@oculum/scanner 1.0.14 → 1.0.15

package/dist/detect/ast-rules/ssrf-ast.js

@@ -0,0 +1,573 @@
+"use strict";
+/**
+ * AST-Based SSRF (Server-Side Request Forgery) Detection
+ *
+ * Migrates structural/ssrf-detection.ts from regex to AST.
+ * Detects user input flowing to HTTP request sinks.
+ *
+ * AST advantages:
+ * - Tracks variable-mediated taint through assignments and destructuring
+ * - Resolves function call targets (fetch, axios.get, got, etc.) from AST
+ * - Detects template literal interpolation with user input in URLs
+ * - Understands allowlist mitigation patterns from AST
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const ast_1 = require("../../parse/ast");
+const index_1 = require("./index");
+const call_analysis_1 = require("./helpers/call-analysis");
+const user_input_1 = require("./helpers/user-input");
+const file_classifier_1 = require("../../parse/file-classifier");
+const context_detection_1 = require("./helpers/context-detection");
+const python_helpers_1 = require("./helpers/python-helpers");
+// ============================================================================
+// Helpers
+// ============================================================================
+/** HTTP request sinks */
+function isHTTPSink(node) {
+    const target = (0, call_analysis_1.resolveCallTarget)(node);
+    if (!target)
+        return false;
+    // fetch(...) — skip if inside a framework fetch wrapper (tRPC, Apollo, etc.)
+    if (target.name === 'fetch' && !target.object) {
+        if (isFrameworkFetchWrapper(node))
+            return false;
+        return true;
+    }
+    // axios.get/post/put/delete/patch/head/options/request(...)
+    if (/^axios$/.test(target.object ?? '') && /^(get|post|put|delete|patch|head|options|request)$/.test(target.name))
+        return true;
+    // got(...)
+    if (target.name === 'got' && !target.object)
+        return true;
+    // undici.request(...)
+    if (target.object === 'undici' && target.name === 'request')
+        return true;
+    // http.get/request(...), https.get/request(...)
+    if (/^https?$/.test(target.object ?? '') && /^(get|request)$/.test(target.name))
+        return true;
+    return false;
+}
+/** Redirect sinks */
+function isRedirectSink(node) {
+    const target = (0, call_analysis_1.resolveCallTarget)(node);
+    if (!target)
+        return false;
+    // res.redirect(...)
+    if (/^(res|response)$/.test(target.object ?? '') && target.name === 'redirect')
+        return true;
+    // redirect(...)
+    if (target.name === 'redirect' && !target.object)
+        return true;
+    return false;
+}
+/** Check if client-side file */
+function isClientSideFile(root, filePath, content) {
+    if ((0, context_detection_1.getFileDirective)(root) === 'use client')
+        return true;
+    if (/\/components\//.test(filePath) && !/express\(\)/.test(content) && (0, context_detection_1.getFileDirective)(root) !== 'use server') {
+        return true;
+    }
+    return false;
+}
+/** Check for SSRF mitigations in surrounding context */
+function hasSSRFMitigation(root, node) {
+    // Walk up to enclosing function
+    let current = node.parent;
+    let fnBody = null;
+    while (current) {
+        if (current.type === 'function_declaration' || current.type === 'arrow_function' || current.type === 'function_expression' || current.type === 'method_definition' || current.type === 'function_definition') {
+            fnBody = current.childForFieldName('body') ?? current;
+            break;
+        }
+        current = current.parent;
+    }
+    if (!fnBody)
+        fnBody = root;
+    const bodyText = fnBody.text;
+    // Allowlist validation
+    if (/(?:allowed|safe|valid|permitted)(?:Hosts|Domains|Urls|Origins)/i.test(bodyText))
+        return true;
+    if (/allowList|allowlist|whitelist|whiteList/.test(bodyText))
+        return true;
+    // Inline allowlist: allowed.some/includes + startsWith/includes/===
+    if (/\b(?:allowed|valid|safe|permitted)\b.*\.(?:some|includes|every)\b/.test(bodyText) &&
+        /(?:startsWith|includes|===|match)/.test(bodyText))
+        return true;
+    // Guard clause: if (url not in array) return/throw
+    if (/\bnot\s+in\b|\bnot_in\b|\.(?:some|includes)\(/.test(bodyText) &&
+        /\breturn\b.*(?:4\d\d|forbidden|not.?allowed)/i.test(bodyText))
+        return true;
+    // URL validation with host/origin check
+    if (/new\s+URL\(/.test(bodyText) && /\.(?:hostname|host|origin)/.test(bodyText))
+        return true;
+    // IP range checking
+    if (/isPrivateIP|isPrivate|isInternal|isLocalhost/i.test(bodyText))
+        return true;
+    // Python URL validation
+    if (/urlparse|urllib\.parse|validators\.url|validate_url/i.test(bodyText))
+        return true;
+    return false;
+}
+/** Config object name patterns */
+const CONFIG_OBJECT_RE = /^(appCfg|config|settings|cfg|appConfig|dify_config|serverConfig|envConfig)$/i;
+/** Config URL property patterns */
+const CONFIG_URL_PROP_RE = /url|host|base|origin|endpoint|domain|callback|redirect/i;
+/** Check if a node represents a config-controlled URL (not user input) */
+function isConfigControlledURL(node) {
+    // Config object access: appCfg.SITE_URL, config.API_BASE, settings.callbackUrl
+    if (node.type === 'member_expression') {
+        const obj = node.childForFieldName('object');
+        const prop = node.childForFieldName('property');
+        if (obj && prop) {
+            if (CONFIG_OBJECT_RE.test(obj.text) && CONFIG_URL_PROP_RE.test(prop.text))
+                return true;
+        }
+    }
