@expressots/studio-agent 4.0.0-preview.1

package/dist/security/index.d.ts

@@ -0,0 +1,140 @@
+/**
+ * Security engine — orchestrates supply-chain scanning (npm audit +
+ * OSV) and runtime posture analysis, packages the result into a single
+ * `SecurityReport`, and offers a debounced re-run hook the agent can
+ * call on each new exchange/log without breaking the host event loop.
+ *
+ * The engine is intentionally framework-free: it takes plain snapshot
+ * functions from the agent and emits reports to a listener. That makes
+ * it trivially testable and keeps the security policy (debounce,
+ * change detection, gating on connected clients) firmly in the agent
+ * itself — the engine just provides the data.
+ */
+import type { AppStructure, FixProgressMessage, FixResultMessage, RecordedExchange, RouteInfo, SecurityReport } from '../types/index.js';
+import type { LogEntry } from '../logging/log-capture.js';
+/**
+ * Snapshot accessors the engine reads on each pass. Functions, not
+ * snapshot objects, so we always see the freshest state without the
+ * agent having to thread updates through.
+ */
+export interface SecurityEngineDeps {
+    cwd: string;
+    dbPath: string;
+    getRoutes: () => RouteInfo[];
+    getStructure: () => AppStructure | null;
+    getExchanges: () => RecordedExchange[];
+    getLogs: () => LogEntry[];
+}
+export type SecurityReportListener = (report: SecurityReport) => void;
+/**
+ * Hook the engine calls during an "Apply fix" run so the agent can
+ * stream output back to the UI. Kept as a callback (not a listener
+ * registered via `onReport`) because progress is per-call, not a
+ * global subscription.
+ */
+export type FixProgressListener = (msg: FixProgressMessage) => void;
+/**
+ * Input to `applyFix` — references either a single finding (`findingId`)
+ * or a fix group (`fixGroupId`). When the request can't be resolved
+ * (stale id, no matching fix), the engine resolves with `success: false`
+ * and an explanatory `summary` rather than throwing.
+ */
+export interface ApplyFixInput {
+    targetKind: 'finding' | 'fix-group';
+    /** ID of the target — either `FixGroup.id` or `DependencyFinding.id`. */
+    targetId: string;
+    /** Set to true to allow semver-major upgrades (`--force`). */
+    allowMajor?: boolean;
+}
+export declare class SecurityEngine {
+    private readonly deps;
+    private readonly osvClient;
+    private readonly osvCache;
+    private lastDependencies;
+    private lastFixGroups;
+    private lastFixAvailability;
+    private lastLockfile;
+    private lastReachability;
+    private lastReport;
+    private lastHash;
+    private listener;
+    private postureTimer;
+    /**
+     * Start in `running` so a freshly-connected UI doesn't briefly show
+     * "no vulnerabilities" before the first scan completes. The engine
+     * flips this to `idle` / `error` when `runFullScan` finishes.
+     */
+    private auditState;
+    private auditError;
+    private missingLockfile;
+    private auditInFlight;
+    /** State of an in-flight Apply-fix job (one at a time). */
+    private fixState;
+    private fixInFlight;
+    constructor(deps: SecurityEngineDeps);
+    /** Subscribe to security report transitions. Only one listener supported. */
+    onReport(listener: SecurityReportListener): void;
+    /** Latest known report (always safe — initialised to an empty one). */
+    getReport(): SecurityReport;
+    /**
+     * Run a full scan: `npm audit` + OSV.dev + posture analysis. Safe to
+     * call repeatedly — concurrent calls coalesce onto the in-flight
+     * promise so we never spawn two `npm audit` children at once.
+     */
+    runFullScan(): Promise<void>;
+    /**
+     * Apply an enrichment pipeline against the latest snapshots. Split
+     * out so `scheduleRefresh` can re-run reachability against fresh
+     * exchanges without re-fetching OSV / re-running npm audit.
+     */
+    private enrichDependencies;
+    /**
+     * Notify the engine that some upstream state likely changed (a new
+     * exchange, log line, etc.). Debounced — multiple calls inside the
+     * debounce window collapse to a single posture pass.
+     */
+    scheduleRefresh(): void;
+    /** Cancel any pending refresh — called from `StudioAgent.stop()`. */
+    stop(): void;
+    /**
+     * Rebuild the report from current state and emit if its finding-id
+     * hash changed (or if the scan state changed). This is the single
+     * point where we decide whether to disturb the WS stream.
+     *
+     * On a posture-only refresh we also re-run reachability against the
+     * latest exchange buffer so the chips ("confirmed: 5 hits") update
+     * without a full audit.
+     */
+    private rebuildAndEmit;
+    /** Emit a transient "scan running / error" frame even when findings haven't changed. */
+    private emitProgress;
+    /**
+     * Apply a remediation. The caller (agent) wires the per-line progress
+     * callback into a `fix_progress` WS broadcast. Returns the final
+     * `FixResultMessage` once the spawned command exits.
+     *
+     * The method enforces two invariants:
+     *   1. Only one fix runs at a time (`fixInFlight` is awaited).
+     *   2. After every fix attempt — success or failure — we trigger a
+     *      full rescan. The post-scan `security` frame is what tells the
+     *      UI whether the change actually cleared the advisory.
