@oculum/scanner 1.0.12 → 1.0.14

package/dist/detect/secrets/config-audit.js

@@ -0,0 +1,410 @@
+"use strict";
+/**
+ * Layer 1: Configuration Auditing
+ * Scans configuration files for security misconfigurations
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CONFIG_RULES = void 0;
+exports.auditConfiguration = auditConfiguration;
+exports.enrichPostinstallFindings = enrichPostinstallFindings;
+const registry_clients_1 = require("../../shared/registry-clients");
+// Base confidence for configuration audit findings
+const BASE_CONFIDENCE = 0.50;
+// Configuration audit rules
+exports.CONFIG_RULES = [
+    // Dockerfile rules
+    {
+        name: 'Docker running as root',
+        filePatterns: ['Dockerfile', '*.dockerfile'],
+        check: (content) => {
+            const violations = [];
+            const lines = content.split('\n');
+            // Check if USER instruction exists
+            const hasUserInstruction = lines.some(line => line.trim().toUpperCase().startsWith('USER '));
+            // Check for explicit root user
+            lines.forEach((line, index) => {
+                if (line.trim().toUpperCase() === 'USER ROOT') {
+                    violations.push({
+                        line: index + 1,
+                        lineContent: line.trim(),
+                        message: 'Container explicitly runs as root user',
+                        severity: 'high',
+                    });
+                }
+            });
+            // If no USER instruction at all, flag it
+            if (!hasUserInstruction && lines.length > 5) {
+                violations.push({
+                    line: 1,
+                    lineContent: 'Dockerfile',
+                    message: 'No USER instruction found - container will run as root by default',
+                    severity: 'medium',
+                });
+            }
+            return violations;
+        },
+    },
+    {
+        name: 'Hardcoded secrets in Docker build args',
+        filePatterns: ['Dockerfile', '*.dockerfile', 'docker-compose.yml', 'docker-compose.yaml'],
+        check: (content) => {
+            const violations = [];
+            const lines = content.split('\n');
+            // Pattern: ARG/ENV VAR_NAME="value" where value is NOT empty or a variable reference
+            // Skip: empty defaults (""), variable expansion ($VAR, ${VAR}), shell variable references
+            const sensitiveArgPattern = /ARG\s+\w*(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)\w*\s*=\s*["']([^"'$]+)["']/i;
+            const sensitiveEnvPattern = /ENV\s+\w*(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)\w*\s*=\s*["']([^"'$]+)["']/i;
+            const dockerComposePattern = /^\s*(PASSWORD|SECRET|KEY|TOKEN)\s*[:=]\s*["']?([^"'\s${\n]+)/i;
+            lines.forEach((line, index) => {
+                // Check ARG statements
+                const argMatch = line.match(sensitiveArgPattern);
+                if (argMatch) {
+                    const value = argMatch[2];
+                    // Skip if value is empty or looks like a placeholder instruction
+                    if (value && value.length > 0 && !/^(changeme|replace|your[_-]|xxx)/i.test(value)) {
+                        violations.push({
+                            line: index + 1,
+                            lineContent: line.trim(),
+                            message: 'Hardcoded sensitive value in build argument - use build-time secrets or runtime environment variables',
+                            severity: 'medium', // Downgraded from critical - these are defaults that should be overridden
+                        });
+                    }
+                    return;
+                }
+                // Skip ENV statements that just reference ARG variables (ENV VAR="$VAR")
+                if (/ENV\s+\w+\s*=\s*["']\$\w+["']/i.test(line)) {
+                    return;
+                }
+                // Check ENV statements with actual hardcoded values
+                const envMatch = line.match(sensitiveEnvPattern);
+                if (envMatch) {
+                    const value = envMatch[2];
+                    if (value && value.length > 0) {
+                        violations.push({
+                            line: index + 1,
