@expressots/studio-agent 4.0.0-preview.1

package/dist/security/posture-analyzer.js

@@ -0,0 +1,397 @@
+/**
+ * Runtime security posture analyzer.
+ *
+ * This is Studio's unique contribution: Snyk-style scanners only see
+ * `package.json`, but Studio has the recorded traffic, the routes, the
+ * DI graph and live logs. The analyzer turns all of that into a set
+ * of OWASP-mapped findings the user can act on directly from the UI.
+ *
+ * Rules implemented here are intentionally conservative — false
+ * positives erode trust quickly in a security tool. Every rule has
+ * either (a) a high-confidence runtime signal (e.g. literal
+ * `Access-Control-Allow-Origin: *`) or (b) an explicit "advisory"
+ * severity so users know the finding is heuristic.
+ *
+ * All passes are pure functions over a snapshot of in-memory state.
+ * The engine is responsible for debouncing and change detection.
+ */
+import { createHash } from 'node:crypto';
+/**
+ * Run every posture check over the given snapshot. Returns an
+ * unsorted list — the engine aggregates and dedupes by `id`.
+ */
+export function analyzePosture(input) {
+    const findings = [];
+    findings.push(...checkSecurityHeaders(input));
+    findings.push(...checkPermissiveCors(input));
+    findings.push(...checkAuthGaps(input));
+    findings.push(...checkVerboseErrors(input));
+    findings.push(...checkSecretLeakage(input));
+    findings.push(...checkInputValidation(input));
+    return findings;
+}
+// ────────────────────────────────────────────────────────────────────
+// Rule: missing standard security response headers
+// ────────────────────────────────────────────────────────────────────
+const REQUIRED_HEADERS = [
+    { name: 'content-security-policy', severity: 'MEDIUM', owasp: 'API8:2023' },
+    { name: 'strict-transport-security', severity: 'MEDIUM', owasp: 'API8:2023' },
+    { name: 'x-content-type-options', severity: 'LOW', owasp: 'API8:2023' },
+    { name: 'x-frame-options', severity: 'LOW', owasp: 'API8:2023' },
+    { name: 'referrer-policy', severity: 'LOW', owasp: 'API8:2023' },
+];
+/**
+ * For each route observed in the recorded exchanges, check whether the
+ * most recent successful response carried the standard security
+ * headers. We pick the *last* 2xx response per route so transient
+ * misses on error paths don't flag every route.
+ */
+function checkSecurityHeaders(input) {
+    const out = [];
+    const lastSuccessByRoute = mostRecentSuccessByRoute(input.exchanges);
+    for (const [, exchange] of lastSuccessByRoute) {
+        const headers = lowercaseHeaderKeys(exchange.response.headers);
+        for (const required of REQUIRED_HEADERS) {
+            if (headers[required.name])
+                continue;
+            out.push({
+                id: stableId('missing-header', required.name, exchange.request.path),
+                rule: `missing-${required.name}`,
+                owasp: required.owasp,
+                severity: required.severity,
+                title: `Missing ${prettyHeader(required.name)} header`,
+                description: `Responses to \`${exchange.request.method} ${exchange.request.path}\` ` +
+                    `are not sending the \`${prettyHeader(required.name)}\` header. ` +
+                    'This relaxes browser-side defences against a range of common attacks.',
+                evidence: { kind: 'exchange', exchangeId: exchange.id },
+                fixHint: 'Register `helmet()` (or set the header explicitly in a response interceptor).',
+            });
+        }
+    }
+    return out;
+}
+// ────────────────────────────────────────────────────────────────────
+// Rule: permissive CORS
+// ────────────────────────────────────────────────────────────────────
+/**
+ * Flags responses that pair `Access-Control-Allow-Origin: *` with
+ * authenticated requests — that combination effectively turns CORS
+ * off for cross-origin attackers who can persuade a victim to issue
+ * a request bearing their own credentials.
