blackveil-dns 2.10.16 → 2.12.0

package/.claude/settings.json

@@ -0,0 +1,61 @@
+{
+  "hooks": {
+    "PostToolUse": [
+      {
+        "matcher": "Write|Edit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "jq -r '.tool_input.file_path // .tool_response.filePath // empty' | { read -r f; case \"$f\" in *.ts) npx eslint --no-error-on-unmatched-pattern \"$f\" 2>/dev/null || true;; esac; }",
+            "timeout": 15,
+            "statusMessage": "Linting..."
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "if": "Bash(git commit:*)",
+            "command": "node -e \"const p=require('./package.json');const s=require('fs').readFileSync('src/lib/server-version.ts','utf8');const m=s.match(/SERVER_VERSION = '([^']+)'/);if(!m){console.log(JSON.stringify({systemMessage:'WARNING: Cannot parse SERVER_VERSION from src/lib/server-version.ts'}));}else if(p.version!==m[1]){console.log(JSON.stringify({continue:false,stopReason:'Version mismatch: package.json='+p.version+' server-version.ts='+m[1]+'. Fix with: npm version '+m[1]+' --no-git-tag-version'}));}\"",
+            "timeout": 5,
+            "statusMessage": "Checking version sync..."
+          },
+          {
+            "type": "command",
+            "if": "Bash(git commit:*)",
+            "command": "node -e \"const fs=require('fs');const a=fs.readFileSync('src/schemas/tool-args.ts','utf8');const d=fs.readFileSync('src/schemas/tool-definitions.ts','utf8');const sb=a.match(/TOOL_SCHEMA_MAP[^{]*\\{([^}]+)\\}/s)?.[1]||'';const sk=[...sb.matchAll(/^\\t(\\w+):/gm)].map(m=>m[1]);const db=d.match(/TOOL_DEFS[^{]*\\{([\\s\\S]+?)^\\};/m)?.[1]||'';const dk=[...db.matchAll(/^\\t(\\w+):\\s*\\{$/gm)].map(m=>m[1]);const ds=new Set(dk);const ss=new Set(sk);const md=sk.filter(k=>!ds.has(k));const ms=dk.filter(k=>!ss.has(k));if(md.length||ms.length){const msg=[];if(md.length)msg.push('In TOOL_SCHEMA_MAP but not TOOL_DEFS: '+md.join(', '));if(ms.length)msg.push('In TOOL_DEFS but not TOOL_SCHEMA_MAP: '+ms.join(', '));console.log(JSON.stringify({continue:false,stopReason:msg.join('. ')}));}\"",
+            "timeout": 5,
+            "statusMessage": "Checking tool definition sync..."
+          }
+        ]
+      }
+    ],
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "if": "Bash(git add -A:*)",
+            "command": "echo '{\"continue\":false,\"stopReason\":\"Use specific file paths with git add instead of -A to avoid staging sensitive files.\"}'",
+            "timeout": 2
+          },
+          {
+            "type": "command",
+            "if": "Bash(git add .:*)",
+            "command": "echo '{\"continue\":false,\"stopReason\":\"Use specific file paths with git add instead of . to avoid staging sensitive files.\"}'",
+            "timeout": 2
+          },
+          {
+            "type": "command",
+            "if": "Bash(git push --force:*)",
+            "command": "echo '{\"continue\":false,\"stopReason\":\"Force push blocked. This rewrites history and breaks clones/forks. Use git push (without --force) or discuss with the user first.\"}'",
+            "timeout": 2
+          }
+        ]
+      }
+    ]
+  }
+}

package/.cursorrules

@@ -0,0 +1 @@
+Always use the bv-context-engine MCP's codebase_search tool for any semantic search or architectural exploration. Prioritize this over grep to minimize context usage.

