@datasynx/agentic-ai-cartography 2.3.0 → 2.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (26) hide show
  1. package/dist/api-bin.js +3 -3
  2. package/dist/{chunk-7QEBFMN4.js → chunk-GA4427LB.js} +147 -18
  3. package/dist/chunk-GA4427LB.js.map +1 -0
  4. package/dist/{chunk-7VZH5PFV.js → chunk-NQXZUWOI.js} +42 -12
  5. package/dist/chunk-NQXZUWOI.js.map +1 -0
  6. package/dist/{chunk-WCR47QA2.js → chunk-QQOQBE2A.js} +16 -5
  7. package/dist/chunk-QQOQBE2A.js.map +1 -0
  8. package/dist/{chunk-B2AKONVW.js → chunk-RYQ4KQCK.js} +253 -56
  9. package/dist/chunk-RYQ4KQCK.js.map +1 -0
  10. package/dist/cli.js +89 -10
  11. package/dist/cli.js.map +1 -1
  12. package/dist/index.cjs +502 -75
  13. package/dist/index.cjs.map +1 -1
  14. package/dist/index.d.cts +390 -11
  15. package/dist/index.d.ts +390 -11
  16. package/dist/index.js +475 -73
  17. package/dist/index.js.map +1 -1
  18. package/dist/mcp-bin.js +3 -3
  19. package/dist/{types-TJWXAQ2L.js → types-5L3AGZLG.js} +2 -2
  20. package/package.json +1 -1
  21. package/server.json +2 -2
  22. package/dist/chunk-7QEBFMN4.js.map +0 -1
  23. package/dist/chunk-7VZH5PFV.js.map +0 -1
  24. package/dist/chunk-B2AKONVW.js.map +0 -1
  25. package/dist/chunk-WCR47QA2.js.map +0 -1
  26. /package/dist/{types-TJWXAQ2L.js.map → types-5L3AGZLG.js.map} +0 -0
package/dist/chunk-WCR47QA2.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/types.ts"],"sourcesContent":["import { z } from 'zod';\n// Type-only import (erased at runtime — no value cycle with diff.ts, which\n// imports its node/edge types from this module).\nimport type { TopologyDelta } from './diff.js';\n\n// ── Enums ────────────────────────────────\n\nexport const NODE_TYPES = [\n 'host', 'database_server', 'database', 'table',\n 'web_service', 'api_endpoint', 'cache_server',\n 'message_broker', 'queue', 'topic',\n 'container', 'pod', 'k8s_cluster',\n 'config_file', 'saas_tool', 'unknown',\n] as const;\nexport type NodeType = typeof NODE_TYPES[number];\n\n/**\n * Semantic groupings of node types — the single source of truth shared by the MCP\n * resource layer (services/databases) and the exporters (layer assignment). Each\n * node type belongs to at most one group; anything ungrouped is treated as \"other\".\n */\nexport const NODE_TYPE_GROUPS = {\n saas: ['saas_tool'],\n web: ['web_service', 'api_endpoint'],\n data: ['database_server', 'database', 'table', 'cache_server'],\n messaging: ['message_broker', 'queue', 'topic'],\n infra: ['host', 'container', 'pod', 'k8s_cluster'],\n config: ['config_file'],\n} as const satisfies Record<string, readonly NodeType[]>;\n\nexport const EDGE_RELATIONSHIPS = [\n 'connects_to', 'reads_from', 'writes_to',\n 'calls', 'contains', 'depends_on',\n] as const;\nexport type EdgeRelationship = typeof EDGE_RELATIONSHIPS[number];\n\n// ── Zod Schemas ──────────────────────────\n\n/** ISO-4217-ish currency code (3 uppercase letters). */\nconst CurrencyCode = z.string().regex(/^[A-Z]{3}$/, 'ISO-4217 currency code, e.g. \"USD\"');\n\n/** Billing period the amount covers. Cross-period rollup is bucketed, never normalized (5.1). */\nexport const COST_PERIODS = ['hourly', 'daily', 'monthly', 'yearly'] as const;\nexport type CostPeriod = typeof COST_PERIODS[number];\n\n/** Attributed cost for one billing period (3.3). Amount is in `currency` per `period`. */\nexport const CostEntrySchema = z.object({\n amount: z.number().nonnegative().describe('Spend for one `period`, in `currency`'),\n currency: CurrencyCode,\n period: z.enum(COST_PERIODS),\n source: z.string().optional().describe('Provenance, e.g. \"csv:billing-2026-06\", \"aws-ce\"'),\n});\nexport type CostEntry = z.infer<typeof CostEntrySchema>;\n\nexport const NodeSchema = z.object({\n id: z.string().describe('Format: \"{type}:{host}:{port}\" or \"{type}:{name}\"'),\n type: z.enum(NODE_TYPES),\n name: z.string(),\n discoveredVia: z.string(),\n confidence: z.number().min(0).max(1).default(0.5),\n metadata: z.record(z.string(), z.unknown()).default({}),\n tags: z.array(z.string()).default([]),\n domain: z.string().optional().describe('Business domain, e.g. \"Marketing\", \"Finance\"'),\n subDomain: z.string().optional().describe('Sub-domain, e.g. \"Forecast client orders\"'),\n qualityScore: z.number().min(0).max(100).optional().describe('Data quality score 0–100'),\n owner: z.string().optional().describe('Owning team/person, e.g. from an `Owner`/`Team` tag (3.3)'),\n cost: CostEntrySchema.optional().describe('Attributed cost for one billing period (3.3)'),\n});\nexport type DiscoveryNode = z.infer<typeof NodeSchema>;\n\nexport const EdgeSchema = z.object({\n sourceId: z.string(),\n targetId: z.string(),\n relationship: z.enum(EDGE_RELATIONSHIPS),\n evidence: z.string(),\n confidence: z.number().min(0).max(1).default(0.5),\n});\nexport type DiscoveryEdge = z.infer<typeof EdgeSchema>;\n\n// ── Sharing policy (2.10 consent + anonymization) ─────────────────────────────\n\n/**\n * Per-employee sharing levels, ordered most-private → least-private:\n * - `none` — share nothing (the opt-in default; nothing leaves the machine).\n * - `anonymized` — pseudonymize identifying fields (host/user/path/private-IP) via\n * an org-keyed, admin-reversible HMAC while preserving topology shape.\n * - `full` — share the raw record verbatim.\n */\nexport const SHARING_LEVELS = ['none', 'anonymized', 'full'] as const;\nexport const SharingLevelSchema = z.enum(SHARING_LEVELS);\nexport type SharingLevel = typeof SHARING_LEVELS[number];\n\n/**\n * A resolved sharing policy: the global `defaultLevel` (the `'*'` row) plus\n * remembered pattern overrides (glob over the node id). The most-specific\n * matching override wins; the default applies when nothing matches.\n */\nexport interface SharingPolicy {\n defaultLevel: SharingLevel;\n overrides: { pattern: string; level: SharingLevel }[];\n}\n\n// ── Cartography Map Types ────────────────\n\nexport const DataAssetSchema = z.object({\n id: z.string(),\n name: z.string(),\n domain: z.string(),\n subDomain: z.string().optional(),\n qualityScore: z.number().min(0).max(100).optional(),\n metadata: z.record(z.string(), z.unknown()).default({}),\n position: z.object({ q: z.number(), r: z.number() }),\n});\nexport type DataAsset = z.infer<typeof DataAssetSchema>;\n\nexport const ClusterSchema = z.object({\n id: z.string(),\n label: z.string(),\n domain: z.string(),\n color: z.string(),\n assetIds: z.array(z.string()),\n centroid: z.object({ x: z.number(), y: z.number() }),\n});\nexport type Cluster = z.infer<typeof ClusterSchema>;\n\nexport const ConnectionSchema = z.object({\n id: z.string(),\n sourceAssetId: z.string(),\n targetAssetId: z.string(),\n type: z.string().optional(),\n});\nexport type Connection = z.infer<typeof ConnectionSchema>;\n\nexport interface CartographyMapData {\n assets: DataAsset[];\n clusters: Cluster[];\n connections: Connection[];\n meta: { exportedAt: string; theme: 'light' | 'dark' };\n}\n\n/** Navy → medium blue → periwinkle → teal/cyan palette */\nexport const DOMAIN_COLORS: Record<string, string> = {\n 'Quality Control': '#1a2744',\n 'Supply Chain': '#1e3a6e',\n 'Marketing': '#6a7fb5',\n 'Finance': '#3a8a8a',\n 'HR': '#2a5a9a',\n 'Logistics': '#0e7490',\n 'Sales': '#1d4ed8',\n 'Engineering': '#4338ca',\n 'Operations': '#0891b2',\n 'Data Layer': '#1e3352',\n 'Web / API': '#1a3a1a',\n 'Messaging': '#2a1a3a',\n 'Infrastructure': '#0f2a40',\n 'Other': '#374151',\n};\n\n/** Ordered palette for dynamic domain assignment */\nexport const DOMAIN_PALETTE = [\n '#1a2e5a', '#1e3a8a', '#1d4ed8', '#2563eb', '#3b82f6',\n '#6366f1', '#818cf8', '#7c9fc3', '#0e7490', '#0891b2',\n '#06b6d4', '#22d3ee', '#0d9488', '#14b8a6', '#2dd4bf', '#5eead4',\n] as const;\n\n// ── DB Row Types ─────────────────────────\n\nexport interface NodeRow extends DiscoveryNode {\n sessionId: string;\n discoveredAt: string;\n depth: number;\n pathId?: string;\n /**\n * Org-scoped human-readable global identity (`{tenant}:{normalizedId}`); the\n * same logical resource collapses to one `globalId` across machines (2.9).\n */\n globalId?: string;\n /** Secondary dedup key (sha256 over type + name + key-meta) that catches `id` drift between machines (2.9). */\n contentHash?: string;\n}\n\nexport interface EdgeRow extends DiscoveryEdge {\n id: string;\n sessionId: string;\n discoveredAt: string;\n pathId?: string;\n}\n\nexport interface SessionRow {\n id: string;\n mode: 'discover';\n startedAt: string;\n completedAt?: string;\n config: string;\n /** Human-friendly, deterministically-derived label (e.g. \"infra+data · 42 nodes · 2026-06-11\"). */\n name?: string;\n /** Tenant/organization partition this session belongs to. Defaults to `'local'`. */\n tenant: string;\n /**\n * Source attribution captured at session creation (2.9). Local-only — these\n * identifying fields never leave the machine; off-machine sharing (2.11) and\n * anonymization/consent (2.10) are deferred.