@datasynx/agentic-ai-cartography 2.9.0 → 2.11.0

package/dist/{chunk-YVV6NIT2.js → chunk-LO6YFS6H.js}

@@ -3391,6 +3391,7 @@ export {
   k8sScanner,
   databasesScanner,
   stripSensitive,
+  redactSecrets,
   redactValue,
   buildCartographyToolHandlers,
   createCartographyTools,
@@ -3414,4 +3415,4 @@ export {
   AuthorizationError,
   authorize
 };
-//# sourceMappingURL=chunk-YVV6NIT2.js.map
+//# sourceMappingURL=chunk-LO6YFS6H.js.map

package/dist/{chunk-W4Q3TXHR.js → chunk-PD67MOKR.js}

@@ -10,7 +10,7 @@ import {
   defaultAllowedHosts,
   normalizeTenant,
   resolvePrincipal
-} from "./chunk-YVV6NIT2.js";
+} from "./chunk-LO6YFS6H.js";
 import {
   ANOMALY_KINDS,
   ANOMALY_SEVERITIES,
@@ -1409,4 +1409,4 @@ export {
   parseApiArgs,
   startApi
 };
-//# sourceMappingURL=chunk-W4Q3TXHR.js.map
+//# sourceMappingURL=chunk-PD67MOKR.js.map

package/dist/cli.js

@@ -11,12 +11,12 @@ import {
   runDrift,
   runLocalDiscovery,
   startMcp
-} from "./chunk-LRUWWHMQ.js";
+} from "./chunk-FFUUNSWP.js";
 import {
   entitiesToYaml,
   startApi,
   toBackstageEntities
-} from "./chunk-W4Q3TXHR.js";
+} from "./chunk-PD67MOKR.js";
 import {
   CartographyDB,
   buildCartographyToolHandlers,
@@ -28,7 +28,7 @@ import {
   redactValue,
   stableStringify,
   stripSensitive
-} from "./chunk-YVV6NIT2.js";
+} from "./chunk-LO6YFS6H.js";
 import {
   ConfigFileSchema,
   CostEntrySchema,

package/dist/index.cjs

@@ -36,6 +36,7 @@ __export(src_exports, {
   AuthorizationError: () => AuthorizationError,
   CLIENTS: () => CLIENTS,
   CONFIDENCE: () => CONFIDENCE,
+  CORRELATION_CONFIDENCE: () => CORRELATION_CONFIDENCE,
   CartographyDB: () => CartographyDB,
   ComplianceReportSchema: () => ComplianceReportSchema,
   ComplianceRuleSchema: () => ComplianceRuleSchema,
@@ -122,6 +123,7 @@ __export(src_exports, {
   computeIdentity: () => computeIdentity,
   connectionsScanner: () => connectionsScanner,
   contentHash: () => contentHash,
+  correlateTopology: () => correlateTopology,
   createBashTool: () => createBashTool,
   createCartographyTools: () => createCartographyTools,
   createClaudeProvider: () => createClaudeProvider,
@@ -169,6 +171,7 @@ __export(src_exports, {
   exportJGF: () => exportJGF,
   exportJSON: () => exportJSON,
   extractListeningPorts: () => extractListeningPorts,
+  extractSignals: () => extractSignals,
   filterBySeverity: () => filterBySeverity,
   findAnonViolations: () => findAnonViolations,
   formatComplianceText: () => formatComplianceText,
@@ -235,6 +238,7 @@ __export(src_exports, {
   parseNginxUpstreams: () => parseNginxUpstreams,
   parseNlQuery: () => parseNlQuery,
   parseScanHint: () => parseScanHint,
+  parseTerraformState: () => parseTerraformState,
   pixelToHex: () => pixelToHex,
   planInstall: () => planInstall,
   portsScanner: () => portsScanner,
@@ -284,6 +288,8 @@ __export(src_exports, {
   stableStringify: () => stableStringify,
   startApi: () => startApi,
   stripSensitive: () => stripSensitive,
+  terraformScanner: () => terraformScanner,
+  terraformTypeToNode: () => terraformTypeToNode,
   timingSafeEqual: () => timingSafeEqual,
   toBackstageEntities: () => toBackstageEntities,
   validateScanner: () => validateScanner,
@@ -6134,9 +6140,146 @@ async function resolveNlQuery(db, sessionId, search, raw, opts) {
   return executeNlQuery(db, sessionId, search, parseNlQuery(raw), opts);
 }
 
