@kevinrabun/judges 3.23.10 → 3.23.13

package/dist/evaluators/security.js

@@ -0,0 +1,529 @@
+import { getLangFamily, testCode } from "./shared.js";
+/**
+ * General Security Posture evaluator.
+ *
+ * Produces SEC-prefixed findings for broad security anti-patterns:
+ * insecure data flows, weak cryptography, missing security controls,
+ * and unsafe code patterns across all supported languages.
+ *
+ * Complements domain-specific judges (CYBER, AUTH, DATA) by providing
+ * a holistic security assessment.
+ */
+export function analyzeSecurity(code, language) {
+    const findings = [];
+    let ruleNum = 1;
+    const prefix = "SEC";
+    const lang = getLangFamily(language);
+    const lines = code.split("\n");
+    // ── SEC-001: Untrusted input in database query construction ────────────
+    // Broad pattern: SQL keywords + string interpolation/concatenation
+    {
+        const sqlDataFlowLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            // Require 2+ SQL keywords on the same line to avoid matching UI labels
+            // like "Select ${user.name}" which contain a single SQL keyword.
+            const sqlKeywords = line.match(/\b(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|SET|VALUES|INTO|JOIN|ORDER\s+BY|GROUP\s+BY)\b/gi) || [];
+            if (sqlKeywords.length < 2)
+                continue;
+            if (/\$\{/.test(line) || // template literal interpolation
+                /\+\s*\w/.test(line) || // string concatenation
+                /f["']/.test(line) || // Python f-string
+                /\.format\s*\(/.test(line) || // Python .format()
+                /String\.format/i.test(line) || // Java String.format
+                /fmt\.Sprintf/i.test(line) || // Go fmt.Sprintf
+                /%s/.test(line) // printf-style interpolation
+            ) {
+                sqlDataFlowLines.push(i + 1);
+            }
+        }
+        if (sqlDataFlowLines.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "critical",
+                title: "Untrusted input flows into database query construction",
+                description: "Database queries are built using dynamic string operations (concatenation, interpolation, or formatting) which can introduce injection vulnerabilities when user-controlled data is included.",
+                lineNumbers: sqlDataFlowLines,
+                recommendation: "Use parameterized queries or prepared statements exclusively. Separate SQL structure from data values.",
+                reference: "CWE-89",
+                suggestedFix: "Replace string building with parameterized queries: db.query('SELECT * FROM t WHERE id = $1', [id]).",
+                confidence: 0.9,
+            });
+        }
+    }
+    // ── SEC-002: Weak cryptographic algorithm for sensitive operations ──────
+    {
+        const weakCryptoLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (/\b(?:md5|sha1|sha-1|DES|RC4|RC2|Blowfish)\b/i.test(line) &&
+                /\b(?:password|passwd|hash|digest|crypt|sign|verify|secret|token|credential)\b/i.test(line)) {
+                weakCryptoLines.push(i + 1);
+            }
+            // Also catch createHash('md5') or hashlib.md5() near password context
+            if (/(?:createHash|hashlib\.|MessageDigest\.getInstance|Hash(?:Algorithm)?)\s*\(\s*['"]?(?:md5|sha-?1)['"]?\s*\)/i.test(line)) {
+                const ctx = lines.slice(Math.max(0, i - 3), Math.min(lines.length, i + 4)).join("\n");
+                if (/password|passwd|credential|secret|user/i.test(ctx)) {
+                    weakCryptoLines.push(i + 1);
+                }
+            }
+        }
+        const uniqueLines = [...new Set(weakCryptoLines)].sort((a, b) => a - b);
+        if (uniqueLines.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "high",
+                title: "Weak cryptographic algorithm used for sensitive operations",
+                description: "A cryptographically weak algorithm (MD5, SHA-1, DES, RC4) is used in a security-sensitive context. These algorithms have known collision or brute-force vulnerabilities.",
+                lineNumbers: uniqueLines,
+                recommendation: "Use bcrypt, scrypt, or Argon2 for password hashing. Use SHA-256+ or AES-256-GCM for general cryptographic operations.",
+                reference: "CWE-327 / CWE-328",
+                suggestedFix: "Replace MD5/SHA1 with bcrypt for passwords: await bcrypt.hash(password, 12). For general hashing use SHA-256.",
+                confidence: 0.9,
+            });
+        }
+    }
+    // ── SEC-003: Uncontrolled file system access with dynamic paths ─────────
+    {
+        const fsAccessLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (/\b(?:readFile|readFileSync|createReadStream|writeFile|writeFileSync|readdir|unlink|stat|access|open|sendFile|fs\.\w+)\s*\(/i.test(line) ||
+                /\b(?:os\.(?:Open|ReadFile)|ioutil\.ReadFile|File\.(?:read|open|new)|file_get_contents|fopen)\s*\(/i.test(line)) {
+                // Check if user input is involved (exclude compound identifiers like InputDir, userHome)
+                const ctx = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 2)).join("\n");
+                if (/(?:req\.|request\.|params\.|query\.|body\.|args\.|argv|\binput\s*[=:[(.]|\buser\s*[=:[(.])/i.test(ctx) &&
+                    /(?:\+|`[^`]*\$\{|\.format|path\.join|Path\.Combine|filepath\.Join|os\.path\.join)/i.test(ctx)) {
+                    fsAccessLines.push(i + 1);
+                }
+            }
+        }
+        if (fsAccessLines.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "critical",
+                title: "Uncontrolled file system access with dynamic path construction",
+                description: "File system operations use paths constructed from external input without validation, potentially allowing access to arbitrary files via directory traversal sequences.",
+                lineNumbers: fsAccessLines,
+                recommendation: "Validate and canonicalize file paths. Ensure resolved paths stay within an allowed base directory. Reject paths containing '..' sequences.",
+                reference: "CWE-22 / CWE-73",
+                suggestedFix: "Validate: const safe = path.resolve(BASE, userInput); if (!safe.startsWith(BASE)) throw new Error('blocked');",
+                confidence: 0.9,
+            });
+        }
+    }
+    // ── SEC-004: Sensitive data transmitted over unencrypted channel ────────
+    {
+        const httpInsecureLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (/["'`]http:\/\/(?!localhost|127\.0\.0\.1|0\.0\.0\.0|example\.com|test)[^"'`\s]+/i.test(line)) {
+                const ctx = lines.slice(Math.max(0, i - 2), Math.min(lines.length, i + 3)).join("\n");
