,
+  PagerDutySink: () => PagerDutySink,
   ProviderRegistry: () => ProviderRegistry,
   RELATION_TO_DIRECTION: () => RELATION_TO_DIRECTION,
   RuleCheckSchema: () => RuleCheckSchema,
@@ -65,6 +68,7 @@ __export(src_exports, {
   ScannerRegistry: () => ScannerRegistry,
   ScannerShape: () => ScannerShape,
   SharingLevelSchema: () => SharingLevelSchema,
+  SlackSink: () => SlackSink,
   SqliteQueryBackend: () => SqliteQueryBackend,
   SqliteStoreBackend: () => SqliteStoreBackend,
   StdoutSink: () => StdoutSink,
@@ -149,6 +153,9 @@ __export(src_exports, {
   filterBySeverity: () => filterBySeverity,
   findAnonViolations: () => findAnonViolations,
   formatComplianceText: () => formatComplianceText,
+  formatJira: () => formatJira,
+  formatPagerDuty: () => formatPagerDuty,
+  formatSlack: () => formatSlack,
   generateDependencyMermaid: () => generateDependencyMermaid,
   generateDiffMermaid: () => generateDiffMermaid,
   generateTopologyMermaid: () => generateTopologyMermaid,
@@ -171,6 +178,7 @@ __export(src_exports, {
   isPersonalHost: () => isPersonalHost,
   isReadOnlyCommand: () => isReadOnlyCommand,
   isRemembered: () => isRemembered,
+  isSecureWebhookUrl: () => isSecureWebhookUrl,
   k8sScanner: () => k8sScanner,
   keyMetaOf: () => keyMetaOf,
   layoutClusters: () => layoutClusters,
@@ -209,6 +217,7 @@ __export(src_exports, {
   pixelToHex: () => pixelToHex,
   planInstall: () => planInstall,
   portsScanner: () => portsScanner,
+  postJson: () => postJson,
   previewShare: () => previewShare,
   pseudonymize: () => pseudonymize,
   pseudonymizeFragment: () => pseudonymizeFragment,
@@ -417,15 +426,26 @@ var SECURITY_METADATA_KEYS = [
 var DriftConfigSchema = import_zod.z.object({
   minSeverity: import_zod.z.enum(SEVERITIES).default("info"),
   sinks: import_zod.z.array(import_zod.z.object({
-    type: import_zod.z.enum(["stdout", "webhook"]),
+    type: import_zod.z.enum(["stdout", "webhook", "slack", "pagerduty", "jira"]),
     url: import_zod.z.string().url().optional(),
     token: import_zod.z.string().optional(),
-    timeoutMs: import_zod.z.number().int().positive().optional()
+    timeoutMs: import_zod.z.number().int().positive().optional(),
+    routingKey: import_zod.z.string().optional(),
+    email: import_zod.z.string().optional(),
+    project: import_zod.z.string().optional(),
+    issueType: import_zod.z.string().optional()
   })).default([{ type: "stdout" }])
 }).superRefine((cfg, ctx) => {
   for (const [i, s] of cfg.sinks.entries()) {
-    if (s.type === "webhook" && !s.url) {
-      ctx.addIssue({ code: "custom", path: ["sinks", i, "url"], message: "webhook sink requires a url" });
+    const requireUrl = (msg) => {
+      if (!s.url) ctx.addIssue({ code: "custom", path: ["sinks", i, "url"], message: msg });
+    };
+    if (s.type === "webhook") requireUrl("webhook sink requires a url");
+    if (s.type === "slack") requireUrl("slack sink requires a webhook url");
+    if (s.type === "jira") {
+      requireUrl("jira sink requires a base url");
+      if (!s.email) ctx.addIssue({ code: "custom", path: ["sinks", i, "email"], message: "jira sink requires an email" });
+      if (!s.project) ctx.addIssue({ code: "custom", path: ["sinks", i, "project"], message: "jira sink requires a project key" });
     }
   }
 });
@@ -2039,8 +2059,17 @@ function stripSensitive(target) {
     const stripped = `${url.hostname}${url.port ? ":" + url.port : ""}`;
     return stripped || raw;
   } catch {
-    const stripped = raw.replace(/\/.*$/, "").replace(/\?.*$/, "").replace(/@.*:/, ":");
-    return stripped || raw;
+    let s = raw;
+    const slash = s.indexOf("/");
+    if (slash >= 0) s = s.slice(0, slash);
+    const q = s.indexOf("?");
+    if (q >= 0) s = s.slice(0, q);
+    const at = s.indexOf("@");
+    if (at >= 0) {
+      const colon = s.lastIndexOf(":");
