@bryan-thompson/inspector-assessment-client 1.35.2 → 1.35.3

package/lib/services/assessment/modules/ManifestValidationAssessor.js

@@ -14,6 +14,67 @@ import { BaseAssessor } from "./BaseAssessor.js";
 const REQUIRED_FIELDS = ["name", "version", "mcp_config"];
 const RECOMMENDED_FIELDS = ["description", "author", "repository"];
 const CURRENT_MANIFEST_VERSION = "0.3";
+const SEMVER_PATTERN = /^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/;
+/**
+ * Calculate Levenshtein distance between two strings
+ * Uses space-optimized two-row algorithm for O(min(n,m)) memory
+ * Used for "did you mean?" suggestions on mismatched tool names (Issue #140)
+ * Exported for testing (Issue #141 - ISSUE-002)
+ */
+export function levenshteinDistance(a, b, maxDist) {
+    // Early termination optimizations
+    if (a === b)
+        return 0;
+    if (a.length === 0)
+        return b.length;
+    if (b.length === 0)
+        return a.length;
+    // If length difference exceeds max distance, no need to compute
+    if (maxDist && Math.abs(a.length - b.length) > maxDist) {
+        return maxDist + 1;
+    }
+    // Ensure a is the shorter string (optimize space)
+    if (a.length > b.length) {
+        [a, b] = [b, a];
+    }
+    // Two-row algorithm: only keep previous and current row
+    let prev = Array.from({ length: a.length + 1 }, (_, i) => i);
+    let curr = new Array(a.length + 1);
+    for (let i = 1; i <= b.length; i++) {
+        curr[0] = i;
+        for (let j = 1; j <= a.length; j++) {
+            if (b.charAt(i - 1) === a.charAt(j - 1)) {
+                curr[j] = prev[j - 1];
+            }
+            else {
+                curr[j] = Math.min(prev[j - 1] + 1, // substitution
+                curr[j - 1] + 1, // insertion
+                prev[j] + 1);
+            }
+        }
+        // Swap rows
+        [prev, curr] = [curr, prev];
+    }
+    return prev[a.length];
+}
+/**
+ * Find closest matching tool name from a set
+ * Returns match if distance <= threshold (default: 10 chars or 40% of length)
+ * Generous threshold to catch common renames like "data" -> "resources"
+ */
+function findClosestMatch(name, candidates, threshold) {
+    const maxDist = threshold ?? Math.max(10, Math.floor(name.length * 0.4));
+    let closest = null;
+    let minDist = Infinity;
+    for (const candidate of candidates) {
+        const dist = levenshteinDistance(name.toLowerCase(), candidate.toLowerCase(), maxDist);
+        if (dist < minDist && dist <= maxDist) {
+            minDist = dist;
+            closest = candidate;
+        }
+    }
+    return closest;
+}
 export class ManifestValidationAssessor extends BaseAssessor {
     /**
      * Get mcp_config from manifest (supports both root and nested v0.3 format)
@@ -33,6 +94,57 @@ export class ManifestValidationAssessor extends BaseAssessor {
         }
         return undefined;
     }
+    /**
+     * Extract contact information from manifest (Issue #141 - D4 check)
+     * Supports: author object, author string (email parsing), repository fallback
+     *
+     * @param manifest - The parsed manifest JSON
+     * @returns Extracted contact info or undefined if no contact info found
+     */
+    extractContactInfo(manifest) {
+        // 1. Check author object format (npm-style)
+        if (typeof manifest.author === "object" && manifest.author !== null) {
+            const authorObj = manifest.author;
+            return {
+                email: authorObj.email,
+                url: authorObj.url,
+                name: authorObj.name,
+                source: "author_object",
+            };
+        }
+        // 2. Check author string (may contain email: "Name <email@example.com>")
+        if (typeof manifest.author === "string" && manifest.author.trim()) {
+            const emailMatch = manifest.author.match(/<([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})>/);
+            return {
+                name: manifest.author.replace(/<[^>]+>/, "").trim() || undefined,
+                email: emailMatch?.[1],
+                source: "author_string",
+            };
+        }
+        // 3. Fallback to repository (provides contact via issues)
+        if (manifest.repository) {
+            return {
+                url: manifest.repository,
+                source: "repository",
+            };
+        }
+        return undefined;
+    }
+    /**
+     * Extract version information from manifest (Issue #141 - D5 check)
+     *
+     * @param manifest - The parsed manifest JSON
+     * @returns Extracted version info or undefined if no version found
+     */
+    extractVersionInfo(manifest) {
