@oculum/scanner 1.0.9 → 1.0.11

package/dist/layer2/dangerous-functions/index.js

@@ -0,0 +1,621 @@
+"use strict";
+/**
+ * Layer 2: Dangerous Function Call Analysis
+ *
+ * Detects usage of dangerous functions that can lead to security vulnerabilities.
+ * This module orchestrates detection across multiple specialized modules.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DANGEROUS_FUNCTIONS = void 0;
+exports.detectDangerousFunctions = detectDangerousFunctions;
+const context_helpers_1 = require("../../utils/context-helpers");
+// Pattern definitions
+const patterns_1 = require("./patterns");
+// Child process detection
+const child_process_1 = require("./child-process");
+// DOM/XSS detection
+const dom_xss_1 = require("./dom-xss");
+// JSON.parse detection
+const json_parse_1 = require("./json-parse");
+// Math.random detection
+const math_random_1 = require("./math-random");
+// Request validation detection
+const request_validation_1 = require("./request-validation");
+// Utilities
+const control_flow_1 = require("./utils/control-flow");
+const schema_validation_1 = require("./utils/schema-validation");
+const helpers_1 = require("./utils/helpers");
+// Re-export types and patterns for external use
+var patterns_2 = require("./patterns");
+Object.defineProperty(exports, "DANGEROUS_FUNCTIONS", { enumerable: true, get: function () { return patterns_2.DANGEROUS_FUNCTIONS; } });
+/**
+ * Main detection function for dangerous function calls
+ */
+function detectDangerousFunctions(content, filePath) {
+    const vulnerabilities = [];
+    // Skip scanner/fixture files to avoid self-detection
+    if ((0, context_helpers_1.isScannerOrFixtureFile)(filePath)) {
+        return vulnerabilities;
+    }
+    const lines = content.split('\n');
+    const isTestFile = (0, context_helpers_1.isTestOrMockFile)(filePath);
+    lines.forEach((line, index) => {
+        // Skip comment lines
+        if ((0, context_helpers_1.isComment)(line))
+            return;
+        for (const funcPattern of patterns_1.DANGEROUS_FUNCTIONS) {
+            // Check language filter
+            if (!(0, patterns_1.matchesLanguage)(filePath, funcPattern.languages))
+                continue;
+            const regex = new RegExp(funcPattern.pattern.source, funcPattern.pattern.flags);
+            if (regex.test(line)) {
+                // Special handling for innerHTML patterns
+                if (funcPattern.name === 'innerHTML assignment' ||
+                    funcPattern.name === 'dangerouslySetInnerHTML') {
+                    handleInnerHTMLPattern(funcPattern, line, content, index, filePath, isTestFile, vulnerabilities);
+                    break;
+                }
+                // Note: JSON.parse is now handled by standalone detectJSONParseSafe() function
+                // which provides better source-aware severity classification
+                // Special handling for eval and Function constructor
+                if (funcPattern.name === 'eval() usage' ||
+                    funcPattern.name === 'Function constructor') {
+                    if (handleEvalPattern(funcPattern, line, content, index, filePath, isTestFile, vulnerabilities)) {
+                        break;
+                    }
+                    continue;
+                }
+                // Special handling for child_process exec - verify it's not RegExp.exec
+                if (funcPattern.name === 'child_process exec') {
+                    if (handleChildProcessPattern(funcPattern, line, content, index, filePath, isTestFile, vulnerabilities)) {
+                        break;
+                    }
+                    continue;
+                }
+                // Special handling for SQL patterns - check for whitelist validation
+                if (funcPattern.name === 'Raw SQL query construction' ||
+                    funcPattern.name === 'SQL template literal') {
+                    handleSQLPattern(funcPattern, line, content, index, filePath, isTestFile, vulnerabilities);
+                    break;
+                }
+                // Special handling for dynamic file paths - check for path traversal protection
+                if (funcPattern.name === 'Dynamic file path' ||
+                    funcPattern.name === 'Path traversal risk') {
+                    handleFilePathPattern(funcPattern, line, content, index, filePath, isTestFile, vulnerabilities);
+                    break;
+                }
+                // Special handling for Math.random
+                if (funcPattern.name === 'Math.random for security') {
+                    handleMathRandomPattern(funcPattern, line, content, index, filePath, isTestFile, vulnerabilities);
+                    break;
+                }
+                // Standard handling for all other patterns
+                handleStandardPattern(funcPattern, line, index, filePath, isTestFile, vulnerabilities);
+                break; // Only report once per line
+            }
+        }
+    });
+    // Additional standalone checks (not in DANGEROUS_FUNCTIONS array)
+    // JSON.parse source-aware detection
+    (0, json_parse_1.detectJSONParseSafe)(content, filePath, isTestFile, vulnerabilities);
+    // request.json() / req.json() schema validation suggestion
+    (0, request_validation_1.detectRequestJsonValidation)(content, filePath, isTestFile, vulnerabilities);
+    return vulnerabilities;
+}
+/**
+ * Handle innerHTML/dangerouslySetInnerHTML patterns
+ */
+function handleInnerHTMLPattern(funcPattern, line, content, index, filePath, isTestFile, vulnerabilities) {
+    // Check if this is a style element (CSS injection is not XSS)
+    if ((0, dom_xss_1.isStyleElementInnerHTML)(line, content, index)) {
+        // Style elements with CSS are safe - don't report anything
+        // CSS cannot execute JavaScript, so there's no XSS risk
