k8s-av 1.0.0

package/dist/core/fetcher.d.ts

@@ -0,0 +1,26 @@
+/** Raw output from kubectl get <resource> -A -o json */
+export interface KubeList {
+    apiVersion: string;
+    kind: string;
+    items: unknown[];
+}
+/** Structured raw cluster data as fetched from kubectl */
+export interface RawClusterData {
+    pods: KubeList;
+    serviceAccounts: KubeList;
+    roles: KubeList;
+    clusterRoles: KubeList;
+    roleBindings: KubeList;
+    clusterRoleBindings: KubeList;
+    secrets: KubeList;
+    configMaps: KubeList;
+    services: KubeList;
+}
+/**
+ * Fetches raw Kubernetes cluster data.
+ *
+ * @param mockMode  When true, loads data from the bundled mock JSON file
+ *                  and skips all kubectl calls entirely.
+ */
+export declare function fetchClusterData(mockMode?: boolean): Promise<RawClusterData>;
+//# sourceMappingURL=fetcher.d.ts.map

package/dist/core/fetcher.js

@@ -0,0 +1,130 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchClusterData = fetchClusterData;
+const child_process_1 = require("child_process");
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+// ─────────────────────────────────────────────────────────────────────────────
+// CONSTANTS
+// ─────────────────────────────────────────────────────────────────────────────
+const EMPTY_LIST = { apiVersion: 'v1', kind: 'List', items: [] };
+const KUBECTL_TIMEOUT_MS = 30000;
+// ─────────────────────────────────────────────────────────────────────────────
+// HELPERS
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Executes a single kubectl command and returns the parsed JSON.
+ * On failure, logs a warning and returns an empty list — never crashes.
+ */
+function runKubectl(command, resourceName) {
+    try {
+        const raw = (0, child_process_1.execSync)(command, {
+            encoding: 'utf8',
+            timeout: KUBECTL_TIMEOUT_MS,
+            // Pipe all three streams so kubectl's stderr never reaches the terminal.
+            // stdout is returned as a string; stderr is captured silently.
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        return JSON.parse(raw);
+    }
+    catch (err) {
+        // Extract the first meaningful line from stderr if available, otherwise
+        // fall back to the generic Error message.
+        let msg = 'unknown error';
+        if (err instanceof Error) {
+            const detail = err.stderr;
+            const firstLine = (detail ?? err.message)
+                .split('\n')
+                .map((l) => l.trim())
+                .find((l) => l.length > 0 && !l.startsWith('E0') && !l.startsWith('W0'));
+            msg = firstLine ?? err.message.split('\n')[0];
+        }
+        console.warn(`  ⚠️  Failed to fetch ${resourceName}: ${msg}`);
+        return { ...EMPTY_LIST, kind: `${resourceName}List` };
+    }
+}
+/** Resolves the path to the mock data file, supporting both ts-node and compiled dist. */
+function resolveMockPath() {
+    // When running via ts-node: __dirname = src/cli or src/core
+    // When running compiled:    __dirname = dist/cli or dist/core
+    const candidates = [
+        path.resolve(__dirname, '../data/mock-cluster-graph.json'), // ts-node from src/core
+        path.resolve(__dirname, '../../src/data/mock-cluster-graph.json'), // compiled from dist/core
+        path.resolve(process.cwd(), 'src/data/mock-cluster-graph.json'),
+        path.resolve(process.cwd(), 'data/mock-cluster-graph.json'),
+    ];
+    for (const p of candidates) {
+        if (fs.existsSync(p))
+            return p;
+    }
+    throw new Error(`Mock data file not found. Tried:\n${candidates.map((c) => `  • ${c}`).join('\n')}`);
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// PUBLIC API
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Fetches raw Kubernetes cluster data.
+ *
+ * @param mockMode  When true, loads data from the bundled mock JSON file
+ *                  and skips all kubectl calls entirely.
