@datasynx/agentic-ai-cartography 2.6.0 → 2.8.0

package/dist/index.d.cts

@@ -982,6 +982,12 @@ interface NodeAttribution {
 
 /** Default tenant for single-user / pre-migration installs. */
 declare const DEFAULT_TENANT = "local";
+/**
+ * The current catalog schema version. A fresh DB initializes here and the migration
+ * chain advances to it; the collector readiness probe (4.7) asserts a reopened DB
+ * reports exactly this. Keep in lockstep with the final `user_version` set in `migrate()`.
+ */
+declare const SCHEMA_VERSION = 15;
 /**
  * Normalize an untrusted tenant id: strip invisible/control characters, trim,
  * cap length, and enforce a conservative key charset. Falls back to DEFAULT_TENANT
@@ -1352,6 +1358,12 @@ declare class CartographyDB {
      * Prune sessions older than the given ISO date string. Returns count of deleted sessions.
      */
     pruneSessions(olderThan: string): number;
+    /**
+     * Retention/compaction (4.7): delete audit events older than `olderThan` (ISO 8601).
+     * The audit trail grows unbounded on a busy collector; this bounds it without touching
+     * sessions/nodes/edges. Returns the number of events removed.
+     */
+    pruneEventsOlderThan(olderThan: string): number;
     /** Fetch a single node by id within a session. */
     getNode(sessionId: string, nodeId: string): NodeRow | undefined;
     /** Batch-fetch nodes by id, keyed for O(1) lookup. Chunked to stay under SQLite's bind-variable limit. */
@@ -1457,9 +1469,18 @@ interface NodeIdentity {
     /** Secondary merge key — content hash that catches `id` drift between machines. */
     contentHash: string;
 }
+/**
+ * A value that may be produced synchronously (SQLite, `better-sqlite3`) or
+ * asynchronously (a graph DB over the async Bolt driver, 4.3). The ingest core
+ * `await`s every backend call, so a sync implementation incurs no overhead and the
+ * SQLite path stays byte-for-byte synchronous.
+ */
+type Awaitable<T> = T | Promise<T>;
 /**
  * A provider-agnostic central store. All operations are scoped to a single tenant
- * (`org`); there is no cross-tenant read or write path.
+ * (`org`); there is no cross-tenant read or write path. Methods are **async-capable**
+ * (4.3): `SqliteStoreBackend` returns synchronously, `GraphStoreBackend` returns
+ * Promises; consumers await either.
  */
 interface StoreBackend {
     /**
@@ -1468,15 +1489,15 @@ interface StoreBackend {
      * `'created'` when this is the first observation of the logical node, `'merged'`
      * when it collapsed onto an existing one.
      */
-    upsertNode(org: string, node: DiscoveryNode, identity: NodeIdentity, contributor: Contributor): 'created' | 'merged';
+    upsertNode(org: string, node: DiscoveryNode, identity: NodeIdentity, contributor: Contributor): Awaitable<'created' | 'merged'>;
     /** Insert an edge under `org` (idempotent on the logical `(source, target, relationship)` key). */
-    insertEdge(org: string, edge: DiscoveryEdge): void;
+    insertEdge(org: string, edge: DiscoveryEdge): Awaitable<void>;
     /** Org-wide aggregate summary (merged counts across all contributors). */
-    getSummary(org: string): OrgSummary;
+    getSummary(org: string): Awaitable<OrgSummary>;
     /** Contributors for a merged logical node (test/audit helper). */
-    getContributors(globalId: string): Contributor[];
+    getContributors(globalId: string): Awaitable<Contributor[]>;
     /** Release any underlying resources. */
-    close(): void;
+    close(): Awaitable<void>;
 }
 
 /**
@@ -1507,6 +1528,76 @@ declare class SqliteStoreBackend implements StoreBackend {
     close(): void;
 }
 
+/**
+ * `GraphStoreBackend` (4.3) — an opt-in central-store backend over a Bolt-speaking
+ * graph database (Neo4j / Memgraph). Implements the async-capable {@link StoreBackend}
+ * seam so the central collector's merge + org-summary path can scale to 10K+ nodes on a
+ * native graph engine, while SQLite stays the zero-config default.
+ *
+ * `neo4j-driver` is an OPTIONAL dependency, dynamically imported by `openStoreBackend`
+ * (`src/store/index.ts`); this module depends only on a minimal structural Bolt interface,
+ * so it compiles and the package degrades gracefully when the driver is absent. The driver
+ * is injected (constructor), which also lets tests drive it with a mock — no live DB in CI.
+ *
+ * Merge identity mirrors SQLite: a logical node is keyed by `(org, globalId)`; the
+ * `contentHash` is stored + indexed for the id-drift secondary collapse (best-effort here,
+ * tracked as a follow-up). Contributors are `(org, globalId, machineId)` with max-confidence.
+ */
+
+interface BoltRecord {
+    get(key: string): unknown;
+}
+interface BoltResult {
+    records: BoltRecord[];
+}
+interface BoltSession {
+    run(cypher: string, params?: Record<string, unknown>): Promise<BoltResult>;
+    close(): Promise<void>;
+}
+interface BoltDriver {
+    session(): BoltSession;
+    close(): Promise<void>;
+    verifyConnectivity?(): Promise<unknown>;
+}
+declare class GraphStoreBackend implements StoreBackend {
+    private readonly driver;
+    constructor(driver: BoltDriver);
+    private run;
+    upsertNode(org: string, node: DiscoveryNode, identity: NodeIdentity, contributor: Contributor): Promise<'created' | 'merged'>;
+    insertEdge(org: string, edge: DiscoveryEdge): Promise<void>;
+    getSummary(org: string): Promise<OrgSummary>;
+    getContributors(globalId: string): Promise<Contributor[]>;
+    close(): Promise<void>;
+}
+
+/**
+ * Central-store backend factory (4.3).
+ *
+ * `openStoreBackend` returns a {@link GraphStoreBackend} only when a graph backend is
+ * explicitly requested AND the optional `neo4j-driver` is installed AND the server is
+ * reachable; otherwise it logs a structured WARN and returns the always-available
+ * {@link SqliteStoreBackend}. A missing driver or an unreachable graph server therefore
+ * NEVER breaks the collector — it degrades to SQLite (the "optional deps degrade" locked
+ * constraint). SQLite stays the zero-config default.
+ */
+
+interface StoreBackendOptions {
+    /** `'graph'` opts into the graph DB; anything else (default) uses SQLite. */
+    backend?: 'sqlite' | 'graph';
+    /** Bolt URL, e.g. `bolt://graph.internal:7687` or `neo4j+s://…`. */
+    graphUrl?: string;
+    graphUser?: string;
+    graphPassword?: string;
+    /** Injected driver factory (tests). Defaults to dynamically importing `neo4j-driver`. */
+    driverFactory?: (url: string, user: string, password: string) => Promise<BoltDriver>;
+}
+/**
+ * Resolve the central store backend. Graph when requested + available; else SQLite.
+ * The returned backend is owned by the caller (call `close()` on shutdown for the graph
+ * backend; the SQLite backend's `close()` is a no-op — the `CartographyDB` is shared).
+ */
+declare function openStoreBackend(db: CartographyDB, opts?: StoreBackendOptions): Promise<StoreBackend>;
+
 /**
  * `QueryBackend` — the **read-only** query seam for the API server (4.2).
  *
@@ -1758,7 +1849,38 @@ interface IngestOptions {
  * The caller (HTTP handler) wraps this in try/catch; the store's per-node upsert is
  * itself transactional, so a single bad node never half-writes a row.
  */
-declare function ingestEnvelope(store: StoreBackend, envelope: IngestEnvelope, opts?: IngestOptions): IngestResult;
+declare function ingestEnvelope(store: StoreBackend, envelope: IngestEnvelope, opts?: IngestOptions): Promise<IngestResult>;
+
+/**
+ * Ingest backpressure for the central collector (4.7).
+ *
+ * A pure, in-memory **per-org token-bucket** rate limiter. The networked `POST /ingest`
+ * write endpoint must protect the shared store from a runaway or hostile client; over-quota
+ * requests are refused with `429 + Retry-After` rather than admitted. Deterministic given an
+ * injected clock, so it is unit-testable without real time. In-process only (a multi-replica
+ * deployment would front it with a shared limiter; documented in the runbook).
+ */
+interface QuotaConfig {
+    /** Bucket capacity = max burst, and the number of tokens refilled over one `refillMs` window. */
+    capacity: number;
+    /** Milliseconds over which a fully-drained bucket refills to `capacity`. */
+    refillMs: number;
+}
+/** Sensible default: 120 ingests / minute / org (burst 120). */
+declare const DEFAULT_INGEST_QUOTA: QuotaConfig;
+interface QuotaDecision {
+    allowed: boolean;
+    /** Seconds to wait before retrying — populated only when `!allowed` (≥1). */
+    retryAfterSec: number;
+}
+declare class RateLimiter {
+    private readonly cfg;
+    private readonly now;
+    private readonly buckets;
+    constructor(cfg?: QuotaConfig, now?: () => number);
+    /** Consume one token for `key`. Returns whether the request is allowed (+ Retry-After when not). */
+    take(key: string): QuotaDecision;
+}
 