+                if (/\b(?:fetch|axios|request|http\.get|requests\.|urllib|HttpClient|curl|api|auth|login|password|token|payment|secret|key|credential)\b/i.test(ctx)) {
+                    httpInsecureLines.push(i + 1);
+                }
+            }
+        }
+        if (httpInsecureLines.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "high",
+                title: "Sensitive data transmitted over unencrypted channel",
+                description: "HTTP (non-TLS) URLs are used in contexts involving sensitive operations or data. Network traffic can be intercepted by attackers on the same network.",
+                lineNumbers: httpInsecureLines,
+                recommendation: "Use HTTPS for all production endpoints. Enforce TLS for any communication involving authentication, tokens, or sensitive data.",
+                reference: "CWE-319 / CWE-523",
+                suggestedFix: "Replace http:// with https:// for all production endpoints.",
+                confidence: 0.85,
+            });
+        }
+    }
+    // ── SEC-005: API endpoint without input validation or sanitization ──────
+    {
+        const hasEndpoints = testCode(code, /app\.(?:get|post|put|patch|delete)\s*\(/gi) ||
+            testCode(code, /@(?:app\.route|Get|Post|Put|Patch|Delete|RequestMapping)\b/gi) ||
+            testCode(code, /router\.(?:get|post|put|patch|delete)\s*\(/gi) ||
+            testCode(code, /func\s+\w+\s*\(\s*w\s+http\.ResponseWriter/gi);
+        const hasValidation = testCode(code, /\b(?:joi|zod|yup|ajv|validate|validator|class-validator|express-validator)\b/gi) ||
+            testCode(code, /\b(?:parseInt|parseFloat|Number\(|isNaN|typeof\s+\w+\s*[!=]==?\s*["'](?:string|number|boolean)["'])\b/gi) ||
+            testCode(code, /\b(?:Schema|schema|ValidationError|validate|sanitize|escape|trim)\b/gi) ||
+            testCode(code, /\.(?:required|min|max|length|email|url|uuid|regex|pattern|matches)\s*\(/gi) ||
+            // Pydantic / FastAPI / Django form/serializer validation
+            testCode(code, /\b(?:BaseModel|Field\s*\(|EmailStr|HttpUrl|constr|conint|confloat|Serializer|Form\b|ModelForm\b)\b/gi);
+        if (hasEndpoints && !hasValidation && lines.length > 10) {
+            // Find the endpoint handler lines
+            const endpointLines = [];
+            for (let i = 0; i < lines.length; i++) {
+                if (/app\.(?:get|post|put|patch|delete)\s*\(|router\.(?:get|post|put|patch|delete)\s*\(/i.test(lines[i])) {
+                    endpointLines.push(i + 1);
+                }
+            }
+            if (endpointLines.length > 0) {
+                findings.push({
+                    ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                    severity: "high",
+                    title: "API endpoint processes external input without validation",
+                    description: "Endpoint handlers accept and use external input (request body, query parameters, URL parameters) without any visible input validation or sanitization.",
+                    lineNumbers: endpointLines,
+                    recommendation: "Add input validation using a schema library (Joi, Zod, Yup) or built-in validation. Validate types, ranges, formats, and lengths for all input fields.",
+                    reference: "CWE-20: Improper Input Validation",
+                    suggestedFix: "Add schema validation: const schema = z.object({ field: z.string().min(1).max(100) }); const data = schema.parse(req.body);",
+                    confidence: 0.7,
+                });
+            }
+        }
+    }
+    // ── SEC-006: Missing essential security middleware ──────────────────────
+    {
+        const hasExpress = testCode(code, /express\(\)|require\s*\(\s*['"]express['"]\s*\)|from\s+['"]express['"]/gi);
+        const hasHelmet = testCode(code, /helmet\b/gi);
+        const hasCors = testCode(code, /\bcors\b/gi);
+        const hasCsrf = testCode(code, /csrf|csurf/gi);
+        const hasRateLimit = testCode(code, /rate.?limit/gi);
+        if (hasExpress && !hasHelmet && lines.length > 10) {
+            const expressLines = [];
+            for (let i = 0; i < lines.length; i++) {
+                if (/express\(\)|require\s*\(\s*['"]express['"]\)/i.test(lines[i])) {
+                    expressLines.push(i + 1);
+                }
+            }
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "high",
+                title: "Web framework missing essential security hardening",
+                description: "Express/Node.js application does not use security middleware (Helmet) to set protective HTTP headers (CSP, HSTS, X-Frame-Options, etc.)." +
+                    (!hasCors ? " CORS configuration is also missing." : "") +
+                    (!hasCsrf ? " CSRF protection is not configured." : "") +
+                    (!hasRateLimit ? " Rate limiting is not configured." : ""),
+                lineNumbers: expressLines.length > 0 ? expressLines : undefined,
+                recommendation: "Add helmet() middleware for security headers, CORS configuration, CSRF protection, and rate limiting.",
+                reference: "OWASP Secure Headers Project",
+                suggestedFix: "Add: app.use(helmet()); app.use(cors({ origin: ALLOWED_ORIGINS })); app.use(csrf()); app.use(rateLimit({ windowMs: 15*60*1000, max: 100 }));",
+                confidence: 0.75,
+            });
+        }
+    }
+    // ── SEC-007: Server-side request to user-controlled URL ────────────────
+    {
+        const ssrfLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            // Direct: fetch(req.query.url) / axios.get(req.body.url)
+            if (/\b(?:fetch|axios|http\.get|https\.get|requests\.get|urllib|HttpClient|WebClient|reqwest|httpx|aiohttp)\s*\(/i.test(line) &&
+                /(?:req\.|request\.|params\.|query\.|body\.|args\.|input)/i.test(line)) {
+                ssrfLines.push(i + 1);
+            }
+            // Indirect: variable assigned from req, then used in fetch
+            if (/\b(?:fetch|axios|http\.get|https\.get|requests\.get|requests\.request)\s*\(\s*(\w+)/i.test(line)) {
+                const match = line.match(/\b(?:fetch|axios|http\.get|requests\.get)\s*\(\s*(\w+)/i);
+                if (match) {
+                    const varName = match[1];
+                    if (varName && !/^['"`]/.test(varName) && varName !== "undefined" && varName !== "null") {
+                        const ctx = lines.slice(Math.max(0, i - 10), i).join("\n");
+                        const assignRe = new RegExp(`(?:const|let|var|\\w+)\\s*${varName}\\s*[:=]\\s*.*(?:req\\.|request\\.|params\\.|query\\.|body\\.|args\\.|input|url)`, "i");
