@opensip-cli/tool-gitleaks 0.1.15

package/dist/__tests__/worker-e2e.test.js

@@ -0,0 +1,425 @@
+/**
+ * Tier-2 worker E2E (ADR-0090 D6 Tier 2) — install / discover / dispatch the
+ * gitleaks adapter over a REAL forked worker, end-to-end against the BUILT CLI.
+ *
+ * Unlike the in-process Tier-1 suites, this proves the FULL installed-tool path:
+ *   - the gitleaks package is presented as a genuinely INSTALLED npm tool in a
+ *     throwaway project (symlinked into its `node_modules` so the worker resolves
+ *     the adapter's workspace deps from the monorepo via realpath);
+ *   - `OPENSIP_CLI_ALLOW_INSTALLED_TOOLS` trusts it (installed tools are
+ *     deny-by-default);
+ *   - a FAKE `gitleaks` binary on PATH makes the run deterministic (it copies the
+ *     committed golden to `--report-path` and exits 1, like real gitleaks on
+ *     findings). The worker fork curates its env to an allow-list, so the golden
+ *     path is forwarded via the documented `OPENSIP_CLI_TOOL_ENV_PASSTHROUGH`.
+ *
+ * `opensip gitleaks` forks a worker that re-discovers + imports the real runtime
+ * and runs the scan loop; this suite asserts the worker→host result + the
+ * host-side effects: normalized signals match the golden, the raw artifact lands
+ * at `.runtime/artifacts/gitleaks/<runId>/gitleaks.json` with mode 0600, the
+ * `--json` envelope is well-formed, the session row persists with provenance, and
+ * — the load-bearing negative — NO raw `Secret`/`Match` substring ever reaches the
+ * emitted worker→host payload.
+ *
+ * Requires `pnpm build` first (the CLI dist + the gitleaks dist). Missing builds
+ * FAIL loudly (no silent skip).
+ */
+import { execFileSync } from 'node:child_process';
+import { cpSync, existsSync, mkdirSync, mkdtempSync, readdirSync, readFileSync, rmSync, statSync, symlinkSync, writeFileSync, } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { afterAll, beforeAll, describe, expect, it } from 'vitest';
+const HERE = dirname(fileURLToPath(import.meta.url));
+// .../packages/tool-gitleaks/src/__tests__ → repo root is four levels up.
+const REPO_ROOT = join(HERE, '..', '..', '..', '..');
+const CLI_DIST = join(REPO_ROOT, 'packages', 'cli', 'dist', 'index.js');
+const GITLEAKS_PKG_DIR = join(REPO_ROOT, 'packages', 'tool-gitleaks');
+const FIXTURES = join(GITLEAKS_PKG_DIR, '__fixtures__');
+const GOLDEN_PATH = join(FIXTURES, 'gitleaks-golden.json');
+const GITLEAKS_STABLE_ID = 'cd08f737-ce8e-4813-9259-b4ffeb954268';
+const EXPECTED = JSON.parse(readFileSync(join(FIXTURES, 'expected-signals.json'), 'utf8'));
+// The raw matched-credential strings that must NEVER reach the emitted payload.