+ */
+function checkPermissiveCors(input) {
+    const out = [];
+    const seen = new Set();
+    for (const ex of input.exchanges) {
+        const headers = lowercaseHeaderKeys(ex.response.headers);
+        if (headers['access-control-allow-origin'] !== '*')
+            continue;
+        const reqHeaders = lowercaseHeaderKeys(ex.request.headers);
+        const hasAuth = Boolean(reqHeaders['authorization'] || reqHeaders['cookie']);
+        const key = `${ex.request.method}:${ex.request.path}:${hasAuth}`;
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        out.push({
+            id: stableId('permissive-cors', ex.request.method, ex.request.path, String(hasAuth)),
+            rule: 'permissive-cors',
+            owasp: 'API8:2023',
+            severity: hasAuth ? 'HIGH' : 'LOW',
+            title: hasAuth
+                ? 'Wildcard CORS on authenticated route'
+                : 'Wildcard CORS origin',
+            description: hasAuth
+                ? `\`${ex.request.method} ${ex.request.path}\` returns \`Access-Control-Allow-Origin: *\` ` +
+                    'while the client sends credentials. Browsers will refuse the response, but the ' +
+                    'configuration is a footgun — pin the origin to your front-end host instead.'
+                : `\`${ex.request.method} ${ex.request.path}\` returns \`Access-Control-Allow-Origin: *\`. ` +
+                    'Acceptable for fully public endpoints; replace with an explicit allow-list otherwise.',
+            evidence: { kind: 'exchange', exchangeId: ex.id },
+            fixHint: 'Configure CORS with a concrete `origin` list rather than `*`.',
+        });
+    }
+    return out;
+}
+// ────────────────────────────────────────────────────────────────────
+// Rule: routes returning 2xx with no auth evidence
+// ────────────────────────────────────────────────────────────────────
+const PUBLIC_PATH_PATTERNS = [
+    /^\/?$/,
+    /^\/health/i,
+    /^\/healthz/i,
+    /^\/status/i,
+    /^\/metrics/i,
+    /^\/ready/i,
+    /^\/favicon/i,
+];
+/**
+ * For each route, look at the most recent 2xx response: if no request
+ * we've seen against it carried an `Authorization` header or a session
+ * cookie, *and* the static / runtime middleware list shows no obvious
+ * auth interceptor, flag it as potentially unauthenticated.
+ *
+ * Intentionally LOW severity (not HIGH) because plenty of routes are
+ * legitimately public. Users skim the list and mute false positives.
+ */
+function checkAuthGaps(input) {
+    const out = [];
+    const lastByRoute = mostRecentSuccessByRoute(input.exchanges);
+    const allByRoute = groupByRoute(input.exchanges);
+    const middlewareNames = (input.structure?.middleware ?? []).map((m) => m.toLowerCase());
+    const hasGlobalAuth = middlewareNames.some((n) => /auth|jwt|session|guard/.test(n));
+    for (const [routeKey, exchange] of lastByRoute) {
+        if (looksPublic(exchange.request.path))
+            continue;
+        if (hasGlobalAuth)
+            continue;
+        const everyExchange = allByRoute.get(routeKey) ?? [];
+        const sawCredentials = everyExchange.some((ex) => {
+            const h = lowercaseHeaderKeys(ex.request.headers);
+            return Boolean(h['authorization'] || h['cookie']);
+        });
+        if (sawCredentials)
+            continue;
+        out.push({
+            id: stableId('unauthenticated-route', exchange.request.method, exchange.request.path),
+            rule: 'unauthenticated-route',
+            owasp: 'API2:2023',
+            severity: 'LOW',
+            title: 'Route may be unauthenticated',
+            description: `\`${exchange.request.method} ${exchange.request.path}\` returned 2xx for every ` +
+                'recorded request, and Studio never observed an `Authorization` header or session ' +
+                'cookie. If this endpoint is meant to be private, add an auth interceptor.',
+            evidence: {
+                kind: 'route',
+                method: exchange.request.method,
+                path: exchange.request.path,
+            },
+            fixHint: 'Apply an auth interceptor on the controller or the route, or register one globally.',
+        });
+    }
+    return out;
+}
+// ────────────────────────────────────────────────────────────────────
+// Rule: verbose error responses (stack trace leakage)
+// ────────────────────────────────────────────────────────────────────
+const STACK_REGEX = /at\s+[\w.<>$]+\s+\(.+:\d+:\d+\)/;
+function checkVerboseErrors(input) {
+    const out = [];
