npm - @datasynx/agentic-ai-cartography - Versions diffs - 2.9.0 → 2.11.0 - Mend

@datasynx/agentic-ai-cartography 2.9.0 → 2.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/dist/api-bin.js +2 -2
package/dist/{chunk-LRUWWHMQ.js → chunk-FFUUNSWP.js} +276 -6
package/dist/chunk-FFUUNSWP.js.map +1 -0
package/dist/{chunk-YVV6NIT2.js → chunk-LO6YFS6H.js} +2 -1
package/dist/{chunk-W4Q3TXHR.js → chunk-PD67MOKR.js} +2 -2
package/dist/cli.js +3 -3
package/dist/index.cjs +307 -26
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +112 -1
package/dist/index.d.ts +112 -1
package/dist/index.js +287 -12
package/dist/index.js.map +1 -1
package/dist/mcp-bin.js +2 -2
package/llms-full.txt +1 -0
package/package.json +1 -1
package/server.json +2 -2
package/dist/chunk-LRUWWHMQ.js.map +0 -1
/package/dist/{chunk-YVV6NIT2.js.map → chunk-LO6YFS6H.js.map} +0 -0
/package/dist/{chunk-W4Q3TXHR.js.map → chunk-PD67MOKR.js.map} +0 -0

package/dist/api-bin.js CHANGED Viewed

@@ -2,8 +2,8 @@
 import {
   parseApiArgs,
   startApi
-} from "./chunk-W4Q3TXHR.js";
-import "./chunk-YVV6NIT2.js";
+} from "./chunk-PD67MOKR.js";
+import "./chunk-LO6YFS6H.js";
 import "./chunk-QQOQBE2A.js";
 import "./chunk-2SZ5QHGH.js";

package/dist/{chunk-LRUWWHMQ.js → chunk-FFUUNSWP.js} RENAMED Viewed

@@ -20,12 +20,13 @@ import {
   k8sScanner,
   keyMetaOf,
   normalizeTenant,
+  redactSecrets,
   redactValue,
   resolvePrincipal,
   sanitizeUntrusted,
   stableStringify,
   stripSensitive
-} from "./chunk-YVV6NIT2.js";
+} from "./chunk-LO6YFS6H.js";
 import {
   EdgeSchema,
   NODE_TYPES,
@@ -653,9 +654,132 @@ var serviceConfigScanner = {
   }
 };
+// src/scanners/terraform.ts
+import { readFileSync } from "fs";
+var TYPE_RULES = [
+  [/(db_instance|_rds|sql_database|sql_instance|database_instance|cosmosdb|dynamodb|spanner|bigtable|documentdb|redshift)/, "database_server"],
+  [/(elasticache|_redis|memcached|memorystore)/, "cache_server"],
+  [/(s3_bucket|storage_bucket|gcs_bucket|storage_account|_blob)/, "database"],
+  [/(_sqs|_queue|servicebus_queue)/, "queue"],
+  [/(_sns|_topic|pubsub_topic|servicebus_topic)/, "topic"],
+  [/(kafka|_msk|event_hub|kinesis)/, "message_broker"],
+  [/(_eks|_gke|_aks|kubernetes_cluster|container_cluster)/, "k8s_cluster"],
+  [/(ecs_|_container|fargate)/, "container"],
+  [/(lambda|cloud_function|cloudfunctions|function_app|cloud_run)/, "web_service"],
+  [/(_lb$|load_balancer|_alb|_elb|application_gateway)/, "web_service"],
+  [/(api_gateway|apigateway)/, "api_endpoint"],
+  [/(_instance|virtual_machine|_vm$|compute_instance)/, "host"]
+];
+function terraformTypeToNode(tfType) {
+  const t = tfType.toLowerCase();
+  for (const [re, nt] of TYPE_RULES) if (re.test(t)) return nt;
+  return "unknown";
+}
+var IDENTITY_ATTRS = ["id", "arn", "region", "location", "instance_type", "engine", "machine_type"];
+var OWNER_TAGS = ["Owner", "owner", "Team", "team"];
+var SAFE_TAG_KEYS = /* @__PURE__ */ new Set(["Name", "name", "Owner", "owner", "Team", "team", "Env", "env", "Environment", "environment", "Service", "service", "Component", "component", "App", "app", "Project", "project", "Tier", "tier", "Role", "role"]);
+var SECRET_KEY = /pass|secret|token|key|pwd|cred|private/i;
+function attrTags(tags) {
+  if (!tags || typeof tags !== "object") return [];
+  return Object.entries(tags).filter(([k]) => SAFE_TAG_KEYS.has(k) && !SECRET_KEY.test(k)).map(([k, v]) => `${k}:${redactSecrets(String(v))}`);
+}
+function parseTerraformState(json2) {
+  let state;
+  try {
+    state = JSON.parse(json2);
+  } catch {
+    return { nodes: [], edges: [] };
+  }
+  const resources = Array.isArray(state?.resources) ? state.resources : [];
+  const nodes = [];
+  const edges = [];
+  const addrToId = /* @__PURE__ */ new Map();
+  for (const raw of resources) {
+    const r = raw;
+    if (r.mode && r.mode !== "managed") continue;
+    if (typeof r.type !== "string" || typeof r.name !== "string") continue;
+    const address = `${r.type}.${r.name}`;
+    const nt = terraformTypeToNode(r.type);
+    const id = `${nt}:terraform:${address}`;
+    if (addrToId.has(address)) continue;
+    addrToId.set(address, id);
+    const inst = Array.isArray(r.instances) ? r.instances[0] : void 0;
+    const attrs = inst?.attributes ?? {};
+    const identity = { source: "terraform", tfType: r.type };
+    for (const k of IDENTITY_ATTRS) if (attrs[k] !== void 0) identity[k] = attrs[k];
+    const owner = OWNER_TAGS.map((k) => attrs.tags?.[k]).find((v) => typeof v === "string");
+    nodes.push({
+      id,
+      type: nt,
+      name: address,
+      discoveredVia: "terraform-state",
+      confidence: 0.9,
+      // IaC is authoritative declared intent.
