@appland/scanner 1.40.3 → 1.44.0

package/doc/rules/queryFromView.md

@@ -0,0 +1,42 @@
+---
+rule: query-from-view
+name: Query from view
+title: Queries from view
+references:
+  CWE-1057: https://cwe.mitre.org/data/definitions/1057.html
+impactDomain: Maintainability
+---
+
+Ensures that SQL queries are not performed directly from the view layer. This helps to make the code
+more maintainable by encapsulating access to the database.
+
+### Notes
+
+Performing SQL queries directly from the view layer introduces several maintainability concerns:
+
+1. View logic is tied to the server, and cannot be refactored to the client side.
+2. Database interactions are harder to test, because they depend on details of the view
+   implementation.
+3. Performance can be adversely and unexpectedly affected by minor changes to the view.
+
+### Rule logic
+
+Each query is tested to see if it has an ancestor event with the view label.
+
+### Resolution
+
+Data objects which are passed to the view layer for rendering should not have access to the
+database. Disable database access in some way, or transfer data from DAO objects into plain old
+structs.
+
+### Options
+
+- `forbiddenLabel`. Label which identifies the view layer. Default: `mvc.template`.
+
+### Examples
+
+```yaml
+- rule: queryFromView
+  properties:
+    forbiddenLabel: mvc.template
+```

package/doc/rules/rpcWithoutCircuitBreaker.md

@@ -0,0 +1,44 @@
+---
+rule: rpc-without-circuit-breaker
+name: RPC without circuit breaker
+title: RPC without circuit breaker
+impactDomain: Stability
+labels:
+  - rpc.circuit_breaker
+---
+
+Identifies HTTP client requests which do not utilize a
+[circuit breaker](https://martinfowler.com/bliki/CircuitBreaker.html).
+
+### Rule logic
+
+Each HTTP client request is expected to have a descendant labeled with the expected label.
+
+### Notes
+
+Use the circuit breaker pattern in microservices architecture to make system behavior more
+predictable when a service becomes overloaded or unavailable.
+
+### Resolution
+
+Utilize a circuit breaker library - your organization may have a specific preference.
+
+Some examples:
+
+- [Hystrix (Java)](https://github.com/Netflix/Hystrix/wiki/How-it-Works#CircuitBreaker)
+- [CircuitBox (Ruby)](https://github.com/yammer/circuitbox)
+- [Semian (Ruby)](https://github.com/Shopify/semian#circuit-breaker)
+- [pybreaker (Python)](https://github.com/danielfm/pybreaker)
+
+### Options
+
+- `expectedLabel`. Label which identifies the circuit breaker function. Default:
+  `rpc.circuit_breaker`.
+
+### Examples
+
+```yaml
+- rule: rpcWithoutCircuitBreaker
+  properties:
+    expectedLabel: rpc.circuit_breaker
+```

package/doc/rules/saveWithoutValidation.md

@@ -0,0 +1,33 @@
+---
+rule: save-without-validation
+name: Save without validation
+title: Save without validation
+references:
+  CWE-20: https://cwe.mitre.org/data/definitions/20.html
+impactDomain: Stability
+---
+
+Ensures that data saved by data access object is validated first.
+
+### Rule logic
+
+Finds events whose method name is `save` or `save!`. Then verifies that each of these events has a
+descendant whose method name is `valid?` or `validate!`.
+
+### Notes
+
+In a future revision, this rule will be refactored to use labels rather than method names.
+
+### Resolution
+
+Ensure that data is validated before being saved; for example, using a `before_save` hook.
+
+### Options
+
+None
+
+### Examples
+
+```yaml
+- rule: saveWithoutValidation
+```

