sonobat 0.1.0

package/dist/index.js

@@ -0,0 +1,2546 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import Database from "better-sqlite3";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+
+// src/db/schema.ts
+var SCHEMA_SQL = `
+PRAGMA foreign_keys = ON;
+
+-- ============================================================
+-- \u5B9F\u884C\u5358\u4F4D\uFF08\u4EFB\u610F\uFF09
+-- ============================================================
+CREATE TABLE IF NOT EXISTS scans (
+  id            TEXT PRIMARY KEY,
+  started_at    TEXT NOT NULL,
+  finished_at   TEXT,
+  notes         TEXT
+);
+
+-- ============================================================
+-- \u751F\u51FA\u529B\uFF08\u30D5\u30A1\u30A4\u30EB\uFF09\u53C2\u7167
+-- ============================================================
+CREATE TABLE IF NOT EXISTS artifacts (
+  id            TEXT PRIMARY KEY,
+  scan_id       TEXT,
+  tool          TEXT NOT NULL,              -- "nmap" | "ffuf" | "nuclei"
+  kind          TEXT NOT NULL,              -- "tool_output" | "http_request" | "http_response"
+  path          TEXT NOT NULL,              -- \u30ED\u30FC\u30AB\u30EB\u30D5\u30A1\u30A4\u30EB\u30D1\u30B9 or URI
+  sha256        TEXT,
+  captured_at   TEXT NOT NULL,
+  attrs_json    TEXT,                       -- \u4EFB\u610F\u30E1\u30BF\uFF08\u30B3\u30DE\u30F3\u30C9\u3001\u5F15\u6570\u7B49\uFF09
+  FOREIGN KEY (scan_id) REFERENCES scans(id) ON DELETE SET NULL
+);
+
+CREATE INDEX IF NOT EXISTS idx_artifacts_tool ON artifacts(tool);
+
+-- ============================================================
+-- \u30DB\u30B9\u30C8
+-- ============================================================
+CREATE TABLE IF NOT EXISTS hosts (
+  id                TEXT PRIMARY KEY,
+  authority_kind    TEXT NOT NULL,           -- "IP" | "DOMAIN"
+  authority         TEXT NOT NULL UNIQUE,    -- IP \u30A2\u30C9\u30EC\u30B9\u307E\u305F\u306F\u30C9\u30E1\u30A4\u30F3\u540D
+  resolved_ips_json TEXT NOT NULL DEFAULT '[]',
+  created_at        TEXT NOT NULL,
+  updated_at        TEXT NOT NULL
+);
+
+-- ============================================================
+-- \u30D0\u30FC\u30C1\u30E3\u30EB\u30DB\u30B9\u30C8
+-- ============================================================
+CREATE TABLE IF NOT EXISTS vhosts (
+  id                    TEXT PRIMARY KEY,
+  host_id               TEXT NOT NULL,
+  hostname              TEXT NOT NULL,
+  source                TEXT,               -- "nmap" | "cert" | "header" | "manual"
+  evidence_artifact_id  TEXT NOT NULL,
+  created_at            TEXT NOT NULL,
+  UNIQUE (host_id, hostname),
+  FOREIGN KEY (host_id)              REFERENCES hosts(id)     ON DELETE CASCADE,
+  FOREIGN KEY (evidence_artifact_id) REFERENCES artifacts(id) ON DELETE RESTRICT
+);
+
+CREATE INDEX IF NOT EXISTS idx_vhosts_host ON vhosts(host_id);
+
+-- ============================================================
+-- \u30B5\u30FC\u30D3\u30B9
+-- ============================================================
+CREATE TABLE IF NOT EXISTS services (
+  id                    TEXT PRIMARY KEY,
+  host_id               TEXT NOT NULL,
+  transport             TEXT NOT NULL,       -- "tcp" | "udp"
+  port                  INTEGER NOT NULL,
+  app_proto             TEXT NOT NULL,       -- "http" | "ssh" | "ftp" \u7B49
+  proto_confidence      TEXT NOT NULL,       -- "high" | "medium" | "low"
+  banner                TEXT,
+  product               TEXT,
+  version               TEXT,
+  state                 TEXT NOT NULL,       -- "open" | "closed" | "filtered"
+  evidence_artifact_id  TEXT NOT NULL,
+  created_at            TEXT NOT NULL,
+  updated_at            TEXT NOT NULL,
+  UNIQUE (host_id, transport, port),
+  FOREIGN KEY (host_id)              REFERENCES hosts(id)     ON DELETE CASCADE,
+  FOREIGN KEY (evidence_artifact_id) REFERENCES artifacts(id) ON DELETE RESTRICT
+);
+
+CREATE INDEX IF NOT EXISTS idx_services_host ON services(host_id);
+
+-- ============================================================
+-- \u30B5\u30FC\u30D3\u30B9\u89B3\u6E2C\uFF08key-value\uFF09
+-- ============================================================
+CREATE TABLE IF NOT EXISTS service_observations (
+  id                    TEXT PRIMARY KEY,
+  service_id            TEXT NOT NULL,
+  key                   TEXT NOT NULL,
+  value                 TEXT NOT NULL,
+  confidence            TEXT NOT NULL,       -- "high" | "medium" | "low"
+  evidence_artifact_id  TEXT NOT NULL,
+  created_at            TEXT NOT NULL,
+  FOREIGN KEY (service_id)           REFERENCES services(id)  ON DELETE CASCADE,
+  FOREIGN KEY (evidence_artifact_id) REFERENCES artifacts(id) ON DELETE RESTRICT
+);
+
+CREATE INDEX IF NOT EXISTS idx_svc_obs_service ON service_observations(service_id);
+
+-- ============================================================
+-- HTTP \u30A8\u30F3\u30C9\u30DD\u30A4\u30F3\u30C8
+-- ============================================================
+CREATE TABLE IF NOT EXISTS http_endpoints (
+  id                    TEXT PRIMARY KEY,
+  service_id            TEXT NOT NULL,
+  vhost_id              TEXT,
+  base_uri              TEXT NOT NULL,       -- "http://example.com:80"
+  method                TEXT NOT NULL,       -- "GET" | "POST" | ...
+  path                  TEXT NOT NULL,       -- "/admin"\uFF08\u30AF\u30A8\u30EA\u306F\u542B\u3081\u306A\u3044\uFF09
+  status_code           INTEGER,
+  content_length        INTEGER,
+  words                 INTEGER,
+  lines                 INTEGER,
+  evidence_artifact_id  TEXT NOT NULL,
+  created_at            TEXT NOT NULL,
+  UNIQUE (service_id, method, path),
+  FOREIGN KEY (service_id)           REFERENCES services(id)  ON DELETE CASCADE,
+  FOREIGN KEY (vhost_id)             REFERENCES vhosts(id)    ON DELETE SET NULL,
+  FOREIGN KEY (evidence_artifact_id) REFERENCES artifacts(id) ON DELETE RESTRICT
+);
+
+CREATE INDEX IF NOT EXISTS idx_endpoints_service ON http_endpoints(service_id);
+
+-- ============================================================
+-- \u5165\u529B\u30D1\u30E9\u30E1\u30FC\u30BF
+-- ============================================================
+CREATE TABLE IF NOT EXISTS inputs (
+  id            TEXT PRIMARY KEY,
+  service_id    TEXT NOT NULL,
+  location      TEXT NOT NULL,              -- "query" | "path" | "body" | "header" | "cookie"
+  name          TEXT NOT NULL,
+  type_hint     TEXT,                       -- "string" | "int" | "json" \u7B49\uFF08\u4EFB\u610F\uFF09
+  created_at    TEXT NOT NULL,
+  updated_at    TEXT NOT NULL,
+  UNIQUE (service_id, location, name),
+  FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS idx_inputs_service ON inputs(service_id);
+
+-- ============================================================
+-- \u30A8\u30F3\u30C9\u30DD\u30A4\u30F3\u30C8 \u2194 \u5165\u529B\uFF08\u591A\u5BFE\u591A\uFF09
+-- ============================================================
+CREATE TABLE IF NOT EXISTS endpoint_inputs (
+  id                    TEXT PRIMARY KEY,
+  endpoint_id           TEXT NOT NULL,
+  input_id              TEXT NOT NULL,
+  evidence_artifact_id  TEXT NOT NULL,
+  created_at            TEXT NOT NULL,
+  UNIQUE (endpoint_id, input_id),
+  FOREIGN KEY (endpoint_id)          REFERENCES http_endpoints(id) ON DELETE CASCADE,
+  FOREIGN KEY (input_id)             REFERENCES inputs(id)         ON DELETE CASCADE,
+  FOREIGN KEY (evidence_artifact_id) REFERENCES artifacts(id)      ON DELETE RESTRICT
+);
+
+CREATE INDEX IF NOT EXISTS idx_ep_inputs_endpoint ON endpoint_inputs(endpoint_id);
+CREATE INDEX IF NOT EXISTS idx_ep_inputs_input    ON endpoint_inputs(input_id);
+
+-- ============================================================
+-- \u89B3\u6E2C\u5024
+-- ============================================================
+CREATE TABLE IF NOT EXISTS observations (
+  id                    TEXT PRIMARY KEY,
+  input_id              TEXT NOT NULL,
+  raw_value             TEXT NOT NULL,
+  norm_value            TEXT NOT NULL,
+  body_path             TEXT,               -- JSON Pointer \u7B49\uFF08\u4F8B: "/user/name"\uFF09
+  source                TEXT NOT NULL,       -- "ffuf_url" | "req_query" | "req_body" | "manual"
+  confidence            TEXT NOT NULL,       -- "high" | "medium" | "low"
+  evidence_artifact_id  TEXT NOT NULL,
+  observed_at           TEXT NOT NULL,
+  FOREIGN KEY (input_id)             REFERENCES inputs(id)    ON DELETE CASCADE,
+  FOREIGN KEY (evidence_artifact_id) REFERENCES artifacts(id) ON DELETE RESTRICT
+);
+
+CREATE INDEX IF NOT EXISTS idx_obs_input ON observations(input_id);
+
+-- ============================================================
+-- \u8A8D\u8A3C\u60C5\u5831
+-- ============================================================
+CREATE TABLE IF NOT EXISTS credentials (
+  id                    TEXT PRIMARY KEY,
+  service_id            TEXT NOT NULL,
+  endpoint_id           TEXT,               -- HTTP \u306E\u5834\u5408\u306E\u307F\uFF08\u4EFB\u610F\uFF09
+  username              TEXT NOT NULL,
+  secret                TEXT NOT NULL,
+  secret_type           TEXT NOT NULL,       -- "password" | "token" | "api_key" | "ssh_key"
+  source                TEXT NOT NULL,       -- "brute_force" | "default" | "leaked" | "manual"
+  confidence            TEXT NOT NULL,       -- "high" | "medium" | "low"
+  evidence_artifact_id  TEXT NOT NULL,
+  created_at            TEXT NOT NULL,
+  FOREIGN KEY (service_id)           REFERENCES services(id)       ON DELETE CASCADE,
+  FOREIGN KEY (endpoint_id)          REFERENCES http_endpoints(id) ON DELETE SET NULL,
+  FOREIGN KEY (evidence_artifact_id) REFERENCES artifacts(id)      ON DELETE RESTRICT
+);
+
+CREATE INDEX IF NOT EXISTS idx_creds_service  ON credentials(service_id);
+CREATE INDEX IF NOT EXISTS idx_creds_endpoint ON credentials(endpoint_id);
+
+-- ============================================================
+-- \u8106\u5F31\u6027
+-- ============================================================
+CREATE TABLE IF NOT EXISTS vulnerabilities (
+  id                    TEXT PRIMARY KEY,
+  service_id            TEXT NOT NULL,
+  endpoint_id           TEXT,               -- HTTP \u306E\u5834\u5408\u306E\u307F\uFF08\u4EFB\u610F\uFF09
+  vuln_type             TEXT NOT NULL,       -- "sqli" | "xss" | "rce" | "lfi" | "ssrf" | ...