+        return;
+    }
+    // Check if this uses static content only - skip entirely (safe)
+    if ((0, dom_xss_1.isStaticHTMLContent)(line, content, index)) {
+        return; // Static HTML is safe - no finding needed
+    }
+    // Check if DOMPurify or similar sanitization is used - skip entirely (safe)
+    if ((0, dom_xss_1.hasDOMPurifySanitization)(line, content, index)) {
+        return; // Sanitized HTML is safe - no finding needed
+    }
+    // Check if this is a static bootstrap script (e.g., theme/font loader) - skip entirely (safe)
+    if ((0, dom_xss_1.isStaticBootstrapScript)(line, content, index)) {
+        return; // Static bootstrap scripts are safe - no finding needed
+    }
+    // Check if this is in LLM prompt context (not XSS - it's prompt injection)
+    if ((0, dom_xss_1.isLLMPromptContext)(line, content, filePath)) {
+        vulnerabilities.push({
+            id: `dangerous-func-${filePath}-${index + 1}-prompt-injection`,
+            filePath,
+            lineNumber: index + 1,
+            lineContent: line.trim(),
+            severity: 'info',
+            category: 'ai_pattern',
+            title: 'Potential prompt injection risk',
+            description: 'User content is being used in an LLM prompt context. This is NOT XSS (the content goes to an AI, not a DOM). However, untrusted content in prompts may lead to prompt injection attacks.',
+            suggestedFix: 'Consider input validation, content filtering, or structured prompts to limit prompt injection risk.',
+            confidence: 'low',
+            layer: 2,
+        });
+        return;
+    }
+    // Dynamic content - full severity, needs AI validation
+    let severity = funcPattern.severity;
+    if (isTestFile) {
+        severity = 'low';
+    }
+    vulnerabilities.push({
+        id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+        filePath,
+        lineNumber: index + 1,
+        lineContent: line.trim(),
+        severity,
+        category: 'dangerous_function',
+        title: funcPattern.name,
+        description: funcPattern.description +
+            ' This appears to use dynamic content which increases XSS risk.' +
+            (isTestFile ? ' (in test file)' : ''),
+        suggestedFix: funcPattern.suggestedFix,
+        confidence: isTestFile ? 'low' : 'high',
+        layer: 2,
+        requiresAIValidation: true, // Dynamic HTML needs validation
+    });
+}
+/**
+ * Handle eval and Function constructor patterns
+ * Returns true if a finding was added, false otherwise
+ */
+function handleEvalPattern(funcPattern, line, content, index, filePath, isTestFile, vulnerabilities) {
+    // Check if "eval" or "Function" appears inside a string literal
+    // e.g., const docs = "Don't use eval() in production"
+    // This is NOT an actual eval call, just documentation/comments
+    const evalInsideStringPattern = /(['"`])(?:[^\\]|\\.)*?\beval\s*\(.*?\1/;
+    const functionInsideStringPattern = /(['"`])(?:[^\\]|\\.)*?\bFunction\s*\(.*?\1/;
+    if (evalInsideStringPattern.test(line) || functionInsideStringPattern.test(line)) {
+        return true; // Skip - this is just a string mentioning eval, not actual eval()
+    }
+    // Suppress entirely in test files - test files legitimately test eval behavior
+    if (isTestFile) {
+        return true; // Skip reporting entirely
+    }
+    // Check if eval is inside a test assertion (expect(), test(), it(), describe())
+    const testAssertionPattern = /\b(expect|test|it|describe)\s*\(/;
+    if (testAssertionPattern.test(line)) {
+        return true; // Skip reporting - this is testing eval behavior
+    }
+    // Check if inputs are static literals (low risk) - skip entirely
+    if ((0, helpers_1.hasOnlyStaticInputs)(line, content, index)) {
+        return true; // Static eval is safe enough - no finding needed
+    }
+    vulnerabilities.push({
+        id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+        filePath,
+        lineNumber: index + 1,
+        lineContent: line.trim(),
+        severity: funcPattern.severity,
+        category: 'dangerous_function',
+        title: funcPattern.name,
+        description: funcPattern.description,
+        suggestedFix: funcPattern.suggestedFix,
+        confidence: 'high',
+        layer: 2,
+        requiresAIValidation: true, // Code execution patterns need validation
+    });
+    return true;
+}
+/**
+ * Handle child_process exec patterns
+ * Returns true if a finding was added, false otherwise
+ */
+function handleChildProcessPattern(funcPattern, line, content, index, filePath, isTestFile, vulnerabilities) {
+    // First check if this is actually from child_process (not RegExp.exec)
+    const isExecMatch = /\bexec\s*\(/.test(line);
+    const isOtherMatch = /\b(execSync|spawn|spawnSync|execFile)\s*\(/.test(line);
+    if (isExecMatch && !isOtherMatch) {
+        // This matched 'exec(' - verify it's from child_process
+        if (!(0, child_process_1.isChildProcessExec)(content, line)) {
+            // This is RegExp.exec or similar - skip
+            return false;
+        }
+    }
+    else if (isOtherMatch) {
+        // This matched spawn/execSync/etc - verify child_process import
+        if (!(0, child_process_1.isChildProcessSpawn)(content, line)) {
+            // No child_process import - skip
+            return false;
+        }
+    }
+    // Check if arguments are validated via allowlist
+    const lines = content.split('\n');
+    const contextStart = Math.max(0, index - 15);
+    const contextEnd = Math.min(lines.length, index + 5);
+    const context = lines.slice(contextStart, contextEnd).join('\n');
+    // Detect allowlist validation patterns before exec/spawn
+    const hasArgAllowlist = /allowedArgs\.includes\s*\(/i.test(context) ||
+        /if\s*\(\s*!?allowedArgs\.includes/i.test(context) ||