+    const seen = new Set();
+    for (const ex of input.exchanges) {
+        if (ex.response.statusCode < 500)
+            continue;
+        const body = renderBody(ex.response.body);
+        if (!body)
+            continue;
+        if (!STACK_REGEX.test(body))
+            continue;
+        const key = `${ex.request.method}:${ex.request.path}`;
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        out.push({
+            id: stableId('verbose-error', ex.request.method, ex.request.path),
+            rule: 'verbose-error',
+            owasp: 'API8:2023',
+            severity: 'MEDIUM',
+            title: '5xx response includes a stack trace',
+            description: `\`${ex.request.method} ${ex.request.path}\` returned ${ex.response.statusCode} ` +
+                'with a response body containing what looks like a stack trace. Production clients ' +
+                'should never see implementation details from server-side errors.',
+            evidence: { kind: 'exchange', exchangeId: ex.id },
+            fixHint: 'Install a global error filter that strips stack frames from outbound responses.',
+        });
+    }
+    return out;
+}
+// ────────────────────────────────────────────────────────────────────
+// Rule: likely secret leakage in responses or logs
+// ────────────────────────────────────────────────────────────────────
+/**
+ * High-precision patterns only. A single false positive on a secret
+ * scanner is much worse than a missed one — users learn to ignore the
+ * tool. We deliberately don't try to catch generic "long random string
+ * that might be a token". Adopt the [trufflehog / git-leaks] vocab.
+ */
+const SECRET_PATTERNS = [
+    { name: 'AWS Access Key', regex: /AKIA[0-9A-Z]{16}/ },
+    { name: 'GitHub PAT', regex: /\bghp_[A-Za-z0-9]{36}\b/ },
+    { name: 'GitHub Fine-grained PAT', regex: /\bgithub_pat_[A-Za-z0-9_]{82}\b/ },
+    { name: 'Slack token', regex: /\bxox[abprs]-[A-Za-z0-9-]{10,48}\b/ },
+    { name: 'Stripe live key', regex: /\bsk_live_[A-Za-z0-9]{24,}\b/ },
+    { name: 'JWT', regex: /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/ },
+];
+function checkSecretLeakage(input) {
+    const out = [];
+    for (const ex of input.exchanges) {
+        const body = renderBody(ex.response.body);
+        if (!body)
+            continue;
+        for (const pat of SECRET_PATTERNS) {
+            if (!pat.regex.test(body))
+                continue;
+            out.push({
+                id: stableId('response-secret', pat.name, ex.request.method, ex.request.path),
+                rule: 'response-secret',
+                owasp: 'API3:2023',
+                severity: 'HIGH',
+                title: `Response body matches a ${pat.name} pattern`,
+                description: `\`${ex.request.method} ${ex.request.path}\` returned a body containing what ` +
+                    `looks like a ${pat.name}. Strip credentials from response payloads — they should ` +
+                    'never reach the client.',
+                evidence: { kind: 'exchange', exchangeId: ex.id },
+            });
+        }
+    }
+    for (let i = 0; i < input.logs.length; i++) {
+        const entry = input.logs[i];
+        for (const pat of SECRET_PATTERNS) {
+            if (!pat.regex.test(entry.message))
+                continue;
+            out.push({
+                id: stableId('log-secret', pat.name, entry.message.slice(0, 64)),
+                rule: 'log-secret',
+                owasp: 'API3:2023',
+                severity: 'MEDIUM',
+                title: `Log line matches a ${pat.name} pattern`,
+                description: `A captured log entry contains what looks like a ${pat.name}. Logs propagate to ` +
+                    'log aggregators and rotated files; treat them as untrusted destinations for secrets.',
+                evidence: { kind: 'log', logIndex: i },
+            });
+            // Don't double-report on the same line for multiple patterns.
+            break;
+        }
+    }
+    return out;
+}
+// ────────────────────────────────────────────────────────────────────
+// Rule: controllers accepting bodies without validation
+// ────────────────────────────────────────────────────────────────────
+/**
+ * Heuristic check: any controller whose recorded requests carry a
+ * non-empty body, but whose source file doesn't import any of the
+ * canonical validation libraries we recognise. Marked INFO because
+ * it's the most heuristic of the rules — frameworks differ, and the
+ * controller might validate at a layer below our scanner.