+        if (!manifest.version)
+            return undefined;
+        return {
+            version: manifest.version,
+            valid: true,
+            semverCompliant: SEMVER_PATTERN.test(manifest.version),
+        };
+    }
     /**
      * Run manifest validation assessment
      */
@@ -129,6 +241,11 @@ export class ManifestValidationAssessor extends BaseAssessor {
         // Validate version format
         this.testCount++;
         validationResults.push(this.validateVersionFormat(manifest.version));
+        // Validate tool names match server (Issue #140)
+        if (manifest.tools && context.tools.length > 0) {
+            const toolResults = this.validateToolNamesMatch(manifest, context.tools);
+            validationResults.push(...toolResults);
+        }
         // Validate privacy policy URLs if present
         let privacyPolicies;
         if (manifest.privacy_policies &&
@@ -164,6 +281,9 @@ export class ManifestValidationAssessor extends BaseAssessor {
         const status = this.determineManifestStatus(validationResults, hasRequiredFields);
         const explanation = this.generateExplanation(validationResults, hasRequiredFields, hasIcon, privacyPolicies);
         const recommendations = this.generateRecommendations(validationResults, privacyPolicies);
+        // Extract D4/D5 fields (Issue #141)
+        const contactInfo = this.extractContactInfo(manifest);
+        const versionInfo = this.extractVersionInfo(manifest);
         this.logger.info(`Assessment complete: ${validationResults.filter((r) => r.valid).length}/${validationResults.length} checks passed`);
         return {
             hasManifest: true,
@@ -173,6 +293,8 @@ export class ManifestValidationAssessor extends BaseAssessor {
             hasRequiredFields,
             missingFields,
             privacyPolicies,
+            contactInfo,
+            versionInfo,
             status,
             explanation,
             recommendations,
@@ -426,9 +548,7 @@ export class ManifestValidationAssessor extends BaseAssessor {
                 severity: "ERROR",
             };
         }
-        // Check for semver format
-        const semverPattern = /^\d+\.\d+\.\d+(-[a-zA-Z0-9.]+)?(\+[a-zA-Z0-9.]+)?$/;
-        if (!semverPattern.test(version)) {
+        if (!SEMVER_PATTERN.test(version)) {
             return {
                 field: "version (format)",
                 valid: false,
@@ -444,6 +564,98 @@ export class ManifestValidationAssessor extends BaseAssessor {
             severity: "INFO",
         };
     }
+    /**
+     * Validate manifest tool declarations against actual server tools (Issue #140)
+     * Compares tool names in manifest.tools against context.tools from tools/list
+     * Uses Levenshtein distance for "did you mean?" suggestions
+     */
+    validateToolNamesMatch(manifest, serverTools) {
+        const results = [];
+        // Skip if manifest doesn't declare tools
+        if (!manifest.tools || manifest.tools.length === 0) {
+            return results;
+        }
+        this.testCount++;
+        const manifestToolNames = new Set(manifest.tools.map((t) => t.name));
+        const serverToolNames = new Set(serverTools.map((t) => t.name));
+        // Check for tools declared in manifest but not on server
+        const mismatches = [];
+        for (const name of manifestToolNames) {
+            if (!serverToolNames.has(name)) {
+                const suggestion = findClosestMatch(name, serverToolNames);
+                mismatches.push({ manifest: name, suggestion });
+            }
+        }
+        // Check for tools on server but not declared in manifest
+        const undeclaredTools = [];
+        for (const name of serverToolNames) {
+            if (!manifestToolNames.has(name)) {
+                undeclaredTools.push(name);
+            }
+        }
+        // Report mismatches with suggestions
+        if (mismatches.length > 0) {
+            const issueLines = mismatches.map((m) => m.suggestion
+                ? `"${m.manifest}" (did you mean "${m.suggestion}"?)`
+                : `"${m.manifest}"`);
+            results.push({
+                field: "tools (manifest vs server)",
+                valid: false,
+                value: mismatches,
+                issue: `Manifest declares tools not found on server: ${issueLines.join(", ")}`,
+                severity: "WARNING",
+            });
+        }
+        if (undeclaredTools.length > 0) {
+            results.push({
+                field: "tools (undeclared)",
+                valid: false,
+                value: undeclaredTools,