+  title                 TEXT NOT NULL,
+  description           TEXT,
+  severity              TEXT NOT NULL,       -- "critical" | "high" | "medium" | "low" | "info"
+  confidence            TEXT NOT NULL,       -- "high" | "medium" | "low"
+  evidence_artifact_id  TEXT NOT NULL,
+  created_at            TEXT NOT NULL,
+  FOREIGN KEY (service_id)           REFERENCES services(id)       ON DELETE CASCADE,
+  FOREIGN KEY (endpoint_id)          REFERENCES http_endpoints(id) ON DELETE SET NULL,
+  FOREIGN KEY (evidence_artifact_id) REFERENCES artifacts(id)      ON DELETE RESTRICT
+);
+
+CREATE INDEX IF NOT EXISTS idx_vulns_service  ON vulnerabilities(service_id);
+CREATE INDEX IF NOT EXISTS idx_vulns_endpoint ON vulnerabilities(endpoint_id);
+CREATE INDEX IF NOT EXISTS idx_vulns_severity ON vulnerabilities(severity);
+
+-- ============================================================
+-- CVE \u60C5\u5831
+-- ============================================================
+CREATE TABLE IF NOT EXISTS cves (
+  id                TEXT PRIMARY KEY,
+  vulnerability_id  TEXT NOT NULL,
+  cve_id            TEXT NOT NULL,          -- "CVE-YYYY-NNNNN"
+  description       TEXT,
+  cvss_score        REAL,
+  cvss_vector       TEXT,
+  reference_url     TEXT,
+  created_at        TEXT NOT NULL,
+  FOREIGN KEY (vulnerability_id) REFERENCES vulnerabilities(id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS idx_cves_vuln ON cves(vulnerability_id);
+CREATE INDEX IF NOT EXISTS idx_cves_cveid ON cves(cve_id);
+`;
+
+// src/db/migrate.ts
+function migrateDatabase(db2) {
+  db2.pragma("foreign_keys = ON");
+  db2.exec(SCHEMA_SQL);
+}
+
+// src/mcp/server.ts
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+
+// src/mcp/tools/query.ts
+import { z } from "zod";
+
+// src/db/repository/host-repository.ts
+import crypto from "crypto";
+function rowToHost(row) {
+  return {
+    id: row.id,
+    authorityKind: row.authority_kind,
+    authority: row.authority,
+    resolvedIpsJson: row.resolved_ips_json,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at
+  };
+}
+var HostRepository = class {
+  db;
+  constructor(db2) {
+    this.db = db2;
+  }
+  /** Insert a new Host and return the full entity. */
+  create(input) {
+    const id = crypto.randomUUID();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const stmt = this.db.prepare(
+      `INSERT INTO hosts (id, authority_kind, authority, resolved_ips_json, created_at, updated_at)
+       VALUES (?, ?, ?, ?, ?, ?)`
+    );
+    stmt.run(
+      id,
+      input.authorityKind,
+      input.authority,
+      input.resolvedIpsJson,
+      now,
+      now
+    );
+    return {
+      id,
+      authorityKind: input.authorityKind,
+      authority: input.authority,
+      resolvedIpsJson: input.resolvedIpsJson,
+      createdAt: now,
+      updatedAt: now
+    };
+  }
+  /** Find a Host by its primary key. Returns undefined if not found. */
+  findById(id) {
+    const stmt = this.db.prepare(
+      `SELECT id, authority_kind, authority, resolved_ips_json, created_at, updated_at
+       FROM hosts
+       WHERE id = ?`
+    );
+    const row = stmt.get(id);
+    return row ? rowToHost(row) : void 0;
+  }
+  /** Return all Hosts. */
+  findAll() {
+    const stmt = this.db.prepare(
+      `SELECT id, authority_kind, authority, resolved_ips_json, created_at, updated_at
+       FROM hosts`
+    );
+    const rows = stmt.all();
+    return rows.map(rowToHost);
+  }
+  /** Find a Host by its unique authority value. Returns undefined if not found. */
+  findByAuthority(authority) {
+    const stmt = this.db.prepare(
+      `SELECT id, authority_kind, authority, resolved_ips_json, created_at, updated_at
+       FROM hosts
+       WHERE authority = ?`
+    );
+    const row = stmt.get(authority);
+    return row ? rowToHost(row) : void 0;
+  }
+  /**
+   * Update an existing Host with the provided fields.
+   * Always bumps `updated_at`. Returns the updated entity, or undefined if
+   * the Host was not found.
+   */
+  update(id, input) {
+    const setClauses = [];
+    const params = [];
+    if (input.resolvedIpsJson !== void 0) {
+      setClauses.push("resolved_ips_json = ?");
+      params.push(input.resolvedIpsJson);
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    setClauses.push("updated_at = ?");
+    params.push(now);
+    params.push(id);
+    const sql = `UPDATE hosts SET ${setClauses.join(", ")} WHERE id = ?`;
+    const stmt = this.db.prepare(sql);
+    const result = stmt.run(...params);
+    if (result.changes === 0) {
+      return void 0;
+    }
+    return this.findById(id);
+  }
+  /** Delete a Host by id. Returns true if a row was deleted. */
+  delete(id) {
+    const stmt = this.db.prepare("DELETE FROM hosts WHERE id = ?");
+    const result = stmt.run(id);
+    return result.changes > 0;
+  }
+};
+
+// src/db/repository/service-repository.ts
+import crypto2 from "crypto";
+function rowToService(row) {
+  return {
+    id: row.id,
+    hostId: row.host_id,
+    transport: row.transport,
+    port: row.port,
+    appProto: row.app_proto,
+    protoConfidence: row.proto_confidence,
+    banner: row.banner ?? void 0,
+    product: row.product ?? void 0,
+    version: row.version ?? void 0,
+    state: row.state,
+    evidenceArtifactId: row.evidence_artifact_id,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at
+  };
+}
+var ServiceRepository = class {
+  db;
+  constructor(db2) {
+    this.db = db2;
+  }
+  /** Insert a new Service and return the full entity. */
+  create(input) {
+    const id = crypto2.randomUUID();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const stmt = this.db.prepare(
+      `INSERT INTO services (id, host_id, transport, port, app_proto, proto_confidence, banner, product, version, state, evidence_artifact_id, created_at, updated_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+    );
+    stmt.run(
+      id,
+      input.hostId,
+      input.transport,
+      input.port,
+      input.appProto,
+      input.protoConfidence,
+      input.banner ?? null,
+      input.product ?? null,
+      input.version ?? null,
+      input.state,
+      input.evidenceArtifactId,
+      now,
+      now
+    );
+    return {
+      id,
+      hostId: input.hostId,
+      transport: input.transport,
+      port: input.port,
+      appProto: input.appProto,
+      protoConfidence: input.protoConfidence,
+      banner: input.banner,
+      product: input.product,
+      version: input.version,
+      state: input.state,
+      evidenceArtifactId: input.evidenceArtifactId,
+      createdAt: now,
+      updatedAt: now
+    };
+  }
+  /** Find a Service by its primary key. Returns undefined if not found. */
+  findById(id) {
+    const stmt = this.db.prepare(
+      `SELECT id, host_id, transport, port, app_proto, proto_confidence, banner, product, version, state, evidence_artifact_id, created_at, updated_at
+       FROM services
+       WHERE id = ?`
+    );
+    const row = stmt.get(id);
+    return row ? rowToService(row) : void 0;
+  }
+  /** Find all Services belonging to a given host. */
+  findByHostId(hostId) {
+    const stmt = this.db.prepare(
+      `SELECT id, host_id, transport, port, app_proto, proto_confidence, banner, product, version, state, evidence_artifact_id, created_at, updated_at
+       FROM services
+       WHERE host_id = ?`
+    );
+    const rows = stmt.all(hostId);
+    return rows.map(rowToService);
+  }
+  /**
+   * Update an existing Service with the provided fields.
+   * Always bumps `updated_at`. Returns the updated entity, or undefined if
+   * the Service was not found.
