npm - @datasynx/agentic-ai-cartography - Versions diffs - 2.4.0 → 2.5.0 - Mend

@datasynx/agentic-ai-cartography 2.4.0 → 2.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/dist/api-bin.js +2 -2
package/dist/{chunk-X5JA2UDT.js → chunk-GA4427LB.js} +134 -14
package/dist/chunk-GA4427LB.js.map +1 -0
package/dist/{chunk-L4OSL7I6.js → chunk-NQXZUWOI.js} +41 -11
package/dist/chunk-NQXZUWOI.js.map +1 -0
package/dist/{chunk-B4QWX7CP.js → chunk-RYQ4KQCK.js} +55 -11
package/dist/chunk-RYQ4KQCK.js.map +1 -0
package/dist/cli.js +87 -8
package/dist/cli.js.map +1 -1
package/dist/index.cjs +262 -26
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +223 -3
package/dist/index.d.ts +223 -3
package/dist/index.js +244 -24
package/dist/index.js.map +1 -1
package/dist/mcp-bin.js +2 -2
package/package.json +1 -1
package/server.json +2 -2
package/dist/chunk-B4QWX7CP.js.map +0 -1
package/dist/chunk-L4OSL7I6.js.map +0 -1
package/dist/chunk-X5JA2UDT.js.map +0 -1

package/dist/cli.js CHANGED Viewed

@@ -11,21 +11,22 @@ import {
   runDrift,
   runLocalDiscovery,
   startMcp
-} from "./chunk-B4QWX7CP.js";
+} from "./chunk-RYQ4KQCK.js";
 import {
   startApi
-} from "./chunk-L4OSL7I6.js";
+} from "./chunk-NQXZUWOI.js";
 import {
   CartographyDB,
   buildCartographyToolHandlers,
   createCartographyTools,
   deriveSessionName,
   diffTopology,
+  hashToken,
   normalizeTenant,
   redactValue,
   stableStringify,
   stripSensitive
-} from "./chunk-X5JA2UDT.js";
+} from "./chunk-GA4427LB.js";
 import {
   ConfigFileSchema,
   CostEntrySchema,
@@ -52,6 +53,7 @@ import {
 } from "./chunk-2SZ5QHGH.js";
 // src/cli.ts
+import { randomBytes } from "crypto";
 import { Command } from "commander";
 // src/preflight.ts
@@ -114,6 +116,30 @@ function checkClaudePrerequisites() {
   }
 }
+// src/auth/types.ts
+import { z } from "zod";
+var ROLES = ["viewer", "operator", "admin"];
+var RoleSchema = z.enum(ROLES);
+var ACTIONS = ["read", "discovery", "admin"];
+var ActionSchema = z.enum(ACTIONS);
+var PrincipalSchema = z.object({
+  subject: z.string().min(1),
+  tenant: z.string().min(1),
+  role: RoleSchema
+});
+var CredentialConfigSchema = z.object({
+  token: z.string().min(1),
+  subject: z.string().min(1),
+  tenant: z.string().optional(),
+  role: RoleSchema.default("viewer")
+});
+var AuthConfigSchema = z.object({
+  /** Seed credentials (merged into the SQLite store on startup). */
+  credentials: z.array(CredentialConfigSchema).optional(),
+  /** Reject unauthenticated requests even on loopback (default: loopback dev stays open). */
+  required: z.boolean().optional()
+});
 // src/providers/types.ts
 var ProviderRegistry = class {
   factories = /* @__PURE__ */ new Map();
@@ -274,13 +300,13 @@ function createClaudeProvider() {
 }
 // src/providers/shell.ts
-import { z } from "zod";
+import { z as z2 } from "zod";
 function createBashTool() {
   const shell = IS_WIN ? "powershell" : "posix";
   return {
     name: "Bash",
     description: "Run a read-only shell command (inspect ports, processes, config). Mutating or destructive commands are blocked by the read-only allowlist.",
-    inputShape: { command: z.string().describe("The read-only shell command to run") },
+    inputShape: { command: z2.string().describe("The read-only shell command to run") },
     annotations: { readOnlyHint: true, openWorldHint: true },
     handler: async (args) => {
       const command = String(args["command"] ?? "").trim();
@@ -4961,7 +4987,7 @@ ${infraSummary.substring(0, 12e3)}`;
       db.close();
     }
   });