\n */\n hostname?: string;\n user?: string;\n machineId?: string;\n /**\n * Raw `--org` / `config.organization` value as supplied (provenance). The\n * normalized form is {@link tenant} — the org-scope partition introduced by 2.8.\n */\n organization?: string;\n /**\n * ISO 8601 UTC timestamp of the last in-place rescan of this session (2.1).\n * `undefined`/NULL until the session is rescanned via incremental discovery —\n * the freshness signal for scheduled discovery (2.5) to build on.\n */\n lastScannedAt?: string;\n}\n\n/**\n * One observation of a logical node from a single machine. Accumulated in the\n * `node_contributors` table (keyed by `(global_id, machine_id)`); never anonymized\n * in 2.9 (that is 2.10) and never transmitted off-machine in 2.9 (that is 2.11).\n */\nexport interface Contributor {\n machineId: string;\n hostname: string;\n user: string;\n /** Effective org-scope of the contribution (the session's tenant). */\n organization?: string;\n /** ISO 8601 UTC timestamp of the contributing observation. */\n at: string;\n /** Confidence of the observation that produced this contribution (0–1). */\n confidence: number;\n}\n\n// ── Diff / Drift ─────────────────────────\n\n/**\n * Node fields whose change marks a node as `changed` in a topology diff.\n * `confidence` is deliberately excluded — it fluctuates between scans (noise)\n * and is reported separately as `confidenceDelta` rather than triggering drift.\n */\nexport const DRIFT_FIELDS = ['type', 'name', 'domain', 'subDomain', 'qualityScore', 'metadata', 'tags', 'owner', 'cost'] as const;\nexport type DriftField = typeof DRIFT_FIELDS[number];\n\nexport interface NodeChange {\n id: string;\n before: NodeRow;\n after: NodeRow;\n /** Which of DRIFT_FIELDS differ between `before` and `after`. */\n changedFields: DriftField[];\n /** Informational confidence delta (after − before); does not itself trigger drift. */\n confidenceDelta: number;\n}\n\n// ── Anomalies (3.6) ──────────────────────\n\nexport const ANOMALY_KINDS = ['orphan', 'shadow-it'] as const;\nexport type AnomalyKind = typeof ANOMALY_KINDS[number];\n\nexport const ANOMALY_SEVERITIES = ['low', 'medium', 'high'] as const;\nexport type AnomalySeverity = typeof ANOMALY_SEVERITIES[number];\n\n/** A standing structural anomaly within a single topology snapshot. Deterministic. */\nexport interface Anomaly {\n /** The flagged node, structured id \"{type}:{id}\" — never raw free-text. */\n nodeId: string;\n kind: AnomalyKind;\n severity: AnomalySeverity;\n /** Stable, human-readable explanation built only from nodeId + numeric scores. */\n reason: string;\n}\n\n/** Resolved anomaly thresholds (defaults in `DEFAULT_ANOMALY_THRESHOLDS` unless overridden by config). */\nexport interface AnomalyThresholds {\n /** Degree at or below which a node is a weak-link orphan candidate (0 = isolated). */\n orphanWeakDegree: number;\n /** Confidence (0–1) below which an undomained node is shadow-IT. */\n shadowConfidence: number;\n /** qualityScore (0–100) below which an undomained node is shadow-IT. */\n shadowQuality: number;\n}\n\nexport interface AnomalyConfig extends AnomalyThresholds {\n /** When false, the engine short-circuits to an empty array (rollback flag). */\n enabled: boolean;\n}\n\n/**\n * Default anomaly thresholds. Defined here (not in `anomaly.ts`) so `defaultConfig`\n * can reference them without a runtime cycle; `anomaly.ts` re-exports this constant.