+ */
+async function fetchClusterData(mockMode = false) {
+    if (mockMode) {
+        const filePath = resolveMockPath();
+        console.log(`  → Loading mock cluster data from: ${filePath}`);
+        const raw = fs.readFileSync(filePath, 'utf8');
+        return JSON.parse(raw);
+    }
+    // ── Live kubectl mode ──────────────────────────────────────────────────────
+    const resources = [
+        ['pods', 'kubectl get pods -A -o json', 'pods'],
+        ['serviceAccounts', 'kubectl get serviceaccounts -A -o json', 'serviceAccounts'],
+        ['roles', 'kubectl get roles -A -o json', 'roles'],
+        ['clusterRoles', 'kubectl get clusterroles -A -o json', 'clusterRoles'],
+        ['roleBindings', 'kubectl get rolebindings -A -o json', 'roleBindings'],
+        ['clusterRoleBindings', 'kubectl get clusterrolebindings -A -o json', 'clusterRoleBindings'],
+        ['secrets', 'kubectl get secrets -A -o json', 'secrets'],
+        ['configMaps', 'kubectl get configmaps -A -o json', 'configMaps'],
+        ['services', 'kubectl get services -A -o json', 'services'],
+    ];
+    const result = {};
+    for (const [key, command, label] of resources) {
+        console.log(`  → Fetching ${label}...`);
+        result[key] = runKubectl(command, label);
+    }
+    return result;
+}
+//# sourceMappingURL=fetcher.js.map

package/dist/core/schema.d.ts

@@ -0,0 +1,290 @@
+import { z } from 'zod';
+export declare const NodeTypeEnum: z.ZodEnum<["Pod", "ServiceAccount", "Role", "ClusterRole", "Secret", "ConfigMap", "Database", "Service"]>;
+export declare const EdgeTypeEnum: z.ZodEnum<["USES_SERVICE_ACCOUNT", "BINDS_TO", "HAS_ACCESS", "EXPOSES", "MOUNTS_SECRET", "READS_CONFIGMAP", "CAN_EXEC_INTO"]>;
+export declare const NodeSchema: z.ZodObject<{
+    /** Unique identifier: "namespace:name" */
+    id: z.ZodString;
+    type: z.ZodEnum<["Pod", "ServiceAccount", "Role", "ClusterRole", "Secret", "ConfigMap", "Database", "Service"]>;
+    name: z.ZodString;
+    /** "cluster" for cluster-scoped resources */
+    namespace: z.ZodString;
+    /** 0–10; higher = more dangerous */
+    riskScore: z.ZodNumber;
+    /** True if directly reachable from outside the cluster */
+    isEntryPoint: z.ZodBoolean;
+    /** True if compromising this node is critical (secrets, prod DBs) */
+    isCrownJewel: z.ZodBoolean;
+    /** CVE identifiers discovered via NVD enrichment */
+    cve: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    /** Container image (Pod nodes only) */
+    image: z.ZodOptional<z.ZodString>;
+    labels: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    annotations: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+}, "strip", z.ZodTypeAny, {
+    id: string;
+    type: "Pod" | "ServiceAccount" | "Role" | "ClusterRole" | "Secret" | "ConfigMap" | "Database" | "Service";
+    name: string;
+    namespace: string;
+    riskScore: number;
+    isEntryPoint: boolean;
+    isCrownJewel: boolean;
+    cve?: string[] | undefined;
+    image?: string | undefined;
+    labels?: Record<string, string> | undefined;
+    annotations?: Record<string, string> | undefined;
+}, {
+    id: string;
+    type: "Pod" | "ServiceAccount" | "Role" | "ClusterRole" | "Secret" | "ConfigMap" | "Database" | "Service";
+    name: string;
+    namespace: string;
+    riskScore: number;
+    isEntryPoint: boolean;
+    isCrownJewel: boolean;
+    cve?: string[] | undefined;
+    image?: string | undefined;
+    labels?: Record<string, string> | undefined;
+    annotations?: Record<string, string> | undefined;
+}>;
+export declare const EdgeSchema: z.ZodObject<{
+    from: z.ZodString;
+    to: z.ZodString;
+    type: z.ZodEnum<["USES_SERVICE_ACCOUNT", "BINDS_TO", "HAS_ACCESS", "EXPOSES", "MOUNTS_SECRET", "READS_CONFIGMAP", "CAN_EXEC_INTO"]>;
+    /** Privilege severity: 0 = read-only, 10 = full admin */
+    weight: z.ZodNumber;
+    /** RBAC verbs that grant this access */
+    verbs: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    /** Kubernetes resource types involved */
+    resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+    type: "USES_SERVICE_ACCOUNT" | "BINDS_TO" | "HAS_ACCESS" | "EXPOSES" | "MOUNTS_SECRET" | "READS_CONFIGMAP" | "CAN_EXEC_INTO";
+    from: string;