+    // Env var URL patterns: process.env.*_URL, *_BASE, *_HOST, *_ORIGIN
+    if (node.type === 'member_expression' && /^process\.env\.\w+(?:_URL|_BASE|_HOST|_ORIGIN|_ENDPOINT|_DOMAIN)$/i.test(node.text)) {
+        return true;
+    }
+    // Template literals / concatenation where first part is config-controlled
+    if (node.type === 'template_string') {
+        const firstChild = node.children[0];
+        // Check first interpolation for config access
+        for (const child of node.children) {
+            if (child.type === 'template_substitution') {
+                const expr = child.namedChildren[0];
+                if (expr && isConfigControlledURL(expr))
+                    return true;
+                break; // only check the first interpolation (the base URL part)
+            }
+        }
+    }
+    if (node.type === 'binary_expression') {
+        const left = node.childForFieldName('left');
+        if (left && isConfigControlledURL(left))
+            return true;
+    }
+    return false;
+}
+/** Check if a fetch() call is inside a framework fetch wrapper (tRPC, Apollo, etc.) */
+function isFrameworkFetchWrapper(node) {
+    let current = node.parent;
+    while (current) {
+        if (current.type === 'function_declaration' || current.type === 'arrow_function' ||
+            current.type === 'function_expression' || current.type === 'method_definition') {
+            const bodyNode = current.childForFieldName('body') ?? current;
+            const bodyText = bodyNode.text;
+            // tRPC fetch wrappers
+            if (/httpLink|httpBatchLink|httpBatchStreamLink|splitLink/.test(bodyText))
+                return true;
+            // Apollo fetch wrappers
+            if (/createHttpLink|ApolloLink|new HttpLink/.test(bodyText))
+                return true;
+            // Generic fetch wrappers with baseUrl
+            const fnName = current.childForFieldName('name')?.text ?? '';
+            if (/^(fetcher|customFetch)$/i.test(fnName) && /baseUrl|baseURL/.test(bodyText))
+                return true;
+        }
+        current = current.parent;
+    }
+    return false;
+}
+/** Check if argument contains user input (directly or via template literal) */
+function argHasUserInput(arg) {
+    if ((0, user_input_1.isUserInputExpression)(arg))
+        return true;
+    // Template literal with user input interpolation
+    if (arg.type === 'template_string') {
+        let found = false;
+        (0, ast_1.walkAST)(arg, (n) => {
+            if (n.type === 'template_substitution') {
+                const expr = n.namedChildren[0];
+                if (expr && (0, user_input_1.isUserInputExpression)(expr))
+                    found = true;
+            }
+            return false;
+        });
+        return found;
+    }
+    // String concatenation with user input
+    if (arg.type === 'binary_expression') {
+        let found = false;
+        (0, ast_1.walkAST)(arg, (n) => {
+            if ((0, user_input_1.isUserInputExpression)(n))
+                found = true;
+            return false;
+        });
+        return found;
+    }
+    // Identifier: resolve variable assignment to check for user input
+    if (arg.type === 'identifier') {
+        const name = arg.text;
+        // Walk up to find enclosing function body
+        let fnBody = null;
+        let cur = arg.parent;
+        while (cur) {
+            if (/function_declaration|arrow_function|function_expression|method_definition/.test(cur.type)) {
+                fnBody = cur.childForFieldName('body') ?? cur;
+                break;
+            }
+            cur = cur.parent;
+        }
+        if (fnBody) {
+            // Search for `name = <expr>` where <expr> is user input
+            let resolved = false;
+            (0, ast_1.walkAST)(fnBody, (n) => {
+                if (resolved)
+                    return true;
+                if (n.type === 'variable_declarator') {
+                    const declName = n.childForFieldName('name');
+                    const declValue = n.childForFieldName('value');
+                    if (declName?.text === name && declValue) {
+                        // Unwrap `as` / `satisfies` type assertions
+                        let val = declValue;
+                        if (val.type === 'as_expression' || val.type === 'satisfies_expression') {
+                            val = val.namedChildren[0] ?? val;
+                        }
+                        if ((0, user_input_1.isUserInputExpression)(val) || /\bformData\.get\b|\breq\.(query|body|params)\b|\brequest\.\b/i.test(val.text)) {
+                            resolved = true;
+                        }
+                    }
+                }
+                return false;
+            });
+            if (resolved)
+                return true;
+        }
+    }
+    return false;
+}
+/** Python HTTP request sinks */
+function isPythonHTTPSink(node) {
+    const target = (0, python_helpers_1.resolvePythonCallTarget)(node);
+    if (!target)
+        return false;
+    // requests.get/post/put/delete/patch/head/options/request(...)
+    if (target.object === 'requests' && /^(get|post|put|delete|patch|head|options|request)$/.test(target.name))
+        return true;
+    // httpx.get/post/...
+    if (target.object === 'httpx' && /^(get|post|put|delete|patch|head|options|request)$/.test(target.name))
+        return true;
+    // urllib.request.urlopen(...)
+    if (/urllib/.test(node.text) && /urlopen/.test(node.text))
+        return true;
+    // aiohttp session: session.get/post(...)