\n */\nexport const DEFAULT_ANOMALY_THRESHOLDS: AnomalyThresholds = {\n orphanWeakDegree: 1,\n shadowConfidence: 0.4,\n shadowQuality: 40,\n};\n\nexport interface TopologyDiff {\n base: { sessionId: string; startedAt: string; nodeCount: number; edgeCount: number };\n current: { sessionId: string; startedAt: string; nodeCount: number; edgeCount: number };\n nodes: { added: NodeRow[]; removed: NodeRow[]; changed: NodeChange[]; unchanged: number };\n edges: { added: EdgeRow[]; removed: EdgeRow[]; unchanged: number };\n summary: {\n nodesAdded: number; nodesRemoved: number; nodesChanged: number;\n edgesAdded: number; edgesRemoved: number;\n };\n /** Standing anomalies in base vs current, plus those newly appearing in current (3.6). */\n anomalies: { base: Anomaly[]; current: Anomaly[]; added: Anomaly[] };\n}\n\n// ── Drift alerts (3.1) ───────────────────\n\n/** Severity rank, ascending. `maxSeverity` and threshold filtering rely on this order. */\nexport const SEVERITIES = ['info', 'warning', 'critical'] as const;\nexport type Severity = typeof SEVERITIES[number];\n\n/**\n * Free-form metadata keys (case-insensitive) whose change escalates a node-changed\n * item to `critical`. Security-/exposure-relevant signals live only in the\n * free-form `metadata` blob (there are no first-class security node fields).\n */\nexport const SECURITY_METADATA_KEYS = [\n 'publicexposure', 'public', 'exposed', 'iamrole', 'role', 'encryption',\n 'encrypted', 'tls', 'tlsenabled', 'ports', 'openports', 'auth', 'authentication',\n] as const;\n\nexport type DriftItemKind =\n | 'node-added' | 'node-removed' | 'node-changed' | 'edge-added' | 'edge-removed';\n\nexport interface DriftAlertItem {\n kind: DriftItemKind;\n /** Node id, or \"source -rel-> target\" for edges. */\n ref: string;\n /** Human-readable node/edge name for display. */\n label: string;\n nodeType?: NodeType;\n severity: Severity;\n /** Present for node-changed; subset of DRIFT_FIELDS that differ. */\n changedFields?: DriftField[];\n /** Present for node-changed; metadata keys that triggered escalation. */\n securityFields?: string[];\n}\n\nexport interface DriftAlert {\n base: TopologyDiff['base'];\n current: TopologyDiff['current'];\n summary: TopologyDiff['summary'];\n /** Overall severity = max severity across items (info when no items). */\n severity: Severity;\n items: DriftAlertItem[];\n /** ISO-8601 UTC generation time. */\n generatedAt: string;\n}\n\n/** One configured drift sink. `url` is required when `type === 'webhook'`. */\nexport interface DriftSinkConfig {\n type: 'stdout' | 'webhook';\n /** Required when type === 'webhook'. */\n url?: string;\n /** Optional bearer token; falls back to CARTOGRAPHY_DRIFT_TOKEN. */\n token?: string;\n timeoutMs?: number;\n}\n\n/**\n * Opt-in drift-alerting block on {@link CartographyConfig}. Absent → the runner\n * defaults to a single `stdout` sink at `minSeverity: 'info'` (everything stays\n * local; no outbound traffic unless a `webhook` sink is explicitly configured).\n */\nexport interface DriftConfig {\n /** Items below this severity are dropped before dispatch. Default 'info'. */\n minSeverity: Severity;\n sinks: DriftSinkConfig[];\n}\n\n/** Validate an externally-supplied drift block (CLI/env/future file loader). */\nexport const DriftConfigSchema = z.object({\n minSeverity: z.enum(SEVERITIES).default('info'),\n sinks: z.array(z.object({\n type: z.enum(['stdout', 'webhook']),\n url: z.string().url().optional(),\n token: z.string().optional(),\n timeoutMs: z.number().int().positive().optional(),\n })).default([{ type: 'stdout' }]),\n}).superRefine((cfg, ctx) => {\n for (const [i, s] of cfg.sinks.entries()) {\n if (s.type === 'webhook' && !s.url) {\n ctx.addIssue({ code: 'custom', path: ['sinks', i, 'url'], message: 'webhook sink requires a url' });\n }\n }\n});\n\n// ── Schedule / config file (2.5) ─────────\n\n/** Machine-readable result formats shared by `discover` (#67) and `schedule`. */\nexport const OUTPUT_FORMATS = ['text', 'json', 'stream-json'] as const;\nexport type OutputFormat = typeof OUTPUT_FORMATS[number];\n\n/**\n * A recurring-discovery schedule, read from a JSON config file. The `cron`\n * string is a 5-field expression (min hour dom month dow) validated by\n * `parseCron` in `schedule.ts`; the Zod schema only enforces non-emptiness so\n * the config layer stays decoupled from the cron grammar.