@fourteensystems/prodcheck 0.3.0

package/dist/rules/rate-limit-missing.test.js

@@ -0,0 +1,381 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdirSync, writeFileSync, rmSync } from "node:fs";
+import path from "node:path";
+import { run } from "./rate-limit-missing.js";
+/* ------------------------------------------------------------------ */
+/*  Helpers                                                            */
+/* ------------------------------------------------------------------ */
+const NO_SIGNALS = {
+    hasMutationEvidence: false,
+    hasDbWriteEvidence: false,
+    hasStripeWriteEvidence: false,
+    mutationDetails: [],
+};
+const MUTATION_SIGNALS = {
+    hasMutationEvidence: true,
+    hasDbWriteEvidence: true,
+    hasStripeWriteEvidence: false,
+    mutationDetails: ["prisma.create"],
+};
+function protectionSummary(opts) {
+    return {
+        auth: {
+            satisfied: opts.authSatisfied ?? false,
+            enforced: opts.authEnforced ?? false,
+            sources: opts.authSatisfied ? ["direct"] : [],
+            details: [],
+            unverifiedWrappers: [],
+        },
+        rateLimit: {
+            satisfied: opts.rlSatisfied ?? false,
+            enforced: false,
+            sources: [],
+            details: [],
+            unverifiedWrappers: opts.unverifiedWrappers ?? [],
+        },
+    };
+}
+let tmpDir;
+beforeEach(() => {
+    tmpDir = path.join("/tmp", `prodcheck-rl-test-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+    mkdirSync(tmpDir, { recursive: true });
+});
+afterEach(() => {
+    rmSync(tmpDir, { recursive: true, force: true });
+});
+/** Create a route file on disk and return a NextRoute pointing to it */
+function createRoute(relPath, source, overrides = {}) {
+    const fullPath = path.join(tmpDir, relPath);
+    mkdirSync(path.dirname(fullPath), { recursive: true });
+    writeFileSync(fullPath, source);
+    const pathname = "/" + relPath
+        .replace(/\/route\.(ts|tsx|js|jsx)$/, "")
+        .replace(/^app\//, "");
+    return {
+        kind: "route-handler",
+        file: relPath,
+        isApi: pathname.startsWith("/api/") || pathname === "/api",
+        isPublic: true,
+        pathname,
+        signals: NO_SIGNALS,
+        protection: protectionSummary({}),
+        ...overrides,
+    };
+}
+function makeIndex(routes) {
+    return {
+        version: 1,
+        framework: "next-app-router",
+        rootDir: tmpDir,
+        deps: {
+            hasNextAuth: false, hasClerk: false, hasSupabase: false,
+            hasKinde: false, hasWorkOS: false, hasBetterAuth: false,
+            hasLucia: false, hasAuth0: false, hasIronSession: false,
+            hasFirebaseAuth: false, hasUpstashRatelimit: false, hasArcjet: false,
+            hasUnkey: false, hasPrisma: false, hasDrizzle: false, hasTrpc: false,
+        },
+        hints: {
+            auth: { functions: ["auth"], middlewareFiles: [], allowlistPaths: [] },
+            rateLimit: { wrappers: ["rateLimit"], allowlistPaths: [] },
+            tenancy: { orgFieldNames: [] },
+        },
+        middleware: { authLikely: false, rateLimitLikely: false, matcherPatterns: [] },
+        wrappers: { wrappers: new Map() },
+        routes: { all: routes, mutationRoutes: routes.filter(r => r.signals.hasMutationEvidence) },
+        serverActions: { all: [], mutationActions: [] },
+        trpc: { detected: false, procedures: [], mutationProcedures: [] },
+    };
+}
+function makeConfig(overrides = {}) {
+    return {
+        framework: "next-app-router",
+        include: ["app/**"],
+        exclude: [],
+        ci: { failOn: "critical", minConfidence: "high", minScore: 70, maxNewCritical: 0 },
+        scoring: { start: 100, penalties: { critical: 25, high: 10, med: 3, low: 1 } },
+        hints: {
+            auth: { functions: ["auth"], middlewareFiles: [], allowlistPaths: [] },
+            rateLimit: { wrappers: ["rateLimit"], allowlistPaths: [] },
+            tenancy: { orgFieldNames: [] },
+        },
+        rules: { "RATE-LIMIT-MISSING": { severity: "critical" } },
+        waiversFile: "prodcheck.waivers.json",
+        ...overrides,
+    };
+}
+const BASIC_HANDLER = `export async function GET(request: Request) { return Response.json({ ok: true }); }`;
+const MUTATION_HANDLER = `export async function POST(request: Request) {
+  const body = await request.json();
+  await prisma.user.create({ data: body });
+  return Response.json({ ok: true });
+}`;
+const BODY_HANDLER = `export async function POST(request: Request) {
+  const body = await request.json();
+  return Response.json({ received: true });
+}`;
+/* ------------------------------------------------------------------ */