+    if (/aiohttp/.test(node.text) && /\.(get|post|put|delete|patch|head)\(/.test(node.text))
+        return true;
+    return false;
+}
+/** Python redirect sinks */
+function isPythonRedirectSink(node) {
+    const target = (0, python_helpers_1.resolvePythonCallTarget)(node);
+    if (!target)
+        return false;
+    // Flask/Django: redirect(url)
+    if (target.name === 'redirect' && target.type === 'direct')
+        return true;
+    // Django: HttpResponseRedirect(url)
+    if (target.name === 'HttpResponseRedirect' && target.type === 'direct')
+        return true;
+    return false;
+}
+/** Check if a Python argument contains user input (directly or via f-string/concat) */
+function pyArgHasUserInput(arg) {
+    if ((0, python_helpers_1.isPythonUserInputExpression)(arg))
+        return true;
+    // f-string with user input interpolation
+    if ((0, python_helpers_1.isPythonFString)(arg)) {
+        const { dynamicParts } = (0, python_helpers_1.getPythonFStringParts)(arg);
+        return dynamicParts.some(p => {
+            const expr = p.namedChildren[0];
+            return expr ? (0, python_helpers_1.isPythonUserInputExpression)(expr) : false;
+        });
+    }
+    // String concatenation with user input
+    if (arg.type === 'binary_operator') {
+        let found = false;
+        (0, ast_1.walkAST)(arg, (n) => {
+            if ((0, python_helpers_1.isPythonUserInputExpression)(n))
+                found = true;
+            return false;
+        });
+        return found;
+    }
+    return false;
+}
+// ============================================================================
+// AST Rule: Direct SSRF (user input in HTTP sinks)
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-ssrf-direct',
+    title: 'SSRF: User input in HTTP request',
+    description: 'User-controlled input flows to a server-side HTTP request, risking SSRF attacks against internal services or cloud metadata endpoints',
+    severity: 'high',
+    category: 'ssrf',
+    suggestedFix: 'Validate the URL against an allowlist of permitted domains. Block requests to private IP ranges and cloud metadata endpoints.',
+    languages: ['javascript', 'typescript', 'tsx', 'python'],
+    confidence: 'high',
+    baseConfidence: 0.40,
+    layer: 2,
+    source: 'structural',
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        if ((0, file_classifier_1.isTestOrMockFile)(ast.filePath))
+            return [];
+        if ((0, file_classifier_1.isExampleDirectory)(ast.filePath) || (0, file_classifier_1.isExampleFile)(ast.filePath))
+            return [];
+        const matches = [];
+        const root = ast.tree.rootNode;
+        // --- Python ---
+        if (ast.language === 'python') {
+            if (!/requests\.|httpx\.|urllib|aiohttp|urlopen/.test(content))
+                return [];
+            for (const node of (0, index_1.getNodes)(nodeIndex, 'call')) {
+                if (!isPythonHTTPSink(node))
+                    continue;
+                const args = (0, python_helpers_1.getPythonCallArguments)(node);
+                if (args.length === 0)
+                    continue;
+                if (pyArgHasUserInput(args[0])) {
+                    if (hasSSRFMitigation(root, node))
+                        continue;
+                    matches.push({
+                        node,
+                        severity: 'high',
+                        note: 'User-controlled input flows directly to a server-side HTTP request.',
+                    });
+                }
+            }
+            return matches;
+        }
+        // --- JavaScript/TypeScript ---
+        if (isClientSideFile(root, ast.filePath, content))
+            return [];
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            if (!isHTTPSink(node))
+                continue;
+            const args = (0, call_analysis_1.getCallArguments)(node);
+            if (args.length === 0)
+                continue;
+            // Skip config-controlled URLs (not user input)
+            if (isConfigControlledURL(args[0]))
+                continue;
+            // Check if first arg (URL) contains user input
+            if (argHasUserInput(args[0])) {
+                if (hasSSRFMitigation(root, node))
+                    continue;
+                matches.push({
+                    node,
+                    severity: 'high',
+                    note: 'User-controlled input flows directly to a server-side HTTP request.',
+                });
+            }
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: Open Redirect
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-ssrf-redirect',
+    title: 'Open redirect: User input in redirect',
+    description: 'User-controlled input is used in a server redirect, risking phishing via open redirect',
+    severity: 'high',
+    category: 'ssrf',
+    suggestedFix: 'Validate redirect URLs against an allowlist of permitted paths or domains. Use relative paths instead of absolute URLs.',
+    languages: ['javascript', 'typescript', 'tsx', 'python'],
+    confidence: 'high',
+    baseConfidence: 0.40,
+    layer: 2,
+    source: 'structural',
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        if ((0, file_classifier_1.isTestOrMockFile)(ast.filePath))
+            return [];
+        if ((0, file_classifier_1.isExampleDirectory)(ast.filePath) || (0, file_classifier_1.isExampleFile)(ast.filePath))
+            return [];
+        const matches = [];
+        const root = ast.tree.rootNode;
+        // --- Python ---
+        if (ast.language === 'python') {
+            if (!/\bredirect\b|HttpResponseRedirect/.test(content))
+                return [];
+            for (const node of (0, index_1.getNodes)(nodeIndex, 'call')) {
