@expressots/studio-agent 4.0.0-preview.1

package/dist/security/fix-resolver.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Compute concrete remediation steps for supply-chain findings.
+ *
+ * For each finding we want to answer two questions:
+ *
+ *   1. **What's the root cause?** For transitive vulns the user can't
+ *      `npm install <vulnerable-pkg>@<fixedVersion>` — they have to
+ *      bump whichever direct dep brought the package in. We resolve
+ *      this from the lockfile graph.
+ *
+ *   2. **What's the fix command?** Either a one-liner the user can
+ *      paste (`npm install pkg@^X`), `npm audit fix` for the
+ *      automatic case, or `--force` for semver-major upgrades. When
+ *      no fix exists we return a `'none'` spec so the UI can render a
+ *      consistent disabled button.
+ *
+ * Pure functions — no I/O, no spawning. The engine wires the spec into
+ * the fix-runner when the user clicks "Apply fix".
+ */
+import type { DependencyFinding, FixGroup } from '../types/index.js';
+import type { AuditFixAvailability } from './npm-audit.js';
+import type { LockfileGraph } from './lockfile-graph.js';
+/**
+ * Enrich every finding in-place with `fix` and `rootCause`. The
+ * lockfile graph is optional — when absent (no `package-lock.json`)
+ * we still produce a best-effort `FixSpec` based on the finding's
+ * own `fixedVersion`.
+ */
+export declare function enrichFindings(findings: DependencyFinding[], fixAvailability: Map<string, AuditFixAvailability>, lockfile: LockfileGraph | null): DependencyFinding[];
+/**
+ * Bucket findings that share a fix command together so the UI can show
+ * "Upgrade lodash — fixes 4 advisories" rather than four separate rows.
+ *
+ * Grouping key:
+ *   - install commands → group by exact command string
+ *   - audit-fix / audit-fix-force → one bucket each across the whole report
+ *   - override / none → not grouped (each finding stays individual)
+ */
+export declare function buildFixGroups(findings: DependencyFinding[]): FixGroup[];
+//# sourceMappingURL=fix-resolver.d.ts.map

package/dist/security/fix-resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fix-resolver.d.ts","sourceRoot":"","sources":["../../src/security/fix-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EACV,iBAAiB,EACjB,QAAQ,EAIT,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AAC3D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAWzD;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,iBAAiB,EAAE,EAC7B,eAAe,EAAE,GAAG,CAAC,MAAM,EAAE,oBAAoB,CAAC,EAClD,QAAQ,EAAE,aAAa,GAAG,IAAI,GAC7B,iBAAiB,EAAE,CAYrB;AAkGD;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,EAAE,GAAG,QAAQ,EAAE,CAsDxE"}

package/dist/security/fix-resolver.js

@@ -0,0 +1,283 @@
+/**
+ * Compute concrete remediation steps for supply-chain findings.
+ *
+ * For each finding we want to answer two questions:
+ *
+ *   1. **What's the root cause?** For transitive vulns the user can't
+ *      `npm install <vulnerable-pkg>@<fixedVersion>` — they have to
+ *      bump whichever direct dep brought the package in. We resolve
+ *      this from the lockfile graph.
+ *
+ *   2. **What's the fix command?** Either a one-liner the user can
+ *      paste (`npm install pkg@^X`), `npm audit fix` for the
+ *      automatic case, or `--force` for semver-major upgrades. When
+ *      no fix exists we return a `'none'` spec so the UI can render a
+ *      consistent disabled button.
+ *
+ * Pure functions — no I/O, no spawning. The engine wires the spec into
+ * the fix-runner when the user clicks "Apply fix".
+ */
+/** Severity ordering used to pick the "worst" severity per fix group. */
+const SEVERITY_ORDER = {
+    CRITICAL: 4,
+    HIGH: 3,
+    MEDIUM: 2,
+    LOW: 1,
+    INFO: 0,
+};
+/**
+ * Enrich every finding in-place with `fix` and `rootCause`. The
+ * lockfile graph is optional — when absent (no `package-lock.json`)
+ * we still produce a best-effort `FixSpec` based on the finding's
+ * own `fixedVersion`.
+ */
+export function enrichFindings(findings, fixAvailability, lockfile) {
+    return findings.map((finding) => {
+        const rootCause = lockfile
+            ? lockfile.findRootCause(finding.package) ?? undefined
+            : undefined;
+        const fix = resolveFix(finding, fixAvailability, rootCause, lockfile);
+        return {
+            ...finding,
+            fix,
+            rootCause,
+        };
+    });
+}
+/**
+ * Pick the right command for `finding`. Order of preference:
+ *
+ *   1. If the package is a direct dep and we know a `fixedVersion`,
+ *      generate a precise `npm install <pkg>@<ver>` command.
+ *   2. If npm-audit says it can fix without going semver-major:
+ *      `npm audit fix`.
+ *   3. If npm-audit can only fix with `--force`: `npm audit fix --force`,
+ *      flagged as breaking.