+/*  Framework-managed exemptions                                       */
+/* ------------------------------------------------------------------ */
+describe("framework-managed route exemptions", () => {
+    const config = makeConfig();
+    it("exempts NextAuth catch-all route", () => {
+        const route = createRoute("app/api/auth/[...nextauth]/route.ts", BASIC_HANDLER);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts NextAuth with different param name", () => {
+        const route = createRoute("app/api/auth/[...params]/route.ts", BASIC_HANDLER);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts OAuth token endpoint", () => {
+        const route = createRoute("app/api/oauth/token/route.ts", BASIC_HANDLER);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts SAML callback route", () => {
+        const route = createRoute("app/api/auth/saml/callback/route.ts", BASIC_HANDLER);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts callback routes from external services", () => {
+        const route = createRoute("app/api/callback/stripe/route.ts", BASIC_HANDLER);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts nested callback routes", () => {
+        const route = createRoute("app/api/slack/callback/route.ts", BASIC_HANDLER, {
+            pathname: "/api/slack/callback",
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts OG image routes", () => {
+        const route = createRoute("app/api/og/analytics/route.tsx", BASIC_HANDLER);
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts terminal OG path", () => {
+        const route = createRoute("app/api/og/route.tsx", BASIC_HANDLER, {
+            pathname: "/api/og",
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("does NOT exempt regular API routes", () => {
+        const route = createRoute("app/api/users/route.ts", BASIC_HANDLER);
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  Improved webhook detection                                         */
+/* ------------------------------------------------------------------ */
+describe("webhook path detection", () => {
+    const config = makeConfig();
+    it("exempts /webhook path", () => {
+        const route = createRoute("app/api/webhook/route.ts", BASIC_HANDLER, {
+            pathname: "/api/webhook",
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts compound webhook path like /stripe-webhook", () => {
+        const route = createRoute("app/api/billing/stripe-webhook/route.ts", BASIC_HANDLER, {
+            pathname: "/api/billing/stripe-webhook",
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts /webhooks/stripe nested path", () => {
+        const route = createRoute("app/api/webhooks/stripe/route.ts", BASIC_HANDLER, {
+            pathname: "/api/webhooks/stripe",
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  Existing exemptions still work                                     */
+/* ------------------------------------------------------------------ */
+describe("existing exemptions", () => {
+    const config = makeConfig();
+    it("exempts health check routes", () => {
+        const route = createRoute("app/api/health/route.ts", BASIC_HANDLER, {
+            pathname: "/api/health",
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("exempts cron routes", () => {
+        const route = createRoute("app/api/cron/daily/route.ts", BASIC_HANDLER, {
+            pathname: "/api/cron/daily",
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("skips non-API routes", () => {
+        const route = createRoute("app/dashboard/route.ts", BASIC_HANDLER, {
+            pathname: "/dashboard",
+            isApi: false,
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("skips routes with rate-limit protection satisfied", () => {
+        const route = createRoute("app/api/users/route.ts", BASIC_HANDLER, {
+            protection: protectionSummary({ rlSatisfied: true }),
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("defers to WRAPPER-UNRECOGNIZED for unverified wrappers", () => {
+        const route = createRoute("app/api/users/route.ts", BASIC_HANDLER, {
+            protection: protectionSummary({ unverifiedWrappers: ["withCustom"] }),
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  Auth-aware severity: public routes (unchanged behavior)            */
+/* ------------------------------------------------------------------ */
+describe("severity: public routes (no auth)", () => {
+    const config = makeConfig();
+    it("public mutation route → critical/high", () => {
+        const route = createRoute("app/api/users/route.ts", MUTATION_HANDLER, {
+            signals: MUTATION_SIGNALS,
+            protection: protectionSummary({ authSatisfied: false }),