+        /if\s*\(\s*!?\w+Args\.includes/i.test(context) ||
+        /validArgs\.includes/i.test(context) ||
+        // ALLOWED_COMMANDS pattern (common naming convention)
+        /ALLOWED_\w+\.includes\s*\(/i.test(context) ||
+        /if\s*\(\s*!?ALLOWED_\w+\.includes/i.test(context) ||
+        // allowedCommands, validCommands, safeCommands
+        /allowed(?:Commands?|Cmds?)\.includes\s*\(/i.test(context) ||
+        /valid(?:Commands?|Cmds?)\.includes\s*\(/i.test(context) ||
+        /safe(?:Commands?|Cmds?)\.includes\s*\(/i.test(context) ||
+        // Generic whitelist/allowlist check
+        /(?:whitelist|allowlist)\.includes\s*\(/i.test(context);
+    // execFile with hardcoded command is safe (safer than exec)
+    const isExecFileWithHardcodedCmd = /execFile\s*\(\s*['"][^'"]+['"]/i.test(line);
+    if (hasArgAllowlist || isExecFileWithHardcodedCmd) {
+        return true; // Allowlisted or execFile with hardcoded command - safe
+    }
+    if ((0, helpers_1.hasOnlyStaticInputs)(line, content, index)) {
+        return true; // Static command is safe - no finding needed
+    }
+    // Dynamic command - report with standard severity
+    let severity = funcPattern.severity;
+    let confidence = 'high';
+    if (isTestFile) {
+        if (severity === 'critical') {
+            severity = 'medium';
+        }
+        else if (severity === 'high') {
+            severity = 'low';
+        }
+        else {
+            severity = 'info';
+        }
+        confidence = 'low';
+    }
+    vulnerabilities.push({
+        id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+        filePath,
+        lineNumber: index + 1,
+        lineContent: line.trim(),
+        severity,
+        category: 'dangerous_function',
+        title: funcPattern.name,
+        description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
+        suggestedFix: funcPattern.suggestedFix,
+        confidence,
+        layer: 2,
+    });
+    return true;
+}
+/**
+ * Handle SQL injection patterns
+ */
+function handleSQLPattern(funcPattern, line, content, index, filePath, isTestFile, vulnerabilities) {
+    // Check for whitelist validation - skip entirely (safe)
+    if ((0, schema_validation_1.hasSQLWhitelistValidation)(content, index)) {
+        return; // Whitelist validated - safe, no finding needed
+    }
+    // Check for ORM methods (not raw SQL) - skip entirely (safe)
+    // Prisma: prisma.user.findMany({ where: {...} })
+    // Sequelize: Model.findAll({ where: {...} })
+    // TypeORM: repository.find({ where: {...} })
+    const ormMethodPattern = /\.(findMany|findUnique|findFirst|findAll|find|create|update|delete|upsert)\s*\(\s*\{/i;
+    if (ormMethodPattern.test(line)) {
+        return; // ORM method - safe, no finding needed
+    }
+    // Check for parameterized queries - skip entirely (safe)
+    // e.g., db.query('SELECT * FROM users WHERE id = $1', [userId])
+    const parameterizedQueryPattern = /\.\s*(query|execute)\s*\(\s*['"`][^${}]+['"`]\s*,\s*\[/;
+    if (parameterizedQueryPattern.test(line)) {
+        return; // Parameterized query - safe, no finding needed
+    }
+    // No whitelist - report with standard severity
+    let severity = funcPattern.severity;
+    let confidence = 'high';
+    if (isTestFile) {
+        if (severity === 'critical') {
+            severity = 'medium';
+        }
+        else if (severity === 'high') {
+            severity = 'low';
+        }
+        else {
+            severity = 'info';
+        }
+        confidence = 'low';
+    }
+    vulnerabilities.push({
+        id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+        filePath,
+        lineNumber: index + 1,
+        lineContent: line.trim(),
+        severity,
+        category: 'dangerous_function',
+        title: funcPattern.name,
+        description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
+        suggestedFix: funcPattern.suggestedFix,
+        confidence,
+        layer: 2,
+    });
+}
+/**
+ * Handle dynamic file path patterns
+ */
+function handleFilePathPattern(funcPattern, line, content, index, filePath, isTestFile, vulnerabilities) {
+    // Check file context for CLI/tooling (lower risk)
+    const isCLITool = /\/(cli|scripts?|tools?|bin)\//i.test(filePath) ||
+        /cli\.(ts|js)$/i.test(filePath);
+    // Check for GitHub Action context (workflow-controlled paths)
+    const isGitHubAction = /\/(github-action|actions?)\//i.test(filePath) ||
+        /action\.(ts|js)$/i.test(filePath);
+    // Check for utility/helper file context (called by trusted code)
+    const isUtilityFile = /\/(utils?|helpers?|lib|common|shared)\//i.test(filePath) ||
+        /(util(s)?|helper(s)?|checksum|hash)\.(ts|js)$/i.test(filePath);
+    // Get surrounding context for protection check
+    const lines = content.split('\n');
+    const contextStart = Math.max(0, index - 10);
+    const contextEnd = Math.min(lines.length, index + 10);
+    const context = lines.slice(contextStart, contextEnd).join('\n');
+    // Check if path comes from directory iteration (fs.readdir, fs.readdirSync)
+    // These paths are filesystem-controlled, not user input
+    const hasDirectoryIteration = /\b(readdir|readdirSync|opendir|opendirSync)\s*\(/.test(content) &&
+        (/for\s*\(\s*(const|let|var)\s+\w+\s+of/.test(context) ||
+            /\.forEach\s*\(/.test(context) ||
+            /entry\.(name|isFile|isDirectory)/.test(context) ||
+            /dirent\.(name|isFile|isDirectory)/.test(context));
+    if ((0, helpers_1.hasPathTraversalProtection)(context, line)) {
+        vulnerabilities.push({
+            id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+            filePath,
+            lineNumber: index + 1,
+            lineContent: line.trim(),
+            severity: 'info',