+ *   4. Otherwise — no upstream fix yet. UI renders an advisory link
+ *      and a disabled "Apply fix" button.
+ */
+function resolveFix(finding, availability, rootCause, lockfile) {
+    const fa = availability.get(finding.package) ?? { kind: 'none' };
+    const isDirect = rootCause?.isDirect ?? lockfile?.isDirect(finding.package) ?? false;
+    // Direct dep with a known fix version → exact install command.
+    if (isDirect && finding.fixedVersion) {
+        const breaking = isSemVerMajor(finding.installedVersion, finding.fixedVersion);
+        return {
+            kind: 'install',
+            command: `npm install ${finding.package}@${quoteVersionRange(finding.fixedVersion)}`,
+            breaking,
+            label: `Upgrade ${finding.package} ${finding.installedVersion} → ${finding.fixedVersion}`,
+            note: breaking ? 'Semver-major upgrade — may include breaking changes.' : undefined,
+        };
+    }
+    // npm-audit reports a specific upgrade target (typically points at
+    // the root package the user owns, even for transitive vulns).
+    if (fa.kind === 'specific') {
+        if (!fa.isSemVerMajor) {
+            return {
+                kind: 'audit-fix',
+                command: 'npm audit fix',
+                breaking: false,
+                label: rootCause && !rootCause.isDirect
+                    ? `Upgrade ${rootCause.rootPackage} via npm audit fix`
+                    : `Auto-fix ${fa.name ?? finding.package}`,
+            };
+        }
+        return {
+            kind: 'audit-fix-force',
+            command: 'npm audit fix --force',
+            breaking: true,
+            label: rootCause && !rootCause.isDirect
+                ? `Force-upgrade ${rootCause.rootPackage} (semver-major)`
+                : `Force-fix ${fa.name ?? finding.package}`,
+            note: '`--force` may install semver-major upgrades that break your build.',
+        };
+    }
+    // npm-audit said it can auto-fix but didn't pin a version (the most
+    // common "fixAvailable: true" case). We still recommend running
+    // `npm audit fix` — npm will pick the right targets.
+    if (fa.kind === 'auto') {
+        return {
+            kind: 'audit-fix',
+            command: 'npm audit fix',
+            breaking: false,
+            label: rootCause && !rootCause.isDirect
+                ? `Upgrade ${rootCause.rootPackage} via npm audit fix`
+                : `Auto-fix ${finding.package} via npm audit fix`,
+        };
+    }
+    // No fixAvailable target. If the vulnerable package isn't a direct
+    // dep but we know a fixed version, the user can pin it via
+    // `package.json` overrides — surface that as a manual step.
+    if (!isDirect && rootCause && finding.fixedVersion) {
+        return {
+            kind: 'override',
+            command: '',
+            breaking: false,
+            label: `Add a ${finding.package} override`,
+            note: `Upstream (${rootCause.rootPackage}) hasn't shipped a fixed version. ` +
+                `Add an "overrides" entry to package.json pinning ${finding.package}@${finding.fixedVersion}.`,
+        };
+    }
+    return {
+        kind: 'none',
+        command: '',
+        breaking: false,
+        label: 'No upstream fix yet',
+        note: isDirect ? 'Watch the advisory link for a patched release.' : undefined,
+    };
+}
+/**
+ * Bucket findings that share a fix command together so the UI can show
+ * "Upgrade lodash — fixes 4 advisories" rather than four separate rows.
+ *
+ * Grouping key:
+ *   - install commands → group by exact command string
+ *   - audit-fix / audit-fix-force → one bucket each across the whole report
+ *   - override / none → not grouped (each finding stays individual)
+ */
+export function buildFixGroups(findings) {
+    const buckets = new Map();
+    for (const f of findings) {
+        if (!f.fix)
+            continue;
+        if (f.fix.kind === 'none' || f.fix.kind === 'override')
+            continue;
+        const key = `${f.fix.kind}::${f.fix.command}`;
+        const list = buckets.get(key) ?? [];
+        list.push(f);
+        buckets.set(key, list);
+    }
+    const out = [];
+    for (const [key, list] of buckets) {
+        if (list.length === 0)
+            continue;
+        const first = list[0];
+        const fix = first.fix;
+        const groupPkg = first.rootCause?.rootPackage ?? first.package;
+        const fromVersion = first.rootCause?.rootInstalledVersion ?? first.installedVersion;
+        const toVersion = inferTargetVersion(fix, first);
+        const severity = list.reduce((acc, f) => SEVERITY_ORDER[f.severity] > SEVERITY_ORDER[acc] ? f.severity : acc, 'INFO');
+        const reachability = pickStrongestReachability(list);
+        out.push({
+            id: `fg-${hashKey(key)}-${list.length}`,
+            package: groupPkg,
+            fromVersion,
+            toVersion,
+            breaking: fix.breaking,
+            severity,
+            findingIds: list.map((f) => f.id),
+            fix,
+            reachability,
+        });
+    }
+    // Sort highest-impact groups first: more findings, then higher severity,
+    // then reachability (confirmed > likely > unknown > unreachable).
