npm - k8s-av - Versions diffs - 1.0.0 - Mend

k8s-av 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (84) hide show

package/.env.example +18 -0
package/dist/cli/docker.d.ts +29 -0
package/dist/cli/docker.js +241 -0
package/dist/cli/index.d.ts +16 -0
package/dist/cli/index.js +155 -0
package/dist/cli/scan.d.ts +16 -0
package/dist/cli/scan.js +151 -0
package/dist/cli/start.d.ts +20 -0
package/dist/cli/start.js +261 -0
package/dist/core/attack-path.d.ts +26 -0
package/dist/core/attack-path.js +191 -0
package/dist/core/cve-enricher.d.ts +10 -0
package/dist/core/cve-enricher.js +175 -0
package/dist/core/fetcher.d.ts +26 -0
package/dist/core/fetcher.js +130 -0
package/dist/core/schema.d.ts +290 -0
package/dist/core/schema.js +125 -0
package/dist/core/transformer.d.ts +19 -0
package/dist/core/transformer.js +510 -0
package/dist/db/loader.d.ts +16 -0
package/dist/db/loader.js +261 -0
package/dist/db/neo4j-client.d.ts +35 -0
package/dist/db/neo4j-client.js +218 -0
package/dist/db/queries.d.ts +71 -0
package/dist/db/queries.js +290 -0
package/dist/db/test.d.ts +19 -0
package/dist/db/test.js +268 -0
package/dist/db/types.d.ts +137 -0
package/dist/db/types.js +37 -0
package/dist/schemas/index.d.ts +70 -0
package/dist/schemas/index.js +43 -0
package/dist/server/routes/blast.d.ts +3 -0
package/dist/server/routes/blast.js +44 -0
package/dist/server/routes/critical.d.ts +3 -0
package/dist/server/routes/critical.js +80 -0
package/dist/server/routes/cycles.d.ts +3 -0
package/dist/server/routes/cycles.js +41 -0
package/dist/server/routes/graph.d.ts +3 -0
package/dist/server/routes/graph.js +57 -0
package/dist/server/routes/ingest.d.ts +3 -0
package/dist/server/routes/ingest.js +82 -0
package/dist/server/routes/paths.d.ts +3 -0
package/dist/server/routes/paths.js +66 -0
package/dist/server/routes/report.d.ts +3 -0
package/dist/server/routes/report.js +47 -0
package/dist/server/routes/simulate.d.ts +3 -0
package/dist/server/routes/simulate.js +75 -0
package/dist/server/routes/vulnerabilities.d.ts +3 -0
package/dist/server/routes/vulnerabilities.js +129 -0
package/dist/server/server.d.ts +15 -0
package/dist/server/server.js +136 -0
package/dist/services/ingestion.service.d.ts +25 -0
package/dist/services/ingestion.service.js +100 -0
package/dist/services/report/formatter.d.ts +12 -0
package/dist/services/report/formatter.js +138 -0
package/dist/services/report/generator.d.ts +27 -0
package/dist/services/report/generator.js +68 -0
package/dist/services/risk-explainer.d.ts +67 -0
package/dist/services/risk-explainer.js +285 -0
package/docker/docker-compose.yml +66 -0
package/package.json +75 -0
package/ui/index.html +12 -0
package/ui/package-lock.json +3150 -0
package/ui/package.json +30 -0
package/ui/postcss.config.cjs +6 -0
package/ui/src/App.tsx +37 -0
package/ui/src/components/Box.tsx +33 -0
package/ui/src/components/DetailPanel.tsx +239 -0
package/ui/src/components/RiskBadge.tsx +38 -0
package/ui/src/components/Sidebar.tsx +107 -0
package/ui/src/components/graph/CustomNode.tsx +102 -0
package/ui/src/components/graph/GraphCanvas.tsx +174 -0
package/ui/src/index.css +48 -0
package/ui/src/lib/api.ts +161 -0
package/ui/src/main.tsx +10 -0
package/ui/src/store/useAppStore.ts +168 -0
package/ui/src/views/CriticalNodeView.tsx +150 -0
package/ui/src/views/OverviewView.tsx +76 -0
package/ui/src/views/PathsView.tsx +280 -0
package/ui/src/views/ReportView.tsx +367 -0
package/ui/src/views/VulnerabilitiesView.tsx +135 -0
package/ui/tailwind.config.ts +14 -0
package/ui/tsconfig.json +20 -0
package/ui/vite.config.ts +19 -0