+                            lineContent: line.trim(),
+                            message: 'Hardcoded sensitive value in environment variable',
+                            severity: 'high',
+                        });
+                    }
+                    return;
+                }
+                // Check docker-compose patterns
+                if (dockerComposePattern.test(line)) {
+                    const match = line.match(dockerComposePattern);
+                    if (match && match[2] && match[2].length > 0) {
+                        violations.push({
+                            line: index + 1,
+                            lineContent: line.trim(),
+                            message: 'Hardcoded sensitive value in docker-compose configuration',
+                            severity: 'high',
+                        });
+                    }
+                }
+            });
+            return violations;
+        },
+    },
+    // CORS configuration
+    {
+        name: 'Permissive CORS configuration',
+        filePatterns: ['*.ts', '*.js', '*.tsx', '*.jsx', 'next.config.*', 'vercel.json', '*.yaml', '*.yml'],
+        check: (content) => {
+            const violations = [];
+            const lines = content.split('\n');
+            const corsPatterns = [
+                /['"]Access-Control-Allow-Origin['"]\s*[,:]\s*['"]\*['"]/i,
+                /cors\s*\(\s*\{\s*origin\s*:\s*['"]\*['"]/i,
+                /origin\s*:\s*['"]\*['"]/i,
+                /allowedOrigins?\s*[=:]\s*\[\s*['"]\*['"]/i,
+                /Access-Control-Allow-Origin:\s*\*/i,
+            ];
+            lines.forEach((line, index) => {
+                for (const pattern of corsPatterns) {
+                    if (pattern.test(line)) {
+                        violations.push({
+                            line: index + 1,
+                            lineContent: line.trim(),
+                            message: 'Permissive CORS policy allows requests from any origin (*)',
+                            severity: 'medium',
+                        });
+                        break;
+                    }
+                }
+            });
+            return violations;
+        },
+    },
+    // GitHub Actions secrets exposure
+    {
+        name: 'GitHub Actions security issues',
+        filePatterns: ['.github/workflows/*.yml', '.github/workflows/*.yaml'],
+        check: (content) => {
+            const violations = [];
+            const lines = content.split('\n');
+            // Check for pull_request_target with checkout
+            const hasPRTarget = content.includes('pull_request_target');
+            const hasCheckout = content.includes('actions/checkout');
+            if (hasPRTarget && hasCheckout) {
+                const checkoutLine = lines.findIndex(l => l.includes('actions/checkout'));
+                violations.push({
+                    line: checkoutLine + 1,
+                    lineContent: lines[checkoutLine]?.trim() || '',
+                    message: 'Using actions/checkout with pull_request_target can expose secrets to untrusted code',
+                    severity: 'high',
+                });
+            }
+            // Check for hardcoded secrets
+            lines.forEach((line, index) => {
+                if (/env:\s*\w+\s*=\s*['"][^$]/.test(line) &&
+                    /(SECRET|TOKEN|KEY|PASSWORD)/i.test(line)) {
+                    violations.push({
+                        line: index + 1,
+                        lineContent: line.trim(),
+                        message: 'Potential hardcoded secret in GitHub Actions workflow',
+                        severity: 'critical',
+                    });
+                }
+            });
+            return violations;
+        },
+    },
+    // Next.js security config
+    {
+        name: 'Next.js security configuration',
+        filePatterns: ['next.config.js', 'next.config.ts', 'next.config.mjs'],
+        check: (content) => {
+            const violations = [];
+            const lines = content.split('\n');
+            // Only flag if poweredByHeader is explicitly set to true (not if missing)
+            if (content.includes('poweredByHeader: true') || content.includes('poweredByHeader:true')) {