+            category: 'dangerous_function',
+            title: funcPattern.name + ' (protected)',
+            description: 'Dynamic file path with path traversal protection detected. Verify the protection is complete and covers all attack vectors.',
+            suggestedFix: 'Ensure path normalization and base directory checks are applied consistently.',
+            confidence: 'low',
+            layer: 2,
+        });
+        return;
+    }
+    // Directory iteration paths are filesystem-controlled (not user input)
+    if (hasDirectoryIteration) {
+        // Skip entirely - paths from fs.readdir are not user-controlled
+        return;
+    }
+    // GitHub Action paths are workflow-controlled (not arbitrary user input)
+    if (isGitHubAction) {
+        vulnerabilities.push({
+            id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+            filePath,
+            lineNumber: index + 1,
+            lineContent: line.trim(),
+            severity: 'info',
+            category: 'dangerous_function',
+            title: funcPattern.name + ' (GitHub Action)',
+            description: 'Dynamic file path in GitHub Action. Paths are typically controlled by workflow configuration, not arbitrary user input.',
+            suggestedFix: 'Verify paths come from trusted action inputs or environment variables.',
+            confidence: 'low',
+            layer: 2,
+        });
+        return;
+    }
+    // CLI tools with dynamic paths are lower risk (trusted operator)
+    if (isCLITool) {
+        vulnerabilities.push({
+            id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+            filePath,
+            lineNumber: index + 1,
+            lineContent: line.trim(),
+            severity: 'info',
+            category: 'dangerous_function',
+            title: funcPattern.name + ' (CLI tool)',
+            description: 'Dynamic file path in CLI tool. CLI tools typically have trusted operators, but consider adding path validation if user input is involved.',
+            suggestedFix: 'Add path validation if accepting paths from untrusted sources.',
+            confidence: 'low',
+            layer: 2,
+        });
+        return;
+    }
+    // Utility/helper files with function parameters are lower risk (called by trusted code)
+    // Check if path variable appears to be a function parameter, not from request
+    const hasRequestData = /req\.(params|query|body)|request\.(params|query|body)/i.test(context);
+    if (isUtilityFile && !hasRequestData) {
+        // Skip entirely - utility functions receive paths from trusted callers
+        return;
+    }
+    // Standard handling for unprotected paths
+    let severity = funcPattern.severity;
+    let confidence = 'high';
+    if (isTestFile) {
+        if (severity === 'critical') {
+            severity = 'medium';
+        }
+        else if (severity === 'high') {
+            severity = 'low';
+        }
+        else {
+            severity = 'info';
+        }
+        confidence = 'low';
+    }
+    vulnerabilities.push({
+        id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+        filePath,
+        lineNumber: index + 1,
+        lineContent: line.trim(),
+        severity,
+        category: 'dangerous_function',
+        title: funcPattern.name,
+        description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
+        suggestedFix: funcPattern.suggestedFix,
+        confidence,
+        layer: 2,
+    });
+}
+/**
+ * Handle Math.random patterns with context-aware severity
+ */
+function handleMathRandomPattern(funcPattern, line, content, index, filePath, isTestFile, vulnerabilities) {
+    // Skip entirely for certain contexts
+    if ((0, math_random_1.shouldSkipMathRandom)(content, filePath, index)) {
+        return;
+    }
+    // Analyze context
+    const functionName = (0, control_flow_1.extractFunctionContext)(content, index);
+    const functionIntent = (0, math_random_1.classifyFunctionIntent)(functionName);
+    const toStringPattern = (0, math_random_1.analyzeToStringPattern)(line);
+    const variableName = (0, math_random_1.extractMathRandomVariableName)(line);
+    const variableRisk = (0, math_random_1.classifyVariableNameRisk)(variableName);
+    const context = (0, math_random_1.analyzeMathRandomContext)(content, filePath, index);
+    // Determine severity based on all factors
+    let severity;
+    let confidence;
+    let description;
+    let suggestedFix;
+    let explanation = '';
+    // Variable name indicates security risk - check this FIRST before toString patterns
+    // This ensures 'secret', 'token', 'key' etc. are always flagged as high
+    if (variableRisk === 'high') {
+        severity = 'high';
+        confidence = 'high';
+        // Update context description to indicate security context
+        context.contextDescription = 'security-sensitive variable';
+        description = `Math.random() assigned to security-sensitive variable '${variableName}'. Math.random() is NOT cryptographically secure.`;
+        suggestedFix =
+            'Use crypto.randomBytes() or crypto.getRandomValues() for security-sensitive values.';
+    }
+    // Security-sensitive contexts get high severity
+    else if (context.inSecurityContext || functionIntent === 'security') {
+        severity = 'high';
+        confidence = 'high';
+        description =
+            'Math.random() is being used in a security-sensitive context. This is NOT cryptographically secure and should be replaced.';
+        suggestedFix =
+            'Use crypto.randomBytes() for Node.js or crypto.getRandomValues() for browsers.';
+    }
+    // Test contexts get info severity
+    else if (context.inTestContext) {
+        severity = 'info';
+        confidence = 'low';
+        description =
+            'Math.random() in test context. Acceptable for test data generation.';