package/.devcontainer/Dockerfile

@@ -0,0 +1,17 @@
+# bv-mcp DevContainer for Cloudflare Workers
+FROM mcr.microsoft.com/devcontainers/typescript-node:latest
+
+# Install Wrangler CLI globally
+RUN npm install -g wrangler@latest
+
+# Install Vitest and Cloudflare pool workers for testing
+RUN npm install -g vitest @cloudflare/vitest-pool-workers
+
+# Set working directory
+WORKDIR /workspace
+
+# Install additional tools (optional)
+RUN apt-get update && apt-get install -y git curl
+
+# Default shell
+CMD ["zsh"]

package/.devcontainer/devcontainer.json

@@ -0,0 +1,18 @@
+{
+  "name": "bv-mcp Cloudflare Worker DevContainer",
+  "build": {
+    "dockerfile": "Dockerfile"
+  },
+  "postCreateCommand": "npm install",
+  "forwardPorts": [8787],
+  "features": {},
+  "settings": {
+    "terminal.integrated.defaultProfile.linux": "zsh"
+  },
+  "extensions": [
+    "esbenp.prettier-vscode",
+    "dbaeumer.vscode-eslint",
+    "cloudflare.cloudflare-vscode",
+    "ms-vscode.vscode-typescript-next"
+  ]
+}

package/.editorconfig

@@ -0,0 +1,12 @@
+# http://editorconfig.org
+root = true
+
+[*]
+indent_style = tab
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.yml]
+indent_style = space

package/.gitattributes

@@ -0,0 +1,24 @@
+# Auto detect text files and normalise line endings to LF
+* text=auto eol=lf
+
+# Explicit text files
+*.ts text eol=lf
+*.js text eol=lf
+*.json text eol=lf
+*.jsonc text eol=lf
+*.md text eol=lf
+*.yml text eol=lf
+*.yaml text eol=lf
+*.html text eol=lf
+*.css text eol=lf
+*.sh text eol=lf
+
+# Denote binary files that should not be modified
+*.png binary
+*.jpg binary
+*.ico binary
+*.woff binary
+*.woff2 binary
+
+# Keep lock file line endings consistent
+package-lock.json text eol=lf

package/.githooks/blocked-patterns

@@ -0,0 +1,13 @@
+# IP leakage patterns for pre-commit hook
+#
+# This file has been moved to .dev/blocked-patterns (gitignored) to avoid
+# exposing internal hostnames and infrastructure identifiers in the public repo.
+#
+# To set up: copy .dev/blocked-patterns.example to .dev/blocked-patterns
+# and add your organization-specific patterns.
+#
+# Each line is an extended regex. Lines starting with # are ignored.
+# Example patterns:
+#   internal\.example\.com
+#   @my-org/
+#   deploy\.jsonc