+     */
+    applyFix(input: ApplyFixInput, onProgress: FixProgressListener): Promise<FixResultMessage>;
+    /**
+     * Look up the FixSpec corresponding to the user's request and convert
+     * it into the argv tuple `runFix` expects. Returns `null` for unknown
+     * ids / nothing-to-do specs.
+     */
+    private resolveFixTarget;
+    private snapshotScanState;
+}
+export { OsvCache } from './osv-cache.js';
+export { OsvClient } from './osv-client.js';
+export { runNpmAudit } from './npm-audit.js';
+export { analyzePosture } from './posture-analyzer.js';
+export { buildSecurityReport, hashFindingIds, emptyReport } from './score.js';
+export { LockfileGraph } from './lockfile-graph.js';
+export { enrichFindings as enrichFindingsWithFixes, buildFixGroups, } from './fix-resolver.js';
+export { buildReachabilitySnapshot, enrichWithReachability, } from './reachability.js';
+export { runFix, buildFixArgs } from './fix-runner.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/security/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,OAAO,KAAK,EACV,YAAY,EAGZ,kBAAkB,EAClB,gBAAgB,EAEhB,gBAAgB,EAChB,SAAS,EACT,cAAc,EACf,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAiC1D;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,SAAS,EAAE,CAAC;IAC7B,YAAY,EAAE,MAAM,YAAY,GAAG,IAAI,CAAC;IACxC,YAAY,EAAE,MAAM,gBAAgB,EAAE,CAAC;IACvC,OAAO,EAAE,MAAM,QAAQ,EAAE,CAAC;CAC3B;AAED,MAAM,MAAM,sBAAsB,GAAG,CAAC,MAAM,EAAE,cAAc,KAAK,IAAI,CAAC;AAEtE;;;;;GAKG;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,GAAG,EAAE,kBAAkB,KAAK,IAAI,CAAC;AAEpE;;;;;GAKG;AACH,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,SAAS,GAAG,WAAW,CAAC;IACpC,yEAAyE;IACzE,QAAQ,EAAE,MAAM,CAAC;IACjB,8DAA8D;IAC9D,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,qBAAa,cAAc;IA2Bb,OAAO,CAAC,QAAQ,CAAC,IAAI;IA1BjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAY;IACtC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAW;IAEpC,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,aAAa,CAAkB;IACvC,OAAO,CAAC,mBAAmB,CAAgD;IAC3E,OAAO,CAAC,YAAY,CAA8B;IAClD,OAAO,CAAC,gBAAgB,CAAqC;IAC7D,OAAO,CAAC,UAAU,CAAiB;IACnC,OAAO,CAAC,QAAQ,CAAM;IACtB,OAAO,CAAC,QAAQ,CAAuC;IAEvD,OAAO,CAAC,YAAY,CAA8C;IAClE;;;;OAIG;IACH,OAAO,CAAC,UAAU,CAAmD;IACrE,OAAO,CAAC,UAAU,CAAqB;IACvC,OAAO,CAAC,eAAe,CAAS;IAChC,OAAO,CAAC,aAAa,CAA8B;IACnD,2DAA2D;IAC3D,OAAO,CAAC,QAAQ,CAAiD;IACjE,OAAO,CAAC,WAAW,CAA0C;gBAEhC,IAAI,EAAE,kBAAkB;IAMrD,6EAA6E;IAC7E,QAAQ,CAAC,QAAQ,EAAE,sBAAsB,GAAG,IAAI;IAIhD,uEAAuE;IACvE,SAAS,IAAI,cAAc;IAI3B;;;;OAIG;IACG,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC;IAmDlC;;;;OAIG;IACH,OAAO,CAAC,kBAAkB;IAgB1B;;;;OAIG;IACH,eAAe,IAAI,IAAI;IAQvB,qEAAqE;IACrE,IAAI,IAAI,IAAI;IAQZ;;;;;;;;OAQG;IACH,OAAO,CAAC,cAAc;IA4CtB,wFAAwF;IACxF,OAAO,CAAC,YAAY;IAkBpB;;;;;;;;;;OAUG;IACG,QAAQ,CACZ,KAAK,EAAE,aAAa,EACpB,UAAU,EAAE,mBAAmB,GAC9B,OAAO,CAAC,gBAAgB,CAAC;IA4F5B;;;;OAIG;IACH,OAAO,CAAC,gBAAgB;IAgDxB,OAAO,CAAC,iBAAiB;CAW1B;AAkHD,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAC9E,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EACL,cAAc,IAAI,uBAAuB,EACzC,cAAc,GACf,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,yBAAyB,EACzB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/security/index.js

@@ -0,0 +1,460 @@
+/**
+ * Security engine — orchestrates supply-chain scanning (npm audit +
+ * OSV) and runtime posture analysis, packages the result into a single
+ * `SecurityReport`, and offers a debounced re-run hook the agent can
+ * call on each new exchange/log without breaking the host event loop.
+ *
+ * The engine is intentionally framework-free: it takes plain snapshot
+ * functions from the agent and emits reports to a listener. That makes
+ * it trivially testable and keeps the security policy (debounce,
+ * change detection, gating on connected clients) firmly in the agent
+ * itself — the engine just provides the data.