package/.env.example ADDED Viewed

@@ -0,0 +1,18 @@
+# ── Neo4j ─────────────────────────────────────────────────────────────────────
+# Connection URL for the Neo4j Bolt protocol.
+# Default matches the docker/docker-compose.yml service.
+NEO4J_URI=bolt://localhost:7687
+# Credentials set via NEO4J_AUTH in docker-compose.yml
+NEO4J_USER=neo4j
+NEO4J_PASSWORD=password
+# ── Express server ─────────────────────────────────────────────────────────────
+PORT=3001
+# Allowed CORS origin (Vite dev server default)
+CORS_ORIGIN=http://localhost:5173
+# ── Optional ───────────────────────────────────────────────────────────────────
+# Set to a real kubeconfig path when using --source live
+# KUBECONFIG=/home/user/.kube/config

package/dist/cli/docker.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * docker.ts — Docker detection and Neo4j container lifecycle helpers.
+ *
+ * Used by the `start` and `ingest` CLI commands before they touch Neo4j.
+ * The `scan` command is Docker-free and never calls this module.
+ */
+declare const NEO4J_BOLT_PORT = 7687;
+declare const NEO4J_HTTP_PORT = 7474;
+export declare function checkDockerInstalled(): Promise<boolean>;
+export declare function checkDockerRunning(): Promise<boolean>;
+export declare function isNeo4jContainerRunning(): Promise<boolean>;
+export declare function startNeo4j(): Promise<void>;
+export declare function waitForNeo4j(timeoutMs?: number, pollMs?: number): Promise<void>;
+export interface PreflightResult {
+    ok: boolean;
+}
+/**
+ * Run the full Docker preflight:
+ *   1. Docker installed?
+ *   2. Docker daemon running?
+ *   3. Neo4j container up? (start it if not)
+ *   4. Neo4j accepting connections?
+ *
+ * Prints clear, actionable messages for every failure case.
+ * Never throws — returns { ok: false } so the caller can exit cleanly.
+ */
+export declare function runPreflight(): Promise<PreflightResult>;
+export { NEO4J_BOLT_PORT, NEO4J_HTTP_PORT };
+//# sourceMappingURL=docker.d.ts.map