+      if (colon > at) s = s.slice(0, at) + ":" + s.slice(colon + 1);
+    }
+    return s || raw;
   }
 }
 var SCAN_ARG_PATTERNS = {
@@ -2058,7 +2087,7 @@ function assertSafeScanArg(kind, value) {
   return value;
 }
 function redactSecrets(value) {
-  return value.replace(/([a-z][a-z0-9+.-]*:\/\/[^:@/\s]+):[^@/\s]+@/gi, "$1:***@");
+  return value.replace(/([a-z][a-z0-9+.-]{0,63}:\/\/[^:@/\s]{1,256}):[^@/\s]{1,256}@/gi, "$1:***@");
 }
 function redactValue(value) {
   if (typeof value === "string") return redactSecrets(value);
@@ -5156,6 +5185,41 @@ var StdoutSink = class {
 
 // src/sinks/webhook.ts
 var LOOPBACK_HOSTS = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "[::1]", "::1"]);
+async function postJson(opts) {
+  const doFetch = opts.fetchImpl ?? (typeof fetch === "function" ? fetch : void 0);
+  if (!doFetch) {
+    logWarn("sink unavailable: global fetch missing", { sink: opts.sinkName });
+    return;
+  }
+  if (!opts.url) {
+    logWarn("sink unavailable: no url configured", { sink: opts.sinkName });
+    return;
+  }
+  if (!isSecureWebhookUrl(opts.url)) {
+    logWarn("sink refused: insecure scheme (use https:// or a loopback host)", {
+      sink: opts.sinkName,
+      host: stripSensitive(opts.url)
+    });
+    return;
+  }
+  try {
+    const res = await doFetch(opts.url, {
+      method: "POST",
+      headers: { "content-type": "application/json", ...opts.headers ?? {} },
+      body: JSON.stringify(opts.body),
+      signal: AbortSignal.timeout(opts.timeoutMs ?? 1e4)
+    });
+    if (!res.ok) {
+      logError("sink delivery failed", { sink: opts.sinkName, host: stripSensitive(opts.url), status: res.status });
+    }
+  } catch (err) {
+    logError("sink delivery failed", {
+      sink: opts.sinkName,
+      host: stripSensitive(opts.url),
+      reason: err instanceof Error ? err.message : String(err)
+    });
+  }
+}
 function isSecureWebhookUrl(url, env = process.env) {
   if (env.CARTOGRAPHY_ALLOW_INSECURE_SYNC === "1") return true;
   let parsed;
@@ -5174,59 +5238,177 @@ var WebhookSink = class {
   }
   name = "webhook";
   async emit(alert) {
-    if (typeof fetch !== "function") {
-      logWarn("webhook sink unavailable: global fetch missing", { sink: this.name });
-      return;
-    }
     const { url, token, timeoutMs } = this.opts;
-    if (!url) {
-      logWarn("webhook sink unavailable: no url configured", { sink: this.name });
-      return;
-    }
-    if (!isSecureWebhookUrl(url)) {
-      logWarn("webhook sink refused: insecure scheme (use https:// or a loopback host)", {
-        sink: this.name,
-        host: stripSensitive(url)
-      });
-      return;
-    }
-    try {
-      const res = await fetch(url, {
-        method: "POST",
-        headers: {
-          "content-type": "application/json",
-          ...token ? { authorization: `Bearer ${token}` } : {}
-        },
-        body: JSON.stringify(redactValue(alert)),
-        signal: AbortSignal.timeout(timeoutMs ?? 1e4)
-      });
-      if (!res.ok) {
-        logError("webhook sink failed", { sink: this.name, host: stripSensitive(url), status: res.status });
+    await postJson({
+      url,
+      body: redactValue(alert),
+      ...token ? { headers: { authorization: `Bearer ${token}` } } : {},
+      ...timeoutMs !== void 0 ? { timeoutMs } : {},
+      sinkName: this.name
+    });
+  }
+};
+
+// src/sinks/providers.ts
+var MAX_ITEMS2 = 20;
+var SEVERITY_EMOJI = { info: "\u{1F7E2}", warning: "\u{1F7E1}", critical: "\u{1F534}" };
+function headline(alert) {
+  const s = alert.summary;
+  return `${s.nodesAdded}+ / ${s.nodesRemoved}- / ${s.nodesChanged}~ nodes, ${s.edgesAdded}+ / ${s.edgesRemoved}- edges`;
+}
+function itemLine(it) {
+  const sec = it.securityFields?.length ? ` [security: ${it.securityFields.join(", ")}]` : "";
+  const fields = it.changedFields?.length ? ` (${it.changedFields.join(", ")})` : "";