+const RAW_SECRETS = ['AKIAIOSFODNN7EXAMPLE', 'glpat-XXXXXXXXXXXXXXXXXXXX', 'aws_key ='];
+let projectDir;
+let binDir;
+let baseEnv;
+/** Run the built CLI as a child process, capturing stdout/stderr + exit code. */
+function runCli(args, extraEnv = {}, cwd = projectDir) {
+    try {
+        const stdout = execFileSync('node', [CLI_DIST, ...args], {
+            cwd,
+            env: { ...process.env, ...baseEnv, ...extraEnv },
+            encoding: 'utf8',
+            maxBuffer: 32 * 1024 * 1024,
+        });
+        return { stdout, stderr: '', status: 0 };
+    }
+    catch (error) {
+        const e = error;
+        return { stdout: e.stdout ?? '', stderr: e.stderr ?? '', status: e.status ?? 1 };
+    }
+}
+/** Scaffold a throwaway opensip-cli project that resolves the installed gitleaks tool. */
+function makeGitleaksProject() {
+    const dir = mkdtempSync(join(tmpdir(), 'opensip-gitleaks-gate-'));
+    writeFileSync(join(dir, 'opensip-cli.config.yml'), 'schemaVersion: 1\ntargets: {}\n', 'utf8');
+    const scopeDir = join(dir, 'node_modules', '@opensip-cli');
+    mkdirSync(scopeDir, { recursive: true });
+    symlinkSync(GITLEAKS_PKG_DIR, join(scopeDir, 'tool-gitleaks'), 'dir');
+    return dir;
+}
+/** Parse the `--json` outcome wrapper (`{ kind, status, exitCode, envelope?, data? }`). */
+function parseOutcome(stdout) {
+    return JSON.parse(stdout);
+}
+beforeAll(() => {
+    if (!existsSync(CLI_DIST)) {
+        throw new Error(`built CLI not found at ${CLI_DIST} — run \`pnpm build\` first`);
+    }
+    if (!existsSync(join(GITLEAKS_PKG_DIR, 'dist', 'index.js'))) {
+        throw new Error('built tool-gitleaks dist not found — run `pnpm build` first');
+    }
+    projectDir = mkdtempSync(join(tmpdir(), 'opensip-gitleaks-e2e-'));
+    // Project marker so the worker's `scope: 'project'` bootstrap resolves a project.
+    writeFileSync(join(projectDir, 'opensip-cli.config.yml'), 'schemaVersion: 1\ntargets: {}\n', 'utf8');
+    // Present the REAL gitleaks package as an installed npm tool. A SYMLINK (not a
+    // copy) so the worker resolves the adapter's `@opensip-cli/*` workspace deps
+    // from the monorepo via realpath — a copy would orphan them.
+    const scopeDir = join(projectDir, 'node_modules', '@opensip-cli');
+    mkdirSync(scopeDir, { recursive: true });
+    symlinkSync(GITLEAKS_PKG_DIR, join(scopeDir, 'tool-gitleaks'), 'dir');
+    // A FAKE gitleaks on PATH for determinism (copies the golden to --report-path,
+    // exits 1). PATH is auto-forwarded into the worker fork's curated env.
+    binDir = mkdtempSync(join(tmpdir(), 'opensip-gitleaks-bin-'));
+    cpSync(join(FIXTURES, 'fake-gitleaks'), join(binDir, 'gitleaks'));
+    execFileSync('chmod', ['+x', join(binDir, 'gitleaks')]);
+    baseEnv = {
+        PATH: `${binDir}:${process.env.PATH ?? ''}`,
+        // The committed fake binary reads the golden path from here; forward it
+        // through the worker fork's env allow-list via the documented passthrough.
+        FAKE_GITLEAKS_GOLDEN: GOLDEN_PATH,
+        OPENSIP_CLI_TOOL_ENV_PASSTHROUGH: 'FAKE_GITLEAKS_GOLDEN',
+        // Installed tools are deny-by-default — trust the gitleaks id (the admission
+        // check keys on `opensipTools.id`; the UUID is included to match the
+        // ADR-0048 stable id convention).
+        OPENSIP_CLI_ALLOW_INSTALLED_TOOLS: `${GITLEAKS_STABLE_ID} gitleaks`,
+    };
+});
+afterAll(() => {
+    if (projectDir !== undefined)
+        rmSync(projectDir, { recursive: true, force: true });
+    if (binDir !== undefined)
+        rmSync(binDir, { recursive: true, force: true });
+});
+describe('gitleaks worker E2E — opensip gitleaks (real forked worker)', () => {
+    let scan;
+    let envelope;
+    beforeAll(() => {
+        scan = runCli(['gitleaks', '--json']);
+        const outcome = parseOutcome(scan.stdout);
+        envelope = outcome.envelope;
+    });
+    it('forks a worker and emits a well-formed signal envelope for gitleaks', () => {
+        expect(envelope.tool).toBe('gitleaks');
+        expect(envelope.runId).toMatch(/^RUN_/);
+        // High-severity secrets ⇒ the run FAILS; the gate exit is non-zero (findings).