+      metadata: redactValue(identity),
+      tags: attrTags(attrs.tags),
+      ...owner ? { owner } : {}
+    });
+  }
+  for (const raw of resources) {
+    const r = raw;
+    if (r.mode && r.mode !== "managed") continue;
+    if (typeof r.type !== "string" || typeof r.name !== "string") continue;
+    const srcId = addrToId.get(`${r.type}.${r.name}`);
+    if (!srcId) continue;
+    const inst = Array.isArray(r.instances) ? r.instances[0] : void 0;
+    const deps = Array.isArray(inst?.dependencies) ? inst.dependencies : [];
+    for (const dep of deps) {
+      if (typeof dep !== "string") continue;
+      const tgtId = addrToId.get(dep) ?? addrToId.get(dep.split("[")[0]);
+      if (!tgtId || tgtId === srcId) continue;
+      edges.push({ sourceId: srcId, targetId: tgtId, relationship: "depends_on", evidence: evidenceLine("config-declared", `terraform depends_on ${dep}`), confidence: 0.85 });
+    }
+  }
+  return { nodes, edges };
+}
+function stateDirs() {
+  return [".", "./terraform", "./infra", "./infrastructure", "./deploy", "./terraform/environments"];
+}
+function hintPath(hint) {
+  if (!hint) return void 0;
+  const m = /(?:^|[\s,])tfstate=([^\s,]+)/.exec(hint);
+  return m ? m[1] : void 0;
+}
+function resolveStatePath(ctx) {
+  const explicit = hintPath(ctx.hint);
+  if (explicit) return explicit;
+  const found = (ctx.findFiles ?? findFiles)(stateDirs(), ["*.tfstate"], 4, 20).split(/\r?\n/).map((s) => s.trim()).filter(Boolean);
+  return found[0];
+}
+function readStateFile(path) {
+  try {
+    return readFileSync(path, "utf8");
+  } catch {
+    return "";
+  }
+}
+var terraformScanner = {
+  id: "terraform-state",
+  title: "Terraform state (IaC)",
+  platforms: "all",
+  // No shell commands — the state file is read directly via node:fs, so an
+  // operator-supplied path can never inject a command (no `cat "${path}"` interpolation).