+                if (!isPythonRedirectSink(node))
+                    continue;
+                const args = (0, python_helpers_1.getPythonCallArguments)(node);
+                if (args.length === 0)
+                    continue;
+                if (pyArgHasUserInput(args[0])) {
+                    if (hasSSRFMitigation(root, node))
+                        continue;
+                    matches.push({
+                        node,
+                        severity: 'high',
+                        note: 'User-controlled input used in redirect call.',
+                    });
+                }
+            }
+            return matches;
+        }
+        // --- JavaScript/TypeScript ---
+        if (isClientSideFile(root, ast.filePath, content))
+            return [];
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            if (!isRedirectSink(node))
+                continue;
+            const args = (0, call_analysis_1.getCallArguments)(node);
+            if (args.length === 0)
+                continue;
+            // Skip config-controlled redirect URLs
+            if (isConfigControlledURL(args[0]))
+                continue;
+            if (argHasUserInput(args[0])) {
+                if (hasSSRFMitigation(root, node))
+                    continue;
+                matches.push({
+                    node,
+                    severity: 'high',
+                    note: 'User-controlled input used in redirect call.',
+                });
+            }
+        }
+        return matches;
+    },
+});
+// ============================================================================
+// AST Rule: Variable-mediated SSRF
+// ============================================================================
+(0, index_1.registerASTRule)({
+    id: 'ast-ssrf-mediated',
+    title: 'SSRF: Variable-mediated user input in HTTP request',
+    description: 'User input assigned to a variable flows to an HTTP request sink',
+    severity: 'medium',
+    category: 'ssrf',
+    suggestedFix: 'Validate the URL against an allowlist before making the request. Block private IP ranges.',
+    languages: ['javascript', 'typescript', 'tsx', 'python'],
+    confidence: 'medium',
+    baseConfidence: 0.40,
+    layer: 2,
+    source: 'structural',
+    requiresAIValidation: false,
+    detect(ast, content, nodeIndex) {
+        if ((0, file_classifier_1.isScannerOrFixtureFile)(ast.filePath))
+            return [];
+        if ((0, file_classifier_1.isTestOrMockFile)(ast.filePath))
+            return [];
+        if ((0, file_classifier_1.isExampleDirectory)(ast.filePath) || (0, file_classifier_1.isExampleFile)(ast.filePath))
+            return [];
+        const matches = [];
+        const root = ast.tree.rootNode;
+        // --- Python ---
+        if (ast.language === 'python') {
+            if (!/requests\.|httpx\.|urllib|aiohttp|urlopen|redirect|HttpResponseRedirect/.test(content))
+                return [];
+            // Pass 1: Collect tainted variables (assigned from user input)
+            const taintedVars = new Map();
+            for (const node of (0, index_1.getNodes)(nodeIndex, 'assignment')) {
+                const left = node.childForFieldName('left');
+                const right = node.childForFieldName('right');
+                if (left?.type === 'identifier' && right && (0, python_helpers_1.isPythonUserInputExpression)(right)) {
+                    taintedVars.set(left.text, node);
+                }
+            }
+            if (taintedVars.size === 0)
+                return [];
+            // Pass 2: Check if tainted vars flow to HTTP/redirect sinks
+            for (const node of (0, index_1.getNodes)(nodeIndex, 'call')) {
+                if (!isPythonHTTPSink(node) && !isPythonRedirectSink(node))
+                    continue;
+                const args = (0, python_helpers_1.getPythonCallArguments)(node);
+                if (args.length === 0)
+                    continue;
+                const firstArg = args[0];
+                let taintedVar = null;
+                (0, ast_1.walkAST)(firstArg, (n) => {
+                    if (n.type === 'identifier' && taintedVars.has(n.text)) {
+                        taintedVar = n.text;
+                    }
+                    return false;
+                });
+                if (taintedVar && !hasSSRFMitigation(root, node)) {
+                    matches.push({
+                        node,
+                        severity: 'medium',
+                        note: `User input assigned to '${taintedVar}' flows to HTTP request sink.`,
+                    });
+                }
+            }
+            return matches;
+        }
+        // --- JavaScript/TypeScript ---
+        if (isClientSideFile(root, ast.filePath, content))
+            return [];
+        // Pass 1: Collect tainted variables (assigned from user input)
+        const taintedVars = new Map(); // varName -> assignment node
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'variable_declarator', 'assignment_expression')) {
+            // const url = req.body.url
+            if (node.type === 'variable_declarator') {
+                const nameNode = node.childForFieldName('name');
+                const valueNode = node.childForFieldName('value');
+                if (nameNode && valueNode && (0, user_input_1.isUserInputExpression)(valueNode)) {
+                    taintedVars.set(nameNode.text, node);
+                }
+                // Destructuring: const { url } = req.body
+                if (nameNode?.type === 'object_pattern' && valueNode && (0, user_input_1.isUserInputExpression)(valueNode)) {
+                    for (const prop of nameNode.namedChildren) {