+        });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        expect(findings[0].severity).toBe("critical");
+        expect(findings[0].confidence).toBe("high");
+    });
+    it("public body-parsing route → high/high", () => {
+        const route = createRoute("app/api/upload/route.ts", BODY_HANDLER, {
+            protection: protectionSummary({ authSatisfied: false }),
+        });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        expect(findings[0].severity).toBe("high");
+        expect(findings[0].confidence).toBe("high");
+    });
+    it("public GET-only route → med/med", () => {
+        const route = createRoute("app/api/data/route.ts", BASIC_HANDLER, {
+            protection: protectionSummary({ authSatisfied: false }),
+        });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        expect(findings[0].severity).toBe("med");
+        expect(findings[0].confidence).toBe("med");
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  Authenticated routes: no RL findings emitted                       */
+/* ------------------------------------------------------------------ */
+describe("authenticated routes suppressed", () => {
+    const config = makeConfig();
+    it("strongly authed mutation route → no finding", () => {
+        const route = createRoute("app/api/users/route.ts", MUTATION_HANDLER, {
+            signals: MUTATION_SIGNALS,
+            protection: protectionSummary({ authSatisfied: true, authEnforced: true }),
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("strongly authed body-parsing route → no finding", () => {
+        const route = createRoute("app/api/upload/route.ts", BODY_HANDLER, {
+            protection: protectionSummary({ authSatisfied: true, authEnforced: true }),
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("strongly authed GET-only route → no finding", () => {
+        const route = createRoute("app/api/data/route.ts", BASIC_HANDLER, {
+            protection: protectionSummary({ authSatisfied: true, authEnforced: true }),
+        });
+        expect(run(makeIndex([route]), config)).toHaveLength(0);
+    });
+    it("weakly authed route (satisfied but not enforced) → still emits finding", () => {
+        const route = createRoute("app/api/data/route.ts", MUTATION_HANDLER, {
+            signals: MUTATION_SIGNALS,
+            protection: protectionSummary({ authSatisfied: true, authEnforced: false }),
+        });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        expect(findings[0].severity).toBe("critical");
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  Severity cap                                                       */
+/* ------------------------------------------------------------------ */
+describe("severity cap", () => {
+    it("caps severity at rule max from config", () => {
+        const config = makeConfig({
+            rules: { "RATE-LIMIT-MISSING": { severity: "high" } },
+        });
+        const route = createRoute("app/api/users/route.ts", MUTATION_HANDLER, {
+            signals: MUTATION_SIGNALS,
+            protection: protectionSummary({ authSatisfied: false }),
+        });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        // Would be critical but capped to high
+        expect(findings[0].severity).toBe("high");
+    });
+});
+/* ------------------------------------------------------------------ */
+/*  public-intent severity floor + SSRF escalation                     */
+/* ------------------------------------------------------------------ */
+describe("public-intent", () => {
+    const config = makeConfig();
+    it("floors RL severity to HIGH for GET-only public-intent route", () => {
+        const route = createRoute("app/api/status/route.ts", BASIC_HANDLER, {
+            protection: protectionSummary({ authSatisfied: false }),
+            publicIntent: { reason: "Public status page", line: 1 },
+        });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        // Would be med for GET-only, but floored to high by public-intent
+        expect(findings[0].severity).toBe("high");
+        expect(findings[0].confidence).toBe("high");
+        expect(findings[0].tags).toContain("public-intent");
+        expect(findings[0].evidence).toContain('public-intent: "Public status page"');
+    });
+    it("escalates to CRITICAL when outbound fetch + user-influenced URL detected", () => {
+        const route = createRoute("app/api/proxy/route.ts", `
+export async function GET(request: Request) {
+  const url = new URL(request.url).searchParams.get("target");
+  const response = await fetch(url);
+  return Response.json(await response.json());
+}
+`, {
+            protection: protectionSummary({ authSatisfied: false }),
+            publicIntent: { reason: "Public URL checker", line: 1 },