+        expect(envelope.verdict.passed).toBe(false);
+        expect(scan.status).toBe(1);
+    });
+    it('normalizes the worker scan output to the golden signal shapes', () => {
+        const shapes = envelope.signals.map((s) => ({
+            ruleId: s.ruleId,
+            severity: s.severity,
+            message: s.message,
+            file: s.filePath,
+            ...(s.line === undefined ? {} : { line: s.line }),
+            ...(s.column === undefined ? {} : { column: s.column }),
+        }));
+        expect(shapes).toEqual(EXPECTED);
+    });
+    it('stamps message-hash fingerprints + provenance worker-side', () => {
+        for (const s of envelope.signals) {
+            expect(s.fingerprint).toMatch(/^[0-9a-f]{64}$/);
+            const provenance = s.metadata.provenance;
+            expect(provenance.tool).toBe('gitleaks');
+            expect(provenance.adapterPackage).toBe('@opensip-cli/tool-gitleaks');
+        }
+    });
+    it('lands the raw artifact under .runtime/artifacts/gitleaks/<runId>/gitleaks.json with mode 0600 in a 0700 dir', () => {
+        const runDir = join(projectDir, 'opensip-cli', '.runtime', 'artifacts', 'gitleaks');
+        expect(existsSync(runDir)).toBe(true);
+        const runs = readdirSync(runDir);
+        expect(runs.length).toBeGreaterThan(0);
+        const perRunDir = join(runDir, runs[0]);
+        const artifact = join(perRunDir, 'gitleaks.json');
+        // A1: the fake binary does NOT `mkdir -p` its --report-path dir — this artifact
+        // exists only because the host `ensureArtifactDir` seam created the per-run dir
+        // BEFORE the scan. A missing seam would ENOENT the fake's `cp` (no artifact).
+        expect(existsSync(artifact)).toBe(true);
+        // A7: the per-run dir is owner-only (0700) so a scanner's umask-default report is
+        // not world-traversable; the artifact file itself is 0600 (host atomic re-write).
+        expect(statSync(perRunDir).mode & 0o777).toBe(0o700);
+        expect(statSync(artifact).mode & 0o777).toBe(0o600);
+        // The persisted artifact is the byte-preserved golden.
+        expect(JSON.parse(readFileSync(artifact, 'utf8'))).toHaveLength(2);
+    });
+    it('NEVER lets a raw Secret/Match substring reach the emitted worker→host payload', () => {
+        for (const raw of RAW_SECRETS) {
+            expect(scan.stdout).not.toContain(raw);
+        }
+        expect(scan.stdout).not.toContain('"Match"');
+        // The masked preview IS present (the finding stays identifiable).
+        expect(scan.stdout).toContain('AKIA…');
+        expect(scan.stdout).toContain('glpa…');
+    });
+    it('persists a session row with the gitleaks tool + provenance payload', () => {
+        const list = runCli(['sessions', 'list', '--json']);
+        expect(list.status).toBe(0);
+        const outcome = parseOutcome(list.stdout);
+        const data = outcome.data;
+        const sessions = data?.sessions ?? [];
+        const gitleaksRow = sessions.find((s) => s.tool === 'gitleaks');
+        expect(gitleaksRow).toBeDefined();
+        expect(gitleaksRow?.passed).toBe(false);
+        const payload = gitleaksRow?.payload;
+        expect(payload?.binary?.path).toContain('gitleaks');
+        expect(payload?.findings).toBe(2);
+    });
+    // A2: the session payload must carry grouped `checks[]` + a populated `summary`
+    // so the HTML report renders the leaked credentials instead of "this run was
+    // clean. Every rule passed" (the dashboard groups `payload.checks[]` and reads
+    // `payload.summary` for its clean/dirty decision).
