@datasynx/agentic-ai-cartography 2.4.0 → 2.6.0

package/dist/cli.js

@@ -11,21 +11,24 @@ import {
   runDrift,
   runLocalDiscovery,
   startMcp
-} from "./chunk-B4QWX7CP.js";
+} from "./chunk-X3UWUX3G.js";
 import {
-  startApi
-} from "./chunk-L4OSL7I6.js";
+  entitiesToYaml,
+  startApi,
+  toBackstageEntities
+} from "./chunk-PQ7Q6MI5.js";
 import {
   CartographyDB,
   buildCartographyToolHandlers,
   createCartographyTools,
   deriveSessionName,
   diffTopology,
+  hashToken,
   normalizeTenant,
   redactValue,
   stableStringify,
   stripSensitive
-} from "./chunk-X5JA2UDT.js";
+} from "./chunk-GA4427LB.js";
 import {
   ConfigFileSchema,
   CostEntrySchema,
@@ -52,6 +55,7 @@ import {
 } from "./chunk-2SZ5QHGH.js";
 
 // src/cli.ts
+import { randomBytes } from "crypto";
 import { Command } from "commander";
 
 // src/preflight.ts
@@ -114,6 +118,30 @@ function checkClaudePrerequisites() {
   }
 }
 
+// src/auth/types.ts
+import { z } from "zod";
+var ROLES = ["viewer", "operator", "admin"];
+var RoleSchema = z.enum(ROLES);
+var ACTIONS = ["read", "discovery", "admin"];
+var ActionSchema = z.enum(ACTIONS);
+var PrincipalSchema = z.object({
+  subject: z.string().min(1),
+  tenant: z.string().min(1),
+  role: RoleSchema
+});
+var CredentialConfigSchema = z.object({
+  token: z.string().min(1),
+  subject: z.string().min(1),
+  tenant: z.string().optional(),
+  role: RoleSchema.default("viewer")
+});
+var AuthConfigSchema = z.object({
+  /** Seed credentials (merged into the SQLite store on startup). */
+  credentials: z.array(CredentialConfigSchema).optional(),
+  /** Reject unauthenticated requests even on loopback (default: loopback dev stays open). */
+  required: z.boolean().optional()
+});
+
 // src/providers/types.ts
 var ProviderRegistry = class {
   factories = /* @__PURE__ */ new Map();
@@ -274,13 +302,13 @@ function createClaudeProvider() {
 }
 
