npm - @datasynx/agentic-ai-cartography - Versions diffs - 2.3.0 → 2.5.0 - Mend

@datasynx/agentic-ai-cartography 2.3.0 → 2.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/dist/api-bin.js +3 -3
package/dist/{chunk-7QEBFMN4.js → chunk-GA4427LB.js} +147 -18
package/dist/chunk-GA4427LB.js.map +1 -0
package/dist/{chunk-7VZH5PFV.js → chunk-NQXZUWOI.js} +42 -12
package/dist/chunk-NQXZUWOI.js.map +1 -0
package/dist/{chunk-WCR47QA2.js → chunk-QQOQBE2A.js} +16 -5
package/dist/chunk-QQOQBE2A.js.map +1 -0
package/dist/{chunk-B2AKONVW.js → chunk-RYQ4KQCK.js} +253 -56
package/dist/chunk-RYQ4KQCK.js.map +1 -0
package/dist/cli.js +89 -10
package/dist/cli.js.map +1 -1
package/dist/index.cjs +502 -75
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +390 -11
package/dist/index.d.ts +390 -11
package/dist/index.js +475 -73
package/dist/index.js.map +1 -1
package/dist/mcp-bin.js +3 -3
package/dist/{types-TJWXAQ2L.js → types-5L3AGZLG.js} +2 -2
package/package.json +1 -1
package/server.json +2 -2
package/dist/chunk-7QEBFMN4.js.map +0 -1
package/dist/chunk-7VZH5PFV.js.map +0 -1
package/dist/chunk-B2AKONVW.js.map +0 -1
package/dist/chunk-WCR47QA2.js.map +0 -1
/package/dist/{types-TJWXAQ2L.js.map → types-5L3AGZLG.js.map} +0 -0

package/dist/{chunk-B2AKONVW.js → chunk-RYQ4KQCK.js} RENAMED Viewed

@@ -1,9 +1,12 @@
 #!/usr/bin/env node
 import {
+  AuthorizationError,
   CartographyDB,
   RulesetSchema,
+  SqliteCredentialStore,
   assertSafeBind,
-  checkBearer,
+  authorize,
+  bearerToken,
   cloudAwsScanner,
   cloudAzureScanner,
   cloudGcpScanner,
@@ -17,10 +20,11 @@ import {
   keyMetaOf,
   normalizeTenant,
   redactValue,
+  resolvePrincipal,
   sanitizeUntrusted,
   stableStringify,
   stripSensitive
-} from "./chunk-7QEBFMN4.js";
+} from "./chunk-GA4427LB.js";
 import {
   EdgeSchema,
   NODE_TYPES,
@@ -29,7 +33,7 @@ import {
   SECURITY_METADATA_KEYS,
   SEVERITIES,
   defaultConfig
-} from "./chunk-WCR47QA2.js";
+} from "./chunk-QQOQBE2A.js";
 import {
   IS_WIN,
   PLATFORM,
@@ -965,6 +969,41 @@ var StdoutSink = class {
 // src/sinks/webhook.ts
 var LOOPBACK_HOSTS = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "[::1]", "::1"]);
+async function postJson(opts) {
+  const doFetch = opts.fetchImpl ?? (typeof fetch === "function" ? fetch : void 0);
+  if (!doFetch) {
+    logWarn("sink unavailable: global fetch missing", { sink: opts.sinkName });
+    return;
+  }
+  if (!opts.url) {
+    logWarn("sink unavailable: no url configured", { sink: opts.sinkName });
+    return;
+  }
+  if (!isSecureWebhookUrl(opts.url)) {
+    logWarn("sink refused: insecure scheme (use https:// or a loopback host)", {
+      sink: opts.sinkName,
+      host: stripSensitive(opts.url)
+    });
+    return;
+  }
+  try {
+    const res = await doFetch(opts.url, {
+      method: "POST",
+      headers: { "content-type": "application/json", ...opts.headers ?? {} },
+      body: JSON.stringify(opts.body),
+      signal: AbortSignal.timeout(opts.timeoutMs ?? 1e4)
+    });
+    if (!res.ok) {
+      logError("sink delivery failed", { sink: opts.sinkName, host: stripSensitive(opts.url), status: res.status });
+    }
+  } catch (err) {
+    logError("sink delivery failed", {
+      sink: opts.sinkName,
+      host: stripSensitive(opts.url),