+    out.sort((a, b) => {
+        if (b.findingIds.length !== a.findingIds.length) {
+            return b.findingIds.length - a.findingIds.length;
+        }
+        if (SEVERITY_ORDER[b.severity] !== SEVERITY_ORDER[a.severity]) {
+            return SEVERITY_ORDER[b.severity] - SEVERITY_ORDER[a.severity];
+        }
+        return reachabilityRank(b.reachability) - reachabilityRank(a.reachability);
+    });
+    return out;
+}
+// ────────────────────────────────────────────────────────────────────────
+// Helpers
+// ────────────────────────────────────────────────────────────────────────
+/**
+ * Return the target version string we want to show on a fix-group card.
+ * For exact `install` commands we extract it from the command itself;
+ * for `audit-fix` we don't actually know the target until npm runs, so
+ * we fall back to the finding's `fixedVersion` (best signal we have).
+ */
+function inferTargetVersion(fix, finding) {
+    if (fix.kind === 'install') {
+        const m = fix.command.match(/@([^@]+)$/);
+        if (m)
+            return m[1].replace(/^['"]/, '').replace(/['"]$/, '');
+    }
+    return finding.fixedVersion ?? 'latest';
+}
+function pickStrongestReachability(findings) {
+    let best = -1;
+    let label;
+    for (const f of findings) {
+        const lvl = f.reachability?.level;
+        if (!lvl)
+            continue;
+        const rank = reachabilityRank(lvl);
+        if (rank > best) {
+            best = rank;
+            label = lvl;
+        }
+    }
+    return label;
+}
+function reachabilityRank(r) {
+    switch (r) {
+        case 'confirmed':
+            return 3;
+        case 'likely':
+            return 2;
+        case 'unknown':
+            return 1;
+        case 'unreachable':
+            return 0;
+        default:
+            return -1;
+    }
+}
+/**
+ * Quote the version range for the shell when it contains characters
+ * that have special meaning in PowerShell / zsh. Caret (`^`) and tilde
+ * (`~`) are safe in bash but break in PowerShell — wrap in single
+ * quotes whenever we see them.
+ */
+function quoteVersionRange(version) {
+    if (/[\s<>=^~|*"'\\]/.test(version)) {
+        // Use single quotes; npm install on every platform accepts the
+        // shell-quoted form. Escape any embedded single quotes too.
+        return `'${version.replace(/'/g, "\\'")}'`;
+    }
+    return version;
+}
+/**
+ * Cheap, non-cryptographic hash for fix-group ids. Stable across
+ * scans so the UI can keep its expanded/collapsed state across
+ * incoming reports.
+ */
+function hashKey(input) {
+    let h = 2166136261;
+    for (let i = 0; i < input.length; i++) {
+        h ^= input.charCodeAt(i);
+        h = Math.imul(h, 16777619);
+    }
+    return (h >>> 0).toString(36);
+}
+/**
+ * Best-effort semver-major detection used when npm-audit doesn't tell
+ * us whether the upgrade is breaking. We strip non-digit prefixes and
+ * compare the leading number — good enough for the standard "X.Y.Z"
+ * shape; conservatively returns `false` on anything weirder so we
+ * don't scare users about benign patch bumps.
+ */
+function isSemVerMajor(from, to) {
+    const fromMajor = leadingMajor(from);
+    const toMajor = leadingMajor(to);
+    if (fromMajor === null || toMajor === null)
+        return false;
+    return toMajor > fromMajor;
+}
+function leadingMajor(version) {
+    // npm-audit `range` strings can be like ">=1.2.3 <2.0.0" — take the
+    // first numeric component.