package/doc/rules/secretInLog.md

@@ -0,0 +1,49 @@
+---
+rule: secret-in-log
+name: Secret in log
+title: Secret in log
+references:
+  CWE-532: https://cwe.mitre.org/data/definitions/532.html
+impactDomain: Security
+labels:
+  - secret
+  - log
+---
+
+Identifies when a known or assumed secret is written to a log. Logs are often transported into other
+systems that are treated with lesser security - such as backups. Therefore, secrets written into log
+files are more likely to be leaked or discovered by cyber-attackers.
+
+### Rule logic
+
+Operation of this rule depends on two labels: `secret` and `log`. A function labeled `secret` is
+assumed to return a secret value - this rule keeps a running tally of all the secrets created in an
+AppMap. When a function labeled `log` is called, the rule looks at the log message, and checks
+whether any of the known secrets are in it.
+
+The log message is also tested against a list of known regular expressions that are likely to match
+secrets.
+
+### Notes
+
+Be sure and apply the `secret` label to any function in your code base that generates a secret (such
+as encryption keys, user tokens, API keys, reset tokens, etc.).
+
+### Resolution
+
+If the log message is written by code that you control, the simplest resolution is to remove the log
+statement - or to remove the secret from the log message.
+
+If the log message is not controlled by you (it's generated by a framework), your choices are more
+limited. You could open a pull request with the framework, or you can change the log level to
+suppress the offending message.
+
+### Options
+
+None
+
+### Examples
+
+```yaml
+- rule: secretInLog
+```

package/doc/rules/slowFunctionCall.md

@@ -0,0 +1,39 @@
+---
+rule: slow-function-call
+name: Slow function call
+title: Slow function call
+impactDomain: Performance
+scope: root
+---
+
+Ensures that function elapsed time does not exceed a threshold.
+
+### Rule logic
+
+Checks all configured functions to see if the elapsed time exceeds the configured threshold.
+
+### Notes
+
+This rule is most useful when applied to code that is specifically designed to test application
+performance.
+
+### Resolution
+
+Optimize the function elapsed time using a profiler, SQL tuning, etc.
+
+### Options
+
+- `functions: `[MatchPatternConfig](/docs/analysis/match-pattern-config.html)`[]` list of functions
+  to check. Required.
+- `timeAllowed` max time (in seconds) allowed for the function.
+
+### Examples
+
+```yaml
+- rule: slowFunctionCall
+  properties:
+    timeAllowed: 0.25
+    functions:
+      - match: ^app/models
+      - match: ^app/jobs
+```

package/doc/rules/slowHttpServerRequest.md

@@ -0,0 +1,34 @@
+---
+rule: slow-http-server-request
+name: Slow HTTP server request
+title: Slow HTTP server request
+impactDomain: Performance
+scope: http_server_request
+---
+
+Ensures that HTTP server request elapsed time does not exceed a threshold.
+
+### Rule logic
+
+Checks HTTP server requests to see if the elapsed time exceeds the configured threshold.
+
+### Notes
+
+This rule is most useful when applied to code that is specifically designed to test application
+performance.
+
+### Resolution
+
+Optimize the request elapsed time using a profiler, SQL tuning, etc.
+
+### Options
+
+- `timeAllowed` max time (in seconds) allowed for the request.
+
+### Examples
+
+```yaml
+- rule: slowHttpServerRequest
+  properties:
+    timeAllowed: 0.25
+```

package/doc/rules/slowQuery.md

@@ -0,0 +1,33 @@
+---
+rule: slow-query
+name: Slow query
+title: Slow SQL query
+impactDomain: Performance
+---
+
+Ensures that SQL query elapsed time does not exceed a threshold.
+
+### Rule logic
+
+Checks all configured queries to see if the elapsed time exceeds the configured threshold.
+
+### Notes
+
+This rule is most useful when applied to code that is specifically designed to test application
+performance.
+
+### Resolution
+
+Optimize the elapsed time using SQL tuning.
+
+### Options
+
+- `timeAllowed` max time (in seconds) allowed for the query.
+
+### Examples
+
+```yaml
+- rule: slowQuery
+  properties:
+    timeAllowed: 0.25
+```