+   */
+  update(id, input) {
+    const setClauses = [];
+    const params = [];
+    if (input.appProto !== void 0) {
+      setClauses.push("app_proto = ?");
+      params.push(input.appProto);
+    }
+    if (input.protoConfidence !== void 0) {
+      setClauses.push("proto_confidence = ?");
+      params.push(input.protoConfidence);
+    }
+    if (input.banner !== void 0) {
+      setClauses.push("banner = ?");
+      params.push(input.banner);
+    }
+    if (input.product !== void 0) {
+      setClauses.push("product = ?");
+      params.push(input.product);
+    }
+    if (input.version !== void 0) {
+      setClauses.push("version = ?");
+      params.push(input.version);
+    }
+    if (input.state !== void 0) {
+      setClauses.push("state = ?");
+      params.push(input.state);
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    setClauses.push("updated_at = ?");
+    params.push(now);
+    params.push(id);
+    const sql = `UPDATE services SET ${setClauses.join(", ")} WHERE id = ?`;
+    const stmt = this.db.prepare(sql);
+    const result = stmt.run(...params);
+    if (result.changes === 0) {
+      return void 0;
+    }
+    return this.findById(id);
+  }
+  /** Delete a Service by id. Returns true if a row was deleted. */
+  delete(id) {
+    const stmt = this.db.prepare("DELETE FROM services WHERE id = ?");
+    const result = stmt.run(id);
+    return result.changes > 0;
+  }
+};
+
+// src/db/repository/vhost-repository.ts
+import crypto3 from "crypto";
+function rowToVhost(row) {
+  return {
+    id: row.id,
+    hostId: row.host_id,
+    hostname: row.hostname,
+    source: row.source ?? void 0,
+    evidenceArtifactId: row.evidence_artifact_id,
+    createdAt: row.created_at
+  };
+}
+var VhostRepository = class {
+  db;
+  constructor(db2) {
+    this.db = db2;
+  }
+  /** Insert a new Vhost and return the full entity. */
+  create(input) {
+    const id = crypto3.randomUUID();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const stmt = this.db.prepare(
+      `INSERT INTO vhosts (id, host_id, hostname, source, evidence_artifact_id, created_at)
+       VALUES (?, ?, ?, ?, ?, ?)`
+    );
+    stmt.run(
+      id,
+      input.hostId,
+      input.hostname,
+      input.source ?? null,
+      input.evidenceArtifactId,
+      now
+    );
+    return {
+      id,
+      hostId: input.hostId,
+      hostname: input.hostname,
+      source: input.source,
+      evidenceArtifactId: input.evidenceArtifactId,
+      createdAt: now
+    };
+  }
+  /** Find a Vhost by its primary key. Returns undefined if not found. */
+  findById(id) {
+    const stmt = this.db.prepare(
+      `SELECT id, host_id, hostname, source, evidence_artifact_id, created_at
+       FROM vhosts
+       WHERE id = ?`
+    );
+    const row = stmt.get(id);
+    return row ? rowToVhost(row) : void 0;
+  }
+  /** Return all Vhosts belonging to a given host. */
+  findByHostId(hostId) {
+    const stmt = this.db.prepare(
+      `SELECT id, host_id, hostname, source, evidence_artifact_id, created_at
+       FROM vhosts
+       WHERE host_id = ?`
+    );
+    const rows = stmt.all(hostId);
+    return rows.map(rowToVhost);
+  }
+  /** Delete a Vhost by id. Returns true if a row was deleted. */
+  delete(id) {
+    const stmt = this.db.prepare("DELETE FROM vhosts WHERE id = ?");
+    const result = stmt.run(id);
+    return result.changes > 0;
+  }
+};
+
+// src/db/repository/http-endpoint-repository.ts
+import crypto4 from "crypto";
+function rowToHttpEndpoint(row) {
+  return {
+    id: row.id,
+    serviceId: row.service_id,
+    vhostId: row.vhost_id ?? void 0,
+    baseUri: row.base_uri,
+    method: row.method,
+    path: row.path,
+    statusCode: row.status_code ?? void 0,
+    contentLength: row.content_length ?? void 0,
+    words: row.words ?? void 0,
+    lines: row.lines ?? void 0,
+    evidenceArtifactId: row.evidence_artifact_id,
+    createdAt: row.created_at
+  };
+}
+var HttpEndpointRepository = class {
+  db;
+  constructor(db2) {
+    this.db = db2;
+  }
+  /** Insert a new HttpEndpoint and return the full entity. */
+  create(input) {
+    const id = crypto4.randomUUID();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const stmt = this.db.prepare(
+      `INSERT INTO http_endpoints (id, service_id, vhost_id, base_uri, method, path, status_code, content_length, words, lines, evidence_artifact_id, created_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+    );
+    stmt.run(
+      id,
+      input.serviceId,
+      input.vhostId ?? null,
+      input.baseUri,
+      input.method,
+      input.path,
+      input.statusCode ?? null,
+      input.contentLength ?? null,
+      input.words ?? null,
+      input.lines ?? null,
+      input.evidenceArtifactId,
+      now
+    );
+    return {
+      id,
+      serviceId: input.serviceId,
+      vhostId: input.vhostId,
+      baseUri: input.baseUri,
+      method: input.method,
+      path: input.path,
+      statusCode: input.statusCode,
+      contentLength: input.contentLength,
+      words: input.words,
+      lines: input.lines,
+      evidenceArtifactId: input.evidenceArtifactId,
+      createdAt: now
+    };
+  }
+  /** Find an HttpEndpoint by its primary key. Returns undefined if not found. */
+  findById(id) {
+    const stmt = this.db.prepare(
+      `SELECT id, service_id, vhost_id, base_uri, method, path, status_code, content_length, words, lines, evidence_artifact_id, created_at
+       FROM http_endpoints
+       WHERE id = ?`
+    );
+    const row = stmt.get(id);
+    return row ? rowToHttpEndpoint(row) : void 0;
+  }
+  /** Return all HttpEndpoints for a given service. */
+  findByServiceId(serviceId) {
+    const stmt = this.db.prepare(
+      `SELECT id, service_id, vhost_id, base_uri, method, path, status_code, content_length, words, lines, evidence_artifact_id, created_at
+       FROM http_endpoints
+       WHERE service_id = ?`
+    );
+    const rows = stmt.all(serviceId);
+    return rows.map(rowToHttpEndpoint);
+  }
+  /** Delete an HttpEndpoint by id. Returns true if a row was deleted. */
+  delete(id) {
+    const stmt = this.db.prepare(
+      "DELETE FROM http_endpoints WHERE id = ?"
+    );
+    const result = stmt.run(id);
+    return result.changes > 0;
+  }
+};
+
+// src/db/repository/input-repository.ts
+import crypto5 from "crypto";
+function rowToInput(row) {
+  return {
+    id: row.id,
+    serviceId: row.service_id,
+    location: row.location,
+    name: row.name,
+    typeHint: row.type_hint ?? void 0,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at
+  };
+}
+var InputRepository = class {
+  db;
+  constructor(db2) {
+    this.db = db2;
+  }
+  /** Insert a new Input and return the full entity. */
+  create(input) {
+    const id = crypto5.randomUUID();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const stmt = this.db.prepare(
+      `INSERT INTO inputs (id, service_id, location, name, type_hint, created_at, updated_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?)`
+    );
+    stmt.run(
+      id,
+      input.serviceId,
+      input.location,
+      input.name,
+      input.typeHint ?? null,
+      now,
+      now
+    );
+    return {
+      id,
+      serviceId: input.serviceId,
+      location: input.location,
+      name: input.name,
+      typeHint: input.typeHint,
+      createdAt: now,
+      updatedAt: now
+    };
+  }
+  /** Find an Input by its primary key. Returns undefined if not found. */
+  findById(id) {
+    const stmt = this.db.prepare(
+      `SELECT id, service_id, location, name, type_hint, created_at, updated_at
+       FROM inputs
+       WHERE id = ?`
+    );
+    const row = stmt.get(id);
+    return row ? rowToInput(row) : void 0;
+  }
+  /**
+   * Find all Inputs for a given service.
+   * If location is provided, further filter by location.
+   */
+  findByServiceId(serviceId, location) {
+    if (location !== void 0) {
+      const stmt2 = this.db.prepare(
+        `SELECT id, service_id, location, name, type_hint, created_at, updated_at
+         FROM inputs
+         WHERE service_id = ? AND location = ?`
+      );
+      const rows2 = stmt2.all(serviceId, location);
+      return rows2.map(rowToInput);
+    }
+    const stmt = this.db.prepare(
+      `SELECT id, service_id, location, name, type_hint, created_at, updated_at
+       FROM inputs
+       WHERE service_id = ?`
+    );
+    const rows = stmt.all(serviceId);
+    return rows.map(rowToInput);
+  }
+  /**
+   * Update an existing Input with the provided fields.
+   * Always bumps `updated_at`. Returns the updated entity, or undefined if
+   * the Input was not found.
+   */
+  update(id, input) {
+    const setClauses = [];
+    const params = [];
+    if (input.typeHint !== void 0) {
+      setClauses.push("type_hint = ?");
+      params.push(input.typeHint);
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    setClauses.push("updated_at = ?");
+    params.push(now);
+    params.push(id);
+    const sql = `UPDATE inputs SET ${setClauses.join(", ")} WHERE id = ?`;
+    const stmt = this.db.prepare(sql);
+    const result = stmt.run(...params);
+    if (result.changes === 0) {
+      return void 0;
+    }
+    return this.findById(id);
+  }
+  /** Delete an Input by id. Returns true if a row was deleted. */
+  delete(id) {
+    const stmt = this.db.prepare("DELETE FROM inputs WHERE id = ?");
+    const result = stmt.run(id);
+    return result.changes > 0;
+  }
+};
+
+// src/db/repository/observation-repository.ts
+import crypto6 from "crypto";
+function rowToObservation(row) {
+  return {
+    id: row.id,
+    inputId: row.input_id,
+    rawValue: row.raw_value,
+    normValue: row.norm_value,
+    bodyPath: row.body_path ?? void 0,
+    source: row.source,
+    confidence: row.confidence,
+    evidenceArtifactId: row.evidence_artifact_id,
+    observedAt: row.observed_at
+  };
+}
+var ObservationRepository = class {
+  db;
+  constructor(db2) {
+    this.db = db2;
+  }
+  /** Insert a new Observation and return the full entity. */
+  create(input) {
+    const id = crypto6.randomUUID();
+    const stmt = this.db.prepare(
+      `INSERT INTO observations (id, input_id, raw_value, norm_value, body_path, source, confidence, evidence_artifact_id, observed_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`
+    );
+    stmt.run(
+      id,
+      input.inputId,
+      input.rawValue,
+      input.normValue,
+      input.bodyPath ?? null,
+      input.source,
+      input.confidence,
+      input.evidenceArtifactId,
+      input.observedAt
+    );
+    return {
+      id,
+      inputId: input.inputId,
+      rawValue: input.rawValue,
+      normValue: input.normValue,
+      bodyPath: input.bodyPath,
+      source: input.source,
+      confidence: input.confidence,
+      evidenceArtifactId: input.evidenceArtifactId,
+      observedAt: input.observedAt
+    };
+  }
+  /** Find an Observation by its primary key. Returns undefined if not found. */
+  findById(id) {
+    const stmt = this.db.prepare(
+      `SELECT id, input_id, raw_value, norm_value, body_path, source, confidence, evidence_artifact_id, observed_at
+       FROM observations
+       WHERE id = ?`
+    );
+    const row = stmt.get(id);
+    return row ? rowToObservation(row) : void 0;
+  }
+  /** Return all Observations for a given input ID. */
+  findByInputId(inputId) {
+    const stmt = this.db.prepare(
+      `SELECT id, input_id, raw_value, norm_value, body_path, source, confidence, evidence_artifact_id, observed_at
+       FROM observations
+       WHERE input_id = ?`
+    );
+    const rows = stmt.all(inputId);
+    return rows.map(rowToObservation);
+  }
+  /** Delete an Observation by id. Returns true if a row was deleted. */
+  delete(id) {
+    const stmt = this.db.prepare("DELETE FROM observations WHERE id = ?");
+    const result = stmt.run(id);
+    return result.changes > 0;
+  }
+};
+
+// src/db/repository/credential-repository.ts
+import crypto7 from "crypto";
+function rowToCredential(row) {
+  return {
+    id: row.id,
+    serviceId: row.service_id,
+    endpointId: row.endpoint_id ?? void 0,
+    username: row.username,
+    secret: row.secret,
+    secretType: row.secret_type,
+    source: row.source,
+    confidence: row.confidence,
+    evidenceArtifactId: row.evidence_artifact_id,
+    createdAt: row.created_at
+  };
+}
+var CredentialRepository = class {
+  db;
+  constructor(db2) {
+    this.db = db2;
+  }
+  /** Insert a new Credential and return the full entity. */
+  create(input) {
+    const id = crypto7.randomUUID();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const stmt = this.db.prepare(
+      `INSERT INTO credentials (id, service_id, endpoint_id, username, secret, secret_type, source, confidence, evidence_artifact_id, created_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+    );
+    stmt.run(
+      id,
+      input.serviceId,
+      input.endpointId ?? null,
+      input.username,
+      input.secret,
+      input.secretType,
+      input.source,
+      input.confidence,
+      input.evidenceArtifactId,
+      now
+    );
+    return {
+      id,
+      serviceId: input.serviceId,
+      endpointId: input.endpointId ?? void 0,
+      username: input.username,
+      secret: input.secret,
+      secretType: input.secretType,
+      source: input.source,
+      confidence: input.confidence,
+      evidenceArtifactId: input.evidenceArtifactId,
+      createdAt: now
+    };
+  }
+  /** Find a Credential by its primary key. Returns undefined if not found. */
+  findById(id) {
+    const stmt = this.db.prepare(
+      `SELECT id, service_id, endpoint_id, username, secret, secret_type, source, confidence, evidence_artifact_id, created_at
+       FROM credentials
+       WHERE id = ?`
+    );
+    const row = stmt.get(id);
+    return row ? rowToCredential(row) : void 0;
+  }
+  /** Return all Credentials for a given service. */
+  findByServiceId(serviceId) {
+    const stmt = this.db.prepare(
+      `SELECT id, service_id, endpoint_id, username, secret, secret_type, source, confidence, evidence_artifact_id, created_at
+       FROM credentials
+       WHERE service_id = ?`
+    );
+    const rows = stmt.all(serviceId);
+    return rows.map(rowToCredential);
+  }
+  /** Return all Credentials across all services. */
+  findAll() {
+    const stmt = this.db.prepare(
+      `SELECT id, service_id, endpoint_id, username, secret, secret_type, source, confidence, evidence_artifact_id, created_at
+       FROM credentials`
+    );
+    const rows = stmt.all();
+    return rows.map(rowToCredential);
+  }
+  /** Delete a Credential by id. Returns true if a row was deleted. */
+  delete(id) {
+    const stmt = this.db.prepare("DELETE FROM credentials WHERE id = ?");
+    const result = stmt.run(id);
+    return result.changes > 0;
+  }
+};
+
+// src/db/repository/vulnerability-repository.ts
+import crypto8 from "crypto";
+function rowToVulnerability(row) {
+  return {
+    id: row.id,
+    serviceId: row.service_id,
+    endpointId: row.endpoint_id ?? void 0,
+    vulnType: row.vuln_type,
+    title: row.title,
+    description: row.description ?? void 0,
+    severity: row.severity,
+    confidence: row.confidence,
+    evidenceArtifactId: row.evidence_artifact_id,
+    createdAt: row.created_at
+  };
+}
+var VulnerabilityRepository = class {
+  db;
+  constructor(db2) {
+    this.db = db2;
+  }
+  /** Insert a new Vulnerability and return the full entity. */
+  create(input) {
+    const id = crypto8.randomUUID();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const stmt = this.db.prepare(
+      `INSERT INTO vulnerabilities (id, service_id, endpoint_id, vuln_type, title, description, severity, confidence, evidence_artifact_id, created_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+    );
+    stmt.run(
+      id,
+      input.serviceId,
+      input.endpointId ?? null,
+      input.vulnType,
+      input.title,
+      input.description ?? null,
+      input.severity,
+      input.confidence,
+      input.evidenceArtifactId,
+      now
+    );
+    return {
+      id,
+      serviceId: input.serviceId,
+      endpointId: input.endpointId,
+      vulnType: input.vulnType,
+      title: input.title,
+      description: input.description,
+      severity: input.severity,
+      confidence: input.confidence,
+      evidenceArtifactId: input.evidenceArtifactId,
+      createdAt: now
+    };
+  }
+  /** Find a Vulnerability by its primary key. Returns undefined if not found. */
+  findById(id) {
+    const stmt = this.db.prepare(
+      `SELECT id, service_id, endpoint_id, vuln_type, title, description, severity, confidence, evidence_artifact_id, created_at
+       FROM vulnerabilities
+       WHERE id = ?`
+    );
+    const row = stmt.get(id);
+    return row ? rowToVulnerability(row) : void 0;
+  }
+  /**
+   * Return all Vulnerabilities for a given service.