+  detect(ctx) {
+    return resolveStatePath(ctx) !== void 0;
+  },
+  async scan(ctx) {
+    const path = resolveStatePath(ctx);
+    if (!path) return { nodes: [], edges: [] };
+    const json2 = (ctx.readFile ?? readStateFile)(path);
+    if (!json2) return { nodes: [], edges: [] };
+    const result = parseTerraformState(json2);
+    return { ...result, report: `terraform-state: ${result.nodes.length} resources, ${result.edges.length} dependencies from ${path}` };
+  }
+};
 // src/scanners/registry.ts
 function defaultRegistry() {
-  return new ScannerRegistry().register(bookmarksScanner).register(installedAppsScanner).register(portsScanner).register(cloudAwsScanner).register(cloudGcpScanner).register(cloudAzureScanner).register(k8sScanner).register(databasesScanner).register(connectionsScanner).register(serviceConfigScanner);
+  return new ScannerRegistry().register(bookmarksScanner).register(installedAppsScanner).register(portsScanner).register(cloudAwsScanner).register(cloudGcpScanner).register(cloudAzureScanner).register(k8sScanner).register(databasesScanner).register(connectionsScanner).register(serviceConfigScanner).register(terraformScanner);
 }
 // src/scanners/loader.ts
@@ -1317,7 +1441,7 @@ async function runDrift(db, config, opts = {}) {
 // src/orgkey.ts
 import { randomBytes, hkdfSync } from "crypto";
-import { existsSync, mkdirSync, readFileSync, writeFileSync, statSync } from "fs";
+import { existsSync, mkdirSync, readFileSync as readFileSync2, writeFileSync, statSync } from "fs";
 import { homedir } from "os";
 import { dirname, join } from "path";
 function orgKeyPath(home = homedir()) {
@@ -1333,7 +1457,7 @@ function loadFileSecret(path) {
       }
     } catch {
     }
-    const hex = readFileSync(path, "utf8").trim();
+    const hex = readFileSync2(path, "utf8").trim();
     const buf = Buffer.from(hex, "hex");
     if (buf.length === KEY_BYTES) return buf;
     logWarn("org-key file was malformed \u2014 regenerating a fresh org key");
@@ -1537,9 +1661,146 @@ async function executeNlQuery(db, sessionId, search, intent, opts = {}) {
   return { intent, anchors, nodes, paths: trav.edges };
 }
+// src/correlation/signals.ts
+var IPV4 = /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g;
+var DNS = /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.){1,8}[a-z]{2,24}\b/gi;
+var ENDPOINT = /\b((?:[a-z0-9][a-z0-9.-]{0,253})):(\d{1,5})\b/gi;
+function isPrivateIp(ip) {
+  return /^(?:10\.|127\.|169\.254\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)/.test(ip);
+}
+function sources(node) {
+  const out = [node.id, node.name];
+  const meta = node.metadata;
+  if (meta) {
+    for (const k of ["host", "hostname", "ip", "address", "dns", "dnsName", "endpoint", "fqdn", "publicIp", "privateIp", "url"]) {
+      const v = meta[k];
+      if (typeof v === "string") out.push(v);
+    }
+  }
+  return out;
+}
+var KNOWN_PROVIDERS = /* @__PURE__ */ new Set(["aws", "gcp", "azure", "k8s", "kubernetes", "localhost", "docker"]);
+function parseProvider(id) {
+  const seg = id.split(":");
+  if (seg.length >= 3 && KNOWN_PROVIDERS.has(seg[1])) return seg[1];
+  return void 0;
+}
+function extractSignals(node) {
+  const text = sources(node).join(" \n ");
+  const publicIps = /* @__PURE__ */ new Set();
+  const privateIps = /* @__PURE__ */ new Set();
+  const dnsNames = /* @__PURE__ */ new Set();
+  const endpoints = /* @__PURE__ */ new Set();
+  for (const m of text.matchAll(IPV4)) (isPrivateIp(m[0]) ? privateIps : publicIps).add(m[0]);
+  for (const m of text.matchAll(DNS)) dnsNames.add(m[0].toLowerCase());
+  for (const m of text.matchAll(ENDPOINT)) endpoints.add(`${m[1].toLowerCase()}:${m[2]}`);
+  const provider = parseProvider(node.id);
+  const sortUniq = (s) => [...s].sort();
+  return {
+    ...provider ? { provider } : {},
+    endpoints: sortUniq(endpoints),
+    publicIps: sortUniq(publicIps),
+    privateIps: sortUniq(privateIps),
+    // The DNS regex requires an alphabetic TLD, so pure IPv4s never land here.