+                const lineIndex = lines.findIndex(l => l.includes('poweredByHeader'));
+                violations.push({
+                    line: lineIndex >= 0 ? lineIndex + 1 : 1,
+                    lineContent: lines[lineIndex]?.trim() || 'poweredByHeader: true',
+                    message: 'poweredByHeader is enabled - consider setting to false to hide X-Powered-By header',
+                    severity: 'low',
+                });
+            }
+            // Check for exposed source maps in production
+            lines.forEach((line, index) => {
+                if (/productionBrowserSourceMaps\s*:\s*true/.test(line)) {
+                    violations.push({
+                        line: index + 1,
+                        lineContent: line.trim(),
+                        message: 'Production source maps are enabled - this exposes your source code',
+                        severity: 'medium',
+                    });
+                }
+            });
+            return violations;
+        },
+    },
+    // Package.json security
+    {
+        name: 'Package.json security issues',
+        filePatterns: ['package.json'],
+        check: (content) => {
+            const violations = [];
+            try {
+                const pkg = JSON.parse(content);
+                // Check for postinstall scripts that could be malicious
+                if (pkg.scripts?.postinstall || pkg.scripts?.preinstall) {
+                    const lines = content.split('\n');
+                    const scriptLine = lines.findIndex(l => l.includes('"postinstall"') || l.includes('"preinstall"'));
+                    violations.push({
+                        line: scriptLine + 1,
+                        lineContent: lines[scriptLine]?.trim() || '',
+                        message: 'Pre/post install scripts can execute arbitrary code - review carefully',
+                        severity: 'low',
+                    });
+                }
+                // Check for wildcard dependencies
+                const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+                const lines = content.split('\n');
+                // Get the package's own npm scope to detect internal monorepo deps
+                const ownScope = pkg.name?.startsWith('@') ? pkg.name.split('/')[0] : null;
+                // Also detect common org scope from other dependencies (for packages without scoped names)
+                // If we see @org/foo and @org/bar in deps, @org is likely the monorepo's scope
+                const scopeCounts = {};
+                for (const depName of Object.keys(allDeps)) {
+                    if (depName.startsWith('@')) {
+                        const scope = depName.split('/')[0];
+                        scopeCounts[scope] = (scopeCounts[scope] || 0) + 1;
+                    }
+                }
+                // Find the most common scope (likely the monorepo's org scope)
+                const inferredScope = Object.entries(scopeCounts)
+                    .filter(([, count]) => count >= 2) // At least 2 deps from same scope
+                    .sort((a, b) => b[1] - a[1])[0]?.[0] || null;
+                for (const [name, version] of Object.entries(allDeps)) {
+                    if (version === '*' || version === 'latest') {
+                        // Skip internal monorepo packages:
+                        // 1. Same npm scope as the package itself
+                        // 2. Or same scope as other workspace packages (inferred from multiple deps)
+                        const depScope = name.startsWith('@') ? name.split('/')[0] : null;
+                        // Check if this is a workspace package
+                        const isWorkspacePackage = (ownScope && depScope === ownScope) ||
+                            (inferredScope && depScope === inferredScope && version === '*');
+                        if (isWorkspacePackage) {
+                            continue;
+                        }
+                        const depLine = lines.findIndex(l => l.includes(`"${name}"`));
+                        violations.push({
+                            line: depLine + 1,
+                            lineContent: lines[depLine]?.trim() || '',