 /**
  * The central-collector ingest HTTP surface (2.12).
@@ -1775,12 +1897,18 @@ declare function ingestEnvelope(store: StoreBackend, envelope: IngestEnvelope, o
  * handler ever runs, so the handler never sees (and never logs) the token.
  */
 
-/** A transport-agnostic HTTP-ish response: a status code and a JSON-serializable body. */
+/** A transport-agnostic HTTP-ish response: a status code, a JSON-serializable body, optional headers. */
 interface IngestResponse {
     status: number;
     body: unknown;
+    /** Extra response headers (e.g. `Retry-After` on a 429). */
+    headers?: Record<string, string>;
+}
+type IngestHandler = (body: unknown) => Promise<IngestResponse>;
+interface IngestHandlerOptions extends IngestOptions {
+    /** Per-org ingest rate limiter (4.7 backpressure). Over-quota → 429 + Retry-After. */
+    quota?: RateLimiter;
 }
-type IngestHandler = (body: unknown) => IngestResponse;
 /**
  * Build the `/ingest` handler over a {@link StoreBackend}. The handler validates the
  * 2.11 push envelope, runs ingest (re-validating anonymization first), and maps the
@@ -1789,7 +1917,7 @@ type IngestHandler = (body: unknown) => IngestResponse;
  *  - 500 — ingest threw (the store's per-node transaction rolls that node back).
  *  - 200 — {@link IngestResult}.
  */
-declare function createIngestHandler(store: StoreBackend, opts?: IngestOptions): IngestHandler;
+declare function createIngestHandler(store: StoreBackend, opts?: IngestHandlerOptions): IngestHandler;
 
 /**
  * Org-key lifecycle for the 2.10 anonymization layer.
@@ -2137,6 +2265,12 @@ interface CreateMcpServerOptions {
      * behaviour exactly. The org is normalized to a tenant.
      */
     org?: string;
+    /**
+     * Org-wide summary source (4.3). When set (server-mode with a graph backend), the
+     * org `get_summary` reads from here instead of `db.getOrgSummary` — so a graph-DB
+     * collector serves its own merged aggregate. Defaults to the SQLite central store.
+     */
+    orgSummary?: (org: string) => OrgSummary | Promise<OrgSummary>;
     /**
      * The authenticated principal (4.5 RBAC). When set, mutating tools (`run_discovery`)
      * are gated by role: a `viewer` is refused with a forbidden error. Read tools are
@@ -2180,9 +2314,14 @@ interface HttpOptions {
      * caps the body, parses JSON, and returns the hook's `{ status, body }`. When unset,
      * `/ingest` 404s exactly like any other path — the collector stays dark by default.
      */
-    onIngest?: (body: unknown) => {
+    onIngest?: (body: unknown) => Promise<{
         status: number;
         body: unknown;
+        headers?: Record<string, string>;
+    }> | {
+        status: number;
+        body: unknown;
+        headers?: Record<string, string>;
     };
     /**
      * RBAC (4.5). When `store` holds credentials, the transport runs in RBAC mode: a
@@ -2197,6 +2336,14 @@ interface HttpOptions {
     };
     /** Tenant assigned to implicit (shared/loopback) admin principals. */
     defaultTenant?: string;
+    /**
+     * Readiness probe (4.7). When set, `GET /readyz` calls it: 200 when `ready`, else 503.
+     * `GET /healthz` (liveness) is always 200. Both are PUBLIC (no auth) for k8s/LB probes.
+     */
+    readiness?: () => {
+        ready: boolean;
+        detail?: Record<string, unknown>;
+    };
 }
 /**
  * Start a Streamable HTTP server. A fresh MCP server instance is created per
@@ -4128,4 +4275,4 @@ declare function logInfo(message: string, context?: Record<string, unknown>): vo
 declare function logWarn(message: string, context?: Record<string, unknown>): void;
 declare function logError(message: string, context?: Record<string, unknown>): void;
 