+                        if (prop.type === 'shorthand_property_identifier_pattern') {
+                            taintedVars.set(prop.text, node);
+                        }
+                        else if (prop.type === 'pair_pattern') {
+                            const value = prop.childForFieldName('value');
+                            if (value)
+                                taintedVars.set(value.text, node);
+                        }
+                    }
+                }
+            }
+            // url = req.body.url (assignment)
+            if (node.type === 'assignment_expression') {
+                const left = node.childForFieldName('left');
+                const right = node.childForFieldName('right');
+                if (left && right && left.type === 'identifier' && (0, user_input_1.isUserInputExpression)(right)) {
+                    taintedVars.set(left.text, node);
+                }
+            }
+        }
+        if (taintedVars.size === 0)
+            return [];
+        // Pass 2: Check if tainted vars flow to HTTP sinks
+        for (const node of (0, index_1.getNodes)(nodeIndex, 'call_expression')) {
+            if (!isHTTPSink(node) && !isRedirectSink(node))
+                continue;
+            const args = (0, call_analysis_1.getCallArguments)(node);
+            if (args.length === 0)
+                continue;
+            const firstArg = args[0];
+            // Skip config-controlled URLs
+            if (isConfigControlledURL(firstArg))
+                continue;
+            // Check if the argument references a tainted variable
+            let taintedVar = null;
+            (0, ast_1.walkAST)(firstArg, (n) => {
+                if (n.type === 'identifier' && taintedVars.has(n.text)) {
+                    taintedVar = n.text;
+                }
+                return false;
+            });
+            if (taintedVar && !hasSSRFMitigation(root, node)) {
+                matches.push({
+                    node,
+                    severity: 'medium',
+                    note: `User input assigned to '${taintedVar}' flows to HTTP request sink.`,
+                });
+            }
+        }
+        return matches;
+    },
+});
+//# sourceMappingURL=ssrf-ast.js.map

package/dist/detect/ast-rules/ssrf-ast.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssrf-ast.js","sourceRoot":"","sources":["../../../src/detect/ast-rules/ssrf-ast.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAGH,yCAAyC;AACzC,mCAAsF;AAEtF,2DAA6F;AAC7F,qDAA4D;AAC5D,iEAAyH;AACzH,mEAA8D;AAC9D,6DAAkM;AAElM,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,yBAAyB;AACzB,SAAS,UAAU,CAAC,IAAuB;IACzC,MAAM,MAAM,GAAG,IAAA,iCAAiB,EAAC,IAAI,CAAC,CAAA;IACtC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IAEzB,6EAA6E;IAC7E,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9C,IAAI,uBAAuB,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAA;QAC/C,OAAO,IAAI,CAAA;IACb,CAAC;IAED,4DAA4D;IAC5D,IAAI,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,IAAI,oDAAoD,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAA;IAE9H,WAAW;IACX,IAAI,MAAM,CAAC,IAAI,KAAK,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM;QAAE,OAAO,IAAI,CAAA;IAExD,sBAAsB;IACtB,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,IAAI,CAAA;IAExE,gDAAgD;IAChD,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,IAAI,iBAAiB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAA;IAE5F,OAAO,KAAK,CAAA;AACd,CAAC;AAED,qBAAqB;AACrB,SAAS,cAAc,CAAC,IAAuB;IAC7C,MAAM,MAAM,GAAG,IAAA,iCAAiB,EAAC,IAAI,CAAC,CAAA;IACtC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IAEzB,oBAAoB;IACpB,IAAI,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,IAAI,MAAM,CAAC,IAAI,KAAK,UAAU;QAAE,OAAO,IAAI,CAAA;IAE3F,gBAAgB;IAChB,IAAI,MAAM,CAAC,IAAI,KAAK,UAAU,IAAI,CAAC,MAAM,CAAC,MAAM;QAAE,OAAO,IAAI,CAAA;IAE7D,OAAO,KAAK,CAAA;AACd,CAAC;AAED,gCAAgC;AAChC,SAAS,gBAAgB,CAAC,IAAuB,EAAE,QAAgB,EAAE,OAAe;IAClF,IAAI,IAAA,oCAAgB,EAAC,IAAI,CAAC,KAAK,YAAY;QAAE,OAAO,IAAI,CAAA;IACxD,IAAI,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,IAAA,oCAAgB,EAAC,IAAI,CAAC,KAAK,YAAY,EAAE,CAAC;QAC/G,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,wDAAwD;AACxD,SAAS,iBAAiB,CAAC,IAAuB,EAAE,IAAuB;IACzE,gCAAgC;IAChC,IAAI,OAAO,GAA6B,IAAI,CAAC,MAAM,CAAA;IACnD,IAAI,MAAM,GAA6B,IAAI,CAAA;IAC3C,OAAO,OAAO,EAAE,CAAC;QACf,IAAI,OAAO,CAAC,IAAI,KAAK,sBAAsB,IAAI,OAAO,CAAC,IAAI,KAAK,gBAAgB,IAAI,OAAO,CAAC,IAAI,KAAK,qBAAqB,IAAI,OAAO,CAAC,IAAI,KAAK,mBAAmB,IAAI,OAAO,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;YAC7M,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,MAAM,CAAC,IAAI,OAAO,CAAA;YACrD,MAAK;QACP,CAAC;QACD,OAAO,GAAG,OAAO,CAAC,MAAM,CAAA;IAC1B,CAAC;IACD,IAAI,CAAC,MAAM;QAAE,MAAM,GAAG,IAAI,CAAA;IAE1B,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAA;IAE5B,uBAAuB;IACvB,IAAI,iEAAiE,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAA;IACjG,IAAI,yCAAyC,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAA;IACzE,oEAAoE;IACpE,IAAI,mEAAmE,CAAC,IAAI,CAAC,QAAQ,CAAC;QAClF,mCAAmC,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAA;IACnE,mDAAmD;IACnD,IAAI,+CAA+C,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC9D,+CAA+C,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAA;IAE/E,wCAAwC;IACxC,IAAI,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,4BAA4B,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAA;IAE5F,oBAAoB;IACpB,IAAI,+CAA+C,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAA;IAE/E,wBAAwB;IACxB,IAAI,sDAAsD,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAA;IAEtF,OAAO,KAAK,CAAA;AACd,CAAC;AAED,kCAAkC;AAClC,MAAM,gBAAgB,GAAG,8EAA8E,CAAA;AACvG,mCAAmC;AACnC,MAAM,kBAAkB,GAAG,yDAAyD,CAAA;AAEpF,0EAA0E;AAC1E,SAAS,qBAAqB,CAAC,IAAuB;IACpD,+EAA+E;IAC/E,IAAI,IAAI