+        suggestedFix = 'No change needed for test data.';
+    }
+    // UUID/CAPTCHA generation - legitimate use
+    else if (functionIntent === 'uuid' || functionIntent === 'captcha') {
+        severity = 'info';
+        confidence = 'low';
+        description = `Math.random() used for ${functionIntent === 'uuid' ? 'ID generation' : 'CAPTCHA/puzzle'} (not security-sensitive).`;
+        suggestedFix =
+            'For truly unique IDs, consider crypto.randomUUID(). For security tokens, use crypto.randomBytes().';
+    }
+    // Demo/seed data - legitimate use
+    else if (functionIntent === 'demo') {
+        severity = 'info';
+        confidence = 'low';
+        description =
+            'Math.random() for demo/seed data generation. Acceptable for non-production data.';
+        suggestedFix = 'No change needed for demo/seed data.';
+    }
+    // Short UI IDs (.toString(36).substring(2,9)) - info
+    else if (toStringPattern.intent === 'short-ui-id') {
+        severity = 'info';
+        confidence = 'low';
+        explanation = ` (${toStringPattern.truncationLength || '?'}-char string)`;
+        // Override context description for UI IDs
+        context.contextDescription = 'UI identifier generation';
+        description = `Math.random() generating short UI identifier${explanation}. Acceptable for React keys, temp IDs.`;
+        suggestedFix =
+            'For security tokens, use crypto.randomBytes(). For unique IDs, crypto.randomUUID().';
+    }
+    // Business IDs (.toString(36) with medium truncation) - low
+    else if (toStringPattern.intent === 'business-id') {
+        severity = 'low';
+        confidence = 'low';
+        explanation = variableName ? ` (variable: ${variableName})` : '';
+        description = `Math.random() generating business identifier${explanation}. Verify this is not used for security purposes.`;
+        suggestedFix =
+            'For business IDs, crypto.randomUUID() is preferred. For security tokens, use crypto.randomBytes().';
+    }
+    // Full token (.toString(36) without truncation) - severity based on variable name
+    else if (toStringPattern.intent === 'full-token') {
+        // Note: high-risk variable names are already handled above
+        if (variableRisk === 'low') {
+            severity = 'low';
+            confidence = 'low';
+        }
+        else {
+            severity = 'medium';
+            confidence = 'medium';
+        }
+        explanation = variableName ? ` (variable: ${variableName})` : '';
+        description = `Math.random() generating full-length random string${explanation}. This pattern is often used for security tokens.`;
+        suggestedFix =
+            'Use crypto.randomBytes() for security tokens. Use crypto.randomUUID() for unique IDs.';
+    }
+    // Business logic context - low
+    else if (context.inBusinessLogicContext) {
+        severity = 'low';
+        confidence = 'low';
+        description =
+            'Math.random() in business logic context (backoff, sampling, experiments). Verify this is not for security.';
+        suggestedFix =
+            'If used for security, replace with crypto.randomBytes(). Otherwise, usage is acceptable.';
+    }
+    // Unknown context - medium
+    else {
+        severity = 'medium';
+        confidence = 'medium';
+        description =
+            'Math.random() is being used. Verify this is not for security-critical purposes like tokens, session IDs, or cryptographic operations.';
+        suggestedFix =
+            'If used for security, replace with crypto.randomBytes(). For unique IDs, use crypto.randomUUID()';
+    }
+    // Update title with context
+    const title = `Math.random() in ${context.contextDescription}${explanation}`;
+    vulnerabilities.push({
+        id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+        filePath,
+        lineNumber: index + 1,
+        lineContent: line.trim(),
+        severity,
+        category: 'dangerous_function',
+        title,
+        description,
+        suggestedFix,
+        confidence,
+        layer: 2,
+    });
+}
+/**
+ * Handle standard patterns without special logic
+ */
+function handleStandardPattern(funcPattern, line, index, filePath, isTestFile, vulnerabilities) {
+    let severity = funcPattern.severity;
+    let confidence = 'high';
+    if (isTestFile) {
+        if (severity === 'critical') {
+            severity = 'medium';
+        }
+        else if (severity === 'high') {
+            severity = 'low';
+        }
+        else {
+            severity = 'info';
+        }
+        confidence = 'low';
+    }
+    vulnerabilities.push({
+        id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+        filePath,
+        lineNumber: index + 1,
+        lineContent: line.trim(),
+        severity,
+        category: 'dangerous_function',
+        title: funcPattern.name,
+        description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
+        suggestedFix: funcPattern.suggestedFix,
+        confidence,
+        layer: 2,
+    });
+}
+//# sourceMappingURL=index.js.map