package/doc/rules/tooManyJoins.md

@@ -0,0 +1,40 @@
+---
+rule: too-many-joins
+name: Too many joins
+title: Too many joins
+references:
+  CWE-1049: https://cwe.mitre.org/data/definitions/1049.html
+impactDomain: Performance
+scope: command
+---
+
+Verifies that the number of joins in SQL queries does not exceed a threshold.
+
+### Rule logic
+
+Counts the number of joins in each SQL query. If the count exceeds the configured threshold, a
+finding is reported.
+
+### Notes
+
+Queries with too many joins often have poor or unpredictable performance.
+
+### Resolution
+
+Having multiple joins may be legitimate - but it is a situation that merits a closer look,
+especially when the query is generated by an ORM.
+
+Take a look at a query plan from a database that has a realistically high volume of data, and verify
+that the query can be executed efficiently.
+
+### Options
+
+- `warningLimit` the maximum number of joins allowed.
+
+### Examples
+
+```yaml
+- rule: tooManyJoins
+  properties:
+    warningLimit: 5
+```

package/doc/rules/tooManyUpdates.md

@@ -0,0 +1,46 @@
+---
+rule: too-many-updates
+name: Too many updates
+title: Too many SQL and RPC updates performed in one command
+references:
+  CWE-1048: https://cwe.mitre.org/data/definitions/1048.html
+impactDomain: Maintainability
+scope: command
+---
+
+Verifies that the number of SQL and RPC updates performed by a command does not exceed a threshold.
+
+### Rule logic
+
+Counts the number of SQL and RPC updates in each command. A SQL update is any `INSERT` or `UPDATE`
+query. An RPC update is an HTTP client request that uses `PUT`, `POST`, or `PATCH`.
+
+If the number of updates exceeds the threshold, a finding is reported.
+
+### Notes
+
+As a codebase evolves, sometimes a request can start to make more and more SQL and RPC updates.There
+are several negative repercussions of this:
+
+1. It's no longer clear to a developer what the primary responsibility of the command is.
+2. The command becomes more likely to fail - resulting in a rollback of all the updates, or possibly
+   leaving the system in an inconsistent state.
+3. The performance of the command degrades as it does more and more work.
+
+### Resolution
+
+Consider refactoring the command into multiple commands.
+
+Schedule a job to perform some of the work offline.
+
+### Options
+
+- `warningLimit` the maximum number of joins allowed.
+
+### Examples
+
+```yaml
+- rule: tooManyUpdates
+  properties:
+    warningLimit: 20
+```

package/doc/rules/unbatchedMaterializedQuery.md

@@ -0,0 +1,54 @@
+---
+rule: unbatched-materialized-query
+name: Unbatched materialized query
+title: Unbatched materialized SQL query
+references:
+  CWE-1049: https://cwe.mitre.org/data/definitions/1049.html
+impactDomain: Performance
+labels:
+  - dao.materialize
+scope: command
+---
+
+Finds large data sets that are queried from the database and loaded into memory.
+
+### Rule logic
+
+Examines all SQL SELECT queries (as opposed to insert/update). If the query satisfies any of the
+following conditions:
+
+- Has a LIMIT clause
+- Has a COUNT clause at the top level
+- Queries only for metadata (`sqlite_master` table)
+
+then the query is skipped.
+
+Otherwise, the rule checks to see if the query has an ancestor labeled `dao.materialize`. If so,
+it's emitted as a finding.
+
+### Notes
+
+Materializing large amounts of data code objects is a frequent cause of poor performance and memory
+exhaustion.
+
+A `COUNT` or `LIMIT` clause is a good indication that the code is taking steps to limit the amount
+of data that's loaded into memory.
+
+### Resolution
+
+If data is being loaded into memory from an un-LIMITed query:
+
+- Consider whether the data processing that's being performed in-memory can be performed in the
+  database - either via SQL or a stored procedure.
+- If the data is being loaded solely for presentation purposes, fetch data in batches - e.g. with a
+  pagination library.
+
+### Options
+
+None
+
+### Examples
+
+```yaml
+- rule: unbatchedMaterializedQuery
+```