+// src/correlation/signals.ts
+var IPV4 = /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g;
+var DNS = /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.){1,8}[a-z]{2,24}\b/gi;
+var ENDPOINT = /\b((?:[a-z0-9][a-z0-9.-]{0,253})):(\d{1,5})\b/gi;
+function isPrivateIp(ip) {
+  return /^(?:10\.|127\.|169\.254\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)/.test(ip);
+}
+function sources(node) {
+  const out = [node.id, node.name];
+  const meta = node.metadata;
+  if (meta) {
+    for (const k of ["host", "hostname", "ip", "address", "dns", "dnsName", "endpoint", "fqdn", "publicIp", "privateIp", "url"]) {
+      const v = meta[k];
+      if (typeof v === "string") out.push(v);
+    }
+  }
+  return out;
+}
+var KNOWN_PROVIDERS = /* @__PURE__ */ new Set(["aws", "gcp", "azure", "k8s", "kubernetes", "localhost", "docker"]);
+function parseProvider(id) {
+  const seg = id.split(":");
+  if (seg.length >= 3 && KNOWN_PROVIDERS.has(seg[1])) return seg[1];
+  return void 0;
+}
+function extractSignals(node) {
+  const text = sources(node).join(" \n ");
+  const publicIps = /* @__PURE__ */ new Set();
+  const privateIps = /* @__PURE__ */ new Set();
+  const dnsNames = /* @__PURE__ */ new Set();
+  const endpoints = /* @__PURE__ */ new Set();
+  for (const m of text.matchAll(IPV4)) (isPrivateIp(m[0]) ? privateIps : publicIps).add(m[0]);
+  for (const m of text.matchAll(DNS)) dnsNames.add(m[0].toLowerCase());
+  for (const m of text.matchAll(ENDPOINT)) endpoints.add(`${m[1].toLowerCase()}:${m[2]}`);
+  const provider = parseProvider(node.id);
+  const sortUniq = (s) => [...s].sort();
+  return {
+    ...provider ? { provider } : {},
+    endpoints: sortUniq(endpoints),
+    publicIps: sortUniq(publicIps),
+    privateIps: sortUniq(privateIps),
+    // The DNS regex requires an alphabetic TLD, so pure IPv4s never land here.
+    dnsNames: sortUniq(dnsNames)
+  };
+}
+
+// src/correlation/correlate.ts
+var CORRELATION_CONFIDENCE = {
+  "global-identity": 1,
+  "dns-name": 0.95,
+  "public-ip": 0.9,
+  "endpoint": 0.85,
+  "private-ip": 0.5
+};
+var MERGE_THRESHOLD = 0.85;
+var DSU = class {
+  parent;
+  constructor(n) {
+    this.parent = Array.from({ length: n }, (_, i) => i);
+  }
+  find(x) {
+    while (this.parent[x] !== x) {
+      this.parent[x] = this.parent[this.parent[x]];
+      x = this.parent[x];
+    }
+    return x;
+  }
+  union(a, b) {
+    const ra = this.find(a), rb = this.find(b);
+    if (ra !== rb) this.parent[Math.max(ra, rb)] = Math.min(ra, rb);
+  }
+};
+function correlateTopology(nodes, _edges = []) {
+  const n = nodes.length;
+  const signals = nodes.map(extractSignals);
+  const dsu = new DSU(n);
+  const correlations = [];
+  const merged = /* @__PURE__ */ new Set();
+  const buckets = /* @__PURE__ */ new Map();
+  const add = (sig, val, i) => {
+    const k = `${sig}|${val}`;
+    const arr = buckets.get(k);
+    if (arr) arr.push(i);
+    else buckets.set(k, [i]);
+  };
+  nodes.forEach((node, i) => {
+    if (node.globalId) add("global-identity", node.globalId, i);
+    for (const d of signals[i].dnsNames) add("dns-name", d, i);
+    for (const ip of signals[i].publicIps) add("public-ip", ip, i);
+    for (const e of signals[i].endpoints) add("endpoint", e, i);
+  });
+  const order = ["global-identity", "dns-name", "public-ip", "endpoint"];
+  for (const sig of order) {
+    const conf = CORRELATION_CONFIDENCE[sig];