package/dist/layer2/dangerous-functions/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/layer2/dangerous-functions/index.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAyDH,4DA8JC;AApND,iEAKoC;AAEpC,sBAAsB;AACtB,yCAImB;AAEnB,0BAA0B;AAC1B,mDAAyE;AAEzE,oBAAoB;AACpB,uCAMkB;AAElB,uBAAuB;AACvB,6CAAkD;AAElD,wBAAwB;AACxB,+CAQsB;AAEtB,+BAA+B;AAC/B,6DAAkE;AAElE,YAAY;AACZ,uDAA6D;AAC7D,iEAAqE;AACrE,6CAAiF;AAEjF,gDAAgD;AAChD,uCAA+E;AAAtE,+GAAA,mBAAmB,OAAA;AAE5B;;GAEG;AACH,SAAgB,wBAAwB,CACtC,OAAe,EACf,QAAgB;IAEhB,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,qDAAqD;IACrD,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC,EAAE,CAAC;QACrC,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,UAAU,GAAG,IAAA,kCAAgB,EAAC,QAAQ,CAAC,CAAA;IAE7C,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,qBAAqB;QACrB,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,KAAK,MAAM,WAAW,IAAI,8BAAmB,EAAE,CAAC;YAC9C,wBAAwB;YACxB,IAAI,CAAC,IAAA,0BAAe,EAAC,QAAQ,EAAE,WAAW,CAAC,SAAS,CAAC;gBAAE,SAAQ;YAE/D,MAAM,KAAK,GAAG,IAAI,MAAM,CACtB,WAAW,CAAC,OAAO,CAAC,MAAM,EAC1B,WAAW,CAAC,OAAO,CAAC,KAAK,CAC1B,CAAA;YAED,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrB,0CAA0C;gBAC1C,IACE,WAAW,CAAC,IAAI,KAAK,sBAAsB;oBAC3C,WAAW,CAAC,IAAI,KAAK,yBAAyB,EAC9C,CAAC;oBACD,sBAAsB,CACpB,WAAW,EACX,IAAI,EACJ,OAAO,EACP,KAAK,EACL,QAAQ,EACR,UAAU,EACV,eAAe,CAChB,CAAA;oBACD,MAAK;gBACP,CAAC;gBAED,+EAA+E;gBAC/E,6DAA6D;gBAE7D,qDAAqD;gBACrD,IACE,WAAW,CAAC,IAAI,KAAK,cAAc;oBACnC,WAAW,CAAC,IAAI,KAAK,sBAAsB,EAC3C,CAAC;oBACD,IACE,iBAAiB,CACf,WAAW,EACX,IAAI,EACJ,OAAO,EACP,KAAK,EACL,QAAQ,EACR,UAAU,EACV,eAAe,CAChB,EACD,CAAC;wBACD,MAAK;oBACP,CAAC;oBACD,SAAQ;gBACV,CAAC;gBAED,wEAAwE;gBACxE,IAAI,WAAW,CAAC,IAAI,KAAK,oBAAoB,EAAE,CAAC;oBAC9C,IACE,yBAAyB,CACvB,WAAW,EACX,IAAI,EACJ,OAAO,EACP,KAAK,EACL,QAAQ,EACR,UAAU,EACV,eAAe,CAChB,EACD,CAAC;wBACD,MAAK;oBACP,CAAC;oBACD,SAAQ;gBACV,CAAC;gBAED,qEAAqE;gBACrE,IACE,WAAW,CAAC,IAAI,KAAK,4BAA4B;oBACjD,WAAW,CAAC,IAAI,KAAK,sBAAsB,EAC3C,CAAC;oBACD,gBAAgB,CACd,WAAW,EACX,IAAI,EACJ,OAAO,EACP,KAAK,EACL,QAAQ,EACR,UAAU,EACV,eAAe,CAChB,CAAA;oBACD,MAAK;gBACP,CAAC;gBAED,gFAAgF;gBAChF,IACE,WAAW,CAAC,IAAI,KAAK,mBAAmB;oBACxC,WAAW,CAAC,IAAI,KAAK,qBAAqB,EAC1C,CAAC;oBACD,qBAAqB,CACnB,WAAW,EACX,IAAI,EACJ,OAAO,EACP,KAAK,EACL,QAAQ,EACR,UAAU,EACV,eAAe,CAChB,CAAA;oBACD,MAAK;gBACP,CAAC;gBAED,mCAAmC;gBACnC,IAAI,WAAW,CAAC,IAAI,KAAK,0BAA0B,EAAE,CAAC;oBACpD,uBAAuB,CACrB,WAAW,EACX,IAAI,EACJ,OAAO,EACP,KAAK,EACL,QAAQ,EACR,UAAU,EACV,eAAe,CAChB,CAAA;oBACD,MAAK;gBACP,CAAC;gBAED,2CAA2C;gBAC3C,qBAAqB,CACnB,WAAW,EACX,IAAI,EACJ,KAAK,EACL,QAAQ,EACR,UAAU,EACV,eAAe,CAChB,CAAA;gBACD,MAAK,CAAC,4BAA4B;YACpC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,kEAAkE;IAElE,oCAAoC;IACpC,IAAA,gCAAmB,EAAC,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,eAAe,CAAC,CAAA;IAEnE,2DAA2D;IAC3D,IAAA,gDAA2B,EAAC,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,eAAe,CAAC,CAAA;IAE3E,OAAO,eAAe,CAAA;AACxB,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAC7B,WAAqC,EACrC,IAAY,EACZ,OAAe,EACf,KAAa,EACb,QAAgB,EAChB,UAAmB,EACnB,eAAgC;IAEhC,8DAA8D;IAC9D,IAAI,IAAA,iCAAuB,EAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,CAAC;QAClD,2DAA2D;QAC3D,wDAAwD;QACxD,OAAM;IACR,CAAC;IAED,gEAAgE;IAChE,IAAI,IAAA,6BAAmB,EAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,CAAC;QAC9C,OAAM,CAAC,0CAA0C;IACnD,CAAC;IAED,4EAA4E;IAC5E,IAAI,IAAA,kCAAwB,EAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,CAAC;QACnD,OAAM,CAAC,6CAA6C;IACtD,CAAC;IAED,8FAA8F;IAC9F,IAAI,IAAA,iCAAuB,EAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,CAAC;QAClD,OAAM,CAAC,wDAAwD;IACjE,CAAC;IAED,2EAA2E;IAC3E,IAAI,IAAA,4BAAkB,EAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,CAAC;QAChD,eAAe,CAAC,IAAI,CAAC;YACnB,EAAE,EAAE,kBAAkB,QAAQ,IAAI,KAAK,GAAG,CAAC,mBAAmB;YAC9D,QAAQ;YACR,UAAU,EAAE,KAAK,GAAG,CAAC;YACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;YACxB,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,YAAY;YACtB,KAAK,EAAE,iCAAiC;YACxC,WAAW,EACT,0LAA0L;YAC5L,YAAY,EACV,qGAAqG;YACvG,UAAU,EAAE,KAAK;YACjB,KAAK,EAAE,CAAC;SACT,CAAC,CAAA;QACF,OAAM;IACR,CAAC;IAED,uDAAuD;IACvD,IAAI,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAA;IACnC,IAAI,UAAU,EAAE,CAAC;QACf,QAAQ,GAAG,KAAK,CAAA;IAClB,CAAC;IAED,eAAe,CAAC,IAAI,CAAC;QACnB,EAAE,EAAE,kBAAkB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,WAAW,CAAC,IAAI,EAAE;QACjE,QAAQ;QACR,UAAU,EAAE,KAAK,GAAG,CAAC;QACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;QACxB,QAAQ;QACR,QAAQ,EAAE,oBAAoB;QAC9B,KAAK,EAAE,WAAW,CAAC,IAAI;QACvB,WAAW,EACT,WAAW,CAAC,WAAW;YACvB,gEAAgE;YAChE,CAAC,UAAU,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,CAAC;QACvC,YAAY,EAAE,WAAW,CAAC,YAAY;QACtC,UAAU,EAAE,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM;QACvC,KAAK,EAAE,CAAC;QACR,oBAAoB,EAAE,IAAI,EAAE,gCAAgC;KAC7D,CAAC,CAAA;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,iBAAiB,CACxB,WAAqC,EACrC,IAAY,EACZ,OAAe,EACf,KAAa,EACb,QAAgB,EAChB,UAAmB,EACnB,eAAgC;IAEhC,gEAAgE;IAChE,sDAAsD;IACtD,+DAA+D;IAC/D,MAAM,uBAAuB,GAAG,wCAAwC,CAAA;IACxE,MAAM,2BAA2B,GAAG,4CAA4C,CAAA;IAChF,IAAI,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACjF,OAAO,IAAI,CAAA,CAAC,kEAAkE;IAChF,CAAC;IAED,+EAA+E;IAC/E,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,IAAI,CAAA,CAAC,0BAA0B;IACxC,CAAC;IAED,gFAAgF;IAChF,MAAM,oBAAoB,GAAG,kCAAkC,CAAA;IAC/D,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACpC,OAAO,IAAI,CAAA,CAAC,iDAAiD;IAC/D,CAAC;IAED,iEAAiE;IACjE,IAAI,IAAA,6BAAmB,EAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,CAAC;QAC9C,OAAO,IAAI,CAAA,CAAC,iDAAiD;IAC/D,CAAC;IAED,eAAe,CAAC,IAAI,CAAC;QACnB,EAAE,EAAE,kBAAkB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,WAAW,CAAC,IAAI,EAAE;QACjE,QAAQ;QACR,UAAU,EAAE,KAAK,GAAG,CAAC;QACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;QACxB,QAAQ,EAAE,WAAW,CAAC,QAAQ;QAC9B,QAAQ,EAAE,oBAAoB;QAC9B,KAAK,EAAE,WAAW,CAAC,IAAI;QACvB,WAAW,EAAE,WAAW,CAAC,WAAW;QACpC,YAAY,EAAE,WAAW,CAAC,YAAY;QACtC,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,CAAC;QACR,oBAAoB,EAAE,IAAI,EAAE,0CAA0C;KACvE,CAAC,CAAA;IACF,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;GAGG;AACH,SAAS,yBAAyB,CAChC,WAAqC,EACrC,IAAY,EACZ,OAAe,EACf,KAAa,EACb,QAAgB,EAChB,UAAmB,EACnB,eAAgC;IAEhC,uEAAuE;IACvE,MAAM,WAAW,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAC5C,MAAM,YAAY,GAAG,4CAA4C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAE5E,IAAI,WAAW,IAAI,CAAC,YAAY,EAAE,CAAC;QACjC,wDAAwD;QACxD,IAAI,CAAC,IAAA,kCAAkB,EAAC,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC;YACvC,wCAAwC;YACxC,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;SAAM,IAAI,YAAY,EAAE,CAAC;QACxB,gEAAgE;QAChE,IAAI,CAAC,IAAA,mCAAmB