@oculum/scanner 1.0.12 → 1.0.14

package/dist/detect/secrets/config-mcp-audit.js

@@ -0,0 +1,243 @@
+"use strict";
+/**
+ * Layer 1: MCP Configuration Audit
+ * Detects security issues in MCP configuration files
+ *
+ * Scans:
+ * - mcp.json, *.mcp.json
+ * - .mcp/config.json
+ * - mcpServers in package.json
+ *
+ * Detects:
+ * - Secrets in MCP config (API keys, tokens in args)
+ * - Overpermissive settings (disabled approval, infinite timeouts)
+ * - Insecure transport (http:// instead of https://)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectMCPConfigIssues = detectMCPConfigIssues;
+const file_classifier_1 = require("../../parse/file-classifier");
+// Base confidence for MCP configuration audit findings
+const BASE_CONFIDENCE = 0.50;
+// ============================================================================
+// Configuration File Detection
+// ============================================================================
+/**
+ * Check if file is an MCP configuration file
+ */
+function isMCPConfigFile(filePath) {
+    const mcpConfigPatterns = [
+        /mcp\.json$/i,
+        /\.mcp\.json$/i,
+        /\.mcp\/config\.json$/i,
+        /mcp[-_]?config\.json$/i,
+        /claude[-_]?desktop[-_]?config\.json$/i,
+    ];
+    return mcpConfigPatterns.some(p => p.test(filePath));
+}
+/**
+ * Check if file might contain mcpServers configuration (package.json, etc.)
+ */
+function mightContainMCPConfig(filePath, content) {
+    if (filePath.endsWith('package.json')) {
+        return content.includes('mcpServers') || content.includes('mcp');
+    }
+    if (filePath.endsWith('.json')) {
+        return content.includes('mcpServers') || content.includes('"command"') ||
+            content.includes('"args"') || content.includes('"url"');
+    }
+    return false;
+}
+/**
+ * MCP Configuration Security Patterns
+ */
+const MCP_CONFIG_PATTERNS = [
+    // Secrets in args array
+    {
+        name: 'API key in MCP server args',
+        pattern: /"args"\s*:\s*\[[^\]]*(?:api[_-]?key|API[_-]?KEY|apiKey)[=:]["'][^"']+["'][^\]]*\]/gi,
+        category: 'ai_mcp_config_secrets',
+        baseSeverity: 'critical',
+        description: 'API key found in MCP server arguments. Secrets should not be stored in configuration files.',
+        suggestedFix: 'Use environment variables for secrets: ["--api-key", "${ANTHROPIC_API_KEY}"] or use a secrets manager.',
+    },
+    // Secret/token in args
+    {
+        name: 'Secret token in MCP server args',
+        pattern: /"args"\s*:\s*\[[^\]]*(?:secret|token|password|credential|auth)[=:]["'][^"']+["'][^\]]*\]/gi,
+        category: 'ai_mcp_config_secrets',
+        baseSeverity: 'critical',
+        description: 'Secret or token found in MCP server arguments. This could be exposed in logs or version control.',
+        suggestedFix: 'Move secrets to environment variables or a secrets manager.',
+    },
+    // Hardcoded bearer token
+    {
+        name: 'Bearer token in MCP config',
+        pattern: /"(?:auth|authorization|header)"\s*:\s*["'][Bb]earer\s+[A-Za-z0-9_-]+["']/gi,
+        category: 'ai_mcp_config_secrets',
+        baseSeverity: 'critical',
+        description: 'Bearer token hardcoded in MCP configuration. This is a security risk.',
+        suggestedFix: 'Use environment variable reference: "Bearer ${MCP_TOKEN}"',
+    },
+    // Environment variable with actual value (not reference)
+    {
+        name: 'Environment variable with hardcoded value',
+        pattern: /"env"\s*:\s*\{[^}]*(?:KEY|TOKEN|SECRET|PASSWORD)\s*"\s*:\s*"(?!\$\{)[^"]+"/gi,
+        category: 'ai_mcp_config_secrets',
+        baseSeverity: 'high',
+        description: 'Environment variable set to hardcoded secret value in MCP config.',
+        suggestedFix: 'Set environment variables outside the config file or use a secrets manager.',
+    },
+    // Disabled approval requirement
+    {
+        name: 'Tool approval disabled',
+        pattern: /"requireApproval"\s*:\s*false/gi,
+        category: 'ai_mcp_config_permissions',
+        baseSeverity: 'medium',
+        description: 'Tool approval is disabled. AI can execute tools without user confirmation.',
+        suggestedFix: 'Enable tool approval for sensitive operations: "requireApproval": true',
+    },
+    // Auto-approve all
+    {
+        name: 'Auto-approve all tools',