package/.githooks/pre-commit

@@ -0,0 +1,127 @@
+#!/usr/bin/env bash
+# Pre-commit hook: block sensitive paths, scan for secrets/PII, catch IP leakage patterns
+set -euo pipefail
+
+# ──�� 1. Blocked paths ──────────────────────────────���─────────────────
+BLOCKED_PATTERNS=(
+  "docs/plans/"
+  "docs/code-review/"
+  "docs/superpowers/"
+  "docs/github-settings.md"
+  "docs/hn-show-post-draft.md"
+  "docs/mcp-directory-submissions.md"
+  "docs/enterprise-architecture.md"
+  ".dev/"
+  "*.env"
+  "*.env.*"
+)
+
+# Generated/compiled files that must never be committed
+GENERATED_PATTERNS=(
+  "*.pyc"
+  "__pycache__/"
+  "worker-configuration.d.ts"
+  "*.wasm"
+  "*.sqlite"
+  "*.sqlite3"
+  "*.db"
+)
+
+staged=$(git diff --cached --name-only --diff-filter=ACR)
+blocked=""
+
+for file in $staged; do
+  for pattern in "${BLOCKED_PATTERNS[@]}"; do
+    case "$file" in
+      $pattern*|*/$pattern*)
+        blocked="$blocked\n  $file"
+        ;;
+    esac
+  done
+done
+
+if [ -n "$blocked" ]; then
+  echo "BLOCKED: The following staged files are in protected paths:"
+  echo -e "$blocked"
+  echo ""
+  echo "These paths contain sensitive content and must not be committed."
+  echo "If this is intentional, use: git commit --no-verify"
+  exit 1
+fi
+
+# ─── 1b. Generated/compiled files ────────────────────────────────────
+generated=""
+for file in $staged; do
+  for pattern in "${GENERATED_PATTERNS[@]}"; do
+    case "$file" in
+      $pattern|*/$pattern|*.$pattern)
+        generated="$generated\n  $file"
+        ;;
+    esac
+    # Also check by extension for glob patterns like *.pyc
+    case "$pattern" in
+      \*.*)
+        ext="${pattern#\*}"
+        case "$file" in
+          *"$ext")
+            generated="$generated\n  $file"
+            ;;
+        esac
+        ;;
+    esac
+  done
+done
+
+# Deduplicate
+if [ -n "$generated" ]; then
+  generated=$(echo -e "$generated" | sort -u)
+  echo "BLOCKED: Generated/compiled files should not be committed:"
+  echo -e "$generated"
+  echo ""
+  echo "These are build artifacts. Add them to .gitignore instead."
+  echo "To remove from staging: git restore --staged <file>"
+  exit 1
+fi
+
+# ─── 2. Gitleaks (secrets + PII) ──────���──────────────────────────────
+if command -v gitleaks &>/dev/null; then
+  gitleaks protect --staged --config .gitleaks.toml --no-banner 2>&1 | head -20
+  if [ "${PIPESTATUS[0]}" -ne 0 ]; then
+    echo ""
+    echo "Gitleaks found secrets or PII in staged changes."
+    echo "Fix the findings above, or bypass with: git commit --no-verify"
+    exit 1
+  fi
+fi
+
+# ─── 3. IP leakage patterns ─────────��────────────────────────────────
+# Patterns loaded from external file to avoid self-matching.
+# Each line is an extended regex pattern. Lines starting with # are ignored.
+# Loaded from .dev/ (gitignored) to avoid exposing internal hostnames in the public repo.
+PATTERNS_FILE="$(git rev-parse --show-toplevel)/.dev/blocked-patterns"
+
+if [ ! -f "$PATTERNS_FILE" ]; then
+  exit 0
+fi
+
+diff_content=$(git diff --cached --diff-filter=ACM -U0 -- ':!.githooks/' ':!.gitleaks.toml' | grep '^+' | grep -v '^+++' || true)
+
+if [ -n "$diff_content" ]; then
+  ip_found=""
+  while IFS= read -r pattern; do
+    [[ "$pattern" =~ ^#.*$ || -z "$pattern" ]] && continue
+    matches=$(echo "$diff_content" | grep -iE "$pattern" || true)
+    if [ -n "$matches" ]; then
+      ip_found="$ip_found\n  Pattern: $pattern\n$matches\n"
+    fi
+  done < "$PATTERNS_FILE"
+
+  if [ -n "$ip_found" ]; then
+    echo "BLOCKED: IP leakage patterns detected in staged changes:"
+    echo -e "$ip_found"
+    echo "These patterns indicate internal infrastructure, customer data,"
+    echo "or proprietary information that should not be in a public repo."
+    echo "If this is intentional, use: git commit --no-verify"
+    exit 1
+  fi
+fi

package/.github/CODEOWNERS

@@ -0,0 +1,11 @@
+# Baseline CODEOWNERS for bv-mcp
+
+* @blackveil-security/engineering
+
+# Core scanner and protocol behavior
+src/ @blackveil-security/security-team
+packages/ @blackveil-security/security-team
+
+# CI/CD and release surface
+.github/workflows/ @blackveil-security/devops
+package.json @blackveil-security/devops