+    const keys = [...buckets.keys()].filter((k) => k.startsWith(`${sig}|`)).sort();
+    for (const key of keys) {
+      const members = buckets.get(key).slice().sort((x, y) => nodes[x].id.localeCompare(nodes[y].id));
+      const value = key.slice(sig.length + 1);
+      for (let j = 1; j < members.length; j++) {
+        const a = members[0], b = members[j];
+        if (conf < MERGE_THRESHOLD) continue;
+        dsu.union(a, b);
+        merged.add(a);
+        merged.add(b);
+        const [s, t] = [nodes[a].id, nodes[b].id].sort();
+        correlations.push({ sourceId: s, targetId: t, relationship: "same_as", signal: sig, confidence: conf, evidence: `[${sig}] shared ${value}` });
+      }
+    }
+  }
+  const clusters = /* @__PURE__ */ new Map();
+  for (let i = 0; i < n; i++) {
+    const r = dsu.find(i);
+    const arr = clusters.get(r);
+    if (arr) arr.push(i);
+    else clusters.set(r, [i]);
+  }
+  const canonical = [];
+  let crossCloud = 0;
+  for (const idxs of clusters.values()) {
+    const memberNodes = idxs.map((i) => nodes[i]);
+    const members = memberNodes.map((m) => m.id).sort();
+    const providers = [...new Set(idxs.map((i) => signals[i].provider).filter((p) => !!p))].sort();
+    const rep = memberNodes.reduce((a, b) => a.id < b.id ? a : b);
+    const memberIds = new Set(members);
+    const internal = correlations.filter((c) => memberIds.has(c.sourceId) && memberIds.has(c.targetId));
+    const confidence = internal.length ? Math.min(...internal.map((c) => c.confidence)) : 1;
+    if (providers.length > 1) crossCloud += 1;
+    canonical.push({ id: rep.id, type: rep.type, name: rep.name, members, providers, confidence });
+  }
+  canonical.sort((a, b) => a.id.localeCompare(b.id));
+  correlations.sort((a, b) => b.confidence - a.confidence || a.sourceId.localeCompare(b.sourceId) || a.targetId.localeCompare(b.targetId));
+  return {
+    canonical,
+    correlations,
+    summary: { rawNodes: n, canonicalNodes: canonical.length, collapsed: n - canonical.length, crossCloud }
+  };
+}
+
 // src/mcp/server.ts
 var SERVER_NAME = "cartography";
-var SERVER_VERSION = "2.9.0";
+var SERVER_VERSION = "2.11.0";
 var SERVICE_TYPES = NODE_TYPE_GROUPS.web;
 var DATA_TYPES = NODE_TYPE_GROUPS.data;
 var lexicalSearch = async (db, sessionId, query, opts) => db.searchNodes(sessionId, query, { types: opts.types, limit: opts.limit }).map((node) => ({ node }));
@@ -6296,6 +6439,15 @@ function createMcpServer(opts = {}) {
       return json(db.getGraphSummary(sid));
     }
   );
+  server.registerTool(
+    "correlate_topology",
+    { title: "Correlate multi-cloud topology", description: "Collapse the same logical resource discovered across clouds/on-prem (by global identity or a shared DNS name / public IP / endpoint) into canonical entities with confidence-scored same_as links. Read-only, non-destructive (5.1).", inputSchema: {}, annotations: readOnly },
+    () => {
+      const sid = resolveSession();
+      if (!sid) return json({ error: "No discovery session found." });
+      return json(correlateTopology(db.getNodes(sid), db.getEdges(sid)));
+    }
+  );
   server.registerTool(
     "get_cost_summary",
     { title: "Get cost summary", description: "FinOps rollup: cost by domain and owner, currency/period-bucketed (3.3).", inputSchema: {}, annotations: readOnly },
@@ -7537,9 +7689,132 @@ var serviceConfigScanner = {
   }
 };
 