+      reason: err instanceof Error ? err.message : String(err)
+    });
+  }
+}
 function isSecureWebhookUrl(url, env = process.env) {
   if (env.CARTOGRAPHY_ALLOW_INSECURE_SYNC === "1") return true;
   let parsed;
@@ -983,59 +1022,177 @@ var WebhookSink = class {
   }
   name = "webhook";
   async emit(alert) {
-    if (typeof fetch !== "function") {
-      logWarn("webhook sink unavailable: global fetch missing", { sink: this.name });
-      return;
-    }
     const { url, token, timeoutMs } = this.opts;
-    if (!url) {
-      logWarn("webhook sink unavailable: no url configured", { sink: this.name });
-      return;
-    }
-    if (!isSecureWebhookUrl(url)) {
-      logWarn("webhook sink refused: insecure scheme (use https:// or a loopback host)", {
-        sink: this.name,
-        host: stripSensitive(url)
-      });
-      return;
-    }
-    try {
-      const res = await fetch(url, {
-        method: "POST",
-        headers: {
-          "content-type": "application/json",
-          ...token ? { authorization: `Bearer ${token}` } : {}
-        },
-        body: JSON.stringify(redactValue(alert)),
-        signal: AbortSignal.timeout(timeoutMs ?? 1e4)
-      });
-      if (!res.ok) {
-        logError("webhook sink failed", { sink: this.name, host: stripSensitive(url), status: res.status });
+    await postJson({
+      url,
+      body: redactValue(alert),
+      ...token ? { headers: { authorization: `Bearer ${token}` } } : {},
+      ...timeoutMs !== void 0 ? { timeoutMs } : {},
+      sinkName: this.name
+    });
+  }
+};
+// src/sinks/providers.ts
+var MAX_ITEMS = 20;
+var SEVERITY_EMOJI = { info: "\u{1F7E2}", warning: "\u{1F7E1}", critical: "\u{1F534}" };
+function headline(alert) {
+  const s = alert.summary;
+  return `${s.nodesAdded}+ / ${s.nodesRemoved}- / ${s.nodesChanged}~ nodes, ${s.edgesAdded}+ / ${s.edgesRemoved}- edges`;
+}
+function itemLine(it) {
+  const sec = it.securityFields?.length ? ` [security: ${it.securityFields.join(", ")}]` : "";
+  const fields = it.changedFields?.length ? ` (${it.changedFields.join(", ")})` : "";
+  return `${it.severity.toUpperCase()} \xB7 ${it.kind} \xB7 ${it.label}${fields}${sec}`;
+}
+function bodyText(alert) {
+  const lines = alert.items.slice(0, MAX_ITEMS).map(itemLine);
+  const more = alert.items.length > MAX_ITEMS ? [`\u2026and ${alert.items.length - MAX_ITEMS} more`] : [];
+  return [headline(alert), "", ...lines, ...more].join("\n");
+}
+function formatSlack(alert) {
+  const title = `${SEVERITY_EMOJI[alert.severity]} Topology drift \u2014 ${alert.severity}`;
+  return {
+    text: `${title}: ${headline(alert)}`,
+    blocks: [
+      { type: "header", text: { type: "plain_text", text: title, emoji: true } },
+      { type: "section", text: { type: "mrkdwn", text: "```" + bodyText(alert) + "```" } },
+      { type: "context", elements: [{ type: "mrkdwn", text: `base ${alert.base.sessionId} \u2192 current ${alert.current.sessionId} \xB7 ${alert.generatedAt}` }] }
+    ]
+  };
+}
+var PD_SEVERITY = {
+  info: "info",
+  warning: "warning",
+  critical: "critical"
+};
+function formatPagerDuty(alert, routingKey) {
+  return {
+    routing_key: routingKey,
+    event_action: "trigger",
+    // Stable per base→current pair so repeated alerts for the same delta de-duplicate.