package/.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,99 @@
+name: Bug report
+description: Report a reproducible bug in Blackveil DNS
+title: "[BUG]: "
+labels: []
+assignees: []
+body:
+  - type: textarea
+    id: bug
+    attributes:
+      label: Describe the bug
+      description: Clear and concise summary of the problem.
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to reproduce
+      value: |
+        1.
+        2.
+        3.
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+    validations:
+      required: true
+
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual behavior
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: precheck
+    attributes:
+      label: Pre-submission checklist
+      options:
+        - label: I searched existing issues for duplicates.
+          required: true
+        - label: I confirmed this on the latest `main` branch or latest release.
+          required: true
+        - label: I redacted any secrets, tokens, and sensitive domains.
+          required: true
+
+  - type: textarea
+    id: request
+    attributes:
+      label: MCP request payload used
+      description: Paste JSON-RPC request body (redacted as needed).
+      render: json
+
+  - type: textarea
+    id: response
+    attributes:
+      label: Error response or logs
+      description: Paste relevant worker logs, stack traces, and error output.
+
+  - type: dropdown
+    id: auth_mode
+    attributes:
+      label: Authentication mode
+      options:
+        - Open mode (no BV_API_KEY)
+        - Bearer auth enabled (BV_API_KEY set)
+    validations:
+      required: true
+
+  - type: input
+    id: endpoint
+    attributes:
+      label: Endpoint type
+      placeholder: hosted / localhost
+
+  - type: input
+    id: os
+    attributes:
+      label: OS and version
+      placeholder: e.g. macOS 26.2
+    validations:
+      required: true
+
+  - type: textarea
+    id: client
+    attributes:
+      label: MCP client details
+      description: Client name/version (Claude, Copilot, Cursor, etc.) and how it was configured.
+
+  - type: textarea
+    id: additional
+    attributes:
+      label: Additional context
+      description: Any extra details that may help diagnose the issue.

package/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,11 @@
+blank_issues_enabled: false
+contact_links:
+  - name: 💬 Community Discussion / Q&A
+    url: https://github.com/MadaBurns/bv-mcp/discussions
+    about: Questions, ideas, or general discussion — not a bug report.
+  - name: 🔒 Security vulnerability
+    url: https://github.com/MadaBurns/bv-mcp/security/advisories/new
+    about: Report a security vulnerability privately. Do NOT open a public issue for security bugs.
+  - name: ⚠️ Vendor pitch / partnership outreach
+    url: https://blackveilsecurity.com
+    about: Product integrations, partnership proposals, or marketing outreach belong in email — not the issue tracker. Issues matching promotional patterns will be auto-labeled.

package/.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,51 @@
+name: Feature request
+description: Suggest a new feature or improvement
+title: "[FEATURE]: "
+labels: []
+assignees: []
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem statement
+      description: What problem are you trying to solve?
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: What behavior should be added or changed?
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Any alternatives or workarounds you've tried.
+
+  - type: checkboxes
+    id: impact
+    attributes:
+      label: Impact areas
+      options:
+        - label: MCP tool schema/API surface
+        - label: Scoring/reporting behavior
+        - label: Security hardening
+        - label: Performance/cache/rate limiting
+        - label: Documentation/developer experience
+
+  - type: textarea
+    id: examples
+    attributes:
+      label: Example request/response
+      description: If applicable, include sample MCP request/response that illustrates the need.
+      render: json
+
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: Links, screenshots, prior art, or implementation notes.

package/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,30 @@
+## Summary
+
+<!-- Brief description of what this PR does and why -->
+
+## Type of change
+
+- [ ] Bug fix
+- [ ] New feature
+- [ ] Security fix
+- [ ] Refactor / cleanup
+- [ ] Documentation
+- [ ] CI / tooling
+
+## Security impact
+
+<!-- Does this PR touch auth, validation, rate limiting, sanitization, or error handling? If yes, describe the changes and any implications. If no, write "None". -->
+
+## Test plan
+
+- [ ] Unit tests added / updated
+- [ ] Manual testing performed
+- [ ] `npm test` passes
+- [ ] `npm run typecheck` passes
+
+## Checklist
+
+- [ ] Changes follow existing code conventions
+- [ ] No secrets, credentials, or internal references included
+- [ ] Error messages follow the safe-prefix convention (see CLAUDE.md)
+- [ ] New tool? Followed the "Adding a New Tool" checklist in CLAUDE.md