+    const m = version.match(/(?:^|[^\d])(\d+)/);
+    if (!m)
+        return null;
+    const n = parseInt(m[1], 10);
+    return Number.isFinite(n) ? n : null;
+}
+//# sourceMappingURL=fix-resolver.js.map

package/dist/security/fix-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fix-resolver.js","sourceRoot":"","sources":["../../src/security/fix-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAYH,yEAAyE;AACzE,MAAM,cAAc,GAA6B;IAC/C,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACR,CAAC;AAEF;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAC5B,QAA6B,EAC7B,eAAkD,EAClD,QAA8B;IAE9B,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;QAC9B,MAAM,SAAS,GAAG,QAAQ;YACxB,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,SAAS;YACtD,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,GAAG,GAAG,UAAU,CAAC,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;QACtE,OAAO;YACL,GAAG,OAAO;YACV,GAAG;YACH,SAAS;SACV,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,UAAU,CACjB,OAA0B,EAC1B,YAA+C,EAC/C,SAAgC,EAChC,QAA8B;IAE9B,MAAM,EAAE,GAAG,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,MAAe,EAAE,CAAC;IAC1E,MAAM,QAAQ,GACZ,SAAS,EAAE,QAAQ,IAAI,QAAQ,EAAE,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC;IAEtE,+DAA+D;IAC/D,IAAI,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC,gBAAgB,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;QAC/E,OAAO;YACL,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,eAAe,OAAO,CAAC,OAAO,IAAI,iBAAiB,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE;YACpF,QAAQ;YACR,KAAK,EAAE,WAAW,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,gBAAgB,MAAM,OAAO,CAAC,YAAY,EAAE;YACzF,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,sDAAsD,CAAC,CAAC,CAAC,SAAS;SACpF,CAAC;IACJ,CAAC;IAED,mEAAmE;IACnE,8DAA8D;IAC9D,IAAI,EAAE,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QAC3B,IAAI,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC;YACtB,OAAO;gBACL,IAAI,EAAE,WAAW;gBACjB,OAAO,EAAE,eAAe;gBACxB,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAE,SAAS,IAAI,CAAC,SAAS,CAAC,QAAQ;oBACrC,CAAC,CAAC,WAAW,SAAS,CAAC,WAAW,oBAAoB;oBACtD,CAAC,CAAC,YAAY,EAAE,CAAC,IAAI,IAAI,OAAO,CAAC,OAAO,EAAE;aAC7C,CAAC;QACJ,CAAC;QACD,OAAO;YACL,IAAI,EAAE,iBAAiB;YACvB,OAAO,EAAE,uBAAuB;YAChC,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,SAAS,IAAI,CAAC,SAAS,CAAC,QAAQ;gBACrC,CAAC,CAAC,iBAAiB,SAAS,CAAC,WAAW,iBAAiB;gBACzD,CAAC,CAAC,aAAa,EAAE,CAAC,IAAI,IAAI,OAAO,CAAC,OAAO,EAAE;YAC7C,IAAI,EAAE,oEAAoE;SAC3E,CAAC;IACJ,CAAC;IAED,oEAAoE;IACpE,gEAAgE;IAChE,qDAAqD;IACrD,IAAI,EAAE,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QACvB,OAAO;YACL,IAAI,EAAE,WAAW;YACjB,OAAO,EAAE,eAAe;YACxB,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,SAAS,IAAI,CAAC,SAAS,CAAC,QAAQ;gBACrC,CAAC,CAAC,WAAW,SAAS,CAAC,WAAW,oBAAoB;gBACtD,CAAC,CAAC,YAAY,OAAO,CAAC,OAAO,oBAAoB;SACpD,CAAC;IACJ,CAAC;IAED,mEAAmE;IACnE,2DAA2D;IAC3D,4DAA4D;IAC5D,IAAI,CAAC,QAAQ,IAAI,SAAS,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QACnD,OAAO;YACL,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,EAAE;YACX,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,SAAS,OAAO,CAAC,OAAO,WAAW;YAC1C,IAAI,EACF,aAAa,SAAS,CAAC,WAAW,oCAAoC;gBACtE,oDAAoD,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,YAAY,GAAG;SACjG,CAAC;IACJ,CAAC;IAED,OAAO;QACL,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,EAAE;QACX,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,qBAAqB;QAC5B,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,gDAAgD,CAAC,CAAC,CAAC,SAAS;KAC9E,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,cAAc,CAAC,QAA6B;IAC1D,MAAM,OAAO,GAAG,IAAI,GAAG,EAA+B,CAAC;IAEvD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,CAAC,GAAG;YAAE,SAAS;QACrB,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,KAAK,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,KAAK,UAAU;YAAE,SAAS;QACjE,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;QAC9C,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QACpC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACb,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACzB,CAAC;IAED,MAAM,GAAG,GAAe,EAAE,CAAC;IAC3B,KAAK,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,OAAO,EAAE,CAAC;QAClC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAChC,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,GAAG,GAAG,KAAK,CAAC,GAAI,CAAC;QACvB,MAAM,QAAQ,GAAG,KAAK,CAAC,SAAS,EAAE,WAAW,IAAI,KAAK,CAAC,OAAO,CAAC;QAC/D,MAAM,WAAW,GACf,KAAK,CAAC,SAAS,EAAE,oBAAoB,IAAI,KAAK,CAAC,gBAAgB,CAAC;QAClE,MAAM,SAAS,GAAG,kBAAkB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAC1B,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CACT,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,EACrE,MAAM,CACP,CAAC;QACF,MAAM,YAAY,GAAG,yBAAyB,CAAC,IAAI,CAAC,CAAC;QAErD,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,MAAM,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE;YACvC,OAAO,EAAE,QAAQ;YACjB,WAAW;YACX,SAAS;YACT,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,QAAQ;YACR,UAAU,