+    dedup_key: `cartograph-drift:${alert.base.sessionId}:${alert.current.sessionId}`,
+    payload: {
+      summary: `Cartograph topology drift (${alert.severity}): ${headline(alert)}`,
+      source: "cartograph",
+      severity: PD_SEVERITY[alert.severity],
+      timestamp: alert.generatedAt,
+      custom_details: {
+        summary: alert.summary,
+        items: alert.items.slice(0, MAX_ITEMS).map((it) => ({
+          kind: it.kind,
+          ref: it.ref,
+          severity: it.severity,
+          ...it.changedFields ? { changedFields: it.changedFields } : {},
+          ...it.securityFields ? { securityFields: it.securityFields } : {}
+        }))
       }
-    } catch (err) {
-      logError("webhook sink failed", {
-        sink: this.name,
-        host: stripSensitive(url),
-        reason: err instanceof Error ? err.message : String(err)
-      });
     }
+  };
+}
+function formatJira(alert, opts) {
+  return {
+    fields: {
+      project: { key: opts.project },
+      issuetype: { name: opts.issueType ?? "Task" },
+      summary: `Cartograph topology drift (${alert.severity}): ${headline(alert)}`,
+      description: bodyText(alert) + `
+base ${alert.base.sessionId} \u2192 current ${alert.current.sessionId}
+generated ${alert.generatedAt}`
+    }
+  };
+}
+// src/sinks/provider-sink.ts
+var PAGERDUTY_ENQUEUE_URL = "https://events.pagerduty.com/v2/enqueue";
+function deliver(name, url, body, opts, headers) {
+  return postJson({
+    url,
+    body,
+    sinkName: name,
+    ...headers ? { headers } : {},
+    ...opts.timeoutMs !== void 0 ? { timeoutMs: opts.timeoutMs } : {},
+    ...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+  });
+}
+var SlackSink = class {
+  constructor(opts) {
+    this.opts = opts;
+  }
+  name = "slack";
+  async emit(alert) {
+    await deliver(this.name, this.opts.url, formatSlack(redactValue(alert)), this.opts);
+  }
+};
+var PagerDutySink = class {
+  constructor(opts) {
+    this.opts = opts;
+  }
+  name = "pagerduty";
+  async emit(alert) {
+    const body = formatPagerDuty(redactValue(alert), this.opts.routingKey);
+    await deliver(this.name, this.opts.url || PAGERDUTY_ENQUEUE_URL, body, this.opts);
+  }
+};
+var JiraSink = class {
+  constructor(opts) {
+    this.opts = opts;
+  }
+  name = "jira";
+  async emit(alert) {
+    const body = formatJira(redactValue(alert), {
+      project: this.opts.project,
+      ...this.opts.issueType ? { issueType: this.opts.issueType } : {}
+    });
+    const auth = Buffer.from(`${this.opts.email}:${this.opts.token}`).toString("base64");
+    const base = this.opts.url.replace(/\/+$/, "");
+    await deliver(this.name, `${base}/rest/api/2/issue`, body, this.opts, { authorization: `Basic ${auth}` });
   }
 };
 // src/sinks/index.ts
 function buildSinks(drift) {
   const configs = drift?.sinks && drift.sinks.length > 0 ? drift.sinks : [{ type: "stdout" }];
+  const envSecret = process.env.CARTOGRAPHY_DRIFT_TOKEN;
   const sinks = [];
   for (const s of configs) {
-    if (s.type === "webhook") {
-      if (!s.url) continue;
-      sinks.push(new WebhookSink({
-        url: s.url,
-        token: s.token ?? process.env.CARTOGRAPHY_DRIFT_TOKEN,
-        timeoutMs: s.timeoutMs
-      }));
-    } else {
-      sinks.push(new StdoutSink());
+    const timeoutMs = s.timeoutMs;
+    switch (s.type) {
+      case "webhook":
+        if (!s.url) {
+          logWarn("drift sink skipped: webhook requires a url", { sink: s.type });
+          break;
+        }
+        sinks.push(new WebhookSink({ url: s.url, token: s.token ?? envSecret, timeoutMs }));
+        break;
+      case "slack":
+        if (!s.url) {
+          logWarn("drift sink skipped: slack requires a webhook url", { sink: s.type });
+          break;
+        }
+        sinks.push(new SlackSink({ url: s.url, timeoutMs }));
+        break;
+      case "pagerduty": {