package/dist/cli/docker.js ADDED Viewed

@@ -0,0 +1,241 @@
+"use strict";
+/**
+ * docker.ts — Docker detection and Neo4j container lifecycle helpers.
+ *
+ * Used by the `start` and `ingest` CLI commands before they touch Neo4j.
+ * The `scan` command is Docker-free and never calls this module.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NEO4J_HTTP_PORT = exports.NEO4J_BOLT_PORT = void 0;
+exports.checkDockerInstalled = checkDockerInstalled;
+exports.checkDockerRunning = checkDockerRunning;
+exports.isNeo4jContainerRunning = isNeo4jContainerRunning;
+exports.startNeo4j = startNeo4j;
+exports.waitForNeo4j = waitForNeo4j;
+exports.runPreflight = runPreflight;
+const child_process_1 = require("child_process");
+const path = __importStar(require("path"));
+const util = __importStar(require("util"));
+const exec = util.promisify(child_process_1.exec);
+// ─── Constants ───────────────────────────────────────────────────────────────
+const CONTAINER_NAME = 'k8s-attack-neo4j';
+const COMPOSE_DIR = path.resolve(__dirname, '..', '..', 'docker');
+const NEO4J_BOLT_PORT = 7687;
+exports.NEO4J_BOLT_PORT = NEO4J_BOLT_PORT;
+const NEO4J_HTTP_PORT = 7474;
+exports.NEO4J_HTTP_PORT = NEO4J_HTTP_PORT;
+// ─── Logging helpers ─────────────────────────────────────────────────────────
+const ok = (msg) => console.log(`  ✔  ${msg}`);
+const warn = (msg) => console.log(`  ⚠  ${msg}`);
+const fail = (msg) => console.error(`  ✖  ${msg}`);
+const info = (msg) => console.log(`     ${msg}`);
+const line = () => console.log('  ' + '─'.repeat(58));
+// ─────────────────────────────────────────────────────────────────────────────
+// PART 1 — Is Docker installed?
+// ─────────────────────────────────────────────────────────────────────────────
+async function checkDockerInstalled() {
+    try {
+        const { stdout } = await exec('docker --version');
+        const version = stdout.trim().split('\n')[0] ?? 'unknown';
+        ok(`Docker installed  (${version})`);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// PART 2 — Is the Docker daemon running?
+// ─────────────────────────────────────────────────────────────────────────────
+async function checkDockerRunning() {
+    try {
+        await exec('docker ps');
+        ok('Docker daemon is running');
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// PART 3 — Is the Neo4j container already up?
+// ─────────────────────────────────────────────────────────────────────────────
+async function isNeo4jContainerRunning() {
+    try {
+        const { stdout } = await exec(`docker inspect --format "{{.State.Running}}" ${CONTAINER_NAME}`);
+        return stdout.trim() === 'true';
+    }
+    catch {
+        return false;
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// PART 4 — Start Neo4j via docker-compose
+// ─────────────────────────────────────────────────────────────────────────────
+async function startNeo4j() {
+    return new Promise((resolve, reject) => {
+        const child = (0, child_process_1.spawn)('docker', ['compose', 'up', '-d', '--remove-orphans'], { cwd: COMPOSE_DIR, stdio: 'pipe', shell: process.platform === 'win32' });
+        let stderr = '';
+        child.stderr?.on('data', (d) => { stderr += d.toString(); });
+        child.once('close', (code) => {
+            if (code === 0) {
+                resolve();
+            }
+            else {
+                reject(new Error(`docker compose up failed (exit ${code}):\n${stderr.slice(0, 400)}`));
+            }
+        });
+        child.once('error', reject);
+    });
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// PART 5 — Poll until Neo4j Bolt port is accepting connections
+// ─────────────────────────────────────────────────────────────────────────────
+async function waitForNeo4j(timeoutMs = 120000, pollMs = 3000) {
+    const deadline = Date.now() + timeoutMs;
+    let attempt = 0;
+    while (Date.now() < deadline) {
+        attempt++;
+        try {
+            // Use `docker exec` to run a lightweight cypher-shell ping
+            await exec(`docker exec ${CONTAINER_NAME} cypher-shell -u neo4j -p password "RETURN 1" --format plain`);