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACjC,GAAG;YACH,YAAY;SACb,CAAC,CAAC;IACL,CAAC;IAED,yEAAyE;IACzE,kEAAkE;IAClE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAChB,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;YAChD,OAAO,CAAC,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC;QACnD,CAAC;QACD,IAAI,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9D,OAAO,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACjE,CAAC;QACD,OAAO,gBAAgB,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,gBAAgB,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,OAAO,GAAG,CAAC;AACb,CAAC;AAED,2EAA2E;AAC3E,UAAU;AACV,2EAA2E;AAE3E;;;;;GAKG;AACH,SAAS,kBAAkB,CAAC,GAAY,EAAE,OAA0B;IAClE,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC3B,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACzC,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAC/D,CAAC;IACD,OAAO,OAAO,CAAC,YAAY,IAAI,QAAQ,CAAC;AAC1C,CAAC;AAED,SAAS,yBAAyB,CAChC,QAA6B;IAE7B,IAAI,IAAI,GAAW,CAAC,CAAC,CAAC;IACtB,IAAI,KAAqE,CAAC;IAC1E,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,CAAC,CAAC,YAAY,EAAE,KAAK,CAAC;QAClC,IAAI,CAAC,GAAG;YAAE,SAAS;QACnB,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,IAAI,GAAG,IAAI,EAAE,CAAC;YAChB,IAAI,GAAG,IAAI,CAAC;YACZ,KAAK,GAAG,GAAG,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,gBAAgB,CACvB,CAAiE;IAEjE,QAAQ,CAAC,EAAE,CAAC;QACV,KAAK,WAAW;YACd,OAAO,CAAC,CAAC;QACX,KAAK,QAAQ;YACX,OAAO,CAAC,CAAC;QACX,KAAK,SAAS;YACZ,OAAO,CAAC,CAAC;QACX,KAAK,aAAa;YAChB,OAAO,CAAC,CAAC;QACX;YACE,OAAO,CAAC,CAAC,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,iBAAiB,CAAC,OAAe;IACxC,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACpC,+DAA+D;QAC/D,4DAA4D;QAC5D,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC;IAC7C,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,SAAS,OAAO,CAAC,KAAa;IAC5B,IAAI,CAAC,GAAG,UAAU,CAAC;IACnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QACzB,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;AAChC,CAAC;AAED;;;;;;GAMG;AACH,SAAS,aAAa,CAAC,IAAY,EAAE,EAAU;IAC7C,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,OAAO,GAAG,YAAY,CAAC,EAAE,CAAC,CAAC;IACjC,IAAI,SAAS,KAAK,IAAI,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IACzD,OAAO,OAAO,GAAG,SAAS,CAAC;AAC7B,CAAC;AAED,SAAS,YAAY,CAAC,OAAe;IACnC,oEAAoE;IACpE,2BAA2B;IAC3B,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAC5C,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACpB,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC7B,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACvC,CAAC"}

package/dist/security/fix-runner.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Spawn a fix command (`npm install pkg@ver`, `npm audit fix`, or
+ * `npm audit fix --force`) in the host project's cwd and stream its
+ * output back to the engine line-by-line.
+ *
+ * The runner is intentionally policy-free: it neither decides what
+ * command to run (that's the fix-resolver's job) nor what to do with
+ * the result (the engine triggers a rescan). It just owns spawning,
+ * timeouts, buffer caps, and line splitting.
+ *
+ * **Safety constraints**
+ *   - Only commands matching a small allow-list of fix kinds run. The
+ *     command string from the WS message is never forwarded to the
+ *     shell verbatim; the runner re-builds the argv from a vetted
+ *     `kind` enum + optional `pkg@version` tuple.
+ *   - 10 min hard timeout. `npm install` over a slow network can easily
+ *     take a few minutes; anything beyond that is a hung process.
+ *   - 4 MB stdout / 256 KB stderr caps so a runaway can't OOM the agent.
+ */
+/** Lifecycle states surfaced to the UI for the "fix in progress" banner. */
+export type FixState = 'running' | 'success' | 'error';
+/** Caller-supplied identifier echoed in progress/result frames. */
+export type FixTargetId = string;
+/** The discrete kinds of fix invocations the runner will accept. */
+export type FixCommandKind = 'install' | 'audit-fix' | 'audit-fix-force';
+export interface FixRunInput {
+    cwd: string;
+    kind: FixCommandKind;
+    /** Required for `kind: 'install'`. */
+    package?: string;
+    /** Required for `kind: 'install'`. */
+    version?: string;
+    /** Identifier echoed back via progress/result frames. */
+    targetId: FixTargetId;
+}
+export interface FixRunResult {
+    state: FixState;
+    exitCode: number | null;
+    command: string;
+    durationMs: number;
+    stdoutTail: string;
+    stderrTail: string;
+}
+export type FixProgressHandler = (line: string, stream: 'stdout' | 'stderr') => void;
+/**
+ * Build the argv for `kind`. Returns `null` for an invalid input so
+ * callers can fail fast without spawning anything.
+ */
+export declare function buildFixArgs(input: FixRunInput): {
+    cmd: string;
+    args: string[];
+    pretty: string;
+} | null;
+/**
+ * Spawn the fix command, stream line-by-line progress through
+ * `onProgress`, and resolve with the captured tails once the child
+ * exits or the timeout fires.