+   * Optionally filter by severity when the parameter is provided.
+   */
+  findByServiceId(serviceId, severity) {
+    if (severity !== void 0) {
+      const stmt2 = this.db.prepare(
+        `SELECT id, service_id, endpoint_id, vuln_type, title, description, severity, confidence, evidence_artifact_id, created_at
+         FROM vulnerabilities
+         WHERE service_id = ? AND severity = ?`
+      );
+      const rows2 = stmt2.all(serviceId, severity);
+      return rows2.map(rowToVulnerability);
+    }
+    const stmt = this.db.prepare(
+      `SELECT id, service_id, endpoint_id, vuln_type, title, description, severity, confidence, evidence_artifact_id, created_at
+       FROM vulnerabilities
+       WHERE service_id = ?`
+    );
+    const rows = stmt.all(serviceId);
+    return rows.map(rowToVulnerability);
+  }
+  /**
+   * Return all Vulnerabilities across all services.
+   * Optionally filter by severity when the parameter is provided.
+   */
+  findAll(severity) {
+    if (severity !== void 0) {
+      const stmt2 = this.db.prepare(
+        `SELECT id, service_id, endpoint_id, vuln_type, title, description, severity, confidence, evidence_artifact_id, created_at
+         FROM vulnerabilities
+         WHERE severity = ?`
+      );
+      const rows2 = stmt2.all(severity);
+      return rows2.map(rowToVulnerability);
+    }
+    const stmt = this.db.prepare(
+      `SELECT id, service_id, endpoint_id, vuln_type, title, description, severity, confidence, evidence_artifact_id, created_at
+       FROM vulnerabilities`
+    );
+    const rows = stmt.all();
+    return rows.map(rowToVulnerability);
+  }
+  /** Delete a Vulnerability by id. Returns true if a row was deleted. */
+  delete(id) {
+    const stmt = this.db.prepare("DELETE FROM vulnerabilities WHERE id = ?");
+    const result = stmt.run(id);
+    return result.changes > 0;
+  }
+};
+
+// src/mcp/tools/query.ts
+function registerQueryTools(server2, db2) {
+  const hostRepo = new HostRepository(db2);
+  const serviceRepo = new ServiceRepository(db2);
+  const vhostRepo = new VhostRepository(db2);
+  const httpEndpointRepo = new HttpEndpointRepository(db2);
+  const inputRepo = new InputRepository(db2);
+  const observationRepo = new ObservationRepository(db2);
+  const credentialRepo = new CredentialRepository(db2);
+  const vulnRepo = new VulnerabilityRepository(db2);
+  server2.tool("list_hosts", "List all discovered hosts", {}, async () => {
+    const hosts = hostRepo.findAll();
+    return { content: [{ type: "text", text: JSON.stringify(hosts, null, 2) }] };
+  });
+  server2.tool(
+    "get_host",
+    "Get detailed information about a host including services and vhosts",
+    { hostId: z.string().describe("Host UUID") },
+    async ({ hostId }) => {
+      const host = hostRepo.findById(hostId);
+      if (!host) {
+        return { content: [{ type: "text", text: `Host not found: ${hostId}` }], isError: true };
+      }
+      const services = serviceRepo.findByHostId(hostId);
+      const vhosts = vhostRepo.findByHostId(hostId);
+      const result = { ...host, services, vhosts };
+      return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+    }
+  );
+  server2.tool(
+    "list_services",
+    "List all services for a host",
+    { hostId: z.string().describe("Host UUID") },
+    async ({ hostId }) => {
+      const services = serviceRepo.findByHostId(hostId);
+      return { content: [{ type: "text", text: JSON.stringify(services, null, 2) }] };
+    }
+  );
+  server2.tool(
+    "list_endpoints",
+    "List all HTTP endpoints for a service",
+    { serviceId: z.string().describe("Service UUID") },
+    async ({ serviceId }) => {
+      const endpoints = httpEndpointRepo.findByServiceId(serviceId);
+      return { content: [{ type: "text", text: JSON.stringify(endpoints, null, 2) }] };
+    }
+  );
+  server2.tool(
+    "list_inputs",
+    "List all input parameters for a service, optionally filtered by location",
+    {
+      serviceId: z.string().describe("Service UUID"),
+      location: z.string().optional().describe("Filter by location (query, path, body, header, cookie)")
+    },
+    async ({ serviceId, location }) => {
+      const inputs = inputRepo.findByServiceId(serviceId, location);
+      return { content: [{ type: "text", text: JSON.stringify(inputs, null, 2) }] };
+    }
+  );
+  server2.tool(
+    "list_observations",
+    "List all observations for an input parameter",
+    { inputId: z.string().describe("Input UUID") },
+    async ({ inputId }) => {
+      const observations = observationRepo.findByInputId(inputId);
+      return { content: [{ type: "text", text: JSON.stringify(observations, null, 2) }] };
+    }
+  );
+  server2.tool(
+    "list_credentials",
+    "List credentials, optionally filtered by service",
+    {
+      serviceId: z.string().optional().describe("Service UUID (optional, omit to list all)")
+    },
+    async ({ serviceId }) => {
+      const credentials = serviceId ? credentialRepo.findByServiceId(serviceId) : credentialRepo.findAll();
+      return { content: [{ type: "text", text: JSON.stringify(credentials, null, 2) }] };
+    }
+  );
+  server2.tool(
+    "list_vulnerabilities",
+    "List vulnerabilities, optionally filtered by service and/or severity",
+    {
+      serviceId: z.string().optional().describe("Service UUID (optional, omit to list all)"),
+      severity: z.string().optional().describe("Filter by severity (critical, high, medium, low, info)")
+    },
+    async ({ serviceId, severity }) => {
+      const vulns = serviceId ? vulnRepo.findByServiceId(serviceId, severity) : vulnRepo.findAll(severity);
+      return { content: [{ type: "text", text: JSON.stringify(vulns, null, 2) }] };
+    }
+  );
+}
+
+// src/mcp/tools/ingest.ts
+import { z as z2 } from "zod";
+
+// src/engine/ingest.ts
+import fs from "fs";
+import crypto13 from "crypto";
+import path from "path";
+
+// src/db/repository/artifact-repository.ts
+import crypto9 from "crypto";
+function rowToArtifact(row) {
+  return {
+    id: row.id,
+    ...row.scan_id !== null ? { scanId: row.scan_id } : {},
+    tool: row.tool,
+    kind: row.kind,
+    path: row.path,
+    ...row.sha256 !== null ? { sha256: row.sha256 } : {},
+    capturedAt: row.captured_at,
+    ...row.attrs_json !== null ? { attrsJson: row.attrs_json } : {}
+  };
+}
+var ArtifactRepository = class {
+  db;
+  insertStmt;
+  selectByIdStmt;
+  selectAllStmt;
+  selectByToolStmt;
+  constructor(db2) {
+    this.db = db2;
+    this.insertStmt = this.db.prepare(
+      "INSERT INTO artifacts (id, scan_id, tool, kind, path, sha256, captured_at, attrs_json) VALUES (?, ?, ?, ?, ?, ?, ?, ?)"
+    );
+    this.selectByIdStmt = this.db.prepare(
+      "SELECT id, scan_id, tool, kind, path, sha256, captured_at, attrs_json FROM artifacts WHERE id = ?"
+    );
+    this.selectAllStmt = this.db.prepare(
+      "SELECT id, scan_id, tool, kind, path, sha256, captured_at, attrs_json FROM artifacts"
+    );
+    this.selectByToolStmt = this.db.prepare(
+      "SELECT id, scan_id, tool, kind, path, sha256, captured_at, attrs_json FROM artifacts WHERE tool = ?"