+                            message: `Dependency "${name}" uses wildcard/latest version - pin to specific version`,
+                            severity: 'medium',
+                        });
+                    }
+                }
+            }
+            catch {
+                // Invalid JSON, skip
+            }
+            return violations;
+        },
+    },
+];
+// Check if file matches any of the patterns
+function matchesFilePattern(filePath, patterns) {
+    const fileName = filePath.split('/').pop() || '';
+    return patterns.some(pattern => {
+        if (pattern.includes('*')) {
+            const regex = new RegExp('^' + pattern.replace(/\*/g, '.*').replace(/\./g, '\\.') + '$', 'i');
+            return regex.test(fileName) || regex.test(filePath);
+        }
+        return fileName === pattern || filePath.endsWith(pattern);
+    });
+}
+function auditConfiguration(content, filePath, options) {
+    const vulnerabilities = [];
+    for (const rule of exports.CONFIG_RULES) {
+        if (matchesFilePattern(filePath, rule.filePatterns)) {
+            const violations = rule.check(content, filePath);
+            for (const violation of violations) {
+                vulnerabilities.push({
+                    id: `config-${filePath}-${violation.line}-${rule.name}`,
+                    filePath,
+                    lineNumber: violation.line,
+                    lineContent: violation.lineContent,
+                    severity: violation.severity,
+                    category: 'insecure_config',
+                    title: rule.name,
+                    description: violation.message,
+                    suggestedFix: getConfigFix(rule.name, violation),
+                    confidence: 'high',
+                    baseConfidence: BASE_CONFIDENCE,
+                    layer: 1,
+                    source: 'secrets',
+                });
+            }
+        }
+    }
+    return vulnerabilities;
+}
+function getConfigFix(ruleName, violation) {
+    const fixes = {
+        'Docker running as root': 'Add a USER instruction to run as a non-root user: USER node',
+        'Hardcoded secrets in Docker build args': 'Use Docker secrets or pass values at runtime via environment variables',
+        'Permissive CORS configuration': 'Specify allowed origins explicitly instead of using wildcard (*)',
+        'GitHub Actions security issues': 'Use secrets context (${{ secrets.NAME }}) for sensitive values',
+        'Next.js security configuration': 'Review Next.js security best practices and configure headers appropriately',
+        'Package.json security issues': 'Pin dependencies to specific versions and review install scripts',
+    };
+    return fixes[ruleName] || 'Review and fix the security configuration';
+}
+// ===== Postinstall Enrichment via NPM Registry Lookup =====
+/** Extract the command string from a postinstall line like: "postinstall": "patch-package" */
+function extractPostinstallCommand(lineContent) {
+    const match = lineContent.match(/"(?:postinstall|preinstall)"\s*:\s*"([^"]+)"/);
+    return match?.[1] || null;
+}
+/** Extract the main binary/package from a script command */
+function extractScriptBinary(command) {
+    const trimmed = command.trim();
+    // Skip npm/npx wrapper to get the actual tool
+    if (trimmed.startsWith('npx ')) {
+        const parts = trimmed.slice(4).trim().split(/\s+/);
+        return parts[0] || null;
+    }
+    if (trimmed.startsWith('npm run ') || trimmed.startsWith('npm exec ')) {
+        return null; // Can't determine — it's a local script
+    }
+    if (trimmed.startsWith('node ') || trimmed.startsWith('sh ') || trimmed.startsWith('bash ')) {
+        return null; // Local script execution
+    }
+    // Direct command: "patch-package", "husky install", "prisma generate"
+    const parts = trimmed.split(/\s+/);
+    return parts[0] || null;
+}
+function formatDownloads(n) {
+    if (n >= 1000000)
+        return `${(n / 1000000).toFixed(1)}M`;
+    if (n >= 1000)
+        return `${(n / 1000).toFixed(0)}k`;
+    return `${n}`;
+}
+/**
+ * Enrich postinstall findings with npm registry data.
+ * Auto-dismisses known safe packages, escalates unknown ones.
+ */
+async function enrichPostinstallFindings(findings) {
+    const result = [];
+    for (const finding of findings) {