package/doc/rules/updateInGetRequest.md

@@ -0,0 +1,44 @@
+---
+rule: update-in-get-request
+name: Update in get request
+title: Data update performed in GET or HEAD request
+impactDomain: Maintainability
+labels:
+  - audit
+scope: http_server_request
+---
+
+Finds SQL updates that are performed in an HTTP server `GET` request.
+
+### Rule logic
+
+Checks each HTTP server `GET` and `HEAD` request. Within each of these requests, checks for SQL
+queries that match the `queryInclude` option and don't match `queryExclude`. If any such queries
+exist, they are emitted as findings.
+
+### Notes
+
+Performing data updates in a `GET` request is anti-pattern, and counter to the intent of HTTP. For
+data modifications, use `PUT`, `POST`, or `PATCH`.
+
+Data updates which are used for the purposes of tracking user activity are fine in any type of
+request. Use the `queryExclude` option to allow these queries.
+
+### Resolution
+
+Perform data updates in `PUT`, `POST`, or `PATCH` requests.
+
+### Options
+
+- `queryInclude: RegExp[]`. Default: `[/\binsert\b/i, /\bupdate\b/i]`.
+- `queryExclude: RegExp[]`. Default: empty.
+
+### Examples
+
+```yaml
+- rule: updateInGetRequest
+  properties:
+    queryExclude:
+      - /\bINSERT\b/i
+      - /\bUPDATE\b/i
+```

package/package.json

@@ -1,10 +1,11 @@
 {
   "name": "@appland/scanner",
-  "version": "1.40.3",
+  "version": "1.44.0",
   "description": "",
   "bin": "built/cli.js",
   "files": [
-    "built"
+    "built",
+    "doc"
   ],
   "scripts": {
     "build": "mkdir -p built && cp -r src/sampleConfig built && tsc && yarn schema && yarn doc",
@@ -38,9 +39,9 @@
     "jest": "^27.4.7",
     "nock": "^13.2.2",
     "openapi-types": "^9.3.0",
-    "pkg": "^5.5.1",
+    "pkg": "^5.5.2",
     "prettier": "^2.3.2",
-    "semantic-release": "^18.0.0",
+    "semantic-release": "^19.0.2",
     "sinon": "^11.1.2",
     "ts-jest": "^27.1.3",
     "ts-json-schema-generator": "^0.97.0",
@@ -49,8 +50,10 @@
   },
   "dependencies": {
     "@appland/client": "^1.1.3",
-    "@appland/models": "^1.10.1",
+    "@appland/models": "^1.12.1",
+    "@appland/sql-parser": "^1.3.0",
     "@types/async": "^3.2.12",
+    "@types/lru-cache": "^5.1.1",
     "@types/sinon": "^10.0.2",
     "@types/tar-stream": "^2.2.2",
     "ajv": "^8.8.2",
@@ -59,10 +62,11 @@
     "chalk": "^4.1.2",
     "form-data": "^4.0.0",
     "js-yaml": "^4.1.0",
+    "lru-cache": "^6.0.0",
     "minimatch": "^3.0.4",
     "octokat": "^0.10.0",
     "openapi-diff": "^0.23.5",
-    "semantic-release": "^18.0.0",
+    "pretty-format": "^27.4.6",
     "supports-hyperlinks": "^2.2.0",
     "tar-stream": "^2.2.0",
     "yargs": "^17.1.1"