-  program.command("mcp").description("Run the Model Context Protocol server (stdio by default) \u2014 the primary interface for AI agents").option("--http", "Use Streamable HTTP transport instead of stdio", false).option("--port <n>", "HTTP port", "3737").option("--host <h>", "HTTP host", "127.0.0.1").option("--allowed-hosts <list>", "Comma-separated Host allowlist (required for non-loopback --host)").option("--token <secret>", "Bearer token required on HTTP requests (or CARTOGRAPHY_HTTP_TOKEN); mandatory for non-loopback --host").option("--db <path>", "DB path").option("--session <id>", 'Session to serve (id or "latest")', "latest").option("--tenant <id>", "Tenant/organization whose topology to serve (alias: --org; default: local)").option("--org <id>", "Alias for --tenant").option("--no-semantic", "Disable semantic (vector) search").option("--plugins <list>", "Comma-separated scanner plugin package names to load (opt-in; or CARTOGRAPHY_PLUGINS)").option("--server-mode", "Run as a central collector: enable the authenticated POST /ingest write route + org-wide summary (implies --http; opt-in)", false).option("--anon-mode <mode>", "On ingest, reject|strip un-anonymized identifying fragments (server-mode)", "reject").action(async (opts) => {
+  program.command("mcp").description("Run the Model Context Protocol server (stdio by default) \u2014 the primary interface for AI agents").option("--http", "Use Streamable HTTP transport instead of stdio", false).option("--port <n>", "HTTP port", "3737").option("--host <h>", "HTTP host", "127.0.0.1").option("--allowed-hosts <list>", "Comma-separated Host allowlist (required for non-loopback --host)").option("--token <secret>", "Bearer token required on HTTP requests (or CARTOGRAPHY_HTTP_TOKEN); mandatory for non-loopback --host").option("--db <path>", "DB path").option("--session <id>", 'Session to serve (id or "latest")', "latest").option("--tenant <id>", "Tenant/organization whose topology to serve (alias: --org; default: local)").option("--org <id>", "Alias for --tenant").option("--no-semantic", "Disable semantic (vector) search").option("--plugins <list>", "Comma-separated scanner plugin package names to load (opt-in; or CARTOGRAPHY_PLUGINS)").option("--server-mode", "Run as a central collector: enable the authenticated POST /ingest write route + org-wide summary (implies --http; opt-in)", false).option("--anon-mode <mode>", "On ingest, reject|strip un-anonymized identifying fragments (server-mode)", "reject").option("--auth-required", "Reject unauthenticated requests even on loopback (RBAC required mode)", false).action(async (opts) => {
     try {
       const anonMode = opts.anonMode;
       if (anonMode !== "reject" && anonMode !== "strip") {
@@ -4983,7 +5009,8 @@ error: --anon-mode must be 'reject' or 'strip' (got '${anonMode}')
         semantic: opts.semantic,
         plugins: opts.plugins ? String(opts.plugins).split(",").map((p) => p.trim()).filter(Boolean) : void 0,
         serverMode: opts.serverMode === true,
-        anonMode
+        anonMode,
+        authRequired: opts.authRequired === true
       });
     } catch (err) {
       process.stderr.write(`
@@ -4992,9 +5019,10 @@ error: ${err instanceof Error ? err.message : String(err)}
       process.exitCode = 1;
     }
   });
-  program.command("api").description("Run the read-only REST/GraphQL API server over the topology store (4.2)").option("--http", "Use HTTP transport (default; kept for symmetry with mcp)", true).option("--port <n>", "HTTP port", "3737").option("--host <h>", "HTTP host", "127.0.0.1").option("--allowed-hosts <list>", "Comma-separated Host allowlist (required for non-loopback --host)").option("--allowed-origins <list>", "Comma-separated CORS Origin allowlist (default: same-origin only)").option("--token <secret>", "Bearer token required on requests (or CARTOGRAPHY_HTTP_TOKEN); mandatory for non-loopback --host").option("--db <path>", "DB path").option("--session <id>", 'Session to serve (id or "latest")', "latest").option("--tenant <id>", "Default tenant whose topology to serve (alias: --org; default: local)").option("--org <id>", "Alias for --tenant").option("--no-graphql", "Disable the /graphql endpoint (REST only)").action(async (opts) => {