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { runNpmAudit, } from './npm-audit.js';
+import { OsvClient } from './osv-client.js';
+import { OsvCache } from './osv-cache.js';
+import { analyzePosture } from './posture-analyzer.js';
+import { buildSecurityReport, emptyReport, hashFindingIds, } from './score.js';
+import { LockfileGraph } from './lockfile-graph.js';
+import { buildFixGroups, enrichFindings, } from './fix-resolver.js';
+import { buildReachabilitySnapshot, enrichWithReachability, } from './reachability.js';
+import { buildFixArgs, runFix, } from './fix-runner.js';
+/** How often the engine will re-run posture analysis on event-driven triggers. */
+const POSTURE_DEBOUNCE_MS = 2000;
+export class SecurityEngine {
+    deps;
+    osvClient;
+    osvCache;
+    lastDependencies = [];
+    lastFixGroups = [];
+    lastFixAvailability = new Map();
+    lastLockfile = null;
+    lastReachability = null;
+    lastReport;
+    lastHash = '';
+    listener = null;
+    postureTimer = null;
+    /**
+     * Start in `running` so a freshly-connected UI doesn't briefly show
+     * "no vulnerabilities" before the first scan completes. The engine
+     * flips this to `idle` / `error` when `runFullScan` finishes.
+     */
+    auditState = 'running';
+    auditError;
+    missingLockfile = false;
+    auditInFlight = null;
+    /** State of an in-flight Apply-fix job (one at a time). */
+    fixState = undefined;
+    fixInFlight = null;
+    constructor(deps) {
+        this.deps = deps;
+        this.osvCache = new OsvCache(deps.dbPath);
+        this.osvClient = new OsvClient(this.osvCache);
+        this.lastReport = emptyReport(this.snapshotScanState(0));
+    }
+    /** Subscribe to security report transitions. Only one listener supported. */
+    onReport(listener) {
+        this.listener = listener;
+    }
+    /** Latest known report (always safe — initialised to an empty one). */
+    getReport() {
+        return this.lastReport;
+    }
+    /**
+     * Run a full scan: `npm audit` + OSV.dev + posture analysis. Safe to
+     * call repeatedly — concurrent calls coalesce onto the in-flight
+     * promise so we never spawn two `npm audit` children at once.
+     */
+    async runFullScan() {
+        if (this.auditInFlight)
+            return this.auditInFlight;
+        this.auditInFlight = (async () => {
+            this.auditState = 'running';
+            this.auditError = undefined;
+            this.emitProgress();
+            const audit = await runNpmAudit(this.deps.cwd);
+            this.missingLockfile = audit.state === 'missing-lockfile';
+            this.lastFixAvailability = audit.fixAvailability;
+            if (audit.state === 'error') {
+                this.auditState = 'error';
+                this.auditError = audit.error;
+            }
+            else {
+                this.auditState = 'idle';
+            }
+            let osvFindings = [];
+            if (audit.state === 'ok') {
+                try {
+                    const packages = readInstalledPackages(this.deps.cwd);
+                    osvFindings = await this.osvClient.lookup(packages);
+                }
+                catch {
+                    // OSV failures degrade gracefully — we still ship npm audit findings.
+                }
+            }
+            // Reconcile npm + OSV first; then enrich with lockfile root-cause
+            // analysis; then with reachability. The enrichment passes are pure
+            // functions of (findings, snapshot) so order is deterministic.
+            const reconciled = reconcileDependencyFindings(audit.findings, osvFindings);
+            this.lastLockfile = LockfileGraph.load(this.deps.cwd);
+            this.lastReachability = await buildReachabilitySnapshot(this.deps.cwd, this.deps.getStructure());
+            this.lastDependencies = this.enrichDependencies(reconciled);
+            this.lastFixGroups = buildFixGroups(this.lastDependencies);
+            this.rebuildAndEmit();
+        })();
+        try {
+            await this.auditInFlight;
+        }
+        finally {
+            this.auditInFlight = null;
+        }
+    }
+    /**
+     * Apply an enrichment pipeline against the latest snapshots. Split
+     * out so `scheduleRefresh` can re-run reachability against fresh
+     * exchanges without re-fetching OSV / re-running npm audit.
+     */
+    enrichDependencies(findings) {
+        const withFix = enrichFindings(findings, this.lastFixAvailability, this.lastLockfile);
+        if (!this.lastReachability)
+            return withFix;
+        return enrichWithReachability(withFix, this.lastReachability, this.deps.getExchanges());
+    }
+    /**
+     * Notify the engine that some upstream state likely changed (a new
+     * exchange, log line, etc.). Debounced — multiple calls inside the
+     * debounce window collapse to a single posture pass.
+     */
+    scheduleRefresh() {
+        if (this.postureTimer)
+            return;
+        this.postureTimer = setTimeout(() => {
+            this.postureTimer = null;
+            this.rebuildAndEmit();
+        }, POSTURE_DEBOUNCE_MS);
+    }
+    /** Cancel any pending refresh — called from `StudioAgent.stop()`. */
+    stop() {
+        if (this.postureTimer) {
+            clearTimeout(this.postureTimer);
+            this.postureTimer = null;
+        }
+        this.osvCache.flush();
+    }
+    /**
+     * Rebuild the report from current state and emit if its finding-id
+     * hash changed (or if the scan state changed). This is the single
+     * point where we decide whether to disturb the WS stream.
+     *
+     * On a posture-only refresh we also re-run reachability against the
+     * latest exchange buffer so the chips ("confirmed: 5 hits") update
+     * without a full audit.