\n */\nexport const ScheduleConfigSchema = z\n .object({\n /** 5-field cron expression (min hour dom month dow). Validated by schedule.ts. */\n cron: z.string().min(1),\n /** Discovery entry points for the scheduled scan (falls back to the file-level / default). */\n entryPoints: z.array(z.string().min(1)).nonempty().optional(),\n /** Machine-readable result format for `--watch`/`--once` output. */\n outputFormat: z.enum(OUTPUT_FORMATS).default('json'),\n /** Catalog path the scheduled runs read/write (falls back to the file-level / default). */\n dbPath: z.string().min(1).optional(),\n })\n .strict();\nexport type ScheduleConfig = z.infer<typeof ScheduleConfigSchema>;\n\n// ── Central-DB sync (2.11) ───────────────\n\n/**\n * Outbound central-DB connection (2.11). The first egress path Cartograph has:\n * after a scan, consented, policy-transformed deltas are pushed to this ingest\n * endpoint over bearer-auth HTTPS. Presence of `url` *is* the feature flag — when\n * absent the entire sync pipeline short-circuits and nothing ever networks.\n *\n * `.strict()` so a typo'd key in `config.json` fails loudly. The `token` is an\n * opaque secret (never logged, never serialized into a payload); `org` is forwarded\n * as a header so the central side (2.12) can scope ingest by tenant.\n */\nexport const CentralDbConfigSchema = z\n .object({\n /** Ingest endpoint. Must be `https:` for any non-loopback host (see push.ts). */\n url: z.string().url(),\n /** Opaque bearer token sent as `Authorization: Bearer <token>`. Never logged. */\n token: z.string().min(1),\n /** Org/tenant routing hint forwarded to the ingest API. */\n org: z.string().min(1).optional(),\n /** Items per push batch (default 100). */\n batchSize: z.number().int().positive().max(1000).optional(),\n })\n .strict();\nexport type CentralDbConfig = z.infer<typeof CentralDbConfigSchema>;\n\n/**\n * Read a {@link CentralDbConfig} from environment variables\n * (`CARTOGRAPHY_CENTRAL_URL`/`_TOKEN`/`_ORG`), letting CI / secret-managers inject\n * the token without a file. Returns a partial — only the keys actually present —\n * so it composes field-wise over a `config.json` block. Never throws.\n */\nexport function centralDbFromEnv(env: NodeJS.ProcessEnv = process.env): Partial<CentralDbConfig> {\n const out: Partial<CentralDbConfig> = {};\n if (env.CARTOGRAPHY_CENTRAL_URL) out.url = env.CARTOGRAPHY_CENTRAL_URL;\n if (env.CARTOGRAPHY_CENTRAL_TOKEN) out.token = env.CARTOGRAPHY_CENTRAL_TOKEN;\n if (env.CARTOGRAPHY_CENTRAL_ORG) out.org = env.CARTOGRAPHY_CENTRAL_ORG;\n return out;\n}\n\n/**\n * Lifecycle status of one queued share item (2.11):\n * - `pending` — new/unmatched, awaiting the employee's explicit review.\n * - `approved` — cleared to leave (by `sync review`, or auto by a remembered rule).\n * - `shared` — successfully pushed to the central ingest endpoint.\n * - `withheld` — explicitly suppressed; never leaves.\n *\n * The load-bearing privacy invariant: only `approved` rows are ever pushed.\n */\nexport const PENDING_STATUSES = ['pending', 'approved', 'shared', 'withheld'] as const;\nexport type PendingStatus = typeof PENDING_STATUSES[number];\n\n/**\n * One row of the `pending_shares` review queue (2.11). `payload` is the *already\n * policy-transformed* (anonymized/dropped) projection from `previewShare` — never\n * raw node data for `anonymized`/`none` items — so what is queued is exactly what\n * may leave. Keyed by `contentHash` (a hash of that transformed payload).\n */\nexport interface PendingShareRow {\n contentHash: string;\n sessionId: string;\n nodeId?: string;\n kind: 'node' | 'edge';\n /** Policy-transformed payload (the exact bytes a push would send). */\n payload: unknown;\n status: PendingStatus;\n /** Who decided: `'user'` (interactive review) or `'rule'` (remembered policy). */\n decidedBy?: 'user' | 'rule';\n createdAt: string;\n decidedAt?: string;\n sharedAt?: string;\n}\n\n/**\n * Top-level shape of a `cartography.config.json` file. `.strict()` rejects\n * unknown keys so typos fail loudly rather than being silently ignored. WS 2.11\n * (central-org sync) extends this same schema with a `centralDb` block.\n */\nexport const ConfigFileSchema = z\n .object({\n schedule: ScheduleConfigSchema.optional(),\n entryPoints: z.array(z.string().min(1)).nonempty().optional(),\n dbPath: z.string().min(1).optional(),\n organization: z.string().min(1).optional(),\n centralDb: CentralDbConfigSchema.optional(),\n })\n .strict();\nexport type ConfigFile = z.infer<typeof ConfigFileSchema>;\n\n/**\n * One persisted scheduled-discovery run (2.5). Records what changed between this\n * run's session and the prior one, with the full {@link TopologyDelta} for audit\n * and the summary counts for fast querying. `baseSessionId` is `undefined` on the\n * very first run (no prior topology — everything is `added`).