+                issue: `Server has tools not declared in manifest: ${undeclaredTools.join(", ")}`,
+                severity: "INFO",
+            });
+        }
+        // All matched
+        if (mismatches.length === 0 && undeclaredTools.length === 0) {
+            results.push({
+                field: "tools (manifest vs server)",
+                valid: true,
+                value: `${manifestToolNames.size} tools matched`,
+                severity: "INFO",
+            });
+        }
+        return results;
+    }
+    /**
+     * Fetch with retry logic for transient network failures
+     */
+    async fetchWithRetry(url, method, retries = 2, backoffMs = 100) {
+        let lastError = null;
+        for (let attempt = 0; attempt <= retries; attempt++) {
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), 5000);
+            try {
+                const response = await fetch(url, {
+                    method,
+                    signal: controller.signal,
+                    redirect: "follow",
+                });
+                clearTimeout(timeoutId);
+                return response;
+            }
+            catch (error) {
+                clearTimeout(timeoutId);
+                lastError = error instanceof Error ? error : new Error(String(error));
+                // Don't retry on last attempt
+                if (attempt < retries) {
+                    // Exponential backoff
+                    await new Promise((resolve) => setTimeout(resolve, backoffMs * Math.pow(2, attempt)));
+                }
+            }
+        }
+        // All retries exhausted
+        throw lastError;
+    }
     /**
      * Validate privacy policy URLs are accessible
      */
@@ -467,15 +679,8 @@ export class ManifestValidationAssessor extends BaseAssessor {
                 continue;
             }
             try {
-                // Use HEAD request for efficiency, fallback to GET if needed
-                const controller = new AbortController();
-                const timeoutId = setTimeout(() => controller.abort(), 5000);
-                const response = await fetch(url, {
-                    method: "HEAD",
-                    signal: controller.signal,
-                    redirect: "follow",
-                });
-                clearTimeout(timeoutId);
+                // Use HEAD request for efficiency with retry logic
+                const response = await this.fetchWithRetry(url, "HEAD");
                 results.push({
                     url,
                     accessible: response.ok,
@@ -489,14 +694,7 @@ export class ManifestValidationAssessor extends BaseAssessor {
                     error: headError instanceof Error ? headError.message : String(headError),
                 });
                 try {
-                    const controller = new AbortController();
-                    const timeoutId = setTimeout(() => controller.abort(), 5000);
-                    const response = await fetch(url, {
-                        method: "GET",
-                        signal: controller.signal,
-                        redirect: "follow",
-                    });
-                    clearTimeout(timeoutId);
+                    const response = await this.fetchWithRetry(url, "GET");
                     results.push({
                         url,
                         accessible: response.ok,

package/lib/services/assessment/modules/securityTests/ConfidenceScorer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ConfidenceScorer.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/ConfidenceScorer.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AAE1E;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACtC,oBAAoB,EAAE,OAAO,CAAC;IAC9B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmCD;;GAEG;AACH,qBAAa,gBAAgB;IAC3B;;;;;;;;;;;;;;;;OAgBG;IACH,mBAAmB,CACjB,IAAI,EAAE,IAAI,EACV,YAAY,EAAE,OAAO,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,eAAe,EACxB,kBAAkB,CAAC,EAAE,2BAA2B,GAC/C,gBAAgB;IA4JnB;;;;;OAKG;IACH,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO;IAOxE;;;;;OAKG;IACH,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO;CAOtD"}
+{"version":3,"file":"ConfidenceScorer.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/ConfidenceScorer.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC;AAE1E;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACtC,oBAAoB,EAAE,OAAO,CAAC;IAC9B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmCD;;GAEG;AACH,qBAAa,gBAAgB;IAC3B;;;;;;;;;;;;;;;;OAgBG;IACH,mBAAmB,CACjB,IAAI,EAAE,IAAI,EACV,YAAY,EAAE,OAAO,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,eAAe,EACxB,kBAAkB,CAAC,EAAE,2BAA2B,GAC/C,gBAAgB;IAgMnB;;;;;OAKG;IACH,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO;IAOxE;;;;;OAKG;IACH,mBAAmB,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO;CAOtD"}