+// src/scanners/terraform.ts
+var import_node_fs5 = require("fs");
+var TYPE_RULES = [
+  [/(db_instance|_rds|sql_database|sql_instance|database_instance|cosmosdb|dynamodb|spanner|bigtable|documentdb|redshift)/, "database_server"],
+  [/(elasticache|_redis|memcached|memorystore)/, "cache_server"],
+  [/(s3_bucket|storage_bucket|gcs_bucket|storage_account|_blob)/, "database"],
+  [/(_sqs|_queue|servicebus_queue)/, "queue"],
+  [/(_sns|_topic|pubsub_topic|servicebus_topic)/, "topic"],
+  [/(kafka|_msk|event_hub|kinesis)/, "message_broker"],
+  [/(_eks|_gke|_aks|kubernetes_cluster|container_cluster)/, "k8s_cluster"],
+  [/(ecs_|_container|fargate)/, "container"],
+  [/(lambda|cloud_function|cloudfunctions|function_app|cloud_run)/, "web_service"],
+  [/(_lb$|load_balancer|_alb|_elb|application_gateway)/, "web_service"],
+  [/(api_gateway|apigateway)/, "api_endpoint"],
+  [/(_instance|virtual_machine|_vm$|compute_instance)/, "host"]
+];
+function terraformTypeToNode(tfType) {
+  const t = tfType.toLowerCase();
+  for (const [re, nt] of TYPE_RULES) if (re.test(t)) return nt;
+  return "unknown";
+}
+var IDENTITY_ATTRS = ["id", "arn", "region", "location", "instance_type", "engine", "machine_type"];
+var OWNER_TAGS = ["Owner", "owner", "Team", "team"];
+var SAFE_TAG_KEYS = /* @__PURE__ */ new Set(["Name", "name", "Owner", "owner", "Team", "team", "Env", "env", "Environment", "environment", "Service", "service", "Component", "component", "App", "app", "Project", "project", "Tier", "tier", "Role", "role"]);
+var SECRET_KEY = /pass|secret|token|key|pwd|cred|private/i;
+function attrTags(tags) {
+  if (!tags || typeof tags !== "object") return [];
+  return Object.entries(tags).filter(([k]) => SAFE_TAG_KEYS.has(k) && !SECRET_KEY.test(k)).map(([k, v]) => `${k}:${redactSecrets(String(v))}`);
+}
+function parseTerraformState(json2) {
+  let state;
+  try {
+    state = JSON.parse(json2);
+  } catch {
+    return { nodes: [], edges: [] };
+  }
+  const resources = Array.isArray(state?.resources) ? state.resources : [];
+  const nodes = [];
+  const edges = [];
+  const addrToId = /* @__PURE__ */ new Map();
+  for (const raw of resources) {
+    const r = raw;
+    if (r.mode && r.mode !== "managed") continue;
+    if (typeof r.type !== "string" || typeof r.name !== "string") continue;
+    const address = `${r.type}.${r.name}`;
+    const nt = terraformTypeToNode(r.type);
+    const id = `${nt}:terraform:${address}`;
+    if (addrToId.has(address)) continue;
+    addrToId.set(address, id);
+    const inst = Array.isArray(r.instances) ? r.instances[0] : void 0;
+    const attrs = inst?.attributes ?? {};
+    const identity = { source: "terraform", tfType: r.type };
+    for (const k of IDENTITY_ATTRS) if (attrs[k] !== void 0) identity[k] = attrs[k];
+    const owner = OWNER_TAGS.map((k) => attrs.tags?.[k]).find((v) => typeof v === "string");
+    nodes.push({
+      id,
+      type: nt,
+      name: address,
+      discoveredVia: "terraform-state",
+      confidence: 0.9,
+      // IaC is authoritative declared intent.