+ */
+export declare function runFix(input: FixRunInput, onProgress: FixProgressHandler): Promise<FixRunResult>;
+//# sourceMappingURL=fix-runner.d.ts.map

package/dist/security/fix-runner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fix-runner.d.ts","sourceRoot":"","sources":["../../src/security/fix-runner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAIH,4EAA4E;AAC5E,MAAM,MAAM,QAAQ,GAAG,SAAS,GAAG,SAAS,GAAG,OAAO,CAAC;AAEvD,mEAAmE;AACnE,MAAM,MAAM,WAAW,GAAG,MAAM,CAAC;AAEjC,oEAAoE;AACpE,MAAM,MAAM,cAAc,GACtB,SAAS,GACT,WAAW,GACX,iBAAiB,CAAC;AAEtB,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,cAAc,CAAC;IACrB,sCAAsC;IACtC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,sCAAsC;IACtC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,QAAQ,EAAE,WAAW,CAAC;CACvB;AAED,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,QAAQ,CAAC;IAChB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,MAAM,kBAAkB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,GAAG,QAAQ,KAAK,IAAI,CAAC;AAOrF;;;GAGG;AACH,wBAAgB,YAAY,CAC1B,KAAK,EAAE,WAAW,GACjB;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,EAAE,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAwBxD;AAED;;;;GAIG;AACH,wBAAgB,MAAM,CACpB,KAAK,EAAE,WAAW,EAClB,UAAU,EAAE,kBAAkB,GAC7B,OAAO,CAAC,YAAY,CAAC,CA8GvB"}

package/dist/security/fix-runner.js

@@ -0,0 +1,188 @@
+/**
+ * Spawn a fix command (`npm install pkg@ver`, `npm audit fix`, or
+ * `npm audit fix --force`) in the host project's cwd and stream its
+ * output back to the engine line-by-line.
+ *
+ * The runner is intentionally policy-free: it neither decides what
+ * command to run (that's the fix-resolver's job) nor what to do with
+ * the result (the engine triggers a rescan). It just owns spawning,
+ * timeouts, buffer caps, and line splitting.
+ *
+ * **Safety constraints**
+ *   - Only commands matching a small allow-list of fix kinds run. The
+ *     command string from the WS message is never forwarded to the
+ *     shell verbatim; the runner re-builds the argv from a vetted
+ *     `kind` enum + optional `pkg@version` tuple.
+ *   - 10 min hard timeout. `npm install` over a slow network can easily
+ *     take a few minutes; anything beyond that is a hung process.
+ *   - 4 MB stdout / 256 KB stderr caps so a runaway can't OOM the agent.
+ */
+import { spawn } from 'node:child_process';
+/** Hard cap for an in-flight fix command (10 min). */
+const FIX_TIMEOUT_MS = 10 * 60 * 1000;
+const MAX_STDOUT_BYTES = 4 * 1024 * 1024;
+const MAX_STDERR_BYTES = 256 * 1024;
+/**
+ * Build the argv for `kind`. Returns `null` for an invalid input so
+ * callers can fail fast without spawning anything.
+ */
+export function buildFixArgs(input) {
+    switch (input.kind) {
+        case 'install': {
+            if (!input.package || !input.version)
+                return null;
+            // Keep the *exact* spec the resolver emitted — quoting is not
+            // needed for spawn() because we bypass the shell.
+            const spec = `${input.package}@${input.version}`;
+            return {
+                cmd: 'npm',
+                args: ['install', spec],
+                pretty: `npm install ${spec}`,
+            };
+        }
+        case 'audit-fix':
+            return { cmd: 'npm', args: ['audit', 'fix'], pretty: 'npm audit fix' };
+        case 'audit-fix-force':
+            return {
+                cmd: 'npm',
+                args: ['audit', 'fix', '--force'],
+                pretty: 'npm audit fix --force',
+            };
+        default:
+            return null;
+    }
+}
+/**
+ * Spawn the fix command, stream line-by-line progress through
+ * `onProgress`, and resolve with the captured tails once the child
+ * exits or the timeout fires.
+ */
+export function runFix(input, onProgress) {
+    return new Promise((resolve) => {
+        const argv = buildFixArgs(input);
+        if (!argv) {
+            resolve({
+                state: 'error',
+                exitCode: null,
+                command: '',
+                durationMs: 0,
+                stdoutTail: '',
+                stderrTail: 'Invalid fix command (missing package/version for install).',
+            });
+            return;
+        }
+        const started = Date.now();
+        let child;
+        try {
+            child = spawn(argv.cmd, argv.args, {
+                cwd: input.cwd,
+                // npm on Windows is `npm.cmd`; the shell flag lets the OS resolve it.
