@datasynx/agentic-ai-cartography 2.4.0 → 2.6.0

package/dist/{chunk-B4QWX7CP.js → chunk-X3UWUX3G.js}

@@ -1,9 +1,12 @@
 #!/usr/bin/env node
 import {
+  AuthorizationError,
   CartographyDB,
   RulesetSchema,
+  SqliteCredentialStore,
   assertSafeBind,
-  checkBearer,
+  authorize,
+  bearerToken,
   cloudAwsScanner,
   cloudAzureScanner,
   cloudGcpScanner,
@@ -17,10 +20,11 @@ import {
   keyMetaOf,
   normalizeTenant,
   redactValue,
+  resolvePrincipal,
   sanitizeUntrusted,
   stableStringify,
   stripSensitive
-} from "./chunk-X5JA2UDT.js";
+} from "./chunk-GA4427LB.js";
 import {
   EdgeSchema,
   NODE_TYPES,
@@ -1534,7 +1538,7 @@ async function executeNlQuery(db, sessionId, search, intent, opts = {}) {
 
 // src/mcp/server.ts
 var SERVER_NAME = "cartography";
-var SERVER_VERSION = "2.4.0";
+var SERVER_VERSION = "2.6.0";
 var SERVICE_TYPES = NODE_TYPE_GROUPS.web;
 var DATA_TYPES = NODE_TYPE_GROUPS.data;
 var lexicalSearch = async (db, sessionId, query, opts) => db.searchNodes(sessionId, query, { types: opts.types, limit: opts.limit }).map((node) => ({ node }));
@@ -1936,6 +1940,14 @@ function createMcpServer(opts = {}) {
         annotations: { readOnlyHint: false, destructiveHint: false, openWorldHint: true }
       },
       async (args) => {
+        if (opts.principal) {
+          try {
+            authorize(opts.principal, "discovery");
+          } catch (err) {
+            if (err instanceof AuthorizationError) return json({ error: `forbidden: role '${opts.principal.role}' may not run discovery (operator required)` });
+            throw err;
+          }
+        }
         let sid = resolveSession();
         if (args.update) {
           if (!sid) return json({ error: "No session to update; run discovery first." });
@@ -2035,6 +2047,9 @@ import { randomUUID } from "crypto";
 import http from "http";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+function samePrincipal(a, b) {
+  return a.subject === b.subject && a.tenant === b.tenant && a.role === b.role;
+}
 async function runStdio(server) {
   const transport = new StdioServerTransport();
   await server.connect(transport);
@@ -2079,6 +2094,14 @@ async function runHttp(factory, opts = {}) {
   assertSafeBind({ host, port, ...opts.allowedHosts ? { allowedHosts: opts.allowedHosts } : {}, ...opts.token ? { token: opts.token } : {} });
   const allowedHosts = opts.allowedHosts ?? defaultAllowedHosts(host, port);
   const token = opts.token;
+  const authStore = opts.auth?.store;
+  const defaultTenant = opts.defaultTenant;
+  const resolveAuth = (header) => resolvePrincipal(bearerToken(header), {
+    ...authStore ? { store: authStore } : {},
+    ...token ? { sharedToken: token } : {},
+    ...defaultTenant ? { defaultTenant } : {},
+    ...opts.auth?.required ? { required: true } : {}
+  });
   const transports = /* @__PURE__ */ new Map();
   const httpServer = http.createServer(async (req, res) => {
     try {
@@ -2088,7 +2111,8 @@ async function runHttp(factory, opts = {}) {
         res.writeHead(404, { "content-type": "application/json" }).end('{"error":"not found"}');
         return;
       }
-      if (!checkBearer(req.headers["authorization"], token)) {
+      const principal = resolveAuth(req.headers["authorization"]);
+      if (!principal) {
         res.writeHead(401, { "content-type": "application/json", "www-authenticate": "Bearer" }).end('{"error":"unauthorized"}');
         return;
       }
@@ -2115,8 +2139,12 @@ async function runHttp(factory, opts = {}) {
       const sessionId = req.headers["mcp-session-id"];
       const existing = sessionId ? transports.get(sessionId) : void 0;
       if (existing) {
+        if (!samePrincipal(existing.principal, principal)) {
+          res.writeHead(403, { "content-type": "application/json" }).end('{"error":"session belongs to a different principal"}');
+          return;
+        }
         const body2 = req.method === "POST" ? await readJsonBody(req) : void 0;
-        await existing.handleRequest(req, res, body2);
+        await existing.transport.handleRequest(req, res, body2);
         return;
       }
       if (req.method !== "POST") {
@@ -2130,13 +2158,13 @@ async function runHttp(factory, opts = {}) {
         allowedHosts,
         ...opts.allowedOrigins ? { allowedOrigins: opts.allowedOrigins } : {},
         onsessioninitialized: (id) => {
-          transports.set(id, transport);
+          transports.set(id, { transport, principal });
         }
       });
       transport.onclose = () => {
         if (transport.sessionId) transports.delete(transport.sessionId);
       };
-      await factory().connect(transport);
+      await factory(principal).connect(transport);
       await transport.handleRequest(req, res, body);
     } catch (err) {
       process.stderr.write(`[cartography-mcp] HTTP request failed: ${err instanceof Error ? err.message : String(err)}
@@ -2558,7 +2586,8 @@ function parseMcpArgs(argv) {
     else if (a === "--anon-mode") {
       const m = argv[++i];
       if (m === "reject" || m === "strip") opts.anonMode = m;
-    } else if (a === "--help" || a === "-h") opts.help = true;
+    } else if (a === "--auth-required") opts.authRequired = true;
+    else if (a === "--help" || a === "-h") opts.help = true;
   }
   return opts;
 }
@@ -2573,8 +2602,21 @@ async function startMcp(opts = {}) {
   const discovery = localDiscoveryFn(void 0, plugins);
   const tenant = normalizeTenant(opts.tenant);
   const serverMode = opts.serverMode === true;
-  const org = serverMode ? tenant : void 0;
-  const factory = () => createMcpServer({ db, session: opts.session ?? "latest", tenant, search, discovery, ...org !== void 0 ? { org } : {} });
+  const authStore = new SqliteCredentialStore(db);
+  const rbacActive = authStore.count() > 0;
+  const factory = (principal) => {
+    const scopeTenant = rbacActive && principal ? principal.tenant : tenant;
+    const orgArg = serverMode ? scopeTenant : void 0;
+    return createMcpServer({
+      db,
+      session: opts.session ?? "latest",
+      tenant: scopeTenant,
+      search,
+      discovery,
+      ...principal ? { principal } : {},
+      ...orgArg !== void 0 ? { org: orgArg } : {}
+    });
+  };
   const transport = serverMode ? "http" : opts.transport;
   if (transport === "http") {
     const port = opts.port ?? 3737;
@@ -2589,6 +2631,8 @@ async function startMcp(opts = {}) {
     await runHttp(factory, {
       port,
       host,
+      auth: { store: authStore, ...opts.authRequired ? { required: true } : {} },
+      defaultTenant: tenant,
       ...opts.allowedHosts ? { allowedHosts: opts.allowedHosts } : {},
       ...token ? { token } : {},
       ...onIngest ? { onIngest } : {}
@@ -2615,4 +2659,4 @@ export {
   parseMcpArgs,
   startMcp
 };
-//# sourceMappingURL=chunk-B4QWX7CP.js.map
+//# sourceMappingURL=chunk-X3UWUX3G.js.map