 // src/providers/shell.ts
-import { z } from "zod";
+import { z as z2 } from "zod";
 function createBashTool() {
   const shell = IS_WIN ? "powershell" : "posix";
   return {
     name: "Bash",
     description: "Run a read-only shell command (inspect ports, processes, config). Mutating or destructive commands are blocked by the read-only allowlist.",
-    inputShape: { command: z.string().describe("The read-only shell command to run") },
+    inputShape: { command: z2.string().describe("The read-only shell command to run") },
     annotations: { readOnlyHint: true, openWorldHint: true },
     handler: async (args) => {
       const command = String(args["command"] ?? "").trim();
@@ -1351,30 +1379,7 @@ function generateDiffMermaid(diff) {
   return lines.join("\n");
 }
 function exportBackstageYAML(nodes, edges, org) {
-  const owner = org ?? "unknown";
-  const docs = [];
-  for (const node of nodes) {
-    const isComponent = ["web_service", "container", "pod"].includes(node.type);
-    const isAPI = node.type === "api_endpoint";
-    const kind = isComponent ? "Component" : isAPI ? "API" : "Resource";
-    const deps = edges.filter((e) => e.sourceId === node.id).map((e) => `    - resource:default/${sanitize(e.targetId)}`);
-    const doc = [
-      `apiVersion: backstage.io/v1alpha1`,
-      `kind: ${kind}`,
-      `metadata:`,
-      `  name: ${sanitize(node.id)}`,
-      `  annotations:`,
-      `    cartography/discovered-at: "${node.discoveredAt}"`,
-      `    cartography/confidence: "${node.confidence}"`,
-      `spec:`,
-      `  type: ${node.type}`,
-      `  lifecycle: production`,
-      `  owner: ${node.owner ?? owner}`,
-      ...deps.length > 0 ? ["  dependsOn:", ...deps] : []
-    ].join("\n");
-    docs.push(doc);
-  }
-  return docs.join("\n---\n");
+  return entitiesToYaml(toBackstageEntities(nodes, edges, org !== void 0 ? { org } : {}));
 }
 function exportJSON(db, sessionId) {
   const nodes = db.getNodes(sessionId);
@@ -4961,7 +4966,7 @@ ${infraSummary.substring(0, 12e3)}`;
       db.close();
     }
   });
-  program.command("mcp").description("Run the Model Context Protocol server (stdio by default) \u2014 the primary interface for AI agents").option("--http", "Use Streamable HTTP transport instead of stdio", false).option("--port <n>", "HTTP port", "3737").option("--host <h>", "HTTP host", "127.0.0.1").option("--allowed-hosts <list>", "Comma-separated Host allowlist (required for non-loopback --host)").option("--token <secret>", "Bearer token required on HTTP requests (or CARTOGRAPHY_HTTP_TOKEN); mandatory for non-loopback --host").option("--db <path>", "DB path").option("--session <id>", 'Session to serve (id or "latest")', "latest").option("--tenant <id>", "Tenant/organization whose topology to serve (alias: --org; default: local)").option("--org <id>", "Alias for --tenant").option("--no-semantic", "Disable semantic (vector) search").option("--plugins <list>", "Comma-separated scanner plugin package names to load (opt-in; or CARTOGRAPHY_PLUGINS)").option("--server-mode", "Run as a central collector: enable the authenticated POST /ingest write route + org-wide summary (implies --http; opt-in)", false).option("--anon-mode <mode>", "On ingest, reject|strip un-anonymized identifying fragments (server-mode)", "reject").action(async (opts) => {
+  program.command("mcp").description("Run the Model Context Protocol server (stdio by default) \u2014 the primary interface for AI agents").option("--http", "Use Streamable HTTP transport instead of stdio", false).option("--port <n>", "HTTP port", "3737").option("--host <h>", "HTTP host", "127.0.0.1").option("--allowed-hosts <list>", "Comma-separated Host allowlist (required for non-loopback --host)").option("--token <secret>", "Bearer token required on HTTP requests (or CARTOGRAPHY_HTTP_TOKEN); mandatory for non-loopback --host").option("--db <path>", "DB path").option("--session <id>", 'Session to serve (id or "latest")', "latest").option("--tenant <id>", "Tenant/organization whose topology to serve (alias: --org; default: local)").option("--org <id>", "Alias for --tenant").option("--no-semantic", "Disable semantic (vector) search").option("--plugins <list>", "Comma-separated scanner plugin package names to load (opt-in; or CARTOGRAPHY_PLUGINS)").option("--server-mode", "Run as a central collector: enable the authenticated POST /ingest write route + org-wide summary (implies --http; opt-in)", false).option("--anon-mode <mode>", "On ingest, reject|strip un-anonymized identifying fragments (server-mode)", "reject").option("--auth-required", "Reject unauthenticated requests even on loopback (RBAC required mode)", false).action(async (opts) => {
     try {
       const anonMode = opts.anonMode;
       if (anonMode !== "reject" && anonMode !== "strip") {
@@ -4983,7 +4988,8 @@ error: --anon-mode must be 'reject' or 'strip' (got '${anonMode}')
         semantic: opts.semantic,
         plugins: opts.plugins ? String(opts.plugins).split(",").map((p) => p.trim()).filter(Boolean) : void 0,
         serverMode: opts.serverMode === true,
-        anonMode
+        anonMode,
+        authRequired: opts.authRequired === true
       });
