npm - @datasynx/agentic-ai-cartography - Versions diffs - 2.4.0 → 2.5.0 - Mend

@datasynx/agentic-ai-cartography 2.4.0 → 2.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/dist/api-bin.js +2 -2
package/dist/{chunk-X5JA2UDT.js → chunk-GA4427LB.js} +134 -14
package/dist/chunk-GA4427LB.js.map +1 -0
package/dist/{chunk-L4OSL7I6.js → chunk-NQXZUWOI.js} +41 -11
package/dist/chunk-NQXZUWOI.js.map +1 -0
package/dist/{chunk-B4QWX7CP.js → chunk-RYQ4KQCK.js} +55 -11
package/dist/chunk-RYQ4KQCK.js.map +1 -0
package/dist/cli.js +87 -8
package/dist/cli.js.map +1 -1
package/dist/index.cjs +262 -26
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +223 -3
package/dist/index.d.ts +223 -3
package/dist/index.js +244 -24
package/dist/index.js.map +1 -1
package/dist/mcp-bin.js +2 -2
package/package.json +1 -1
package/server.json +2 -2
package/dist/chunk-B4QWX7CP.js.map +0 -1
package/dist/chunk-L4OSL7I6.js.map +0 -1
package/dist/chunk-X5JA2UDT.js.map +0 -1

package/dist/api-bin.js CHANGED Viewed

@@ -2,8 +2,8 @@
 import {
   parseApiArgs,
   startApi
-} from "./chunk-L4OSL7I6.js";
-import "./chunk-X5JA2UDT.js";
+} from "./chunk-NQXZUWOI.js";
+import "./chunk-GA4427LB.js";
 import "./chunk-QQOQBE2A.js";
 import "./chunk-2SZ5QHGH.js";