+                        if (assignRe.test(ctx)) {
+                            ssrfLines.push(i + 1);
+                        }
+                    }
+                }
+            }
+        }
+        const uniqueSsrf = [...new Set(ssrfLines)].sort((a, b) => a - b);
+        if (uniqueSsrf.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "high",
+                title: "Server-side HTTP request to user-controlled destination",
+                description: "A URL derived from user input is passed to a server-side HTTP client, allowing attackers to probe internal services, cloud metadata endpoints (169.254.169.254), or exfiltrate data.",
+                lineNumbers: uniqueSsrf,
+                recommendation: "Validate URLs against an allowlist of permitted domains. Block internal/private IP ranges. Use a URL parser to verify the scheme and host before making requests.",
+                reference: "CWE-918",
+                suggestedFix: "Validate: const url = new URL(input); if (!ALLOWED_HOSTS.includes(url.hostname)) throw new Error('blocked');",
+                confidence: 0.85,
+            });
+        }
+    }
+    // ── SEC-008: Unsafe recursive object merge allowing property injection ──
+    {
+        const mergeLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            // Object.assign, spread, _.merge, _.extend, deep merge with user input
+            if (/(?:Object\.assign|deepMerge|deepExtend|_\.merge|_\.extend|_\.defaultsDeep|lodash\.merge|merge\(|extend\()\s*\(/i.test(line) &&
+                /(?:req\.|request\.|body\.|params\.|query\.|input|user)/i.test(line)) {
+                mergeLines.push(i + 1);
+            }
+            // Recursive property assignment from user input
+            if (/\[.*(?:req\.|request\.|body\.|input|key|prop)\s*\]/i.test(line) && /\s*=\s*/.test(line)) {
+                const ctx = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 3)).join("\n");
+                if (/\b(?:for|while|forEach|Object\.keys|Object\.entries)\b/i.test(ctx)) {
+                    mergeLines.push(i + 1);
+                }
+            }
+        }
+        if (mergeLines.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "high",
+                title: "Unsafe recursive object merge allowing property injection",
+                description: "User-controlled input is merged into objects via recursive merge/extend operations, allowing attackers to inject __proto__, constructor, or prototype properties to modify object behavior globally.",
+                lineNumbers: mergeLines,
+                recommendation: "Use a merge function that blocks prototype keys. Validate/whitelist allowed properties before merging. Freeze prototypes where possible.",
+                reference: "CWE-1321",
+                suggestedFix: "Filter dangerous keys: const safeData = Object.fromEntries(Object.entries(input).filter(([k]) => !['__proto__', 'constructor', 'prototype'].includes(k)));",
+                confidence: 0.85,
+            });
+        }
+    }
+    // ── SEC-009: Token verification without algorithm restriction ───────────
+    {
+        const jwtLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (/jwt\.verify|jwt\.decode|jose\.jwtVerify|jsonwebtoken/i.test(line)) {
+                const ctx = lines.slice(Math.max(0, i - 2), Math.min(lines.length, i + 5)).join("\n");
+                // Check if algorithms is specified in options
+                if (!/algorithms\s*[=:]/.test(ctx) && !/algorithm\s*[=:]/.test(ctx)) {
+                    jwtLines.push(i + 1);
+                }
+                // Check for 'none' algorithm explicitly allowed
+                if (/['"]none['"]/i.test(ctx)) {
+                    jwtLines.push(i + 1);
+                }
+            }
+            // Java/C# JWT verification without algorithm check
+            if (/JwtParser|JWTVerifier|TokenValidationParameters|JwtSecurityTokenHandler/i.test(line)) {
+                const ctx = lines.slice(i, Math.min(lines.length, i + 8)).join("\n");
+                if (!/(?:algorithms|signatureAlgorithm|ValidAlgorithms)\s*[=:]/i.test(ctx)) {
+                    jwtLines.push(i + 1);
+                }
+            }
+        }
+        const uniqueJwt = [...new Set(jwtLines)].sort((a, b) => a - b);
+        if (uniqueJwt.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "critical",
+                title: "Token verification without algorithm restriction",
+                description: "JWT/token verification does not restrict the allowed signing algorithms. This can allow 'none' algorithm attacks where an attacker submits unsigned tokens that are accepted as valid.",
+                lineNumbers: uniqueJwt,
+                recommendation: "Always specify allowed algorithms explicitly: jwt.verify(token, secret, { algorithms: ['HS256'] }). Never allow the 'none' algorithm.",
+                reference: "CWE-345 / CWE-347",
+                suggestedFix: "Add algorithm restriction: jwt.verify(token, secret, { algorithms: ['HS256'] });",
+                confidence: 0.9,
+            });
+        }
+    }
+    // ── SEC-010: Direct user input in data modification without field filtering ──
+    {
+        const massAssignLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            // req.body spread into DB operations
+            if (/(?:\.create|\.update\w*|\.insert|\.findOneAndUpdate|\.updateOne|\.save|\.set|Model\.\w+|db\.\w+)\s*\(/i.test(line) &&
+                /(?:req\.body|request\.body|\.\.\.req\.body|\.\.\.request\.body|\breq\.body\b)/i.test(line)) {
+                massAssignLines.push(i + 1);
+            }
+            // Spread in object literal for DB
+            if (/\{\s*\.\.\.req\.body|\{\s*\.\.\.request\.body/i.test(line)) {
+                const ctx = lines.slice(i, Math.min(lines.length, i + 5)).join("\n");
+                if (/(?:\.create|\.update|\.save|query|Model)/i.test(ctx)) {
+                    massAssignLines.push(i + 1);
+                }
+            }
+        }
+        const uniqueMass = [...new Set(massAssignLines)].sort((a, b) => a - b);
+        if (uniqueMass.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "high",
+                title: "Direct user input in data modification without field filtering",
+                description: "Request body is passed directly to database create/update operations without field whitelisting. Attackers can inject unexpected fields (isAdmin, role, price) to escalate privileges.",
+                lineNumbers: uniqueMass,
+                recommendation: "Explicitly pick allowed fields: const { name, email } = req.body; Model.update({ name, email }). Use DTOs or validation schemas.",