,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;QACtC,MAAM,GAAG,GAAG,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAA;QAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAA;QAC/C,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;YAChB,IAAI,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO,IAAI,CAAA;QACxF,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,IAAI,IAAI,CAAC,IAAI,KAAK,mBAAmB,IAAI,oEAAoE,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9H,OAAO,IAAI,CAAA;IACb,CAAC;IAED,0EAA0E;IAC1E,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;QACpC,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAA;QACnC,8CAA8C;QAC9C,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClC,IAAI,KAAK,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;gBAC3C,MAAM,IAAI,GAAG,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAA;gBACnC,IAAI,IAAI,IAAI,qBAAqB,CAAC,IAAI,CAAC;oBAAE,OAAO,IAAI,CAAA;gBACpD,MAAK,CAAC,yDAAyD;YACjE,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAA;QAC3C,IAAI,IAAI,IAAI,qBAAqB,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAA;IACtD,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,uFAAuF;AACvF,SAAS,uBAAuB,CAAC,IAAuB;IACtD,IAAI,OAAO,GAA6B,IAAI,CAAC,MAAM,CAAA;IACnD,OAAO,OAAO,EAAE,CAAC;QACf,IAAI,OAAO,CAAC,IAAI,KAAK,sBAAsB,IAAI,OAAO,CAAC,IAAI,KAAK,gBAAgB;YAC5E,OAAO,CAAC,IAAI,KAAK,qBAAqB,IAAI,OAAO,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;YACnF,MAAM,QAAQ,GAAG,OAAO,CAAC,iBAAiB,CAAC,MAAM,CAAC,IAAI,OAAO,CAAA;YAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAA;YAE9B,sBAAsB;YACtB,IAAI,sDAAsD,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,OAAO,IAAI,CAAA;YACtF,wBAAwB;YACxB,IAAI,wCAAwC,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,OAAO,IAAI,CAAA;YACxE,sCAAsC;YACtC,MAAM,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,MAAM,CAAC,EAAE,IAAI,IAAI,EAAE,CAAA;YAC5D,IAAI,0BAA0B,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,OAAO,IAAI,CAAA;QAC9F,CAAC;QACD,OAAO,GAAG,OAAO,CAAC,MAAM,CAAA;IAC1B,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,+EAA+E;AAC/E,SAAS,eAAe,CAAC,GAAsB;IAC7C,IAAI,IAAA,kCAAqB,EAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAE3C,iDAAiD;IACjD,IAAI,GAAG,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;QACnC,IAAI,KAAK,GAAG,KAAK,CAAA;QACjB,IAAA,aAAO,EAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE;YACjB,IAAI,CAAC,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;gBACvC,MAAM,IAAI,GAAG,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAA;gBAC/B,IAAI,IAAI,IAAI,IAAA,kCAAqB,EAAC,IAAI,CAAC;oBAAE,KAAK,GAAG,IAAI,CAAA;YACvD,CAAC;YACD,OAAO,KAAK,CAAA;QACd,CAAC,CAAC,CAAA;QACF,OAAO,KAAK,CAAA;IACd,CAAC;IAED,uCAAuC;IACvC,IAAI,GAAG,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;QACrC,IAAI,KAAK,GAAG,KAAK,CAAA;QACjB,IAAA,aAAO,EAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE;YACjB,IAAI,IAAA,kCAAqB,EAAC,CAAC,CAAC;gBAAE,KAAK,GAAG,IAAI,CAAA;YAC1C,OAAO,KAAK,CAAA;QACd,CAAC,CAAC,CAAA;QACF,OAAO,KAAK,CAAA;IACd,CAAC;IAED,kEAAkE;IAClE,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAA;QACrB,0CAA0C;QAC1C,IAAI,MAAM,GAA6B,IAAI,CAAA;QAC3C,IAAI,GAAG,GAA6B,GAAG,CAAC,MAAM,CAAA;QAC9C,OAAO,GAAG,EAAE,CAAC;YACX,IAAI,2EAA2E,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/F,MAAM,GAAG,GAAG,CAAC,iBAAiB,CAAC,MAAM,CAAC,IAAI,GAAG,CAAA;gBAC7C,MAAK;YACP,CAAC;YACD,GAAG,GAAG,GAAG,CAAC,MAAM,CAAA;QAClB,CAAC;QACD,IAAI,MAAM,EAAE,CAAC;YACX,wDAAwD;YACxD,IAAI,QAAQ,GAAG,KAAK,CAAA;YACpB,IAAA,aAAO,EAAC,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE;gBACpB,IAAI,QAAQ;oBAAE,OAAO,IAAI,CAAA;gBACzB,IAAI,CAAC,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;oBACrC,MAAM,QAAQ,GAAG,CAAC,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAA;oBAC5C,MAAM,SAAS,GAAG,CAAC,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAA;oBAC9C,IAAI,QAAQ,EAAE,IAAI,KAAK,IAAI,IAAI,SAAS,EAAE,CAAC;wBACzC,4CAA4C;wBAC5C,IAAI,GAAG,GAAG,SAAS,CAAA;wBACnB,IAAI,GAAG,CAAC,IAAI,KAAK,eAAe,IAAI,GAAG,CAAC,IAAI,KAAK,sBAAsB,EAAE,CAAC;4BACxE,GAAG,GAAG,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,GAAG,CAAA;wBACnC,CAAC;wBACD,IAAI,IAAA,kCAAqB,EAAC,GAAG,CAAC,IAAI,+DAA+D,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;4BACjH,QAAQ,GAAG,IAAI,CAAA;wBACjB,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO,KAAK,CAAA;YACd,CAAC,CAAC,CAAA;YACF,IAAI,QAAQ;gBAAE,OAAO,IAAI,CAAA;QAC3B,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,gCAAgC;AAChC,SAAS,gBAAgB,CAAC,IAAuB;IAC/C,MAAM,MAAM,GAAG,IAAA,wCAAuB,EAAC,IAAI,CAAC,CAAA;IAC5C,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IAEzB,+DAA+D;IAC/D,IAAI,MAAM,CAAC,MAAM,KAAK,UAAU,IAAI,oDAAoD,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvH,qBAAqB;IACrB,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO,IAAI,oDAAoD,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAA;IAEpH,8BAA8B;IAC9B,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAA;IAEtE,yCAAyC;IACzC,IAAI,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,sCAAsC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAA;IAEpG,OAAO,KAAK,CAAA;AACd,CAAC;AAED,4BAA4B;AAC5B,SAAS,oBAAoB,CAAC,IAAuB;IACnD,MAAM,MAAM,GAAG,IAAA,wCAAuB,EAAC,IAAI,CAAC,CAAA;IAC5C,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IAEzB,8BAA8B;IAC9B,IAAI,MAAM,CAAC,IAAI,KAAK,UAAU,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAA;IAEvE,oCAAoC;IACpC,IAAI,MAAM,CAAC,IAAI,KAAK,sBAAsB,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAA;IAEnF,OAAO,KAAK,CAAA;AACd,CAAC;AAED,uFAAuF;AACvF,SAAS,iBAAiB,CAAC,GAAsB;IAC/C,IAAI,IAAA,4CAA2B,EAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEjD,yCAAyC;IACzC,IAAI,IAAA,gCAAe,EAAC,GAAG,CAAC,EAAE,CAAC;QACzB,MAAM,EAAE,YAAY,EAAE,GAAG,IAAA,sCAAqB,EAAC,GAAG,CAAC,CAAA;QACnD,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;YAC3B,MAAM,IAAI,GAAG,