+        // Only process postinstall-related config findings
+        if (finding.category !== 'insecure_config' ||
+            !finding.description.includes('install scripts')) {
+            result.push(finding);
+            continue;
+        }
+        // Extract the command from the postinstall script
+        const command = extractPostinstallCommand(finding.lineContent);
+        if (!command) {
+            result.push(finding);
+            continue;
+        }
+        // Get the package name that runs this command
+        const scriptBinary = extractScriptBinary(command);
+        if (scriptBinary) {
+            const metadata = await (0, registry_clients_1.fetchNPMMetadata)(scriptBinary);
+            if (metadata) {
+                const weeklyDownloads = metadata.downloads?.weekly || 0;
+                const ageDays = (0, registry_clients_1.calculatePackageAgeDays)(metadata.time?.created);
+                // Auto-dismiss: very popular and established
+                if (weeklyDownloads >= 1000000 && ageDays >= 365) {
+                    continue; // Skip this finding entirely
+                }
+                // Trusted: popular and not brand new
+                if (weeklyDownloads >= 100000 && ageDays >= 180) {
+                    finding.severity = 'info';
+                    finding.description = `postinstall runs "${command}" (${scriptBinary}: ${formatDownloads(weeklyDownloads)}/week, ${Math.floor(ageDays / 365)}+ years old)`;
+                    result.push(finding);
+                    continue;
+                }
+                // Moderate: some usage
+                if (weeklyDownloads >= 10000 && ageDays >= 90) {
+                    finding.severity = 'low';
+                    result.push(finding);
+                    continue;
+                }
+                // Suspicious: low downloads or very new
+                finding.severity = 'medium';
+                finding.description = `postinstall runs "${command}" — ${scriptBinary} has only ${formatDownloads(weeklyDownloads)} weekly downloads (${ageDays} days old). Review carefully.`;
+                result.push(finding);
+                continue;
+            }
+            else {
+                // Package not found on npm — escalate
+                finding.severity = 'high';
+                finding.description = `postinstall runs "${command}" — "${scriptBinary}" not found on npm registry. Possible supply chain risk.`;
+                result.push(finding);
+                continue;
+            }
+        }
+        // Couldn't extract binary, keep as-is
+        result.push(finding);
+    }
+    return result;
+}
+//# sourceMappingURL=config-audit.js.map

package/dist/detect/secrets/config-audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-audit.js","sourceRoot":"","sources":["../../../src/detect/secrets/config-audit.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AA4TH,gDAgCC;AAsDD,8DAqEC;AAndD,oEAAyF;AAEzF,mDAAmD;AACnD,MAAM,eAAe,GAAG,IAAI,CAAA;AAE5B,4BAA4B;AACf,QAAA,YAAY,GAAiB;IACxC,mBAAmB;IACnB;QACE,IAAI,EAAE,wBAAwB;QAC9B,YAAY,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;QAC5C,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAEjC,mCAAmC;YACnC,MAAM,kBAAkB,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC3C,IAAI,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAC9C,CAAA;YAED,+BAA+B;YAC/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;gBAC5B,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,WAAW,EAAE,CAAC;oBAC9C,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,KAAK,GAAG,CAAC;wBACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,OAAO,EAAE,wCAAwC;wBACjD,QAAQ,EAAE,MAAM;qBACjB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,yCAAyC;YACzC,IAAI,CAAC,kBAAkB,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC5C,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,CAAC;oBACP,WAAW,EAAE,YAAY;oBACzB,OAAO,EAAE,mEAAmE;oBAC5E,QAAQ,EAAE,QAAQ;iBACnB,CAAC,CAAA;YACJ,CAAC;YAED,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;IACD;QACE,IAAI,EAAE,wCAAwC;QAC9C,YAAY,EAAE,CAAC,YAAY,EAAE,cAAc,EAAE,oBAAoB,EAAE,qBAAqB,CAAC;QACzF,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAEjC,qFAAqF;YACrF,0FAA0F;YAC1F,MAAM,mBAAmB,GAAG,6EAA6E,CAAA;YACzG,MAAM,mBAAmB,GAAG,6EAA6E,CAAA;YACzG,MAAM,oBAAoB,GAAG,+DAA+D,