-export { ACTIONS, ANOMALY_KINDS, ANOMALY_SEVERITIES, type Action, ActionSchema, type AgentProvider, type AgentRunContext, type AgentTool, type Anomaly, type AnomalyConfig, type AnomalyKind, type AnomalySeverity, type AnomalyThresholds, type AnonViolation, type AnonymizationLevel, type ApiServerOptions, type AskUserFn, type AuthConfig, AuthConfigSchema, AuthorizationError, type BackstageEntity, type BackstageMapOptions, type BindGuardOptions, CLIENTS, CONFIDENCE, COST_PERIODS, type CartographyConfig, CartographyDB, type CartographyMapData, type CentralDbConfig, CentralDbConfigSchema, type ClassifiedItem, type ClassifyInput, type ClassifyResult, type ClientSpec, type Cluster, ClusterSchema, type ComplianceInput, type ComplianceReport, ComplianceReportSchema, type ComplianceRule, ComplianceRuleSchema, type Condition, ConditionSchema, ConfigError, type ConfigFile, ConfigFileSchema, type ConfigFormat, type Connection, ConnectionSchema, type Contributor, type ControlResult, ControlResultSchema, type CostEntry, CostEntrySchema, type CostPeriod, type CostRecord, type CostSource, type CreateMcpServerOptions, type CredentialConfig, CredentialConfigSchema, type CredentialDb, type CredentialRecord, type CredentialStore, type CronFields, CsvCostSource, type CsvCostSourceOptions, DEFAULT_ANOMALY_THRESHOLDS, DEFAULT_FAST_MODEL, DEFAULT_LEAD_MODEL, DEFAULT_SERVER_NAME, DEFAULT_TENANT, DOMAIN_COLORS, DOMAIN_PALETTE, DRIFT_FIELDS, type DataAsset, DataAssetSchema, type DependencyQuery, type DiscoveryEdge, type DiscoveryEvent, type DiscoveryFn, type DiscoveryNode, type DriftAlert, type DriftAlertItem, type DriftConfig, DriftConfigSchema, type DriftField, type DriftItemKind, type DriftRunRow, type DriftSink, type DriftSinkConfig, EDGE_RELATIONSHIPS, type EdgeRelationship, type EdgeRow, EdgeSchema, type EmbeddingProvider, type EnrichResult, type EntryOptions, type EstablishedConn, type EvidenceKind, type FetchLike, type FragmentKind, type GraphSummary, type HealthResult, type HttpOptions, INGEST_SCHEMA_VERSION, type IngestEnvelope, IngestEnvelopeSchema, type IngestHandler, type IngestOptions, type IngestResponse, type IngestResult, type InstallPlan, InvalidTenantError, type JiraIssue, type JiraOptions, JiraSink, type JiraSinkOptions, LOOPBACK_HOSTS, type LocalDiscoveryOptions, type LocalDiscoveryResult, type LogEntry, type LogLevel, MCP_BIN, type MatchStrategy, NODE_TYPES, NODE_TYPE_GROUPS, type NlIntent, type NlQueryOptions, type NlQueryResult, type NlRelation, type NodeAttribution, type NodeChange, type NodeIdentity, type NodeQuery, type NodeRow, NodeSchema, type NodeType, type NodesResult, NotFoundError, OUTPUT_FORMATS, type OrgKeyOptions, type OrgSummary, type OsKind, type OutputFormat, PACKAGE_NAME, PAGERDUTY_ENQUEUE_URL, PENDING_STATUSES, PERSONAL, PORT_MAP, PRIVATE_IP, PUSH_SCHEMA_VERSION, type PagerDutyEvent, PagerDutySink, type PagerDutySinkOptions, type ParsedApiArgs, type PendingShareRow, type PendingStatus, type PlanOptions, type PolicyResult, type PostJsonOptions, type Principal, PrincipalSchema, type ProviderFactory, type ProviderName, ProviderRegistry, type PushItem, type PushOptions, type PushResult, type QueryBackend, RELATION_TO_DIRECTION, ROLES, type ResolveContext, type ResolveOptions, type Role, RoleSchema, type RuleCheck, RuleCheckSchema, type RuleScope, type Ruleset, RulesetSchema, type RunDriftOptions, SCAN_ARG_PATTERNS, SDL, SECURITY_METADATA_KEYS, SEVERITIES, SEVERITY_WEIGHT, SHARING_LEVELS, type ScanArgKind, type ScanContext, type ScanHintParams, type ScanResult, type Scanner, type ScannerPlugin, type ScannerPluginApi, ScannerRegistry, ScannerShape, type ScheduleConfig, ScheduleConfigSchema, type ScheduledRunResult, type Scope, type SearchFn, type SemanticSearchOptions, type ServerEntry, type SessionRow, type Severity, type SharePreview, type SharePreviewEntry, type SharingLevel, SharingLevelSchema, type SharingPolicy, type ShellKind, type SlackMessage, SlackSink, SqliteCredentialStore, SqliteQueryBackend, SqliteStoreBackend, type StartApiOptions, StdoutSink, type StoreBackend, type SyncClassifyOptions, type SyncClassifyResult, TENANT_HEADER, type TenantContext, TenantMismatchError, type TenantOptions, type ToolResult, type TopologyDelta, type TopologyDiff, type TopologyInput, type TraversalResult, VectorStore, WebhookSink, type WebhookSinkOptions, applyInstall, applySharingLevel, assertReadOnly, assertSafeBind, assertSafeScanArg, assertSameTenant, assignColors, authorize, bearerToken, bookmarksScanner, buildCartographyToolHandlers, buildMapData, buildOpenApiDocument, buildReport, buildSinks, can, centralDbFromEnv, checkBearer, checkPrerequisites, checkReadOnly, clampText, classify, classifyDrift, cleanupTempFiles, cloudAwsScanner, cloudAzureScanner, cloudGcpScanner, codeAddMcpCommand, computeCentroid, computeClusterBounds, computeIdentity, connectionsScanner, contentHash, createBashTool, createCartographyTools, createClaudeProvider, createDefaultRegistry, createHashEmbedder, createIngestHandler, createLocalEmbedder, createMcpServer, createOllamaProvider, createOpenAIProvider, createScanRunner, createSemanticSearch, createSqliteQueryBackend, currentOs, cursorDeeplink, databasesScanner, deepMerge, defaultAllowedHosts, defaultConfig, defaultContext, defaultProviderRegistry, defaultRegistry, defaultServerEntry, definePlugin, deriveSessionName, detectAnomalies, detectOrphans, detectShadowIt, diffTopology, edgesToConnections, enrichCosts, entitiesToYaml, evaluateCheck, evaluateRule, evidenceLine, executeGraphql, executeNlQuery, exportAll, exportBackstageYAML, exportComplianceReport, exportCostCSV, exportCostSummary, exportDiscoveryApp, exportJGF, exportJSON, extractListeningPorts, filterBySeverity, findAnonViolations, formatComplianceText, formatJira, formatPagerDuty, formatSlack, generateDependencyMermaid, generateDiffMermaid, generateTopologyMermaid, getClient, getRuleset, globalId, groupByDomain, handleGraphqlGet, hashToken, hexCorners, hexDistance, hexNeighbors, hexRing, hexSpiral, hexToPixel, hmacKey, hostname, ingestEnvelope, installedAppsScanner, isLoopbackHost, isPersonalHost, isReadOnlyCommand, isRemembered, isSecureWebhookUrl, k8sScanner, keyMetaOf, layoutClusters, listClients, listRulesets, loadConfig, loadOrgKey, loadPlugins, loadRuleset, localDiscoveryFn, log, logDebug, logError, logInfo, logWarn, machineId, maxSeverity, mcpServerObject, newAnomalies, nextRun, nodesToAssets, normalizeId, normalizeTenant, orgKeyPath, osUser, parseApiArgs, parseComposeDeps, parseConfig, parseConnectionString, parseCostCsv, parseCron, parseEstablished, parseNginxUpstreams, parseNlQuery, parseScanHint, pixelToHex, planInstall, portsScanner, postJson, previewShare, pseudonymize, pseudonymizeFragment, pseudonymizeString, pushDeltas, readConfigFile, redactConnectionString, redactSecrets, redactValue, renderDiff, resolveEffectiveLevel, resolveNlQuery, resolvePrincipal, resolveSharingLevel, resolveTenant, revalidateAnonymized, reversalKey, reversePseudonym, rotateOrgKey, runApi, runDiscovery, runDrift, runHttp, runLocalDiscovery, runOnce, runStdio, runSyncClassify, safeEnv, safeJson, safetyHook, sanitizeUntrusted, sanitizeValue, scopeReads, scoreTopology, securityRelevantChange, serializeConfig, serviceConfigScanner, setVerbose, shadeVariant, shapeToJsonSchema, shareHash, splitSegments, stableStringify, startApi, stripSensitive, timingSafeEqual, toBackstageEntities, validateScanner, vscodeDeeplink, zodToJsonSchema };
