@datasynx/agentic-ai-cartography 2.3.0 → 2.5.0

package/dist/api-bin.js

@@ -2,9 +2,9 @@
 import {
   parseApiArgs,
   startApi
-} from "./chunk-7VZH5PFV.js";
-import "./chunk-7QEBFMN4.js";
-import "./chunk-WCR47QA2.js";
+} from "./chunk-NQXZUWOI.js";
+import "./chunk-GA4427LB.js";
+import "./chunk-QQOQBE2A.js";
 import "./chunk-2SZ5QHGH.js";
 
 // src/api-bin.ts

package/dist/{chunk-7QEBFMN4.js → chunk-GA4427LB.js}

@@ -7,7 +7,7 @@ import {
   NODE_TYPES,
   NODE_TYPE_GROUPS,
   SharingLevelSchema
-} from "./chunk-WCR47QA2.js";
+} from "./chunk-QQOQBE2A.js";
 import {
   HOME,
   IS_LINUX,
@@ -744,8 +744,17 @@ function stripSensitive(target) {
     const stripped = `${url.hostname}${url.port ? ":" + url.port : ""}`;
     return stripped || raw;
   } catch {
-    const stripped = raw.replace(/\/.*$/, "").replace(/\?.*$/, "").replace(/@.*:/, ":");
-    return stripped || raw;
+    let s = raw;
+    const slash = s.indexOf("/");
+    if (slash >= 0) s = s.slice(0, slash);
+    const q = s.indexOf("?");
+    if (q >= 0) s = s.slice(0, q);
+    const at = s.indexOf("@");
+    if (at >= 0) {
+      const colon = s.lastIndexOf(":");
+      if (colon > at) s = s.slice(0, at) + ":" + s.slice(colon + 1);
+    }
+    return s || raw;
   }
 }
 var SCAN_ARG_PATTERNS = {
@@ -763,7 +772,7 @@ function assertSafeScanArg(kind, value) {
   return value;
 }
 function redactSecrets(value) {
-  return value.replace(/([a-z][a-z0-9+.-]*:\/\/[^:@/\s]+):[^@/\s]+@/gi, "$1:***@");
+  return value.replace(/([a-z][a-z0-9+.-]{0,63}:\/\/[^:@/\s]{1,256}):[^@/\s]{1,256}@/gi, "$1:***@");
 }
 function redactValue(value) {
   if (typeof value === "string") return redactSecrets(value);
@@ -1765,7 +1774,10 @@ CREATE TABLE IF NOT EXISTS activity_events (
   duration_ms INTEGER,
   command TEXT,
   result_bytes INTEGER,
-  tenant TEXT NOT NULL DEFAULT 'local'
+  tenant TEXT NOT NULL DEFAULT 'local',
+  actor_subject TEXT,
+  actor_role TEXT,
+  actor_tenant TEXT
 );
 