+ */
+function checkInputValidation(input) {
+    const out = [];
+    const seen = new Set();
+    const controllerByName = new Map();
+    for (const c of input.structure?.controllers ?? []) {
+        controllerByName.set(c.name, { filePath: c.filePath });
+    }
+    for (const ex of input.exchanges) {
+        if (!hasMeaningfulBody(ex.request.body))
+            continue;
+        const route = input.routes.find((r) => r.path === ex.request.path && r.method === ex.request.method);
+        if (!route)
+            continue;
+        const key = `${route.controller}.${route.controllerMethod}`;
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        const ctrl = controllerByName.get(route.controller);
+        if (!ctrl?.filePath)
+            continue;
+        // We can't reliably read the file here without async I/O; the engine
+        // does the file read once per scan and passes the import list via
+        // `srcRoot` (future enhancement). For now, surface the route and let
+        // the user verify — INFO severity reflects the uncertainty.
+        out.push({
+            id: stableId('unvalidated-body', route.controller, route.controllerMethod),
+            rule: 'unvalidated-body',
+            owasp: 'API4:2023',
+            severity: 'INFO',
+            title: `Verify request validation for ${route.controller}.${route.controllerMethod}`,
+            description: `\`${ex.request.method} ${ex.request.path}\` (handled by ` +
+                `\`${route.controller}.${route.controllerMethod}\`) accepts a body. Confirm that the ` +
+                'handler validates it (zod, class-validator, or a project DTO) before use.',
+            evidence: { kind: 'file', filePath: ctrl.filePath, lineNumber: route.lineNumber },
+            fixHint: 'Wrap the body parameter in a typed DTO + validation pipe or use a runtime schema check.',
+        });
+    }
+    return out;
+}
+// ────────────────────────────────────────────────────────────────────
+// Helpers
+// ────────────────────────────────────────────────────────────────────
+function lowercaseHeaderKeys(headers) {
+    const out = {};
+    if (!headers)
+        return out;
+    for (const [k, v] of Object.entries(headers)) {
+        out[k.toLowerCase()] = v;
+    }
+    return out;
+}
+function looksPublic(path) {
+    return PUBLIC_PATH_PATTERNS.some((p) => p.test(path));
+}
+function mostRecentSuccessByRoute(exchanges) {
+    const out = new Map();
+    for (const ex of exchanges) {
+        if (ex.response.statusCode < 200 || ex.response.statusCode >= 300)
+            continue;
+        const key = routeKey(ex.request.method, ex.request.path);
+        const existing = out.get(key);
+        if (!existing || ex.request.timestamp > existing.request.timestamp) {
+            out.set(key, ex);
+        }
+    }
+    return out;
+}
+function groupByRoute(exchanges) {
+    const out = new Map();
+    for (const ex of exchanges) {
+        const key = routeKey(ex.request.method, ex.request.path);
+        const list = out.get(key) ?? [];
+        list.push(ex);
+        out.set(key, list);
+    }
+    return out;
+}
+function routeKey(method, path) {
+    return `${method}:${path}`;
+}
+function renderBody(body) {
+    if (body == null)
+        return '';
+    if (typeof body === 'string')
+        return body;
+    try {
+        return JSON.stringify(body);
+    }
+    catch {
+        return '';
+    }
+}
+function hasMeaningfulBody(body) {
+    if (body == null)
+        return false;
+    if (typeof body === 'string')
+        return body.trim().length > 0;
+    if (typeof body === 'object') {
+        return Object.keys(body).length > 0;
+    }
+    return true;
+}
+function prettyHeader(headerName) {
+    return headerName
+        .split('-')
+        .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
+        .join('-');
+}
+/**
+ * Build a deterministic id so re-runs of the analyzer produce the same
+ * id for the same finding — the engine relies on this for change
+ * detection (hash the id set; only broadcast on transition).