+export { ACTIONS, ANOMALY_KINDS, ANOMALY_SEVERITIES, type Action, ActionSchema, type AgentProvider, type AgentRunContext, type AgentTool, type Anomaly, type AnomalyConfig, type AnomalyKind, type AnomalySeverity, type AnomalyThresholds, type AnonViolation, type AnonymizationLevel, type ApiServerOptions, type AskUserFn, type AuthConfig, AuthConfigSchema, AuthorizationError, type Awaitable, type BackstageEntity, type BackstageMapOptions, type BindGuardOptions, type BoltDriver, type BoltRecord, type BoltResult, type BoltSession, CLIENTS, CONFIDENCE, COST_PERIODS, type CartographyConfig, CartographyDB, type CartographyMapData, type CentralDbConfig, CentralDbConfigSchema, type ClassifiedItem, type ClassifyInput, type ClassifyResult, type ClientSpec, type Cluster, ClusterSchema, type ComplianceInput, type ComplianceReport, ComplianceReportSchema, type ComplianceRule, ComplianceRuleSchema, type Condition, ConditionSchema, ConfigError, type ConfigFile, ConfigFileSchema, type ConfigFormat, type Connection, ConnectionSchema, type Contributor, type ControlResult, ControlResultSchema, type CostEntry, CostEntrySchema, type CostPeriod, type CostRecord, type CostSource, type CreateMcpServerOptions, type CredentialConfig, CredentialConfigSchema, type CredentialDb, type CredentialRecord, type CredentialStore, type CronFields, CsvCostSource, type CsvCostSourceOptions, DEFAULT_ANOMALY_THRESHOLDS, DEFAULT_FAST_MODEL, DEFAULT_INGEST_QUOTA, DEFAULT_LEAD_MODEL, DEFAULT_SERVER_NAME, DEFAULT_TENANT, DOMAIN_COLORS, DOMAIN_PALETTE, DRIFT_FIELDS, type DataAsset, DataAssetSchema, type DependencyQuery, type DiscoveryEdge, type DiscoveryEvent, type DiscoveryFn, type DiscoveryNode, type DriftAlert, type DriftAlertItem, type DriftConfig, DriftConfigSchema, type DriftField, type DriftItemKind, type DriftRunRow, type DriftSink, type DriftSinkConfig, EDGE_RELATIONSHIPS, type EdgeRelationship, type EdgeRow, EdgeSchema, type EmbeddingProvider, type EnrichResult, type EntryOptions, type EstablishedConn, type EvidenceKind, type FetchLike, type FragmentKind, GraphStoreBackend, type GraphSummary, type HealthResult, type HttpOptions, INGEST_SCHEMA_VERSION, type IngestEnvelope, IngestEnvelopeSchema, type IngestHandler, type IngestHandlerOptions, type IngestOptions, type IngestResponse, type IngestResult, type InstallPlan, InvalidTenantError, type JiraIssue, type JiraOptions, JiraSink, type JiraSinkOptions, LOOPBACK_HOSTS, type LocalDiscoveryOptions, type LocalDiscoveryResult, type LogEntry, type LogLevel, MCP_BIN, type MatchStrategy, NODE_TYPES, NODE_TYPE_GROUPS, type NlIntent, type NlQueryOptions, type NlQueryResult, type NlRelation, type NodeAttribution, type NodeChange, type NodeIdentity, type NodeQuery, type NodeRow, NodeSchema, type NodeType, type NodesResult, NotFoundError, OUTPUT_FORMATS, type OrgKeyOptions, type OrgSummary, type OsKind, type OutputFormat, PACKAGE_NAME, PAGERDUTY_ENQUEUE_URL, PENDING_STATUSES, PERSONAL, PORT_MAP, PRIVATE_IP, PUSH_SCHEMA_VERSION, type PagerDutyEvent, PagerDutySink, type PagerDutySinkOptions, type ParsedApiArgs, type PendingShareRow, type PendingStatus, type PlanOptions, type PolicyResult, type PostJsonOptions, type Principal, PrincipalSchema, type ProviderFactory, type ProviderName, ProviderRegistry, type PushItem, type PushOptions, type PushResult, type QueryBackend, type QuotaConfig, type QuotaDecision, RELATION_TO_DIRECTION, ROLES, RateLimiter, type ResolveContext, type ResolveOptions, type Role, RoleSchema, type RuleCheck, RuleCheckSchema, type RuleScope, type Ruleset, RulesetSchema, type RunDriftOptions, SCAN_ARG_PATTERNS, SCHEMA_VERSION, SDL, SECURITY_METADATA_KEYS, SEVERITIES, SEVERITY_WEIGHT, SHARING_LEVELS, type ScanArgKind, type ScanContext, type ScanHintParams, type ScanResult, type Scanner, type ScannerPlugin, type ScannerPluginApi, ScannerRegistry, ScannerShape, type ScheduleConfig, ScheduleConfigSchema, type ScheduledRunResult, type Scope, type SearchFn, type SemanticSearchOptions, type ServerEntry, type SessionRow, type Severity, type SharePreview, type SharePreviewEntry, type SharingLevel, SharingLevelSchema, type SharingPolicy, type ShellKind, type SlackMessage, SlackSink, SqliteCredentialStore, SqliteQueryBackend, SqliteStoreBackend, type StartApiOptions, StdoutSink, type StoreBackend, type StoreBackendOptions, type SyncClassifyOptions, type SyncClassifyResult, TENANT_HEADER, type TenantContext, TenantMismatchError, type TenantOptions, type ToolResult, type TopologyDelta, type TopologyDiff, type TopologyInput, type TraversalResult, VectorStore, WebhookSink, type WebhookSinkOptions, applyInstall, applySharingLevel, assertReadOnly, assertSafeBind, assertSafeScanArg, assertSameTenant, assignColors, authorize, bearerToken, bookmarksScanner, buildCartographyToolHandlers, buildMapData, buildOpenApiDocument, buildReport, buildSinks, can, centralDbFromEnv, checkBearer, checkPrerequisites, checkReadOnly, clampText, classify, classifyDrift, cleanupTempFiles, cloudAwsScanner, cloudAzureScanner, cloudGcpScanner, codeAddMcpCommand, computeCentroid, computeClusterBounds, computeIdentity, connectionsScanner, contentHash, createBashTool, createCartographyTools, createClaudeProvider, createDefaultRegistry, createHashEmbedder, createIngestHandler, createLocalEmbedder, createMcpServer, createOllamaProvider, createOpenAIProvider, createScanRunner, createSemanticSearch, createSqliteQueryBackend, currentOs, cursorDeeplink, databasesScanner, deepMerge, defaultAllowedHosts, defaultConfig, defaultContext, defaultProviderRegistry, defaultRegistry, defaultServerEntry, definePlugin, deriveSessionName, detectAnomalies, detectOrphans, detectShadowIt, diffTopology, edgesToConnections, enrichCosts, entitiesToYaml, evaluateCheck, evaluateRule, evidenceLine, executeGraphql, executeNlQuery, exportAll, exportBackstageYAML, exportComplianceReport, exportCostCSV, exportCostSummary, exportDiscoveryApp, exportJGF, exportJSON, extractListeningPorts, filterBySeverity, findAnonViolations, formatComplianceText, formatJira, formatPagerDuty, formatSlack, generateDependencyMermaid, generateDiffMermaid, generateTopologyMermaid, getClient, getRuleset, globalId, groupByDomain, handleGraphqlGet, hashToken, hexCorners, hexDistance, hexNeighbors, hexRing, hexSpiral, hexToPixel, hmacKey, hostname, ingestEnvelope, installedAppsScanner, isLoopbackHost, isPersonalHost, isReadOnlyCommand, isRemembered, isSecureWebhookUrl, k8sScanner, keyMetaOf, layoutClusters, listClients, listRulesets, loadConfig, loadOrgKey, loadPlugins, loadRuleset, localDiscoveryFn, log, logDebug, logError, logInfo, logWarn, machineId, maxSeverity, mcpServerObject, newAnomalies, nextRun, nodesToAssets, normalizeId, normalizeTenant, openStoreBackend, orgKeyPath, osUser, parseApiArgs, parseComposeDeps, parseConfig, parseConnectionString, parseCostCsv, parseCron, parseEstablished, parseNginxUpstreams, parseNlQuery, parseScanHint, pixelToHex, planInstall, portsScanner, postJson, previewShare, pseudonymize, pseudonymizeFragment, pseudonymizeString, pushDeltas, readConfigFile, redactConnectionString, redactSecrets, redactValue, renderDiff, resolveEffectiveLevel, resolveNlQuery, resolvePrincipal, resolveSharingLevel, resolveTenant, revalidateAnonymized, reversalKey, reversePseudonym, rotateOrgKey, runApi, runDiscovery, runDrift, runHttp, runLocalDiscovery, runOnce, runStdio, runSyncClassify, safeEnv, safeJson, safetyHook, sanitizeUntrusted, sanitizeValue, scopeReads, scoreTopology, securityRelevantChange, serializeConfig, serviceConfigScanner, setVerbose, shadeVariant, shapeToJsonSchema, shareHash, splitSegments, stableStringify, startApi, stripSensitive, timingSafeEqual, toBackstageEntities, validateScanner, vscodeDeeplink, zodToJsonSchema };