+     */
+    rebuildAndEmit() {
+        const posture = analyzePosture({
+            routes: this.deps.getRoutes(),
+            structure: this.deps.getStructure(),
+            exchanges: this.deps.getExchanges(),
+            logs: this.deps.getLogs(),
+        });
+        // Light-touch refresh: reachability snapshot only depends on src/
+        // (rarely changes during a session) so we reuse the cached one,
+        // but we re-run `enrichWithReachability` to fold in the latest
+        // exchange counts.
+        if (this.lastReachability && this.lastDependencies.length > 0) {
+            this.lastDependencies = enrichWithReachability(this.lastDependencies, this.lastReachability, this.deps.getExchanges());
+            // Reachability changes can move findings between groups (severity
+            // tie-break uses reachability), so we rebuild groups too.
+            this.lastFixGroups = buildFixGroups(this.lastDependencies);
+        }
+        const report = buildSecurityReport({
+            dependencies: this.lastDependencies,
+            posture,
+            fixGroups: this.lastFixGroups,
+            scanState: this.snapshotScanState(Date.now()),
+        });
+        const nextHash = hashFindingIds(report) +
+            '|' +
+            scanStateHash(report.scanState) +
+            '|' +
+            hashReachability(report.dependencies);
+        this.lastReport = report;
+        if (nextHash !== this.lastHash) {
+            this.lastHash = nextHash;
+            this.listener?.(report);
+        }
+    }
+    /** Emit a transient "scan running / error" frame even when findings haven't changed. */
+    emitProgress() {
+        const report = buildSecurityReport({
+            dependencies: this.lastDependencies,
+            posture: this.lastReport.posture,
+            fixGroups: this.lastFixGroups,
+            scanState: this.snapshotScanState(this.lastReport.scanState.postureLastRunAt),
+        });
+        this.lastReport = report;
+        // Force-emit: scan state transitions are user-visible.
+        this.lastHash =
+            hashFindingIds(report) +
+                '|' +
+                scanStateHash(report.scanState) +
+                '|' +
+                hashReachability(report.dependencies);
+        this.listener?.(report);
+    }
+    /**
+     * Apply a remediation. The caller (agent) wires the per-line progress
+     * callback into a `fix_progress` WS broadcast. Returns the final
+     * `FixResultMessage` once the spawned command exits.
+     *
+     * The method enforces two invariants:
+     *   1. Only one fix runs at a time (`fixInFlight` is awaited).
+     *   2. After every fix attempt — success or failure — we trigger a
+     *      full rescan. The post-scan `security` frame is what tells the
+     *      UI whether the change actually cleared the advisory.
+     */
+    async applyFix(input, onProgress) {
+        if (this.fixInFlight) {
+            return {
+                targetId: input.targetId,
+                success: false,
+                exitCode: null,
+                durationMs: 0,
+                command: '',
+                summary: 'Another fix is already running. Please wait.',
+            };
+        }
+        const target = this.resolveFixTarget(input);
+        if (!target) {
+            return {
+                targetId: input.targetId,
+                success: false,
+                exitCode: null,
+                durationMs: 0,
+                command: '',
+                summary: 'Fix target not found. Rescan and try again.',
+            };
+        }
+        const job = (async () => {
+            this.fixState = {
+                state: 'running',
+                targetId: input.targetId,
+                command: target.pretty,
+            };
+            this.emitProgress();
+            const result = await runFix({
+                cwd: this.deps.cwd,
+                kind: target.kind,
+                package: target.package,
+                version: target.version,
+                targetId: input.targetId,
+            }, (line, stream) => onProgress({
+                targetId: input.targetId,
+                stream,
+                line,
+                timestamp: Date.now(),
+            }));
+            const summary = result.state === 'success'
+                ? `${target.pretty} completed in ${(result.durationMs / 1000).toFixed(1)}s`
+                : `${target.pretty} failed (${result.exitCode ?? 'no exit code'})`;
+            const finalMsg = {
+                targetId: input.targetId,
+                success: result.state === 'success',
+                exitCode: result.exitCode,
+                durationMs: result.durationMs,
+                command: result.command || target.pretty,
+                summary,
+                errorTail: result.state === 'success'
+                    ? undefined
+                    : result.stderrTail.slice(-4096) || result.stdoutTail.slice(-4096),
+            };
+            this.fixState = {
+                state: result.state === 'success' ? 'success' : 'error',
+                targetId: input.targetId,
+                command: result.command || target.pretty,
+                error: result.state === 'success' ? undefined : summary,
+            };
+            // Always rescan — even on failure — so the UI agrees with the
+            // lockfile's actual current state, not what we *hoped* would change.
+            await this.runFullScan();
+            // Clear the fix banner once the rescan has updated everything else.
+            this.fixState = undefined;
+            this.emitProgress();
+            return finalMsg;
+        })();
+        this.fixInFlight = job;
+        try {
+            return await job;
+        }
+        finally {
+            this.fixInFlight = null;
+        }
+    }
+    /**
+     * Look up the FixSpec corresponding to the user's request and convert
+     * it into the argv tuple `runFix` expects. Returns `null` for unknown
+     * ids / nothing-to-do specs.