+        pattern: /"autoApprove"\s*:\s*(?:true|"\*"|"all"|\["\*"\])/gi,
+        category: 'ai_mcp_config_permissions',
+        baseSeverity: 'high',
+        description: 'All tools are auto-approved. This bypasses user confirmation for all operations.',
+        suggestedFix: 'Limit auto-approval to specific safe tools: "autoApprove": ["read_file", "list_files"]',
+    },
+    // Infinite or very long timeout
+    {
+        name: 'Unlimited tool timeout',
+        pattern: /"(?:toolTimeout|timeout)"\s*:\s*(?:0|null|"infinite"|999999+)/gi,
+        category: 'ai_mcp_config_permissions',
+        baseSeverity: 'medium',
+        description: 'Tool timeout is disabled or very long. Tools could run indefinitely.',
+        suggestedFix: 'Set a reasonable timeout: "toolTimeout": 30000 (30 seconds)',
+    },
+    // HTTP URL (not HTTPS)
+    {
+        name: 'Insecure HTTP transport',
+        pattern: /"(?:url|endpoint|server)"\s*:\s*"http:\/\/(?!localhost|127\.0\.0\.1)[^"]+"/gi,
+        category: 'ai_mcp_config_permissions',
+        baseSeverity: 'medium',
+        description: 'MCP server uses insecure HTTP transport. Data could be intercepted.',
+        suggestedFix: 'Use HTTPS for MCP server URLs: "url": "https://..."',
+    },
+    // Wildcard allowed tools
+    {
+        name: 'Wildcard tool permissions',
+        pattern: /"(?:allowedTools|tools|permissions)"\s*:\s*(?:\["\*"\]|"\*"|"all")/gi,
+        category: 'ai_mcp_config_permissions',
+        baseSeverity: 'medium',
+        description: 'All tools are allowed without restriction. Consider limiting to specific tools.',
+        suggestedFix: 'Explicitly list allowed tools: "allowedTools": ["search", "read_file"]',
+    },
+    // Privileged mode enabled
+    {
+        name: 'Privileged mode enabled',
+        pattern: /"(?:privileged|sudo|admin|root)"\s*:\s*true/gi,
+        category: 'ai_mcp_config_permissions',
+        baseSeverity: 'high',
+        description: 'MCP server running in privileged mode. This grants elevated permissions.',
+        suggestedFix: 'Disable privileged mode unless absolutely necessary. Apply principle of least privilege.',
+    },
+    // Disabled security features
+    {
+        name: 'Security feature disabled',
+        pattern: /"(?:secure|tls|verify|validation|sandbox)"\s*:\s*false/gi,
+        category: 'ai_mcp_config_permissions',
+        baseSeverity: 'medium',
+        description: 'Security feature is explicitly disabled in MCP configuration.',
+        suggestedFix: 'Enable security features: "secure": true, "validation": true',
+    },
+    // Command injection risk in args
+    {
+        name: 'Shell command in MCP args',
+        pattern: /"args"\s*:\s*\[[^\]]*(?:sh\s+-c|bash\s+-c|cmd\s+\/c|powershell)[^\]]*\]/gi,
+        category: 'ai_mcp_config_permissions',
+        baseSeverity: 'high',
+        description: 'MCP server args contain shell command execution. This is a command injection risk.',
+        suggestedFix: 'Avoid shell command execution in MCP args. Use direct command invocation.',
+    },
+];
+// ============================================================================
+// Main Detection Function
+// ============================================================================
+/**
+ * Main detection function for MCP configuration audit
+ */
+function detectMCPConfigIssues(content, filePath, options) {
+    const vulnerabilities = [];
+    // Skip non-applicable files
+    if ((0, file_classifier_1.isScannerOrFixtureFile)(filePath))
+        return vulnerabilities;
+    if ((0, file_classifier_1.isDocumentationFile)(filePath))
+        return vulnerabilities;
+    // Only scan MCP config files or files that might contain MCP config
+    if (!isMCPConfigFile(filePath) && !mightContainMCPConfig(filePath, content)) {
+        return vulnerabilities;
+    }
+    const lines = options?.parsed?.lines ?? content.split('\n');
+    const isTestFile = (0, file_classifier_1.isTestOrMockFile)(filePath);
+    const isExample = (0, file_classifier_1.isExampleDirectory)(filePath);
+    // Track findings to avoid duplicates
+    const seenFindings = new Set();
+    for (const pattern of MCP_CONFIG_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, file_classifier_1.isComment)(lineContent))
+                continue;