+            return; // success
+        }
+        catch {
+            const remaining = Math.ceil((deadline - Date.now()) / 1000);
+            process.stdout.write(`\r     ⏳ Waiting for Neo4j... attempt ${attempt}  (${remaining}s left)  `);
+            await sleep(pollMs);
+        }
+    }
+    process.stdout.write('\n');
+    throw new Error(`Neo4j did not become ready within ${timeoutMs / 1000}s.\n` +
+        `  Check container logs: docker logs ${CONTAINER_NAME}`);
+}
+/**
+ * Run the full Docker preflight:
+ *   1. Docker installed?
+ *   2. Docker daemon running?
+ *   3. Neo4j container up? (start it if not)
+ *   4. Neo4j accepting connections?
+ *
+ * Prints clear, actionable messages for every failure case.
+ * Never throws — returns { ok: false } so the caller can exit cleanly.
+ */
+async function runPreflight() {
+    console.log('\n' + '─'.repeat(62));
+    console.log('  Docker & Neo4j Preflight');
+    console.log('─'.repeat(62));
+    // ── 1. Docker installed ───────────────────────────────────────────────────
+    const installed = await checkDockerInstalled();
+    if (!installed) {
+        fail('Docker is not installed.\n');
+        info('K8s-AV requires Docker to run Neo4j locally.');
+        info('');
+        info('  👉  Install Docker Desktop:');
+        info('      https://www.docker.com/products/docker-desktop/');
+        info('');
+        info('  After installing, start Docker Desktop and re-run:');
+        info('    npx k8s-av start');
+        info('');
+        info('  Or skip Neo4j and run in demo mode:');
+        info('    npx k8s-av start --mock');
+        line();
+        return { ok: false };
+    }
+    // ── 2. Docker daemon running ──────────────────────────────────────────────
+    const running = await checkDockerRunning();
+    if (!running) {
+        warn('Docker is installed but the daemon is not running.\n');
+        info('  Please start Docker Desktop and try again.');
+        info('');
+        info('  Once running, re-run:');
+        info('    npx k8s-av start');
+        info('');
+        info('  Or skip Neo4j and run in demo mode:');
+        info('    npx k8s-av start --mock');
+        line();
+        return { ok: false };
+    }
+    // ── 3. Neo4j container ───────────────────────────────────────────────────
+    const neo4jUp = await isNeo4jContainerRunning();
+    if (neo4jUp) {
+        ok(`Neo4j container running  (${CONTAINER_NAME})`);
+    }
+    else {
+        info(`Neo4j container not found — starting it now...`);
+        info(`  Working directory: ${COMPOSE_DIR}`);
+        try {
+            await startNeo4j();
+            ok('Neo4j container started');
+        }
+        catch (err) {
+            fail('Failed to start Neo4j container.\n');
+            info(`  ${err instanceof Error ? err.message : String(err)}`);
+            info('');
+            info('  Try starting it manually:');
+            info('    cd docker && docker compose up -d');
+            info('');
+            info('  Or run in demo mode (no Neo4j required):');
+            info('    npx k8s-av start --mock');
+            line();
+            return { ok: false };
+        }
+    }
+    // ── 4. Wait for Neo4j to be ready ────────────────────────────────────────
+    info(`Neo4j ports: Bolt :${NEO4J_BOLT_PORT}  Browser :${NEO4J_HTTP_PORT}`);
+    try {
+        await waitForNeo4j(120000);
+        process.stdout.write('\n'); // clear the spinner line
+        ok('Neo4j is ready');
+    }
+    catch (err) {
+        process.stdout.write('\n');
+        fail('Neo4j did not become ready in time.\n');
+        info(`  ${err instanceof Error ? err.message : String(err)}`);
+        info('');
+        info('  View logs:  docker logs ' + CONTAINER_NAME);
+        info('  Try again:  npx k8s-av start');
+        line();
+        return { ok: false };
+    }
+    line();
+    return { ok: true };
+}
+// ─── Utility ─────────────────────────────────────────────────────────────────
+function sleep(ms) {
+    return new Promise((r) => setTimeout(r, ms));
+}
+//# sourceMappingURL=docker.js.map