+    it('persists a grouped session payload (checks[] + summary) so the report is NOT falsely clean', () => {
+        const list = runCli(['sessions', 'list', '--json']);
+        const data = parseOutcome(list.stdout).data;
+        const gitleaksRow = (data.sessions ?? []).find((s) => s.tool === 'gitleaks');
+        const payload = gitleaksRow?.payload;
+        // Grouped per-rule detail is present (the two golden secrets are two rules).
+        expect(Array.isArray(payload?.checks)).toBe(true);
+        expect(payload?.checks?.length).toBe(2);
+        expect(payload?.checks?.every((c) => c.passed === false)).toBe(true);
+        // The dashboard's clean test (`errors === 0 && warnings === 0`) is FALSE here.
+        expect(payload?.summary?.errors).toBe(2);
+        const clean = (payload?.summary?.errors ?? 0) === 0 && (payload?.summary?.warnings ?? 0) === 0;
+        expect(clean).toBe(false);
+    });
+    // A2 secret hygiene: the newly-persisted per-finding text must NOT leak a raw
+    // credential into the stored payload (redaction happens at ingest, before the
+    // envelope/payload build — prove it holds through to the persisted row).
+    it('NEVER persists a raw Secret/Match into the session payload (only the masked preview)', () => {
+        const list = runCli(['sessions', 'list', '--json']);
+        const data = parseOutcome(list.stdout).data;
+        const gitleaksRow = (data.sessions ?? []).find((s) => s.tool === 'gitleaks');
+        const payloadBlob = JSON.stringify(gitleaksRow?.payload ?? {});
+        for (const raw of RAW_SECRETS)
+            expect(payloadBlob).not.toContain(raw);
+        expect(payloadBlob).not.toContain('"Match"');
+        expect(payloadBlob).not.toContain('"Secret"');
+        // The masked preview survives so the finding stays identifiable in the report.
+        expect(payloadBlob).toContain('AKIA…');
+    });
+});
+describe('gitleaks worker E2E — doctor / version diagnostics', () => {
+    it('doctor --json reports a ready, resolved binary (exit 0)', () => {
+        const run = runCli(['gitleaks', 'doctor', '--json']);
+        expect(run.status).toBe(0);
+        const report = parseOutcome(run.stdout).data;
+        expect(report.tool).toBe('gitleaks');
+        expect(report.ready).toBe(true);
+        expect(report.binary.found).toBe(true);
+        expect(report.version.detected).toBe('8.18.4');
+        expect(report.version.status).toBe('ok');
+    });
+    it('doctor reports NOT ready (exit 2) when the resolved binary is missing', () => {
+        // Pin the binary to a non-existent absolute path via the env layer (which
+        // beats PATH and hard-misses) so resolution fails WITHOUT breaking the
+        // toolchain/worker fork. Forward the pin into the worker (doctor probes
+        // worker-side) via the documented passthrough.
+        const run = runCli(['gitleaks', 'doctor', '--json'], {
+            OPENSIP_GITLEAKS_BIN: '/nonexistent/path/to/gitleaks',
+            OPENSIP_CLI_TOOL_ENV_PASSTHROUGH: 'FAKE_GITLEAKS_GOLDEN OPENSIP_GITLEAKS_BIN',
+        });
+        expect(run.status).toBe(2);
+        const report = parseOutcome(run.stdout).data;
+        expect(report.ready).toBe(false);
+        expect(report.binary.found).toBe(false);
+    });
+    it('version --json prints the resolved gitleaks binary version', () => {
+        const run = runCli(['gitleaks', 'version', '--json']);
+        expect(run.status).toBe(0);
+        const report = parseOutcome(run.stdout).data;
+        expect(report.found).toBe(true);
+        expect(report.version).toBe('8.18.4');
+    });
+});
+/**
+ * A5/A6 — the typed exit-class must survive the worker boundary. The scan handler
+ * runs in a FORKED worker; a `ConfigurationError` it throws (binary-not-found) must
+ * arrive at the host as exit 2, the SAME contract `doctor` and the in-process
+ * bundled path honour. Before the fix the worker IPC flattened the typed error to
+ * a generic `tool-handler-throw` → SystemError → exit 1, silently losing the
+ * frozen exit-2 contract; NO E2E asserted the scan exit code.