+            // Create dedup key
+            const dedupKey = `${filePath}:${lineNumber}:${pattern.category}`;
+            if (seenFindings.has(dedupKey))
+                continue;
+            seenFindings.add(dedupKey);
+            let severity = pattern.baseSeverity;
+            let description = pattern.description;
+            const notes = [];
+            // Check if value is an environment variable reference (safer)
+            if (/\$\{[A-Z_]+\}|\$[A-Z_]+/.test(lineContent)) {
+                if (pattern.category === 'ai_mcp_config_secrets') {
+                    severity = 'low';
+                    notes.push('Uses environment variable reference (safer pattern)');
+                }
+            }
+            // Downgrade test files
+            if (isTestFile) {
+                severity = 'info';
+                notes.push('in test file');
+            }
+            // Downgrade example/demo directories
+            if (isExample && severity !== 'info') {
+                severity = 'info';
+                notes.push('in example/demo directory');
+            }
+            // Build final description
+            if (notes.length > 0) {
+                description += ` (${notes.join('; ')})`;
+            }
+            vulnerabilities.push({
+                id: `mcp-config-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: pattern.category,
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: pattern.category === 'ai_mcp_config_secrets' ? 'high' : 'medium',
+                baseConfidence: BASE_CONFIDENCE,
+                layer: 1,
+                source: 'secrets',
+                requiresAIValidation: severity !== 'info' && severity !== 'low',
+            });
+        }
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=config-mcp-audit.js.map

package/dist/detect/secrets/config-mcp-audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-mcp-audit.js","sourceRoot":"","sources":["../../../src/detect/secrets/config-mcp-audit.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;AAqLH,sDAwFC;AAzQD,iEAMoC;AAEpC,uDAAuD;AACvD,MAAM,eAAe,GAAG,IAAI,CAAA;AAE5B,+EAA+E;AAC/E,+BAA+B;AAC/B,+EAA+E;AAE/E;;GAEG;AACH,SAAS,eAAe,CAAC,QAAgB;IACvC,MAAM,iBAAiB,GAAG;QACxB,aAAa;QACb,eAAe;QACf,uBAAuB;QACvB,wBAAwB;QACxB,uCAAuC;KACxC,CAAA;IACD,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AACtD,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,QAAgB,EAAE,OAAe;IAC9D,IAAI,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QACtC,OAAO,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAClE,CAAC;IACD,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/B,OAAO,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC/D,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;IAChE,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAeD;;GAEG;AACH,MAAM,mBAAmB,GAAuB;IAC9C,wBAAwB;IACxB;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,qFAAqF;QAC9F,QAAQ,EAAE,uBAAuB;QACjC,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,6FAA6F;QAC1G,YAAY,EAAE,wGAAwG;KACvH;IACD,uBAAuB;IACvB;QACE,IAAI,EAAE,iCAAiC;QACvC,OAAO,EAAE,4FAA4F;QACrG,QAAQ,EAAE,uBAAuB;QACjC,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,kGAAkG;QAC/G,YAAY,EAAE,6DAA6D;KAC5E;IACD,yBAAyB;IACzB;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,4EAA4E;QACrF,QAAQ,EAAE,uBAAuB;QACjC,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,uEAAuE;QACpF,YAAY,EAAE,2DAA2D;KAC1E;IACD,yDAAyD;IACzD;QACE,IAAI,EAAE,2CAA2C;QACjD,OAAO,EAAE,8EAA8E;QACvF,QAAQ,EAAE,uBAAuB;QACjC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,mEAAmE;QAChF,YAAY,EAAE,6EAA6E;KAC5F;IACD,gCAAgC;IAChC;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,iCAAiC;QAC1C,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,4EAA4E;QACzF,YAAY,EAAE,wEAAwE;KACvF;IACD,mBAAmB;IACnB;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,oDAAoD;QAC7D,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,kFAAkF;QAC/F,YAAY,EAAE,wFAAwF;KACvG;IACD,gCAAgC;IAChC;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,iEAAiE;QAC1E,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,sEAAsE;QACnF,YAAY,EAAE,6DAA6D;KAC5E;IACD,uBAAuB;IACvB;QACE,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,8EAA8E;QACvF,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,qEAAqE;QAClF,YAAY,EAAE,qDAAqD;KACpE;IACD,yBAAyB;IACzB;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