package/dist/index.d.ts

@@ -982,6 +982,12 @@ interface NodeAttribution {
 
 /** Default tenant for single-user / pre-migration installs. */
 declare const DEFAULT_TENANT = "local";
+/**
+ * The current catalog schema version. A fresh DB initializes here and the migration
+ * chain advances to it; the collector readiness probe (4.7) asserts a reopened DB
+ * reports exactly this. Keep in lockstep with the final `user_version` set in `migrate()`.
+ */
+declare const SCHEMA_VERSION = 15;
 /**
  * Normalize an untrusted tenant id: strip invisible/control characters, trim,
  * cap length, and enforce a conservative key charset. Falls back to DEFAULT_TENANT
@@ -1352,6 +1358,12 @@ declare class CartographyDB {
      * Prune sessions older than the given ISO date string. Returns count of deleted sessions.
      */
     pruneSessions(olderThan: string): number;
+    /**
+     * Retention/compaction (4.7): delete audit events older than `olderThan` (ISO 8601).
+     * The audit trail grows unbounded on a busy collector; this bounds it without touching
+     * sessions/nodes/edges. Returns the number of events removed.
+     */
+    pruneEventsOlderThan(olderThan: string): number;
     /** Fetch a single node by id within a session. */
     getNode(sessionId: string, nodeId: string): NodeRow | undefined;
     /** Batch-fetch nodes by id, keyed for O(1) lookup. Chunked to stay under SQLite's bind-variable limit. */
@@ -1457,9 +1469,18 @@ interface NodeIdentity {
     /** Secondary merge key — content hash that catches `id` drift between machines. */
     contentHash: string;
 }
+/**
+ * A value that may be produced synchronously (SQLite, `better-sqlite3`) or
+ * asynchronously (a graph DB over the async Bolt driver, 4.3). The ingest core
+ * `await`s every backend call, so a sync implementation incurs no overhead and the
+ * SQLite path stays byte-for-byte synchronous.
+ */
+type Awaitable<T> = T | Promise<T>;
 /**
  * A provider-agnostic central store. All operations are scoped to a single tenant
- * (`org`); there is no cross-tenant read or write path.
+ * (`org`); there is no cross-tenant read or write path. Methods are **async-capable**
+ * (4.3): `SqliteStoreBackend` returns synchronously, `GraphStoreBackend` returns
+ * Promises; consumers await either.
  */
 interface StoreBackend {
     /**
@@ -1468,15 +1489,15 @@ interface StoreBackend {
      * `'created'` when this is the first observation of the logical node, `'merged'`
      * when it collapsed onto an existing one.
      */
-    upsertNode(org: string, node: DiscoveryNode, identity: NodeIdentity, contributor: Contributor): 'created' | 'merged';
+    upsertNode(org: string, node: DiscoveryNode, identity: NodeIdentity, contributor: Contributor): Awaitable<'created' | 'merged'>;
     /** Insert an edge under `org` (idempotent on the logical `(source, target, relationship)` key). */
-    insertEdge(org: string, edge: DiscoveryEdge): void;
+    insertEdge(org: string, edge: DiscoveryEdge): Awaitable<void>;
     /** Org-wide aggregate summary (merged counts across all contributors). */
-    getSummary(org: string): OrgSummary;
+    getSummary(org: string): Awaitable<OrgSummary>;
     /** Contributors for a merged logical node (test/audit helper). */
-    getContributors(globalId: string): Contributor[];
+    getContributors(globalId: string): Awaitable<Contributor[]>;
     /** Release any underlying resources. */
-    close(): void;
+    close(): Awaitable<void>;
 }
 
 /**
@@ -1507,6 +1528,76 @@ declare class SqliteStoreBackend implements StoreBackend {
     close(): void;
 }
 
+/**
+ * `GraphStoreBackend` (4.3) — an opt-in central-store backend over a Bolt-speaking
+ * graph database (Neo4j / Memgraph). Implements the async-capable {@link StoreBackend}
+ * seam so the central collector's merge + org-summary path can scale to 10K+ nodes on a
+ * native graph engine, while SQLite stays the zero-config default.
+ *
+ * `neo4j-driver` is an OPTIONAL dependency, dynamically imported by `openStoreBackend`
+ * (`src/store/index.ts`); this module depends only on a minimal structural Bolt interface,
+ * so it compiles and the package degrades gracefully when the driver is absent. The driver
+ * is injected (constructor), which also lets tests drive it with a mock — no live DB in CI.
+ *
+ * Merge identity mirrors SQLite: a logical node is keyed by `(org, globalId)`; the
+ * `contentHash` is stored + indexed for the id-drift secondary collapse (best-effort here,
+ * tracked as a follow-up). Contributors are `(org, globalId, machineId)` with max-confidence.
+ */
+
+interface BoltRecord {
+    get(key: string): unknown;
+}
+interface BoltResult {
+    records: BoltRecord[];
+}
+interface BoltSession {
+    run(cypher: string, params?: Record<string, unknown>): Promise<BoltResult>;
+    close(): Promise<void>;
+}
+interface BoltDriver {
+    session(): BoltSession;
+    close(): Promise<void>;
+    verifyConnectivity?(): Promise<unknown>;
+}
+declare class GraphStoreBackend implements StoreBackend {
+    private readonly driver;
+    constructor(driver: BoltDriver);
+    private run;
+    upsertNode(org: string, node: DiscoveryNode, identity: NodeIdentity, contributor: Contributor): Promise<'created' | 'merged'>;
+    insertEdge(org: string, edge: DiscoveryEdge): Promise<void>;
+    getSummary(org: string): Promise<OrgSummary>;
+    getContributors(globalId: string): Promise<Contributor[]>;
+    close(): Promise<void>;
+}
+
+/**
+ * Central-store backend factory (4.3).
+ *
+ * `openStoreBackend` returns a {@link GraphStoreBackend} only when a graph backend is
+ * explicitly requested AND the optional `neo4j-driver` is installed AND the server is
+ * reachable; otherwise it logs a structured WARN and returns the always-available
+ * {@link SqliteStoreBackend}. A missing driver or an unreachable graph server therefore
+ * NEVER breaks the collector — it degrades to SQLite (the "optional deps degrade" locked
+ * constraint). SQLite stays the zero-config default.
+ */
+
+interface StoreBackendOptions {
+    /** `'graph'` opts into the graph DB; anything else (default) uses SQLite. */
+    backend?: 'sqlite' | 'graph';
+    /** Bolt URL, e.g. `bolt://graph.internal:7687` or `neo4j+s://…`. */
+    graphUrl?: string;
+    graphUser?: string;
+    graphPassword?: string;
+    /** Injected driver factory (tests). Defaults to dynamically importing `neo4j-driver`. */
+    driverFactory?: (url: string, user: string, password: string) => Promise<BoltDriver>;
+}
+/**
+ * Resolve the central store backend. Graph when requested + available; else SQLite.
+ * The returned backend is owned by the caller (call `close()` on shutdown for the graph
+ * backend; the SQLite backend's `close()` is a no-op — the `CartographyDB` is shared).
+ */
+declare function openStoreBackend(db: CartographyDB, opts?: StoreBackendOptions): Promise<StoreBackend>;
+
 /**
  * `QueryBackend` — the **read-only** query seam for the API server (4.2).
  *
@@ -1758,7 +1849,38 @@ interface IngestOptions {
  * The caller (HTTP handler) wraps this in try/catch; the store's per-node upsert is
  * itself transactional, so a single bad node never half-writes a row.
  */
-declare function ingestEnvelope(store: StoreBackend, envelope: IngestEnvelope, opts?: IngestOptions): IngestResult;
+declare function ingestEnvelope(store: StoreBackend, envelope: IngestEnvelope, opts?: IngestOptions): Promise<IngestResult>;
+
+/**
+ * Ingest backpressure for the central collector (4.7).
+ *
+ * A pure, in-memory **per-org token-bucket** rate limiter. The networked `POST /ingest`
+ * write endpoint must protect the shared store from a runaway or hostile client; over-quota
+ * requests are refused with `429 + Retry-After` rather than admitted. Deterministic given an
+ * injected clock, so it is unit-testable without real time. In-process only (a multi-replica
+ * deployment would front it with a shared limiter; documented in the runbook).
+ */
+interface QuotaConfig {
+    /** Bucket capacity = max burst, and the number of tokens refilled over one `refillMs` window. */
+    capacity: number;
+    /** Milliseconds over which a fully-drained bucket refills to `capacity`. */
+    refillMs: number;
+}
+/** Sensible default: 120 ingests / minute / org (burst 120). */
+declare const DEFAULT_INGEST_QUOTA: QuotaConfig;
+interface QuotaDecision {
+    allowed: boolean;
+    /** Seconds to wait before retrying — populated only when `!allowed` (≥1). */
+    retryAfterSec: number;
+}
+declare class RateLimiter {
+    private readonly cfg;
+    private readonly now;
+    private readonly buckets;
+    constructor(cfg?: QuotaConfig, now?: () => number);
+    /** Consume one token for `key`. Returns whether the request is allowed (+ Retry-After when not). */
+    take(key: string): QuotaDecision;
+}
 