package/dist/cli/index.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+#!/usr/bin/env node
+/**
+ * Kubernetes Attack Path Visualizer — CLI Entry Point
+ *
+ * Commands:
+ *   scan    — fetch + transform + enrich → write cluster-graph.json  (no Neo4j)
+ *   ingest  — full pipeline: scan → load Neo4j → re-project GDS
+ *   report  — generate + print attack report from Neo4j
+ *
+ * Usage:
+ *   npx ts-node src/cli/index.ts scan   --mock
+ *   npx ts-node src/cli/index.ts ingest --source mock
+ *   npx ts-node src/cli/index.ts report --format text
+ */
+import 'dotenv/config';
+//# sourceMappingURL=index.d.ts.map

package/dist/cli/index.js ADDED Viewed

@@ -0,0 +1,155 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * Kubernetes Attack Path Visualizer — CLI Entry Point
+ *
+ * Commands:
+ *   scan    — fetch + transform + enrich → write cluster-graph.json  (no Neo4j)
+ *   ingest  — full pipeline: scan → load Neo4j → re-project GDS
+ *   report  — generate + print attack report from Neo4j
+ *
+ * Usage:
+ *   npx ts-node src/cli/index.ts scan   --mock
+ *   npx ts-node src/cli/index.ts ingest --source mock
+ *   npx ts-node src/cli/index.ts report --format text
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+require("dotenv/config");
+const commander_1 = require("commander");
+const scan_1 = require("./scan");
+const start_1 = require("./start");
+const ingestion_service_1 = require("../services/ingestion.service");
+const loader_1 = require("../db/loader");
+const queries_1 = require("../db/queries");
+const neo4j_client_1 = require("../db/neo4j-client");
+const generator_1 = require("../services/report/generator");
+const formatter_1 = require("../services/report/formatter");
+const docker_1 = require("./docker");
+const program = new commander_1.Command();
+program
+    .name('k8s-attack-viz')
+    .description('Kubernetes RBAC Attack Path Visualizer\n' +
+    'Ingests cluster data, builds an RBAC graph, enriches with CVEs,\n' +
+    'detects attack paths from entry points to crown jewels.')
+    .version('1.0.0', '-v, --version');
+// ─────────────────────────────────────────────────────────────────────────────
+// scan — local pipeline only (no Neo4j)
+// ─────────────────────────────────────────────────────────────────────────────
+program
+    .command('scan')
+    .description('Scan a Kubernetes cluster and output an attack-path graph (no Neo4j)')
+    .option('--mock', 'Use bundled mock data instead of kubectl', false)
+    .option('--output <file>', 'Path for the output JSON file', 'cluster-graph.json')
+    .option('--skip-cve', 'Skip CVE enrichment', false)
+    .option('--verbose', 'Print all attack paths', false)
+    .action(async (opts) => {
+    try {
+        await (0, scan_1.runScan)({ mock: opts.mock, output: opts.output, skipCve: opts.skipCve, verbose: opts.verbose });
+        process.exit(0);
+    }
+    catch (err) {
+        console.error(`\n❌  Scan failed: ${err instanceof Error ? err.message : String(err)}\n`);
+        process.exit(1);
+    }
+});
+// ─────────────────────────────────────────────────────────────────────────────
+// ingest — full pipeline: scan → Neo4j → GDS
+// Reuses same services as POST /api/ingest
+// ─────────────────────────────────────────────────────────────────────────────
+program
+    .command('ingest')
+    .description('Full ingestion: fetch cluster data → load Neo4j → re-project GDS')
+    .option('--source <source>', 'Data source: mock | live', 'mock')
+    .option('--skip-cve', 'Skip CVE enrichment (faster)', false)
+    .option('--wipe', 'Wipe existing Neo4j graph before loading', false)
+    .action(async (opts) => {
+    const source = opts.source === 'live' ? 'live' : 'mock';
+    try {
+        console.log('\n' + '═'.repeat(60));
+        console.log('  🔷 K8s Attack Path Visualizer — Ingest');
+        console.log('═'.repeat(60));
+        // ── Docker + Neo4j preflight ──────────────────────────────────────────