+                shell: process.platform === 'win32',
+                env: process.env,
+            });
+        }
+        catch (err) {
+            resolve({
+                state: 'error',
+                exitCode: null,
+                command: argv.pretty,
+                durationMs: 0,
+                stdoutTail: '',
+                stderrTail: err.message || 'failed to spawn npm',
+            });
+            return;
+        }
+        let stdoutBytes = 0;
+        let stderrBytes = 0;
+        let stdoutTail = '';
+        let stderrTail = '';
+        // Line buffer: hold partial lines across chunk boundaries so the UI
+        // never sees a half-formed log entry. Flush on newline.
+        let pendingOut = '';
+        let pendingErr = '';
+        child.stdout?.on('data', (chunk) => {
+            stdoutBytes += chunk.length;
+            const text = chunk.toString('utf-8');
+            if (stdoutBytes <= MAX_STDOUT_BYTES) {
+                stdoutTail += text;
+                if (stdoutTail.length > MAX_STDOUT_BYTES) {
+                    stdoutTail = stdoutTail.slice(-MAX_STDOUT_BYTES);
+                }
+            }
+            pendingOut += text;
+            pendingOut = flushLines(pendingOut, (line) => onProgress(line, 'stdout'));
+        });
+        child.stderr?.on('data', (chunk) => {
+            stderrBytes += chunk.length;
+            const text = chunk.toString('utf-8');
+            if (stderrBytes <= MAX_STDERR_BYTES) {
+                stderrTail += text;
+                if (stderrTail.length > MAX_STDERR_BYTES) {
+                    stderrTail = stderrTail.slice(-MAX_STDERR_BYTES);
+                }
+            }
+            pendingErr += text;
+            pendingErr = flushLines(pendingErr, (line) => onProgress(line, 'stderr'));
+        });
+        let settled = false;
+        const settle = (state, code) => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timer);
+            // Flush any trailing partial line.
+            if (pendingOut.trim().length > 0)
+                onProgress(pendingOut.trim(), 'stdout');
+            if (pendingErr.trim().length > 0)
+                onProgress(pendingErr.trim(), 'stderr');
+            resolve({
+                state,
+                exitCode: code,
+                command: argv.pretty,
+                durationMs: Date.now() - started,
+                stdoutTail,
+                stderrTail,
+            });
+        };
+        const timer = setTimeout(() => {
+            try {
+                child.kill('SIGTERM');
+            }
+            catch {
+                // Process already exited — ignore.
+            }
+            // Give it a beat to clean up before we resolve as an error.
+            setTimeout(() => settle('error', null), 250);
+        }, FIX_TIMEOUT_MS);
+        child.on('error', () => settle('error', null));
+        child.on('close', (code) => {
+            // npm install exits 0 on success. npm audit fix exits 0 on full
+            // remediation; non-zero when issues remain (which from the
+            // user's POV may still be progress). We treat any non-zero exit
+            // as `error` so the UI surfaces it, but the rescan that follows
+            // will accurately show the new state.
+            settle(code === 0 ? 'success' : 'error', code ?? null);
+        });
+    });
+}
+/**
+ * Split `buffer` on newlines, hand each complete line to `onLine`, and
+ * return whatever partial line remains for next time.
+ */
+function flushLines(buffer, onLine) {
+    let start = 0;
+    for (let i = 0; i < buffer.length; i++) {
+        const ch = buffer.charCodeAt(i);
+        if (ch !== 10 && ch !== 13)
+            continue; // \n or \r
+        const line = buffer.slice(start, i);
+        if (line.length > 0)
+            onLine(line);
+        // Skip CRLF as a unit.