+    );
+  }
+  /** Create a new Artifact record and return the full entity. */
+  create(input) {
+    const id = crypto9.randomUUID();
+    this.insertStmt.run(
+      id,
+      input.scanId ?? null,
+      input.tool,
+      input.kind,
+      input.path,
+      input.sha256 ?? null,
+      input.capturedAt,
+      input.attrsJson ?? null
+    );
+    return {
+      id,
+      ...input.scanId !== void 0 ? { scanId: input.scanId } : {},
+      tool: input.tool,
+      kind: input.kind,
+      path: input.path,
+      ...input.sha256 !== void 0 ? { sha256: input.sha256 } : {},
+      capturedAt: input.capturedAt,
+      ...input.attrsJson !== void 0 ? { attrsJson: input.attrsJson } : {}
+    };
+  }
+  /** Find an Artifact by its UUID. Returns undefined if not found. */
+  findById(id) {
+    const row = this.selectByIdStmt.get(id);
+    if (row === void 0) {
+      return void 0;
+    }
+    return rowToArtifact(row);
+  }
+  /** Return all Artifact records. */
+  findAll() {
+    const rows = this.selectAllStmt.all();
+    return rows.map(rowToArtifact);
+  }
+  /** Return all Artifact records for the given tool name. */
+  findByTool(tool) {
+    const rows = this.selectByToolStmt.all(tool);
+    return rows.map(rowToArtifact);
+  }
+};
+
+// src/parser/nmap-parser.ts
+import { XMLParser } from "fast-xml-parser";
+
+// src/types/parser.ts
+function emptyParseResult() {
+  return {
+    hosts: [],
+    services: [],
+    serviceObservations: [],
+    httpEndpoints: [],
+    inputs: [],
+    endpointInputs: [],
+    observations: [],
+    vulnerabilities: [],
+    cves: []
+  };
+}
+
+// src/parser/nmap-parser.ts
+function ensureArray(value) {
+  if (value === void 0 || value === null) {
+    return [];
+  }
+  return Array.isArray(value) ? value : [value];
+}
+function toProtoConfidence(conf) {
+  const n = conf !== void 0 ? Number(conf) : 0;
+  if (n === 10) return "high";
+  if (n >= 7) return "medium";
+  return "low";
+}
+function toOsConfidence(accuracy) {
+  const n = Number(accuracy);
+  if (n >= 90) return "high";
+  if (n >= 50) return "medium";
+  return "low";
+}
+function isHttps(service) {
+  return service["@_name"] === "https" || service["@_tunnel"] === "ssl";
+}
+function buildBanner(service) {
+  const parts = [];
+  if (service["@_product"]) parts.push(service["@_product"]);
+  if (service["@_version"]) parts.push(service["@_version"]);
+  if (service["@_extrainfo"]) parts.push(service["@_extrainfo"]);
+  return parts.length > 0 ? parts.join(" ") : void 0;
+}
+function getIpv4Address(addresses) {
+  const ipv4 = addresses.find((a) => a["@_addrtype"] === "ipv4");
+  return ipv4?.["@_addr"];
+}
+function parseNmapXml(xml) {
+  const parser = new XMLParser({
+    ignoreAttributes: false,
+    attributeNamePrefix: "@_",
+    allowBooleanAttributes: true
+  });
+  const parsed = parser.parse(xml);
+  const nmapRun = parsed;
+  const result = emptyParseResult();
+  const hosts = ensureArray(nmapRun.nmaprun?.host);
+  for (const host of hosts) {
+    processHost(host, result);
+  }
+  return result;
+}
+function processHost(host, result) {
+  const addresses = ensureArray(host.address);
+  const authority = getIpv4Address(addresses);
+  if (authority === void 0) {
+    return;
+  }
+  const parsedHost = {
+    authority,
+    authorityKind: "IP"
+  };
+  result.hosts.push(parsedHost);
+  const ports = ensureArray(host.ports?.port);
+  const services = [];
+  for (const port of ports) {
+    const service = processPort(port, authority);
+    services.push(service);
+    result.services.push(service);
+  }
+  const osMatches = ensureArray(host.os?.osmatch);
+  if (osMatches.length > 0) {
+    processOsMatches(osMatches, authority, services, result);
+  }
+}
+function processPort(port, hostAuthority) {
+  const service = port.service;
+  const serviceName = service?.["@_name"] ?? "";
+  const appProto = service !== void 0 && isHttps(service) ? "https" : serviceName;
+  const banner = service !== void 0 ? buildBanner(service) : void 0;
+  const protoConfidence = toProtoConfidence(service?.["@_conf"]);
+  return {
+    hostAuthority,
+    transport: port["@_protocol"],
+    port: Number(port["@_portid"]),
+    appProto,
+    protoConfidence,
+    banner,
+    product: service?.["@_product"],
+    version: service?.["@_version"],
+    state: port.state["@_state"]
+  };
+}
+function processOsMatches(osMatches, hostAuthority, services, result) {
+  const firstService = services.length > 0 ? services[0] : void 0;
+  const transport2 = firstService?.transport ?? "tcp";
+  const port = firstService?.port ?? 0;
+  for (const osMatch of osMatches) {
+    const observation = {
+      hostAuthority,
+      transport: transport2,
+      port,
+      key: "os",
+      value: osMatch["@_name"],
+      confidence: toOsConfidence(osMatch["@_accuracy"])
+    };
+    result.serviceObservations.push(observation);
+  }
+}
+
+// src/parser/ffuf-parser.ts
+var IP_REGEX = /^\d{1,3}(\.\d{1,3}){3}$/;
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function validateFfufJson(raw) {
+  if (!isRecord(raw)) {
+    throw new Error("ffuf JSON: root must be an object");
+  }
+  if (typeof raw["commandline"] !== "string") {
+    throw new Error("ffuf JSON: commandline must be a string");
+  }
+  const config = raw["config"];
+  if (!isRecord(config)) {
+    throw new Error("ffuf JSON: config must be an object");
+  }
+  if (typeof config["url"] !== "string" || typeof config["method"] !== "string") {
+    throw new Error("ffuf JSON: config.url and config.method must be strings");
+  }
+  if (!Array.isArray(raw["results"])) {
+    throw new Error("ffuf JSON: results must be an array");
+  }
+  const results = [];
+  for (const item of raw["results"]) {
+    if (!isRecord(item)) {
+      throw new Error("ffuf JSON: each result must be an object");
+    }
+    results.push({
+      input: isRecord(item["input"]) ? Object.fromEntries(
+        Object.entries(item["input"]).map(([k, v]) => [
+          k,
+          String(v)
+        ])
+      ) : {},
+      status: typeof item["status"] === "number" ? item["status"] : 0,
+      length: typeof item["length"] === "number" ? item["length"] : 0,
+      words: typeof item["words"] === "number" ? item["words"] : 0,
+      lines: typeof item["lines"] === "number" ? item["lines"] : 0,
+      url: typeof item["url"] === "string" ? item["url"] : "",
+      host: typeof item["host"] === "string" ? item["host"] : ""
+    });
+  }
+  return {
+    commandline: raw["commandline"],
+    config: {
+      url: config["url"],
+      method: config["method"]
+    },
+    results
+  };
+}
+function parseUrl(urlStr) {
+  const parsed = new URL(urlStr);
+  const scheme = parsed.protocol.replace(":", "");
+  let port;
+  if (parsed.port !== "") {
+    port = Number(parsed.port);
+  } else {
+    port = scheme === "https" ? 443 : 80;
+  }
+  return {
+    scheme,
+    hostname: parsed.hostname,
+    port,
+    pathname: parsed.pathname,
+    searchParams: parsed.searchParams
+  };
+}
+function determineAuthorityKind(hostname) {
+  return IP_REGEX.test(hostname) ? "IP" : "DOMAIN";
+}
+function parseFfufJson(jsonContent) {
+  const raw = JSON.parse(jsonContent);
+  const ffuf = validateFfufJson(raw);
+  const method = ffuf.config.method;
+  if (ffuf.results.length === 0) {
+    return emptyParseResult();
+  }
+  const hostsMap = /* @__PURE__ */ new Map();
+  const servicesMap = /* @__PURE__ */ new Map();
+  const endpointsMap = /* @__PURE__ */ new Map();
+  const inputsMap = /* @__PURE__ */ new Map();
+  const endpointInputsMap = /* @__PURE__ */ new Map();
+  const observationsMap = /* @__PURE__ */ new Map();
+  for (const result of ffuf.results) {
+    if (result.url === "") {
+      continue;
+    }
+    const parsed = parseUrl(result.url);
+    const { scheme, hostname, port, pathname, searchParams } = parsed;
+    const authorityKind = determineAuthorityKind(hostname);
+    const baseUri = `${scheme}://${hostname}:${port}`;
+    if (!hostsMap.has(hostname)) {
+      hostsMap.set(hostname, {
+        authority: hostname,
+        authorityKind
+      });
+    }
+    const serviceKey = `${hostname}:${port}`;
+    if (!servicesMap.has(serviceKey)) {
+      servicesMap.set(serviceKey, {
+        hostAuthority: hostname,
+        transport: "tcp",
+        port,
+        appProto: scheme,
+        protoConfidence: "high",
+        state: "open"
+      });
+    }
+    const endpointKey = `${method}:${pathname}`;
+    if (!endpointsMap.has(endpointKey)) {
+      endpointsMap.set(endpointKey, {
+        hostAuthority: hostname,
+        port,
+        baseUri,
+        method,
+        path: pathname,
+        statusCode: result.status,
+        contentLength: result.length,
+        words: result.words,
+        lines: result.lines
+      });
+    }
+    for (const [paramName, paramValue] of searchParams.entries()) {
+      if (!inputsMap.has(paramName)) {
+        inputsMap.set(paramName, {
+          hostAuthority: hostname,
+          port,
+          location: "query",
+          name: paramName
+        });
+      }
+      const eiKey = `${method}:${pathname}:query:${paramName}`;
+      if (!endpointInputsMap.has(eiKey)) {
+        endpointInputsMap.set(eiKey, {
+          hostAuthority: hostname,
+          port,
+          method,
+          path: pathname,
+          inputLocation: "query",
+          inputName: paramName
+        });
+      }
+      const obsKey = `query:${paramName}:${paramValue}`;
+      if (!observationsMap.has(obsKey)) {
+        observationsMap.set(obsKey, {
+          hostAuthority: hostname,
+          port,
+          inputLocation: "query",
+          inputName: paramName,
+          rawValue: paramValue,
+          normValue: paramValue,
+          source: "ffuf_url",
+          confidence: "high"
+        });
+      }
+    }
+  }
+  return {
+    hosts: [...hostsMap.values()],
+    services: [...servicesMap.values()],
+    serviceObservations: [],
+    httpEndpoints: [...endpointsMap.values()],
+    inputs: [...inputsMap.values()],
+    endpointInputs: [...endpointInputsMap.values()],
+    observations: [...observationsMap.values()],
+    vulnerabilities: [],
+    cves: []
+  };
+}
+
+// src/parser/nuclei-parser.ts
+function isRecord2(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isStringArray(value) {
+  return Array.isArray(value) && value.every((item) => typeof item === "string");
+}
+function isNucleiClassification(value) {
+  if (!isRecord2(value)) return false;
+  if ("cve-id" in value && !isStringArray(value["cve-id"])) return false;
+  if ("cvss-metrics" in value && typeof value["cvss-metrics"] !== "string" && value["cvss-metrics"] !== void 0)
+    return false;
+  if ("cvss-score" in value && typeof value["cvss-score"] !== "number" && value["cvss-score"] !== void 0)
+    return false;
+  return true;
+}
+function isNucleiInfo(value) {
+  if (!isRecord2(value)) return false;
+  if (typeof value.name !== "string") return false;
+  if (typeof value.severity !== "string") return false;
+  if (!isStringArray(value.tags)) return false;
+  if ("classification" in value && value.classification !== void 0 && !isNucleiClassification(value.classification))