package/.github/copilot-instructions.md

@@ -0,0 +1,73 @@
+# Project Guidelines
+
+## Build and Test
+- Install dependencies: npm install
+- Build package and CLI bundle: npm run build
+- Build subpackage: npm -w packages/dns-checks run build
+- Run local dev server: npm run dev
+- Run tests (Workers runtime): npm test
+- Run subpackage tests: npm -w packages/dns-checks run test
+- Run single test file: npx vitest run test/check-spf.spec.ts
+- Run chaos test (all 9 MCP client types): python3 scripts/chaos/chaos-test-clients.py
+- Typecheck: npm run typecheck
+- Typecheck subpackage: npm -w packages/dns-checks run typecheck
+- Lint: npm run lint
+- Auto-fix lint issues: npm run lint:fix
+- Enable pre-commit hooks: git config core.hooksPath .githooks
+- Deploy private worker config: npm run deploy:private
+
+## Runtime and Code Style
+- Target Cloudflare Workers APIs only. Do not use Node-only APIs in runtime code.
+- Keep TypeScript strict and preserve existing module/isolatedModules patterns.
+- WASM Policy Engine: Integrated `bv-wasm-core` for high-performance, tamper-resistant permission checks and token estimation.
+- For findings/results, use createFinding() and buildCheckResult() from src/lib/scoring.ts rather than manual object construction.
+- Validate and normalize all domain input with validateDomain() and sanitizeDomain() from src/lib/sanitize.ts.
+- Keep changes minimal and avoid unrelated refactors.
+
+## Architecture
+- HTTP entrypoint and middleware: src/index.ts
+- Internal service binding routes: src/internal.ts
+- Shared MCP execution flow: src/mcp/execute.ts and src/mcp/dispatch.ts
+- Tool handlers and schemas: src/handlers/tools.ts and src/handlers/tool-schemas.ts
+- Individual DNS checks: src/tools/check-*.ts
+- Parallel orchestration and scoring output: src/tools/scan-domain.ts
+- Core DNS/cache/session/rate-limit utilities: src/lib/
+- Monorepo structure: Root Cloudflare Worker + packages/dns-checks runtime-agnostic subpackage
+
+## Project Conventions
+- Keep versions synchronized between package.json version and src/lib/server-version.ts SERVER_VERSION.
+- Error messages intended for clients must start with safe prefixes (for example: Missing required, Invalid, Domain validation failed, Resource not found).
+- Rate limiting for MCP should return HTTP 429 with JSON-RPC error code -32029.
+- Respect output format behavior:
+  - format=compact for interactive clients
+  - format=full for non-interactive clients
+- scan is a supported alias for scan_domain.
+
+## Caching and Performance
+- Per-check cache key pattern: cache:<domain>:check:<name>
+- Scan-level cache key pattern: cache:<domain>
+- Profile cache key pattern: cache:<domain>:profile:<profile>
+- For force_refresh flows, propagate skipCache through runWithCache().
+
+## Testing Patterns
+- Use test/helpers/dns-mock.ts utilities for DNS mocking.
+- Restore fetch mocks in afterEach.
+- In tests that need mock isolation for check_mx, use dynamic imports inside test bodies.
+- Clear both scan-level and per-check cache entries between relevant test cases.
+- Chaos testing: Run `python3 scripts/chaos/chaos-test-clients.py` to validate behavior across all 9 MCP client types.
+
+## Security and Internal Routes
+- Keep SSRF protections and domain sanitization paths intact.
+- Public traffic must not access /internal/* routes.
+- Do not expose secrets in code, logs, or committed files.
+- Do not hardcode API keys in scripts or client config examples; load from environment variables (for example `BV_API_KEY`).
+
+## Documentation Map (Link, Do Not Duplicate)
+- Canonical architecture and repository conventions: CLAUDE.md
+- User-facing overview and quick start: README.md
+- Contributor workflow and expectations: CONTRIBUTING.md
+- Client setup and transport details: docs/client-setup.md
+- Scoring model details: docs/scoring.md
+- Enterprise architecture notes: docs/enterprise-architecture.md
+- Troubleshooting guide: docs/troubleshooting.md
+- Security policy and disclosure process: SECURITY.md