\n */\nexport interface DriftRunRow {\n id: string;\n sessionId: string;\n baseSessionId?: string;\n /** ISO 8601 UTC timestamp this run was recorded. */\n ranAt: string;\n summary: {\n nodesAdded: number;\n nodesRemoved: number;\n nodesChanged: number;\n edgesAdded: number;\n edgesRemoved: number;\n };\n delta: TopologyDelta;\n}\n\n// ── Config ───────────────────────────────\n\n/**\n * Agent backend selectable via `--provider` / `CARTOGRAPHY_PROVIDER`. Defined here\n * (in the dependency-free types module) and re-exported from `providers/types.ts`\n * so `defaultConfig` can reference it without a runtime cycle.\n */\nexport type ProviderName = 'claude' | 'openai' | 'ollama';\n\nexport interface CartographyConfig {\n maxDepth: number;\n maxTurns: number;\n entryPoints: string[];\n /** Agent backend. Defaults to `'claude'`; selected by `--provider` / `CARTOGRAPHY_PROVIDER`. */\n provider: ProviderName;\n /** Lead/discovery model. Back-compat alias for `models.lead` (kept in sync by defaultConfig). */\n agentModel: string;\n /** Model roles: `lead` drives discovery, `fast` powers cheaper helper tasks (e.g. chat). */\n models: { lead: string; fast: string };\n organization?: string;\n outputDir: string;\n dbPath: string;\n verbose: boolean;\n /** Max characters of a single scan-tool response returned to the agent (guards the context window). */\n maxToolResponseBytes: number;\n /** Explicit allowlist of scanner plugin package names to load (opt-in / consent-first). Default `[]`. */\n plugins: string[];\n /**\n * Optional recurring-discovery schedule (2.5), populated from a config file by\n * `loadConfig`. `undefined` for every existing/CLI caller — additive only.\n */\n schedule?: ScheduleConfig;\n /**\n * Optional central-DB outbound sync target (2.11). `undefined` for every caller\n * unless configured via `config.json` (`centralDb` block), the\n * `CARTOGRAPHY_CENTRAL_*` env vars, or an explicit override. Absent = the sync\n * pipeline is fully inert (no classify, no queue, no push).\n */\n centralDb?: CentralDbConfig;\n /**\n * Optional anomaly-detection thresholds (3.6). `undefined` for every existing\n * caller — `defaultConfig` populates it from `DEFAULT_ANOMALY_THRESHOLDS`, and the\n * engine falls back to those defaults when absent (optional-deps-degrade).\n */\n anomaly?: AnomalyConfig;\n /**\n * Optional drift-alerting block (3.1). `undefined` for every existing/CLI caller\n * (additive only); when absent the drift runner defaults to a local `stdout` sink.\n * No outbound traffic unless an operator configures a `webhook` sink.\n */\n drift?: DriftConfig;\n}\n\n/** Default lead (discovery) model. */\nexport const DEFAULT_LEAD_MODEL = 'claude-sonnet-4-5-20250929';\n/** Default fast model for helper tasks (chat, summaries). */\nexport const DEFAULT_FAST_MODEL = 'claude-haiku-4-5-20251001';\n\nexport function defaultConfig(overrides: Partial<CartographyConfig> = {}): CartographyConfig {\n const home = process.env.HOME ?? process.env.USERPROFILE ?? '/tmp';\n const base: CartographyConfig = {\n maxDepth: 8,\n maxTurns: 50,\n entryPoints: ['localhost'],\n provider: 'claude',\n agentModel: DEFAULT_LEAD_MODEL,\n models: { lead: DEFAULT_LEAD_MODEL, fast: DEFAULT_FAST_MODEL },\n outputDir: './cartography-output',\n dbPath: `${home}/.cartography/cartography.db`,\n verbose: false,\n maxToolResponseBytes: 100_000,\n plugins: [],\n anomaly: { enabled: true, ...DEFAULT_ANOMALY_THRESHOLDS },\n };\n const merged = { ...base, ...overrides };\n // Keep the invariant agentModel === models.lead so existing agentModel readers\n // and the new role config stay consistent. An explicit `models` override wins;\n // otherwise a legacy `agentModel` override flows into the lead role.