,EAAC,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC;YACxC,iCAAiC;YACjC,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAED,iDAAiD;IACjD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,CAAA;IAC5C,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,CAAC,CAAC,CAAA;IACpD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAEhE,yDAAyD;IACzD,MAAM,eAAe,GACnB,6BAA6B,CAAC,IAAI,CAAC,OAAO,CAAC;QAC3C,oCAAoC,CAAC,IAAI,CAAC,OAAO,CAAC;QAClD,gCAAgC,CAAC,IAAI,CAAC,OAAO,CAAC;QAC9C,sBAAsB,CAAC,IAAI,CAAC,OAAO,CAAC;QACpC,sDAAsD;QACtD,6BAA6B,CAAC,IAAI,CAAC,OAAO,CAAC;QAC3C,oCAAoC,CAAC,IAAI,CAAC,OAAO,CAAC;QAClD,+CAA+C;QAC/C,4CAA4C,CAAC,IAAI,CAAC,OAAO,CAAC;QAC1D,0CAA0C,CAAC,IAAI,CAAC,OAAO,CAAC;QACxD,yCAAyC,CAAC,IAAI,CAAC,OAAO,CAAC;QACvD,oCAAoC;QACpC,yCAAyC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAEzD,4DAA4D;IAC5D,MAAM,0BAA0B,GAAG,iCAAiC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAE/E,IAAI,eAAe,IAAI,0BAA0B,EAAE,CAAC;QAClD,OAAO,IAAI,CAAA,CAAC,wDAAwD;IACtE,CAAC;IAED,IAAI,IAAA,6BAAmB,EAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,CAAC;QAC9C,OAAO,IAAI,CAAA,CAAC,6CAA6C;IAC3D,CAAC;IAED,kDAAkD;IAClD,IAAI,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAA;IACnC,IAAI,UAAU,GAA8B,MAAM,CAAA;IAElD,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,QAAQ,KAAK,UAAU,EAAE,CAAC;YAC5B,QAAQ,GAAG,QAAQ,CAAA;QACrB,CAAC;aAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/B,QAAQ,GAAG,KAAK,CAAA;QAClB,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,MAAM,CAAA;QACnB,CAAC;QACD,UAAU,GAAG,KAAK,CAAA;IACpB,CAAC;IAED,eAAe,CAAC,IAAI,CAAC;QACnB,EAAE,EAAE,kBAAkB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,WAAW,CAAC,IAAI,EAAE;QACjE,QAAQ;QACR,UAAU,EAAE,KAAK,GAAG,CAAC;QACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;QACxB,QAAQ;QACR,QAAQ,EAAE,oBAAoB;QAC9B,KAAK,EAAE,WAAW,CAAC,IAAI;QACvB,WAAW,EAAE,WAAW,CAAC,WAAW,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5E,YAAY,EAAE,WAAW,CAAC,YAAY;QACtC,UAAU;QACV,KAAK,EAAE,CAAC;KACT,CAAC,CAAA;IACF,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,WAAqC,EACrC,IAAY,EACZ,OAAe,EACf,KAAa,EACb,QAAgB,EAChB,UAAmB,EACnB,eAAgC;IAEhC,wDAAwD;IACxD,IAAI,IAAA,6CAAyB,EAAC,OAAO,EAAE,KAAK,CAAC,EAAE,CAAC;QAC9C,OAAM,CAAC,gDAAgD;IACzD,CAAC;IAED,6DAA6D;IAC7D,iDAAiD;IACjD,6CAA6C;IAC7C,6CAA6C;IAC7C,MAAM,gBAAgB,GAAG,uFAAuF,CAAA;IAChH,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,OAAM,CAAC,uCAAuC;IAChD,CAAC;IAED,yDAAyD;IACzD,gEAAgE;IAChE,MAAM,yBAAyB,GAAG,wDAAwD,CAAA;IAC1F,IAAI,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACzC,OAAM,CAAC,gDAAgD;IACzD,CAAC;IAED,+CAA+C;IAC/C,IAAI,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAA;IACnC,IAAI,UAAU,GAA8B,MAAM,CAAA;IAElD,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,QAAQ,KAAK,UAAU,EAAE,CAAC;YAC5B,QAAQ,GAAG,QAAQ,CAAA;QACrB,CAAC;aAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/B,QAAQ,GAAG,KAAK,CAAA;QAClB,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,MAAM,CAAA;QACnB,CAAC;QACD,UAAU,GAAG,KAAK,CAAA;IACpB,CAAC;IAED,eAAe,CAAC,IAAI,CAAC;QACnB,EAAE,EAAE,kBAAkB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,WAAW,CAAC,IAAI,EAAE;QACjE,QAAQ;QACR,UAAU,EAAE,KAAK,GAAG,CAAC;QACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;QACxB,QAAQ;QACR,QAAQ,EAAE,oBAAoB;QAC9B,KAAK,EAAE,WAAW,CAAC,IAAI;QACvB,WAAW,EAAE,WAAW,CAAC,WAAW,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5E,YAAY,EAAE,WAAW,CAAC,YAAY;QACtC,UAAU;QACV,KAAK,EAAE,CAAC;KACT,CAAC,CAAA;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAC5B,WAAqC,EACrC,IAAY,EACZ,OAAe,EACf,KAAa,EACb,QAAgB,EAChB,UAAmB,EACnB,eAAgC;IAEhC,kDAAkD;IAClD,MAAM,SAAS,GACb,gCAAgC,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC/C,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;IAEjC,8DAA8D;IAC9D,MAAM,cAAc,GAClB,+BAA+B,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC9C,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;IAEpC,iEAAiE;IACjE,MAAM,aAAa,GACjB,0CAA0C,CAAC,IAAI,CAAC,QAAQ,CAAC;QACzD,gDAAgD,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;IAEjE,+CAA+C;IAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,CAAA;IAC5C,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,EAAE,CAAC,CAAA;IACrD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAEhE,4EAA4E;IAC5E,wDAAwD;IACxD,MAAM,qBAAqB,GACzB,kDAAkD,CAAC,IAAI,CAAC,OAAO,CAAC;QAChE,CAAC,uCAAuC,CAAC,IAAI,CAAC,OAAO,CAAC;YACrD,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC;YAC9B,kCAAkC,CAAC,IAAI,CAAC,OAAO,CAAC;YAChD,mCAAmC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;IAErD,IAAI,IAAA,oCAA0B,EAAC,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC;QAC9C,eAAe,CAAC,IAAI,CAAC;YACnB,EAAE,EAAE,kBAAkB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,WAAW,CAAC,IAAI,EAAE;YACjE,QAAQ;YACR,UAAU,EAAE,KAAK,GAAG,CAAC;YACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;YACxB,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,oBAAoB;YAC9B,KAAK,EAAE,WAAW,CAAC,IAAI,GAAG,cAAc;YACxC,WAAW,EACT,6HAA6H;YAC/H,YAAY,EACV,+EAA+E;YACjF,UAAU,EAAE,KAAK;YACjB,KAAK,EAAE,CAAC;SACT,CAAC,CAAA;QACF,OAAM;IACR,CAAC;IAED,uEAAuE;IACvE,IAAI,qBAAqB,EAAE,CAAC;QAC1B,gEAAgE;QAChE,OAAM;IACR,CAAC;IAED,yEAAyE;IACzE,IAAI,cAAc,EAAE,CAAC;QACnB,eAAe,CAAC,IAAI,CAAC;YACnB,EAAE,EAAE,kBAAkB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,WAAW,CAAC,IAAI,EAAE;YACjE,QAAQ;YACR,UAAU,EAAE,KAAK,GAAG,CAAC;YACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;YACxB,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,oBAAoB;YAC9B,KAAK,EAAE,WAAW,CAAC,IAAI,GAAG,kBAAkB;YAC5C,WAAW,EACT,yHAAyH;YAC3H,YAAY,EACV,wEAAwE;YAC1E,UAAU,EAAE,KAAK;YACjB,KAAK,EAAE,CAAC;SACT,CAAC,CAAA;QACF,OAAM;IACR,CAAC;IAED,iEAAiE;IACjE,IAAI,SAAS,EAAE,CAAC;QACd,eAAe,CAAC,IAAI,CAAC;YACnB,EAAE,EAAE,kBAAkB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,WAAW,CAAC,IAAI,EAAE;YACjE,QAAQ;YACR,UAAU,EAAE,KAAK,GAAG,CAAC;YACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;YACxB,