package/lib/services/assessment/modules/securityTests/ConfidenceScorer.js

@@ -58,6 +58,34 @@ export class ConfidenceScorer {
      * @returns Confidence result with manual review requirements
      */
     calculateConfidence(tool, isVulnerable, evidence, responseText, payload, sanitizationResult) {
+        // Issue #146: Extract execution context from evidence if present
+        // This handles context classification from SecurityResponseAnalyzer
+        const contextMatch = evidence.match(/\[Context: (CONFIRMED|LIKELY_FALSE_POSITIVE|SUSPECTED)/);
+        if (contextMatch) {
+            const context = contextMatch[1];
+            // LIKELY_FALSE_POSITIVE: Payload reflected in error message, not executed
+            // Mark as low confidence requiring manual review
+            if (context === "LIKELY_FALSE_POSITIVE") {
+                return {
+                    confidence: "low",
+                    requiresManualReview: true,
+                    manualReviewReason: "Payload reflected in error message, operation failed",
+                    reviewGuidance: "The server rejected the operation but echoed the payload in the error. " +
+                        "Verify if the tool actually processed the payload or just reflected it in the error message. " +
+                        "Check the HTTP status code and error type to confirm the operation was rejected.",
+                };
+            }
+            // CONFIRMED: Operation succeeded, payload was executed
+            // High confidence vulnerability
+            if (context === "CONFIRMED") {
+                return {
+                    confidence: "high",
+                    requiresManualReview: false,
+                };
+            }
+            // SUSPECTED: Ambiguous case - continue with normal scoring but add review flag
+            // Will be handled by downstream logic with medium confidence
+        }
         // Issue #56: If sanitization is detected, reduce confidence for vulnerabilities
         // This helps reduce false positives on well-protected servers
         if (isVulnerable && sanitizationResult?.detected) {

package/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts

@@ -25,6 +25,37 @@ export declare const HTTP_ERROR_PATTERNS: {
  * Used by: isMCPValidationError()
  */
 export declare const VALIDATION_ERROR_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Issue #146: Error context patterns indicating operation failure
+ * Used to detect when payload appears in error message (likely false positive)
+ * These patterns indicate the server rejected/failed the operation
+ */
+export declare const ERROR_CONTEXT_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Issue #146: Success context patterns indicating operation completion
+ * Used to confirm operation actually executed (high confidence vulnerability)
+ * These patterns indicate the server processed and returned results
+ */
+export declare const SUCCESS_CONTEXT_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Issue #146: Check if payload appears in error context (likely false positive)
+ * @param responseText The full response text from the tool
+ * @param payload The payload that was sent to the tool
+ * @returns true if payload is reflected in an error context
+ */
+export declare function isPayloadInErrorContext(responseText: string, payload: string): boolean;
+/**
+ * Issue #146: Check if response indicates successful operation (high confidence)
+ * @param responseText The full response text from the tool
+ * @returns true if response indicates operation succeeded
+ */
+export declare function hasSuccessContext(responseText: string): boolean;
+/**
+ * Issue #146: Check if response indicates failed operation (error context)
+ * @param responseText The full response text from the tool
+ * @returns true if response indicates operation failed
+ */
+export declare function hasErrorContext(responseText: string): boolean;
 /**
  * Patterns indicating actual code/command execution
  * Used by: hasExecutionEvidence()
@@ -380,6 +411,70 @@ export declare const OUTPUT_INJECTION_PATTERNS: {
     /** Canary markers for echo detection */
     readonly canaryMarkers: readonly [RegExp];
 };
+/**
+ * Patterns indicating scope violation in tool response
+ * Detects when tools exceed their declared annotations at runtime
+ * CWE-250: Execution with Unnecessary Privileges
+ * CWE-269: Improper Privilege Management
+ */
+export declare const SCOPE_VIOLATION_PATTERNS: readonly [{