+    to: string;
+    weight: number;
+    verbs?: string[] | undefined;
+    resources?: string[] | undefined;
+}, {
+    type: "USES_SERVICE_ACCOUNT" | "BINDS_TO" | "HAS_ACCESS" | "EXPOSES" | "MOUNTS_SECRET" | "READS_CONFIGMAP" | "CAN_EXEC_INTO";
+    from: string;
+    to: string;
+    weight: number;
+    verbs?: string[] | undefined;
+    resources?: string[] | undefined;
+}>;
+export declare const AttackPathSchema: z.ZodObject<{
+    /** Ordered list of node IDs from entry point to crown jewel */
+    path: z.ZodArray<z.ZodString, "many">;
+    /** Average risk score across path nodes */
+    riskScore: z.ZodNumber;
+    entryPoint: z.ZodString;
+    crownJewel: z.ZodString;
+    /** Number of hops (edges) in the path */
+    hops: z.ZodNumber;
+}, "strip", z.ZodTypeAny, {
+    riskScore: number;
+    path: string[];
+    entryPoint: string;
+    crownJewel: string;
+    hops: number;
+}, {
+    riskScore: number;
+    path: string[];
+    entryPoint: string;
+    crownJewel: string;
+    hops: number;
+}>;
+export declare const GraphSchema: z.ZodObject<{
+    nodes: z.ZodArray<z.ZodObject<{
+        /** Unique identifier: "namespace:name" */
+        id: z.ZodString;
+        type: z.ZodEnum<["Pod", "ServiceAccount", "Role", "ClusterRole", "Secret", "ConfigMap", "Database", "Service"]>;
+        name: z.ZodString;
+        /** "cluster" for cluster-scoped resources */
+        namespace: z.ZodString;
+        /** 0–10; higher = more dangerous */
+        riskScore: z.ZodNumber;
+        /** True if directly reachable from outside the cluster */
+        isEntryPoint: z.ZodBoolean;
+        /** True if compromising this node is critical (secrets, prod DBs) */
+        isCrownJewel: z.ZodBoolean;
+        /** CVE identifiers discovered via NVD enrichment */
+        cve: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        /** Container image (Pod nodes only) */
+        image: z.ZodOptional<z.ZodString>;
+        labels: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+        annotations: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    }, "strip", z.ZodTypeAny, {
+        id: string;
+        type: "Pod" | "ServiceAccount" | "Role" | "ClusterRole" | "Secret" | "ConfigMap" | "Database" | "Service";
+        name: string;
+        namespace: string;
+        riskScore: number;
+        isEntryPoint: boolean;
+        isCrownJewel: boolean;
+        cve?: string[] | undefined;
+        image?: string | undefined;
+        labels?: Record<string, string> | undefined;
+        annotations?: Record<string, string> | undefined;
+    }, {
+        id: string;
+        type: "Pod" | "ServiceAccount" | "Role" | "ClusterRole" | "Secret" | "ConfigMap" | "Database" | "Service";
+        name: string;
+        namespace: string;
+        riskScore: number;
+        isEntryPoint: boolean;
+        isCrownJewel: boolean;
+        cve?: string[] | undefined;
+        image?: string | undefined;
+        labels?: Record<string, string> | undefined;
+        annotations?: Record<string, string> | undefined;
+    }>, "many">;
+    edges: z.ZodArray<z.ZodObject<{
+        from: z.ZodString;
+        to: z.ZodString;
+        type: z.ZodEnum<["USES_SERVICE_ACCOUNT", "BINDS_TO", "HAS_ACCESS", "EXPOSES", "MOUNTS_SECRET", "READS_CONFIGMAP", "CAN_EXEC_INTO"]>;
+        /** Privilege severity: 0 = read-only, 10 = full admin */
+        weight: z.ZodNumber;
+        /** RBAC verbs that grant this access */
+        verbs: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        /** Kubernetes resource types involved */
+        resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        type: "USES_SERVICE_ACCOUNT" | "BINDS_TO" | "HAS_ACCESS" | "EXPOSES" | "MOUNTS_SECRET" | "READS_CONFIGMAP" | "CAN_EXEC_INTO";
+        from: string;
+        to: string;
+        weight: number;
+        verbs?: string[] | undefined;
+        resources?: string[] | undefined;
+    }, {
+        type: "USES_SERVICE_ACCOUNT" | "BINDS_TO" | "HAS_ACCESS" | "EXPOSES" | "MOUNTS_SECRET" | "READS_CONFIGMAP" | "CAN_EXEC_INTO";
+        from: string;
+        to: string;
+        weight: number;
+        verbs?: string[] | undefined;
+        resources?: string[] | undefined;