+                reference: "CWE-915",
+                suggestedFix: "Whitelist fields: const { name, email } = req.body; await Model.update({ name, email });",
+                confidence: 0.85,
+            });
+        }
+    }
+    // ── SEC-011: Unvalidated redirect destination ──────────────────────────
+    {
+        const redirectLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (/(?:res\.redirect|response\.redirect|Response\.Redirect|redirect\(|sendRedirect|header\s*\(\s*['"]Location)/i.test(line) &&
+                /(?:req\.|request\.|params\.|query\.|body\.|args\.|input|url)/i.test(line)) {
+                redirectLines.push(i + 1);
+            }
+            // Indirect: redirect with a variable from user input
+            if (/(?:res\.redirect|response\.redirect|redirect)\s*\(\s*(\w+)/i.test(line)) {
+                const match = line.match(/(?:res\.redirect|response\.redirect|redirect)\s*\(\s*(\w+)/i);
+                if (match) {
+                    const varName = match[1];
+                    if (varName &&
+                        !/^['"`]/.test(varName) &&
+                        varName !== "undefined" &&
+                        varName !== "null" &&
+                        varName.length > 1) {
+                        const ctx = lines.slice(Math.max(0, i - 8), i).join("\n");
+                        const assignRe = new RegExp(`(?:const|let|var)?\\s*${varName}\\s*[:=]\\s*.*(?:req\\.|request\\.|query\\.|params\\.|body\\.)`, "i");
+                        if (assignRe.test(ctx)) {
+                            redirectLines.push(i + 1);
+                        }
+                    }
+                }
+            }
+        }
+        const uniqueRedirect = [...new Set(redirectLines)].sort((a, b) => a - b);
+        if (uniqueRedirect.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "high",
+                title: "Unvalidated redirect to user-controlled destination",
+                description: "HTTP redirect uses a URL derived from user input without validation. Attackers can redirect users to phishing sites or malicious pages.",
+                lineNumbers: uniqueRedirect,
+                recommendation: "Validate redirect URLs against an allowlist of permitted destinations. Only allow relative paths or known domains.",
+                reference: "CWE-601",
+                suggestedFix: "Validate: const url = new URL(target, req.headers.origin); if (!ALLOWED_HOSTS.includes(url.hostname)) throw new Error('blocked');",
+                confidence: 0.85,
+            });
+        }
+    }
+    // ── SEC-012: Non-constant-time secret comparison ───────────────────────
+    {
+        const timingLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (/(?:===?|!==?)\s*(?:signature|secret|token|hmac|hash|digest|apiKey|api_key|expected|computed)/i.test(line) ||
+                /(?:signature|secret|token|hmac|hash|digest|apiKey|api_key|expected|computed)\s*(?:===?|!==?)/i.test(line)) {
+                const ctx = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 6)).join("\n");
+                if (!/timingSafeEqual|constantTimeCompare|hmac\.Equal|secure_compare|constant_time_compare|compare_digest|MessageDigest\.isEqual/i.test(ctx)) {
+                    timingLines.push(i + 1);
+                }
+            }
+        }
+        if (timingLines.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "high",
+                title: "Non-constant-time comparison of cryptographic material",
+                description: "Secrets, tokens, or signatures are compared using standard equality operators which leak timing information. Attackers can determine correct values byte-by-byte by measuring response time differences.",
+                lineNumbers: timingLines,
+                recommendation: "Use constant-time comparison functions: crypto.timingSafeEqual() (Node.js), hmac.Equal() (Go), hmac.compare_digest() (Python).",
+                reference: "CWE-208",
+                suggestedFix: "Replace === with: crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));",
+                confidence: 0.85,
+            });
+        }
+    }
+    // ── SEC-013: XML processing without entity restriction ─────────────────
+    {
+        const xxeLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            // Java: DocumentBuilderFactory, SAXParserFactory, XMLInputFactory without setFeature
+            if (/(?:DocumentBuilderFactory|SAXParserFactory|XMLInputFactory|XMLReader|TransformerFactory)\.new/i.test(line)) {
+                const ctx = lines.slice(i, Math.min(lines.length, i + 10)).join("\n");
+                if (!/setFeature\s*\(.*(?:FEATURE_SECURE_PROCESSING|XMLConstants\.FEATURE_SECURE_PROCESSING|disallow-doctype-decl|external-general-entities)/i.test(ctx) &&
+                    !/setProperty.*ACCESS_EXTERNAL/i.test(ctx)) {
+                    xxeLines.push(i + 1);
+                }
+            }
+            // Python: xml.etree, lxml without defused
+            if (/(?:ElementTree\.parse|etree\.parse|minidom\.parse|xml\.sax\.parse|lxml\.etree)\s*\(/i.test(line)) {
+                const fullCode = lines.join("\n");
+                if (!/defusedxml|defused/i.test(fullCode)) {
+                    xxeLines.push(i + 1);
+                }
+            }
+            // C#: XmlReader, XmlDocument without DtdProcessing.Prohibit
+            if (/(?:XmlReader\.Create|XmlDocument\(\)|XDocument\.Load)\b/i.test(line)) {
+                const ctx = lines.slice(i, Math.min(lines.length, i + 8)).join("\n");
+                if (!/DtdProcessing\.Prohibit|DtdProcessing\s*=\s*DtdProcessing\.Prohibit|ProhibitDtd/i.test(ctx)) {
+                    xxeLines.push(i + 1);
+                }
+            }
+        }
+        if (xxeLines.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "critical",
+                title: "XML processing without external entity restriction",
+                description: "XML parsers are used without disabling external entity resolution, enabling XXE attacks that can read local files, perform SSRF, or cause denial of service.",
+                lineNumbers: xxeLines,
+                recommendation: "Disable external entity processing: set FEATURE_SECURE_PROCESSING, disallow-doctype-decl, or use defusedxml (Python). In C#, set DtdProcessing.Prohibit.",
+                reference: "CWE-611",
+                suggestedFix: "Java: factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); Python: import defusedxml.ElementTree as ET",
+                confidence: 0.9,
+            });
+        }
+    }
+    // ── SEC-014: Unsafe memory operations without safety documentation ─────
+    if (lang === "rust") {