CAAA;YAE5F,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;gBAC5B,uBAAuB;gBACvB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAA;gBAChD,IAAI,QAAQ,EAAE,CAAC;oBACb,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAA;oBACzB,iEAAiE;oBACjE,IAAI,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,mCAAmC,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;wBAClF,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,KAAK,GAAG,CAAC;4BACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,OAAO,EAAE,uGAAuG;4BAChH,QAAQ,EAAE,QAAQ,EAAG,0EAA0E;yBAChG,CAAC,CAAA;oBACJ,CAAC;oBACD,OAAM;gBACR,CAAC;gBAED,yEAAyE;gBACzE,IAAI,gCAAgC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAChD,OAAM;gBACR,CAAC;gBAED,oDAAoD;gBACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAA;gBAChD,IAAI,QAAQ,EAAE,CAAC;oBACb,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAA;oBACzB,IAAI,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBAC9B,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,KAAK,GAAG,CAAC;4BACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,OAAO,EAAE,mDAAmD;4BAC5D,QAAQ,EAAE,MAAM;yBACjB,CAAC,CAAA;oBACJ,CAAC;oBACD,OAAM;gBACR,CAAC;gBAED,gCAAgC;gBAChC,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACpC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAA;oBAC9C,IAAI,KAAK,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBAC7C,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,KAAK,GAAG,CAAC;4BACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,OAAO,EAAE,2DAA2D;4BACpE,QAAQ,EAAE,MAAM;yBACjB,CAAC,CAAA;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;IACD,qBAAqB;IACrB;QACE,IAAI,EAAE,+BAA+B;QACrC,YAAY,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,QAAQ,EAAE,OAAO,CAAC;QACnG,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAEjC,MAAM,YAAY,GAAG;gBACnB,0DAA0D;gBAC1D,2CAA2C;gBAC3C,0BAA0B;gBAC1B,2CAA2C;gBAC3C,oCAAoC;aACrC,CAAA;YAED,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;gBAC5B,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;oBACnC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACvB,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,KAAK,GAAG,CAAC;4BACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,OAAO,EAAE,4DAA4D;4BACrE,QAAQ,EAAE,QAAQ;yBACnB,CAAC,CAAA;wBACF,MAAK;oBACP,CAAC;gBACH,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;IACD,kCAAkC;IAClC;QACE,IAAI,EAAE,gCAAgC;QACtC,YAAY,EAAE,CAAC,yBAAyB,EAAE,0BAA0B,CAAC;QACrE,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAEjC,8CAA8C;YAC9C,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAA;YAC3D,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAA;YAExD,IAAI,WAAW,IAAI,WAAW,EAAE,CAAC;gBAC/B,MAAM,YAAY,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC,CAAA;gBACzE,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,YAAY,GAAG,CAAC;oBACtB,WAAW,EAAE,KAAK,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE;oBAC9C,OAAO,EAAE,sFAAsF;oBAC/F,QAAQ,EAAE,MAAM;iBACjB,CAAC,CAAA;YACJ,CAAC;YAED,8BAA8B;YAC9B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;gBAC5B,IAAI,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC;oBACtC,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC9C,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,KAAK,GAAG,CAAC;wBACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,OAAO,EAAE,uDAAuD;wBAChE,QAAQ,EAAE,UAAU;qBACrB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;IACD,0BAA0B;IAC1B;QACE,IAAI,EAAE,gCAAgC;QACtC,YAAY,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,EAAE,iBAAiB,CAAC;QACrE,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAEjC,0EAA0E;YAC1E,IAAI,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC,EAAE,CAAC;gBAC1F,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAA;gBACrE,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,SAAS,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBACxC,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,IAAI,uBAAuB;oBAChE,OAAO,EAAE,oFAAoF;oBAC7F,QAAQ,EAAE,KAAK;iBAChB,CAAC,CAAA;YACJ,CAAC;YAED,8CAA8C;YAC9C,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;gBAC5B,IAAI,wCAAwC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACxD,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,KAAK,GAAG,CAAC;wBACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,OAAO,EAAE,oEAAoE;wBAC7E,QAAQ,EAAE,QAAQ;qBACnB