+      metadata: redactValue(identity),
+      tags: attrTags(attrs.tags),
+      ...owner ? { owner } : {}
+    });
+  }
+  for (const raw of resources) {
+    const r = raw;
+    if (r.mode && r.mode !== "managed") continue;
+    if (typeof r.type !== "string" || typeof r.name !== "string") continue;
+    const srcId = addrToId.get(`${r.type}.${r.name}`);
+    if (!srcId) continue;
+    const inst = Array.isArray(r.instances) ? r.instances[0] : void 0;
+    const deps = Array.isArray(inst?.dependencies) ? inst.dependencies : [];
+    for (const dep of deps) {
+      if (typeof dep !== "string") continue;
+      const tgtId = addrToId.get(dep) ?? addrToId.get(dep.split("[")[0]);
+      if (!tgtId || tgtId === srcId) continue;
+      edges.push({ sourceId: srcId, targetId: tgtId, relationship: "depends_on", evidence: evidenceLine("config-declared", `terraform depends_on ${dep}`), confidence: 0.85 });
+    }
+  }
+  return { nodes, edges };
+}
+function stateDirs() {
+  return [".", "./terraform", "./infra", "./infrastructure", "./deploy", "./terraform/environments"];
+}
+function hintPath(hint) {
+  if (!hint) return void 0;
+  const m = /(?:^|[\s,])tfstate=([^\s,]+)/.exec(hint);
+  return m ? m[1] : void 0;
+}
+function resolveStatePath(ctx) {
+  const explicit = hintPath(ctx.hint);
+  if (explicit) return explicit;
+  const found = (ctx.findFiles ?? findFiles)(stateDirs(), ["*.tfstate"], 4, 20).split(/\r?\n/).map((s) => s.trim()).filter(Boolean);
+  return found[0];
+}
+function readStateFile(path) {
+  try {
+    return (0, import_node_fs5.readFileSync)(path, "utf8");
+  } catch {
+    return "";
+  }
+}
+var terraformScanner = {
+  id: "terraform-state",
+  title: "Terraform state (IaC)",
+  platforms: "all",
+  // No shell commands — the state file is read directly via node:fs, so an
+  // operator-supplied path can never inject a command (no `cat "${path}"` interpolation).
+  detect(ctx) {
+    return resolveStatePath(ctx) !== void 0;
+  },
+  async scan(ctx) {
+    const path = resolveStatePath(ctx);
+    if (!path) return { nodes: [], edges: [] };
+    const json2 = (ctx.readFile ?? readStateFile)(path);
+    if (!json2) return { nodes: [], edges: [] };
+    const result = parseTerraformState(json2);
+    return { ...result, report: `terraform-state: ${result.nodes.length} resources, ${result.edges.length} dependencies from ${path}` };
+  }
+};
+
 // src/scanners/registry.ts
 function defaultRegistry() {
-  return new ScannerRegistry().register(bookmarksScanner).register(installedAppsScanner).register(portsScanner).register(cloudAwsScanner).register(cloudGcpScanner).register(cloudAzureScanner).register(k8sScanner).register(databasesScanner).register(connectionsScanner).register(serviceConfigScanner);
+  return new ScannerRegistry().register(bookmarksScanner).register(installedAppsScanner).register(portsScanner).register(cloudAwsScanner).register(cloudGcpScanner).register(cloudAzureScanner).register(k8sScanner).register(databasesScanner).register(connectionsScanner).register(serviceConfigScanner).register(terraformScanner);
 }
 