package/built/integration/appland/appMap.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"appMap.js","sourceRoot":"","sources":["../../../src/integration/appland/appMap.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEA,gDAAqE;AACrE,wDAAiC;AAUjC;IAAA;IAuCA,CAAC;IAtCc,aAAM,GAAnB,UAAoB,IAAY,EAAE,OAA2B;QAA3B,wBAAA,EAAA,YAA2B;;;;;;wBACrD,IAAI,GAAG,IAAI,mBAAQ,EAAE,CAAC;wBAC5B,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;wBACrC,IAAI,OAAO,CAAC,GAAG,EAAE;4BACf,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;yBACjC;wBAEe,qBAAM,IAAA,kBAAY,EAAC,aAAa,CAAC,EAAA;;wBAA3C,OAAO,GAAG,SAAiC;wBACjD,sBAAO,IAAI,OAAO,CAAkB,UAAC,OAAO,EAAE,MAAM;gCAClD,IAAM,GAAG,GAAG,OAAO,CAAC,eAAe,CACjC,OAAO,CAAC,GAAG,EACX;oCACE,MAAM,EAAE,MAAM;oCACd,OAAO,wBACF,OAAO,CAAC,OAAO,GACf,IAAI,CAAC,UAAU,EAAE,CACrB;iCACF,EACD,OAAO,CACR,CAAC;gCACF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;gCACxB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;4BACjB,CAAC,CAAC;iCACC,IAAI,CAAC,iBAAW,CAAC;iCACjB,IAAI,CAAC,UAAC,QAAyB;gCAC9B,OAAO,IAAI,OAAO,CAAuB,UAAC,OAAO,EAAE,MAAM;oCACvD,IAAM,YAAY,GAAa,EAAE,CAAC;oCAClC,QAAQ;yCACL,EAAE,CAAC,MAAM,EAAE,UAAC,KAAa;wCACxB,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;oCACxC,CAAC,CAAC;yCACD,EAAE,CAAC,KAAK,EAAE;wCACT,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,QAAQ,EAAE,CAAyB,CAAC,CAAC;oCACtF,CAAC,CAAC;yCACD,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;gCACzB,CAAC,CAAC,CAAC;4BACL,CAAC,CAAC,EAAC;;;;KACN;IACH,aAAC;AAAD,CAAC,AAvCD,IAuCC;AAvCY,wBAAM"}

package/built/integration/appland/fetchStatus.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"fetchStatus.js","sourceRoot":"","sources":["../../../src/integration/appland/fetchStatus.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,gDAAsE;AAEtE,mBAA+B,KAAa;;;;wBACnC,qBAAM,IAAI,SAAG,CAAC,KAAK,CAAC,CAAC,iBAAiB,EAAE,EAAA;wBAA/C,sBAAO,SAAwC,EAAC;;;;CACjD;AAFD,4BAEC"}

package/built/integration/appland/mapset.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"mapset.js","sourceRoot":"","sources":["../../../src/integration/appland/mapset.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEA,gDAAqE;AAsBrE;IAAA;IA8CA,CAAC;IA7Cc,aAAM,GAAnB,UACE,KAAa,EACb,SAAmB,EACnB,OAA2B;QAA3B,wBAAA,EAAA,YAA2B;;;;;;wBAE3B,OAAO,CAAC,GAAG,CAAC,4BAA0B,KAAK,cAAS,SAAS,CAAC,MAAM,aAAU,CAAC,CAAC;wBAE1E,OAAO,GAAG,IAAI,CAAC,SAAS,YAC5B,GAAG,EAAE,KAAK,EACV,OAAO,EAAE,SAAS,IACf,OAAO,EACV,CAAC;wBACa,qBAAM,IAAA,kBAAY,EAAC,aAAa,CAAC,EAAA;;wBAA3C,OAAO,GAAG,SAAiC;wBACjD,sBAAO,IAAI,OAAO,CAAkB,UAAC,OAAO,EAAE,MAAM;gCAClD,IAAM,GAAG,GAAG,OAAO,CAAC,eAAe,CACjC,OAAO,CAAC,GAAG,EACX;oCACE,MAAM,EAAE,MAAM;oCACd,OAAO,aACL,cAAc,EAAE,kBAAkB,EAClC,gBAAgB,EAAE,OAAO,CAAC,MAAM,IAC7B,OAAO,CAAC,OAAO,CACnB;iCACF,EACD,OAAO,CACR,CAAC;gCACF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;gCACxB,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gCACnB,GAAG,CAAC,GAAG,EAAE,CAAC;4BACZ,CAAC,CAAC;iCACC,IAAI,CAAC,iBAAW,CAAC;iCACjB,IAAI,CAAC,UAAC,QAAyB;gCAC9B,OAAO,IAAI,OAAO,CAAiB,UAAC,OAAO,EAAE,MAAM;oCACjD,IAAM,YAAY,GAAa,EAAE,CAAC;oCAClC,QAAQ;yCACL,EAAE,CAAC,MAAM,EAAE,UAAC,KAAa;wCACxB,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;oCACxC,CAAC,CAAC;yCACD,EAAE,CAAC,KAAK,EAAE;wCACT,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,QAAQ,EAAE,CAAmB,CAAC,CAAC;oCAChF,CAAC,CAAC;yCACD,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;gCACzB,CAAC,CAAC,CAAC;4BACL,CAAC,CAAC,EAAC;;;;KACN;IACH,aAAC;AAAD,CAAC,AA9CD,IA8CC;AA9CY,wBAAM"}