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;IACD,wBAAwB;IACxB;QACE,IAAI,EAAE,8BAA8B;QACpC,YAAY,EAAE,CAAC,cAAc,CAAC;QAC9B,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YAExC,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;gBAE/B,wDAAwD;gBACxD,IAAI,GAAG,CAAC,OAAO,EAAE,WAAW,IAAI,GAAG,CAAC,OAAO,EAAE,UAAU,EAAE,CAAC;oBACxD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;oBACjC,MAAM,UAAU,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CACrC,CAAC,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,cAAc,CAAC,CAC1D,CAAA;oBACD,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,UAAU,GAAG,CAAC;wBACpB,WAAW,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE;wBAC5C,OAAO,EAAE,wEAAwE;wBACjF,QAAQ,EAAE,KAAK;qBAChB,CAAC,CAAA;gBACJ,CAAC;gBAED,kCAAkC;gBAClC,MAAM,OAAO,GAAG,EAAE,GAAG,GAAG,CAAC,YAAY,EAAE,GAAG,GAAG,CAAC,eAAe,EAAE,CAAA;gBAC/D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;gBAEjC,mEAAmE;gBACnE,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;gBAE1E,2FAA2F;gBAC3F,+EAA+E;gBAC/E,MAAM,WAAW,GAA2B,EAAE,CAAA;gBAC9C,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC3C,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;wBAC5B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;wBACnC,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAA;oBACpD,CAAC;gBACH,CAAC;gBACD,+DAA+D;gBAC/D,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC;qBAC9C,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,kCAAkC;qBACpE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,CAAA;gBAE9C,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;oBACtD,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;wBAC5C,mCAAmC;wBACnC,0CAA0C;wBAC1C,6EAA6E;wBAC7E,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;wBAEjE,uCAAuC;wBACvC,MAAM,kBAAkB,GACtB,CAAC,QAAQ,IAAI,QAAQ,KAAK,QAAQ,CAAC;4BACnC,CAAC,aAAa,IAAI,QAAQ,KAAK,aAAa,IAAI,OAAO,KAAK,GAAG,CAAC,CAAA;wBAElE,IAAI,kBAAkB,EAAE,CAAC;4BACvB,SAAQ;wBACV,CAAC;wBAED,MAAM,OAAO,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,CAAA;wBAC7D,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,OAAO,GAAG,CAAC;4BACjB,WAAW,EAAE,KAAK,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE;4BACzC,OAAO,EAAE,eAAe,IAAI,0DAA0D;4BACtF,QAAQ,EAAE,QAAQ;yBACnB,CAAC,CAAA;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,qBAAqB;YACvB,CAAC;YAED,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;CACF,CAAA;AAED,4CAA4C;AAC5C,SAAS,kBAAkB,CAAC,QAAgB,EAAE,QAAkB;IAC9D,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAA;IAEhD,OAAO,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;QAC7B,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,IAAI,MAAM,CACtB,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,EAC9D,GAAG,CACJ,CAAA;YACD,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACrD,CAAC;QACD,OAAO,QAAQ,KAAK,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;IAC3D,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,SAAgB,kBAAkB,CAChC,OAAe,EACf,QAAgB,EAChB,OAAiC;IAEjC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,KAAK,MAAM,IAAI,IAAI,oBAAY,EAAE,CAAC;QAChC,IAAI,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YACpD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;YAEhD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;gBACnC,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,UAAU,QAAQ,IAAI,SAAS,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE;oBACvD,QAAQ;oBACR,UAAU,EAAE,SAAS,CAAC,IAAI;oBAC1B,WAAW,EAAE,SAAS,CAAC,WAAW;oBAClC,QAAQ,EAAE,SAAS,CAAC,QAAQ;oBAC5B,QAAQ,EAAE,iBAAiB;oBAC3B,KAAK,EAAE,IAAI,CAAC,IAAI;oBAChB,WAAW,EAAE,SAAS,CAAC,OAAO;oBAC9B,YAAY,EAAE,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC;oBAChD,UAAU,EAAE,MAAM;oBAClB,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,SAAkB;iBACzB,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC;AAED,SAAS,YAAY,CAAC,QAAgB,EAAE,SAA0B;IAChE,MAAM,KAAK,GAA2B;QACpC,wBAAwB,EAAE,6DAA6D;QACvF,wCAAwC,EAAE,wEAAwE;QAClH,+BAA+B,EAAE,kEAAkE;QACnG,gCAAgC,EAAE,gEAAgE;QAClG,gCAAgC,EAAE,4EAA4E;QAC9G,8BAA8B,EAAE,kEAAkE;KACnG,CAAA;IAED,OAAO,KAAK,CAAC,QAAQ,CAAC,IAAI,2CAA2C,CAAA;AACvE,CAAC;AAED,6DAA6D;AAE7D,8FAA8F;AAC9F,SAAS,yBAAyB,CAAC,WAAmB;IACpD,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAA;IAC/E,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,CAAA;AAC3B,CAAC;AAED,4DAA4D;AAC5D,SAAS,mBAAmB,CAAC,OAAe;IAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAA;IAE9B,8CAA8C;IAC9C,IAAI,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;QAClD,OAAO,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,CAAA;IACzB,CAAC;IACD,IAAI,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QACtE,OAAO,IAAI,CAAA,CAAC,wCAAwC;IACtD,CAAC;IACD,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5F,OAAO,IAAI,CAAA,CAAC,yBAAyB;IACvC,CAAC;IAED,sEAAsE;IACtE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IAClC,OAAO,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,CAAA;AACzB,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,IAAI,CAAC,IAAI,OAAS;QAAE,OAAO,GAAG,CAAC,CAAC,GAAG,OAAS,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAA;IAC3D,IAAI,CAAC,IAAI,IAAK;QAAE,OAAO,GAAG,CAAC,CAAC,GAAG,IAAK,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAA;IACnD,OAAO,GAAG,CAAC,EAAE,CAAA;AACf,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,yBAAyB,CAC7C,QAAyB;IAEzB,MAAM,MAAM,GAAoB,EAAE,CAAA;IAElC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,mDAAmD;QACnD,IAAI,OAAO,CAAC,QAAQ,KAAK,iBAAiB;YACtC,CAAC,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACrD,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;YACpB,SAAQ;QACV,CAAC;QAED,kDAAkD;QAClD,MAAM,OAAO,GAAG,yBAAyB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;QAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;YACpB,SAAQ;QACV,CAAC;QAED,8CAA8C;QAC9C,MAAM,YAAY,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAA;QAEjD,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,QAAQ,GAAG,MAAM,IAAA,mCAAgB,EAAC,YAAY,CAAC,CAAA;YAErD,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,eAAe,GAAG,QAAQ,CAAC,SAAS,EAAE,MAAM,IAAI,CAAC,CAAA;gBACvD,MAAM,OAAO,GAAG,IAAA,0CAAuB,EAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;gBAE/D,6CAA6C;gBAC7C,IAAI,eAAe,IAAI,OAAS,IAAI,OAAO,IAAI,GAAG,EAAE,CAAC;oBACnD,SAAQ,CAAC,6BAA6B;gBACxC,CAAC;gBAED,qCAAqC;gBACrC,IAAI,eAAe,IAAI,MAAO,IAAI,OAAO,IAAI,GAAG,EAAE,CAAC;oBACjD,OAAO,CAAC,QAAQ,GAAG,MAAM,CAAA;oBACzB,OAAO,CAAC,WAAW,GAAG,qBAAqB,OAAO,MAAM,YAAY,KAAK,eAAe,CAAC,eAAe,CAAC,UAAU,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,cAAc,CAAA;oBAC1J,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;oBACpB,SAAQ;gBACV,CAAC;gBAED,uBAAuB;gBACvB,IAAI,eAAe,IAAI,KAAM,IAAI,OAAO,IAAI,EAAE,EAAE,CAAC;oBAC/C,OAAO,CAAC,QAAQ,GAAG,KAAK,CAAA;oBACxB,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;oBACpB,SAAQ;gBACV,CAAC;gBAED,wCAAwC;gBACxC,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAA;gBAC3B,OAAO,CAAC,WAAW,GAAG,qBAAqB,OAAO,OAAO,YAAY,aAAa,eAAe,CAAC,eAAe,CAAC,sBAAsB,OAAO,+BAA+B,CAAA;gBAC9K,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;gBACpB,SAAQ;YACV,CAAC;iBAAM,CAAC;gBACN,sCAAsC;gBACtC,OAAO,CAAC,QAAQ,GAAG,MAAM,CAAA;gBACzB,OAAO,CAAC,WAAW,GAAG,qBAAqB,OAAO,QAAQ,YAAY,0DAA0D,CAAA;gBAChI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;gBACpB,SAAQ;YACV,CAAC;QACH,CAAC;QAED,sCAAsC;QACtC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IACtB,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC"}

package/dist/detect/secrets/config-mcp-audit.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Layer 1: MCP Configuration Audit
+ * Detects security issues in MCP configuration files
+ *
+ * Scans:
+ * - mcp.json, *.mcp.json
+ * - .mcp/config.json
+ * - mcpServers in package.json
+ *
+ * Detects:
+ * - Secrets in MCP config (API keys, tokens in args)
+ * - Overpermissive settings (disabled approval, infinite timeouts)
+ * - Insecure transport (http:// instead of https://)
+ */
+import type { Vulnerability } from '../../shared/types';
+import type { ParsedFile } from '../../shared/parsed-file';
+/**
+ * Main detection function for MCP configuration audit
+ */
+export declare function detectMCPConfigIssues(content: string, filePath: string, options?: {
+    parsed?: ParsedFile;
+}): Vulnerability[];
+//# sourceMappingURL=config-mcp-audit.d.ts.map

package/dist/detect/secrets/config-mcp-audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-mcp-audit.d.ts","sourceRoot":"","sources":["../../../src/detect/secrets/config-mcp-audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAgD,MAAM,oBAAoB,CAAA;AACrG,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AA+K1D;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,UAAU,CAAA;CAAE,GAChC,aAAa,EAAE,CAoFjB"}