package/.github/dependabot.yml

@@ -0,0 +1,22 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+    groups:
+      cloudflare:
+        patterns:
+          - "@cloudflare/*"
+          - "wrangler"
+      vitest:
+        patterns:
+          - "vitest"
+          - "@vitest/*"
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5

package/.github/instructions/scan-orchestration.instructions.md

@@ -0,0 +1,56 @@
+---
+description: Use when modifying scan_domain orchestration, maturity staging, post-processing adjustments, partial timeout handling, or scan report formatting in this repository.
+name: Scan Orchestration
+applyTo: src/tools/scan-domain.ts
+---
+# Scan Orchestration
+
+## Parallel execution
+
+`scan_domain` runs **16 checks** in parallel via `Promise.allSettled`:
+`checkSpf`, `checkDmarc`, `checkDkim`, `checkDnssec`, `checkSsl`, `checkMtaSts`, `checkNs`, `checkCaa`, `checkBimi`, `checkTlsrpt`, `checkSubdomainTakeover`, `checkMx`, `checkHttpSecurity`, `checkDane`, `checkDaneHttps`, `checkSvcbHttps`, `checkSubdomailing`
+
+All checks are **static imports** — no dynamic imports in scan context (unlike `check_mx` in `handlers/tools.ts`).
+
+## Timeouts and partial results
+
+- Per-check timeout: `PER_CHECK_TIMEOUT_MS = 8_000` (8s)
+- Total scan timeout: `SCAN_TIMEOUT_MS = 12_000` (12s)
+- Completed checks are preserved on timeout; missing checks get timeout findings
+- Scan context skips secondary DNS confirmation for speed
+
+## Post-processing adjustments
+
+`applyScanPostProcessing()` in `src/tools/scan/post-processing.ts` applies three adjustments after all checks complete:
+
+1. **Non-mail domains** (no MX): queries parent DMARC `sp=`/`p=` → downgrades email-auth findings to `info`
+2. **No-send signal** (SPF `noSendPolicy` metadata): downgrades DKIM/MTA-STS/BIMI missing-record findings to `info`
+3. **BIMI**: rewritten for non-mail domains
+
+## Maturity staging
+
+`computeMaturityStage()` in `src/tools/scan/maturity-staging.ts` classifies domains into stages 0-4:
+- Stage 0: Unprotected
+- Stage 1-2: Basic/Configured
+- Stage 3: Enforcing (does not require DKIM)
+- Stage 4: Hardened (requires CAA + DKIM-discovered + BIMI + DANE + MTA-STS strict)
+
+`capMaturityStage()` applies score-based caps: F (<50) → max Stage 2, D/D+ (<63) → max Stage 3.
+
+## Caching
+
+- Each check cached at `cache:<domain>:check:<name>` (5 min default, `cacheTtlSeconds` override)
+- Top-level scan cached at `cache:<domain>`
+- Profile-specific: `cache:<domain>:profile:<profile>`
+- `force_refresh` propagates via `skipCache` in `runWithCache()`
+
+## Output structure
+
+- `formatScanReport()` in `src/tools/scan/format-report.ts` → human-readable text
+- `buildToolContent()` wraps text + structured JSON for `format=full` clients
+- `StructuredScanResult` interface defined in `src/tools/scan/format-report.ts`
+
+## Reference docs
+
+- Scoring model: [docs/scoring.md](../../docs/scoring.md)
+- Request flow: `src/index.ts` (Hono app) → `src/mcp/dispatch.ts` (JSON-RPC routing) → `src/handlers/tools.ts` (TOOL_REGISTRY) → individual checks under `src/tools/`. Trace the imports directly; the standalone architecture-diagram doc was removed in 2026-05-08 to keep this open-source repo focused on customer-facing material.