+        });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        expect(findings[0].severity).toBe("critical");
+        expect(findings[0].tags).toContain("ssrf-surface");
+        expect(findings[0].tags).toContain("outbound-fetch");
+    });
+    it("does NOT floor severity when publicIntent is missing (malformed directive)", () => {
+        const route = createRoute("app/api/data/route.ts", BASIC_HANDLER, {
+            protection: protectionSummary({ authSatisfied: false }),
+            malformedPublicIntent: { line: 1, raw: "// prodcheck:public-intent" },
+        });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        // Normal GET-only severity, no floor
+        expect(findings[0].severity).toBe("med");
+        expect(findings[0].tags).not.toContain("public-intent");
+    });
+    it("message says 'Intentionally public' for public-intent routes", () => {
+        const route = createRoute("app/api/check/route.ts", BASIC_HANDLER, {
+            protection: protectionSummary({ authSatisfied: false }),
+            publicIntent: { reason: "Intentional", line: 1 },
+        });
+        const findings = run(makeIndex([route]), config);
+        expect(findings[0].message).toContain("Intentionally public");
+    });
+    it("does NOT escalate to CRITICAL for fetch with hardcoded URL", () => {
+        const route = createRoute("app/api/external/route.ts", `
+export async function GET(request: Request) {
+  const response = await fetch("https://api.example.com/health");
+  return Response.json(await response.json());
+}
+`, {
+            protection: protectionSummary({ authSatisfied: false }),
+            publicIntent: { reason: "Health aggregator", line: 1 },
+        });
+        const findings = run(makeIndex([route]), config);
+        expect(findings).toHaveLength(1);
+        // Floored to high, but NOT critical (no user-influenced URL)
+        expect(findings[0].severity).toBe("high");
+        expect(findings[0].tags).not.toContain("ssrf-surface");
+    });
+});
+//# sourceMappingURL=rate-limit-missing.test.js.map

package/dist/rules/rate-limit-missing.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit-missing.test.js","sourceRoot":"","sources":["../../src/rules/rate-limit-missing.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAC3D,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,GAAG,EAAW,MAAM,yBAAyB,CAAC;AAIvD,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,MAAM,UAAU,GAAG;IACjB,mBAAmB,EAAE,KAAK;IAC1B,kBAAkB,EAAE,KAAK;IACzB,sBAAsB,EAAE,KAAK;IAC7B,eAAe,EAAE,EAAc;CAChC,CAAC;AAEF,MAAM,gBAAgB,GAAG;IACvB,mBAAmB,EAAE,IAAI;IACzB,kBAAkB,EAAE,IAAI;IACxB,sBAAsB,EAAE,KAAK;IAC7B,eAAe,EAAE,CAAC,eAAe,CAAC;CACnC,CAAC;AAEF,SAAS,iBAAiB,CAAC,IAK1B;IACC,OAAO;QACL,IAAI,EAAE;YACJ,SAAS,EAAE,IAAI,CAAC,aAAa,IAAI,KAAK;YACtC,QAAQ,EAAE,IAAI,CAAC,YAAY,IAAI,KAAK;YACpC,OAAO,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE;YAC7C,OAAO,EAAE,EAAE;YACX,kBAAkB,EAAE,EAAE;SACvB;QACD,SAAS,EAAE;YACT,SAAS,EAAE,IAAI,CAAC,WAAW,IAAI,KAAK;YACpC,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,EAAE;YACX,OAAO,EAAE,EAAE;YACX,kBAAkB,EAAE,IAAI,CAAC,kBAAkB,IAAI,EAAE;SAClD;KACF,CAAC;AACJ,CAAC;AAED,IAAI,MAAc,CAAC;AAEnB,UAAU,CAAC,GAAG,EAAE;IACd,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,qBAAqB,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACrG,SAAS,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AACzC,CAAC,CAAC,CAAC;AAEH,SAAS,CAAC,GAAG,EAAE;IACb,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AACnD,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,SAAS,WAAW,CAClB,OAAe,EACf,MAAc,EACd,YAAgC,EAAE;IAElC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC5C,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,aAAa,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAEhC,MAAM,QAAQ,GAAG,GAAG,GAAG,OAAO;SAC3B,OAAO,CAAC,2BAA2B,EAAE,EAAE,CAAC;SACxC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IAEzB,OAAO;QACL,IAAI,EAAE,eAAe;QACrB,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,QAAQ,KAAK,MAAM;QAC1D,QAAQ,EAAE,IAAI;QACd,QAAQ;QACR,OAAO,EAAE,UAAU;QACnB,UAAU,EAAE,iBAAiB,CAAC,EAAE,CAAC;QACjC,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,MAAmB;IACpC,OAAO;QACL,OAAO,EAAE,CAAC;QACV,SAAS,EAAE,iBAAiB;QAC5B,OAAO,EAAE,MAAM;QACf,IAAI,EAAE;YACJ,WAAW,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK;YACvD,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,aAAa,EAAE,KAAK;YACvD,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,cAAc,EAAE,KAAK;YACvD,eAAe,EAAE,KAAK,EAAE,mBAAmB,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK;YACpE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK;SACrE;QACD,KAAK,EAAE;YACL,IAAI,EAAE,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE;YACtE,SAAS,EAAE,EAAE,QAAQ,EAAE,CAAC,WAAW,CAAC,EAAE,cAAc,EAAE,EAAE,EAAE;YAC1D,OAAO,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE;SAC/B;QACD,UAAU,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE,EAAE;QAC9E,QAAQ,EAAE,EAAE,QAAQ,EAAE,IAAI,GAAG,EAAE,EAAE;QACjC,MAAM,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,EAAE;QAC1F,aAAa,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE;QAC/C,IAAI,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,kBAAkB,EAAE,EAAE,EAAE;KAClE,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,YAAsC,EAAE;IAC1D,OAAO;QACL,SAAS,EAAE,iBAAiB;QAC5B,OAAO,EAAE,CAAC,QAAQ,CAAC;QACnB,OAAO,EAAE,EAAE;QACX,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC,EAAE;QAClF,OAAO,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE;QAC9E,KAAK,EAAE;YACL,IAAI,EAAE,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,cAAc,EAAE,EAAE,EAAE;YACtE,SAAS,EAAE,EAAE,QAAQ,EAAE,CAAC,WAAW,CAAC,EAAE,cAAc,EAAE,EAAE,EAAE;YAC1D,OAAO,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE;SAC/B;QACD,KAAK,EAAE,EAAE,oBAAoB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE;QACzD,WAAW,EAAE,wBAAwB;QACrC,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,MAAM,aAAa,GAAG,qFAAqF,CAAC;AAC5G,MAAM,gBAAgB,GAAG;;;;EAIvB,CAAC;AACH,MAAM,YAAY,GAAG;;;EAGnB,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,oCAAoC,EAAE,GAAG,EAAE;IAClD,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAE5B,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,KAAK,GAAG,WAAW,CAAC,qCAAqC,EAAE,aAAa,CAAC,CAAC;QAChF,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,KAAK,GAAG,WAAW,CAAC,mCAAmC,EAAE,aAAa,CAAC,CAAC;QAC9E,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,KAAK,GAAG,WAAW,CAAC,8BAA8B,EAAE,aAAa,CAAC,CAAC;QACzE,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,KAAK,GAAG,WAAW,CAAC,qCAAqC,EAAE,aAAa,CAAC,CAAC;QAChF,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,KAAK,GAAG,WAAW,CAAC,kCAAkC,EAAE,aAAa,CAAC,CAAC;QAC7E,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,KAAK,GAAG,WAAW,CAAC,iCAAiC,EAAE,aAAa,EAAE;YAC1E,QAAQ,EAAE,qBAAqB;SAChC,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,KAAK,GAAG,WAAW,CAAC,gCAAgC,EAAE,aAAa,CAAC,CAAC;QAC3E,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,MAAM,KAAK,GAAG,WAAW,CAAC,sBAAsB,EAAE,aAAa,EAAE;YAC/D,QAAQ,EAAE,SAAS;SACpB,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE,aAAa,CAAC,CAAC;QACnE,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;IACtC,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAE5B,EAAE,CAAC,uBAAuB,EAAE,GAAG,EAAE;QAC/B,MAAM,KAAK,GAAG,WAAW,CAAC,0BAA0B,EAAE,aAAa,EAAE;YACnE,QAAQ,EAAE,cAAc;SACzB,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,KAAK,GAAG,WAAW,CAAC,yCAAyC,EAAE,aAAa,EAAE;YAClF,QAAQ,EAAE,6BAA6B;SACxC,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,KAAK,GAAG,WAAW,CAAC,kCAAkC,EAAE,aAAa,EAAE;YAC3E,QAAQ,EAAE,sBAAsB;SACjC,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAE5B,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,KAAK,GAAG,WAAW,CAAC,yBAAyB,EAAE,aAAa,EAAE;YAClE,QAAQ,EAAE,aAAa;SACxB,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE;QAC7B,MAAM,KAAK,GAAG,WAAW,CAAC,6BAA6B,EAAE,aAAa,EAAE;YACtE,QAAQ,EAAE,iBAAiB;SAC5B,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE;QAC9B,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE,aAAa,EAAE;YACjE,QAAQ,EAAE,YAAY;YACtB,KAAK,EAAE,KAAK;SACb,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE,aAAa,EAAE;YACjE,UAAU,EAAE,iBAAiB,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;SACrD,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE,aAAa,EAAE;YACjE,UAAU,EAAE,iBAAiB,CAAC,EAAE,kBAAkB,EAAE,CAAC,YAAY,CAAC,EAAE,CAAC;SACtE,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,mCAAmC,EAAE,GAAG,EAAE;IACjD,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAE5B,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE,gBAAgB,EAAE;YACpE,OAAO,EAAE,gBAAgB;YACzB,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;SACxD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC9C,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,KAAK,GAAG,WAAW,CAAC,yBAAyB,EAAE,YAAY,EAAE;YACjE,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;SACxD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,KAAK,GAAG,WAAW,CAAC,uBAAuB,EAAE,aAAa,EAAE;YAChE,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;SACxD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,iCAAiC,EAAE,GAAG,EAAE;IAC/C,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAE5B,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE,gBAAgB,EAAE;YACpE,OAAO,EAAE,gBAAgB;YACzB,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;SAC3E,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,KAAK,GAAG,WAAW,CAAC,yBAAyB,EAAE,YAAY,EAAE;YACjE,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;SAC3E,