+    return false;
+  return true;
+}
+function isNucleiFinding(value) {
+  if (!isRecord2(value)) return false;
+  if (typeof value["template-id"] !== "string") return false;
+  if (!isNucleiInfo(value.info)) return false;
+  if (typeof value.type !== "string") return false;
+  if (typeof value.host !== "string") return false;
+  if (typeof value["matched-at"] !== "string") return false;
+  if (typeof value.ip !== "string") return false;
+  if (typeof value.port !== "string") return false;
+  if (typeof value.scheme !== "string") return false;
+  if (typeof value.url !== "string") return false;
+  return true;
+}
+function extractRawPathname(urlStr) {
+  const schemeEnd = urlStr.indexOf("://");
+  if (schemeEnd === -1) {
+    return "/";
+  }
+  const afterAuthority = urlStr.indexOf("/", schemeEnd + 3);
+  if (afterAuthority === -1) {
+    return "/";
+  }
+  const queryStart = urlStr.indexOf("?", afterAuthority);
+  const fragmentStart = urlStr.indexOf("#", afterAuthority);
+  let pathEnd = urlStr.length;
+  if (queryStart !== -1 && queryStart < pathEnd) {
+    pathEnd = queryStart;
+  }
+  if (fragmentStart !== -1 && fragmentStart < pathEnd) {
+    pathEnd = fragmentStart;
+  }
+  return urlStr.substring(afterAuthority, pathEnd);
+}
+function inferVulnType(tags) {
+  const priorityTags = ["sqli", "xss", "rce", "lfi", "ssrf"];
+  for (const tag of priorityTags) {
+    if (tags.includes(tag)) {
+      return tag;
+    }
+  }
+  return "other";
+}
+function parseNucleiJsonl(jsonl) {
+  const result = emptyParseResult();
+  if (jsonl.trim() === "") {
+    return result;
+  }
+  const lines = jsonl.split("\n");
+  const seenHosts = /* @__PURE__ */ new Set();
+  const seenServices = /* @__PURE__ */ new Set();
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed === "") {
+      continue;
+    }
+    const parsed = JSON.parse(trimmed);
+    if (!isNucleiFinding(parsed)) {
+      continue;
+    }
+    processFinding(parsed, result, seenHosts, seenServices);
+  }
+  return result;
+}
+function processFinding(finding, result, seenHosts, seenServices) {
+  const ip = finding.ip;
+  const port = Number(finding.port);
+  const scheme = finding.scheme;
+  const matchedAt = finding["matched-at"];
+  if (!seenHosts.has(ip)) {
+    seenHosts.add(ip);
+    const host = {
+      authority: ip,
+      authorityKind: "IP"
+    };
+    result.hosts.push(host);
+  }
+  const serviceKey = `${ip}:${port}`;
+  if (!seenServices.has(serviceKey)) {
+    seenServices.add(serviceKey);
+    const service = {
+      hostAuthority: ip,
+      transport: "tcp",
+      port,
+      appProto: scheme,
+      protoConfidence: "high",
+      state: "open"
+    };
+    result.services.push(service);
+  }
+  const rawPath = extractRawPathname(matchedAt);
+  const baseUri = `${scheme}://${ip}:${port}`;
+  const endpoint = {
+    hostAuthority: ip,
+    port,
+    baseUri,
+    method: "GET",
+    path: rawPath
+  };
+  result.httpEndpoints.push(endpoint);
+  const info = finding.info;
+  const vulnerability = {
+    hostAuthority: ip,
+    port,
+    method: "GET",
+    path: rawPath,
+    vulnType: inferVulnType(info.tags),
+    title: info.name,
+    severity: info.severity,
+    confidence: "high"
+  };
+  result.vulnerabilities.push(vulnerability);
+  const classification = info.classification;
+  if (classification !== void 0 && isRecord2(classification) && "cve-id" in classification && isStringArray(classification["cve-id"]) && classification["cve-id"].length > 0) {
+    for (const cveId of classification["cve-id"]) {
+      const cve = {
+        vulnerabilityTitle: info.name,
+        cveId,
+        cvssScore: classification["cvss-score"],
+        cvssVector: classification["cvss-metrics"]
+      };
+      result.cves.push(cve);
+    }
+  }
+}
+
+// src/db/repository/service-observation-repository.ts
+import crypto10 from "crypto";
+function rowToServiceObservation(row) {
+  return {
+    id: row.id,
+    serviceId: row.service_id,
+    key: row.key,
+    value: row.value,
+    confidence: row.confidence,
+    evidenceArtifactId: row.evidence_artifact_id,
+    createdAt: row.created_at
+  };
+}
+var ServiceObservationRepository = class {
+  db;
+  constructor(db2) {
+    this.db = db2;
+  }
+  /** Insert a new ServiceObservation and return the full entity. */
+  create(input) {
+    const id = crypto10.randomUUID();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const stmt = this.db.prepare(
+      `INSERT INTO service_observations (id, service_id, key, value, confidence, evidence_artifact_id, created_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?)`
+    );
+    stmt.run(
+      id,
+      input.serviceId,
+      input.key,
+      input.value,
+      input.confidence,
+      input.evidenceArtifactId,
+      now
+    );
+    return {
+      id,
+      serviceId: input.serviceId,
+      key: input.key,
+      value: input.value,
+      confidence: input.confidence,
+      evidenceArtifactId: input.evidenceArtifactId,
+      createdAt: now
+    };
+  }
+  /** Find a ServiceObservation by its primary key. Returns undefined if not found. */
+  findById(id) {
+    const stmt = this.db.prepare(
+      `SELECT id, service_id, key, value, confidence, evidence_artifact_id, created_at
+       FROM service_observations
+       WHERE id = ?`
+    );
+    const row = stmt.get(id);
+    return row ? rowToServiceObservation(row) : void 0;
+  }
+  /** Return all ServiceObservations for a given service. */
+  findByServiceId(serviceId) {
+    const stmt = this.db.prepare(
+      `SELECT id, service_id, key, value, confidence, evidence_artifact_id, created_at
+       FROM service_observations
+       WHERE service_id = ?`
+    );
+    const rows = stmt.all(serviceId);
+    return rows.map(rowToServiceObservation);
+  }
+  /** Delete a ServiceObservation by id. Returns true if a row was deleted. */
+  delete(id) {
+    const stmt = this.db.prepare("DELETE FROM service_observations WHERE id = ?");
+    const result = stmt.run(id);
+    return result.changes > 0;
+  }
+};
+
+// src/db/repository/endpoint-input-repository.ts
+import crypto11 from "crypto";
+function rowToEndpointInput(row) {
+  return {
+    id: row.id,
+    endpointId: row.endpoint_id,
+    inputId: row.input_id,
+    evidenceArtifactId: row.evidence_artifact_id,
+    createdAt: row.created_at
+  };
+}
+var EndpointInputRepository = class {
+  db;
+  constructor(db2) {
+    this.db = db2;
+  }
+  /** Insert a new EndpointInput and return the full entity. */
+  create(input) {
+    const id = crypto11.randomUUID();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const stmt = this.db.prepare(
+      `INSERT INTO endpoint_inputs (id, endpoint_id, input_id, evidence_artifact_id, created_at)
+       VALUES (?, ?, ?, ?, ?)`
+    );
+    stmt.run(
+      id,
+      input.endpointId,
+      input.inputId,
+      input.evidenceArtifactId,
+      now
+    );
+    return {
+      id,
+      endpointId: input.endpointId,
+      inputId: input.inputId,
+      evidenceArtifactId: input.evidenceArtifactId,
+      createdAt: now
+    };
+  }
+  /** Find an EndpointInput by its primary key. Returns undefined if not found. */
+  findById(id) {
+    const stmt = this.db.prepare(
+      `SELECT id, endpoint_id, input_id, evidence_artifact_id, created_at
+       FROM endpoint_inputs
+       WHERE id = ?`
+    );
+    const row = stmt.get(id);
+    return row ? rowToEndpointInput(row) : void 0;
+  }
+  /** Find all EndpointInputs for a given endpoint. */
+  findByEndpointId(endpointId) {
+    const stmt = this.db.prepare(
+      `SELECT id, endpoint_id, input_id, evidence_artifact_id, created_at
+       FROM endpoint_inputs
+       WHERE endpoint_id = ?`
+    );
+    const rows = stmt.all(endpointId);
+    return rows.map(rowToEndpointInput);
+  }
+  /** Find all EndpointInputs for a given input. */
+  findByInputId(inputId) {
+    const stmt = this.db.prepare(
+      `SELECT id, endpoint_id, input_id, evidence_artifact_id, created_at
+       FROM endpoint_inputs
+       WHERE input_id = ?`
+    );
+    const rows = stmt.all(inputId);
+    return rows.map(rowToEndpointInput);
+  }
+  /** Delete an EndpointInput by id. Returns true if a row was deleted. */
+  delete(id) {
+    const stmt = this.db.prepare("DELETE FROM endpoint_inputs WHERE id = ?");
+    const result = stmt.run(id);
+    return result.changes > 0;
+  }
+};
+
+// src/db/repository/cve-repository.ts
+import crypto12 from "crypto";
+function rowToCve(row) {
+  return {
+    id: row.id,
+    vulnerabilityId: row.vulnerability_id,
+    cveId: row.cve_id,
+    description: row.description ?? void 0,
+    cvssScore: row.cvss_score ?? void 0,
+    cvssVector: row.cvss_vector ?? void 0,
+    referenceUrl: row.reference_url ?? void 0,
+    createdAt: row.created_at
+  };
+}
+var CveRepository = class {
+  db;
+  constructor(db2) {
+    this.db = db2;
+  }
+  /** Insert a new Cve and return the full entity. */
+  create(input) {
+    const id = crypto12.randomUUID();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const stmt = this.db.prepare(
+      `INSERT INTO cves (id, vulnerability_id, cve_id, description, cvss_score, cvss_vector, reference_url, created_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
+    );
+    stmt.run(
+      id,
+      input.vulnerabilityId,
+      input.cveId,
+      input.description ?? null,
+      input.cvssScore ?? null,
+      input.cvssVector ?? null,
+      input.referenceUrl ?? null,
+      now
+    );
+    return {
+      id,
+      vulnerabilityId: input.vulnerabilityId,
+      cveId: input.cveId,
+      description: input.description,
+      cvssScore: input.cvssScore,
+      cvssVector: input.cvssVector,
+      referenceUrl: input.referenceUrl,
+      createdAt: now
+    };
+  }
+  /** Find a Cve by its primary key. Returns undefined if not found. */
+  findById(id) {
+    const stmt = this.db.prepare(
+      `SELECT id, vulnerability_id, cve_id, description, cvss_score, cvss_vector, reference_url, created_at
+       FROM cves
+       WHERE id = ?`
+    );
+    const row = stmt.get(id);
+    return row ? rowToCve(row) : void 0;
+  }
+  /** Return all Cves associated with a given vulnerability. */
+  findByVulnerabilityId(vulnerabilityId) {
+    const stmt = this.db.prepare(
+      `SELECT id, vulnerability_id, cve_id, description, cvss_score, cvss_vector, reference_url, created_at
+       FROM cves
+       WHERE vulnerability_id = ?`
+    );
+    const rows = stmt.all(vulnerabilityId);
+    return rows.map(rowToCve);
+  }
+  /** Delete a Cve by id. Returns true if a row was deleted. */
+  delete(id) {
+    const stmt = this.db.prepare("DELETE FROM cves WHERE id = ?");
+    const result = stmt.run(id);
+    return result.changes > 0;
+  }
+};
+
+// src/engine/normalizer.ts
+function normalize(db2, artifactId, parseResult) {
+  const hostRepo = new HostRepository(db2);
+  const serviceRepo = new ServiceRepository(db2);
+  const serviceObsRepo = new ServiceObservationRepository(db2);
+  const httpEndpointRepo = new HttpEndpointRepository(db2);
+  const inputRepo = new InputRepository(db2);
+  const endpointInputRepo = new EndpointInputRepository(db2);
+  const observationRepo = new ObservationRepository(db2);