package/built/integration/appland/upload.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"upload.js","sourceRoot":"","sources":["../../../src/integration/appland/upload.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,2BAA0B;AAC1B,+BAA8B;AAG9B,gDAAqE;AAGrE,mCAAwE;AACxE,mCAAkD;AAClD,wCAAuC;AAEvC,mBAA+B,WAAwB,EAAE,KAAa;;;;;;oBACpE,OAAO,CAAC,IAAI,CAAC,oDAAkD,KAAK,MAAG,CAAC,CAAC;oBAEjE,QAAQ,GAAK,WAAW,SAAhB,CAAiB;oBAE3B,iBAAiB,GAAG,yBACrB,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAC,CAAC,IAAK,OAAA,CAAC,CAAC,UAAU,EAAZ,CAAY,CAAC,CAAC,GAAG,CAAC,UAAC,CAAC,IAAK,OAAA,CAAC,CAAC,UAAU,EAAZ,CAAY,CAAC,CAAC,SAC9D,CAAC;oBAER,oBAAoB,GAA2B,EAAE,CAAC;oBAClD,WAAW,GAA2B,EAAE,CAAC;oBACzC,WAAW,GAA2B,EAAE,CAAC;oBAEzC,CAAC,GAAG,IAAA,aAAK,EAAC,UAAC,QAAgB,EAAE,QAAQ;wBACzC,OAAO,CAAC,GAAG,CAAC,sBAAoB,QAAU,CAAC,CAAC;wBAE5C,IAAA,mBAAQ,EAAC,QAAQ,CAAC;6BACf,IAAI,CAAC,UAAC,MAAc;;4BACnB,IAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAiB,CAAC;4BACnE,IAAM,MAAM,GAAG,MAAA,YAAY,CAAC,QAAQ,CAAC,GAAG,0CAAE,MAAM,CAAC;4BACjD,IAAM,MAAM,GAAG,MAAA,YAAY,CAAC,QAAQ,CAAC,GAAG,0CAAE,MAAM,CAAC;4BACjD,IAAI,MAAM,EAAE;gCACV,WAAW,CAAC,MAAM,MAAlB,WAAW,CAAC,MAAM,IAAM,CAAC,EAAC;gCAC1B,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;6BAC1B;4BACD,IAAI,MAAM,EAAE;gCACV,WAAW,CAAC,MAAM,MAAlB,WAAW,CAAC,MAAM,IAAM,CAAC,EAAC;gCAC1B,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;6BAC1B;4BAED,OAAO,eAAY,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;wBACrD,CAAC,CAAC;6BACD,IAAI,CAAC,UAAC,MAA4B;4BACjC,IAAI,MAAM,EAAE;gCACV,oBAAoB,CAAC,QAAQ,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC;6BAC9C;wBACH,CAAC,CAAC;6BACD,IAAI,CAAC,cAAM,OAAA,QAAQ,EAAE,EAAV,CAAU,CAAC;6BACtB,KAAK,CAAC,QAAQ,CAAC,CAAC;oBACrB,CAAC,EAAE,CAAC,CAAC,CAAC;oBACN,CAAC,CAAC,KAAK,CAAC,UAAC,GAAG,EAAE,QAAgB;wBAC5B,OAAO,CAAC,KAAK,CAAC,iCAA+B,QAAQ,UAAK,GAAK,CAAC,CAAC;oBACnE,CAAC,CAAC,CAAC;oBACH,OAAO,CAAC,GAAG,CAAC,eAAa,iBAAiB,CAAC,MAAM,aAAU,CAAC,CAAC;oBAC7D,