+ */
+function stableId(...parts) {
+    const h = createHash('sha1');
+    for (const p of parts)
+        h.update(p);
+    h.update('\0');
+    return h.digest('hex').slice(0, 16);
+}
+//# sourceMappingURL=posture-analyzer.js.map

package/dist/security/posture-analyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"posture-analyzer.js","sourceRoot":"","sources":["../../src/security/posture-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAYH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAqBzC;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,KAAoB;IACjD,MAAM,QAAQ,GAAqB,EAAE,CAAC;IAEtC,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC,CAAC;IAC9C,QAAQ,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC;IAC7C,QAAQ,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;IACvC,QAAQ,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC;IAC5C,QAAQ,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC;IAC5C,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC,CAAC;IAE9C,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,uEAAuE;AACvE,mDAAmD;AACnD,uEAAuE;AAEvE,MAAM,gBAAgB,GAA+D;IACnF,EAAE,IAAI,EAAE,yBAAyB,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE;IAC3E,EAAE,IAAI,EAAE,2BAA2B,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE;IAC7E,EAAE,IAAI,EAAE,wBAAwB,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE;IACvE,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE;IAChE,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE;CACjE,CAAC;AAEF;;;;;GAKG;AACH,SAAS,oBAAoB,CAAC,KAAoB;IAChD,MAAM,GAAG,GAAqB,EAAE,CAAC;IACjC,MAAM,kBAAkB,GAAG,wBAAwB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAErE,KAAK,MAAM,CAAC,EAAE,QAAQ,CAAC,IAAI,kBAAkB,EAAE,CAAC;QAC9C,MAAM,OAAO,GAAG,mBAAmB,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC/D,KAAK,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;YACxC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAAE,SAAS;YACrC,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC;gBACpE,IAAI,EAAE,WAAW,QAAQ,CAAC,IAAI,EAAE;gBAChC,KAAK,EAAE,QAAQ,CAAC,KAAK;gBACrB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;gBAC3B,KAAK,EAAE,WAAW,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS;gBACtD,WAAW,EACT,kBAAkB,QAAQ,CAAC,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK;oBACvE,yBAAyB,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa;oBACjE,uEAAuE;gBACzE,QAAQ,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE;gBACvD,OAAO,EACL,+EAA+E;aAClF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,uEAAuE;AACvE,wBAAwB;AACxB,uEAAuE;AAEvE;;;;;GAKG;AACH,SAAS,mBAAmB,CAAC,KAAoB;IAC/C,MAAM,GAAG,GAAqB,EAAE,CAAC;IACjC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,KAAK,MAAM,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QACjC,MAAM,OAAO,GAAG,mBAAmB,CAAC,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACzD,IAAI,OAAO,CAAC,6BAA6B,CAAC,KAAK,GAAG;YAAE,SAAS;QAE7D,MAAM,UAAU,GAAG,mBAAmB,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;QAE7E,MAAM,GAAG,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,IAAI,OAAO,EAAE,CAAC;QACjE,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QAC5B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEd,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,QAAQ,CAAC,iBAAiB,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;YACpF,IAAI,EAAE,iBAAiB;YACvB,KAAK,EAAE,WAAW;YAClB,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK;YAClC,KAAK,EAAE,OAAO;gBACZ,CAAC,CAAC,sCAAsC;gBACxC,CAAC,CAAC,sBAAsB;YAC1B,WAAW,EAAE,OAAO;gBAClB,CAAC,CAAC,KAAK,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,gDAAgD;oBACzF,iFAAiF;oBACjF,6EAA6E;gBAC/E,CAAC,CAAC,KAAK,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,iDAAiD;oBAC1F,uFAAuF;YAC3F,QAAQ,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,CAAC,EAAE,EAAE;YACjD,OAAO,EAAE,+DAA+D;SACzE,CAAC,CAAC;IACL,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,uEAAuE;AACvE,mDAAmD;AACnD,uEAAuE;AAEvE,MAAM,oBAAoB,GAAG;IAC3B,OAAO;IACP,YAAY;IACZ,aAAa;IACb,YAAY;IACZ,aAAa;IACb,WAAW;IACX,aAAa;CACd,CAAC;AAEF;;;;;;;;GAQG;AACH,SAAS,aAAa,CAAC,KAAoB;IACzC,MAAM,GAAG,GAAqB,EAAE,CAAC;IACjC,MAAM,WAAW,GAAG,wBAAwB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9D,MAAM,UAAU,GAAG,YAAY,