+    }>, "many">;
+    attackPaths: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        /** Ordered list of node IDs from entry point to crown jewel */
+        path: z.ZodArray<z.ZodString, "many">;
+        /** Average risk score across path nodes */
+        riskScore: z.ZodNumber;
+        entryPoint: z.ZodString;
+        crownJewel: z.ZodString;
+        /** Number of hops (edges) in the path */
+        hops: z.ZodNumber;
+    }, "strip", z.ZodTypeAny, {
+        riskScore: number;
+        path: string[];
+        entryPoint: string;
+        crownJewel: string;
+        hops: number;
+    }, {
+        riskScore: number;
+        path: string[];
+        entryPoint: string;
+        crownJewel: string;
+        hops: number;
+    }>, "many">>;
+    metadata: z.ZodOptional<z.ZodObject<{
+        generatedAt: z.ZodString;
+        clusterContext: z.ZodOptional<z.ZodString>;
+        totalNodes: z.ZodNumber;
+        totalEdges: z.ZodNumber;
+        totalAttackPaths: z.ZodOptional<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        generatedAt: string;
+        totalNodes: number;
+        totalEdges: number;
+        clusterContext?: string | undefined;
+        totalAttackPaths?: number | undefined;
+    }, {
+        generatedAt: string;
+        totalNodes: number;
+        totalEdges: number;
+        clusterContext?: string | undefined;
+        totalAttackPaths?: number | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    nodes: {
+        id: string;
+        type: "Pod" | "ServiceAccount" | "Role" | "ClusterRole" | "Secret" | "ConfigMap" | "Database" | "Service";
+        name: string;
+        namespace: string;
+        riskScore: number;
+        isEntryPoint: boolean;
+        isCrownJewel: boolean;
+        cve?: string[] | undefined;
+        image?: string | undefined;
+        labels?: Record<string, string> | undefined;
+        annotations?: Record<string, string> | undefined;
+    }[];
+    edges: {
+        type: "USES_SERVICE_ACCOUNT" | "BINDS_TO" | "HAS_ACCESS" | "EXPOSES" | "MOUNTS_SECRET" | "READS_CONFIGMAP" | "CAN_EXEC_INTO";
+        from: string;
+        to: string;
+        weight: number;
+        verbs?: string[] | undefined;
+        resources?: string[] | undefined;
+    }[];
+    attackPaths?: {
+        riskScore: number;
+        path: string[];
+        entryPoint: string;
+        crownJewel: string;
+        hops: number;
+    }[] | undefined;
+    metadata?: {
+        generatedAt: string;
+        totalNodes: number;
+        totalEdges: number;
+        clusterContext?: string | undefined;
+        totalAttackPaths?: number | undefined;
+    } | undefined;
+}, {
+    nodes: {
+        id: string;
+        type: "Pod" | "ServiceAccount" | "Role" | "ClusterRole" | "Secret" | "ConfigMap" | "Database" | "Service";
+        name: string;
+        namespace: string;
+        riskScore: number;
+        isEntryPoint: boolean;
+        isCrownJewel: boolean;
+        cve?: string[] | undefined;
+        image?: string | undefined;
+        labels?: Record<string, string> | undefined;
+        annotations?: Record<string, string> | undefined;
+    }[];
+    edges: {
+        type: "USES_SERVICE_ACCOUNT" | "BINDS_TO" | "HAS_ACCESS" | "EXPOSES" | "MOUNTS_SECRET" | "READS_CONFIGMAP" | "CAN_EXEC_INTO";
+        from: string;
+        to: string;
+        weight: number;
+        verbs?: string[] | undefined;
+        resources?: string[] | undefined;
+    }[];
+    attackPaths?: {
+        riskScore: number;
+        path: string[];
+        entryPoint: string;
+        crownJewel: string;
+        hops: number;
+    }[] | undefined;
+    metadata?: {
+        generatedAt: string;
+        totalNodes: number;
+        totalEdges: number;
+        clusterContext?: string | undefined;
+        totalAttackPaths?: number | undefined;
+    } | undefined;
+}>;
+export type NodeType = z.infer<typeof NodeTypeEnum>;
+export type EdgeType = z.infer<typeof EdgeTypeEnum>;
+export type Node = z.infer<typeof NodeSchema>;
+export type Edge = z.infer<typeof EdgeSchema>;
+export type AttackPath = z.infer<typeof AttackPathSchema>;
+export type Graph = z.infer<typeof GraphSchema>;
+/**
+ * Validates a graph object against the Zod schema.