+  program.command("api").description("Run the read-only REST/GraphQL API server over the topology store (4.2)").option("--http", "Use HTTP transport (default; kept for symmetry with mcp)", true).option("--port <n>", "HTTP port", "3737").option("--host <h>", "HTTP host", "127.0.0.1").option("--allowed-hosts <list>", "Comma-separated Host allowlist (required for non-loopback --host)").option("--allowed-origins <list>", "Comma-separated CORS Origin allowlist (default: same-origin only)").option("--token <secret>", "Bearer token required on requests (or CARTOGRAPHY_HTTP_TOKEN); mandatory for non-loopback --host").option("--db <path>", "DB path").option("--session <id>", 'Session to serve (id or "latest")', "latest").option("--tenant <id>", "Default tenant whose topology to serve (alias: --org; default: local)").option("--org <id>", "Alias for --tenant").option("--no-graphql", "Disable the /graphql endpoint (REST only)").option("--auth-required", "Reject unauthenticated requests even on loopback (RBAC required mode)", false).action(async (opts) => {
     try {
       await startApi({
+        authRequired: opts.authRequired === true,
         port: parseInt(opts.port, 10),
         host: opts.host,
         allowedHosts: opts.allowedHosts ? String(opts.allowedHosts).split(",").map((h) => h.trim()).filter(Boolean) : void 0,
@@ -5012,6 +5040,57 @@ error: ${err instanceof Error ? err.message : String(err)}
       process.exitCode = 1;
     }
   });
+  const authCmd = program.command("auth").description("Manage RBAC credentials for the HTTP surfaces (MCP transport + API server, 4.5)");
+  authCmd.command("add <subject>").description("Create a credential and print its bearer token ONCE (only the hash is stored)").option("--role <role>", "viewer | operator | admin", "viewer").option("--tenant <id>", "Tenant the credential is scoped to (default: local)").option("--token <secret>", "Use this token instead of generating one").option("--db <path>", "DB path").action((subject, opts) => {
+    const role = RoleSchema.safeParse(opts.role);
+    if (!role.success) {
+      process.stderr.write(`
+error: --role must be one of viewer|operator|admin (got '${opts.role}')
+`);
+      process.exitCode = 1;
+      return;
+    }
+    const db = new CartographyDB(opts.db ?? defaultConfig().dbPath);
+    try {
+      const token = opts.token ?? randomBytes(24).toString("base64url");
+      const tenant = normalizeTenant(opts.tenant);
+      db.addCredential({ tokenHash: hashToken(token), subject, tenant, role: role.data });
+      process.stderr.write(`
+\u2713 credential added: subject=${subject} role=${role.data} tenant=${tenant}
+`);
+      process.stderr.write(`  Bearer token (shown once \u2014 store it now):
+`);
+      process.stdout.write(token + "\n");
+    } finally {
+      db.close();
+    }
+  });
+  authCmd.command("list").description("List credentials (subjects/roles/tenants \u2014 token hashes only, never the raw token)").option("--db <path>", "DB path").action((opts) => {
+    const db = new CartographyDB(opts.db ?? defaultConfig().dbPath);
+    try {
+      const creds = db.listCredentials();
+      if (creds.length === 0) {
+        process.stderr.write("No credentials configured (open/shared-token mode).\n");
+        return;
+      }
+      for (const c of creds) process.stdout.write(`${c.subject}	${c.role}	${c.tenant}	${c.createdAt}
+`);
+    } finally {
+      db.close();
+    }
+  });
+  authCmd.command("revoke <subject>").description("Revoke all credentials for a subject").option("--db <path>", "DB path").action((subject, opts) => {
+    const db = new CartographyDB(opts.db ?? defaultConfig().dbPath);
+    try {
+      const n = db.revokeCredentialsBySubject(subject);
+      process.stderr.write(n > 0 ? `\u2713 revoked ${n} credential(s) for ${subject}
+` : `no credentials found for ${subject}
+`);
+    } finally {
+      db.close();
+    }
+  });
   const o = (s) => process.stderr.write(s);
   o("\n");
   o(cyan("   ____        _        ____                    ") + "\n");