,sEAAsE;QAC/E,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,iFAAiF;QAC9F,YAAY,EAAE,wEAAwE;KACvF;IACD,0BAA0B;IAC1B;QACE,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,+CAA+C;QACxD,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,0EAA0E;QACvF,YAAY,EAAE,0FAA0F;KACzG;IACD,6BAA6B;IAC7B;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,0DAA0D;QACnE,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,+DAA+D;QAC5E,YAAY,EAAE,8DAA8D;KAC7E;IACD,iCAAiC;IACjC;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,2EAA2E;QACpF,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,oFAAoF;QACjG,YAAY,EAAE,2EAA2E;KAC1F;CACF,CAAA;AAED,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;GAEG;AACH,SAAgB,qBAAqB,CACnC,OAAe,EACf,QAAgB,EAChB,OAAiC;IAEjC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,4BAA4B;IAC5B,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAC5D,IAAI,IAAA,qCAAmB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAEzD,oEAAoE;IACpE,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,qBAAqB,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC;QAC5E,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC3D,MAAM,UAAU,GAAG,IAAA,kCAAgB,EAAC,QAAQ,CAAC,CAAA;IAC7C,MAAM,SAAS,GAAG,IAAA,oCAAkB,EAAC,QAAQ,CAAC,CAAA;IAE9C,qCAAqC;IACrC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAA;IAEtC,KAAK,MAAM,OAAO,IAAI,mBAAmB,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;QACvE,IAAI,KAAK,CAAA;QAET,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAA;YACvE,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;YAEvD,gBAAgB;YAChB,IAAI,IAAA,2BAAS,EAAC,WAAW,CAAC;gBAAE,SAAQ;YAEpC,mBAAmB;YACnB,MAAM,QAAQ,GAAG,GAAG,QAAQ,IAAI,UAAU,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAA;YAChE,IAAI,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC;gBAAE,SAAQ;YACxC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;YAE1B,IAAI,QAAQ,GAAG,OAAO,CAAC,YAAY,CAAA;YACnC,IAAI,WAAW,GAAG,OAAO,CAAC,WAAW,CAAA;YACrC,MAAM,KAAK,GAAa,EAAE,CAAA;YAE1B,8DAA8D;YAC9D,IAAI,yBAAyB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBAChD,IAAI,OAAO,CAAC,QAAQ,KAAK,uBAAuB,EAAE,CAAC;oBACjD,QAAQ,GAAG,KAAK,CAAA;oBAChB,KAAK,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAA;gBACnE,CAAC;YACH,CAAC;YAED,uBAAuB;YACvB,IAAI,UAAU,EAAE,CAAC;gBACf,QAAQ,GAAG,MAAM,CAAA;gBACjB,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;YAC5B,CAAC;YAED,qCAAqC;YACrC,IAAI,SAAS,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;gBACrC,QAAQ,GAAG,MAAM,CAAA;gBACjB,KAAK,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAA;YACzC,CAAC;YAED,0BAA0B;YAC1B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACrB,WAAW,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAA;YACzC,CAAC;YAED,eAAe,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,cAAc,QAAQ,IAAI,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE;gBAC/E,QAAQ;gBACR,UAAU;gBACV,WAAW;gBACX,QAAQ;gBACR,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,KAAK,EAAE,OAAO,CAAC,IAAI;gBACnB,WAAW;gBACX,YAAY,EAAE,OAAO,CAAC,YAAY;gBAClC,UAAU,EAAE,OAAO,CAAC,QAAQ,KAAK,uBAAuB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;gBAC5E,cAAc,EAAE,eAAe;gBAC/B,KAAK,EAAE,CAAC;gBACR,MAAM,EAAE,SAAkB;gBAC1B,oBAAoB,EAAE,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,KAAK;aAChE,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/detect/secrets/entropy.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Layer 1: High-Entropy String Detection
+ * Uses Shannon entropy to detect potential secrets that don't match known patterns
+ */
+import type { Vulnerability } from '../../shared/types';
+import type { ParsedFile } from '../../shared/parsed-file';
+export declare function calculateEntropy(str: string): number;
+export declare function detectHighEntropyStrings(content: string, filePath: string, options?: {
+    parsed?: ParsedFile;
+}): Vulnerability[];
+//# sourceMappingURL=entropy.d.ts.map

package/dist/detect/secrets/entropy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entropy.d.ts","sourceRoot":"","sources":["../../../src/detect/secrets/entropy.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AACvD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAc1D,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAgBpD;AAopBD,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,UAAU,CAAA;CAAE,GAChC,aAAa,EAAE,CAmKjB"}