+    dnsNames: sortUniq(dnsNames)
+  };
+}
+// src/correlation/correlate.ts
+var CORRELATION_CONFIDENCE = {
+  "global-identity": 1,
+  "dns-name": 0.95,
+  "public-ip": 0.9,
+  "endpoint": 0.85,
+  "private-ip": 0.5
+};
+var MERGE_THRESHOLD = 0.85;
+var DSU = class {
+  parent;
+  constructor(n) {
+    this.parent = Array.from({ length: n }, (_, i) => i);
+  }
+  find(x) {
+    while (this.parent[x] !== x) {
+      this.parent[x] = this.parent[this.parent[x]];
+      x = this.parent[x];
+    }
+    return x;
+  }
+  union(a, b) {
+    const ra = this.find(a), rb = this.find(b);
+    if (ra !== rb) this.parent[Math.max(ra, rb)] = Math.min(ra, rb);
+  }
+};
+function correlateTopology(nodes, _edges = []) {
+  const n = nodes.length;
+  const signals = nodes.map(extractSignals);
+  const dsu = new DSU(n);
+  const correlations = [];
+  const merged = /* @__PURE__ */ new Set();
+  const buckets = /* @__PURE__ */ new Map();
+  const add = (sig, val, i) => {
+    const k = `${sig}|${val}`;
+    const arr = buckets.get(k);
+    if (arr) arr.push(i);
+    else buckets.set(k, [i]);
+  };
+  nodes.forEach((node, i) => {
+    if (node.globalId) add("global-identity", node.globalId, i);
+    for (const d of signals[i].dnsNames) add("dns-name", d, i);
+    for (const ip of signals[i].publicIps) add("public-ip", ip, i);
+    for (const e of signals[i].endpoints) add("endpoint", e, i);
+  });
+  const order = ["global-identity", "dns-name", "public-ip", "endpoint"];
+  for (const sig of order) {
+    const conf = CORRELATION_CONFIDENCE[sig];
+    const keys = [...buckets.keys()].filter((k) => k.startsWith(`${sig}|`)).sort();
+    for (const key of keys) {
+      const members = buckets.get(key).slice().sort((x, y) => nodes[x].id.localeCompare(nodes[y].id));
+      const value = key.slice(sig.length + 1);
+      for (let j = 1; j < members.length; j++) {
+        const a = members[0], b = members[j];
+        if (conf < MERGE_THRESHOLD) continue;
+        dsu.union(a, b);
+        merged.add(a);
+        merged.add(b);
+        const [s, t] = [nodes[a].id, nodes[b].id].sort();
+        correlations.push({ sourceId: s, targetId: t, relationship: "same_as", signal: sig, confidence: conf, evidence: `[${sig}] shared ${value}` });
+      }
+    }
+  }
+  const clusters = /* @__PURE__ */ new Map();
+  for (let i = 0; i < n; i++) {
+    const r = dsu.find(i);
+    const arr = clusters.get(r);
+    if (arr) arr.push(i);
+    else clusters.set(r, [i]);
+  }
+  const canonical = [];
+  let crossCloud = 0;
+  for (const idxs of clusters.values()) {
+    const memberNodes = idxs.map((i) => nodes[i]);
+    const members = memberNodes.map((m) => m.id).sort();
+    const providers = [...new Set(idxs.map((i) => signals[i].provider).filter((p) => !!p))].sort();
+    const rep = memberNodes.reduce((a, b) => a.id < b.id ? a : b);
+    const memberIds = new Set(members);
+    const internal = correlations.filter((c) => memberIds.has(c.sourceId) && memberIds.has(c.targetId));
+    const confidence = internal.length ? Math.min(...internal.map((c) => c.confidence)) : 1;
+    if (providers.length > 1) crossCloud += 1;
+    canonical.push({ id: rep.id, type: rep.type, name: rep.name, members, providers, confidence });
+  }
+  canonical.sort((a, b) => a.id.localeCompare(b.id));
+  correlations.sort((a, b) => b.confidence - a.confidence || a.sourceId.localeCompare(b.sourceId) || a.targetId.localeCompare(b.targetId));
+  return {
+    canonical,
+    correlations,
+    summary: { rawNodes: n, canonicalNodes: canonical.length, collapsed: n - canonical.length, crossCloud }
+  };
+}
 // src/mcp/server.ts
 var SERVER_NAME = "cartography";
-var SERVER_VERSION = "2.9.0";
+var SERVER_VERSION = "2.11.0";
 var SERVICE_TYPES = NODE_TYPE_GROUPS.web;
 var DATA_TYPES = NODE_TYPE_GROUPS.data;
 var lexicalSearch = async (db, sessionId, query, opts) => db.searchNodes(sessionId, query, { types: opts.types, limit: opts.limit }).map((node) => ({ node }));
@@ -1699,6 +1960,15 @@ function createMcpServer(opts = {}) {
       return json(db.getGraphSummary(sid));
     }
   );
+  server.registerTool(
+    "correlate_topology",
+    { title: "Correlate multi-cloud topology", description: "Collapse the same logical resource discovered across clouds/on-prem (by global identity or a shared DNS name / public IP / endpoint) into canonical entities with confidence-scored same_as links. Read-only, non-destructive (5.1).", inputSchema: {}, annotations: readOnly },
+    () => {
+      const sid = resolveSession();
+      if (!sid) return json({ error: "No discovery session found." });
+      return json(correlateTopology(db.getNodes(sid), db.getEdges(sid)));
+    }
+  );
   server.registerTool(
     "get_cost_summary",
     { title: "Get cost summary", description: "FinOps rollup: cost by domain and owner, currency/period-bucketed (3.3).", inputSchema: {}, annotations: readOnly },
@@ -2882,4 +3152,4 @@ export {
   parseMcpArgs,
   startMcp
 };
-//# sourceMappingURL=chunk-LRUWWHMQ.js.map
+//# sourceMappingURL=chunk-FFUUNSWP.js.map