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAEjD,MAAM,eAAe,GAAG,CAAC,KAAK,CAAC,SAAS,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IACxF,MAAM,aAAa,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAEpF,KAAK,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,WAAW,EAAE,CAAC;QAC/C,IAAI,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC;YAAE,SAAS;QACjD,IAAI,aAAa;YAAE,SAAS;QAE5B,MAAM,aAAa,GAAG,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QACrD,MAAM,cAAc,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE;YAC/C,MAAM,CAAC,GAAG,mBAAmB,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YAClD,OAAO,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;QACH,IAAI,cAAc;YAAE,SAAS;QAE7B,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,QAAQ,CAAC,uBAAuB,EAAE,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC;YACrF,IAAI,EAAE,uBAAuB;YAC7B,KAAK,EAAE,WAAW;YAClB,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,8BAA8B;YACrC,WAAW,EACT,KAAK,QAAQ,CAAC,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC,OAAO,CAAC,IAAI,4BAA4B;gBACjF,mFAAmF;gBACnF,2EAA2E;YAC7E,QAAQ,EAAE;gBACR,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,MAAM;gBAC/B,IAAI,EAAE,QAAQ,CAAC,OAAO,CAAC,IAAI;aAC5B;YACD,OAAO,EACL,qFAAqF;SACxF,CAAC,CAAC;IACL,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,uEAAuE;AACvE,sDAAsD;AACtD,uEAAuE;AAEvE,MAAM,WAAW,GAAG,iCAAiC,CAAC;AAEtD,SAAS,kBAAkB,CAAC,KAAoB;IAC9C,MAAM,GAAG,GAAqB,EAAE,CAAC;IACjC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,KAAK,MAAM,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QACjC,IAAI,EAAE,CAAC,QAAQ,CAAC,UAAU,GAAG,GAAG;YAAE,SAAS;QAC3C,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,SAAS;QAEtC,MAAM,GAAG,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACtD,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QAC5B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEd,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,QAAQ,CAAC,eAAe,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;YACjE,IAAI,EAAE,eAAe;YACrB,KAAK,EAAE,WAAW;YAClB,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,qCAAqC;YAC5C,WAAW,EACT,KAAK,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,eAAe,EAAE,CAAC,QAAQ,CAAC,UAAU,GAAG;gBACjF,oFAAoF;gBACpF,kEAAkE;YACpE,QAAQ,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,CAAC,EAAE,EAAE;YACjD,OAAO,EACL,iFAAiF;SACpF,CAAC,CAAC;IACL,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,uEAAuE;AACvE,mDAAmD;AACnD,uEAAuE;AAEvE;;;;;GAKG;AACH,MAAM,eAAe,GAA2C;IAC9D,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,kBAAkB,EAAE;IACrD,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,yBAAyB,EAAE;IACxD,EAAE,IAAI,EAAE,yBAAyB,EAAE,KAAK,EAAE,iCAAiC,EAAE;IAC7E,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,oCAAoC,EAAE;IACpE,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,8BAA8B,EAAE;IAClE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,0DAA0D,EAAE;CACnF,CAAC;AAEF,SAAS,kBAAkB,CAAC,KAAoB;IAC9C,MAAM,GAAG,GAAqB,EAAE,CAAC;IAEjC,KAAK,MAAM,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,UAAU,CAAC,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,KAAK,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;YAClC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAS;YACpC,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,QAAQ,CAAC,iBAAiB,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;gBAC7E,IAAI,EAAE,iBAAiB;gBACvB,KAAK,EAAE,WAAW;gBAClB,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,2BAA2B,GAAG,CAAC,IAAI,UAAU;gBACpD,WAAW,EACT,KAAK,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,qCAAqC;oBAC9E,gBAAgB,GAAG,CAAC,IAAI,2DAA2D;oBACnF,yBAAyB;gBAC3B,QAAQ,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,CAAC,EAAE,EAAE;aAClD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5B,KAAK,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;YAClC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;gBAAE,SAAS;YAC7C,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,QAAQ,CAAC,YAAY,EAAE,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAChE,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,WAAW;gBAClB,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,sBAAsB,GAAG,CAAC,IAAI,UAAU;gBAC/C,WAAW,EACT,mDAAmD,GAAG,CAAC,IAAI,sBAAsB;oBACjF,sFAAsF;gBACxF,QAAQ,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,EAAE;aACvC,CAAC,CAAC;YACH,8DAA8D;YAC9D,MAAM;QACR,CAAC;IACH,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,uEAAuE;AACvE,wDAAwD;AACxD,uEAAuE;AAEvE;;;;;;GAMG;AACH,SAAS,oBAAoB,CAAC,KAAoB;IAChD,MAAM,GAAG,GAAqB,EAAE,CAAC;IACjC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAgC,CAAC;IACjE,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,EAAE,WAAW,IAAI,EAAE,EAAE,CAAC;QACnD,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,KAAK,MAAM,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QACjC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;YAAE,SAAS;QAClD,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,IAAI,CAC7B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,EAAE,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,MAAM,KAAK,EAAE,CAAC,OAAO,CAAC,MAAM,CACpE,CAAC;QACF,IAAI,CAAC,KAAK;YAAE,SAAS;QAErB,MAAM,GAAG,GAAG,GAAG,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC5D,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QAC5B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEd,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QACpD,IAAI,CAAC,IAAI,EAAE,QAAQ;YAAE,SAAS;QAE9B,qEAAqE;QACrE,kEAAkE;QAClE,qEAAqE;QACrE,4DAA4D;QAC5D,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,QAAQ,CAAC,kBAAkB,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,gBAAgB,CAAC;YAC1E,IAAI,EAAE,kBAAkB;YACxB,KAAK,EAAE,WAAW;YAClB,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,iCAAiC,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,gBAAgB,EAAE;YACpF,WAAW,EACT,KAAK,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,iBAAiB;gBAC1D,KAAK,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,gBAAgB,uCAAuC;gBACtF,2EAA2E;YAC7E,QAAQ,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE;YACjF,OAAO,EACL,yFAAyF;SAC5F,CAAC,CAAC;IACL,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,uEAAuE;AACvE,UAAU;AACV,uEAAuE;AAEvE,SAAS,mBAAmB,CAC1B,OAA2C;IAE3C,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,IAAI,CAAC,OAAO;QAAE,OAAO,GAAG,CAAC;IACzB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7C,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,WAAW,CAAC,IAAY;IAC/B,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,wBAAwB,CAC/B,SAA6B;IAE7B,MAAM,GAAG,GAAG,IAAI,GAAG,EAA4B,CAAC;IAChD,KAAK,MAAM,EAAE,IAAI,SAAS,EAAE,CAAC;QAC3B,IAAI,EAAE,CAAC,QAAQ,CAAC,UAAU,GAAG,GAAG,IAAI,EAAE,CAAC,QAAQ,CAAC,UAAU,IAAI,GAAG;YAAE,SAAS;QAC5E,MAAM,GAAG,GAAG,QAAQ,CAAC,EAAE,CAAC,OAAO,CAAC,MAAoB,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACvE,MAAM,QAAQ,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,OAAO,CAAC,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;YACnE,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,YAAY,CACnB,SAA6B;IAE7B,MAAM,GAAG,GAAG,IAAI,GAAG,EAA8B,CAAC;IAClD,KAAK,MAAM,EAAE,IAAI,SAAS,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,QAAQ,CAAC,EAAE,CAAC,OAAO,CAAC,MAAoB,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACvE,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAChC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACd,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACrB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,QAAQ,CAAC,MAAkB,EAAE,IAAY;IAChD,OAAO,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC;AAC7B,CAAC;AAED,SAAS,UAAU,CAAC,IAAa;IAC/B,IAAI,IAAI,IAAI,IAAI;QAAE,OAAO,EAAE,CAAC;IAC5B,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC1C,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAa;IACtC,IAAI,IAAI,IAAI,IAAI;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;IAC5D,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,OAAO,MAAM,CAAC,IAAI,CAAC,IAAc,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,YAAY,CAAC,UAAkB;IACtC,OAAO,UAAU;SACd,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;SAC3D,IAAI,CAAC,GAAG,CAAC,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,SAAS,QAAQ,CAAC,GAAG,KAAe;IAClC,MAAM,CAAC,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACf,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACtC,CAAC"}

package/dist/security/reachability.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Runtime reachability analysis for supply-chain findings.