+ * Prints a summary and throws a readable error on failure.
+ */
+export declare function validateGraph(graph: unknown): Graph;
+//# sourceMappingURL=schema.d.ts.map

package/dist/core/schema.js

@@ -0,0 +1,125 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GraphSchema = exports.AttackPathSchema = exports.EdgeSchema = exports.NodeSchema = exports.EdgeTypeEnum = exports.NodeTypeEnum = void 0;
+exports.validateGraph = validateGraph;
+const zod_1 = require("zod");
+// ─────────────────────────────────────────────────────────────────────────────
+// ENUMS
+// ─────────────────────────────────────────────────────────────────────────────
+exports.NodeTypeEnum = zod_1.z.enum([
+    'Pod',
+    'ServiceAccount',
+    'Role',
+    'ClusterRole',
+    'Secret',
+    'ConfigMap',
+    'Database',
+    'Service',
+]);
+exports.EdgeTypeEnum = zod_1.z.enum([
+    'USES_SERVICE_ACCOUNT',
+    'BINDS_TO',
+    'HAS_ACCESS',
+    'EXPOSES',
+    'MOUNTS_SECRET',
+    'READS_CONFIGMAP',
+    'CAN_EXEC_INTO',
+]);
+// ─────────────────────────────────────────────────────────────────────────────
+// NODE SCHEMA
+// ─────────────────────────────────────────────────────────────────────────────
+exports.NodeSchema = zod_1.z.object({
+    /** Unique identifier: "namespace:name" */
+    id: zod_1.z.string().min(1, 'Node id must not be empty'),
+    type: exports.NodeTypeEnum,
+    name: zod_1.z.string().min(1, 'Node name must not be empty'),
+    /** "cluster" for cluster-scoped resources */
+    namespace: zod_1.z.string(),
+    /** 0–10; higher = more dangerous */
+    riskScore: zod_1.z.number().min(0).max(10),
+    /** True if directly reachable from outside the cluster */
+    isEntryPoint: zod_1.z.boolean(),
+    /** True if compromising this node is critical (secrets, prod DBs) */
+    isCrownJewel: zod_1.z.boolean(),
+    /** CVE identifiers discovered via NVD enrichment */
+    cve: zod_1.z.array(zod_1.z.string()).optional(),
+    /** Container image (Pod nodes only) */
+    image: zod_1.z.string().optional(),
+    labels: zod_1.z.record(zod_1.z.string()).optional(),
+    annotations: zod_1.z.record(zod_1.z.string()).optional(),
+});
+// ─────────────────────────────────────────────────────────────────────────────
+// EDGE SCHEMA
+// ─────────────────────────────────────────────────────────────────────────────
+exports.EdgeSchema = zod_1.z.object({
+    from: zod_1.z.string().min(1),
+    to: zod_1.z.string().min(1),
+    type: exports.EdgeTypeEnum,
+    /** Privilege severity: 0 = read-only, 10 = full admin */
+    weight: zod_1.z.number().min(0).max(10),
+    /** RBAC verbs that grant this access */
+    verbs: zod_1.z.array(zod_1.z.string()).optional(),
+    /** Kubernetes resource types involved */
+    resources: zod_1.z.array(zod_1.z.string()).optional(),
+});
+// ─────────────────────────────────────────────────────────────────────────────
+// ATTACK PATH SCHEMA
+// ─────────────────────────────────────────────────────────────────────────────
+exports.AttackPathSchema = zod_1.z.object({
+    /** Ordered list of node IDs from entry point to crown jewel */
+    path: zod_1.z.array(zod_1.z.string()),
+    /** Average risk score across path nodes */
+    riskScore: zod_1.z.number().min(0).max(10),