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,KAAK,GAAG,WAAW,CAAC,uBAAuB,EAAE,aAAa,EAAE;YAChE,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;SAC3E,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wEAAwE,EAAE,GAAG,EAAE;QAChF,MAAM,KAAK,GAAG,WAAW,CAAC,uBAAuB,EAAE,gBAAgB,EAAE;YACnE,OAAO,EAAE,gBAAgB;YACzB,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;SAC5E,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,MAAM,GAAG,UAAU,CAAC;YACxB,KAAK,EAAE,EAAE,oBAAoB,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE;SACtD,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE,gBAAgB,EAAE;YACpE,OAAO,EAAE,gBAAgB;YACzB,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;SACxD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,uCAAuC;QACvC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AAExE,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAE5B,EAAE,CAAC,6DAA6D,EAAE,GAAG,EAAE;QACrE,MAAM,KAAK,GAAG,WAAW,CAAC,yBAAyB,EAAE,aAAa,EAAE;YAClE,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;YACvD,YAAY,EAAE,EAAE,MAAM,EAAE,oBAAoB,EAAE,IAAI,EAAE,CAAC,EAAE;SACxD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,kEAAkE;QAClE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QACpD,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,qCAAqC,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0EAA0E,EAAE,GAAG,EAAE;QAClF,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE;;;;;;CAMvD,EAAE;YACG,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;YACvD,YAAY,EAAE,EAAE,MAAM,EAAE,oBAAoB,EAAE,IAAI,EAAE,CAAC,EAAE;SACxD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC9C,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;QACnD,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4EAA4E,EAAE,GAAG,EAAE;QACpF,MAAM,KAAK,GAAG,WAAW,CAAC,uBAAuB,EAAE,aAAa,EAAE;YAChE,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;YACvD,qBAAqB,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,4BAA4B,EAAE;SACtE,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,qCAAqC;QACrC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,KAAK,GAAG,WAAW,CAAC,wBAAwB,EAAE,aAAa,EAAE;YACjE,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;YACvD,YAAY,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,EAAE;SACjD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,KAAK,GAAG,WAAW,CAAC,2BAA2B,EAAE;;;;;CAK1D,EAAE;YACG,UAAU,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;YACvD,YAAY,EAAE,EAAE,MAAM,EAAE,mBAAmB,EAAE,IAAI,EAAE,CAAC,EAAE;SACvD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACjD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,6DAA6D;QAC7D,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/rules/tenancy-scope-missing.d.ts

@@ -0,0 +1,5 @@
+import type { NextIndex } from "../next/types.js";
+import type { Finding, ProdcheckConfig } from "../engine/types.js";
+export declare const RULE_ID = "TENANCY-SCOPE-MISSING";
+export declare function run(index: NextIndex, config: ProdcheckConfig): Finding[];
+//# sourceMappingURL=tenancy-scope-missing.d.ts.map

package/dist/rules/tenancy-scope-missing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenancy-scope-missing.d.ts","sourceRoot":"","sources":["../../src/rules/tenancy-scope-missing.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAGnE,eAAO,MAAM,OAAO,0BAA0B,CAAC;AAY/C,wBAAgB,GAAG,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,eAAe,GAAG,OAAO,EAAE,CAkDxE"}

package/dist/rules/tenancy-scope-missing.js

@@ -0,0 +1,149 @@
+import { readFileSync } from "node:fs";
+import path from "node:path";
+import fg from "fast-glob";
+export const RULE_ID = "TENANCY-SCOPE-MISSING";
+/**
+ * Prisma methods that modify or read data and should be tenant-scoped.
+ */
+const PRISMA_SCOPED_METHODS = [
+    "findUnique", "findFirst", "findMany",
+    "update", "updateMany",
+    "delete", "deleteMany",
+    "upsert",
+];
+export function run(index, config) {
+    // Only run if the repo uses Prisma
+    if (!index.deps.hasPrisma)
+        return [];
+    // Only run if we can confirm the repo has tenant fields
+    const orgFields = config.hints.tenancy.orgFieldNames;
+    if (!repoHasTenancy(index.rootDir))
+        return [];
+    const findings = [];
+    const severity = config.rules[RULE_ID]?.severity ?? "critical";
+    // Check for Prisma middleware that enforces tenancy globally
+    if (hasPrismaMiddlewareScoping(index.rootDir, orgFields)) {
+        // If middleware handles it, skip — or add a low-confidence informational finding
+        return [];
+    }
+    // Scan all files in include paths for Prisma calls
+    const files = fg.globSync(config.include, {
+        cwd: index.rootDir,
+        ignore: ["**/node_modules/**", ...config.exclude],
+    });
+    for (const file of files) {
+        const src = readSource(index.rootDir, file);