     } catch (err) {
       process.stderr.write(`
@@ -4992,9 +4998,10 @@ error: ${err instanceof Error ? err.message : String(err)}
       process.exitCode = 1;
     }
   });
-  program.command("api").description("Run the read-only REST/GraphQL API server over the topology store (4.2)").option("--http", "Use HTTP transport (default; kept for symmetry with mcp)", true).option("--port <n>", "HTTP port", "3737").option("--host <h>", "HTTP host", "127.0.0.1").option("--allowed-hosts <list>", "Comma-separated Host allowlist (required for non-loopback --host)").option("--allowed-origins <list>", "Comma-separated CORS Origin allowlist (default: same-origin only)").option("--token <secret>", "Bearer token required on requests (or CARTOGRAPHY_HTTP_TOKEN); mandatory for non-loopback --host").option("--db <path>", "DB path").option("--session <id>", 'Session to serve (id or "latest")', "latest").option("--tenant <id>", "Default tenant whose topology to serve (alias: --org; default: local)").option("--org <id>", "Alias for --tenant").option("--no-graphql", "Disable the /graphql endpoint (REST only)").action(async (opts) => {
+  program.command("api").description("Run the read-only REST/GraphQL API server over the topology store (4.2)").option("--http", "Use HTTP transport (default; kept for symmetry with mcp)", true).option("--port <n>", "HTTP port", "3737").option("--host <h>", "HTTP host", "127.0.0.1").option("--allowed-hosts <list>", "Comma-separated Host allowlist (required for non-loopback --host)").option("--allowed-origins <list>", "Comma-separated CORS Origin allowlist (default: same-origin only)").option("--token <secret>", "Bearer token required on requests (or CARTOGRAPHY_HTTP_TOKEN); mandatory for non-loopback --host").option("--db <path>", "DB path").option("--session <id>", 'Session to serve (id or "latest")', "latest").option("--tenant <id>", "Default tenant whose topology to serve (alias: --org; default: local)").option("--org <id>", "Alias for --tenant").option("--no-graphql", "Disable the /graphql endpoint (REST only)").option("--auth-required", "Reject unauthenticated requests even on loopback (RBAC required mode)", false).action(async (opts) => {
     try {
       await startApi({
+        authRequired: opts.authRequired === true,
         port: parseInt(opts.port, 10),
         host: opts.host,
         allowedHosts: opts.allowedHosts ? String(opts.allowedHosts).split(",").map((h) => h.trim()).filter(Boolean) : void 0,
@@ -5012,6 +5019,57 @@ error: ${err instanceof Error ? err.message : String(err)}
       process.exitCode = 1;
     }
   });
+  const authCmd = program.command("auth").description("Manage RBAC credentials for the HTTP surfaces (MCP transport + API server, 4.5)");
+  authCmd.command("add <subject>").description("Create a credential and print its bearer token ONCE (only the hash is stored)").option("--role <role>", "viewer | operator | admin", "viewer").option("--tenant <id>", "Tenant the credential is scoped to (default: local)").option("--token <secret>", "Use this token instead of generating one").option("--db <path>", "DB path").action((subject, opts) => {
+    const role = RoleSchema.safeParse(opts.role);
+    if (!role.success) {
+      process.stderr.write(`
+error: --role must be one of viewer|operator|admin (got '${opts.role}')
+`);
+      process.exitCode = 1;
+      return;
+    }
+    const db = new CartographyDB(opts.db ?? defaultConfig().dbPath);
+    try {
+      const token = opts.token ?? randomBytes(24).toString("base64url");
+      const tenant = normalizeTenant(opts.tenant);
+      db.addCredential({ tokenHash: hashToken(token), subject, tenant, role: role.data });
+      process.stderr.write(`
+\u2713 credential added: subject=${subject} role=${role.data} tenant=${tenant}
+`);
+      process.stderr.write(`  Bearer token (shown once \u2014 store it now):
+
+`);
+      process.stdout.write(token + "\n");
+    } finally {
+      db.close();
+    }
+  });
+  authCmd.command("list").description("List credentials (subjects/roles/tenants \u2014 token hashes only, never the raw token)").option("--db <path>", "DB path").action((opts) => {
+    const db = new CartographyDB(opts.db ?? defaultConfig().dbPath);
+    try {
+      const creds = db.listCredentials();
+      if (creds.length === 0) {
+        process.stderr.write("No credentials configured (open/shared-token mode).\n");
+        return;
+      }
+      for (const c of creds) process.stdout.write(`${c.subject}	${c.role}	${c.tenant}	${c.createdAt}
+`);
+    } finally {
+      db.close();
+    }
+  });
+  authCmd.command("revoke <subject>").description("Revoke all credentials for a subject").option("--db <path>", "DB path").action((subject, opts) => {
+    const db = new CartographyDB(opts.db ?? defaultConfig().dbPath);
+    try {
+      const n = db.revokeCredentialsBySubject(subject);
+      process.stderr.write(n > 0 ? `\u2713 revoked ${n} credential(s) for ${subject}
+` : `no credentials found for ${subject}
+`);
+    } finally {
+      db.close();
+    }
+  });
   const o = (s) => process.stderr.write(s);
   o("\n");
   o(cyan("   ____        _        ____                    ") + "\n");