+    entryPoint: zod_1.z.string(),
+    crownJewel: zod_1.z.string(),
+    /** Number of hops (edges) in the path */
+    hops: zod_1.z.number().int().nonnegative(),
+});
+// ─────────────────────────────────────────────────────────────────────────────
+// GRAPH SCHEMA
+// ─────────────────────────────────────────────────────────────────────────────
+exports.GraphSchema = zod_1.z.object({
+    nodes: zod_1.z.array(exports.NodeSchema).min(1, 'Graph must contain at least one node'),
+    edges: zod_1.z.array(exports.EdgeSchema),
+    attackPaths: zod_1.z.array(exports.AttackPathSchema).optional(),
+    metadata: zod_1.z
+        .object({
+        generatedAt: zod_1.z.string(),
+        clusterContext: zod_1.z.string().optional(),
+        totalNodes: zod_1.z.number().int().nonnegative(),
+        totalEdges: zod_1.z.number().int().nonnegative(),
+        totalAttackPaths: zod_1.z.number().int().nonnegative().optional(),
+    })
+        .optional(),
+});
+// ─────────────────────────────────────────────────────────────────────────────
+// VALIDATION HELPER
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Validates a graph object against the Zod schema.
+ * Prints a summary and throws a readable error on failure.
+ */
+function validateGraph(graph) {
+    const result = exports.GraphSchema.safeParse(graph);
+    if (!result.success) {
+        const errors = result.error.errors
+            .map((e) => `  • ${e.path.join('.')}: ${e.message}`)
+            .join('\n');
+        throw new Error(`Schema validation failed:\n${errors}`);
+    }
+    const g = result.data;
+    const crownJewelCount = g.nodes.filter((n) => n.isCrownJewel).length;
+    const entryPointCount = g.nodes.filter((n) => n.isEntryPoint).length;
+    const cveEnriched = g.nodes.filter((n) => (n.cve?.length ?? 0) > 0).length;
+    console.log('  ✔ Graph validated successfully');
+    console.log(`  ✔ Node count        : ${g.nodes.length}`);
+    console.log(`  ✔ Edge count        : ${g.edges.length}`);
+    console.log(`  ✔ Entry points      : ${entryPointCount}`);
+    console.log(`  ✔ Crown jewels      : ${crownJewelCount}`);
+    console.log(`  ✔ CVE-enriched pods : ${cveEnriched}`);
+    if (g.attackPaths) {
+        console.log(`  ✔ Attack paths      : ${g.attackPaths.length}`);
+    }
+    return g;
+}
+//# sourceMappingURL=schema.js.map

package/dist/core/transformer.d.ts

@@ -0,0 +1,19 @@
+import { Graph } from './schema';
+import { RawClusterData } from './fetcher';
+/**
+ * Converts raw Kubernetes resource lists into a directed attack graph.
+ *
+ * Node creation order:
+ *   1. Pods → 2. ServiceAccounts → 3. Roles → 4. ClusterRoles
+ *   5. Secrets → 6. ConfigMaps → 7. Services (entry points) → 8. Mock DBs
+ *
+ * Edge creation order:
+ *   1. Pod → ServiceAccount (USES_SERVICE_ACCOUNT)
+ *   2. Service → Pod (EXPOSES)
+ *   3. ServiceAccount → Role/ClusterRole (BINDS_TO via RoleBindings)
+ *   4. ServiceAccount → ClusterRole (BINDS_TO via ClusterRoleBindings)
+ *   5. Role → Resources (HAS_ACCESS via rules)
+ *   6. ClusterRole → Resources (HAS_ACCESS via rules, cross-namespace)
+ */
+export declare function transformToGraph(raw: RawClusterData): Graph;
+//# sourceMappingURL=transformer.d.ts.map