+        const preflight = await (0, docker_1.runPreflight)();
+        if (!preflight.ok)
+            process.exit(1);
+        // Verify Neo4j driver connection
+        console.log('\n  Connecting to Neo4j...');
+        await (0, neo4j_client_1.verifyConnection)();
+        // ── Step 1: ingestCluster (Teammate 1) ───────────────────────────────
+        console.log('\n  [1/3] Ingesting cluster data...');
+        const ingestResult = await (0, ingestion_service_1.ingestCluster)({ source, skipCve: opts.skipCve });
+        console.log(`  ✔ Graph JSON written: ${ingestResult.nodes} nodes, ${ingestResult.edges} edges`);
+        // ── Step 2: loadGraph (Teammate 2) ───────────────────────────────────
+        console.log('\n  [2/3] Loading graph into Neo4j...');
+        const stats = await (0, loader_1.loadGraph)(ingestResult.graphPath, opts.wipe);
+        console.log(`  ✔ Neo4j: ${stats.nodesLoaded} nodes, ${stats.edgesLoaded} edges (${stats.durationMs}ms)`);
+        // ── Step 3: Re-project GDS ────────────────────────────────────────────
+        console.log('\n  [3/3] Projecting GDS graph...');
+        await (0, queries_1.ensureProjection)(true);
+        console.log('  ✔ GDS projection ready');
+        console.log('\n' + '─'.repeat(60));
+        console.log('  ✔ Ingestion complete. Run `report` to analyse.\n');
+        process.exit(0);
+    }
+    catch (err) {
+        console.error(`\n❌  Ingest failed: ${err instanceof Error ? err.message : String(err)}\n`);
+        process.exit(1);
+    }
+});
+// ─────────────────────────────────────────────────────────────────────────────
+// report — generate + print attack report
+// Reuses same generator + formatter as GET /api/report
+// ─────────────────────────────────────────────────────────────────────────────
+program
+    .command('report')
+    .description('Generate a full attack-path report from Neo4j data')
+    .option('--format <format>', 'Output format: text | json', 'text')
+    .action(async (opts) => {
+    const format = opts.format === 'json' ? 'json' : 'text';
+    try {
+        console.log('\n  Connecting to Neo4j...');
+        await (0, neo4j_client_1.verifyConnection)();
+        console.log('  Generating report...\n');
+        const data = await (0, generator_1.generateReport)();
+        // Same formatter used by the API — no duplication
+        const output = (0, formatter_1.formatReport)(data, format);
+        console.log(output);
+        process.exit(0);
+    }
+    catch (err) {
+        console.error(`\n❌  Report failed: ${err instanceof Error ? err.message : String(err)}\n`);
+        process.exit(1);
+    }
+});
+// ─────────────────────────────────────────────────────────────────────────────
+// start — full system orchestrator: backend + ingest + UI + browser
+// ─────────────────────────────────────────────────────────────────────────────
+program
+    .command('start')
+    .description('Start backend, load mock data, open the UI in your browser')
+    .option('--source <source>', 'Data source: mock | live', 'mock')
+    .option('--no-browser', 'Skip opening the browser automatically')
+    .action(async (opts) => {
+    try {
+        await (0, start_1.runStart)({
+            source: opts.source === 'live' ? 'live' : 'mock',
+            skipBrowser: !opts.browser,
+        });
+    }
+    catch (err) {
+        console.error(`\n❌  Start failed: ${err instanceof Error ? err.message : String(err)}\n`);
+        process.exit(1);
+    }
+});
+// ─────────────────────────────────────────────────────────────────────────────
+// Fallback
+// ─────────────────────────────────────────────────────────────────────────────
+program.on('command:*', () => {
+    console.error(`Unknown command: ${program.args.join(' ')}`);
+    program.help();
+});
+if (process.argv.length <= 2) {
+    program.help();
+}
+program.parse(process.argv);
+//# sourceMappingURL=index.js.map