+        const unsafeLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            if (/\bunsafe\s*\{/.test(lines[i])) {
+                unsafeLines.push(i + 1);
+            }
+        }
+        if (unsafeLines.length > 0) {
+            const fullCode = lines.join("\n");
+            if (!/\/\/\s*SAFETY\s*:|\/\/\s*UNSAFE\s*:/i.test(fullCode)) {
+                findings.push({
+                    ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                    severity: "high",
+                    title: "Unsafe memory operations without safety invariant documentation",
+                    description: "Unsafe code blocks bypass memory safety guarantees without documenting the safety invariants that must hold. This risks buffer overflows, use-after-free, and data races.",
+                    lineNumbers: unsafeLines,
+                    recommendation: "Document safety invariants with // SAFETY: comments. Minimize unsafe scope. Prefer safe abstractions where possible.",
+                    reference: "CWE-119 / CWE-787",
+                    suggestedFix: "Add: // SAFETY: <explain why this is safe> above each unsafe block.",
+                    confidence: 0.85,
+                });
+            }
+        }
+    }
+    // ── SEC-015: Deserialization of untrusted data ─────────────────────────
+    {
+        const deserLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            // Python pickle/yaml/marshal
+            if (/\b(?:pickle\.loads?|yaml\.(?:load|unsafe_load)|marshal\.loads?)\s*\(/i.test(line)) {
+                deserLines.push(i + 1);
+            }
+            // Java ObjectInputStream
+            if (/\b(?:ObjectInputStream|XMLDecoder|readObject|readUnshared)\b/i.test(line)) {
+                deserLines.push(i + 1);
+            }
+            // PHP unserialize
+            if (/\bunserialize\s*\(/i.test(line)) {
+                deserLines.push(i + 1);
+            }
+            // Ruby Marshal.load
+            if (/\bMarshal\.load\b/i.test(line)) {
+                deserLines.push(i + 1);
+            }
+            // .NET BinaryFormatter
+            if (/\bBinaryFormatter\.Deserialize\b/i.test(line)) {
+                deserLines.push(i + 1);
+            }
+        }
+        if (deserLines.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum).padStart(3, "0")}`,
+                severity: "critical",
+                title: "Deserialization of data from untrusted sources",
+                description: "Unsafe deserialization functions (pickle, ObjectInputStream, Marshal, BinaryFormatter) process data that may originate from untrusted sources, enabling remote code execution.",
+                lineNumbers: deserLines,
+                recommendation: "Never deserialize untrusted data. Use JSON for data exchange with schema validation. Avoid pickle, ObjectInputStream, Marshal for user-facing inputs.",
+                reference: "CWE-502",
+                suggestedFix: "Replace with safe alternatives: JSON with schema validation, data transfer objects, or type-safe serialization formats.",
+                confidence: 0.9,
+            });
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=security.js.map

package/dist/evaluators/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../src/evaluators/security.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEtD;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAAC,IAAY,EAAE,QAAgB;IAC5D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,KAAK,CAAC;IACrB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IACrC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE/B,0EAA0E;IAC1E,mEAAmE;IACnE,CAAC;QACC,MAAM,gBAAgB,GAAa,EAAE,CAAC;QACtC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,uEAAuE;YACvE,iEAAiE;YACjE,MAAM,WAAW,GACf,IAAI,CAAC,KAAK,CAAC,6FAA6F,CAAC,IAAI,EAAE,CAAC;YAClH,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC;gBAAE,SAAS;YACrC,IACE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,iCAAiC;gBACtD,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,uBAAuB;gBAC/C,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,kBAAkB;gBACxC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,mBAAmB;gBACjD,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,qBAAqB;gBACrD,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,iBAAiB;gBAC/C,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,6BAA6B;cAC7C,CAAC;gBACD,gBAAgB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;QACD,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,UAAU;gBACpB,KAAK,EAAE,wDAAwD;gBAC/D,WAAW,EACT,+LAA+L;gBACjM,WAAW,EAAE,gBAAgB;gBAC7B,cAAc,EACZ,wGAAwG;gBAC1G,SAAS,EAAE,QAAQ;gBACnB,YAAY,EACV,sGAAsG;gBACxG,UAAU,EAAE,GAAG;aAChB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,CAAC;QACC,MAAM,eAAe,GAAa,EAAE,CAAC;QACrC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IACE,8CAA8C,CAAC,IAAI,CAAC,IAAI,CAAC;gBACzD,gFAAgF,CAAC,IAAI,CAAC,IAAI,CAAC,EAC3F,CAAC;gBACD,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC9B,CAAC;YACD,sEAAsE;YACtE,IACE,8GAA8G,CAAC,IAAI,CACjH,IAAI,CACL,EACD,CAAC;gBACD,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACtF,IAAI,yCAAyC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACxD,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC9B,CAAC;YACH,CAAC;QACH,CAAC;QACD,MAAM,WAAW,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACxE,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,4DAA4D;gBACnE,WAAW,EACT,0KAA0K;gBAC5K,WAAW,EAAE,WAAW;gBACxB,cAAc,EACZ,uHAAuH;gBACzH,SAAS,EAAE,mBAAmB;gBAC9B,YAAY,EACV,+GAA+G;gBACjH,UAAU,EAAE,GAAG;aAChB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,CAAC;QACC,MAAM,aAAa,GAAa,EAAE,CAAC;QACnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IACE,6HAA6H,CAAC,IAAI,CAChI,IAAI,CACL;gBACD,oGAAoG,CAAC,IAAI,CAAC,IAAI,CAAC,EAC/G,CAAC;gBACD,yFAAyF;gBACzF,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACtF,IACE,6FAA6F,CAAC,IAAI,CAAC,GAAG,CAAC;oBACvG,oFAAoF,CAAC,IAAI,CAAC,GAAG,CAAC,EAC9F,CAAC;oBACD,aAAa,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC5B,CAAC;YACH,CAAC;QACH,CAAC;QACD,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,UAAU;gBACpB,KAAK,EAAE,gEAAgE;gBACvE,WAAW,EACT,wKAAwK;gBAC1K,WAAW,EAAE,aAAa;gBAC1B,cAAc,EACZ,4IAA4I;gBAC9I,SAAS,EAAE,iBAAiB;gBAC5B,YAAY,EACV,+GAA+G;gBACjH,UAAU,EAAE,GAAG;aAChB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,CAAC;QACC,MAAM,iBAAiB,GAAa,EAAE,CAAC;QACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,iFAAiF,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACjG,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACtF,IACE,sIAAsI,CAAC,IAAI,CACzI,GAAG,CACJ,EACD,CAAC;oBACD,iBAAiB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAChC,CAAC;YACH,CAAC;QACH,CAAC;QACD,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjC,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,qDAAqD;gBAC5D,WAAW,EACT,uJAAuJ;gBACzJ,WAAW,EAAE,iBAAiB;gBAC9B,cAAc,EACZ,gIAAgI;gBAClI,SAAS,EAAE,mBAAmB;gBAC9B,YAAY,EAAE,6DAA6D;gBAC3E,UAAU,EAAE,IAAI;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,CAAC;QACC,MAAM,YAAY,GAChB,QAAQ,CAAC,IAAI,EAAE,2CAA2C,CAAC;YAC3D,QAAQ,CAAC,IAAI,EAAE,8DAA8D,CAAC;YAC9E,QAAQ,CAAC,IAAI,EAAE,8CAA8C,CAAC;YAC9D,QAAQ,CAAC,IAAI,EAAE,8CAA8C,CAAC,CAAC;QACjE,MAAM,aAAa,GACjB,QAAQ,CAAC,IAAI,EAAE,gFAAgF,CAAC;YAChG,QAAQ,CACN,IAAI,EACJ,yGAAyG,CAC1G;YACD,QAAQ,CAAC,IAAI,EAAE,uEAAuE,CAAC;YACvF,QAAQ,CAAC,IAAI,EAAE,2EAA2E,CAAC;YAC3F,yDAAyD;YACzD,QAAQ,CACN,IAAI,EACJ,sGAAsG,CACvG,CAAC;QAEJ,IAAI,YAAY,IAAI,CAAC,aAAa,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACxD,kCAAkC;YAClC,MAAM,aAAa,GAAa,EAAE,CAAC;YACnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,IAAI,qFAAqF,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBACzG,aAAa,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC5B,CAAC;YACH,CAAC;YACD,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC7B,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBACzD,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,0DAA0D;oBACjE,WAAW,EACT,wJAAwJ;oBAC1J,WAAW,EAAE,aAAa;oBAC1B,cAAc,EACZ,wJAAwJ;oBAC1J,SAAS,EAAE,mCAAmC;oBAC9C,YAAY,EACV,6HAA6H;oBAC/H,UAAU,EAAE,GAAG;iBAChB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,CAAC;QACC,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,EAAE,0EAA0E,CAAC,CAAC;QAC9G,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;QAC/C,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;QAC/C,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;QAErD,IAAI,UAAU,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAClD,MAAM,YAAY,GAAa,EAAE,CAAC;YAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,IAAI,+CAA+C,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBACnE,YAAY,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC3B,CAAC;YACH,CAAC;YACD,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,oDAAoD;gBAC3D,WAAW,EACT,0IAA0I;oBAC1I,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,sCAAsC,CAAC,CAAC,CAAC,EAAE,CAAC;oBACxD,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,qCAAqC,CAAC,CAAC,CAAC,EAAE,CAAC;oBACvD,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,mCAAmC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5D,WAAW,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;gBAC/D,cAAc,EACZ,uGAAuG;gBACzG,SAAS,EAAE,8BAA8B;gBACzC,YAAY,EACV,8IAA8I;gBAChJ,UAAU,EAAE,IAAI;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,CAAC;QACC,MAAM,SAAS,GAAa,EAAE,CAAC;QAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,yDAAyD;YACzD,IACE,8GAA8G,CAAC,IAAI,CACjH,IAAI,CACL;gBACD,2DAA2D,CAAC,IAAI,CAAC,IAAI,CAAC,EACtE,CAAC;gBACD,SAAS,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACxB,CAAC;YACD,2DAA2D;YAC3D,IAAI,sFAAsF,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACtG,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,yDAAyD,CAAC,CAAC;gBACpF,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACzB,IAAI,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,OAAO,KAAK,WAAW,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;wBACxF,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;wBAC3D,MAAM,QAAQ,GAAG,IAAI,MAAM,CACzB,6BAA6B,OAAO,kFAAkF,EACtH,GAAG,CACJ,CAAC;wBACF,IAAI,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;4BACvB,SAAS,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;wBACxB,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QACD,MAAM,UAAU,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACjE,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,yDAAyD;gBAChE,WAAW,EACT,sLAAsL;gBACxL,WAAW,EAAE,UAAU;gBACvB,cAAc,EACZ,mKAAmK;gBACrK,SAAS,EAAE,SAAS;gBACpB,YAAY,EACV,8GAA8G;gBAChH,UAAU,EAAE,IAAI;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,CAAC;QACC,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,uEAAuE;YACvE,IACE,iHAAiH,CAAC,IAAI,CACpH,IAAI,CACL;gBACD,yDAAyD,CAAC,IAAI,CAAC,IAAI,CAAC,EACpE,CAAC;gBACD,UAAU,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACzB,CAAC;YACD,gDAAgD;YAChD,IAAI,qDAAqD,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7F,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACtF,IAAI,yDAAyD,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACxE,UAAU,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC;QACD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,2DAA2D;gBAClE,WAAW,EACT,sMAAsM;gBACxM,WAAW,EAAE,UAAU;gBACvB,cAAc,EACZ,0IAA0I;gBAC5I,SAAS,EAAE,UAAU;gBACrB,YAAY,EACV,4JAA4J;gBAC9J,UAAU,EAAE,IAAI;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,CAAC;QACC,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,uDAAuD,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvE,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACtF,8CAA8C;gBAC9C,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACpE,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBACvB,CAAC;gBACD,gDAAgD;gBAChD,IAAI,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC9B,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBACvB,CAAC;YACH,CAAC;YACD,mDAAmD;YACnD,IAAI,0EAA0E,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC1F,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACrE,IAAI,CAAC,2DAA2D,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC3E,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBACvB,CAAC;YACH,CAAC;QACH,CAAC;QACD,MAAM,SAAS,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,UAAU;gBACpB,KAAK,EAAE,kDAAkD;gBACzD,WAAW,EACT,wLAAwL;gBAC1L,WAAW,EAAE,SAAS;gBACtB,cAAc,EACZ,uIAAuI;gBACzI,SAAS,EAAE,mBAAmB;gBAC9B,YAAY,EAAE,kFAAkF;gBAChG,UAAU,EAAE,GAAG;aAChB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,gFAAgF;IAChF,CAAC;QACC,MAAM,eAAe,GAAa,EAAE,CAAC;QACrC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,qCAAqC;YACrC,IACE,wGAAwG,CAAC,IAAI,CAC3G,IAAI,CACL;gBACD,gFAAgF,CAAC,IAAI,CAAC,IAAI,CAAC,EAC3F,CAAC;gBACD,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC9B,CAAC;YACD,kCAAkC;YAClC,IAAI,gDAAgD,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChE,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACrE,IAAI,2CAA2C,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC1D,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC9B,CAAC;YACH,CAAC;QACH,CAAC;QACD,MAAM,UAAU,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACvE,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,gEAAgE;gBACvE,WAAW,EACT,wLAAwL;gBAC1L,WAAW,EAAE,UAAU;gBACvB,cAAc,EACZ,kIAAkI;gBACpI,SAAS,EAAE,SAAS;gBACpB,YAAY,EAAE,0FAA0F;gBACxG,UAAU,EAAE,IAAI;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,CAAC;QACC,MAAM,aAAa,GAAa,EAAE,CAAC;QACnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IACE,6GAA6G,CAAC,IAAI,CAChH,IAAI,CACL;gBACD,+DAA+D,CAAC,IAAI,CAAC,IAAI,CAAC,EAC1E,CAAC;gBACD,aAAa,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC5B,CAAC;YACD,qDAAqD;YACrD,IAAI,6DAA6D,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7E,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,6DAA6D,CAAC,CAAC;gBACxF,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACzB,IACE,OAAO;wBACP,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC;wBACvB,OAAO,KAAK,WAAW;wBACvB,OAAO,KAAK,MAAM;wBAClB,OAAO,CAAC,MAAM,GAAG,CAAC,EAClB,CAAC;wBACD,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;wBAC1D,MAAM,QAAQ,GAAG,IAAI,MAAM,CACzB,yBAAyB,OAAO,gEAAgE,EAChG,GAAG,CACJ,CAAC;wBACF,IAAI,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;4BACvB,aAAa,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;wBAC5B,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QACD,MAAM,cAAc,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACzE,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9B,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,qDAAqD;gBAC5D,WAAW,EACT,yIAAyI;gBAC3I,WAAW,EAAE,cAAc;gBAC3B,cAAc,EACZ,oHAAoH;gBACtH,SAAS,EAAE,SAAS;gBACpB,YAAY,EACV,mIAAmI;gBACrI,UAAU,EAAE,IAAI;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,CAAC;QACC,MAAM,WAAW,GAAa,EAAE,CAAC;QACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IACE,+FAA+F,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC1G,+FAA+F,CAAC,IAAI,CAAC,IAAI,CAAC,EAC1G,CAAC;gBACD,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACtF,IACE,CAAC,6HAA6H,CAAC,IAAI,CACjI,GAAG,CACJ,EACD,CAAC;oBACD,WAAW,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,CAAC;YACH,CAAC;QACH,CAAC;QACD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,wDAAwD;gBAC/D,WAAW,EACT,0MAA0M;gBAC5M,WAAW,EAAE,WAAW;gBACxB,cAAc,EACZ,gIAAgI;gBAClI,SAAS,EAAE,SAAS;gBACpB,YAAY,EAAE,2EAA2E;gBACzF,UAAU,EAAE,IAAI;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,CAAC;QACC,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,qFAAqF;YACrF,IAAI,gGAAgG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChH,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACtE,IACE,CAAC,yIAAyI,CAAC,IAAI,CAC7I,GAAG,CACJ;oBACD,CAAC,+BAA+B,CAAC,IAAI,CAAC,GAAG,CAAC,EAC1C,CAAC;oBACD,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBACvB,CAAC;YACH,CAAC;YACD,0CAA0C;YAC1C,IAAI,sFAAsF,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACtG,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAClC,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC1C,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBACvB,CAAC;YACH,CAAC;YACD,4DAA4D;YAC5D,IAAI,0DAA0D,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC1E,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACrE,IAAI,CAAC,kFAAkF,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBAClG,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBACvB,CAAC;YACH,CAAC;QACH,CAAC;QACD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,UAAU;gBACpB,KAAK,EAAE,oDAAoD;gBAC3D,WAAW,EACT,8JAA8J;gBAChK,WAAW,EAAE,QAAQ;gBACrB,cAAc,EACZ,0JAA0J;gBAC5J,SAAS,EAAE,SAAS;gBACpB,YAAY,EACV,qHAAqH;gBACvH,UAAU,EAAE,GAAG;aAChB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QACpB,MAAM,WAAW,GAAa,EAAE,CAAC;QACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,IAAI,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACnC,WAAW,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;QACD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,IAAI,CAAC,sCAAsC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC3D,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBACzD,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,iEAAiE;oBACxE,WAAW,EACT,2KAA2K;oBAC7K,WAAW,EAAE,WAAW;oBACxB,cAAc,EACZ,sHAAsH;oBACxH,SAAS,EAAE,mBAAmB;oBAC9B,YAAY,EAAE,qEAAqE;oBACnF,UAAU,EAAE,IAAI;iBACjB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,CAAC;QACC,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,6BAA6B;YAC7B,IAAI,uEAAuE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvF,UAAU,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACzB,CAAC;YACD,yBAAyB;YACzB,IAAI,+DAA+D,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/E,UAAU,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACzB,CAAC;YACD,kBAAkB;YAClB,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,UAAU,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACzB,CAAC;YACD,oBAAoB;YACpB,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACpC,UAAU,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACzB,CAAC;YACD,uBAAuB;YACvB,IAAI,mCAAmC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,UAAU,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QACD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACvD,QAAQ,EAAE,UAAU;gBACpB,KAAK,EAAE,gDAAgD;gBACvD,WAAW,EACT,gLAAgL;gBAClL,WAAW,EAAE,UAAU;gBACvB,cAAc,EACZ,uJAAuJ;gBACzJ,SAAS,EAAE,SAAS;gBACpB,YAAY,EACV,yHAAyH;gBAC3H,UAAU,EAAE,GAAG;aAChB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/evaluators/shared.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"shared.d.ts","sourceRoot":"","sources":["../../src/evaluators/shared.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,eAAe,EACf,eAAe,EACf,eAAe,EACf,OAAO,EAEP,OAAO,EACP,YAAY,EACZ,UAAU,EACX,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAS,MAAM,yBAAyB,CAAC;AAGhF,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,CAAC;AAW1C;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEnD;AAOD,MAAM,MAAM,YAAY,GACpB,MAAM,GACN,QAAQ,GACR,OAAO,GACP,SAAS,GACT,KAAK,GACL,eAAe,GACf,kBAAkB,GAClB,QAAQ,GACR,SAAS,CAAC;AAEd;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,YAAY,CAmM5F;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,YAAY,GAAG,OAAO,CAErE;AAID,+EAA+E;AAC/E,MAAM,MAAM,iBAAiB,GAAG,MAAM,CAAC;AAEvC,6DAA6D;AAC7D,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,iBAAiB,CAAC;IAC7B,uEAAuE;IACvE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,4DAA4D;IAC5D,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,kEAAkE;IAClE,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;CACpB;AA+BD;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,oBAAoB,EAAE,CAqB5E;AAED;;;;;;;;;GASG;AACH,wBAAgB,8BAA8B,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,oBAAoB,EAAE,GAAG,MAAM,CAiDzG;AAkDD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,iBAAiB,EAAE,CAMlE;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,EAAE,CAqCpF;AAcD;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEnD;AAcD;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEzD;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE1D;AAED;;;;;;;GAOG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOjD;AAYD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CA8G5D;AA6BD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAI/D;