+    readonly pattern: RegExp;
+    readonly evidence: "scope_violation: true (tool exceeded declared scope)";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "scope_escalation: true (privilege escalation via input)";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "actual_scope indicates privileged operation";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "privileged_data exposed in response";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "system_secrets leaked in response";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Admin mode activated via keyword trigger";
+}];
+/**
+ * Patterns indicating safe scope enforcement (hardened behavior)
+ * Used to confirm tools properly reject privileged actions
+ */
+export declare const SCOPE_ENFORCED_PATTERNS: readonly [{
+    readonly pattern: RegExp;
+    readonly evidence: "scope_enforced: true (safe)";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Action blocked by allowlist";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Allowlist enforcement";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Explicit rejection: action not in allowlist";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "No escalation attempted (safe)";
+}, {
+    readonly pattern: RegExp;
+    readonly evidence: "Allowlist defined and enforced";
+}];
+/**
+ * Privileged actions that should be blocked by readOnlyHint=True tools
+ */
+export declare const PRIVILEGED_ACTIONS: readonly ["write", "write_file", "delete", "delete_data", "execute", "execute_command", "network", "network_request", "modify", "modify_config", "admin", "environment_access"];
+/**
+ * Escalation keywords that may trigger hidden privilege escalation
+ */
+export declare const ESCALATION_KEYWORDS: readonly ["admin", "sudo", "elevate", "root", "superuser", "privilege"];
+/**
+ * Check if response contains scope violation indicators (Issue #144)
+ */
+export declare function hasScopeViolation(text: string): boolean;
+/**
+ * Check if response contains scope enforcement indicators (Issue #144)
+ */
+export declare function hasScopeEnforcement(text: string): boolean;
 /**
  * Check if any pattern in array matches text
  */

package/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityPatternLibrary.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPatternLibrary.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH;;;GAGG;AACH,eAAO,MAAM,mBAAmB;IAC9B,kEAAkE;;IAIlE,8DAA8D;;IAG9D,kCAAkC;;IAGlC,gCAAgC;;CAExB,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,2JAmB5B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,oBAAoB,2LAuBvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B;IACtC,iCAAiC;;IAejC,0DAA0D;;CAElD,CAAC;AAMX;;;;;;;GAOG;AACH,eAAO,MAAM,qBAAqB,2KA4BxB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;IACpC,uDAAuD;;IAOvD,oDAAoD;;CAO5C,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;IACpC,oCAAoC;;IAqBpC,4DAA4D;;IAW5D,+BAA+B;;CAEvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B;;;;CAMhC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,eAAe,mJAkBlB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,mBAAmB,2rBAwGtB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA+B1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAc5B,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;EAiCjC,CAAC;AAEX;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;EAyB3B,CAAC;AAMX;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iCAAiC,EAAE,oBAAoB,EA0FnE,CAAC;AAEF;;;;;;;;GAQG;AAKH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,MAAM,CAAC;AAE9C;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB,IAAM,CAAC;AAMxC;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,MAAM,CAC1C,MAAM,EACN;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,EAAE,CAgCxC,CAAC;AAEF;;;GAGG;AACH,wBAAgB,6BAA6B,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,EAAE,CAiB5E;AAED,eAAO,MAAM,2BAA2B,EAAE,oBAAoB,EAuE7D,CAAC;AAMF;;;GAGG;AACH,eAAO,MAAM,sBAAsB,2FAWzB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,iBAAiB,mHAcpB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,mFAU1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,mDAM9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,2DAO1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB,2DAO5B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B,yKAWhC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,kBAAkB,mGAYrB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,QACO,CAAC;AAMhD;;;GAGG;AACH,eAAO,MAAM,mBAAmB,QAC8B,CAAC;AAE/D;;;GAGG;AACH,eAAO,MAAM,wBAAwB,2EAS3B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,oRA4B9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;;;CAK7B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;IAClC,iCAAiC;;IAQjC,mDAAmD;;IAInD,gDAAgD;;IAIhD,oCAAoC;;IAEpC,6CAA6C;;CAIrC,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,yBAAyB;IACpC,oDAAoD;;IAOpD,wCAAwC;;CAEhC,CAAC;AAMX;;GAEG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAE7E;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEvD;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE5D;AAED;;;GAGG;AACH,wBAAgB,+BAA+B,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAKrE"}