 /**
  * The central-collector ingest HTTP surface (2.12).
@@ -1775,12 +1897,18 @@ declare function ingestEnvelope(store: StoreBackend, envelope: IngestEnvelope, o
  * handler ever runs, so the handler never sees (and never logs) the token.
  */
 
-/** A transport-agnostic HTTP-ish response: a status code and a JSON-serializable body. */
+/** A transport-agnostic HTTP-ish response: a status code, a JSON-serializable body, optional headers. */
 interface IngestResponse {
     status: number;
     body: unknown;
+    /** Extra response headers (e.g. `Retry-After` on a 429). */
+    headers?: Record<string, string>;
+}
+type IngestHandler = (body: unknown) => Promise<IngestResponse>;
+interface IngestHandlerOptions extends IngestOptions {
+    /** Per-org ingest rate limiter (4.7 backpressure). Over-quota → 429 + Retry-After. */
+    quota?: RateLimiter;
 }
-type IngestHandler = (body: unknown) => IngestResponse;
 /**
  * Build the `/ingest` handler over a {@link StoreBackend}. The handler validates the
  * 2.11 push envelope, runs ingest (re-validating anonymization first), and maps the
@@ -1789,7 +1917,7 @@ type IngestHandler = (body: unknown) => IngestResponse;
  *  - 500 — ingest threw (the store's per-node transaction rolls that node back).
  *  - 200 — {@link IngestResult}.
  */
-declare function createIngestHandler(store: StoreBackend, opts?: IngestOptions): IngestHandler;
+declare function createIngestHandler(store: StoreBackend, opts?: IngestHandlerOptions): IngestHandler;
 
 /**
  * Org-key lifecycle for the 2.10 anonymization layer.
@@ -2137,6 +2265,12 @@ interface CreateMcpServerOptions {
      * behaviour exactly. The org is normalized to a tenant.
      */
     org?: string;
+    /**
+     * Org-wide summary source (4.3). When set (server-mode with a graph backend), the
+     * org `get_summary` reads from here instead of `db.getOrgSummary` — so a graph-DB
+     * collector serves its own merged aggregate. Defaults to the SQLite central store.
+     */
+    orgSummary?: (org: string) => OrgSummary | Promise<OrgSummary>;
     /**
      * The authenticated principal (4.5 RBAC). When set, mutating tools (`run_discovery`)
      * are gated by role: a `viewer` is refused with a forbidden error. Read tools are
@@ -2180,9 +2314,14 @@ interface HttpOptions {
      * caps the body, parses JSON, and returns the hook's `{ status, body }`. When unset,
      * `/ingest` 404s exactly like any other path — the collector stays dark by default.
      */
-    onIngest?: (body: unknown) => {
+    onIngest?: (body: unknown) => Promise<{
         status: number;
         body: unknown;
+        headers?: Record<string, string>;
+    }> | {
+        status: number;
+        body: unknown;
+        headers?: Record<string, string>;
     };
     /**
      * RBAC (4.5). When `store` holds credentials, the transport runs in RBAC mode: a
@@ -2197,6 +2336,14 @@ interface HttpOptions {
     };
     /** Tenant assigned to implicit (shared/loopback) admin principals. */
     defaultTenant?: string;
+    /**
+     * Readiness probe (4.7). When set, `GET /readyz` calls it: 200 when `ready`, else 503.
+     * `GET /healthz` (liveness) is always 200. Both are PUBLIC (no auth) for k8s/LB probes.
+     */
+    readiness?: () => {
+        ready: boolean;
+        detail?: Record<string, unknown>;
+    };
 }
 /**
  * Start a Streamable HTTP server. A fresh MCP server instance is created per
@@ -4128,4 +4275,4 @@ declare function logInfo(message: string, context?: Record<string, unknown>): vo
 declare function logWarn(message: string, context?: Record<string, unknown>): void;
 declare function logError(message: string, context?: Record<string, unknown>): void;
 