+        const routingKey = s.routingKey ?? s.token ?? envSecret;
+        if (!routingKey) {
+          logWarn("drift sink skipped: pagerduty requires a routingKey (or CARTOGRAPHY_DRIFT_TOKEN)", { sink: s.type });
+          break;
+        }
+        sinks.push(new PagerDutySink({ url: s.url ?? PAGERDUTY_ENQUEUE_URL, routingKey, timeoutMs }));
+        break;
+      }
+      case "jira": {
+        const token = s.token ?? envSecret;
+        if (!s.url || !s.email || !s.project || !token) {
+          logWarn("drift sink skipped: jira requires url, email, project and a token", { sink: s.type });
+          break;
+        }
+        sinks.push(new JiraSink({ url: s.url, email: s.email, token, project: s.project, issueType: s.issueType, timeoutMs }));
+        break;
+      }
+      default:
+        sinks.push(new StdoutSink());
     }
   }
   return sinks.length > 0 ? sinks : [new StdoutSink()];
@@ -1381,7 +1538,7 @@ async function executeNlQuery(db, sessionId, search, intent, opts = {}) {
 // src/mcp/server.ts
 var SERVER_NAME = "cartography";
-var SERVER_VERSION = "2.3.0";
+var SERVER_VERSION = "2.5.0";
 var SERVICE_TYPES = NODE_TYPE_GROUPS.web;
 var DATA_TYPES = NODE_TYPE_GROUPS.data;
 var lexicalSearch = async (db, sessionId, query, opts) => db.searchNodes(sessionId, query, { types: opts.types, limit: opts.limit }).map((node) => ({ node }));
@@ -1783,6 +1940,14 @@ function createMcpServer(opts = {}) {
         annotations: { readOnlyHint: false, destructiveHint: false, openWorldHint: true }
       },
       async (args) => {
+        if (opts.principal) {
+          try {
+            authorize(opts.principal, "discovery");
+          } catch (err) {
+            if (err instanceof AuthorizationError) return json({ error: `forbidden: role '${opts.principal.role}' may not run discovery (operator required)` });
+            throw err;
+          }
+        }
         let sid = resolveSession();
         if (args.update) {
           if (!sid) return json({ error: "No session to update; run discovery first." });
@@ -1882,6 +2047,9 @@ import { randomUUID } from "crypto";
 import http from "http";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+function samePrincipal(a, b) {
+  return a.subject === b.subject && a.tenant === b.tenant && a.role === b.role;
+}
 async function runStdio(server) {
   const transport = new StdioServerTransport();
   await server.connect(transport);
@@ -1926,6 +2094,14 @@ async function runHttp(factory, opts = {}) {
   assertSafeBind({ host, port, ...opts.allowedHosts ? { allowedHosts: opts.allowedHosts } : {}, ...opts.token ? { token: opts.token } : {} });
   const allowedHosts = opts.allowedHosts ?? defaultAllowedHosts(host, port);
   const token = opts.token;
+  const authStore = opts.auth?.store;
+  const defaultTenant = opts.defaultTenant;
+  const resolveAuth = (header) => resolvePrincipal(bearerToken(header), {
+    ...authStore ? { store: authStore } : {},
+    ...token ? { sharedToken: token } : {},
+    ...defaultTenant ? { defaultTenant } : {},
+    ...opts.auth?.required ? { required: true } : {}
+  });
   const transports = /* @__PURE__ */ new Map();
   const httpServer = http.createServer(async (req, res) => {
     try {
@@ -1935,7 +2111,8 @@ async function runHttp(factory, opts = {}) {
         res.writeHead(404, { "content-type": "application/json" }).end('{"error":"not found"}');
         return;
       }
-      if (!checkBearer(req.headers["authorization"], token)) {
+      const principal = resolveAuth(req.headers["authorization"]);
+      if (!principal) {
         res.writeHead(401, { "content-type": "application/json", "www-authenticate": "Bearer" }).end('{"error":"unauthorized"}');
         return;
       }
@@ -1962,8 +2139,12 @@ async function runHttp(factory, opts = {}) {
       const sessionId = req.headers["mcp-session-id"];
       const existing = sessionId ? transports.get(sessionId) : void 0;