+{"version":3,"file":"SecurityPatternLibrary.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPatternLibrary.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH;;;GAGG;AACH,eAAO,MAAM,mBAAmB;IAC9B,kEAAkE;;IAIlE,8DAA8D;;IAG9D,kCAAkC;;IAGlC,gCAAgC;;CAExB,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,2JAmB5B,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,2GAazB,CAAC;AAEX;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,mFAU3B,CAAC;AAEX;;;;;GAKG;AACH,wBAAgB,uBAAuB,CACrC,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,MAAM,GACd,OAAO,CAWT;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAE/D;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAE7D;AAMD;;;GAGG;AACH,eAAO,MAAM,oBAAoB,2LAuBvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B;IACtC,iCAAiC;;IAejC,0DAA0D;;CAElD,CAAC;AAMX;;;;;;;GAOG;AACH,eAAO,MAAM,qBAAqB,2KA4BxB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;IACpC,uDAAuD;;IAOvD,oDAAoD;;CAO5C,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;IACpC,oCAAoC;;IAqBpC,4DAA4D;;IAW5D,+BAA+B;;CAEvB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B;;;;CAMhC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,eAAe,mJAkBlB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,mBAAmB,2rBAwGtB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA+B1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAc5B,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;EAiCjC,CAAC;AAEX;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;EAyB3B,CAAC;AAMX;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iCAAiC,EAAE,oBAAoB,EA0FnE,CAAC;AAEF;;;;;;;;GAQG;AAKH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,MAAM,CAAC;AAE9C;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB,IAAM,CAAC;AAMxC;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAE,MAAM,CAC1C,MAAM,EACN;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,EAAE,CAgCxC,CAAC;AAEF;;;GAGG;AACH,wBAAgB,6BAA6B,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,EAAE,CAiB5E;AAED,eAAO,MAAM,2BAA2B,EAAE,oBAAoB,EAuE7D,CAAC;AAMF;;;GAGG;AACH,eAAO,MAAM,sBAAsB,2FAWzB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,iBAAiB,mHAcpB,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,mFAU1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,mDAM9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB,2DAO1B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,yBAAyB,2DAO5B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B,yKAWhC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,kBAAkB,mGAYrB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,QACO,CAAC;AAMhD;;;GAGG;AACH,eAAO,MAAM,mBAAmB,QAC8B,CAAC;AAE/D;;;GAGG;AACH,eAAO,MAAM,wBAAwB,2EAS3B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,2BAA2B,oRA4B9B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;;;CAK7B,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;IAClC,iCAAiC;;IAQjC,mDAAmD;;IAInD,gDAAgD;;IAIhD,oCAAoC;;IAEpC,6CAA6C;;CAIrC,CAAC;AAMX;;;;GAIG;AACH,eAAO,MAAM,yBAAyB;IACpC,oDAAoD;;IAOpD,wCAAwC;;CAEhC,CAAC;AAMX;;;;;GAKG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;EAyB3B,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;EAyB1B,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,kBAAkB,iLAarB,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,mBAAmB,yEAOtB,CAAC;AAEX;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEvD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEzD;AAMD;;GAEG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAE7E;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEvD;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE5D;AAED;;;GAGG;AACH,wBAAgB,+BAA+B,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAKrE"}

package/lib/services/assessment/modules/securityTests/SecurityPatternLibrary.js

@@ -51,6 +51,75 @@ export const VALIDATION_ERROR_PATTERNS = [
     /field.*required/i,
 ];
 // =============================================================================
+// ERROR CONTEXT PATTERNS (Issue #146)
+// =============================================================================
+/**
+ * Issue #146: Error context patterns indicating operation failure