package/dist/{chunk-X5JA2UDT.js → chunk-GA4427LB.js} RENAMED Viewed

@@ -1774,7 +1774,10 @@ CREATE TABLE IF NOT EXISTS activity_events (
   duration_ms INTEGER,
   command TEXT,
   result_bytes INTEGER,
-  tenant TEXT NOT NULL DEFAULT 'local'
+  tenant TEXT NOT NULL DEFAULT 'local',
+  actor_subject TEXT,
+  actor_role TEXT,
+  actor_tenant TEXT
 );
 CREATE TABLE IF NOT EXISTS tasks (
@@ -1883,6 +1886,16 @@ CREATE INDEX IF NOT EXISTS idx_nodes_tenant_content ON nodes(tenant, content_has
 CREATE INDEX IF NOT EXISTS idx_contrib_org ON node_contributors(organization, global_id);
 CREATE INDEX IF NOT EXISTS idx_nodes_owner ON nodes(session_id, owner);
 `;
+var AUTH_SCHEMA = `
+CREATE TABLE IF NOT EXISTS auth_credentials (
+  token_hash TEXT PRIMARY KEY,
+  subject TEXT NOT NULL,
+  tenant TEXT NOT NULL DEFAULT 'local',
+  role TEXT NOT NULL,
+  created_at TEXT NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_auth_subject ON auth_credentials(subject);
+`;
 var CartographyDB = class {
   db;
   /** 3.6 anomaly settings; defaults apply when no `anomaly` config is supplied. */
@@ -1902,7 +1915,8 @@ var CartographyDB = class {
     const version = this.db.pragma("user_version", { simple: true });
     if (version === 0) {
       this.db.exec(SCHEMA);
-      this.db.pragma("user_version = 14");
+      this.db.exec(AUTH_SCHEMA);
+      this.db.pragma("user_version = 15");
       return;
     } else if (version === 1) {
       const cols = this.db.prepare("PRAGMA table_info(nodes)").all().map((c) => c.name);
@@ -2088,6 +2102,18 @@ var CartographyDB = class {
       }
       this.db.pragma("user_version = 14");
     }
+    const v14 = this.db.pragma("user_version", { simple: true });
+    if (v14 < 15) {
+      this.db.exec(AUTH_SCHEMA);
+      const ev = this.db.prepare("PRAGMA table_info(activity_events)").all();
+      if (ev.length > 0) {
+        const cols = ev.map((c) => c.name);
+        if (!cols.includes("actor_subject")) this.db.exec("ALTER TABLE activity_events ADD COLUMN actor_subject TEXT");
+        if (!cols.includes("actor_role")) this.db.exec("ALTER TABLE activity_events ADD COLUMN actor_role TEXT");
+        if (!cols.includes("actor_tenant")) this.db.exec("ALTER TABLE activity_events ADD COLUMN actor_tenant TEXT");
+      }
+      this.db.pragma("user_version = 15");
+    }
   }
   close() {
     this.db.pragma("optimize");
@@ -2518,13 +2544,13 @@ var CartographyDB = class {
     });
   }
   // ── Events ──────────────────────────────
-  insertEvent(sessionId, event, taskId) {
+  insertEvent(sessionId, event, taskId, actor) {
     const id = crypto.randomUUID();
     const tenant = this.tenantOf(sessionId);
     this.db.prepare(`
       INSERT INTO activity_events
-        (id, session_id, task_id, timestamp, event_type, process, pid, target, target_type, port, command, result_bytes, tenant)
-      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+        (id, session_id, task_id, timestamp, event_type, process, pid, target, target_type, port, command, result_bytes, tenant, actor_subject, actor_role, actor_tenant)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
     `).run(
       id,
       sessionId,
@@ -2538,9 +2564,52 @@ var CartographyDB = class {
       event.port ?? null,
       event.command ?? null,
       event.resultBytes ?? null,
-      tenant
+      tenant,
+      actor?.subject ?? null,
+      actor?.role ?? null,
+      actor?.tenant ?? null
     );
   }
+  // ── RBAC credential store (4.5) ─────────────
+  /** Number of stored credentials. `0` ⇒ no RBAC configured (fall back to shared/loopback). */
+  countCredentials() {
+    return this.db.prepare("SELECT COUNT(*) AS n FROM auth_credentials").get().n;
+  }
+  /** Look up a credential by its sha256 token hash. */
+  findCredentialByHash(tokenHash) {
+    const r = this.db.prepare("SELECT * FROM auth_credentials WHERE token_hash = ?").get(tokenHash);
+    if (!r) return void 0;
+    return {
+      tokenHash: r["token_hash"],
+      subject: r["subject"],
+      tenant: r["tenant"],
+      role: r["role"],
+      createdAt: r["created_at"]
+    };
+  }
+  /** Upsert a credential (idempotent on the token hash). Stores only the hash, never the raw token. */
+  addCredential(rec) {