-export { ACTIONS, ANOMALY_KINDS, ANOMALY_SEVERITIES, type Action, ActionSchema, type AgentProvider, type AgentRunContext, type AgentTool, type Anomaly, type AnomalyConfig, type AnomalyKind, type AnomalySeverity, type AnomalyThresholds, type AnonViolation, type AnonymizationLevel, type ApiServerOptions, type AskUserFn, type AuthConfig, AuthConfigSchema, AuthorizationError, type BackstageEntity, type BackstageMapOptions, type BindGuardOptions, CLIENTS, CONFIDENCE, COST_PERIODS, type CartographyConfig, CartographyDB, type CartographyMapData, type CentralDbConfig, CentralDbConfigSchema, type ClassifiedItem, type ClassifyInput, type ClassifyResult, type ClientSpec, type Cluster, ClusterSchema, type ComplianceInput, type ComplianceReport, ComplianceReportSchema, type ComplianceRule, ComplianceRuleSchema, type Condition, ConditionSchema, ConfigError, type ConfigFile, ConfigFileSchema, type ConfigFormat, type Connection, ConnectionSchema, type Contributor, type ControlResult, ControlResultSchema, type CostEntry, CostEntrySchema, type CostPeriod, type CostRecord, type CostSource, type CreateMcpServerOptions, type CredentialConfig, CredentialConfigSchema, type CredentialDb, type CredentialRecord, type CredentialStore, type CronFields, CsvCostSource, type CsvCostSourceOptions, DEFAULT_ANOMALY_THRESHOLDS, DEFAULT_FAST_MODEL, DEFAULT_LEAD_MODEL, DEFAULT_SERVER_NAME, DEFAULT_TENANT, DOMAIN_COLORS, DOMAIN_PALETTE, DRIFT_FIELDS, type DataAsset, DataAssetSchema, type DependencyQuery, type DiscoveryEdge, type DiscoveryEvent, type DiscoveryFn, type DiscoveryNode, type DriftAlert, type DriftAlertItem, type DriftConfig, DriftConfigSchema, type DriftField, type DriftItemKind, type DriftRunRow, type DriftSink, type DriftSinkConfig, EDGE_RELATIONSHIPS, type EdgeRelationship, type EdgeRow, EdgeSchema, type EmbeddingProvider, type EnrichResult, type EntryOptions, type EstablishedConn, type EvidenceKind, type FetchLike, type FragmentKind, type GraphSummary, type HealthResult, type HttpOptions, INGEST_SCHEMA_VERSION, type IngestEnvelope, IngestEnvelopeSchema, type IngestHandler, type IngestOptions, type IngestResponse, type IngestResult, type InstallPlan, InvalidTenantError, type JiraIssue, type JiraOptions, JiraSink, type JiraSinkOptions, LOOPBACK_HOSTS, type LocalDiscoveryOptions, type LocalDiscoveryResult, type LogEntry, type LogLevel, MCP_BIN, type MatchStrategy, NODE_TYPES, NODE_TYPE_GROUPS, type NlIntent, type NlQueryOptions, type NlQueryResult, type NlRelation, type NodeAttribution, type NodeChange, type NodeIdentity, type NodeQuery, type NodeRow, NodeSchema, type NodeType, type NodesResult, NotFoundError, OUTPUT_FORMATS, type OrgKeyOptions, type OrgSummary, type OsKind, type OutputFormat, PACKAGE_NAME, PAGERDUTY_ENQUEUE_URL, PENDING_STATUSES, PERSONAL, PORT_MAP, PRIVATE_IP, PUSH_SCHEMA_VERSION, type PagerDutyEvent, PagerDutySink, type PagerDutySinkOptions, type ParsedApiArgs, type PendingShareRow, type PendingStatus, type PlanOptions, type PolicyResult, type PostJsonOptions, type Principal, PrincipalSchema, type ProviderFactory, type ProviderName, ProviderRegistry, type PushItem, type PushOptions, type PushResult, type QueryBackend, RELATION_TO_DIRECTION, ROLES, type ResolveContext, type ResolveOptions, type Role, RoleSchema, type RuleCheck, RuleCheckSchema, type RuleScope, type Ruleset, RulesetSchema, type RunDriftOptions, SCAN_ARG_PATTERNS, SDL, SECURITY_METADATA_KEYS, SEVERITIES, SEVERITY_WEIGHT, SHARING_LEVELS, type ScanArgKind, type ScanContext, type ScanHintParams, type ScanResult, type Scanner, type ScannerPlugin, type ScannerPluginApi, ScannerRegistry, ScannerShape, type ScheduleConfig, ScheduleConfigSchema, type ScheduledRunResult, type Scope, type SearchFn, type SemanticSearchOptions, type ServerEntry, type SessionRow, type Severity, type SharePreview, type SharePreviewEntry, type SharingLevel, SharingLevelSchema, type SharingPolicy, type ShellKind, type SlackMessage, SlackSink, SqliteCredentialStore, SqliteQueryBackend, SqliteStoreBackend, type StartApiOptions, StdoutSink, type StoreBackend, type SyncClassifyOptions, type SyncClassifyResult, TENANT_HEADER, type TenantContext, TenantMismatchError, type TenantOptions, type ToolResult, type TopologyDelta, type TopologyDiff, type TopologyInput, type TraversalResult, VectorStore, WebhookSink, type WebhookSinkOptions, applyInstall, applySharingLevel, assertReadOnly, assertSafeBind, assertSafeScanArg, assertSameTenant, assignColors, authorize, bearerToken, bookmarksScanner, buildCartographyToolHandlers, buildMapData, buildOpenApiDocument, buildReport, buildSinks, can, centralDbFromEnv, checkBearer, checkPrerequisites, checkReadOnly, clampText, classify, classifyDrift, cleanupTempFiles, cloudAwsScanner, cloudAzureScanner, cloudGcpScanner, codeAddMcpCommand, computeCentroid, computeClusterBounds, computeIdentity, connectionsScanner, contentHash, createBashTool, createCartographyTools, createClaudeProvider, createDefaultRegistry, createHashEmbedder, createIngestHandler, createLocalEmbedder, createMcpServer, createOllamaProvider, createOpenAIProvider, createScanRunner, createSemanticSearch, createSqliteQueryBackend, currentOs, cursorDeeplink, databasesScanner, deepMerge, defaultAllowedHosts, defaultConfig, defaultContext, defaultProviderRegistry, defaultRegistry, defaultServerEntry, definePlugin, deriveSessionName, detectAnomalies, detectOrphans, detectShadowIt, diffTopology, edgesToConnections, enrichCosts, entitiesToYaml, evaluateCheck, evaluateRule, evidenceLine, executeGraphql, executeNlQuery, exportAll, exportBackstageYAML, exportComplianceReport, exportCostCSV, exportCostSummary, exportDiscoveryApp, exportJGF, exportJSON, extractListeningPorts, filterBySeverity, findAnonViolations, formatComplianceText, formatJira, formatPagerDuty, formatSlack, generateDependencyMermaid, generateDiffMermaid, generateTopologyMermaid, getClient, getRuleset, globalId, groupByDomain, handleGraphqlGet, hashToken, hexCorners, hexDistance, hexNeighbors, hexRing, hexSpiral, hexToPixel, hmacKey, hostname, ingestEnvelope, installedAppsScanner, isLoopbackHost, isPersonalHost, isReadOnlyCommand, isRemembered, isSecureWebhookUrl, k8sScanner, keyMetaOf, layoutClusters, listClients, listRulesets, loadConfig, loadOrgKey, loadPlugins, loadRuleset, localDiscoveryFn, log, logDebug, logError, logInfo, logWarn, machineId, maxSeverity, mcpServerObject, newAnomalies, nextRun, nodesToAssets, normalizeId, normalizeTenant, orgKeyPath, osUser, parseApiArgs, parseComposeDeps, parseConfig, parseConnectionString, parseCostCsv, parseCron, parseEstablished, parseNginxUpstreams, parseNlQuery, parseScanHint, pixelToHex, planInstall, portsScanner, postJson, previewShare, pseudonymize, pseudonymizeFragment, pseudonymizeString, pushDeltas, readConfigFile, redactConnectionString, redactSecrets, redactValue, renderDiff, resolveEffectiveLevel, resolveNlQuery, resolvePrincipal, resolveSharingLevel, resolveTenant, revalidateAnonymized, reversalKey, reversePseudonym, rotateOrgKey, runApi, runDiscovery, runDrift, runHttp, runLocalDiscovery, runOnce, runStdio, runSyncClassify, safeEnv, safeJson, safetyHook, sanitizeUntrusted, sanitizeValue, scopeReads, scoreTopology, securityRelevantChange, serializeConfig, serviceConfigScanner, setVerbose, shadeVariant, shapeToJsonSchema, shareHash, splitSegments, stableStringify, startApi, stripSensitive, timingSafeEqual, toBackstageEntities, validateScanner, vscodeDeeplink, zodToJsonSchema };
