@cencori/scan 0.1.0

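--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -0,0 +1,536 @@
+ "use strict";
+ var __create = Object.create;
+ var __defProp = Object.defineProperty;
+ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+ var __getOwnPropNames = Object.getOwnPropertyNames;
+ var __getProtoOf = Object.getPrototypeOf;
+ var __hasOwnProp = Object.prototype.hasOwnProperty;
+ var __export = (target, all) => {
+ for (var name in all)
+ __defProp(target, name, { get: all[name], enumerable: true });
+ };
+ var __copyProps = (to, from, except, desc) => {
+ if (from && typeof from === "object" || typeof from === "function") {
+ for (let key of __getOwnPropNames(from))
+ if (!__hasOwnProp.call(to, key) && key !== except)
+ __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+ }
+ return to;
+ };
+ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+ // If the importer is in node compatibility mode or this is not an ESM
+ // file that has been converted to a CommonJS file using a Babel-
+ // compatible transform (i.e. "__esModule" has not been set), then set
+ // "default" to the CommonJS "module.exports" for node compatibility.
+ isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+ mod
+ ));
+ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+ // src/index.ts
+ var src_exports = {};
+ __export(src_exports, {
+ PII_PATTERNS: () => PII_PATTERNS,
+ ROUTE_PATTERNS: () => ROUTE_PATTERNS,
+ SECRET_PATTERNS: () => SECRET_PATTERNS,
+ scan: () => scan
+ });
+ module.exports = __toCommonJS(src_exports);
+
+ // src/scanner/index.ts
+ var fs = __toESM(require("fs"));
+ var path = __toESM(require("path"));
+ var import_glob = require("glob");
+
+ // src/scanner/patterns.ts
+ var SECRET_PATTERNS = [
+ // OpenAI
+ {
+ name: "OpenAI API Key",
+ provider: "OpenAI",
+ pattern: /sk-[a-zA-Z0-9]{20}T3BlbkFJ[a-zA-Z0-9]{20}/g,
+ severity: "critical"
+ },
+ {
+ name: "OpenAI Project Key",
+ provider: "OpenAI",
+ pattern: /sk-proj-[a-zA-Z0-9_-]{80,}/g,
+ severity: "critical"
+ },
+ // Anthropic
+ {
+ name: "Anthropic API Key",
+ provider: "Anthropic",
+ pattern: /sk-ant-[a-zA-Z0-9-]{90,}/g,
+ severity: "critical"
+ },
+ // Google
+ {
+ name: "Google API Key",
+ provider: "Google",
+ pattern: /AIza[0-9A-Za-z_-]{35}/g,
+ severity: "critical"
+ },
+ // Supabase
+ {
+ name: "Supabase Service Role Key",
+ provider: "Supabase",
+ pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g,
+ severity: "critical"
+ },
+ {
+ name: "Supabase Anon Key (if hardcoded)",
+ provider: "Supabase",
+ pattern: /SUPABASE_ANON_KEY\s*[:=]\s*["']eyJ[^"']+["']/g,
+ severity: "medium"
+ },
+ // Stripe
+ {
+ name: "Stripe Secret Key",
+ provider: "Stripe",
+ pattern: /sk_live_[0-9a-zA-Z]{24,}/g,
+ severity: "critical"
+ },
+ {
+ name: "Stripe Test Key",
+ provider: "Stripe",
+ pattern: /sk_test_[0-9a-zA-Z]{24,}/g,
+ severity: "medium"
+ },
+ // AWS
+ {
+ name: "AWS Access Key ID",
+ provider: "AWS",
+ pattern: /AKIA[0-9A-Z]{16}/g,
+ severity: "critical"
+ },
+ {
+ name: "AWS Secret Access Key",
+ provider: "AWS",
+ pattern: /aws_secret_access_key\s*[:=]\s*["'][A-Za-z0-9/+=]{40}["']/gi,
+ severity: "critical"
+ },
+ // GitHub
+ {
+ name: "GitHub Personal Access Token",
+ provider: "GitHub",
+ pattern: /ghp_[a-zA-Z0-9]{36}/g,
+ severity: "critical"
+ },
+ {
+ name: "GitHub OAuth Token",
+ provider: "GitHub",
+ pattern: /gho_[a-zA-Z0-9]{36}/g,
+ severity: "critical"
+ },
+ // Telegram
+ {
+ name: "Telegram Bot Token",
+ provider: "Telegram",
+ pattern: /[0-9]{9,10}:[a-zA-Z0-9_-]{35}/g,
+ severity: "high"
+ },
+ // Discord
+ {
+ name: "Discord Bot Token",
+ provider: "Discord",
+ pattern: /[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27}/g,
+ severity: "high"
+ },
+ // Slack
+ {
+ name: "Slack Bot Token",
+ provider: "Slack",
+ pattern: /xoxb-[0-9]{11}-[0-9]{11}-[a-zA-Z0-9]{24}/g,
+ severity: "high"
+ },
+ // SendGrid
+ {
+ name: "SendGrid API Key",
+ provider: "SendGrid",
+ pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/g,
+ severity: "high"
+ },
+ // Twilio
+ {
+ name: "Twilio API Key",
+ provider: "Twilio",
+ pattern: /SK[a-fA-F0-9]{32}/g,
+ severity: "high"
+ },
+ // Mailgun
+ {
+ name: "Mailgun API Key",
+ provider: "Mailgun",
+ pattern: /key-[a-zA-Z0-9]{32}/g,
+ severity: "high"
+ },
+ // Firebase
+ {
+ name: "Firebase Database URL",
+ provider: "Firebase",
+ pattern: /https:\/\/[a-z0-9-]+\.firebaseio\.com/g,
+ severity: "medium"
+ },
+ // Generic patterns
+ {
+ name: "Private Key",
+ provider: "Generic",
+ pattern: /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,
+ severity: "critical"
+ },
+ {
+ name: "Generic API Key Assignment",
+ provider: "Generic",
+ pattern: /(api_key|apikey|api_secret|secret_key)\s*[:=]\s*["'][a-zA-Z0-9_-]{20,}["']/gi,
+ severity: "high"
+ },
+ {
+ name: "Password Assignment",
+ provider: "Generic",
+ pattern: /(password|passwd|pwd)\s*[:=]\s*["'][^"']{8,}["']/gi,
+ severity: "high"
+ },
+ // Replicate
+ {
+ name: "Replicate API Token",
+ provider: "Replicate",
+ pattern: /r8_[a-zA-Z0-9]{38}/g,
+ severity: "critical"
+ },
+ // Hugging Face
+ {
+ name: "Hugging Face Token",
+ provider: "Hugging Face",
+ pattern: /hf_[a-zA-Z0-9]{34}/g,
+ severity: "critical"
+ },
+ // Cohere
+ {
+ name: "Cohere API Key",
+ provider: "Cohere",
+ pattern: /[a-zA-Z0-9]{40}/g,
+ // Less specific, check context
+ severity: "medium"
+ }
+ ];
+ var PII_PATTERNS = [
+ {
+ name: "Email Address",
+ pattern: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
+ severity: "medium"
+ },
+ {
+ name: "Phone Number (US)",
+ pattern: /(\+1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}/g,
+ severity: "medium"
+ },
+ {
+ name: "Phone Number (International)",
+ pattern: /\+[1-9]\d{1,14}/g,
+ severity: "medium"
+ },
+ {
+ name: "Social Security Number",
+ pattern: /\b\d{3}-\d{2}-\d{4}\b/g,
+ severity: "high"
+ },
+ {
+ name: "Credit Card Number",
+ pattern: /\b(?:\d{4}[-\s]?){3}\d{4}\b/g,
+ severity: "high"
+ },
+ {
+ name: "IP Address",
+ pattern: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g,
+ severity: "low"
+ }
+ ];
+ var ROUTE_PATTERNS = [
+ // Next.js API routes without auth
+ {
+ name: "Next.js API Route (check for auth)",
+ framework: "Next.js",
+ pattern: /export\s+(async\s+)?function\s+(GET|POST|PUT|DELETE|PATCH)\s*\(/g,
+ severity: "medium",
+ description: "API route handler - verify authentication is implemented"
+ },
+ // Express routes
+ {
+ name: "Express Route without Auth Middleware",
+ framework: "Express",
+ pattern: /app\.(get|post|put|delete|patch)\s*\(\s*["'`][^"'`]+["'`]\s*,\s*(?!.*auth)/gi,
+ severity: "medium",
+ description: "Express route - check if auth middleware is applied"
+ }
+ ];
+ var IGNORE_PATTERNS = [
+ "node_modules",
+ ".git",
+ "dist",
+ "build",
+ ".next",
+ ".venv",
+ "__pycache__",
+ "*.min.js",
+ "*.min.css",
+ "*.map",
+ "package-lock.json",
+ "yarn.lock",
+ "pnpm-lock.yaml"
+ ];
+ var SCANNABLE_EXTENSIONS = [
+ ".js",
+ ".jsx",
+ ".ts",
+ ".tsx",
+ ".mjs",
+ ".cjs",
+ ".py",
+ ".rb",
+ ".go",
+ ".java",
+ ".php",
+ ".env",
+ ".json",
+ ".yaml",
+ ".yml",
+ ".toml",
+ ".xml",
+ ".md",
+ ".txt",
+ ".sql",
+ ".sh",
+ ".bash",
+ ".zsh"
+ ];
+
+ // src/scanner/index.ts
+ function redact(match, showChars = 4) {
+ if (match.length <= showChars * 2) {
+ return "*".repeat(match.length);
+ }
+ return match.slice(0, showChars) + "****" + match.slice(-showChars);
+ }
+ function getPosition(content, index) {
+ const lines = content.slice(0, index).split("\n");
+ return {
+ line: lines.length,
+ column: lines[lines.length - 1].length + 1
+ };
+ }
+ function shouldIgnore(filePath) {
+ const normalized = filePath.replace(/\\/g, "/");
+ return IGNORE_PATTERNS.some((pattern) => {
+ if (pattern.startsWith("*")) {
+ return normalized.endsWith(pattern.slice(1));
+ }
+ return normalized.includes(pattern);
+ });
+ }
+ function isScannable(filePath) {
+ const ext = path.extname(filePath).toLowerCase();
+ return SCANNABLE_EXTENSIONS.includes(ext);
+ }
+ function scanFile(filePath, content) {
+ const issues = [];
+ const relativePath = filePath;
+ for (const pattern of SECRET_PATTERNS) {
+ pattern.pattern.lastIndex = 0;
+ let match;
+ while ((match = pattern.pattern.exec(content)) !== null) {
+ const pos = getPosition(content, match.index);
+ issues.push({
+ type: "secret",
+ severity: pattern.severity,
+ name: pattern.name,
+ provider: pattern.provider,
+ file: relativePath,
+ line: pos.line,
+ column: pos.column,
+ match: redact(match[0])
+ });
+ }
+ }
+ for (const pattern of PII_PATTERNS) {
+ pattern.pattern.lastIndex = 0;
+ let match;
+ while ((match = pattern.pattern.exec(content)) !== null) {
+ const matchStr = match[0];
+ if (isLikelyFalsePositive(matchStr, pattern.name)) {
+ continue;
+ }
+ const pos = getPosition(content, match.index);
+ issues.push({
+ type: "pii",
+ severity: pattern.severity,
+ name: pattern.name,
+ file: relativePath,
+ line: pos.line,
+ column: pos.column,
+ match: redact(matchStr, 3)
+ });
+ }
+ }
+ for (const pattern of ROUTE_PATTERNS) {
+ pattern.pattern.lastIndex = 0;
+ let match;
+ while ((match = pattern.pattern.exec(content)) !== null) {
+ const pos = getPosition(content, match.index);
+ issues.push({
+ type: "route",
+ severity: pattern.severity,
+ name: pattern.name,
+ file: relativePath,
+ line: pos.line,
+ column: pos.column,
+ match: match[0],
+ description: pattern.description
+ });
+ }
+ }
+ const fileName = path.basename(filePath);
+ if (fileName.startsWith(".env") && !fileName.includes(".example")) {
+ const gitignorePath = path.join(path.dirname(filePath), ".gitignore");
+ const gitignoreExists = fs.existsSync(gitignorePath);
+ issues.push({
+ type: "config",
+ severity: "high",
+ name: "Environment file in repository",
+ file: relativePath,
+ line: 1,
+ column: 1,
+ match: fileName,
+ description: gitignoreExists ? "Verify this file is in .gitignore" : "Add .env* to .gitignore"
+ });
+ }
+ return issues;
+ }
+ function isLikelyFalsePositive(match, patternName) {
+ if (patternName === "Email Address") {
+ const falseDomains = [
+ "example.com",
+ "example.org",
+ "test.com",
+ "localhost",
+ "placeholder.com"
+ ];
+ if (falseDomains.some((d) => match.includes(d))) {
+ return true;
+ }
+ const publicPrefixes = [
+ "support@",
+ "help@",
+ "info@",
+ "contact@",
+ "sales@",
+ "admin@",
+ "noreply@",
+ "no-reply@",
+ "hello@",
+ "team@",
+ "partners@",
+ "enterprise@",
+ "security@",
+ "privacy@",
+ "legal@"
+ ];
+ if (publicPrefixes.some((p) => match.toLowerCase().startsWith(p))) {
+ return true;
+ }
+ }
+ if (patternName === "IP Address") {
+ const falseIPs = ["0.0.0.0", "127.0.0.1", "192.168.", "10.0.", "172.16."];
+ if (falseIPs.some((ip) => match.startsWith(ip))) {
+ return true;
+ }
+ }
+ if (patternName.includes("Phone Number")) {
+ if (match.includes("555") || match.includes("123-456") || match.includes("000-000")) {
+ return true;
+ }
+ }
+ return false;
+ }
+ function calculateScore(issues) {
+ const critical = issues.filter((i) => i.severity === "critical").length;
+ const high = issues.filter((i) => i.severity === "high").length;
+ const medium = issues.filter((i) => i.severity === "medium").length;
+ const total = issues.length;
+ if (critical > 0) return "F";
+ if (high >= 3) return "F";
+ if (high >= 2) return "D";
+ if (high >= 1 || medium >= 5) return "C";
+ if (medium >= 2) return "B";
+ if (total === 0) return "A";
+ return "B";
+ }
+ function getTierDescription(score) {
+ switch (score) {
+ case "A":
+ return "Excellent! No security issues detected.";
+ case "B":
+ return "Good, but minor improvements recommended.";
+ case "C":
+ return "Fair. Some security concerns need attention.";
+ case "D":
+ return "Poor. Significant security issues detected.";
+ case "F":
+ return "Critical! Your app is leaking secrets.";
+ default:
+ return "";
+ }
+ }
+ async function scan(targetPath) {
+ const startTime = Date.now();
+ const absolutePath = path.resolve(targetPath);
+ const files = await (0, import_glob.glob)("**/*", {
+ cwd: absolutePath,
+ nodir: true,
+ ignore: IGNORE_PATTERNS,
+ absolute: true
+ });
+ const issues = [];
+ let filesScanned = 0;
+ for (const file of files) {
+ if (!isScannable(file) || shouldIgnore(file)) {
+ continue;
+ }
+ try {
+ const content = fs.readFileSync(file, "utf-8");
+ const relativePath = path.relative(absolutePath, file);
+ const fileIssues = scanFile(relativePath, content);
+ issues.push(...fileIssues);
+ filesScanned++;
+ } catch {
+ continue;
+ }
+ }
+ const score = calculateScore(issues);
+ const scanDuration = Date.now() - startTime;
+ return {
+ score,
+ tierDescription: getTierDescription(score),
+ issues,
+ filesScanned,
+ scanDuration,
+ summary: {
+ secrets: issues.filter((i) => i.type === "secret").length,
+ pii: issues.filter((i) => i.type === "pii").length,
+ routes: issues.filter((i) => i.type === "route").length,
+ config: issues.filter((i) => i.type === "config").length,
+ critical: issues.filter((i) => i.severity === "critical").length,
+ high: issues.filter((i) => i.severity === "high").length,
+ medium: issues.filter((i) => i.severity === "medium").length,
+ low: issues.filter((i) => i.severity === "low").length
+ }
+ };
+ }
+ // Annotate the CommonJS export names for ESM import in node:
+ 0 && (module.exports = {
+ PII_PATTERNS,
+ ROUTE_PATTERNS,
+ SECRET_PATTERNS,
+ scan
+ });
+ //# sourceMappingURL=index.js.map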
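Review bot: `.env` files are never scanned, even though `scanFile` ends with a dedicated "Environment file in repository" check: `isScannable` relies on `path.extname`, which returns an empty string for a name like `.env` (and `.local` for `.env.local`), and the `glob("**/*", …)` call in `scan` does not set `dot: true`, so by glob's default dotfiles are not listed at all. A project whose only secrets sit in `.env` can therefore come back with grade "A" and "No security issues detected". I would add `dot: true` to the glob options and let `isScannable` accept env files by name, e.g. `const base = path.basename(filePath).toLowerCase(); return base.startsWith(".env") || SCANNABLE_EXTENSIONS.includes(path.extname(base));`. Separately, `shouldIgnore` is called with the absolute path and matches with `includes`, so a checkout under any directory whose name contains `dist` or `build` is skipped entirely and also grades "A"; comparing whole path segments of the path relative to `absolutePath` would avoid that, and returning the number of skipped or unreadable files would make an empty scan visible.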
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/index.ts","../src/scanner/index.ts","../src/scanner/patterns.ts"],"sourcesContent":["/**\n * Cencori Vibe Check\n * Security scanner for AI apps\n */\n\nexport { scan, type ScanResult, type ScanIssue } from './scanner/index.js';\nexport {\n SECRET_PATTERNS,\n PII_PATTERNS,\n ROUTE_PATTERNS,\n type SecretPattern,\n type PIIPattern,\n type RoutePattern,\n} from './scanner/patterns.js';\n","import * as fs from 'fs';\nimport * as path from 'path';\nimport { glob } from 'glob';\nimport {\n SECRET_PATTERNS,\n PII_PATTERNS,\n ROUTE_PATTERNS,\n IGNORE_PATTERNS,\n SCANNABLE_EXTENSIONS,\n type SecretPattern,\n type PIIPattern,\n type RoutePattern,\n} from './patterns';\n\nexport interface ScanIssue {\n type: 'secret' | 'pii' | 'route' | 'config';\n severity: 'critical' | 'high' | 'medium' | 'low';\n name: string;\n provider?: string;\n file: string;\n line: number;\n column: number;\n match: string; // Redacted version\n description?: string;\n}\n\nexport interface ScanResult {\n score: 'A' | 'B' | 'C' | 'D' | 'F';\n tierDescription: string;\n issues: ScanIssue[];\n filesScanned: number;\n scanDuration: number;\n summary: {\n secrets: number;\n pii: number;\n routes: number;\n config: number;\n critical: number;\n high: number;\n medium: number;\n low: number;\n };\n}\n\n/**\n * Redact sensitive content for display\n */\nfunction redact(match: string, showChars: number = 4): string {\n if (match.length <= showChars * 2) {\n return '*'.repeat(match.length);\n }\n return match.slice(0, showChars) + '****' + match.slice(-showChars);\n}\n\n/**\n * Get line and column number for a match index\n */\nfunction getPosition(content: string, index: number): { line: number; column: number } {\n const lines = content.slice(0, index).split('\\n');\n return {\n line: lines.length,\n column: lines[lines.length - 1].length + 1,\n };\n}\n\n/**\n * Check if a file should be ignored\n */\nfunction shouldIgnore(filePath: string): boolean {\n const normalized = 
filePath.replace(/\\\\/g, '/');\n return IGNORE_PATTERNS.some(pattern => {\n if (pattern.startsWith('*')) {\n return normalized.endsWith(pattern.slice(1));\n }\n return normalized.includes(pattern);\n });\n}\n\n/**\n * Check if file has scannable extension\n */\nfunction isScannable(filePath: string): boolean {\n const ext = path.extname(filePath).toLowerCase();\n return SCANNABLE_EXTENSIONS.includes(ext);\n}\n\n/**\n * Scan a single file for issues\n */\nfunction scanFile(filePath: string, content: string): ScanIssue[] {\n const issues: ScanIssue[] = [];\n const relativePath = filePath;\n\n // Scan for secrets\n for (const pattern of SECRET_PATTERNS) {\n // Reset regex lastIndex\n pattern.pattern.lastIndex = 0;\n let match;\n while ((match = pattern.pattern.exec(content)) !== null) {\n const pos = getPosition(content, match.index);\n issues.push({\n type: 'secret',\n severity: pattern.severity,\n name: pattern.name,\n provider: pattern.provider,\n file: relativePath,\n line: pos.line,\n column: pos.column,\n match: redact(match[0]),\n });\n }\n }\n\n // Scan for PII\n for (const pattern of PII_PATTERNS) {\n pattern.pattern.lastIndex = 0;\n let match;\n while ((match = pattern.pattern.exec(content)) !== null) {\n // Skip common false positives\n const matchStr = match[0];\n if (isLikelyFalsePositive(matchStr, pattern.name)) {\n continue;\n }\n\n const pos = getPosition(content, match.index);\n issues.push({\n type: 'pii',\n severity: pattern.severity,\n name: pattern.name,\n file: relativePath,\n line: pos.line,\n column: pos.column,\n match: redact(matchStr, 3),\n });\n }\n }\n\n // Scan for exposed routes\n for (const pattern of ROUTE_PATTERNS) {\n pattern.pattern.lastIndex = 0;\n let match;\n while ((match = pattern.pattern.exec(content)) !== null) {\n const pos = getPosition(content, match.index);\n issues.push({\n type: 'route',\n severity: pattern.severity,\n name: pattern.name,\n file: relativePath,\n line: pos.line,\n column: pos.column,\n match: 
match[0],\n description: pattern.description,\n });\n }\n }\n\n // Check for .env files in wrong places\n const fileName = path.basename(filePath);\n if (fileName.startsWith('.env') && !fileName.includes('.example')) {\n // If we're scanning a .env file, it might be committed\n const gitignorePath = path.join(path.dirname(filePath), '.gitignore');\n const gitignoreExists = fs.existsSync(gitignorePath);\n\n issues.push({\n type: 'config',\n severity: 'high',\n name: 'Environment file in repository',\n file: relativePath,\n line: 1,\n column: 1,\n match: fileName,\n description: gitignoreExists\n ? 'Verify this file is in .gitignore'\n : 'Add .env* to .gitignore',\n });\n }\n\n return issues;\n}\n\n/**\n * Filter out likely false positives\n */\nfunction isLikelyFalsePositive(match: string, patternName: string): boolean {\n // Common email false positives\n if (patternName === 'Email Address') {\n const falseDomains = [\n 'example.com',\n 'example.org',\n 'test.com',\n 'localhost',\n 'placeholder.com',\n ];\n if (falseDomains.some(d => match.includes(d))) {\n return true;\n }\n\n // Common public email prefixes (not personal PII)\n const publicPrefixes = [\n 'support@',\n 'help@',\n 'info@',\n 'contact@',\n 'sales@',\n 'admin@',\n 'noreply@',\n 'no-reply@',\n 'hello@',\n 'team@',\n 'partners@',\n 'enterprise@',\n 'security@',\n 'privacy@',\n 'legal@',\n ];\n if (publicPrefixes.some(p => match.toLowerCase().startsWith(p))) {\n return true;\n }\n }\n\n // IP address false positives (version numbers, etc)\n if (patternName === 'IP Address') {\n const falseIPs = ['0.0.0.0', '127.0.0.1', '192.168.', '10.0.', '172.16.'];\n if (falseIPs.some(ip => match.startsWith(ip))) {\n return true;\n }\n }\n\n // Phone number false positives (example numbers in docs)\n if (patternName.includes('Phone Number')) {\n // Common example phone numbers\n if (match.includes('555') || match.includes('123-456') || match.includes('000-000')) {\n return true;\n }\n }\n\n return false;\n}\n\n/**\n 
* Calculate the fragility score based on issues\n */\nfunction calculateScore(issues: ScanIssue[]): 'A' | 'B' | 'C' | 'D' | 'F' {\n const critical = issues.filter(i => i.severity === 'critical').length;\n const high = issues.filter(i => i.severity === 'high').length;\n const medium = issues.filter(i => i.severity === 'medium').length;\n const total = issues.length;\n\n // Scoring algorithm\n if (critical > 0) return 'F';\n if (high >= 3) return 'F';\n if (high >= 2) return 'D';\n if (high >= 1 || medium >= 5) return 'C';\n if (medium >= 2) return 'B';\n if (total === 0) return 'A';\n return 'B';\n}\n\n/**\n * Get tier description\n */\nfunction getTierDescription(score: string): string {\n switch (score) {\n case 'A':\n return 'Excellent! No security issues detected.';\n case 'B':\n return 'Good, but minor improvements recommended.';\n case 'C':\n return 'Fair. Some security concerns need attention.';\n case 'D':\n return 'Poor. Significant security issues detected.';\n case 'F':\n return 'Critical! 
Your app is leaking secrets.';\n default:\n return '';\n }\n}\n\n/**\n * Main scan function\n */\nexport async function scan(targetPath: string): Promise<ScanResult> {\n const startTime = Date.now();\n const absolutePath = path.resolve(targetPath);\n\n // Get all files\n const files = await glob('**/*', {\n cwd: absolutePath,\n nodir: true,\n ignore: IGNORE_PATTERNS,\n absolute: true,\n });\n\n const issues: ScanIssue[] = [];\n let filesScanned = 0;\n\n for (const file of files) {\n if (!isScannable(file) || shouldIgnore(file)) {\n continue;\n }\n\n try {\n const content = fs.readFileSync(file, 'utf-8');\n const relativePath = path.relative(absolutePath, file);\n const fileIssues = scanFile(relativePath, content);\n issues.push(...fileIssues);\n filesScanned++;\n } catch {\n // Skip files that can't be read\n continue;\n }\n }\n\n const score = calculateScore(issues);\n const scanDuration = Date.now() - startTime;\n\n return {\n score,\n tierDescription: getTierDescription(score),\n issues,\n filesScanned,\n scanDuration,\n summary: {\n secrets: issues.filter(i => i.type === 'secret').length,\n pii: issues.filter(i => i.type === 'pii').length,\n routes: issues.filter(i => i.type === 'route').length,\n config: issues.filter(i => i.type === 'config').length,\n critical: issues.filter(i => i.severity === 'critical').length,\n high: issues.filter(i => i.severity === 'high').length,\n medium: issues.filter(i => i.severity === 'medium').length,\n low: issues.filter(i => i.severity === 'low').length,\n },\n };\n}\n","/**\n * Secret detection patterns for common API keys and tokens\n */\nexport interface SecretPattern {\n name: string;\n provider: string;\n pattern: RegExp;\n severity: 'critical' | 'high' | 'medium' | 'low';\n}\n\nexport const SECRET_PATTERNS: SecretPattern[] = [\n // OpenAI\n {\n name: 'OpenAI API Key',\n provider: 'OpenAI',\n pattern: /sk-[a-zA-Z0-9]{20}T3BlbkFJ[a-zA-Z0-9]{20}/g,\n severity: 'critical',\n },\n {\n name: 'OpenAI Project Key',\n provider: 
'OpenAI',\n pattern: /sk-proj-[a-zA-Z0-9_-]{80,}/g,\n severity: 'critical',\n },\n // Anthropic\n {\n name: 'Anthropic API Key',\n provider: 'Anthropic',\n pattern: /sk-ant-[a-zA-Z0-9-]{90,}/g,\n severity: 'critical',\n },\n // Google\n {\n name: 'Google API Key',\n provider: 'Google',\n pattern: /AIza[0-9A-Za-z_-]{35}/g,\n severity: 'critical',\n },\n // Supabase\n {\n name: 'Supabase Service Role Key',\n provider: 'Supabase',\n pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\\.[a-zA-Z0-9_-]+\\.[a-zA-Z0-9_-]+/g,\n severity: 'critical',\n },\n {\n name: 'Supabase Anon Key (if hardcoded)',\n provider: 'Supabase',\n pattern: /SUPABASE_ANON_KEY\\s*[:=]\\s*[\"']eyJ[^\"']+[\"']/g,\n severity: 'medium',\n },\n // Stripe\n {\n name: 'Stripe Secret Key',\n provider: 'Stripe',\n pattern: /sk_live_[0-9a-zA-Z]{24,}/g,\n severity: 'critical',\n },\n {\n name: 'Stripe Test Key',\n provider: 'Stripe',\n pattern: /sk_test_[0-9a-zA-Z]{24,}/g,\n severity: 'medium',\n },\n // AWS\n {\n name: 'AWS Access Key ID',\n provider: 'AWS',\n pattern: /AKIA[0-9A-Z]{16}/g,\n severity: 'critical',\n },\n {\n name: 'AWS Secret Access Key',\n provider: 'AWS',\n pattern: /aws_secret_access_key\\s*[:=]\\s*[\"'][A-Za-z0-9/+=]{40}[\"']/gi,\n severity: 'critical',\n },\n // GitHub\n {\n name: 'GitHub Personal Access Token',\n provider: 'GitHub',\n pattern: /ghp_[a-zA-Z0-9]{36}/g,\n severity: 'critical',\n },\n {\n name: 'GitHub OAuth Token',\n provider: 'GitHub',\n pattern: /gho_[a-zA-Z0-9]{36}/g,\n severity: 'critical',\n },\n // Telegram\n {\n name: 'Telegram Bot Token',\n provider: 'Telegram',\n pattern: /[0-9]{9,10}:[a-zA-Z0-9_-]{35}/g,\n severity: 'high',\n },\n // Discord\n {\n name: 'Discord Bot Token',\n provider: 'Discord',\n pattern: /[MN][A-Za-z\\d]{23,}\\.[\\w-]{6}\\.[\\w-]{27}/g,\n severity: 'high',\n },\n // Slack\n {\n name: 'Slack Bot Token',\n provider: 'Slack',\n pattern: /xoxb-[0-9]{11}-[0-9]{11}-[a-zA-Z0-9]{24}/g,\n severity: 'high',\n },\n // SendGrid\n {\n name: 'SendGrid API 
Key',\n provider: 'SendGrid',\n pattern: /SG\\.[a-zA-Z0-9_-]{22}\\.[a-zA-Z0-9_-]{43}/g,\n severity: 'high',\n },\n // Twilio\n {\n name: 'Twilio API Key',\n provider: 'Twilio',\n pattern: /SK[a-fA-F0-9]{32}/g,\n severity: 'high',\n },\n // Mailgun\n {\n name: 'Mailgun API Key',\n provider: 'Mailgun',\n pattern: /key-[a-zA-Z0-9]{32}/g,\n severity: 'high',\n },\n // Firebase\n {\n name: 'Firebase Database URL',\n provider: 'Firebase',\n pattern: /https:\\/\\/[a-z0-9-]+\\.firebaseio\\.com/g,\n severity: 'medium',\n },\n // Generic patterns\n {\n name: 'Private Key',\n provider: 'Generic',\n pattern: /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,\n severity: 'critical',\n },\n {\n name: 'Generic API Key Assignment',\n provider: 'Generic',\n pattern: /(api_key|apikey|api_secret|secret_key)\\s*[:=]\\s*[\"'][a-zA-Z0-9_-]{20,}[\"']/gi,\n severity: 'high',\n },\n {\n name: 'Password Assignment',\n provider: 'Generic',\n pattern: /(password|passwd|pwd)\\s*[:=]\\s*[\"'][^\"']{8,}[\"']/gi,\n severity: 'high',\n },\n // Replicate\n {\n name: 'Replicate API Token',\n provider: 'Replicate',\n pattern: /r8_[a-zA-Z0-9]{38}/g,\n severity: 'critical',\n },\n // Hugging Face\n {\n name: 'Hugging Face Token',\n provider: 'Hugging Face',\n pattern: /hf_[a-zA-Z0-9]{34}/g,\n severity: 'critical',\n },\n // Cohere\n {\n name: 'Cohere API Key',\n provider: 'Cohere',\n pattern: /[a-zA-Z0-9]{40}/g, // Less specific, check context\n severity: 'medium',\n },\n];\n\n/**\n * PII detection patterns\n */\nexport interface PIIPattern {\n name: string;\n pattern: RegExp;\n severity: 'high' | 'medium' | 'low';\n}\n\nexport const PII_PATTERNS: PIIPattern[] = [\n {\n name: 'Email Address',\n pattern: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}/g,\n severity: 'medium',\n },\n {\n name: 'Phone Number (US)',\n pattern: /(\\+1[-.\\s]?)?\\(?\\d{3}\\)?[-.\\s]?\\d{3}[-.\\s]?\\d{4}/g,\n severity: 'medium',\n },\n {\n name: 'Phone Number (International)',\n pattern: /\\+[1-9]\\d{1,14}/g,\n 
severity: 'medium',\n },\n {\n name: 'Social Security Number',\n pattern: /\\b\\d{3}-\\d{2}-\\d{4}\\b/g,\n severity: 'high',\n },\n {\n name: 'Credit Card Number',\n pattern: /\\b(?:\\d{4}[-\\s]?){3}\\d{4}\\b/g,\n severity: 'high',\n },\n {\n name: 'IP Address',\n pattern: /\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b/g,\n severity: 'low',\n },\n];\n\n/**\n * Exposed route patterns for common frameworks\n */\nexport interface RoutePattern {\n name: string;\n framework: string;\n pattern: RegExp;\n severity: 'high' | 'medium' | 'low';\n description: string;\n}\n\nexport const ROUTE_PATTERNS: RoutePattern[] = [\n // Next.js API routes without auth\n {\n name: 'Next.js API Route (check for auth)',\n framework: 'Next.js',\n pattern: /export\\s+(async\\s+)?function\\s+(GET|POST|PUT|DELETE|PATCH)\\s*\\(/g,\n severity: 'medium',\n description: 'API route handler - verify authentication is implemented',\n },\n // Express routes\n {\n name: 'Express Route without Auth Middleware',\n framework: 'Express',\n pattern: /app\\.(get|post|put|delete|patch)\\s*\\(\\s*[\"'`][^\"'`]+[\"'`]\\s*,\\s*(?!.*auth)/gi,\n severity: 'medium',\n description: 'Express route - check if auth middleware is applied',\n },\n];\n\n/**\n * Files/patterns to ignore\n */\nexport const IGNORE_PATTERNS = [\n 'node_modules',\n '.git',\n 'dist',\n 'build',\n '.next',\n '.venv',\n '__pycache__',\n '*.min.js',\n '*.min.css',\n '*.map',\n 'package-lock.json',\n 'yarn.lock',\n 'pnpm-lock.yaml',\n];\n\n/**\n * File extensions to scan\n */\nexport const SCANNABLE_EXTENSIONS = [\n '.js',\n '.jsx',\n '.ts',\n '.tsx',\n '.mjs',\n '.cjs',\n '.py',\n '.rb',\n '.go',\n '.java',\n '.php',\n '.env',\n '.json',\n '.yaml',\n '.yml',\n '.toml',\n '.xml',\n '.md',\n '.txt',\n '.sql',\n '.sh',\n '.bash',\n 
'.zsh',\n];\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,SAAoB;AACpB,WAAsB;AACtB,kBAAqB;;;ACQd,IAAM,kBAAmC;AAAA;AAAA,EAE5C;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA,EACA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA,EACA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA,EACA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA,EACA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA,EACA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA,EACA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA,EACA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA;AAAA
,EAEA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA;AAAA,EAEA;AAAA,IACI,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA;AAAA,IACT,UAAU;AAAA,EACd;AACJ;AAWO,IAAM,eAA6B;AAAA,EACtC;AAAA,IACI,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA,EACA;AAAA,IACI,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA,EACA;AAAA,IACI,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA,EACA;AAAA,IACI,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA,EACA;AAAA,IACI,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AAAA,EACA;AAAA,IACI,MAAM;AAAA,IACN,SAAS;AAAA,IACT,UAAU;AAAA,EACd;AACJ;AAaO,IAAM,iBAAiC;AAAA;AAAA,EAE1C;AAAA,IACI,MAAM;AAAA,IACN,WAAW;AAAA,IACX,SAAS;AAAA,IACT,UAAU;AAAA,IACV,aAAa;AAAA,EACjB;AAAA;AAAA,EAEA;AAAA,IACI,MAAM;AAAA,IACN,WAAW;AAAA,IACX,SAAS;AAAA,IACT,UAAU;AAAA,IACV,aAAa;AAAA,EACjB;AACJ;AAKO,IAAM,kBAAkB;AAAA,EAC3B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACJ;AAKO,IAAM,uBAAuB;AAAA,EAChC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACJ;;;AD5PA,SAAS,OAAO,OAAe,YAAoB,GAAW;AAC1D,MAAI,MAAM,UAAU,YAAY,GAAG;AAC/B,WAAO,IAAI,OAAO,MAAM,MAAM;AAAA,EAClC;AACA,SAAO,MAAM,MAAM,GAAG,SAAS,IAAI,SAAS,MAAM,MAAM,CAAC,SAAS;AACtE;AAKA,SAAS,YAAY,SAAiB,OAAiD;AACnF,QAAM,QAAQ,QAAQ,MAAM,GAAG,KAAK,EAAE,MAAM,IAAI;AAChD,SAAO;AAAA,IACH,MAAM,MAAM;AAAA,IACZ,QAAQ,MAAM,MAAM,SAAS,CAAC,EAAE,SAAS;AAAA,EAC7C;AACJ;AAKA,SAAS,aAAa,UAA2B;AAC7C,QAAM,aAAa,SAAS,QAAQ,OAAO,GAAG;AAC9C,SAAO,gBAAgB,KAAK,aAAW;AACnC,QAAI,QAAQ,WAAW,GAAG,GAAG;AACzB,aAAO,WAAW,SAAS,QAAQ,MAAM,CAAC,CAAC;AAAA,IAC/C;AACA,WAAO,WAAW,SAAS,OAAO;AAAA,EACtC,CAAC;AACL;AAKA,SAAS,YAAY,UAA2B;AAC5C,QAAM,MAAW,aAAQ,QAAQ,EAAE,YAAY;AAC/C,SAAO,qBAAqB,SAAS,GAAG;AAC5C;AAKA,SAAS,SAAS,UAAkB,SAA8B;AAC9D,QAAM,SAAsB,CAAC;AAC7
B,QAAM,eAAe;AAGrB,aAAW,WAAW,iBAAiB;AAEnC,YAAQ,QAAQ,YAAY;AAC5B,QAAI;AACJ,YAAQ,QAAQ,QAAQ,QAAQ,KAAK,OAAO,OAAO,MAAM;AACrD,YAAM,MAAM,YAAY,SAAS,MAAM,KAAK;AAC5C,aAAO,KAAK;AAAA,QACR,MAAM;AAAA,QACN,UAAU,QAAQ;AAAA,QAClB,MAAM,QAAQ;AAAA,QACd,UAAU,QAAQ;AAAA,QAClB,MAAM;AAAA,QACN,MAAM,IAAI;AAAA,QACV,QAAQ,IAAI;AAAA,QACZ,OAAO,OAAO,MAAM,CAAC,CAAC;AAAA,MAC1B,CAAC;AAAA,IACL;AAAA,EACJ;AAGA,aAAW,WAAW,cAAc;AAChC,YAAQ,QAAQ,YAAY;AAC5B,QAAI;AACJ,YAAQ,QAAQ,QAAQ,QAAQ,KAAK,OAAO,OAAO,MAAM;AAErD,YAAM,WAAW,MAAM,CAAC;AACxB,UAAI,sBAAsB,UAAU,QAAQ,IAAI,GAAG;AAC/C;AAAA,MACJ;AAEA,YAAM,MAAM,YAAY,SAAS,MAAM,KAAK;AAC5C,aAAO,KAAK;AAAA,QACR,MAAM;AAAA,QACN,UAAU,QAAQ;AAAA,QAClB,MAAM,QAAQ;AAAA,QACd,MAAM;AAAA,QACN,MAAM,IAAI;AAAA,QACV,QAAQ,IAAI;AAAA,QACZ,OAAO,OAAO,UAAU,CAAC;AAAA,MAC7B,CAAC;AAAA,IACL;AAAA,EACJ;AAGA,aAAW,WAAW,gBAAgB;AAClC,YAAQ,QAAQ,YAAY;AAC5B,QAAI;AACJ,YAAQ,QAAQ,QAAQ,QAAQ,KAAK,OAAO,OAAO,MAAM;AACrD,YAAM,MAAM,YAAY,SAAS,MAAM,KAAK;AAC5C,aAAO,KAAK;AAAA,QACR,MAAM;AAAA,QACN,UAAU,QAAQ;AAAA,QAClB,MAAM,QAAQ;AAAA,QACd,MAAM;AAAA,QACN,MAAM,IAAI;AAAA,QACV,QAAQ,IAAI;AAAA,QACZ,OAAO,MAAM,CAAC;AAAA,QACd,aAAa,QAAQ;AAAA,MACzB,CAAC;AAAA,IACL;AAAA,EACJ;AAGA,QAAM,WAAgB,cAAS,QAAQ;AACvC,MAAI,SAAS,WAAW,MAAM,KAAK,CAAC,SAAS,SAAS,UAAU,GAAG;AAE/D,UAAM,gBAAqB,UAAU,aAAQ,QAAQ,GAAG,YAAY;AACpE,UAAM,kBAAqB,cAAW,aAAa;AAEnD,WAAO,KAAK;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,OAAO;AAAA,MACP,aAAa,kBACP,sCACA;AAAA,IACV,CAAC;AAAA,EACL;AAEA,SAAO;AACX;AAKA,SAAS,sBAAsB,OAAe,aAA8B;AAExE,MAAI,gBAAgB,iBAAiB;AACjC,UAAM,eAAe;AAAA,MACjB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACJ;AACA,QAAI,aAAa,KAAK,OAAK,MAAM,SAAS,CAAC,CAAC,GAAG;AAC3C,aAAO;AAAA,IACX;AAGA,UAAM,iBAAiB;AAAA,MACnB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACJ;AACA,QAAI,eAAe,KAAK,OAAK,MAAM,YAAY,EAAE,WAAW,CAAC,CAAC,GAAG;AAC7D,aAAO;AAAA,IACX;AAAA,EACJ;AAGA,MAAI,gBAAgB,cAAc;AAC9B,UAAM,WAAW,CAAC,WAAW,aAAa,YAAY,SAAS,SAAS;AACxE,
QAAI,SAAS,KAAK,QAAM,MAAM,WAAW,EAAE,CAAC,GAAG;AAC3C,aAAO;AAAA,IACX;AAAA,EACJ;AAGA,MAAI,YAAY,SAAS,cAAc,GAAG;AAEtC,QAAI,MAAM,SAAS,KAAK,KAAK,MAAM,SAAS,SAAS,KAAK,MAAM,SAAS,SAAS,GAAG;AACjF,aAAO;AAAA,IACX;AAAA,EACJ;AAEA,SAAO;AACX;AAKA,SAAS,eAAe,QAAkD;AACtE,QAAM,WAAW,OAAO,OAAO,OAAK,EAAE,aAAa,UAAU,EAAE;AAC/D,QAAM,OAAO,OAAO,OAAO,OAAK,EAAE,aAAa,MAAM,EAAE;AACvD,QAAM,SAAS,OAAO,OAAO,OAAK,EAAE,aAAa,QAAQ,EAAE;AAC3D,QAAM,QAAQ,OAAO;AAGrB,MAAI,WAAW,EAAG,QAAO;AACzB,MAAI,QAAQ,EAAG,QAAO;AACtB,MAAI,QAAQ,EAAG,QAAO;AACtB,MAAI,QAAQ,KAAK,UAAU,EAAG,QAAO;AACrC,MAAI,UAAU,EAAG,QAAO;AACxB,MAAI,UAAU,EAAG,QAAO;AACxB,SAAO;AACX;AAKA,SAAS,mBAAmB,OAAuB;AAC/C,UAAQ,OAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,aAAO;AAAA,EACf;AACJ;AAKA,eAAsB,KAAK,YAAyC;AAChE,QAAM,YAAY,KAAK,IAAI;AAC3B,QAAM,eAAoB,aAAQ,UAAU;AAG5C,QAAM,QAAQ,UAAM,kBAAK,QAAQ;AAAA,IAC7B,KAAK;AAAA,IACL,OAAO;AAAA,IACP,QAAQ;AAAA,IACR,UAAU;AAAA,EACd,CAAC;AAED,QAAM,SAAsB,CAAC;AAC7B,MAAI,eAAe;AAEnB,aAAW,QAAQ,OAAO;AACtB,QAAI,CAAC,YAAY,IAAI,KAAK,aAAa,IAAI,GAAG;AAC1C;AAAA,IACJ;AAEA,QAAI;AACA,YAAM,UAAa,gBAAa,MAAM,OAAO;AAC7C,YAAM,eAAoB,cAAS,cAAc,IAAI;AACrD,YAAM,aAAa,SAAS,cAAc,OAAO;AACjD,aAAO,KAAK,GAAG,UAAU;AACzB;AAAA,IACJ,QAAQ;AAEJ;AAAA,IACJ;AAAA,EACJ;AAEA,QAAM,QAAQ,eAAe,MAAM;AACnC,QAAM,eAAe,KAAK,IAAI,IAAI;AAElC,SAAO;AAAA,IACH;AAAA,IACA,iBAAiB,mBAAmB,KAAK;AAAA,IACzC;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS;AAAA,MACL,SAAS,OAAO,OAAO,OAAK,EAAE,SAAS,QAAQ,EAAE;AAAA,MACjD,KAAK,OAAO,OAAO,OAAK,EAAE,SAAS,KAAK,EAAE;AAAA,MAC1C,QAAQ,OAAO,OAAO,OAAK,EAAE,SAAS,OAAO,EAAE;AAAA,MAC/C,QAAQ,OAAO,OAAO,OAAK,EAAE,SAAS,QAAQ,EAAE;AAAA,MAChD,UAAU,OAAO,OAAO,OAAK,EAAE,aAAa,UAAU,EAAE;AAAA,MACxD,MAAM,OAAO,OAAO,OAAK,EAAE,aAAa,MAAM,EAAE;AAAA,MAChD,QAAQ,OAAO,OAAO,OAAK,EAAE,aAAa,QAAQ,EAAE;AAAA,MACpD,KAAK,OAAO,OAAO,OAAK,EAAE,aAAa,KAAK,EAAE;AAAA,IAClD;AAAA,EACJ;AACJ;","names":[]}