+        if (!src)
+            continue;
+        const unscopedCalls = findUnscopedPrismaCalls(src, orgFields);
+        for (const call of unscopedCalls) {
+            findings.push({
+                ruleId: RULE_ID,
+                severity,
+                confidence: call.confidence,
+                confidenceRationale: call.confidenceRationale,
+                message: `Prisma ${call.method}() call may lack tenant scoping`,
+                file,
+                line: call.line,
+                snippet: call.snippet,
+                evidence: call.evidence,
+                remediation: [
+                    `Add ${orgFields[0] ?? "orgId"} to the where clause`,
+                    "Use a tenant-aware repository helper or Prisma extension",
+                    "If tenancy is enforced via Prisma middleware or RLS, add a waiver",
+                ],
+                tags: ["tenancy", "prisma"],
+            });
+        }
+    }
+    return findings;
+}
+function findUnscopedPrismaCalls(src, orgFields) {
+    const results = [];
+    const lines = src.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const method of PRISMA_SCOPED_METHODS) {
+            const pattern = new RegExp(`\\.(${method})\\s*\\(`);
+            const match = pattern.exec(line);
+            if (!match)
+                continue;
+            // Look at surrounding context (current line + next 10 lines) for the where clause
+            const context = lines.slice(i, Math.min(i + 15, lines.length)).join("\n");
+            // Check if any org field appears in the where clause context
+            const hasOrgField = orgFields.some((field) => {
+                const fieldPattern = new RegExp(`\\b${field}\\b`);
+                return fieldPattern.test(context);
+            });
+            if (hasOrgField)
+                continue; // Scoped — skip
+            // Determine confidence
+            const evidence = [`prisma.*.${method}() without ${orgFields.join("/")} in where clause`];
+            let confidence;
+            let confidenceRationale;
+            if (method === "delete" || method === "deleteMany" || method === "update" || method === "updateMany") {
+                confidence = "high";
+                confidenceRationale = `High: ${method}() is a write operation without tenant scoping field in where clause`;
+                evidence.push("write operation without tenant scoping is high risk");
+            }
+            else {
+                confidence = "med";
+                confidenceRationale = `Medium: ${method}() is a read without tenant scoping (could be intentional for admin views)`;
+            }
+            const snippet = line.trim().slice(0, 120);
+            results.push({
+                method,
+                line: i + 1,
+                confidence,
+                confidenceRationale,
+                snippet,
+                evidence,
+            });
+        }
+    }
+    return results;
+}
+/**
+ * Check if the Prisma schema or codebase has evidence of multi-tenancy.
+ */
+function repoHasTenancy(rootDir) {
+    // Check Prisma schema for tenant fields
+    const schemaFiles = fg.globSync("prisma/schema.prisma", { cwd: rootDir });
+    if (schemaFiles.length > 0) {
+        const schema = readSource(rootDir, schemaFiles[0]);
+        if (schema && /orgId|tenantId|workspaceId|organizationId/i.test(schema)) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Check if Prisma middleware enforces tenancy globally.
+ */
+function hasPrismaMiddlewareScoping(rootDir, orgFields) {
+    // Look for Prisma middleware or extension files
+    const candidates = fg.globSync(["**/prisma/**/*.{ts,js}", "**/lib/prisma*.{ts,js}", "**/db*.{ts,js}"], { cwd: rootDir, ignore: ["**/node_modules/**"] });
+    for (const file of candidates) {
+        const src = readSource(rootDir, file);
+        if (!src)
+            continue;
+        // Look for $use() middleware or $extends() with query extensions
+        const hasMiddleware = /\$use\s*\(/.test(src) || /\$extends\s*\(/.test(src);
+        if (!hasMiddleware)
+            continue;
+        // Check if it references org fields
+        const hasOrgFieldRef = orgFields.some((f) => src.includes(f));
+        if (hasOrgFieldRef)
+            return true;
+    }
+    return false;
+}
+function readSource(rootDir, file) {
+    try {
+        return readFileSync(path.join(rootDir, file), "utf8");
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=tenancy-scope-missing.js.map