+     */
+    resolveFixTarget(input) {
+        const spec = input.targetKind === 'fix-group'
+            ? this.lastFixGroups.find((g) => g.id === input.targetId)?.fix
+            : this.lastDependencies.find((f) => f.id === input.targetId)?.fix;
+        if (!spec)
+            return null;
+        let kind;
+        switch (spec.kind) {
+            case 'install':
+                kind = 'install';
+                break;
+            case 'audit-fix':
+                kind = 'audit-fix';
+                break;
+            case 'audit-fix-force':
+                kind = input.allowMajor ? 'audit-fix-force' : 'audit-fix-force';
+                break;
+            case 'override':
+            case 'none':
+                return null;
+        }
+        // For `install` we need to break the version out of the command.
+        let pkg;
+        let ver;
+        if (kind === 'install') {
+            const m = spec.command.match(/^npm install\s+(.+?)@([^@]+)$/);
+            if (!m)
+                return null;
+            pkg = m[1].trim();
+            ver = m[2].trim().replace(/^['"]|['"]$/g, '');
+        }
+        const argv = buildFixArgs({
+            cwd: this.deps.cwd,
+            kind,
+            package: pkg,
+            version: ver,
+            targetId: input.targetId,
+        });
+        if (!argv)
+            return null;
+        return { kind, pretty: argv.pretty, package: pkg, version: ver };
+    }
+    snapshotScanState(postureLastRunAt) {
+        return {
+            audit: this.auditState,
+            postureLastRunAt,
+            auditError: this.auditError,
+            missingLockfile: this.missingLockfile || undefined,
+            fix: this.fixState,
+        };
+    }
+}
+/**
+ * Reachability counts are part of the report payload — when a recorded
+ * exchange flips a finding from `likely` → `confirmed` we want the UI
+ * to update even if the finding-id set hasn't changed.
+ */
+function hashReachability(deps) {
+    const parts = [];
+    for (const f of deps) {
+        const r = f.reachability;
+        if (!r)
+            continue;
+        parts.push(`${f.id}:${r.level}:${r.runtimeHits}`);
+    }
+    parts.sort();
+    return parts.join('|');
+}
+function scanStateHash(s) {
+    return [
+        s.audit,
+        s.missingLockfile ? '1' : '0',
+        s.auditError ?? '',
+        s.fix?.state ?? '',
+        s.fix?.targetId ?? '',
+    ].join('|');
+}
+/**
+ * Combine findings from `npm audit` and OSV, deduping by id. We trust
+ * npm audit's transitive `path` (it knows the lockfile) and OSV's
+ * severity/refs (richer than what npm reports). When both sources
+ * produce a finding for the same id, we merge.
+ */
+function reconcileDependencyFindings(fromNpm, fromOsv) {
+    const byId = new Map();
+    for (const f of fromNpm)
+        byId.set(f.id, { ...f });
+    for (const f of fromOsv) {
+        const existing = byId.get(f.id);
+        if (!existing) {
+            byId.set(f.id, f);
+            continue;
+        }
+        // Merge: keep npm's path (it knows the resolution graph), prefer
+        // OSV's references/summary/cvss (they're richer), and pick the
+        // higher severity to avoid silently downgrading anything.
+        byId.set(f.id, {
+            ...existing,
+            summary: f.summary || existing.summary,
+            references: dedupe([...existing.references, ...f.references]),
+            severity: pickHigherSeverity(existing.severity, f.severity),
+            cvss: f.cvss ?? existing.cvss,
+            fixedVersion: f.fixedVersion ?? existing.fixedVersion,
+        });
+    }
+    return [...byId.values()];
+}
+function pickHigherSeverity(a, b) {
+    const order = [
+        'INFO',
+        'LOW',
+        'MEDIUM',
+        'HIGH',
+        'CRITICAL',
+    ];
+    return order.indexOf(a) >= order.indexOf(b) ? a : b;
+}
+function dedupe(arr) {
+    return [...new Set(arr)];
+}
+/**
+ * Read the host's `package.json` and return a flat list of direct
+ * dependencies to query OSV for. We don't traverse `node_modules` here
+ * — npm audit already covers transitive vulns; querying OSV for every
+ * transitive dep would blow up the batch size and add latency for
+ * diminishing returns.