       if (existing) {
+        if (!samePrincipal(existing.principal, principal)) {
+          res.writeHead(403, { "content-type": "application/json" }).end('{"error":"session belongs to a different principal"}');
+          return;
+        }
         const body2 = req.method === "POST" ? await readJsonBody(req) : void 0;
-        await existing.handleRequest(req, res, body2);
+        await existing.transport.handleRequest(req, res, body2);
         return;
       }
       if (req.method !== "POST") {
@@ -1977,13 +2158,13 @@ async function runHttp(factory, opts = {}) {
         allowedHosts,
         ...opts.allowedOrigins ? { allowedOrigins: opts.allowedOrigins } : {},
         onsessioninitialized: (id) => {
-          transports.set(id, transport);
+          transports.set(id, { transport, principal });
         }
       });
       transport.onclose = () => {
         if (transport.sessionId) transports.delete(transport.sessionId);
       };
-      await factory().connect(transport);
+      await factory(principal).connect(transport);
       await transport.handleRequest(req, res, body);
     } catch (err) {
       process.stderr.write(`[cartography-mcp] HTTP request failed: ${err instanceof Error ? err.message : String(err)}
@@ -2271,7 +2452,7 @@ function revalidateAnonymized(node, level, mode) {
 // src/central/ingest.ts
 var INGEST_SCHEMA_VERSION = 1;
-var MAX_ITEMS = 5e4;
+var MAX_ITEMS2 = 5e4;
 var ContributorSchema = z3.object({
   machineId: z3.string().min(1),
   hostname: z3.string().default("unknown"),
@@ -2285,7 +2466,7 @@ var IngestEnvelopeSchema = z3.object({
     contentHash: z3.string(),
     kind: z3.enum(["node", "edge"]),
     payload: z3.unknown()
-  })).max(MAX_ITEMS),
+  })).max(MAX_ITEMS2),
   // Extensions (forward-compatible; 2.11 does not yet send these).
   contributor: ContributorSchema.optional(),
   anonymizationLevel: z3.enum(["none", "anonymized", "full"]).optional()
@@ -2405,7 +2586,8 @@ function parseMcpArgs(argv) {
     else if (a === "--anon-mode") {
       const m = argv[++i];
       if (m === "reject" || m === "strip") opts.anonMode = m;
-    } else if (a === "--help" || a === "-h") opts.help = true;
+    } else if (a === "--auth-required") opts.authRequired = true;
+    else if (a === "--help" || a === "-h") opts.help = true;
   }
   return opts;
 }
@@ -2420,8 +2602,21 @@ async function startMcp(opts = {}) {
   const discovery = localDiscoveryFn(void 0, plugins);
   const tenant = normalizeTenant(opts.tenant);
   const serverMode = opts.serverMode === true;
-  const org = serverMode ? tenant : void 0;
-  const factory = () => createMcpServer({ db, session: opts.session ?? "latest", tenant, search, discovery, ...org !== void 0 ? { org } : {} });
+  const authStore = new SqliteCredentialStore(db);
+  const rbacActive = authStore.count() > 0;
+  const factory = (principal) => {
+    const scopeTenant = rbacActive && principal ? principal.tenant : tenant;
+    const orgArg = serverMode ? scopeTenant : void 0;
+    return createMcpServer({
+      db,
+      session: opts.session ?? "latest",
+      tenant: scopeTenant,
+      search,
+      discovery,
+      ...principal ? { principal } : {},
+      ...orgArg !== void 0 ? { org: orgArg } : {}
+    });
+  };
   const transport = serverMode ? "http" : opts.transport;
   if (transport === "http") {
     const port = opts.port ?? 3737;
@@ -2436,6 +2631,8 @@ async function startMcp(opts = {}) {
     await runHttp(factory, {
       port,
       host,
+      auth: { store: authStore, ...opts.authRequired ? { required: true } : {} },
+      defaultTenant: tenant,
       ...opts.allowedHosts ? { allowedHosts: opts.allowedHosts } : {},
       ...token ? { token } : {},
       ...onIngest ? { onIngest } : {}
@@ -2462,4 +2659,4 @@ export {
   parseMcpArgs,
   startMcp
 };
-//# sourceMappingURL=chunk-B2AKONVW.js.map
+//# sourceMappingURL=chunk-RYQ4KQCK.js.map