+        if (ch === 13 && buffer.charCodeAt(i + 1) === 10)
+            i++;
+        start = i + 1;
+    }
+    return buffer.slice(start);
+}
+//# sourceMappingURL=fix-runner.js.map

package/dist/security/fix-runner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fix-runner.js","sourceRoot":"","sources":["../../src/security/fix-runner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,KAAK,EAAqB,MAAM,oBAAoB,CAAC;AAoC9D,sDAAsD;AACtD,MAAM,cAAc,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AACtC,MAAM,gBAAgB,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;AACzC,MAAM,gBAAgB,GAAG,GAAG,GAAG,IAAI,CAAC;AAEpC;;;GAGG;AACH,MAAM,UAAU,YAAY,CAC1B,KAAkB;IAElB,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,IAAI,CAAC,KAAK,CAAC,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO;gBAAE,OAAO,IAAI,CAAC;YAClD,8DAA8D;YAC9D,kDAAkD;YAClD,MAAM,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YACjD,OAAO;gBACL,GAAG,EAAE,KAAK;gBACV,IAAI,EAAE,CAAC,SAAS,EAAE,IAAI,CAAC;gBACvB,MAAM,EAAE,eAAe,IAAI,EAAE;aAC9B,CAAC;QACJ,CAAC;QACD,KAAK,WAAW;YACd,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;QACzE,KAAK,iBAAiB;YACpB,OAAO;gBACL,GAAG,EAAE,KAAK;gBACV,IAAI,EAAE,CAAC,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC;gBACjC,MAAM,EAAE,uBAAuB;aAChC,CAAC;QACJ;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,MAAM,CACpB,KAAkB,EAClB,UAA8B;IAE9B,OAAO,IAAI,OAAO,CAAe,CAAC,OAAO,EAAE,EAAE;QAC3C,MAAM,IAAI,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QACjC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,CAAC;gBACN,KAAK,EAAE,OAAO;gBACd,QAAQ,EAAE,IAAI;gBACd,OAAO,EAAE,EAAE;gBACX,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,EAAE;gBACd,UAAU,EAAE,4DAA4D;aACzE,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC3B,IAAI,KAAmB,CAAC;QACxB,IAAI,CAAC;YACH,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,EAAE;gBACjC,GAAG,EAAE,KAAK,CAAC,GAAG;gBACd,sEAAsE;gBACtE,KAAK,EAAE,OAAO,CAAC,QAAQ,KAAK,OAAO;gBACnC,GAAG,EAAE,OAAO,CAAC,GAAG;aACjB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC;gBACN,KAAK,EAAE,OAAO;gBACd,QAAQ,EAAE,IAAI;gBACd,OAAO,EAAE,IAAI,CAAC,MAAM;gBACpB,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,EAAE;gBACd,UAAU,EAAG,GAAa,CAAC,OAAO,IAAI,qBAAqB;aAC5D,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,IAAI,UAAU,GAAG,EAAE,CAAC;QACpB,IAAI,UAAU,GAAG,EAAE,CAAC;QAEpB,oEAAoE;QACpE,wDAAwD;QACxD,IAAI,UAAU,GAAG,EAAE,CAAC;QACpB,IAAI,UAAU,GAAG,EAAE,CAAC;QAEpB,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACzC,WAAW,IAAI,KAAK,CAAC,MAAM,CAAC;YAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACrC,IAAI,WAAW,IAAI,gBAAgB,EAAE,CAAC;gBACpC,UAAU,IAAI,IAAI,CAAC;gBACnB,IAAI,UAAU,CAAC,MAAM,GAAG,gBAAgB,EAAE,CAAC;oBACzC,UAAU,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,gBAAgB,CAAC,CAAC;gBACnD,CAAC;YACH,CAAC;YACD,UAAU,IAAI,IAAI,CAAC;YACnB,UAAU,GAAG,UAAU,CAAC,UAAU,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC5E,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACzC,WAAW,IAAI,KAAK,CAAC,MAAM,CAAC;YAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACrC,IAAI,WAAW,IAAI,gBAAgB,EAAE,CAAC;gBACpC,UAAU,IAAI,IAAI,CAAC;gBACnB,IAAI,UAAU,CAAC,MAAM,GAAG,gBAAgB,EAAE,CAAC;oBACzC,UAAU,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,gBAAgB,CAAC,CAAC;gBACnD,CAAC;YACH,CAAC;YACD,UAAU,IAAI,IAAI,CAAC;YACnB,UAAU,GAAG,UAAU,CAAC,UAAU,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC5E,CAAC,CAAC,CAAC;QAEH,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,MAAM,GAAG,CAAC,KAAe,EAAE,IAAmB,EAAE,EAAE;YACtD,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,mCAAmC;YACnC,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;gBAAE,UAAU,CAAC,UAAU,CAAC,IAAI,EAAE,EAAE,QAAQ,CAAC,CAAC;YAC1E,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;gBAAE,UAAU,CAAC,UAAU,CAAC,IAAI,EAAE,EAAE,QAAQ,CAAC,CAAC;YAC1E,OAAO,CAAC;gBACN,KAAK;gBACL,QAAQ,EAAE,IAAI;gBACd,OAAO,EAAE,IAAI,CAAC,MAAM;gBACpB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO;gBAChC,UAAU;gBACV,UAAU;aACX,CAAC,CAAC;QACL,CAAC,CAAC;QAEF,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,IAAI,CAAC;gBACH,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,mCAAmC;YACrC,CAAC;YACD,4DAA4D;YAC5D,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC;QAC/C,CAAC,EAAE,cAAc,CAAC,CAAC;QAEnB,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC;QAC/C,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACzB,gEAAgE;YAChE,2DAA2D;YAC3D,gEAAgE;YAChE,gEAAgE;YAChE,sCAAsC;YACtC,MAAM,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,EAAE,IAAI,IAAI,IAAI,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAS,UAAU,CAAC,MAAc,EAAE,MAA8B;IAChE,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,EAAE,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAChC,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE;YAAE,SAAS,CAAC,WAAW;QACjD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACpC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QAClC,uBAAuB;QACvB,IAAI,EAAE,KAAK,EAAE,IAAI,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE;YAAE,CAAC,EAAE,CAAC;QACtD,KAAK,GAAG,CAAC,GAAG,CAAC,CAAC;IAChB,CAAC;IACD,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AAC7B,CAAC"}