+ */
+function readInstalledPackages(cwd) {
+    const file = path.join(cwd, 'package.json');
+    if (!fs.existsSync(file))
+        return [];
+    try {
+        const raw = fs.readFileSync(file, 'utf-8');
+        const parsed = JSON.parse(raw);
+        const out = [];
+        for (const map of [parsed.dependencies, parsed.devDependencies]) {
+            if (!map)
+                continue;
+            for (const [name, version] of Object.entries(map)) {
+                out.push({ name, version: stripSemverPrefix(version) });
+            }
+        }
+        return out;
+    }
+    catch {
+        return [];
+    }
+}
+function stripSemverPrefix(version) {
+    return version.replace(/^[\^~>=<]+/, '').trim();
+}
+export { OsvCache } from './osv-cache.js';
+export { OsvClient } from './osv-client.js';
+export { runNpmAudit } from './npm-audit.js';
+export { analyzePosture } from './posture-analyzer.js';
+export { buildSecurityReport, hashFindingIds, emptyReport } from './score.js';
+export { LockfileGraph } from './lockfile-graph.js';
+export { enrichFindings as enrichFindingsWithFixes, buildFixGroups, } from './fix-resolver.js';
+export { buildReachabilitySnapshot, enrichWithReachability, } from './reachability.js';
+export { runFix, buildFixArgs } from './fix-runner.js';
+//# sourceMappingURL=index.js.map

package/dist/security/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAalC,OAAO,EACL,WAAW,GAEZ,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAqB,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EACL,mBAAmB,EACnB,WAAW,EACX,cAAc,GACf,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EACL,cAAc,EACd,cAAc,GACf,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,yBAAyB,EACzB,sBAAsB,GAEvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,YAAY,EACZ,MAAM,GAGP,MAAM,iBAAiB,CAAC;AAEzB,kFAAkF;AAClF,MAAM,mBAAmB,GAAG,IAAI,CAAC;AAwCjC,MAAM,OAAO,cAAc;IA2BI;IA1BZ,SAAS,CAAY;IACrB,QAAQ,CAAW;IAE5B,gBAAgB,GAAwB,EAAE,CAAC;IAC3C,aAAa,GAAe,EAAE,CAAC;IAC/B,mBAAmB,GAAsC,IAAI,GAAG,EAAE,CAAC;IACnE,YAAY,GAAyB,IAAI,CAAC;IAC1C,gBAAgB,GAAgC,IAAI,CAAC;IACrD,UAAU,CAAiB;IAC3B,QAAQ,GAAG,EAAE,CAAC;IACd,QAAQ,GAAkC,IAAI,CAAC;IAE/C,YAAY,GAAyC,IAAI,CAAC;IAClE;;;;OAIG;IACK,UAAU,GAAyC,SAAS,CAAC;IAC7D,UAAU,CAAqB;IAC/B,eAAe,GAAG,KAAK,CAAC;IACxB,aAAa,GAAyB,IAAI,CAAC;IACnD,2DAA2D;IACnD,QAAQ,GAAuC,SAAS,CAAC;IACzD,WAAW,GAAqC,IAAI,CAAC;IAE7D,YAA6B,IAAwB;QAAxB,SAAI,GAAJ,IAAI,CAAoB;QACnD,IAAI,CAAC,QAAQ,GAAG,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1C,IAAI,CAAC,SAAS,GAAG,IAAI,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9C,IAAI,CAAC,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,6EAA6E;IAC7E,QAAQ,CAAC,QAAgC;QACvC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED,uEAAuE;IACvE,SAAS;QACP,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,WAAW;QACf,IAAI,IAAI,CAAC,aAAa;YAAE,OAAO,IAAI,CAAC,aAAa,CAAC;QAElD,IAAI,CAAC,aAAa,GAAG,CAAC,KAAK,IAAI,EAAE;YAC/B,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;YAC5B,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;YAC5B,IAAI,CAAC,YAAY,EAAE,CAAC;YAEpB,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC/C,IAAI,CAAC,eAAe,GAAG,KAAK,CAAC,KAAK,KAAK,kBAAkB,CAAC;YAC1D,IAAI,CAAC,mBAAmB,GAAG,KAAK,CAAC,eAAe,CAAC;YAEjD,IAAI,KAAK,CAAC,KAAK,KAAK,OAAO,EAAE,CAAC;gBAC5B,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC;gBAC1B,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC;YAChC,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC;YAC3B,CAAC;YAED,IAAI,WAAW,GAAwB,EAAE,CAAC;YAC1C,IAAI,KAAK,CAAC,KAAK,KAAK,IAAI,EAAE,CAAC;gBACzB,IAAI,CAAC;oBACH,MAAM,QAAQ,GAAG,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;oBACtD,WAAW,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACtD,CAAC;gBAAC,MAAM,CAAC;oBACP,sEAAsE;gBACxE,CAAC;YACH,CAAC;YAED,kEAAkE;YAClE,mEAAmE;YACnE,+DAA+D;YAC/D,MAAM,UAAU,GAAG,2BAA2B,CAAC,KAAK,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;YAC5E,IAAI,CAAC,YAAY,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACtD,IAAI,CAAC,gBAAgB,GAAG,MAAM,yBAAyB,CACrD,IAAI,CAAC,IAAI,CAAC,GAAG,EACb,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CACzB,CAAC;YACF,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC;YAC5D,IAAI,CAAC,aAAa,GAAG,cAAc,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAE3D,IAAI,CAAC,cAAc,EAAE,CAAC;QACxB,CAAC,CAAC,EAAE,CAAC;QAEL,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,aAAa,CAAC;QAC3B,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;QAC5B,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,kBAAkB,CACxB,QAA6B;QAE7B,MAAM,OAAO,GAAG,cAAc,CAC5B,QAAQ,EACR,IAAI,CAAC,mBAAmB,EACxB,IAAI,CAAC,YAAY,CAClB,