\n const lead = overrides.models?.lead ?? merged.agentModel;\n const fast = overrides.models?.fast ?? merged.models.fast;\n\n // 2.11 central-DB sync: assemble the optional `centralDb` block field-wise from\n // (low→high) the explicit override < env. A field set in `overrides.centralDb`\n // (e.g. file-derived in loadConfig) wins; env fills the remaining fields, so a\n // file `url` + env `token` compose. Validate the result with `CentralDbConfigSchema`;\n // on failure (or no `url`) drop it and warn — the feature stays inert, never crashes.\n const centralDb = resolveCentralDb(overrides.centralDb);\n\n const out: CartographyConfig = { ...merged, agentModel: lead, models: { lead, fast } };\n // Only a validated block lands; a dropped/invalid one is removed entirely so the\n // feature stays inert rather than carrying through a malformed override.\n if (centralDb) out.centralDb = centralDb;\n else delete out.centralDb;\n return out;\n}\n\n/**\n * Resolve the effective `centralDb` from an explicit (override/file) partial layered\n * over `CARTOGRAPHY_CENTRAL_*` env. Field-wise merge (override wins per field), then\n * `safeParse`. Returns `undefined` (and warns to stderr) when no `url` is present or\n * the assembled block fails validation — so a missing/invalid config degrades to an\n * inert feature rather than a crash. The token is never written to the warning.\n */\nfunction resolveCentralDb(explicit?: Partial<CentralDbConfig>): CentralDbConfig | undefined {\n const env = centralDbFromEnv();\n const assembled: Partial<CentralDbConfig> = { ...env, ...explicit };\n if (assembled.url === undefined && assembled.token === undefined && assembled.org === undefined && assembled.batchSize === undefined) {\n return undefined; // nothing configured anywhere — feature off\n }\n const parsed = CentralDbConfigSchema.safeParse(assembled);\n if (!parsed.success) {\n const detail = parsed.error.issues.map((i) => `${i.path.join('.') || '(root)'}: ${i.message}`).join('; ');\n process.stderr.write(`[cartography] ignoring invalid centralDb config: ${detail}\\n`);\n return undefined;\n }\n return parsed.data;\n}\n"],"mappings":";;;AAAA,SAAS,SAAS;AAOX,IAAM,aAAa;AAAA,EACxB;AAAA,EAAQ;AAAA,EAAmB;AAAA,EAAY;AAAA,EACvC;AAAA,EAAe;AAAA,EAAgB;AAAA,EAC/B;AAAA,EAAkB;AAAA,EAAS;AAAA,EAC3B;AAAA,EAAa;AAAA,EAAO;AAAA,EACpB;AAAA,EAAe;AAAA,EAAa;AAC9B;AAQO,IAAM,mBAAmB;AAAA,EAC9B,MAAW,CAAC,WAAW;AAAA,EACvB,KAAW,CAAC,eAAe,cAAc;AAAA,EACzC,MAAW,CAAC,mBAAmB,YAAY,SAAS,cAAc;AAAA,EAClE,WAAW,CAAC,kBAAkB,SAAS,OAAO;AAAA,EAC9C,OAAW,CAAC,QAAQ,aAAa,OAAO,aAAa;AAAA,EACrD,QAAW,CAAC,aAAa;AAC3B;AAEO,IAAM,qBAAqB;AAAA,EAChC;AAAA,EAAe;AAAA,EAAc;AAAA,EAC7B;AAAA,EAAS;AAAA,EAAY;AACvB;AAMA,IAAM,eAAe,EAAE,OAAO,EAAE,MAAM,cAAc,oCAAoC;AAGjF,IAAM,eAAe,CAAC,UAAU,SAAS,WAAW,QAAQ;AAI5D,IAAM,kBAAkB,EAAE,OAAO;AAAA,EACtC,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAE,SAAS,uCAAuC;AAAA,EACjF,UAAU;AAAA,EACV,QAAQ,EAAE,KAAK,YAAY;AAAA,EAC3B,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,kDAAkD;AAC3F,CAAC;AAGM,IAAM,aAAa,EAAE,OAAO;AAAA,EACjC,IAAI,EAAE,OAAO,EAAE,SAAS,mDAAmD;AAAA,EAC3E,MAAM,EAAE,KAAK,UAAU;AAAA,EACvB,MAAM,EAAE,OAAO;AAAA,EACf,eAAe,EAAE,OAAO;AAAA,EACxB,YAAY,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,QAAQ,GAAG;AAAA,EAChD,UAAU,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,QAAQ,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EACtD,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EACpC,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,8CAA8C;AAAA,EACrF,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,2CAA2C;AAAA,EACrF,cAAc,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS,EAAE,SAAS,+BAA0B;AAAA,EACvF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,2DAA2D;AAAA,EACjG,MAAM,gBAAgB,SAAS,EAAE,SAAS,8CAA8C;AAC1F,CAAC;AAGM,IAAM,aAAa,EAAE,OAAO;AAAA,EACjC,UAAU,EAAE,OAAO;AAAA,EACnB,UAAU,EAAE,OAAO;AAAA,EACnB,cAAc,EAAE,KAAK,kBAAkB;AAAA,EACvC,UAAU,EAAE,OAAO;AAAA,EACnB,YAAY,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,QAAQ,GAAG;AAClD,CAAC;AAYM,IAAM,iBAAiB,CAAC,QAAQ,cAAc,MAAM;AACpD,IAAM,qBAAqB,EAAE,KAAK,cAAc;AAehD,IAAM,kBAAkB,EAAE,OAAO;AAAA,EACtC,IAAI,EAAE,OAAO;AAAA,EACb,MAAM,EAAE,OAAO;AAAA,EACf,QAAQ,EAAE,OAAO;AAAA,EACjB,WAAW,EAAE,OAAO,EAAE,SAAS;AAAA,EAC/B,cAAc,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EAClD,UAAU,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,QAAQ,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EACtD,UAAU,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,GAAG,GAAG,EAAE,OAAO,EAAE,CAAC;AACrD,CAAC;AAGM,IAAM,gBAAgB,EAAE,OAAO;AAAA,EACpC,IAAI,EAAE,OAAO;AAAA,EACb,OAAO,EAAE,OAAO;AAAA,EAChB,QAAQ,EAAE,OAAO;AAAA,EACjB,OAAO,EAAE,OAAO;AAAA,EAChB,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EAC5B,UAAU,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,GAAG,GAAG,EAAE,OAAO,EAAE,CAAC;AACrD,CAAC;AAGM,IAAM,mBAAmB,EAAE,OAAO;AAAA,EACvC,IAAI,EAAE,OAAO;AAAA,EACb,eAAe,EAAE,OAAO;AAAA,EACxB,eAAe,EAAE,OAAO;AAAA,EACxB,MAAM,EAAE,OAAO,EAAE,SAAS;AAC5B,CAAC;AAWM,IAAM,gBAAwC;AAAA,EACnD,mBAAmB;AAAA,EACnB,gBAAgB;AAAA,EAChB,aAAa;AAAA,EACb,WAAW;AAAA,EACX,MAAM;AAAA,EACN,aAAa;AAAA,EACb,SAAS;AAAA,EACT,eAAe;AAAA,EACf,cAAc;AAAA,EACd,cAAc;AAAA,EACd,aAAa;AAAA,EACb,aAAa;AAAA,EACb,kBAAkB;AAAA,EAClB,SAAS;AACX;AAGO,IAAM,iBAAiB;AAAA,EAC5B;AAAA,EAAW;AAAA,EAAW;AAAA,EAAW;AAAA,EAAW;AAAA,EAC5C;AAAA,EAAW;AAAA,EAAW;AAAA,EAAW;AAAA,EAAW;AAAA,EAC5C;AAAA,EAAW;AAAA,EAAW;AAAA,EAAW;AAAA,EAAW;AAAA,EAAW;AACzD;AAgFO,IAAM,eAAe,CAAC,QAAQ,QAAQ,UAAU,aAAa,gBAAgB,YAAY,QAAQ,SAAS,MAAM;AAehH,IAAM,gBAAgB,CAAC,UAAU,WAAW;AAG5C,IAAM,qBAAqB,CAAC,OAAO,UAAU,MAAM;AAgCnD,IAAM,6BAAgD;AAAA,EAC3D,kBAAkB;AAAA,EAClB,kBAAkB;AAAA,EAClB,eAAe;AACjB;AAkBO,IAAM,aAAa,CAAC,QAAQ,WAAW,UAAU;AAQjD,IAAM,yBAAyB;AAAA,EACpC;AAAA,EAAkB;AAAA,EAAU;AAAA,EAAW;AAAA,EAAW;AAAA,EAAQ;AAAA,EAC1D;AAAA,EAAa;AAAA,EAAO;AAAA,EAAc;AAAA,EAAS;AAAA,EAAa;AAAA,EAAQ;AAClE;AAoDO,IAAM,oBAAoB,EAAE,OAAO;AAAA,EACxC,aAAa,EAAE,KAAK,UAAU,EAAE,QAAQ,MAAM;AAAA,EAC9C,OAAO,EAAE,MAAM,EAAE,OAAO;AAAA,IACtB,MAAM,EAAE,KAAK,CAAC,UAAU,SAAS,CAAC;AAAA,IAClC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,IAC/B,OAAO,EAAE,OAAO,EAAE,SAAS;AAAA,IAC3B,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,EAClD,CAAC,CAAC,EAAE,QAAQ,CAAC,EAAE,MAAM,SAAS,CAAC,CAAC;AAClC,CAAC,EAAE,YAAY,CAAC,KAAK,QAAQ;AAC3B,aAAW,CAAC,GAAG,CAAC,KAAK,IAAI,MAAM,QAAQ,GAAG;AACxC,QAAI,EAAE,SAAS,aAAa,CAAC,EAAE,KAAK;AAClC,UAAI,SAAS,EAAE,MAAM,UAAU,MAAM,CAAC,SAAS,GAAG,KAAK,GAAG,SAAS,8BAA8B,CAAC;AAAA,IACpG;AAAA,EACF;AACF,CAAC;AAKM,IAAM,iBAAiB,CAAC,QAAQ,QAAQ,aAAa;AASrD,IAAM,uBAAuB,EACjC,OAAO;AAAA;AAAA,EAEN,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA;AAAA,EAEtB,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,EAAE,SAAS,EAAE,SAAS;AAAA;AAAA,EAE5D,cAAc,EAAE,KAAK,cAAc,EAAE,QAAQ,MAAM;AAAA;AAAA,EAEnD,QAAQ,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS;AACrC,CAAC,EACA,OAAO;AAeH,IAAM,wBAAwB,EAClC,OAAO;AAAA;AAAA,EAEN,KAAK,EAAE,OAAO,EAAE,IAAI;AAAA;AAAA,EAEpB,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA;AAAA,EAEvB,KAAK,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS;AAAA;AAAA,EAEhC,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,GAAI,EAAE,SAAS;AAC5D,CAAC,EACA,OAAO;AASH,SAAS,iBAAiB,MAAyB,QAAQ,KAA+B;AAC/F,QAAM,MAAgC,CAAC;AACvC,MAAI,IAAI,wBAAyB,KAAI,MAAM,IAAI;AAC/C,MAAI,IAAI,0BAA2B,KAAI,QAAQ,IAAI;AACnD,MAAI,IAAI,wBAAyB,KAAI,MAAM,IAAI;AAC/C,SAAO;AACT;AAWO,IAAM,mBAAmB,CAAC,WAAW,YAAY,UAAU,UAAU;AA6BrE,IAAM,mBAAmB,EAC7B,OAAO;AAAA,EACN,UAAU,qBAAqB,SAAS;AAAA,EACxC,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,EAAE,SAAS,EAAE,SAAS;AAAA,EAC5D,QAAQ,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EACnC,cAAc,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EACzC,WAAW,sBAAsB,SAAS;AAC5C,CAAC,EACA,OAAO;AA+EH,IAAM,qBAAqB;AAE3B,IAAM,qBAAqB;AAE3B,SAAS,cAAc,YAAwC,CAAC,GAAsB;AAC3F,QAAM,OAAO,QAAQ,IAAI,QAAQ,QAAQ,IAAI,eAAe;AAC5D,QAAM,OAA0B;AAAA,IAC9B,UAAU;AAAA,IACV,UAAU;AAAA,IACV,aAAa,CAAC,WAAW;AAAA,IACzB,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,QAAQ,EAAE,MAAM,oBAAoB,MAAM,mBAAmB;AAAA,IAC7D,WAAW;AAAA,IACX,QAAQ,GAAG,IAAI;AAAA,IACf,SAAS;AAAA,IACT,sBAAsB;AAAA,IACtB,SAAS,CAAC;AAAA,IACV,SAAS,EAAE,SAAS,MAAM,GAAG,2BAA2B;AAAA,EAC1D;AACA,QAAM,SAAS,EAAE,GAAG,MAAM,GAAG,UAAU;AAIvC,QAAM,OAAO,UAAU,QAAQ,QAAQ,OAAO;AAC9C,QAAM,OAAO,UAAU,QAAQ,QAAQ,OAAO,OAAO;AAOrD,QAAM,YAAY,iBAAiB,UAAU,SAAS;AAEtD,QAAM,MAAyB,EAAE,GAAG,QAAQ,YAAY,MAAM,QAAQ,EAAE,MAAM,KAAK,EAAE;AAGrF,MAAI,UAAW,KAAI,YAAY;AAAA,MAC1B,QAAO,IAAI;AAChB,SAAO;AACT;AASA,SAAS,iBAAiB,UAAkE;AAC1F,QAAM,MAAM,iBAAiB;AAC7B,QAAM,YAAsC,EAAE,GAAG,KAAK,GAAG,SAAS;AAClE,MAAI,UAAU,QAAQ,UAAa,UAAU,UAAU,UAAa,UAAU,QAAQ,UAAa,UAAU,cAAc,QAAW;AACpI,WAAO;AAAA,EACT;AACA,QAAM,SAAS,sBAAsB,UAAU,SAAS;AACxD,MAAI,CAAC,OAAO,SAAS;AACnB,UAAM,SAAS,OAAO,MAAM,OAAO,IAAI,CAAC,MAAM,GAAG,EAAE,KAAK,KAAK,GAAG,KAAK,QAAQ,KAAK,EAAE,OAAO,EAAE,EAAE,KAAK,IAAI;AACxG,YAAQ,OAAO,MAAM,oDAAoD,MAAM;AAAA,CAAI;AACnF,WAAO;AAAA,EACT;AACA,SAAO,OAAO;AAChB;","names":[]}