+export { ACTIONS, ANOMALY_KINDS, ANOMALY_SEVERITIES, type Action, ActionSchema, type AgentProvider, type AgentRunContext, type AgentTool, type Anomaly, type AnomalyConfig, type AnomalyKind, type AnomalySeverity, type AnomalyThresholds, type AnonViolation, type AnonymizationLevel, type ApiServerOptions, type AskUserFn, type AuthConfig, AuthConfigSchema, AuthorizationError, type Awaitable, type BackstageEntity, type BackstageMapOptions, type BindGuardOptions, type BoltDriver, type BoltRecord, type BoltResult, type BoltSession, CLIENTS, CONFIDENCE, COST_PERIODS, type CartographyConfig, CartographyDB, type CartographyMapData, type CentralDbConfig, CentralDbConfigSchema, type ClassifiedItem, type ClassifyInput, type ClassifyResult, type ClientSpec, type Cluster, ClusterSchema, type ComplianceInput, type ComplianceReport, ComplianceReportSchema, type ComplianceRule, ComplianceRuleSchema, type Condition, ConditionSchema, ConfigError, type ConfigFile, ConfigFileSchema, type ConfigFormat, type Connection, ConnectionSchema, type Contributor, type ControlResult, ControlResultSchema, type CostEntry, CostEntrySchema, type CostPeriod, type CostRecord, type CostSource, type CreateMcpServerOptions, type CredentialConfig, CredentialConfigSchema, type CredentialDb, type CredentialRecord, type CredentialStore, type CronFields, CsvCostSource, type CsvCostSourceOptions, DEFAULT_ANOMALY_THRESHOLDS, DEFAULT_FAST_MODEL, DEFAULT_INGEST_QUOTA, DEFAULT_LEAD_MODEL, DEFAULT_SERVER_NAME, DEFAULT_TENANT, DOMAIN_COLORS, DOMAIN_PALETTE, DRIFT_FIELDS, type DataAsset, DataAssetSchema, type DependencyQuery, type DiscoveryEdge, type DiscoveryEvent, type DiscoveryFn, type DiscoveryNode, type DriftAlert, type DriftAlertItem, type DriftConfig, DriftConfigSchema, type DriftField, type DriftItemKind, type DriftRunRow, type DriftSink, type DriftSinkConfig, EDGE_RELATIONSHIPS, type EdgeRelationship, type EdgeRow, EdgeSchema, type EmbeddingProvider, type EnrichResult, type EntryOptions, type EstablishedConn, type EvidenceKind, type FetchLike, type FragmentKind, GraphStoreBackend, type GraphSummary, type HealthResult, type HttpOptions, INGEST_SCHEMA_VERSION, type IngestEnvelope, IngestEnvelopeSchema, type IngestHandler, type IngestHandlerOptions, type IngestOptions, type IngestResponse, type IngestResult, type InstallPlan, InvalidTenantError, type JiraIssue, type JiraOptions, JiraSink, type JiraSinkOptions, LOOPBACK_HOSTS, type LocalDiscoveryOptions, type LocalDiscoveryResult, type LogEntry, type LogLevel, MCP_BIN, type MatchStrategy, NODE_TYPES, NODE_TYPE_GROUPS, type NlIntent, type NlQueryOptions, type NlQueryResult, type NlRelation, type NodeAttribution, type NodeChange, type NodeIdentity, type NodeQuery, type NodeRow, NodeSchema, type NodeType, type NodesResult, NotFoundError, OUTPUT_FORMATS, type OrgKeyOptions, type OrgSummary, type OsKind, type OutputFormat, PACKAGE_NAME, PAGERDUTY_ENQUEUE_URL, PENDING_STATUSES, PERSONAL, PORT_MAP, PRIVATE_IP, PUSH_SCHEMA_VERSION, type PagerDutyEvent, PagerDutySink, type PagerDutySinkOptions, type ParsedApiArgs, type PendingShareRow, type PendingStatus, type PlanOptions, type PolicyResult, type PostJsonOptions, type Principal, PrincipalSchema, type ProviderFactory, type ProviderName, ProviderRegistry, type PushItem, type PushOptions, type PushResult, type QueryBackend, type QuotaConfig, type QuotaDecision, RELATION_TO_DIRECTION, ROLES, RateLimiter, type ResolveContext, type ResolveOptions, type Role, RoleSchema, type RuleCheck, RuleCheckSchema, type RuleScope, type Ruleset, RulesetSchema, type RunDriftOptions, SCAN_ARG_PATTERNS, SCHEMA_VERSION, SDL, SECURITY_METADATA_KEYS, SEVERITIES, SEVERITY_WEIGHT, SHARING_LEVELS, type ScanArgKind, type ScanContext, type ScanHintParams, type ScanResult, type Scanner, type ScannerPlugin, type ScannerPluginApi, ScannerRegistry, ScannerShape, type ScheduleConfig, ScheduleConfigSchema, type ScheduledRunResult, type Scope, type SearchFn, type SemanticSearchOptions, type ServerEntry, type SessionRow, type Severity, type SharePreview, type SharePreviewEntry, type SharingLevel, SharingLevelSchema, type SharingPolicy, type ShellKind, type SlackMessage, SlackSink, SqliteCredentialStore, SqliteQueryBackend, SqliteStoreBackend, type StartApiOptions, StdoutSink, type StoreBackend, type StoreBackendOptions, type SyncClassifyOptions, type SyncClassifyResult, TENANT_HEADER, type TenantContext, TenantMismatchError, type TenantOptions, type ToolResult, type TopologyDelta, type TopologyDiff, type TopologyInput, type TraversalResult, VectorStore, WebhookSink, type WebhookSinkOptions, applyInstall, applySharingLevel, assertReadOnly, assertSafeBind, assertSafeScanArg, assertSameTenant, assignColors, authorize, bearerToken, bookmarksScanner, buildCartographyToolHandlers, buildMapData, buildOpenApiDocument, buildReport, buildSinks, can, centralDbFromEnv, checkBearer, checkPrerequisites, checkReadOnly, clampText, classify, classifyDrift, cleanupTempFiles, cloudAwsScanner, cloudAzureScanner, cloudGcpScanner, codeAddMcpCommand, computeCentroid, computeClusterBounds, computeIdentity, connectionsScanner, contentHash, createBashTool, createCartographyTools, createClaudeProvider, createDefaultRegistry, createHashEmbedder, createIngestHandler, createLocalEmbedder, createMcpServer, createOllamaProvider, createOpenAIProvider, createScanRunner, createSemanticSearch, createSqliteQueryBackend, currentOs, cursorDeeplink, databasesScanner, deepMerge, defaultAllowedHosts, defaultConfig, defaultContext, defaultProviderRegistry, defaultRegistry, defaultServerEntry, definePlugin, deriveSessionName, detectAnomalies, detectOrphans, detectShadowIt, diffTopology, edgesToConnections, enrichCosts, entitiesToYaml, evaluateCheck, evaluateRule, evidenceLine, executeGraphql, executeNlQuery, exportAll, exportBackstageYAML, exportComplianceReport, exportCostCSV, exportCostSummary, exportDiscoveryApp, exportJGF, exportJSON, extractListeningPorts, filterBySeverity, findAnonViolations, formatComplianceText, formatJira, formatPagerDuty, formatSlack, generateDependencyMermaid, generateDiffMermaid, generateTopologyMermaid, getClient, getRuleset, globalId, groupByDomain, handleGraphqlGet, hashToken, hexCorners, hexDistance, hexNeighbors, hexRing, hexSpiral, hexToPixel, hmacKey, hostname, ingestEnvelope, installedAppsScanner, isLoopbackHost, isPersonalHost, isReadOnlyCommand, isRemembered, isSecureWebhookUrl, k8sScanner, keyMetaOf, layoutClusters, listClients, listRulesets, loadConfig, loadOrgKey, loadPlugins, loadRuleset, localDiscoveryFn, log, logDebug, logError, logInfo, logWarn, machineId, maxSeverity, mcpServerObject, newAnomalies, nextRun, nodesToAssets, normalizeId, normalizeTenant, openStoreBackend, orgKeyPath, osUser, parseApiArgs, parseComposeDeps, parseConfig, parseConnectionString, parseCostCsv, parseCron, parseEstablished, parseNginxUpstreams, parseNlQuery, parseScanHint, pixelToHex, planInstall, portsScanner, postJson, previewShare, pseudonymize, pseudonymizeFragment, pseudonymizeString, pushDeltas, readConfigFile, redactConnectionString, redactSecrets, redactValue, renderDiff, resolveEffectiveLevel, resolveNlQuery, resolvePrincipal, resolveSharingLevel, resolveTenant, revalidateAnonymized, reversalKey, reversePseudonym, rotateOrgKey, runApi, runDiscovery, runDrift, runHttp, runLocalDiscovery, runOnce, runStdio, runSyncClassify, safeEnv, safeJson, safetyHook, sanitizeUntrusted, sanitizeValue, scopeReads, scoreTopology, securityRelevantChange, serializeConfig, serviceConfigScanner, setVerbose, shadeVariant, shapeToJsonSchema, shareHash, splitSegments, stableStringify, startApi, stripSensitive, timingSafeEqual, toBackstageEntities, validateScanner, vscodeDeeplink, zodToJsonSchema };