 CREATE TABLE IF NOT EXISTS tasks (
@@ -1874,6 +1886,16 @@ CREATE INDEX IF NOT EXISTS idx_nodes_tenant_content ON nodes(tenant, content_has
 CREATE INDEX IF NOT EXISTS idx_contrib_org ON node_contributors(organization, global_id);
 CREATE INDEX IF NOT EXISTS idx_nodes_owner ON nodes(session_id, owner);
 `;
+var AUTH_SCHEMA = `
+CREATE TABLE IF NOT EXISTS auth_credentials (
+  token_hash TEXT PRIMARY KEY,
+  subject TEXT NOT NULL,
+  tenant TEXT NOT NULL DEFAULT 'local',
+  role TEXT NOT NULL,
+  created_at TEXT NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_auth_subject ON auth_credentials(subject);
+`;
 var CartographyDB = class {
   db;
   /** 3.6 anomaly settings; defaults apply when no `anomaly` config is supplied. */
@@ -1893,7 +1915,8 @@ var CartographyDB = class {
     const version = this.db.pragma("user_version", { simple: true });
     if (version === 0) {
       this.db.exec(SCHEMA);
-      this.db.pragma("user_version = 14");
+      this.db.exec(AUTH_SCHEMA);
+      this.db.pragma("user_version = 15");
       return;
     } else if (version === 1) {
       const cols = this.db.prepare("PRAGMA table_info(nodes)").all().map((c) => c.name);
@@ -2079,6 +2102,18 @@ var CartographyDB = class {
       }
       this.db.pragma("user_version = 14");
     }
+    const v14 = this.db.pragma("user_version", { simple: true });
+    if (v14 < 15) {
+      this.db.exec(AUTH_SCHEMA);
+      const ev = this.db.prepare("PRAGMA table_info(activity_events)").all();
+      if (ev.length > 0) {
+        const cols = ev.map((c) => c.name);
+        if (!cols.includes("actor_subject")) this.db.exec("ALTER TABLE activity_events ADD COLUMN actor_subject TEXT");
+        if (!cols.includes("actor_role")) this.db.exec("ALTER TABLE activity_events ADD COLUMN actor_role TEXT");
+        if (!cols.includes("actor_tenant")) this.db.exec("ALTER TABLE activity_events ADD COLUMN actor_tenant TEXT");
+      }
+      this.db.pragma("user_version = 15");
+    }
   }
   close() {
     this.db.pragma("optimize");
@@ -2509,13 +2544,13 @@ var CartographyDB = class {
     });
   }
   // ── Events ──────────────────────────────
-  insertEvent(sessionId, event, taskId) {
+  insertEvent(sessionId, event, taskId, actor) {
     const id = crypto.randomUUID();
     const tenant = this.tenantOf(sessionId);
     this.db.prepare(`
       INSERT INTO activity_events
-        (id, session_id, task_id, timestamp, event_type, process, pid, target, target_type, port, command, result_bytes, tenant)
-      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+        (id, session_id, task_id, timestamp, event_type, process, pid, target, target_type, port, command, result_bytes, tenant, actor_subject, actor_role, actor_tenant)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
     `).run(
       id,
       sessionId,
@@ -2529,9 +2564,52 @@ var CartographyDB = class {
       event.port ?? null,
       event.command ?? null,
       event.resultBytes ?? null,
-      tenant
+      tenant,
+      actor?.subject ?? null,
+      actor?.role ?? null,
+      actor?.tenant ?? null
     );
   }
+  // ── RBAC credential store (4.5) ─────────────
+  /** Number of stored credentials. `0` ⇒ no RBAC configured (fall back to shared/loopback). */
+  countCredentials() {
+    return this.db.prepare("SELECT COUNT(*) AS n FROM auth_credentials").get().n;
+  }
+  /** Look up a credential by its sha256 token hash. */
+  findCredentialByHash(tokenHash) {
+    const r = this.db.prepare("SELECT * FROM auth_credentials WHERE token_hash = ?").get(tokenHash);
+    if (!r) return void 0;
+    return {
+      tokenHash: r["token_hash"],
+      subject: r["subject"],
+      tenant: r["tenant"],
+      role: r["role"],
+      createdAt: r["created_at"]
+    };
+  }
+  /** Upsert a credential (idempotent on the token hash). Stores only the hash, never the raw token. */
+  addCredential(rec) {
+    this.db.prepare(`
+      INSERT INTO auth_credentials (token_hash, subject, tenant, role, created_at)
+      VALUES (?, ?, ?, ?, ?)
+      ON CONFLICT(token_hash) DO UPDATE SET subject = excluded.subject, tenant = excluded.tenant, role = excluded.role
+    `).run(rec.tokenHash, rec.subject, rec.tenant, rec.role, (/* @__PURE__ */ new Date()).toISOString());
+  }
+  /** List all credentials (token hashes only — the raw token is unrecoverable). */
+  listCredentials() {
+    const rows = this.db.prepare("SELECT * FROM auth_credentials ORDER BY created_at").all();
+    return rows.map((r) => ({
+      tokenHash: r["token_hash"],
+      subject: r["subject"],
+      tenant: r["tenant"],
+      role: r["role"],
+      createdAt: r["created_at"]
+    }));
+  }
+  /** Revoke every credential for a subject. Returns the number removed. */
+  revokeCredentialsBySubject(subject) {
+    return this.db.prepare("DELETE FROM auth_credentials WHERE subject = ?").run(subject).changes;
+  }
   getEvents(sessionId, since) {
     const rows = since ? this.db.prepare("SELECT * FROM activity_events WHERE session_id = ? AND timestamp > ? ORDER BY timestamp").all(sessionId, since) : this.db.prepare("SELECT * FROM activity_events WHERE session_id = ? ORDER BY timestamp").all(sessionId);
     return rows.map((r) => {
@@ -3208,6 +3286,9 @@ var CartographyDB = class {
   }
 };
 