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,gBAAgB;YAAE,OAAO,OAAO,CAAC;QAC3C,OAAO,sBAAsB,CAC3B,OAAO,EACP,IAAI,CAAC,gBAAgB,EACrB,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CACzB,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,eAAe;QACb,IAAI,IAAI,CAAC,YAAY;YAAE,OAAO;QAC9B,IAAI,CAAC,YAAY,GAAG,UAAU,CAAC,GAAG,EAAE;YAClC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;YACzB,IAAI,CAAC,cAAc,EAAE,CAAC;QACxB,CAAC,EAAE,mBAAmB,CAAC,CAAC;IAC1B,CAAC;IAED,qEAAqE;IACrE,IAAI;QACF,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAChC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QAC3B,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;IACxB,CAAC;IAED;;;;;;;;OAQG;IACK,cAAc;QACpB,MAAM,OAAO,GAAqB,cAAc,CAAC;YAC/C,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE;YAC7B,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE;YACnC,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE;YACnC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE;SAC1B,CAAC,CAAC;QAEH,kEAAkE;QAClE,gEAAgE;QAChE,+DAA+D;QAC/D,mBAAmB;QACnB,IAAI,IAAI,CAAC,gBAAgB,IAAI,IAAI,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9D,IAAI,CAAC,gBAAgB,GAAG,sBAAsB,CAC5C,IAAI,CAAC,gBAAgB,EACrB,IAAI,CAAC,gBAAgB,EACrB,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CACzB,CAAC;YACF,kEAAkE;YAClE,0DAA0D;YAC1D,IAAI,CAAC,aAAa,GAAG,cAAc,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC7D,CAAC;QAED,MAAM,MAAM,GAAG,mBAAmB,CAAC;YACjC,YAAY,EAAE,IAAI,CAAC,gBAAgB;YACnC,OAAO;YACP,SAAS,EAAE,IAAI,CAAC,aAAa;YAC7B,SAAS,EAAE,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;SAC9C,CAAC,CAAC;QAEH,MAAM,QAAQ,GACZ,cAAc,CAAC,MAAM,CAAC;YACtB,GAAG;YACH,aAAa,CAAC,MAAM,CAAC,SAAS,CAAC;YAC/B,GAAG;YACH,gBAAgB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QACxC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC;QAEzB,IAAI,QAAQ,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC/B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;YACzB,IAAI,CAAC,QAAQ,EAAE,CAAC,MAAM,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,wFAAwF;IAChF,YAAY;QAClB,MAAM,MAAM,GAAG,mBAAmB,CAAC;YACjC,YAAY,EAAE,IAAI,CAAC,gBAAgB;YACnC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,OAAO;YAChC,SAAS,EAAE,IAAI,CAAC,aAAa;YAC7B,SAAS,EAAE,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,gBAAgB,CAAC;SAC9E,CAAC,CAAC;QACH,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC;QACzB,uDAAuD;QACvD,IAAI,CAAC,QAAQ;YACX,cAAc,CAAC,MAAM,CAAC;gBACtB,GAAG;gBACH,aAAa,CAAC,MAAM,CAAC,SAAS,CAAC;gBAC/B,GAAG;gBACH,gBAAgB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QACxC,IAAI,CAAC,QAAQ,EAAE,CAAC,MAAM,CAAC,CAAC;IAC1B,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,QAAQ,CACZ,KAAoB,EACpB,UAA+B;QAE/B,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,OAAO;gBACL,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,OAAO,EAAE,KAAK;gBACd,QAAQ,EAAE,IAAI;gBACd,UAAU,EAAE,CAAC;gBACb,OAAO,EAAE,EAAE;gBACX,OAAO,EAAE,8CAA8C;aACxD,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO;gBACL,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,OAAO,EAAE,KAAK;gBACd,QAAQ,EAAE,IAAI;gBACd,UAAU,EAAE,CAAC;gBACb,OAAO,EAAE,EAAE;gBACX,OAAO,EAAE,6CAA6C;aACvD,CAAC;QACJ,CAAC;QAED,MAAM,GAAG,GAAG,CAAC,KAAK,IAA+B,EAAE;YACjD,IAAI,CAAC,QAAQ,GAAG;gBACd,KAAK,EAAE,SAAS;gBAChB,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,OAAO,EAAE,MAAM,CAAC,MAAM;aACvB,CAAC;YACF,IAAI,CAAC,YAAY,EAAE,CAAC;YAEpB,MAAM,MAAM,GAAiB,MAAM,MAAM,CACvC;gBACE,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG;gBAClB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,QAAQ,EAAE,KAAK,CAAC,QAAQ;aACzB,EACD,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,CACf,UAAU,CAAC;gBACT,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,MAAM;gBACN,IAAI;gBACJ,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;aACtB,CAAC,CACL,CAAC;YAEF,MAAM,OAAO,GACX,MAAM,CAAC,KAAK,KAAK,SAAS;gBACxB,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,iBAAiB,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG;gBAC3E,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,YAAY,MAAM,CAAC,QAAQ,IAAI,cAAc,GAAG,CAAC;YAEvE,MAAM,QAAQ,GAAqB;gBACjC,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,OAAO,EAAE,MAAM,CAAC,KAAK,KAAK,SAAS;gBACnC,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,MAAM;gBACxC,OAAO;gBACP,SAAS,EACP,MAAM,CAAC,KAAK,KAAK,SAAS;oBACxB,CAAC,CAAC,SAAS;oBACX,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC;aACvE,CAAC;YAEF,IAAI,CAAC,QAAQ,GAAG;gBACd,KAAK,EAAE,MAAM,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO;gBACvD,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,MAAM;gBACxC,KAAK,EAAE,MAAM,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO;aACxD,CAAC;YAEF,8DAA8D;YAC9D,qEAAqE;YACrE,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;YAEzB,oEAAoE;YACpE,IAAI,CAAC,QAAQ,GAAG,SAAS,CAAC;YAC1B,IAAI,CAAC,YAAY,EAAE,CAAC;YACpB,OAAO,QAAQ,CAAC;QAClB,CAAC,CAAC,EAAE,CAAC;QAEL,IAAI,CAAC,WAAW,GAAG,GAAG,CAAC;QACvB,IAAI,CAAC;YACH,OAAO,MAAM,GAAG,CAAC;QACnB,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;QAC1B,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,gBAAgB,CAAC,KAAoB;QAM3C,MAAM,IAAI,GACR,KAAK,CAAC,UAAU,KAAK,WAAW;YAC9B,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,QAAQ,CAAC,EAAE,GAAG;YAC9D,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,QAAQ,CAAC,EAAE,GAAG,CAAC;QACtE,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,IAAI,IAAoB,CAAC;QACzB,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;YAClB,KAAK,SAAS;gBACZ,IAAI,GAAG,SAAS,CAAC;gBACjB,MAAM;YACR,KAAK,WAAW;gBACd,IAAI,GAAG,WAAW,CAAC;gBACnB,MAAM;YACR,KAAK,iBAAiB;gBACpB,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,iBAAiB,CAAC;gBAChE,MAAM;YACR,KAAK,UAAU,CAAC;YAChB,KAAK,MAAM;gBACT,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,iEAAiE;QACjE,IAAI,GAAuB,CAAC;QAC5B,IAAI,GAAuB,CAAC;QAC5B,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACvB,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;YAC9D,IAAI,CAAC,CAAC;gBAAE,OAAO,IAAI,CAAC;YACpB,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAClB,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;QAChD,CAAC;QACD,MAAM,IAAI,GAAG,YAAY,CAAC;YACxB,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG;YAClB,IAAI;YACJ,OAAO,EAAE,GAAG;YACZ,OAAO,EAAE,GAAG;YACZ,QAAQ,EAAE,KAAK,CAAC,QAAQ;SACzB,CAAC,CAAC;QACH,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IACnE,CAAC;IAEO,iBAAiB,CACvB,gBAAwB;QAExB,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,UAAU;YACtB,gBAAgB;YAChB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,eAAe,EAAE,IAAI,CAAC,eAAe,IAAI,SAAS;YAClD,GAAG,EAAE,IAAI,CAAC,QAAQ;SACnB,CAAC;IACJ,CAAC;CACF;AAED;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,IAAyB;IACjD,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,MAAM,CAAC,GAAG,CAAC,CAAC,YAAY,CAAC;QACzB,IAAI,CAAC,CAAC;YAAE,SAAS;QACjB,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IACpD,CAAC;IACD,KAAK,CAAC,IAAI,EAAE,CAAC;IACb,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,aAAa,CAAC,CAA8B;IACnD,OAAO;QACL,CAAC,CAAC,KAAK;QACP,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG;QAC7B,CAAC,CAAC,UAAU,IAAI,EAAE;QAClB,CAAC,CAAC,GAAG,EAAE,KAAK,IAAI,EAAE;QAClB,CAAC,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE;KACtB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,SAAS,2BAA2B,CAClC,OAA4B,EAC5B,OAA4B;IAE5B,MAAM,IAAI,GAAG,IAAI,GAAG,EAA6B,CAAC;IAClD,KAAK,MAAM,CAAC,IAAI,OAAO;QAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IAElD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAChC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;YAClB,SAAS;QACX,CAAC;QACD,iEAAiE;QACjE,+DAA+D;QAC/D,0DAA0D;QAC1D,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YACb,GAAG,QAAQ;YACX,OAAO,EAAE,CAAC,CAAC,OAAO,IAAI,QAAQ,CAAC,OAAO;YACtC,UAAU,EAAE,MAAM,CAAC,CAAC,GAAG,QAAQ,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC;YAC7D,QAAQ,EAAE,kBAAkB,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC;YAC3D,IAAI,EAAE,CAAC,CAAC,IAAI,IAAI,QAAQ,CAAC,IAAI;YAC7B,YAAY,EAAE,CAAC,CAAC,YAAY,IAAI,QAAQ,CAAC,YAAY;SACtD,CAAC,CAAC;IACL,CAAC;IAED,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;AAC5B,CAAC;AAED,SAAS,kBAAkB,CACzB,CAAgC,EAChC,CAAgC;IAEhC,MAAM,KAAK,GAAoC;QAC7C,MAAM;QACN,KAAK;QACL,QAAQ;QACR,MAAM;QACN,UAAU;KACX,CAAC;IACF,OAAO,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,MAAM,CAAI,GAAQ;IACzB,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;AAC3B,CAAC;AAED;;;;;;GAMG;AACH,SAAS,qBAAqB,CAAC,GAAW;IACxC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;IAC5C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAG5B,CAAC;QACF,MAAM,GAAG,GAAmB,EAAE,CAAC;QAC/B,KAAK,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC;YAChE,IAAI,CAAC,GAAG;gBAAE,SAAS;YACnB,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;gBAClD,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,iBAAiB,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YAC1D,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAe;IACxC,OAAO,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;AAClD,CAAC;AAED,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAC9E,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EACL,cAAc,IAAI,uBAAuB,EACzC,cAAc,GACf,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,yBAAyB,EACzB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}