+ */
+describe('gitleaks worker E2E — typed exit-class survives the worker boundary (A5/A6)', () => {
+    it('`opensip gitleaks` with a binary-not-found ConfigurationError exits 2 (not 1)', () => {
+        // Pin the binary to a non-existent absolute path so resolution hard-misses
+        // worker-side and the run loop throws ConfigurationError(ADAPTER.BINARY.NOT_FOUND).
+        const run = runCli(['gitleaks', '--json'], {
+            OPENSIP_GITLEAKS_BIN: '/nonexistent/path/to/gitleaks',
+            OPENSIP_CLI_TOOL_ENV_PASSTHROUGH: 'FAKE_GITLEAKS_GOLDEN OPENSIP_GITLEAKS_BIN',
+        });
+        expect(run.status).toBe(2);
+    });
+    it('`opensip gitleaks` with no opensip-cli project exits 2 (not 1)', () => {
+        // A project-less run has no targeting root to scan — the exit-2 config contract.
+        const noProject = mkdtempSync(join(tmpdir(), 'opensip-gitleaks-noproj-'));
+        const scopeDir = join(noProject, 'node_modules', '@opensip-cli');
+        mkdirSync(scopeDir, { recursive: true });
+        symlinkSync(GITLEAKS_PKG_DIR, join(scopeDir, 'tool-gitleaks'), 'dir');
+        try {
+            const run = runCli(['gitleaks', '--json'], {}, noProject);
+            expect(run.status).toBe(2);
+        }
+        finally {
+            rmSync(noProject, { recursive: true, force: true });
+        }
+    });
+});
+describe('gitleaks worker E2E — installed tools are deny-by-default', () => {
+    it('without the trust allowlist, `opensip gitleaks` is not admitted', () => {
+        const run = runCli(['gitleaks', '--json'], { OPENSIP_CLI_ALLOW_INSTALLED_TOOLS: '' });
+        // Deny-by-default: the command never mounts (unknown command / not found),
+        // so the scan does NOT run.
+        expect(run.status).not.toBe(0);
+        expect(`${run.stdout}${run.stderr}`.toLowerCase()).toMatch(/unknown command|not found|gitleaks/);
+    });
+});
+/**
+ * §4.12 ratchet acceptance — the FULL baseline/gate loop over a REAL forked worker.
+ * The substrate wires `--gate-save` / `--gate-compare` once (ADR-0036), so the
+ * gitleaks adapter inherits it. This proves: capture a baseline → an unchanged
+ * re-scan is clean (exit 0) → a NET-NEW secret surfaces and fails (exit ≠ 0).
+ *
+ * Runs in its OWN throwaway project so the baseline + sessions are isolated from
+ * the scan suites above. The fake binary copies `FAKE_GITLEAKS_GOLDEN` to
+ * `--report-path`; pointing it at an AUGMENTED golden (the two originals + one new
+ * finding) is how the "regression" run injects a net-new finding.
+ */
+describe('gitleaks worker E2E — full gate ratchet (§4.12)', () => {
+    let gateProject;
+    let augmentedGolden;
+    let save;
+    let compareClean;
+    let compareRegressed;
+    beforeAll(() => {
+        gateProject = makeGitleaksProject();
+        // The augmented golden = the committed two findings + one NET-NEW secret in a
+        // new file/rule (a distinct message-hash fingerprint ⇒ the ratchet sees it as
+        // net-new, not unchanged).