 // src/scanners/loader.ts
@@ -8907,14 +9182,14 @@ var AuthConfigSchema = import_zod9.z.object({
 });
 
 // src/api/start.ts
-var import_node_fs5 = require("fs");
+var import_node_fs6 = require("fs");
 var import_node_path5 = require("path");
 var import_node_url = require("url");
 var import_meta = {};
 function readVersion() {
   try {
     const dir = import_meta.dirname ?? (0, import_node_path5.dirname)((0, import_node_url.fileURLToPath)(import_meta.url));
-    return JSON.parse((0, import_node_fs5.readFileSync)((0, import_node_path5.resolve)(dir, "..", "package.json"), "utf-8")).version ?? "0.0.0";
+    return JSON.parse((0, import_node_fs6.readFileSync)((0, import_node_path5.resolve)(dir, "..", "package.json"), "utf-8")).version ?? "0.0.0";
   } catch {
     return "0.0.0";
   }
@@ -9045,7 +9320,7 @@ function defaultServerEntry(opts = {}) {
 }
 
 // src/installer/install.ts
-var import_node_fs6 = require("fs");
+var import_node_fs7 = require("fs");
 var import_node_path6 = require("path");
 var import_node_os4 = require("os");
 function currentOs() {
@@ -9061,8 +9336,8 @@ function planInstall(spec, ctx, opts) {
   if (!path) {
     throw new Error(`${spec.label} does not support the "${ctx.scope}" scope.`);
   }
-  const fileExists = (0, import_node_fs6.existsSync)(path);
-  const before = fileExists ? (0, import_node_fs6.readFileSync)(path, "utf8") : "";
+  const fileExists = (0, import_node_fs7.existsSync)(path);
+  const before = fileExists ? (0, import_node_fs7.readFileSync)(path, "utf8") : "";
   const existing = parseConfig(before, spec.format);
   const merged = spec.apply(existing, opts.serverName ?? DEFAULT_SERVER_NAME, opts.entry);
   const after = serializeConfig(merged, spec.format);
@@ -9079,8 +9354,8 @@ function planInstall(spec, ctx, opts) {
   };
 }
 function applyInstall(plan) {
-  (0, import_node_fs6.mkdirSync)((0, import_node_path6.dirname)(plan.path), { recursive: true });
-  (0, import_node_fs6.writeFileSync)(plan.path, plan.after, "utf8");
+  (0, import_node_fs7.mkdirSync)((0, import_node_path6.dirname)(plan.path), { recursive: true });
+  (0, import_node_fs7.writeFileSync)(plan.path, plan.after, "utf8");
 }
 function renderDiff(before, after) {
   if (before === after) return "  (no changes)";
@@ -9928,7 +10203,7 @@ Use ask_user when you need context from the user.`;
 }
 
 // src/cost.ts
-var import_node_fs7 = require("fs");
+var import_node_fs8 = require("fs");
 var import_node_path8 = require("path");
 function splitCsvLine(line) {
   const out = [];
@@ -10007,7 +10282,7 @@ var CsvCostSource = class {
   }
   id;
   async fetch() {
-    const text = (0, import_node_fs7.readFileSync)((0, import_node_path8.resolve)(this.opts.filePath), "utf-8");
+    const text = (0, import_node_fs8.readFileSync)((0, import_node_path8.resolve)(this.opts.filePath), "utf-8");
     const records = parseCostCsv(text);
     const match = this.opts.match ?? "nodeId";
     const out = /* @__PURE__ */ new Map();
@@ -10049,7 +10324,7 @@ async function enrichCosts(db, sessionId, source) {
 }
 
 // src/exporter.ts
-var import_node_fs8 = require("fs");
+var import_node_fs9 = require("fs");
 var import_node_path9 = require("path");
 
 // src/hex.ts
@@ -11719,28 +11994,28 @@ function exportComplianceReport(report, format) {
   return lines.join("\n");
 }
 function exportAll(db, sessionId, outputDir, formats = ["mermaid", "json", "yaml", "html", "map", "discovery"]) {
-  (0, import_node_fs8.mkdirSync)(outputDir, { recursive: true });
+  (0, import_node_fs9.mkdirSync)(outputDir, { recursive: true });
   const nodes = db.getNodes(sessionId);
   const edges = db.getEdges(sessionId);
   const jgfPath = (0, import_node_path9.join)(outputDir, "cartography-graph.jgf.json");
-  (0, import_node_fs8.writeFileSync)(jgfPath, exportJGF(nodes, edges));
+  (0, import_node_fs9.writeFileSync)(jgfPath, exportJGF(nodes, edges));
   if (formats.includes("mermaid")) {
-    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "topology.mermaid"), generateTopologyMermaid(nodes, edges));
-    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "dependencies.mermaid"), generateDependencyMermaid(nodes, edges));
+    (0, import_node_fs9.writeFileSync)((0, import_node_path9.join)(outputDir, "topology.mermaid"), generateTopologyMermaid(nodes, edges));
+    (0, import_node_fs9.writeFileSync)((0, import_node_path9.join)(outputDir, "dependencies.mermaid"), generateDependencyMermaid(nodes, edges));
   }
   if (formats.includes("json")) {
-    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "catalog.json"), exportJSON(db, sessionId));
+    (0, import_node_fs9.writeFileSync)((0, import_node_path9.join)(outputDir, "catalog.json"), exportJSON(db, sessionId));
   }
   if (formats.includes("yaml")) {
-    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "catalog-info.yaml"), exportBackstageYAML(nodes, edges));
+    (0, import_node_fs9.writeFileSync)((0, import_node_path9.join)(outputDir, "catalog-info.yaml"), exportBackstageYAML(nodes, edges));
   }
   if (formats.includes("html") || formats.includes("map") || formats.includes("discovery")) {
-    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "discovery.html"), exportDiscoveryApp(nodes, edges));
+    (0, import_node_fs9.writeFileSync)((0, import_node_path9.join)(outputDir, "discovery.html"), exportDiscoveryApp(nodes, edges));
   }
   if (formats.includes("cost")) {
     const summary = db.getGraphSummary(sessionId);
-    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "cost-by-domain.csv"), exportCostCSV(summary));
-    (0, import_node_fs8.writeFileSync)((0, import_node_path9.join)(outputDir, "cost-summary.json"), exportCostSummary(summary));
+    (0, import_node_fs9.writeFileSync)((0, import_node_path9.join)(outputDir, "cost-by-domain.csv"), exportCostCSV(summary));
+    (0, import_node_fs9.writeFileSync)((0, import_node_path9.join)(outputDir, "cost-summary.json"), exportCostSummary(summary));
   }
 }
 