package/dist/rules/tenancy-scope-missing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenancy-scope-missing.js","sourceRoot":"","sources":["../../src/rules/tenancy-scope-missing.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,WAAW,CAAC;AAK3B,MAAM,CAAC,MAAM,OAAO,GAAG,uBAAuB,CAAC;AAE/C;;GAEG;AACH,MAAM,qBAAqB,GAAG;IAC5B,YAAY,EAAE,WAAW,EAAE,UAAU;IACrC,QAAQ,EAAE,YAAY;IACtB,QAAQ,EAAE,YAAY;IACtB,QAAQ;CACT,CAAC;AAEF,MAAM,UAAU,GAAG,CAAC,KAAgB,EAAE,MAAuB;IAC3D,mCAAmC;IACnC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,CAAC;IAErC,wDAAwD;IACxD,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC;IACrD,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,CAAC;IAE9C,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,QAAQ,IAAI,UAAU,CAAC;IAE/D,6DAA6D;IAC7D,IAAI,0BAA0B,CAAC,KAAK,CAAC,OAAO,EAAE,SAAS,CAAC,EAAE,CAAC;QACzD,iFAAiF;QACjF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,mDAAmD;IACnD,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,EAAE;QACxC,GAAG,EAAE,KAAK,CAAC,OAAO;QAClB,MAAM,EAAE,CAAC,oBAAoB,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC;KAClD,CAAC,CAAC;IAEH,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAC5C,IAAI,CAAC,GAAG;YAAE,SAAS;QAEnB,MAAM,aAAa,GAAG,uBAAuB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QAC9D,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;YACjC,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,OAAO;gBACf,QAAQ;gBACR,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;gBAC7C,OAAO,EAAE,UAAU,IAAI,CAAC,MAAM,iCAAiC;gBAC/D,IAAI;gBACJ,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,WAAW,EAAE;oBACX,OAAO,SAAS,CAAC,CAAC,CAAC,IAAI,OAAO,sBAAsB;oBACpD,0DAA0D;oBAC1D,mEAAmE;iBACpE;gBACD,IAAI,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC;aAC5B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAWD,SAAS,uBAAuB,CAC9B,GAAW,EACX,SAAmB;IAEnB,MAAM,OAAO,GAAmB,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,KAAK,MAAM,MAAM,IAAI,qBAAqB,EAAE,CAAC;YAC3C,MAAM,OAAO,GAAG,IAAI,MAAM,CAAC,OAAO,MAAM,UAAU,CAAC,CAAC;YACpD,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,CAAC,KAAK;gBAAE,SAAS;YAErB,kFAAkF;YAClF,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAE1E,6DAA6D;YAC7D,MAAM,WAAW,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;gBAC3C,MAAM,YAAY,GAAG,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK,CAAC,CAAC;gBAClD,OAAO,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACpC,CAAC,CAAC,CAAC;YAEH,IAAI,WAAW;gBAAE,SAAS,CAAC,gBAAgB;YAE3C,uBAAuB;YACvB,MAAM,QAAQ,GAAa,CAAC,YAAY,MAAM,cAAc,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;YACnG,IAAI,UAAsB,CAAC;YAC3B,IAAI,mBAA2B,CAAC;YAEhC,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,YAAY,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;gBACrG,UAAU,GAAG,MAAM,CAAC;gBACpB,mBAAmB,GAAG,SAAS,MAAM,sEAAsE,CAAC;gBAC5G,QAAQ,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;YACvE,CAAC;iBAAM,CAAC;gBACN,UAAU,GAAG,KAAK,CAAC;gBACnB,mBAAmB,GAAG,WAAW,MAAM,4EAA4E,CAAC;YACtH,CAAC;YAED,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAE1C,OAAO,CAAC,IAAI,CAAC;gBACX,MAAM;gBACN,IAAI,EAAE,CAAC,GAAG,CAAC;gBACX,UAAU;gBACV,mBAAmB;gBACnB,OAAO;gBACP,QAAQ;aACT,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,OAAe;IACrC,wCAAwC;IACxC,MAAM,WAAW,GAAG,EAAE,CAAC,QAAQ,CAAC,sBAAsB,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IAC1E,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,UAAU,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;QACnD,IAAI,MAAM,IAAI,4CAA4C,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YACxE,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,0BAA0B,CAAC,OAAe,EAAE,SAAmB;IACtE,gDAAgD;IAChD,MAAM,UAAU,GAAG,EAAE,CAAC,QAAQ,CAC5B,CAAC,wBAAwB,EAAE,wBAAwB,EAAE,gBAAgB,CAAC,EACtE,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,oBAAoB,CAAC,EAAE,CACjD,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACtC,IAAI,CAAC,GAAG;YAAE,SAAS;QAEnB,iEAAiE;QACjE,MAAM,aAAa,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3E,IAAI,CAAC,aAAa;YAAE,SAAS;QAE7B,oCAAoC;QACpC,MAAM,cAAc,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9D,IAAI,cAAc;YAAE,OAAO,IAAI,CAAC;IAClC,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,UAAU,CAAC,OAAe,EAAE,IAAY;IAC/C,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/rules/wrapper-unrecognized.d.ts

@@ -0,0 +1,5 @@
+import type { NextIndex } from "../next/types.js";
+import type { Finding, ProdcheckConfig } from "../engine/types.js";
+export declare const RULE_ID = "WRAPPER-UNRECOGNIZED";
+export declare function run(index: NextIndex, config: ProdcheckConfig): Finding[];
+//# sourceMappingURL=wrapper-unrecognized.d.ts.map

package/dist/rules/wrapper-unrecognized.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wrapper-unrecognized.d.ts","sourceRoot":"","sources":["../../src/rules/wrapper-unrecognized.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAGnE,eAAO,MAAM,OAAO,yBAAyB,CAAC;AAU9C,wBAAgB,GAAG,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,eAAe,GAAG,OAAO,EAAE,CAoFxE"}