+  const vulnRepo = new VulnerabilityRepository(db2);
+  const cveRepo = new CveRepository(db2);
+  const run = db2.transaction(() => {
+    const result = {
+      hostsCreated: 0,
+      servicesCreated: 0,
+      serviceObservationsCreated: 0,
+      httpEndpointsCreated: 0,
+      inputsCreated: 0,
+      endpointInputsCreated: 0,
+      observationsCreated: 0,
+      vulnerabilitiesCreated: 0,
+      cvesCreated: 0
+    };
+    const hostIdByAuthority = /* @__PURE__ */ new Map();
+    const serviceIdByKey = /* @__PURE__ */ new Map();
+    const endpointIdByKey = /* @__PURE__ */ new Map();
+    const inputIdByKey = /* @__PURE__ */ new Map();
+    const vulnIdByTitle = /* @__PURE__ */ new Map();
+    for (const parsed of parseResult.hosts) {
+      const existing = hostRepo.findByAuthority(parsed.authority);
+      if (existing) {
+        hostIdByAuthority.set(parsed.authority, existing.id);
+      } else {
+        const host = hostRepo.create({
+          authorityKind: parsed.authorityKind,
+          authority: parsed.authority,
+          resolvedIpsJson: JSON.stringify(parsed.resolvedIps ?? [])
+        });
+        hostIdByAuthority.set(parsed.authority, host.id);
+        result.hostsCreated++;
+      }
+    }
+    for (const parsed of parseResult.services) {
+      const hostId = hostIdByAuthority.get(parsed.hostAuthority);
+      if (!hostId) continue;
+      const svcKey = `${hostId}:${parsed.transport}:${parsed.port}`;
+      if (serviceIdByKey.has(svcKey)) continue;
+      const existingServices = serviceRepo.findByHostId(hostId);
+      const existing = existingServices.find(
+        (s) => s.transport === parsed.transport && s.port === parsed.port
+      );
+      if (existing) {
+        serviceIdByKey.set(svcKey, existing.id);
+      } else {
+        const service = serviceRepo.create({
+          hostId,
+          transport: parsed.transport,
+          port: parsed.port,
+          appProto: parsed.appProto,
+          protoConfidence: parsed.protoConfidence,
+          banner: parsed.banner,
+          product: parsed.product,
+          version: parsed.version,
+          state: parsed.state,
+          evidenceArtifactId: artifactId
+        });
+        serviceIdByKey.set(svcKey, service.id);
+        result.servicesCreated++;
+      }
+    }
+    function resolveServiceId(hostAuthority, port) {
+      const hostId = hostIdByAuthority.get(hostAuthority);
+      if (!hostId) return void 0;
+      return serviceIdByKey.get(`${hostId}:tcp:${port}`);
+    }
+    for (const parsed of parseResult.serviceObservations) {
+      const hostId = hostIdByAuthority.get(parsed.hostAuthority);
+      if (!hostId) continue;
+      const svcKey = `${hostId}:${parsed.transport}:${parsed.port}`;
+      const serviceId = serviceIdByKey.get(svcKey);
+      if (!serviceId) continue;
+      serviceObsRepo.create({
+        serviceId,
+        key: parsed.key,
+        value: parsed.value,
+        confidence: parsed.confidence,
+        evidenceArtifactId: artifactId
+      });
+      result.serviceObservationsCreated++;
+    }
+    for (const parsed of parseResult.httpEndpoints) {
+      const serviceId = resolveServiceId(parsed.hostAuthority, parsed.port);
+      if (!serviceId) continue;
+      const epKey = `${serviceId}:${parsed.method}:${parsed.path}`;
+      if (endpointIdByKey.has(epKey)) continue;
+      const existingEndpoints = httpEndpointRepo.findByServiceId(serviceId);
+      const existing = existingEndpoints.find(
+        (e) => e.method === parsed.method && e.path === parsed.path
+      );
+      if (existing) {
+        endpointIdByKey.set(epKey, existing.id);
+      } else {
+        const endpoint = httpEndpointRepo.create({
+          serviceId,
+          baseUri: parsed.baseUri,
+          method: parsed.method,
+          path: parsed.path,
+          statusCode: parsed.statusCode,
+          contentLength: parsed.contentLength,
+          words: parsed.words,
+          lines: parsed.lines,
+          evidenceArtifactId: artifactId
+        });
+        endpointIdByKey.set(epKey, endpoint.id);
+        result.httpEndpointsCreated++;
+      }
+    }
+    for (const parsed of parseResult.inputs) {
+      const serviceId = resolveServiceId(parsed.hostAuthority, parsed.port);
+      if (!serviceId) continue;
+      const inKey = `${serviceId}:${parsed.location}:${parsed.name}`;
+      if (inputIdByKey.has(inKey)) continue;
+      const existingInputs = inputRepo.findByServiceId(serviceId);
+      const existing = existingInputs.find(
+        (i) => i.location === parsed.location && i.name === parsed.name
+      );
+      if (existing) {
+        inputIdByKey.set(inKey, existing.id);
+      } else {
+        const input = inputRepo.create({
+          serviceId,
+          location: parsed.location,
+          name: parsed.name,
+          typeHint: parsed.typeHint
+        });
+        inputIdByKey.set(inKey, input.id);
+        result.inputsCreated++;
+      }
+    }
+    for (const parsed of parseResult.endpointInputs) {
+      const serviceId = resolveServiceId(parsed.hostAuthority, parsed.port);
+      if (!serviceId) continue;
+      const epKey = `${serviceId}:${parsed.method}:${parsed.path}`;
+      const endpointId = endpointIdByKey.get(epKey);
+      if (!endpointId) continue;
+      const inKey = `${serviceId}:${parsed.inputLocation}:${parsed.inputName}`;
+      const inputId = inputIdByKey.get(inKey);
+      if (!inputId) continue;
+      const existingLinks = endpointInputRepo.findByEndpointId(endpointId);
+      const alreadyLinked = existingLinks.some((l) => l.inputId === inputId);
+      if (alreadyLinked) continue;
+      endpointInputRepo.create({
+        endpointId,
+        inputId,
+        evidenceArtifactId: artifactId
+      });
+      result.endpointInputsCreated++;
+    }
+    for (const parsed of parseResult.observations) {
+      const serviceId = resolveServiceId(parsed.hostAuthority, parsed.port);
+      if (!serviceId) continue;
+      const inKey = `${serviceId}:${parsed.inputLocation}:${parsed.inputName}`;
+      const inputId = inputIdByKey.get(inKey);
+      if (!inputId) continue;
+      observationRepo.create({
+        inputId,
+        rawValue: parsed.rawValue,
+        normValue: parsed.normValue,
+        source: parsed.source,
+        confidence: parsed.confidence,
+        evidenceArtifactId: artifactId,
+        observedAt: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      result.observationsCreated++;
+    }
+    for (const parsed of parseResult.vulnerabilities) {
+      const serviceId = resolveServiceId(parsed.hostAuthority, parsed.port);
+      if (!serviceId) continue;
+      let endpointId;
+      if (parsed.method && parsed.path) {
+        const epKey = `${serviceId}:${parsed.method}:${parsed.path}`;
+        endpointId = endpointIdByKey.get(epKey);
+      }
+      const vuln = vulnRepo.create({
+        serviceId,
+        endpointId,
+        vulnType: parsed.vulnType,
+        title: parsed.title,
+        description: parsed.description,
+        severity: parsed.severity,
+        confidence: parsed.confidence,
+        evidenceArtifactId: artifactId
+      });
+      vulnIdByTitle.set(parsed.title, vuln.id);
+      result.vulnerabilitiesCreated++;
+    }
+    for (const parsed of parseResult.cves) {
+      const vulnId = vulnIdByTitle.get(parsed.vulnerabilityTitle);
+      if (!vulnId) continue;
+      cveRepo.create({
+        vulnerabilityId: vulnId,
+        cveId: parsed.cveId,
+        description: parsed.description,
+        cvssScore: parsed.cvssScore,
+        cvssVector: parsed.cvssVector,
+        referenceUrl: parsed.referenceUrl
+      });
+      result.cvesCreated++;
+    }
+    return result;
+  });
+  return run();
+}
+
+// src/engine/ingest.ts
+function ingestContent(db2, tool, content, filePath) {
+  const sha256 = crypto13.createHash("sha256").update(content).digest("hex");
+  const artifactRepo = new ArtifactRepository(db2);
+  const artifact = artifactRepo.create({
+    tool,
+    kind: "tool_output",
+    path: filePath,
+    sha256,
+    capturedAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  let parseResult;
+  switch (tool) {
+    case "nmap":
+      parseResult = parseNmapXml(content);
+      break;
+    case "ffuf":
+      parseResult = parseFfufJson(content);
+      break;
+    case "nuclei":
+      parseResult = parseNucleiJsonl(content);
+      break;
+    default: {
+      const _exhaustive = tool;
+      throw new Error(`Unknown tool: ${String(_exhaustive)}`);
+    }
+  }
+  const normalizeResult = normalize(db2, artifact.id, parseResult);
+  return {
+    artifactId: artifact.id,
+    normalizeResult
+  };
+}
+function ingest(db2, input) {
+  const resolved = path.resolve(input.path);
+  const content = fs.readFileSync(resolved, "utf-8");
+  return ingestContent(db2, input.tool, content, resolved);
+}
+
+// src/mcp/tools/ingest.ts
+function registerIngestTool(server2, db2) {
+  server2.tool(
+    "ingest_file",
+    "Ingest a tool output file (nmap XML, ffuf JSON, nuclei JSONL) into the AttackDataGraph",
+    {
+      path: z2.string().describe("Absolute path to the tool output file"),
+      tool: z2.enum(["nmap", "ffuf", "nuclei"]).describe("Tool that produced the output")
+    },
+    async ({ path: path2, tool }) => {
+      try {
+        const result = ingest(db2, { path: path2, tool });
+        const nr = result.normalizeResult;
+        const summary = [
+          `Ingested ${tool} output from ${path2}`,
+          `Artifact ID: ${result.artifactId}`,
+          `Created: ${nr.hostsCreated} hosts, ${nr.servicesCreated} services, ${nr.httpEndpointsCreated} endpoints, ${nr.inputsCreated} inputs, ${nr.observationsCreated} observations, ${nr.vulnerabilitiesCreated} vulnerabilities, ${nr.cvesCreated} CVEs`
+        ].join("\n");
+        return { content: [{ type: "text", text: summary }] };
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return { content: [{ type: "text", text: `Ingest failed: ${message}` }], isError: true };
+      }
+    }
+  );
+}
+
+// src/mcp/tools/propose.ts
+import { z as z3 } from "zod";
+
+// src/engine/proposer.ts
+function propose(db2, hostId) {
+  const hostRepo = new HostRepository(db2);
+  const serviceRepo = new ServiceRepository(db2);
+  const httpEndpointRepo = new HttpEndpointRepository(db2);
+  const inputRepo = new InputRepository(db2);
+  const observationRepo = new ObservationRepository(db2);
+  const vhostRepo = new VhostRepository(db2);
+  const vulnRepo = new VulnerabilityRepository(db2);
+  const actions = [];
+  let hosts;
+  if (hostId !== void 0) {
+    const host = hostRepo.findById(hostId);
+    if (host === void 0) {
+      return [];
+    }
+    hosts = [host];
+  } else {
+    hosts = hostRepo.findAll();
+  }
+  for (const host of hosts) {
+    const services = serviceRepo.findByHostId(host.id);
+    if (services.length === 0) {
+      actions.push({
+        kind: "nmap_scan",
+        description: `Port scan ${host.authority} to discover services`,
+        command: `nmap -p- -sV ${host.authority}`,
+        params: { hostId: host.id }
+      });
+      continue;
+    }
+    for (const service of services) {