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAA;YAC/B,OAAO,IAAI,CAAC,CAAC,CAAC,IAAA,4CAA2B,EAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAA;QACzD,CAAC,CAAC,CAAA;IACJ,CAAC;IAED,uCAAuC;IACvC,IAAI,GAAG,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;QACnC,IAAI,KAAK,GAAG,KAAK,CAAA;QACjB,IAAA,aAAO,EAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE;YACjB,IAAI,IAAA,4CAA2B,EAAC,CAAC,CAAC;gBAAE,KAAK,GAAG,IAAI,CAAA;YAChD,OAAO,KAAK,CAAA;QACd,CAAC,CAAC,CAAA;QACF,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,+EAA+E;AAC/E,mDAAmD;AACnD,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,iBAAiB;IACrB,KAAK,EAAE,kCAAkC;IACzC,WAAW,EAAE,uIAAuI;IACpJ,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,MAAM;IAChB,YAAY,EAAE,+HAA+H;IAC7I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,CAAC;IACxD,UAAU,EAAE,MAAM;IAClB,cAAc,EAAE,IAAI;IACpB,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,YAAY;IACpB,MAAM,CAAC,GAAc,EAAE,OAAe,EAAE,SAAqB;QAC3D,IAAI,IAAA,wCAAsB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QACnD,IAAI,IAAA,kCAAgB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAC7C,IAAI,IAAA,oCAAkB,EAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAA,+BAAa,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAE9E,MAAM,OAAO,GAAmB,EAAE,CAAA;QAClC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAA;QAE9B,iBAAiB;QACjB,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC9B,IAAI,CAAC,2CAA2C,CAAC,IAAI,CAAC,OAAO,CAAC;gBAAE,OAAO,EAAE,CAAA;YAEzE,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,MAAM,CAAC,EAAE,CAAC;gBAChD,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC;oBAAE,SAAQ;gBAErC,MAAM,IAAI,GAAG,IAAA,uCAAsB,EAAC,IAAI,CAAC,CAAA;gBACzC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;oBAAE,SAAQ;gBAE/B,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC/B,IAAI,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC;wBAAE,SAAQ;oBAE3C,OAAO,CAAC,IAAI,CAAC;wBACX,IAAI;wBACJ,QAAQ,EAAE,MAAM;wBAChB,IAAI,EAAE,qEAAqE;qBAC5E,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;YAED,OAAO,OAAO,CAAA;QAChB,CAAC;QAED,gCAAgC;QAChC,IAAI,gBAAgB,CAAC,IAAI,EAAE,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC;YAAE,OAAO,EAAE,CAAA;QAE5D,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,iBAAiB,CAAC,EAAE,CAAC;YAC3D,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAE/B,MAAM,IAAI,GAAG,IAAA,gCAAgB,EAAC,IAAI,CAAC,CAAA;YACnC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAQ;YAE/B,+CAA+C;YAC/C,IAAI,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAE,SAAQ;YAE5C,+CAA+C;YAC/C,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC7B,IAAI,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC;oBAAE,SAAQ;gBAE3C,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI;oBACJ,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,qEAAqE;iBAC5E,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA;AAEF,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,mBAAmB;IACvB,KAAK,EAAE,uCAAuC;IAC9C,WAAW,EAAE,wFAAwF;IACrG,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,MAAM;IAChB,YAAY,EAAE,yHAAyH;IACvI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,CAAC;IACxD,UAAU,EAAE,MAAM;IAClB,cAAc,EAAE,IAAI;IACpB,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,YAAY;IACpB,MAAM,CAAC,GAAc,EAAE,OAAe,EAAE,SAAqB;QAC3D,IAAI,IAAA,wCAAsB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QACnD,IAAI,IAAA,kCAAgB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAC7C,IAAI,IAAA,oCAAkB,EAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAA,+BAAa,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAE9E,MAAM,OAAO,GAAmB,EAAE,CAAA;QAClC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAA;QAE9B,iBAAiB;QACjB,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC9B,IAAI,CAAC,mCAAmC,CAAC,IAAI,CAAC,OAAO,CAAC;gBAAE,OAAO,EAAE,CAAA;YAEjE,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,MAAM,CAAC,EAAE,CAAC;gBAChD,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC;oBAAE,SAAQ;gBAEzC,MAAM,IAAI,GAAG,IAAA,uCAAsB,EAAC,IAAI,CAAC,CAAA;gBACzC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;oBAAE,SAAQ;gBAE/B,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC/B,IAAI,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC;wBAAE,SAAQ;oBAE3C,OAAO,CAAC,IAAI,CAAC;wBACX,IAAI;wBACJ,QAAQ,EAAE,MAAM;wBAChB,IAAI,EAAE,8CAA8C;qBACrD,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;YAED,OAAO,OAAO,CAAA;QAChB,CAAC;QAED,gCAAgC;QAChC,IAAI,gBAAgB,CAAC,IAAI,EAAE,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC;YAAE,OAAO,EAAE,CAAA;QAE5D,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,iBAAiB,CAAC,EAAE,CAAC;YAC3D,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAEnC,MAAM,IAAI,GAAG,IAAA,gCAAgB,EAAC,IAAI,CAAC,CAAA;YACnC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAQ;YAE/B,uCAAuC;YACvC,IAAI,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAAE,SAAQ;YAE5C,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC7B,IAAI,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC;oBAAE,SAAQ;gBAE3C,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI;oBACJ,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,8CAA8C;iBACrD,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA;AAEF,+EAA+E;AAC/E,mCAAmC;AACnC,+EAA+E;AAE/E,IAAA,uBAAe,EAAC;IACd,EAAE,EAAE,mBAAmB;IACvB,KAAK,EAAE,oDAAoD;IAC3D,WAAW,EAAE,iEAAiE;IAC9E,QAAQ,EAAE,QAAQ;IAClB,QAAQ,EAAE,MAAM;IAChB,YAAY,EAAE,2FAA2F;IACzG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,CAAC;IACxD,UAAU,EAAE,QAAQ;IACpB,cAAc,EAAE,IAAI;IACpB,KAAK,EAAE,CAAC;IACR,MAAM,EAAE,YAAY;IACpB,oBAAoB,EAAE,KAAK;IAC3B,MAAM,CAAC,GAAc,EAAE,OAAe,EAAE,SAAqB;QAC3D,IAAI,IAAA,wCAAsB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QACnD,IAAI,IAAA,kCAAgB,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAC7C,IAAI,IAAA,oCAAkB,EAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,IAAA,+BAAa,EAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAA;QAE9E,MAAM,OAAO,GAAmB,EAAE,CAAA;QAClC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAA;QAE9B,iBAAiB;QACjB,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC9B,IAAI,CAAC,yEAAyE,CAAC,IAAI,CAAC,OAAO,CAAC;gBAAE,OAAO,EAAE,CAAA;YAEvG,+DAA+D;YAC/D,MAAM,WAAW,GAAG,IAAI,GAAG,EAA6B,CAAA;YAExD,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,YAAY,CAAC,EAAE,CAAC;gBACtD,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAA;gBAC3C,MAAM,KAAK,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAA;gBAC7C,IAAI,IAAI,EAAE,IAAI,KAAK,YAAY,IAAI,KAAK,IAAI,IAAA,4CAA2B,EAAC,KAAK,CAAC,EAAE,CAAC;oBAC/E,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;gBAClC,CAAC;YACH,CAAC;YAED,IAAI,WAAW,CAAC,IAAI,KAAK,CAAC;gBAAE,OAAO,EAAE,CAAA;YAErC,4DAA4D;YAC5D,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,MAAM,CAAC,EAAE,CAAC;gBAChD,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC;oBAAE,SAAQ;gBAEpE,MAAM,IAAI,GAAG,IAAA,uCAAsB,EAAC,IAAI,CAAC,CAAA;gBACzC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;oBAAE,SAAQ;gBAE/B,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAA;gBAExB,IAAI,UAAU,GAAkB,IAAI,CAAA;gBACpC,IAAA,aAAO,EAAC,QAAQ,EAAE,CAAC,CAAC,EAAE,EAAE;oBACtB,IAAI,CAAC,CAAC,IAAI,KAAK,YAAY,IAAI,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;wBACvD,UAAU,GAAG,CAAC,CAAC,IAAI,CAAA;oBACrB,CAAC;oBACD,OAAO,KAAK,CAAA;gBACd,CAAC,CAAC,CAAA;gBAEF,IAAI,UAAU,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;oBACjD,OAAO,CAAC,IAAI,CAAC;wBACX,IAAI;wBACJ,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,2BAA2B,UAAU,+BAA+B;qBAC3E,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;YAED,OAAO,OAAO,CAAA;QAChB,CAAC;QAED,gCAAgC;QAChC,IAAI,gBAAgB,CAAC,IAAI,EAAE,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC;YAAE,OAAO,EAAE,CAAA;QAE5D,+DAA+D;QAC/D,MAAM,WAAW,GAAG,IAAI,GAAG,EAA6B,CAAA,CAAC,6BAA6B;QAEtF,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,qBAAqB,EAAE,uBAAuB,CAAC,EAAE,CAAC;YACxF,2BAA2B;YAC3B,IAAI,IAAI,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;gBACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAA;gBAC/C,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAA;gBACjD,IAAI,QAAQ,IAAI,SAAS,IAAI,IAAA,kCAAqB,EAAC,SAAS,CAAC,EAAE,CAAC;oBAC9D,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;gBACtC,CAAC;gBAED,0CAA0C;gBAC1C,IAAI,QAAQ,EAAE,IAAI,KAAK,gBAAgB,IAAI,SAAS,IAAI,IAAA,kCAAqB,EAAC,SAAS,CAAC,EAAE,CAAC;oBACzF,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAC;wBAC1C,IAAI,IAAI,CAAC,IAAI,KAAK,uCAAuC,EAAE,CAAC;4BAC1D,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;wBAClC,CAAC;6BAAM,IAAI,IAAI,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;4BACxC,MAAM,KAAK,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAA;4BAC7C,IAAI,KAAK;gCAAE,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;wBAC9C,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,kCAAkC;YAClC,IAAI,IAAI,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;gBAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAA;gBAC3C,MAAM,KAAK,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAA;gBAC7C,IAAI,IAAI,IAAI,KAAK,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAA,kCAAqB,EAAC,KAAK,CAAC,EAAE,CAAC;oBAChF,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;gBAClC,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,WAAW,CAAC,IAAI,KAAK,CAAC;YAAE,OAAO,EAAE,CAAA;QAErC,mDAAmD;QACnD,KAAK,MAAM,IAAI,IAAI,IAAA,gBAAQ,EAAC,SAAU,EAAE,iBAAiB,CAAC,EAAE,CAAC;YAC3D,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAExD,MAAM,IAAI,GAAG,IAAA,gCAAgB,EAAC,IAAI,CAAC,CAAA;YACnC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAQ;YAE/B,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAA;YAExB,8BAA8B;YAC9B,IAAI,qBAAqB,CAAC,QAAQ,CAAC;gBAAE,SAAQ;YAE7C,sDAAsD;YACtD,IAAI,UAAU,GAAkB,IAAI,CAAA;YACpC,IAAA,aAAO,EAAC,QAAQ,EAAE,CAAC,CAAC,EAAE,EAAE;gBACtB,IAAI,CAAC,CAAC,IAAI,KAAK,YAAY,IAAI,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvD,UAAU,GAAG,CAAC,CAAC,IAAI,CAAA;gBACrB,CAAC;gBACD,OAAO,KAAK,CAAA;YACd,CAAC,CAAC,CAAA;YAEF,IAAI,UAAU,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;gBACjD,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI;oBACJ,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,2BAA2B,UAAU,+BAA+B;iBAC3E,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;CACF,CAAC,CAAA"}

package/dist/detect/ast-rules/taint-fix-templates.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Taint-Specific Fix Templates
+ *
+ * Provides context-specific fix steps for taint flow findings based on
+ * source type, sink type, and taint kind. Returns 3-5 actionable steps
+ * instead of generic "Sanitize or validate user input" advice.
+ */
+import type { TaintSourceType, TaintSinkType, TaintKind } from '../../taint/types';
+/**
+ * Get context-specific fix steps for a taint finding.
+ *
+ * @param sourceType - The taint source type (e.g., 'http_body', 'llm_output')
+ * @param sinkType - The taint sink type (e.g., 'sql_query', 'eval')
+ * @param taintKind - The taint kind (e.g., 'sql', 'xss', 'command')
+ * @returns Array of 3-5 actionable fix steps
+ */
+export declare function getTaintFixSteps(sourceType: TaintSourceType | string, sinkType: TaintSinkType | string, taintKind: TaintKind): string[];
+//# sourceMappingURL=taint-fix-templates.d.ts.map

package/dist/detect/ast-rules/taint-fix-templates.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"taint-fix-templates.d.ts","sourceRoot":"","sources":["../../../src/detect/ast-rules/taint-fix-templates.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAA;AA8DlF;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,eAAe,GAAG,MAAM,EACpC,QAAQ,EAAE,aAAa,GAAG,MAAM,EAChC,SAAS,EAAE,SAAS,GACnB,MAAM,EAAE,CAyBV"}