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,SAAI,GAAG,MAAM,CAIrF;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,IAAI,CAAC,EAAE;IAAE,YAAY,CAAC,EAAE,OAAO,CAAC;IAAC,kBAAkB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9D,MAAM,EAAE,CAcV;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,MAAM,GAAG,KAAK,EAAE,MAAM,CAAC,CAAC,EAC9D,IAAI,CAAC,EAAE;IAAE,YAAY,CAAC,EAAE,OAAO,CAAC;IAAC,kBAAkB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9D,MAAM,EAAE,CAQV;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,UAAU,CAE1D;AAID;;;GAGG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,MAAM,CAAC,EAAE,YAAY,GAAG,OAAO,EAAE,CAsDjF;AAID;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAsC1D;AAED,wBAAgB,cAAc,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAuBzE;AAED,wBAAgB,aAAa,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAUzE;AAID,wBAAgB,YAAY,CAAC,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,MAAM,CAqBjH;AAED,wBAAgB,oBAAoB,CAClC,WAAW,EAAE,eAAe,EAAE,EAC9B,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,MAAM,GAChB,MAAM,CAmBR;AAID;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,eAAe,GAAG,MAAM,CAmCxE;AA+BD,wBAAgB,kCAAkC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAQzE;AAED,wBAAgB,kCAAkC,IAAI,OAAO,CAE5D;AAED,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CA4BnE;AAED;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAyB9D;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,eAAe,GAAG,MAAM,CAiC9E"}
+{"version":3,"file":"shared.d.ts","sourceRoot":"","sources":["../../src/evaluators/shared.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,eAAe,EACf,eAAe,EACf,eAAe,EACf,OAAO,EAEP,OAAO,EACP,YAAY,EACZ,UAAU,EACX,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAS,MAAM,yBAAyB,CAAC;AAGhF,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,CAAC;AAW1C;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEnD;AAOD,MAAM,MAAM,YAAY,GACpB,MAAM,GACN,QAAQ,GACR,OAAO,GACP,SAAS,GACT,KAAK,GACL,eAAe,GACf,kBAAkB,GAClB,QAAQ,GACR,SAAS,CAAC;AAEd;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,YAAY,CA4M5F;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,YAAY,GAAG,OAAO,CAErE;AAID,+EAA+E;AAC/E,MAAM,MAAM,iBAAiB,GAAG,MAAM,CAAC;AAEvC,6DAA6D;AAC7D,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,iBAAiB,CAAC;IAC7B,uEAAuE;IACvE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,4DAA4D;IAC5D,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,kEAAkE;IAClE,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;CACpB;AA+BD;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,oBAAoB,EAAE,CAqB5E;AAED;;;;;;;;;GASG;AACH,wBAAgB,8BAA8B,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,oBAAoB,EAAE,GAAG,MAAM,CAiDzG;AAkDD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,iBAAiB,EAAE,CAMlE;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,EAAE,CAqCpF;AAcD;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEnD;AAcD;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEzD;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE1D;AAED;;;;;;;GAOG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAcjD;AAYD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CA8G5D;AA6BD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAI/D;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,SAAI,GAAG,MAAM,CAIrF;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,IAAI,CAAC,EAAE;IAAE,YAAY,CAAC,EAAE,OAAO,CAAC;IAAC,kBAAkB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9D,MAAM,EAAE,CAcV;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,MAAM,GAAG,KAAK,EAAE,MAAM,CAAC,CAAC,EAC9D,IAAI,CAAC,EAAE;IAAE,YAAY,CAAC,EAAE,OAAO,CAAC;IAAC,kBAAkB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9D,MAAM,EAAE,CAQV;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,UAAU,CAE1D;AAID;;;GAGG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,MAAM,CAAC,EAAE,YAAY,GAAG,OAAO,EAAE,CAsDjF;AAID;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAsC1D;AAED,wBAAgB,cAAc,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAuBzE;AAED,wBAAgB,aAAa,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAUzE;AAID,wBAAgB,YAAY,CAAC,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,MAAM,CAqBjH;AAED,wBAAgB,oBAAoB,CAClC,WAAW,EAAE,eAAe,EAAE,EAC9B,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,MAAM,GAChB,MAAM,CAmBR;AAID;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,eAAe,GAAG,MAAM,CAmCxE;AA+BD,wBAAgB,kCAAkC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAQzE;AAED,wBAAgB,kCAAkC,IAAI,OAAO,CAE5D;AAED,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CA4BnE;AAED;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAyB9D;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,eAAe,GAAG,MAAM,CAiC9E"}

package/dist/evaluators/shared.js

@@ -127,8 +127,13 @@ export function classifyFile(code, language, filePath) {
     if (scoringPatterns >= 2 && regexLiteralCount >= 3) {
         return "analysis-tool";
     }
-    // Health-check endpoints detected by content (lightweight route returning 200/ok)
-    if (/(?:\/health|\/ready|\/live|\/ping|\/status)\b/i.test(code) &&
+    // Health-check endpoints detected by content (lightweight route returning 200/ok).
+    // Only classify as utility when the file is a dedicated health-check module —
+    // if it defines multiple routes it is a real server that happens to include
+    // a health endpoint.
+    const routeHandlerCount = (code.match(/\bapp\.(?:get|post|put|delete|patch|use)\s*\(|router\.(?:get|post|put|delete|patch|use)\s*\(|@app\.route\s*\(|@(?:Get|Post|Put|Delete)Mapping\s*\(/gi) || []).length;
+    if (routeHandlerCount <= 1 &&
+        /(?:\/health|\/ready|\/live|\/ping|\/status)\b/i.test(code) &&
         lineCount < 50 &&
         // Bound [^\n] to {0,200} to prevent polynomial backtracking when a line
         // contains many 'return' sub-strings (CodeQL js/polynomial-redos).
@@ -465,7 +470,14 @@ export function isLikelyCLI(code) {
     // Shebang or process.argv / commander / yargs / meow patterns
     return (/^#!\/usr\/bin\/env\s/m.test(code) ||
         /\bprocess\.argv\b/.test(code) ||
-        /\b(?:commander|yargs|meow|cac|citty|clipanion)\b/i.test(code));
+        /\b(?:commander|yargs|meow|cac|citty|clipanion)\b/i.test(code) ||
+        // Go CLI: flag package, cobra, urfave/cli
+        /\bflag\.(?:String|Int|Bool|Float|Parse|Args)\b/.test(code) ||
+        /\b(?:cobra|urfave\/cli)\b/i.test(code) ||
+        // Python CLI: argparse, click, typer
+        /\b(?:argparse|@click\.|typer\.)\b/.test(code) ||
+        // Rust CLI: clap
+        /\bclap::/.test(code));
 }
 // ─── Comment & String Stripping ──────────────────────────────────────────────
 // Provides `stripCommentsAndStrings()` which replaces all comments and string