+        const original = JSON.parse(readFileSync(GOLDEN_PATH, 'utf8'));
+        const augmented = [
+            ...original,
+            {
+                Description: 'Stripe Access Token',
+                StartLine: 7,
+                EndLine: 7,
+                StartColumn: 14,
+                EndColumn: 45,
+                Match: 'stripe = sk_live_NEWFAKEKEYDONOTUSE',
+                Secret: 'sk_live_NEWFAKEKEYDONOTUSE',
+                File: 'src/payments.ts',
+                RuleID: 'stripe-access-token',
+                Tags: [],
+                Fingerprint: 'src/payments.ts:stripe-access-token:7',
+            },
+        ];
+        augmentedGolden = join(gateProject, 'augmented-golden.json');
+        writeFileSync(augmentedGolden, JSON.stringify(augmented), 'utf8');
+        // 1) Capture the baseline (two findings). The findings gate (ADR-0020) makes
+        //    gate-save itself exit 1 — it records the baseline AND honours the verdict.
+        save = runCli(['gitleaks', '--gate-save'], {}, gateProject);
+        // 2) Re-scan the SAME golden and compare → no net-new ⇒ clean (exit 0).
+        compareClean = runCli(['gitleaks', '--gate-compare'], {}, gateProject);
+        // 3) Compare against the augmented golden → one net-new finding ⇒ degraded.
+        compareRegressed = runCli(['gitleaks', '--gate-compare'], { FAKE_GITLEAKS_GOLDEN: augmentedGolden }, gateProject);
+    });
+    afterAll(() => {
+        if (gateProject !== undefined)
+            rmSync(gateProject, { recursive: true, force: true });
+    });
+    it('--gate-save records the baseline and persists a session', () => {
+        // The findings gate makes gate-save exit 1 (two high-severity secrets present),
+        // but the baseline IS written — proven by the clean compare below.
+        expect(save.status).toBe(1);
+        const list = runCli(['sessions', 'list', '--json'], {}, gateProject);
+        const data = parseOutcome(list.stdout).data;
+        const gitleaksRows = (data.sessions ?? []).filter((s) => s.tool === 'gitleaks');
+        expect(gitleaksRows.length).toBeGreaterThanOrEqual(1);
+    });
+    it('--gate-compare on the SAME scan is a clean no-op (exit 0, no regression)', () => {
+        // Pre-existing findings recorded in the baseline are NOT a regression — only
+        // net-new findings fail the ratchet. The clean exit also proves gate-save wrote
+        // the baseline (a missing baseline would throw ConfigurationError → exit 2).
+        expect(compareRegressed).toBeDefined();
+        expect(compareClean.status).toBe(0);
+        expect(`${compareClean.stdout}${compareClean.stderr}`).toMatch(/STABLE|no change/i);
+    });
+    it('--gate-compare surfaces a NET-NEW finding and exits non-zero (degraded)', () => {
+        expect(compareRegressed.status).not.toBe(0);
+        const out = `${compareRegressed.stdout}${compareRegressed.stderr}`;
+        // The net-new secret is named in the diff; the verdict footer says DEGRADED.
+        expect(out).toContain('stripe-access-token');
+        expect(out).toMatch(/DEGRADED|Added/i);
+        // The raw secret never leaks into the gate output.
+        expect(out).not.toContain('sk_live_NEWFAKEKEYDONOTUSE');
+    });
+});
+/**
+ * A3 acceptance — the scanner must NEVER re-walk opensip's own persisted reports
+ * under `.runtime/`. Uses a WALKING fake that actually scans `--source` and
+ * re-detects `OPENSIP_TEST_SECRET` in any non-excluded file (so a prior run's
+ * report would mint a net-new fingerprint), honoring the SAME `--config` allowlist
+ * marker the substrate injects. Without the A3 fix the first `--gate-compare`
+ * re-detects the gate-save run's report (a new runId path) and degrades; with it,
+ * two consecutive compares over an UNCHANGED project stay clean.
+ */
+describe('gitleaks worker E2E — A3 no-churn over the .runtime artifact store', () => {
+    let churnProject;
+    let walkBinDir;
+    let save;
+    let compare1;
+    let compare2;
+    beforeAll(() => {
+        walkBinDir = mkdtempSync(join(tmpdir(), 'opensip-gitleaks-walk-bin-'));
+        cpSync(join(FIXTURES, 'fake-gitleaks-walking'), join(walkBinDir, 'gitleaks'));
+        execFileSync('chmod', ['+x', join(walkBinDir, 'gitleaks')]);
+        churnProject = makeGitleaksProject();
+        // Exactly one real secret planted in the project source tree.