+ * Used to detect when payload appears in error message (likely false positive)
+ * These patterns indicate the server rejected/failed the operation
+ */
+export const ERROR_CONTEXT_PATTERNS = [
+    /failed\s+to\s+(?:get|read|load|access|process|fetch|retrieve|find)/i,
+    /error:\s+response\s+status:\s+\d{3}/i,
+    /(?:could\s+not|cannot|unable\s+to)\s+(?:find|locate|access|read|get|load)/i,
+    /\b(?:not\s+found|doesn['']t\s+exist|no\s+such|does\s+not\s+exist)\b/i,
+    /error\s+(?:loading|reading|processing|fetching|accessing)/i,
+    /(?:operation|request)\s+failed/i,
+    /invalid\s+(?:path|file|resource|input|parameter)/i,
+    /\b(?:rejected|refused|denied)\b/i,
+    /(?:resource|file|path)\s+(?:is\s+)?(?:invalid|not\s+allowed)/i,
+    /access\s+(?:denied|forbidden)/i,
+    /permission\s+denied/i,
+    /\b(?:4\d{2}|5\d{2})\s*(?:error|not\s+found|bad\s+request|unauthorized|forbidden)/i,
+];
+/**
+ * Issue #146: Success context patterns indicating operation completion
+ * Used to confirm operation actually executed (high confidence vulnerability)
+ * These patterns indicate the server processed and returned results
+ */
+export const SUCCESS_CONTEXT_PATTERNS = [
+    /(?:successfully|completed)\s+(?:read|loaded|accessed|executed|retrieved)/i,
+    /file\s+contents?:/i,
+    /data\s+retrieved/i,
+    /execution\s+result:/i,
+    /\boutput:/i,
+    /\bresults?:/i,
+    /returned\s+(?:data|content|results)/i,
+    /read\s+\d+\s+bytes/i,
+    /fetched\s+(?:from|data)/i,
+];
+/**
+ * Issue #146: Check if payload appears in error context (likely false positive)
+ * @param responseText The full response text from the tool
+ * @param payload The payload that was sent to the tool
+ * @returns true if payload is reflected in an error context
+ */
+export function isPayloadInErrorContext(responseText, payload) {
+    // Check if response contains error patterns
+    const hasErrorContext = ERROR_CONTEXT_PATTERNS.some((p) => p.test(responseText));
+    // Check if payload is reflected in the response
+    const payloadReflected = responseText
+        .toLowerCase()
+        .includes(payload.toLowerCase());
+    return hasErrorContext && payloadReflected;
+}
+/**
+ * Issue #146: Check if response indicates successful operation (high confidence)
+ * @param responseText The full response text from the tool
+ * @returns true if response indicates operation succeeded
+ */
+export function hasSuccessContext(responseText) {
+    return SUCCESS_CONTEXT_PATTERNS.some((p) => p.test(responseText));
+}
+/**
+ * Issue #146: Check if response indicates failed operation (error context)
+ * @param responseText The full response text from the tool
+ * @returns true if response indicates operation failed
+ */
+export function hasErrorContext(responseText) {
+    return ERROR_CONTEXT_PATTERNS.some((p) => p.test(responseText));
+}
+// =============================================================================
 // EXECUTION EVIDENCE PATTERNS
 // =============================================================================
 /**
@@ -985,6 +1054,111 @@ export const OUTPUT_INJECTION_PATTERNS = {
     canaryMarkers: [/SENTINEL_OUTPUT_MARKER_\d+/],
 };
 // =============================================================================
+// EXCESSIVE PERMISSIONS SCOPE PATTERNS (Issue #144, Challenge #22)
+// =============================================================================
+/**
+ * Patterns indicating scope violation in tool response
+ * Detects when tools exceed their declared annotations at runtime
+ * CWE-250: Execution with Unnecessary Privileges
+ * CWE-269: Improper Privilege Management
+ */
+export const SCOPE_VIOLATION_PATTERNS = [
+    {
+        pattern: /"scope_violation"\s*:\s*true/i,
+        evidence: "scope_violation: true (tool exceeded declared scope)",
+    },
+    {
+        pattern: /"scope_escalation"\s*:\s*true/i,
+        evidence: "scope_escalation: true (privilege escalation via input)",
+    },
+    {
+        pattern: /"actual_scope"\s*:\s*"(write|delete|execute|network)"/i,
+        evidence: "actual_scope indicates privileged operation",
+    },
+    {
+        pattern: /"privileged_data"\s*:/i,
+        evidence: "privileged_data exposed in response",
+    },
+    {
+        pattern: /"system_secrets"\s*:/i,
+        evidence: "system_secrets leaked in response",
+    },
+    {
+        pattern: /admin[\s_-]?mode[\s_-]?activated/i,
+        evidence: "Admin mode activated via keyword trigger",
+    },
+];
+/**
+ * Patterns indicating safe scope enforcement (hardened behavior)
+ * Used to confirm tools properly reject privileged actions
+ */
+export const SCOPE_ENFORCED_PATTERNS = [
+    {