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,oBAAoB;YAC9B,KAAK,EAAE,WAAW,CAAC,IAAI,GAAG,aAAa;YACvC,WAAW,EACT,2IAA2I;YAC7I,YAAY,EACV,gEAAgE;YAClE,UAAU,EAAE,KAAK;YACjB,KAAK,EAAE,CAAC;SACT,CAAC,CAAA;QACF,OAAM;IACR,CAAC;IAED,wFAAwF;IACxF,8EAA8E;IAC9E,MAAM,cAAc,GAAG,wDAAwD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAC7F,IAAI,aAAa,IAAI,CAAC,cAAc,EAAE,CAAC;QACrC,uEAAuE;QACvE,OAAM;IACR,CAAC;IAED,0CAA0C;IAC1C,IAAI,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAA;IACnC,IAAI,UAAU,GAA8B,MAAM,CAAA;IAElD,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,QAAQ,KAAK,UAAU,EAAE,CAAC;YAC5B,QAAQ,GAAG,QAAQ,CAAA;QACrB,CAAC;aAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/B,QAAQ,GAAG,KAAK,CAAA;QAClB,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,MAAM,CAAA;QACnB,CAAC;QACD,UAAU,GAAG,KAAK,CAAA;IACpB,CAAC;IAED,eAAe,CAAC,IAAI,CAAC;QACnB,EAAE,EAAE,kBAAkB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,WAAW,CAAC,IAAI,EAAE;QACjE,QAAQ;QACR,UAAU,EAAE,KAAK,GAAG,CAAC;QACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;QACxB,QAAQ;QACR,QAAQ,EAAE,oBAAoB;QAC9B,KAAK,EAAE,WAAW,CAAC,IAAI;QACvB,WAAW,EAAE,WAAW,CAAC,WAAW,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5E,YAAY,EAAE,WAAW,CAAC,YAAY;QACtC,UAAU;QACV,KAAK,EAAE,CAAC;KACT,CAAC,CAAA;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAC9B,WAAqC,EACrC,IAAY,EACZ,OAAe,EACf,KAAa,EACb,QAAgB,EAChB,UAAmB,EACnB,eAAgC;IAEhC,qCAAqC;IACrC,IAAI,IAAA,kCAAoB,EAAC,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,CAAC;QACnD,OAAM;IACR,CAAC;IAED,kBAAkB;IAClB,MAAM,YAAY,GAAG,IAAA,qCAAsB,EAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IAC3D,MAAM,cAAc,GAAG,IAAA,oCAAsB,EAAC,YAAY,CAAC,CAAA;IAC3D,MAAM,eAAe,GAAG,IAAA,oCAAsB,EAAC,IAAI,CAAC,CAAA;IACpD,MAAM,YAAY,GAAG,IAAA,2CAA6B,EAAC,IAAI,CAAC,CAAA;IACxD,MAAM,YAAY,GAAG,IAAA,sCAAwB,EAAC,YAAY,CAAC,CAAA;IAC3D,MAAM,OAAO,GAAG,IAAA,sCAAwB,EAAC,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAA;IAElE,0CAA0C;IAC1C,IAAI,QAA+B,CAAA;IACnC,IAAI,UAAqC,CAAA;IACzC,IAAI,WAAmB,CAAA;IACvB,IAAI,YAAoB,CAAA;IACxB,IAAI,WAAW,GAAG,EAAE,CAAA;IAEpB,oFAAoF;IACpF,wEAAwE;IACxE,IAAI,YAAY,KAAK,MAAM,EAAE,CAAC;QAC5B,QAAQ,GAAG,MAAM,CAAA;QACjB,UAAU,GAAG,MAAM,CAAA;QACnB,0DAA0D;QAC1D,OAAO,CAAC,kBAAkB,GAAG,6BAA6B,CAAA;QAC1D,WAAW,GAAG,0DAA0D,YAAY,mDAAmD,CAAA;QACvI,YAAY;YACV,qFAAqF,CAAA;IACzF,CAAC;IACD,gDAAgD;SAC3C,IAAI,OAAO,CAAC,iBAAiB,IAAI,cAAc,KAAK,UAAU,EAAE,CAAC;QACpE,QAAQ,GAAG,MAAM,CAAA;QACjB,UAAU,GAAG,MAAM,CAAA;QACnB,WAAW;YACT,2HAA2H,CAAA;QAC7H,YAAY;YACV,gFAAgF,CAAA;IACpF,CAAC;IACD,kCAAkC;SAC7B,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;QAC/B,QAAQ,GAAG,MAAM,CAAA;QACjB,UAAU,GAAG,KAAK,CAAA;QAClB,WAAW;YACT,qEAAqE,CAAA;QACvE,YAAY,GAAG,iCAAiC,CAAA;IAClD,CAAC;IACD,2CAA2C;SACtC,IAAI,cAAc,KAAK,MAAM,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;QACnE,QAAQ,GAAG,MAAM,CAAA;QACjB,UAAU,GAAG,KAAK,CAAA;QAClB,WAAW,GAAG,0BAA0B,cAAc,KAAK,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,gBAAgB,4BAA4B,CAAA;QAClI,YAAY;YACV,oGAAoG,CAAA;IACxG,CAAC;IACD,kCAAkC;SAC7B,IAAI,cAAc,KAAK,MAAM,EAAE,CAAC;QACnC,QAAQ,GAAG,MAAM,CAAA;QACjB,UAAU,GAAG,KAAK,CAAA;QAClB,WAAW;YACT,kFAAkF,CAAA;QACpF,YAAY,GAAG,sCAAsC,CAAA;IACvD,CAAC;IACD,qDAAqD;SAChD,IAAI,eAAe,CAAC,MAAM,KAAK,aAAa,EAAE,CAAC;QAClD,QAAQ,GAAG,MAAM,CAAA;QACjB,UAAU,GAAG,KAAK,CAAA;QAClB,WAAW,GAAG,KAAK,eAAe,CAAC,gBAAgB,IAAI,GAAG,eAAe,CAAA;QACzE,0CAA0C;QAC1C,OAAO,CAAC,kBAAkB,GAAG,0BAA0B,CAAA;QACvD,WAAW,GAAG,+CAA+C,WAAW,wCAAwC,CAAA;QAChH,YAAY;YACV,qFAAqF,CAAA;IACzF,CAAC;IACD,4DAA4D;SACvD,IAAI,eAAe,CAAC,MAAM,KAAK,aAAa,EAAE,CAAC;QAClD,QAAQ,GAAG,KAAK,CAAA;QAChB,UAAU,GAAG,KAAK,CAAA;QAClB,WAAW,GAAG,YAAY,CAAC,CAAC,CAAC,eAAe,YAAY,GAAG,CAAC,CAAC,CAAC,EAAE,CAAA;QAChE,WAAW,GAAG,+CAA+C,WAAW,kDAAkD,CAAA;QAC1H,YAAY;YACV,oGAAoG,CAAA;IACxG,CAAC;IACD,kFAAkF;SAC7E,IAAI,eAAe,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;QACjD,2DAA2D;QAC3D,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;YAC3B,QAAQ,GAAG,KAAK,CAAA;YAChB,UAAU,GAAG,KAAK,CAAA;QACpB,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,QAAQ,CAAA;YACnB,UAAU,GAAG,QAAQ,CAAA;QACvB,CAAC;QACD,WAAW,GAAG,YAAY,CAAC,CAAC,CAAC,eAAe,YAAY,GAAG,CAAC,CAAC,CAAC,EAAE,CAAA;QAChE,WAAW,GAAG,qDAAqD,WAAW,mDAAmD,CAAA;QACjI,YAAY;YACV,uFAAuF,CAAA;IAC3F,CAAC;IACD,+BAA+B;SAC1B,IAAI,OAAO,CAAC,sBAAsB,EAAE,CAAC;QACxC,QAAQ,GAAG,KAAK,CAAA;QAChB,UAAU,GAAG,KAAK,CAAA;QAClB,WAAW;YACT,4GAA4G,CAAA;QAC9G,YAAY;YACV,0FAA0F,CAAA;IAC9F,CAAC;IACD,2BAA2B;SACtB,CAAC;QACJ,QAAQ,GAAG,QAAQ,CAAA;QACnB,UAAU,GAAG,QAAQ,CAAA;QACrB,WAAW;YACT,uIAAuI,CAAA;QACzI,YAAY;YACV,kGAAkG,CAAA;IACtG,CAAC;IAED,4BAA4B;IAC5B,MAAM,KAAK,GAAG,oBAAoB,OAAO,CAAC,kBAAkB,GAAG,WAAW,EAAE,CAAA;IAE5E,eAAe,CAAC,IAAI,CAAC;QACnB,EAAE,EAAE,kBAAkB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,WAAW,CAAC,IAAI,EAAE;QACjE,QAAQ;QACR,UAAU,EAAE,KAAK,GAAG,CAAC;QACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;QACxB,QAAQ;QACR,QAAQ,EAAE,oBAAoB;QAC9B,KAAK;QACL,WAAW;QACX,YAAY;QACZ,UAAU;QACV,KAAK,EAAE,CAAC;KACT,CAAC,CAAA;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAC5B,WAAqC,EACrC,IAAY,EACZ,KAAa,EACb,QAAgB,EAChB,UAAmB,EACnB,eAAgC;IAEhC,IAAI,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAA;IACnC,IAAI,UAAU,GAA8B,MAAM,CAAA;IAElD,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,QAAQ,KAAK,UAAU,EAAE,CAAC;YAC5B,QAAQ,GAAG,QAAQ,CAAA;QACrB,CAAC;aAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/B,QAAQ,GAAG,KAAK,CAAA;QAClB,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,MAAM,CAAA;QACnB,CAAC;QACD,UAAU,GAAG,KAAK,CAAA;IACpB,CAAC;IAED,eAAe,CAAC,IAAI,CAAC;QACnB,EAAE,EAAE,kBAAkB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,WAAW,CAAC,IAAI,EAAE;QACjE,QAAQ;QACR,UAAU,EAAE,KAAK,GAAG,CAAC;QACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;QACxB,QAAQ;QACR,QAAQ,EAAE,oBAAoB;QAC9B,KAAK,EAAE,WAAW,CAAC,IAAI;QACvB,WAAW,EAAE,WAAW,CAAC,WAAW,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5E,YAAY,EAAE,WAAW,CAAC,YAAY;QACtC,UAAU;QACV,KAAK,EAAE,CAAC;KACT,CAAC,CAAA;AACJ,CAAC"}