+      if (service.appProto !== "http" && service.appProto !== "https") {
+        continue;
+      }
+      const baseUri = `${service.appProto}://${host.authority}:${service.port}`;
+      proposeForHttpService(
+        actions,
+        host,
+        service,
+        baseUri,
+        httpEndpointRepo,
+        inputRepo,
+        observationRepo,
+        vhostRepo,
+        vulnRepo
+      );
+    }
+  }
+  return actions;
+}
+function proposeForHttpService(actions, host, service, baseUri, httpEndpointRepo, inputRepo, observationRepo, vhostRepo, vulnRepo) {
+  const endpoints = httpEndpointRepo.findByServiceId(service.id);
+  if (endpoints.length === 0) {
+    actions.push({
+      kind: "ffuf_discovery",
+      description: `Discover endpoints on ${baseUri}`,
+      command: `ffuf -u ${baseUri}/FUZZ -w /usr/share/wordlists/dirb/common.txt`,
+      params: { hostId: host.id, serviceId: service.id }
+    });
+  }
+  for (const endpoint of endpoints) {
+    const inputs = inputRepo.findByServiceId(service.id);
+    if (inputs.length === 0) {
+      actions.push({
+        kind: "parameter_discovery",
+        description: `Discover input parameters for ${baseUri}${endpoint.path}`,
+        params: { hostId: host.id, serviceId: service.id, endpointId: endpoint.id }
+      });
+    }
+    for (const input of inputs) {
+      const observations = observationRepo.findByInputId(input.id);
+      if (observations.length === 0) {
+        actions.push({
+          kind: "value_collection",
+          description: `Collect observed values for input "${input.name}" (${input.location})`,
+          params: {
+            hostId: host.id,
+            serviceId: service.id,
+            endpointId: endpoint.id,
+            inputId: input.id
+          }
+        });
+      }
+    }
+  }
+  const vhosts = vhostRepo.findByHostId(host.id);
+  if (vhosts.length === 0) {
+    actions.push({
+      kind: "vhost_discovery",
+      description: `Discover virtual hosts for ${host.authority}`,
+      params: { hostId: host.id, serviceId: service.id }
+    });
+  }
+  const vulns = vulnRepo.findByServiceId(service.id);
+  if (vulns.length === 0) {
+    actions.push({
+      kind: "nuclei_scan",
+      description: `Scan ${baseUri} for known vulnerabilities`,
+      command: `nuclei -u ${baseUri} -jsonl`,
+      params: { hostId: host.id, serviceId: service.id }
+    });
+  }
+}
+
+// src/mcp/tools/propose.ts
+function registerProposeTool(server2, db2) {
+  server2.tool(
+    "propose",
+    "Analyze the AttackDataGraph for missing data and propose next-step actions",
+    {
+      hostId: z3.string().optional().describe("Limit proposals to a specific host (optional)")
+    },
+    async ({ hostId }) => {
+      const actions = propose(db2, hostId);
+      if (actions.length === 0) {
+        return {
+          content: [{ type: "text", text: "No actions proposed. All discovered data appears complete." }]
+        };
+      }
+      return { content: [{ type: "text", text: JSON.stringify(actions, null, 2) }] };
+    }
+  );
+}
+
+// src/mcp/tools/mutation.ts
+import { z as z4 } from "zod";
+function getOrCreateManualArtifact(db2) {
+  const artifactRepo = new ArtifactRepository(db2);
+  const existing = artifactRepo.findByTool("manual");
+  if (existing.length > 0) {
+    return existing[0].id;
+  }
+  const artifact = artifactRepo.create({
+    tool: "manual",
+    kind: "manual_entry",
+    path: "manual",
+    capturedAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  return artifact.id;
+}
+function registerMutationTools(server2, db2) {
+  server2.tool(
+    "add_host",
+    "Manually add a host to the AttackDataGraph",
+    {
+      authority: z4.string().describe("IP address or domain name"),
+      authorityKind: z4.enum(["IP", "DOMAIN"]).describe("Type of authority")
+    },
+    async ({ authority, authorityKind }) => {
+      const hostRepo = new HostRepository(db2);
+      const existing = hostRepo.findByAuthority(authority);
+      if (existing) {
+        return {
+          content: [{ type: "text", text: `Host already exists: ${JSON.stringify(existing, null, 2)}` }]
+        };
+      }
+      const host = hostRepo.create({
+        authorityKind,
+        authority,
+        resolvedIpsJson: "[]"
+      });
+      return { content: [{ type: "text", text: JSON.stringify(host, null, 2) }] };
+    }
+  );
+  server2.tool(
+    "add_credential",
+    "Manually add a credential for a service",
+    {
+      serviceId: z4.string().describe("Service UUID"),
+      username: z4.string().describe("Username"),
+      secret: z4.string().describe("Secret value (password, token, etc.)"),
+      secretType: z4.enum(["password", "token", "api_key", "ssh_key"]).describe("Type of secret"),
+      source: z4.enum(["brute_force", "default", "leaked", "manual"]).describe("How the credential was obtained"),
+      confidence: z4.enum(["high", "medium", "low"]).describe("Confidence level").default("medium")
+    },
+    async ({ serviceId, username, secret, secretType, source, confidence }) => {
+      const artifactId = getOrCreateManualArtifact(db2);
+      const credentialRepo = new CredentialRepository(db2);
+      const credential = credentialRepo.create({
+        serviceId,
+        username,
+        secret,
+        secretType,
+        source,
+        confidence,
+        evidenceArtifactId: artifactId
+      });
+      return { content: [{ type: "text", text: JSON.stringify(credential, null, 2) }] };
+    }
+  );
+  server2.tool(
+    "add_vulnerability",
+    "Manually add a vulnerability for a service",
+    {
+      serviceId: z4.string().describe("Service UUID"),
+      vulnType: z4.string().describe("Vulnerability type (sqli, xss, rce, lfi, ssrf, etc.)"),
+      title: z4.string().describe("Vulnerability title"),
+      severity: z4.enum(["critical", "high", "medium", "low", "info"]).describe("Severity level"),
+      confidence: z4.enum(["high", "medium", "low"]).describe("Confidence level").default("medium"),
+      endpointId: z4.string().optional().describe("HTTP endpoint UUID (optional)"),
+      description: z4.string().optional().describe("Detailed description (optional)")
+    },
+    async ({ serviceId, vulnType, title, severity, confidence, endpointId, description }) => {
+      const artifactId = getOrCreateManualArtifact(db2);
+      const vulnRepo = new VulnerabilityRepository(db2);
+      const vuln = vulnRepo.create({
+        serviceId,
+        endpointId,
+        vulnType,
+        title,
+        description,
+        severity,
+        confidence,
+        evidenceArtifactId: artifactId
+      });
+      return { content: [{ type: "text", text: JSON.stringify(vuln, null, 2) }] };
+    }
+  );
+  server2.tool(
+    "link_cve",
+    "Link a CVE record to an existing vulnerability",
+    {
+      vulnerabilityId: z4.string().describe("Vulnerability UUID"),
+      cveId: z4.string().describe("CVE identifier (e.g. CVE-2021-44228)"),
+      description: z4.string().optional().describe("CVE description"),
+      cvssScore: z4.number().optional().describe("CVSS score (0.0 - 10.0)"),
+      cvssVector: z4.string().optional().describe("CVSS vector string"),
+      referenceUrl: z4.string().optional().describe("Reference URL")
+    },
+    async ({ vulnerabilityId, cveId, description, cvssScore, cvssVector, referenceUrl }) => {
+      const cveRepo = new CveRepository(db2);
+      const cve = cveRepo.create({
+        vulnerabilityId,
+        cveId,
+        description,
+        cvssScore,
+        cvssVector,
+        referenceUrl
+      });
+      return { content: [{ type: "text", text: JSON.stringify(cve, null, 2) }] };
+    }
+  );
+}
+
+// src/mcp/resources.ts
+function registerResources(server2, db2) {
+  const hostRepo = new HostRepository(db2);
+  const serviceRepo = new ServiceRepository(db2);
+  const vhostRepo = new VhostRepository(db2);
+  const httpEndpointRepo = new HttpEndpointRepository(db2);
+  const inputRepo = new InputRepository(db2);
+  const vulnRepo = new VulnerabilityRepository(db2);
+  server2.resource("hosts", "sonobat://hosts", { description: "List of all discovered hosts" }, async () => {
+    const hosts = hostRepo.findAll();
+    return {
+      contents: [
+        {
+          uri: "sonobat://hosts",
+          mimeType: "application/json",
+          text: JSON.stringify(hosts, null, 2)
+        }
+      ]
+    };
+  });
+  server2.resource(
+    "host-detail",
+    "sonobat://hosts/{id}",
+    { description: "Detailed host tree with services, endpoints, inputs, and vulnerabilities" },
+    async (uri) => {
+      const hostId = uri.pathname.split("/").pop() ?? "";
+      const host = hostRepo.findById(hostId);
+      if (!host) {
+        return {
+          contents: [
+            {
+              uri: uri.href,
+              mimeType: "application/json",
+              text: JSON.stringify({ error: `Host not found: ${hostId}` })
+            }
+          ]
+        };
+      }
+      const services = serviceRepo.findByHostId(hostId);
+      const vhosts = vhostRepo.findByHostId(hostId);
+      const serviceTree = services.map((service) => {
+        const endpoints = httpEndpointRepo.findByServiceId(service.id);
+        const inputs = inputRepo.findByServiceId(service.id);
+        const vulnerabilities = vulnRepo.findByServiceId(service.id);
+        return { ...service, endpoints, inputs, vulnerabilities };
+      });
+      const result = { ...host, services: serviceTree, vhosts };
+      return {
+        contents: [
+          {
+            uri: uri.href,
+            mimeType: "application/json",
+            text: JSON.stringify(result, null, 2)
+          }
+        ]
+      };
+    }
+  );
+  server2.resource(
+    "summary",
+    "sonobat://summary",
+    { description: "Summary statistics of the AttackDataGraph" },
+    async () => {
+      const counts = {};
+      const tables = [
+        "hosts",
+        "services",
+        "http_endpoints",
+        "inputs",
+        "observations",
+        "credentials",
+        "vulnerabilities",
+        "cves",
+        "vhosts",
+        "artifacts"
+      ];
+      for (const table of tables) {
+        const row = db2.prepare(`SELECT COUNT(*) as count FROM ${table}`).get();
+        counts[table] = row.count;
+      }
+      return {
+        contents: [
+          {
+            uri: "sonobat://summary",
+            mimeType: "application/json",
+            text: JSON.stringify(counts, null, 2)
+          }
+        ]
+      };
+    }
+  );
+}
+
+// src/mcp/server.ts
+function createMcpServer(db2) {
+  const server2 = new McpServer({
+    name: "sonobat",
+    version: "0.1.0"
+  });
+  registerQueryTools(server2, db2);
+  registerIngestTool(server2, db2);
+  registerProposeTool(server2, db2);
+  registerMutationTools(server2, db2);
+  registerResources(server2, db2);
+  return server2;
+}
+
+// src/index.ts
+var DB_PATH = process.env["SONOBAT_DB_PATH"] ?? "sonobat.db";
+var db = new Database(DB_PATH);
+migrateDatabase(db);
+var server = createMcpServer(db);
+var transport = new StdioServerTransport();
+await server.connect(transport);
+//# sourceMappingURL=index.js.map