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;oBAC1B,qBAAM,CAAC,CAAC,KAAK,EAAE,EAAA;;oBAAf,SAAe,CAAC;oBAEV,YAAY,GAAG,UAAC,MAA8B;wBAClD,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC;4BAAE,OAAO;wBAE7C,IAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,UAAC,GAAG,EAAE,KAAK,IAAK,OAAA,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,EAApB,CAAoB,EAAE,CAAC,CAAC,CAAC;wBACvF,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,UAAC,CAAC,IAAK,OAAA,CAAC,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAjB,CAAiB,CAAE,CAAC,CAAC,CAAC,CAAC;oBACnE,CAAC,CAAC;oBAEI,MAAM,GAAG,YAAY,CAAC,WAAW,CAAC,CAAC;oBACnC,MAAM,GAAG,YAAY,CAAC,WAAW,CAAC,CAAC;oBAC1B,qBAAM,eAAY,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC,EAAE;4BACnF,MAAM,QAAA;4BACN,MAAM,QAAA;yBACP,CAAC,EAAA;;oBAHI,MAAM,GAAG,SAGb;oBAEF,OAAO,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;oBAE7B,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;wBAChC,YAAY,EAAE,WAAW;wBACzB,MAAM,EAAE,MAAM,CAAC,EAAE;wBACjB,wBAAwB,EAAE,oBAAoB;qBAC/C,CAAC,CAAC;oBAEa,qBAAM,IAAA,kBAAY,EAAC,kBAAkB,CAAC,EAAA;;oBAAhD,OAAO,GAAG,SAAsC;oBACtD,sBAAO,IAAI,OAAO,CAAkB,UAAC,OAAO,EAAE,MAAM;4BAClD,IAAM,GAAG,GAAG,OAAO,CAAC,eAAe,CACjC,OAAO,CAAC,GAAG,EACX;gCACE,MAAM,EAAE,MAAM;gCACd,OAAO,aACL,cAAc,EAAE,kBAAkB,EAClC,gBAAgB,EAAE,UAAU,CAAC,MAAM,IAChC,OAAO,CAAC,OAAO,CACnB;6BACF,EACD,OAAO,CACR,CAAC;4BACF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;4BACxB,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;4BACtB,GAAG,CAAC,GAAG,EAAE,CAAC;wBACZ,CAAC,CAAC;6BACC,IAAI,CAAC,iBAAW,CAAC;6BACjB,IAAI,CAAC,UAAC,QAAyB;4BAC9B,IAAI,OAAO,GAAG,cAAY,WAAW,CAAC,QAAQ,CAAC,MAAM,cAAW,CAAC;4BACjE,IAAI,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE;gCAC7B,IAAM,SAAS,GAAG,IAAI,SAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gCACvE,OAAO,IAAI,SAAO,SAAW,CAAC;6BAC/B;4BACD,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;4BACrB,OAAO,OAAO,CAAC,GAAG,CAAC;wBACrB,CAAC,CAAC,EAAC;;;;CACN;AAjGD,4BAiGC"}