@@ -11772,7 +12047,7 @@ function formatComplianceText(report) {
 }
 
 // src/config.ts
-var import_node_fs9 = require("fs");
+var import_node_fs10 = require("fs");
 var ConfigError = class extends Error {
   constructor(message) {
     super(message);
@@ -11797,7 +12072,7 @@ function loadConfig(path) {
 function readConfigFile(path) {
   let raw;
   try {
-    raw = (0, import_node_fs9.readFileSync)(path, "utf-8");
+    raw = (0, import_node_fs10.readFileSync)(path, "utf-8");
   } catch (err) {
     throw new ConfigError(
       `Cannot read config file ${path}: ${err instanceof Error ? err.message : String(err)}`
@@ -12155,14 +12430,14 @@ function runSyncClassify(db, sessionId, config, opts = {}) {
 
 // src/preflight.ts
 var import_node_child_process2 = require("child_process");
-var import_node_fs10 = require("fs");
+var import_node_fs11 = require("fs");
 var import_node_path10 = require("path");
 function isOAuthLoggedIn() {
   const home = process.env.HOME ?? process.env.USERPROFILE ?? "/tmp";
   const credFile = (0, import_node_path10.join)(home, ".claude", ".credentials.json");
-  if (!(0, import_node_fs10.existsSync)(credFile)) return false;
+  if (!(0, import_node_fs11.existsSync)(credFile)) return false;
   try {
-    const creds = JSON.parse((0, import_node_fs10.readFileSync)(credFile, "utf8"));
+    const creds = JSON.parse((0, import_node_fs11.readFileSync)(credFile, "utf8"));
     const oauth = creds["claudeAiOauth"];
     return typeof oauth?.["accessToken"] === "string" && oauth["accessToken"].length > 0;
   } catch {
@@ -12220,6 +12495,7 @@ function checkClaudePrerequisites() {
   AuthorizationError,
   CLIENTS,
   CONFIDENCE,
+  CORRELATION_CONFIDENCE,
   CartographyDB,
   ComplianceReportSchema,
   ComplianceRuleSchema,
@@ -12306,6 +12582,7 @@ function checkClaudePrerequisites() {
   computeIdentity,
   connectionsScanner,
   contentHash,
+  correlateTopology,
   createBashTool,
   createCartographyTools,
   createClaudeProvider,
@@ -12353,6 +12630,7 @@ function checkClaudePrerequisites() {
   exportJGF,
   exportJSON,
   extractListeningPorts,
+  extractSignals,
   filterBySeverity,
   findAnonViolations,
   formatComplianceText,
@@ -12419,6 +12697,7 @@ function checkClaudePrerequisites() {
   parseNginxUpstreams,
   parseNlQuery,
   parseScanHint,
+  parseTerraformState,
   pixelToHex,
   planInstall,
   portsScanner,
@@ -12468,6 +12747,8 @@ function checkClaudePrerequisites() {
   stableStringify,
   startApi,
   stripSensitive,
+  terraformScanner,
+  terraformTypeToNode,
   timingSafeEqual,
   toBackstageEntities,
   validateScanner,