+  return `${it.severity.toUpperCase()} \xB7 ${it.kind} \xB7 ${it.label}${fields}${sec}`;
+}
+function bodyText(alert) {
+  const lines = alert.items.slice(0, MAX_ITEMS2).map(itemLine);
+  const more = alert.items.length > MAX_ITEMS2 ? [`\u2026and ${alert.items.length - MAX_ITEMS2} more`] : [];
+  return [headline(alert), "", ...lines, ...more].join("\n");
+}
+function formatSlack(alert) {
+  const title = `${SEVERITY_EMOJI[alert.severity]} Topology drift \u2014 ${alert.severity}`;
+  return {
+    text: `${title}: ${headline(alert)}`,
+    blocks: [
+      { type: "header", text: { type: "plain_text", text: title, emoji: true } },
+      { type: "section", text: { type: "mrkdwn", text: "```" + bodyText(alert) + "```" } },
+      { type: "context", elements: [{ type: "mrkdwn", text: `base ${alert.base.sessionId} \u2192 current ${alert.current.sessionId} \xB7 ${alert.generatedAt}` }] }
+    ]
+  };
+}
+var PD_SEVERITY = {
+  info: "info",
+  warning: "warning",
+  critical: "critical"
+};
+function formatPagerDuty(alert, routingKey) {
+  return {
+    routing_key: routingKey,
+    event_action: "trigger",
+    // Stable per base→current pair so repeated alerts for the same delta de-duplicate.
+    dedup_key: `cartograph-drift:${alert.base.sessionId}:${alert.current.sessionId}`,
+    payload: {
+      summary: `Cartograph topology drift (${alert.severity}): ${headline(alert)}`,
+      source: "cartograph",
+      severity: PD_SEVERITY[alert.severity],
+      timestamp: alert.generatedAt,
+      custom_details: {
+        summary: alert.summary,
+        items: alert.items.slice(0, MAX_ITEMS2).map((it) => ({
+          kind: it.kind,
+          ref: it.ref,
+          severity: it.severity,
+          ...it.changedFields ? { changedFields: it.changedFields } : {},
+          ...it.securityFields ? { securityFields: it.securityFields } : {}
+        }))
       }
-    } catch (err) {
-      logError("webhook sink failed", {
-        sink: this.name,
-        host: stripSensitive(url),
-        reason: err instanceof Error ? err.message : String(err)
-      });
     }
+  };
+}
+function formatJira(alert, opts) {
+  return {
+    fields: {
+      project: { key: opts.project },
+      issuetype: { name: opts.issueType ?? "Task" },
+      summary: `Cartograph topology drift (${alert.severity}): ${headline(alert)}`,
+      description: bodyText(alert) + `
+
+base ${alert.base.sessionId} \u2192 current ${alert.current.sessionId}
+generated ${alert.generatedAt}`
+    }
+  };
+}
+
+// src/sinks/provider-sink.ts
+var PAGERDUTY_ENQUEUE_URL = "https://events.pagerduty.com/v2/enqueue";
+function deliver(name, url, body, opts, headers) {
+  return postJson({
+    url,
+    body,
+    sinkName: name,
+    ...headers ? { headers } : {},
+    ...opts.timeoutMs !== void 0 ? { timeoutMs: opts.timeoutMs } : {},
+    ...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+  });
+}
+var SlackSink = class {
+  constructor(opts) {
+    this.opts = opts;
+  }
+  name = "slack";
+  async emit(alert) {
+    await deliver(this.name, this.opts.url, formatSlack(redactValue(alert)), this.opts);
+  }
+};
+var PagerDutySink = class {
+  constructor(opts) {
+    this.opts = opts;
+  }
+  name = "pagerduty";
+  async emit(alert) {
+    const body = formatPagerDuty(redactValue(alert), this.opts.routingKey);
+    await deliver(this.name, this.opts.url || PAGERDUTY_ENQUEUE_URL, body, this.opts);
+  }
+};
+var JiraSink = class {
+  constructor(opts) {
+    this.opts = opts;
+  }
+  name = "jira";
+  async emit(alert) {
+    const body = formatJira(redactValue(alert), {
+      project: this.opts.project,
+      ...this.opts.issueType ? { issueType: this.opts.issueType } : {}
+    });
+    const auth = Buffer.from(`${this.opts.email}:${this.opts.token}`).toString("base64");
+    const base = this.opts.url.replace(/\/+$/, "");