+    this.db.prepare(`
+      INSERT INTO auth_credentials (token_hash, subject, tenant, role, created_at)
+      VALUES (?, ?, ?, ?, ?)
+      ON CONFLICT(token_hash) DO UPDATE SET subject = excluded.subject, tenant = excluded.tenant, role = excluded.role
+    `).run(rec.tokenHash, rec.subject, rec.tenant, rec.role, (/* @__PURE__ */ new Date()).toISOString());
+  }
+  /** List all credentials (token hashes only — the raw token is unrecoverable). */
+  listCredentials() {
+    const rows = this.db.prepare("SELECT * FROM auth_credentials ORDER BY created_at").all();
+    return rows.map((r) => ({
+      tokenHash: r["token_hash"],
+      subject: r["subject"],
+      tenant: r["tenant"],
+      role: r["role"],
+      createdAt: r["created_at"]
+    }));
+  }
+  /** Revoke every credential for a subject. Returns the number removed. */
+  revokeCredentialsBySubject(subject) {
+    return this.db.prepare("DELETE FROM auth_credentials WHERE subject = ?").run(subject).changes;
+  }
   getEvents(sessionId, since) {
     const rows = since ? this.db.prepare("SELECT * FROM activity_events WHERE session_id = ? AND timestamp > ? ORDER BY timestamp").all(sessionId, since) : this.db.prepare("SELECT * FROM activity_events WHERE session_id = ? ORDER BY timestamp").all(sessionId);
     return rows.map((r) => {
@@ -3217,6 +3286,9 @@ var CartographyDB = class {
   }
 };
+// src/auth/identity.ts
+import { createHash as createHash2 } from "crypto";
 // src/api/auth.ts
 var LOOPBACK_HOSTS = /* @__PURE__ */ new Set(["127.0.0.1", "localhost", "::1", "[::1]"]);
 function isLoopbackHost(host) {
@@ -3237,11 +3309,6 @@ function bearerToken(header) {
   const token = rest.trimStart();
   return token.length > 0 ? token : void 0;
 }
-function checkBearer(authorizationHeader, token) {
-  if (!token) return true;
-  const provided = bearerToken(authorizationHeader);
-  return provided !== void 0 && timingSafeEqual(provided, token);
-}
 function assertSafeBind(opts) {
   if (isLoopbackHost(opts.host)) return;
   if (opts.allowedHosts === void 0) {
@@ -3259,6 +3326,54 @@ function defaultAllowedHosts(host, port) {
   return [`${host}:${port}`, `localhost:${port}`, `127.0.0.1:${port}`];
 }
+// src/auth/identity.ts
+function hashToken(token) {
+  return createHash2("sha256").update(token, "utf8").digest("hex");
+}
+var SqliteCredentialStore = class {
+  constructor(db) {
+    this.db = db;
+  }
+  count() {
+    return this.db.countCredentials();
+  }
+  findByHash(tokenHash) {
+    return this.db.findCredentialByHash(tokenHash);
+  }
+};
+function resolvePrincipal(presentedToken, opts) {
+  const tenant = opts.defaultTenant ?? DEFAULT_TENANT;
+  if (opts.store && opts.store.count() > 0) {
+    if (!presentedToken) return void 0;
+    const rec = opts.store.findByHash(hashToken(presentedToken));
+    return rec ? { subject: rec.subject, tenant: rec.tenant, role: rec.role } : void 0;
+  }
+  if (opts.sharedToken) {
+    if (!presentedToken || !timingSafeEqual(presentedToken, opts.sharedToken)) return void 0;
+    return { subject: "shared-token", tenant, role: "admin" };
+  }
+  if (opts.required) return void 0;
+  return { subject: "anonymous", tenant, role: "admin" };
+}
+// src/auth/rbac.ts
+var ROLE_RANK = { viewer: 1, operator: 2, admin: 3 };
+var ACTION_MIN_ROLE = { read: "viewer", discovery: "operator", admin: "admin" };
+function can(role, action) {
+  return ROLE_RANK[role] >= ROLE_RANK[ACTION_MIN_ROLE[action]];
+}
+var AuthorizationError = class extends Error {
+  constructor(action, role) {
+    super(`forbidden: role '${role}' may not perform '${action}'`);
+    this.action = action;
+    this.role = role;
+    this.name = "AuthorizationError";
+  }
+};
+function authorize(principal, action) {
+  if (!can(principal.role, action)) throw new AuthorizationError(action, principal.role);
+}
 export {
   sanitizeUntrusted,
   cloudAwsScanner,
@@ -3280,8 +3395,13 @@ export {
   globalId,
   deriveSessionName,
   CartographyDB,
-  checkBearer,
+  bearerToken,
   assertSafeBind,
-  defaultAllowedHosts
+  defaultAllowedHosts,
+  hashToken,
+  SqliteCredentialStore,
+  resolvePrincipal,
+  AuthorizationError,
+  authorize
 };
-//# sourceMappingURL=chunk-X5JA2UDT.js.map
+//# sourceMappingURL=chunk-GA4427LB.js.map