+ *
+ * This is the single feature that justifies "why Studio over Snyk?". A
+ * static scanner can tell you that `lodash@4.17.10` has CVE-X; only a
+ * tool sitting inside the running app can tell you that:
+ *
+ *   - `src/users/users.service.ts` actually imports lodash
+ *   - that service is wired into `UsersController`, which owns `GET /users`
+ *   - and `GET /users` has been hit 47 times in the last hour
+ *
+ * We combine three signals to land on one of four labels per finding:
+ *
+ *   - **confirmed**: a route that imports (transitively) the vulnerable
+ *     package has been exercised in the current session.
+ *   - **likely**: the package is imported from `src/` but we haven't
+ *     seen a request hit a route that reaches it yet.
+ *   - **unreachable**: we have a complete import graph for `src/` and
+ *     the package doesn't appear anywhere. Usually means it's only
+ *     pulled in by a dev tool or another transitive dep.
+ *   - **unknown**: we can't compute the graph (no src dir, scanning
+ *     disabled). Default for transitive packages with no direct
+ *     imports — we don't follow node_modules → node_modules edges.
+ *
+ * The analyzer is intentionally cheap: regex-based import extraction
+ * over the same source tree the route scanner already walked. We
+ * don't reach for a TypeScript AST — it'd be 100× slower for almost
+ * no precision gain at this granularity (we only need package names,
+ * not symbols).
+ */
+import type { AppStructure, DependencyFinding, RecordedExchange, RouteInfo } from '../types/index.js';
+/**
+ * Reachability snapshot built once per security scan. We compute it on
+ * the agent thread (synchronous file I/O, but only ~200 small files for
+ * a typical service) and pass it to `enrichWithReachability`, which is
+ * then a pure map.
+ */
+export interface ReachabilitySnapshot {
+    /** package name → files in `src/` that import it. */
+    importedByPkg: Map<string, Set<string>>;
+    /** file path → routes whose handlers live in (or transitively reach) that file. */
+    routesByFile: Map<string, RouteInfo[]>;
+}
+/**
+ * Build a reachability snapshot for the host project. Returns an empty
+ * snapshot if `srcPath` doesn't exist — callers should treat that as
+ * "always emit `unknown`" rather than failing.
+ *
+ * Safe to call on every full scan; for a 1000-file project it usually
+ * completes in <100 ms.
+ */
+export declare function buildReachabilitySnapshot(cwd: string, structure: AppStructure | null): Promise<ReachabilitySnapshot>;
+/**
+ * Attach a `ReachabilityInfo` block to every finding in `findings`.
+ * Pure given the snapshot + exchanges; same call with the same inputs
+ * always produces the same output, which keeps hashing stable.
+ */
+export declare function enrichWithReachability(findings: DependencyFinding[], snapshot: ReachabilitySnapshot, exchanges: RecordedExchange[]): DependencyFinding[];
+//# sourceMappingURL=reachability.d.ts.map

package/dist/security/reachability.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reachability.d.ts","sourceRoot":"","sources":["../../src/security/reachability.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAKH,OAAO,KAAK,EACV,YAAY,EAEZ,iBAAiB,EAGjB,gBAAgB,EAChB,SAAS,EAEV,MAAM,mBAAmB,CAAC;AAE3B;;;;;GAKG;AACH,MAAM,WAAW,oBAAoB;IACnC,qDAAqD;IACrD,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;IACxC,mFAAmF;IACnF,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;CACxC;AAaD;;;;;;;GAOG;AACH,wBAAsB,yBAAyB,CAC7C,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,YAAY,GAAG,IAAI,GAC7B,OAAO,CAAC,oBAAoB,CAAC,CAkC/B;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,iBAAiB,EAAE,EAC7B,QAAQ,EAAE,oBAAoB,EAC9B,SAAS,EAAE,gBAAgB,EAAE,GAC5B,iBAAiB,EAAE,CA0BrB"}