+    await deliver(this.name, `${base}/rest/api/2/issue`, body, this.opts, { authorization: `Basic ${auth}` });
   }
 };
 
 // src/sinks/index.ts
 function buildSinks(drift) {
   const configs = drift?.sinks && drift.sinks.length > 0 ? drift.sinks : [{ type: "stdout" }];
+  const envSecret = process.env.CARTOGRAPHY_DRIFT_TOKEN;
   const sinks = [];
   for (const s of configs) {
-    if (s.type === "webhook") {
-      if (!s.url) continue;
-      sinks.push(new WebhookSink({
-        url: s.url,
-        token: s.token ?? process.env.CARTOGRAPHY_DRIFT_TOKEN,
-        timeoutMs: s.timeoutMs
-      }));
-    } else {
-      sinks.push(new StdoutSink());
+    const timeoutMs = s.timeoutMs;
+    switch (s.type) {
+      case "webhook":
+        if (!s.url) {
+          logWarn("drift sink skipped: webhook requires a url", { sink: s.type });
+          break;
+        }
+        sinks.push(new WebhookSink({ url: s.url, token: s.token ?? envSecret, timeoutMs }));
+        break;
+      case "slack":
+        if (!s.url) {
+          logWarn("drift sink skipped: slack requires a webhook url", { sink: s.type });
+          break;
+        }
+        sinks.push(new SlackSink({ url: s.url, timeoutMs }));
+        break;
+      case "pagerduty": {
+        const routingKey = s.routingKey ?? s.token ?? envSecret;
+        if (!routingKey) {
+          logWarn("drift sink skipped: pagerduty requires a routingKey (or CARTOGRAPHY_DRIFT_TOKEN)", { sink: s.type });
+          break;
+        }
+        sinks.push(new PagerDutySink({ url: s.url ?? PAGERDUTY_ENQUEUE_URL, routingKey, timeoutMs }));
+        break;
+      }
+      case "jira": {
+        const token = s.token ?? envSecret;
+        if (!s.url || !s.email || !s.project || !token) {
+          logWarn("drift sink skipped: jira requires url, email, project and a token", { sink: s.type });
+          break;
+        }
+        sinks.push(new JiraSink({ url: s.url, email: s.email, token, project: s.project, issueType: s.issueType, timeoutMs }));
+        break;
+      }
+      default:
+        sinks.push(new StdoutSink());
     }
   }
   return sinks.length > 0 ? sinks : [new StdoutSink()];
@@ -5635,7 +5817,7 @@ async function resolveNlQuery(db, sessionId, search, raw, opts) {
 
 // src/mcp/server.ts
 var SERVER_NAME = "cartography";
-var SERVER_VERSION = "2.3.0";
+var SERVER_VERSION = "2.4.0";
 var SERVICE_TYPES = NODE_TYPE_GROUPS.web;
 var DATA_TYPES = NODE_TYPE_GROUPS.data;
 var lexicalSearch = async (db, sessionId, query, opts) => db.searchNodes(sessionId, query, { types: opts.types, limit: opts.limit }).map((node) => ({ node }));
@@ -11393,14 +11575,17 @@ function checkClaudePrerequisites() {
   INGEST_SCHEMA_VERSION,
   IngestEnvelopeSchema,
   InvalidTenantError,
+  JiraSink,
   LOOPBACK_HOSTS,
   MCP_BIN,
   NotFoundError,
   PACKAGE_NAME,
+  PAGERDUTY_ENQUEUE_URL,
   PERSONAL,
   PORT_MAP,
   PRIVATE_IP,
   PUSH_SCHEMA_VERSION,
+  PagerDutySink,
   ProviderRegistry,
   RELATION_TO_DIRECTION,
   RuleCheckSchema,
@@ -11412,6 +11597,7 @@ function checkClaudePrerequisites() {
   ScannerRegistry,
   ScannerShape,
   SharingLevelSchema,
+  SlackSink,
   SqliteQueryBackend,
   SqliteStoreBackend,
   StdoutSink,
@@ -11496,6 +11682,9 @@ function checkClaudePrerequisites() {
   filterBySeverity,
   findAnonViolations,
   formatComplianceText,
+  formatJira,
+  formatPagerDuty,
+  formatSlack,
   generateDependencyMermaid,
   generateDiffMermaid,
   generateTopologyMermaid,
@@ -11518,6 +11707,7 @@ function checkClaudePrerequisites() {
   isPersonalHost,
   isReadOnlyCommand,
   isRemembered,
+  isSecureWebhookUrl,
   k8sScanner,
   keyMetaOf,
   layoutClusters,
@@ -11556,6 +11746,7 @@ function checkClaudePrerequisites() {
   pixelToHex,
   planInstall,
   portsScanner,
+  postJson,
   previewShare,
   pseudonymize,
   pseudonymizeFragment,