+        pattern: /"scope_enforced"\s*:\s*true/i,
+        evidence: "scope_enforced: true (safe)",
+    },
+    {
+        pattern: /"blocked"\s*:\s*true/i,
+        evidence: "Action blocked by allowlist",
+    },
+    {
+        pattern: /action.*not.*in.*allowlist/i,
+        evidence: "Allowlist enforcement",
+    },
+    {
+        pattern: /"rejection_reason"\s*:\s*"action_not_in_allowlist"/i,
+        evidence: "Explicit rejection: action not in allowlist",
+    },
+    {
+        pattern: /"escalation_attempted"\s*:\s*false/i,
+        evidence: "No escalation attempted (safe)",
+    },
+    {
+        pattern: /"allowed_actions"\s*:\s*\[/i,
+        evidence: "Allowlist defined and enforced",
+    },
+];
+/**
+ * Privileged actions that should be blocked by readOnlyHint=True tools
+ */
+export const PRIVILEGED_ACTIONS = [
+    "write",
+    "write_file",
+    "delete",
+    "delete_data",
+    "execute",
+    "execute_command",
+    "network",
+    "network_request",
+    "modify",
+    "modify_config",
+    "admin",
+    "environment_access",
+];
+/**
+ * Escalation keywords that may trigger hidden privilege escalation
+ */
+export const ESCALATION_KEYWORDS = [
+    "admin",
+    "sudo",
+    "elevate",
+    "root",
+    "superuser",
+    "privilege",
+];
+/**
+ * Check if response contains scope violation indicators (Issue #144)
+ */
+export function hasScopeViolation(text) {
+    return SCOPE_VIOLATION_PATTERNS.some(({ pattern }) => pattern.test(text));
+}
+/**
+ * Check if response contains scope enforcement indicators (Issue #144)
+ */
+export function hasScopeEnforcement(text) {
+    return SCOPE_ENFORCED_PATTERNS.some(({ pattern }) => pattern.test(text));
+}
+// =============================================================================
 // HELPER FUNCTIONS
 // =============================================================================
 /**

package/lib/services/assessment/modules/securityTests/SecurityPayloadTester.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityPayloadTester.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPayloadTester.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EACL,gBAAgB,EAIjB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAGL,eAAe,EAChB,MAAM,wBAAwB,CAAC;AAOhC;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG,gBAAgB,CAAC;AAEpD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/B,QAAQ,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;CACrD;AAED;;GAEG;AACH,qBAAa,qBAAqB;IAO9B,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,kBAAkB;IAR5B,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,oBAAoB,CAAuB;IACnD,OAAO,CAAC,SAAS,CAAK;gBAGZ,MAAM,EAAE,iBAAiB,EACzB,MAAM,EAAE,UAAU,EAClB,kBAAkB,EAAE,CAAC,CAAC,EAC5B,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,EACnB,OAAO,EAAE,MAAM,KACZ,OAAO,CAAC,CAAC,CAAC;IAOjB;;;OAGG;IACG,yBAAyB,CAC7B,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAqMhC;;;OAGG;IACG,qBAAqB,CACzB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IA6LhC;;OAEG;IACG,WAAW,CACf,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,GACxC,OAAO,CAAC,kBAAkB,CAAC;IA6P9B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAO3B;;OAEG;IACH,OAAO,CAAC,KAAK;CAGd"}
+{"version":3,"file":"SecurityPayloadTester.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/SecurityPayloadTester.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EACL,gBAAgB,EAIjB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,2BAA2B,EAC3B,IAAI,EACL,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAGL,eAAe,EAChB,MAAM,wBAAwB,CAAC;AAOhC;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG,gBAAgB,CAAC;AAEpD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/B,QAAQ,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;CACrD;AAED;;GAEG;AACH,qBAAa,qBAAqB;IAO9B,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,kBAAkB;IAR5B,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,oBAAoB,CAAuB;IACnD,OAAO,CAAC,SAAS,CAAK;gBAGZ,MAAM,EAAE,iBAAiB,EACzB,MAAM,EAAE,UAAU,EAClB,kBAAkB,EAAE,CAAC,CAAC,EAC5B,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,EACnB,OAAO,EAAE,MAAM,KACZ,OAAO,CAAC,CAAC,CAAC;IAOjB;;;OAGG;IACG,yBAAyB,CAC7B,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAqMhC;;;OAGG;IACG,qBAAqB,CACzB,KAAK,EAAE,IAAI,EAAE,EACb,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,EACzC,UAAU,CAAC,EAAE,oBAAoB,GAChC,OAAO,CAAC,kBAAkB,EAAE,CAAC;IA6LhC;;OAEG;IACG,WAAW,CACf,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,CACR,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,2BAA2B,CAAC,GACxC,OAAO,CAAC,kBAAkB,CAAC;IAyR9B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAO3B;;OAEG;IACH,OAAO,CAAC,KAAK;CAGd"}