package/dist/cli/scan.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+export interface ScanOptions {
+    /** Load data from mock JSON instead of running kubectl */
+    mock: boolean;
+    /** Destination file path for the cluster-graph.json output */
+    output: string;
+    /** Skip CVE enrichment (faster runs, no network required) */
+    skipCve?: boolean;
+    /** Print verbose attack-path report including alternate routes */
+    verbose?: boolean;
+}
+/**
+ * Orchestrates the full ingestion → transformation → enrichment →
+ * validation → output pipeline.
+ */
+export declare function runScan(options: ScanOptions): Promise<void>;
+//# sourceMappingURL=scan.d.ts.map

package/dist/cli/scan.js ADDED Viewed

@@ -0,0 +1,151 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runScan = runScan;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const fetcher_1 = require("../core/fetcher");
+const transformer_1 = require("../core/transformer");
+const cve_enricher_1 = require("../core/cve-enricher");
+const schema_1 = require("../core/schema");
+const attack_path_1 = require("../core/attack-path");
+// ─────────────────────────────────────────────────────────────────────────────
+// LOGGING HELPERS
+// ─────────────────────────────────────────────────────────────────────────────
+function step(label) {
+    console.log(`\n✔ ${label}`);
+}
+function divider() {
+    console.log('  ' + '─'.repeat(60));
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// MAIN SCAN PIPELINE
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Orchestrates the full ingestion → transformation → enrichment →
+ * validation → output pipeline.
+ */
+async function runScan(options) {
+    console.log('\n' + '═'.repeat(62));
+    console.log('  🔐 Kubernetes Attack Path Visualizer');
+    console.log('     RBAC Graph Ingestion & CVE Enrichment Pipeline');
+    console.log('═'.repeat(62));
+    // ── Step 1: Fetch ──────────────────────────────────────────────────────────
+    step('Fetching cluster data...');
+    const rawData = await (0, fetcher_1.fetchClusterData)(options.mock);
+    const podCount = (rawData.pods?.items ?? []).length;
+    const saCount = (rawData.serviceAccounts?.items ?? []).length;
+    const roleCount = (rawData.roles?.items ?? []).length +
+        (rawData.clusterRoles?.items ?? []).length;
+    const bindingCount = (rawData.roleBindings?.items ?? []).length +
+        (rawData.clusterRoleBindings?.items ?? []).length;
+    console.log(`  → Pods: ${podCount}  |  ServiceAccounts: ${saCount}  |  ` +
+        `Roles: ${roleCount}  |  Bindings: ${bindingCount}`);
+    // ── Step 2: Transform ─────────────────────────────────────────────────────
+    step('Transforming RBAC graph...');
+    let graph = (0, transformer_1.transformToGraph)(rawData);
+    console.log(`  → Built ${graph.nodes.length} nodes and ${graph.edges.length} edges`);
+    const entryPts = graph.nodes.filter((n) => n.isEntryPoint).length;
+    const crownJs = graph.nodes.filter((n) => n.isCrownJewel).length;
+    console.log(`  → Entry points: ${entryPts}  |  Crown jewels: ${crownJs}`);
+    // ── Step 3: CVE Enrichment ────────────────────────────────────────────────
+    if (options.skipCve) {
+        console.log('\n✔ CVE enrichment skipped (--skip-cve)');
+    }
+    else {
+        step('Enriching with CVE data...');
+        graph = await (0, cve_enricher_1.enrichWithCVE)(graph);
+        const enriched = graph.nodes.filter((n) => (n.cve?.length ?? 0) > 0).length;
+        console.log(`  → ${enriched} pod(s) enriched with CVE data`);
+    }
+    // ── Step 4: Attack Path Detection ─────────────────────────────────────────
+    step('Detecting attack paths...');
+    let attackPaths;
+    if (options.verbose) {
+        const report = (0, attack_path_1.generateFullAttackReport)(graph);
+        attackPaths = report.paths;
+        console.log(`  → Total paths    : ${report.summary.totalPaths}`);
+        console.log(`  → Critical (≥7)  : ${report.summary.criticalPaths}`);
+        console.log(`  → Avg hops       : ${report.summary.avgHops}`);
+        (0, attack_path_1.printAttackPaths)(attackPaths, 10);
+    }
+    else {
+        attackPaths = (0, attack_path_1.detectAttackPaths)(graph);
+        console.log(`  → ${attackPaths.length} attack path(s) detected`);
+        if (attackPaths.length > 0) {
+            const top = attackPaths[0];
+            console.log(`  → Highest risk   : ${top.entryPoint} → ${top.crownJewel}` +
+                `  (${top.hops} hops, risk ${top.riskScore.toFixed(2)}/10)`);
+            (0, attack_path_1.printAttackPaths)(attackPaths, 6);
+        }
+    }
+    graph = { ...graph, attackPaths };
+    // ── Step 5: Validation ────────────────────────────────────────────────────
+    step('Validating schema...');
+    const finalGraph = {
+        ...graph,
+        metadata: {
+            generatedAt: new Date().toISOString(),
+            clusterContext: options.mock
+                ? 'mock'
+                : process.env['KUBECONFIG'] ?? 'default',
+            totalNodes: graph.nodes.length,
+            totalEdges: graph.edges.length,
+            totalAttackPaths: attackPaths.length,
+        },
+    };
+    const validated = (0, schema_1.validateGraph)(finalGraph);
+    // ── Step 6: Persist ───────────────────────────────────────────────────────
+    step('Saving graph...');
+    const outputPath = path.resolve(options.output);
+    const outputDir = path.dirname(outputPath);
+    if (!fs.existsSync(outputDir)) {
+        fs.mkdirSync(outputDir, { recursive: true });
+    }
+    fs.writeFileSync(outputPath, JSON.stringify(validated, null, 2), 'utf8');
+    console.log(`  → Saved to: ${outputPath}`);
+    // ── Final Summary ─────────────────────────────────────────────────────────
+    divider();
+    console.log('\n  📊 Final Summary\n');
+    console.log(`     Nodes            : ${validated.nodes.length}`);
+    console.log(`     Edges            : ${validated.edges.length}`);
+    console.log(`     Attack Paths     : ${attackPaths.length}`);
+    console.log(`     Entry Points     : ${validated.nodes.filter((n) => n.isEntryPoint).length}`);
+    console.log(`     Crown Jewels     : ${validated.nodes.filter((n) => n.isCrownJewel).length}`);
+    console.log(`     CVE-Enriched     : ${validated.nodes.filter((n) => (n.cve?.length ?? 0) > 0).length}`);
+    console.log(`\n  ✔  cluster-graph.json written to: ${outputPath}\n`);
+    divider();
+}
+//# sourceMappingURL=scan.js.map

package/dist/cli/start.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+/**
+ * start.ts — CLI orchestrator
+ *
+ * Sequence:
+ *   0. Docker + Neo4j preflight  (skipped with --mock)
+ *   1. Spawn Express backend     (ts-node or node dist/server/server.js)
+ *   2. Poll /health until ready  (60s timeout)
+ *   3. POST /api/ingest          (load cluster data)
+ *   4. Ensure UI deps installed  (npm install inside ui/ if needed)
+ *   5. Spawn Vite frontend       (npm run dev inside ui/)
+ *   6. Wait for Vite             (poll localhost:5173, 30s timeout)
+ *   7. Open browser
+ *   8. Park — Ctrl+C kills both children cleanly
+ */
+export interface StartOptions {
+    skipBrowser: boolean;
+    source: 'mock' | 'live';
+}
+export declare function runStart(opts: StartOptions): Promise<void>;
+//# sourceMappingURL=start.d.ts.map