+// src/auth/identity.ts
+import { createHash as createHash2 } from "crypto";
+
 // src/api/auth.ts
 var LOOPBACK_HOSTS = /* @__PURE__ */ new Set(["127.0.0.1", "localhost", "::1", "[::1]"]);
 function isLoopbackHost(host) {
@@ -3228,11 +3309,6 @@ function bearerToken(header) {
   const token = rest.trimStart();
   return token.length > 0 ? token : void 0;
 }
-function checkBearer(authorizationHeader, token) {
-  if (!token) return true;
-  const provided = bearerToken(authorizationHeader);
-  return provided !== void 0 && timingSafeEqual(provided, token);
-}
 function assertSafeBind(opts) {
   if (isLoopbackHost(opts.host)) return;
   if (opts.allowedHosts === void 0) {
@@ -3250,6 +3326,54 @@ function defaultAllowedHosts(host, port) {
   return [`${host}:${port}`, `localhost:${port}`, `127.0.0.1:${port}`];
 }
 
+// src/auth/identity.ts
+function hashToken(token) {
+  return createHash2("sha256").update(token, "utf8").digest("hex");
+}
+var SqliteCredentialStore = class {
+  constructor(db) {
+    this.db = db;
+  }
+  count() {
+    return this.db.countCredentials();
+  }
+  findByHash(tokenHash) {
+    return this.db.findCredentialByHash(tokenHash);
+  }
+};
+function resolvePrincipal(presentedToken, opts) {
+  const tenant = opts.defaultTenant ?? DEFAULT_TENANT;
+  if (opts.store && opts.store.count() > 0) {
+    if (!presentedToken) return void 0;
+    const rec = opts.store.findByHash(hashToken(presentedToken));
+    return rec ? { subject: rec.subject, tenant: rec.tenant, role: rec.role } : void 0;
+  }
+  if (opts.sharedToken) {
+    if (!presentedToken || !timingSafeEqual(presentedToken, opts.sharedToken)) return void 0;
+    return { subject: "shared-token", tenant, role: "admin" };
+  }
+  if (opts.required) return void 0;
+  return { subject: "anonymous", tenant, role: "admin" };
+}
+
+// src/auth/rbac.ts
+var ROLE_RANK = { viewer: 1, operator: 2, admin: 3 };
+var ACTION_MIN_ROLE = { read: "viewer", discovery: "operator", admin: "admin" };
+function can(role, action) {
+  return ROLE_RANK[role] >= ROLE_RANK[ACTION_MIN_ROLE[action]];
+}
+var AuthorizationError = class extends Error {
+  constructor(action, role) {
+    super(`forbidden: role '${role}' may not perform '${action}'`);
+    this.action = action;
+    this.role = role;
+    this.name = "AuthorizationError";
+  }
+};
+function authorize(principal, action) {
+  if (!can(principal.role, action)) throw new AuthorizationError(action, principal.role);
+}
+
 export {
   sanitizeUntrusted,
   cloudAwsScanner,
@@ -3271,8 +3395,13 @@ export {
   globalId,
   deriveSessionName,
   CartographyDB,
-  checkBearer,
+  bearerToken,
   assertSafeBind,
-  defaultAllowedHosts
+  defaultAllowedHosts,
+  hashToken,
+  SqliteCredentialStore,
+  resolvePrincipal,
+  AuthorizationError,
+  authorize
 };
-//# sourceMappingURL=chunk-7QEBFMN4.js.map
+//# sourceMappingURL=chunk-GA4427LB.js.map