+        mkdirSync(join(churnProject, 'src'), { recursive: true });
+        writeFileSync(join(churnProject, 'src', 'leak.txt'), 'token = OPENSIP_TEST_SECRET\n', 'utf8');
+        // Override PATH so the WALKING fake is the resolved `gitleaks`.
+        const env = { PATH: `${walkBinDir}:${process.env.PATH ?? ''}` };
+        save = runCli(['gitleaks', '--gate-save'], env, churnProject);
+        compare1 = runCli(['gitleaks', '--gate-compare'], env, churnProject);
+        compare2 = runCli(['gitleaks', '--gate-compare'], env, churnProject);
+    });
+    afterAll(() => {
+        if (churnProject !== undefined)
+            rmSync(churnProject, { recursive: true, force: true });
+        if (walkBinDir !== undefined)
+            rmSync(walkBinDir, { recursive: true, force: true });
+    });
+    it('captures a baseline of exactly the planted secret (gate-save exits 1 on findings)', () => {
+        expect(save.status).toBe(1);
+    });
+    it('two consecutive --gate-compare cycles over the UNCHANGED project stay clean (exit 0)', () => {
+        // Without the A3 exclusion, each compare re-detects the prior run's persisted
+        // report under `.runtime/` (a NEW runId path ⇒ net-new fingerprint ⇒ degraded,
+        // exit ≠ 0). The exclusion keeps the scanner off `.runtime`, so the only finding
+        // is the unchanged planted secret → no net-new → exit 0, repeatably.
+        expect(compare1.status).toBe(0);
+        expect(compare2.status).toBe(0);
+    });
+});
+//# sourceMappingURL=worker-e2e.test.js.map

package/dist/__tests__/worker-e2e.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"worker-e2e.test.js","sourceRoot":"","sources":["../../src/__tests__/worker-e2e.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EACL,MAAM,EACN,UAAU,EACV,SAAS,EACT,WAAW,EACX,WAAW,EACX,YAAY,EACZ,MAAM,EACN,QAAQ,EACR,WAAW,EACX,aAAa,GACd,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAEnE,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACrD,0EAA0E;AAC1E,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;AACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;AACxE,MAAM,gBAAgB,GAAG,IAAI,CAAC,SAAS,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;AACtE,MAAM,QAAQ,GAAG,IAAI,CAAC,gBAAgB,EAAE,cAAc,CAAC,CAAC;AACxD,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,EAAE,sBAAsB,CAAC,CAAC;AAE3D,MAAM,kBAAkB,GAAG,sCAAsC,CAAC;AAElE,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,uBAAuB,CAAC,EAAE,MAAM,CAAC,CAOtF,CAAC;AAEJ,gFAAgF;AAChF,MAAM,WAAW,GAAG,CAAC,sBAAsB,EAAE,4BAA4B,EAAE,WAAW,CAAC,CAAC;AAQxF,IAAI,UAAkB,CAAC;AACvB,IAAI,MAAc,CAAC;AACnB,IAAI,OAA+B,CAAC;AAEpC,iFAAiF;AACjF,SAAS,MAAM,CAAC,IAAc,EAAE,WAAmC,EAAE,EAAE,GAAG,GAAG,UAAU;IACrF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,EAAE;YACvD,GAAG;YACH,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,QAAQ,EAAE;YAChD,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC5B,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;IAC3C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,GAAG,KAA8D,CAAC;QACzE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;IACnF,CAAC;AACH,CAAC;AAED,0FAA0F;AAC1F,SAAS,mBAAmB;IAC1B,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,wBAAwB,CAAC,CAAC,CAAC;IAClE,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,wBAAwB,CAAC,EAAE,iCAAiC,EAAE,MAAM,CAAC,CAAC;IAC9F,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;IAC3D,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,WAAW,CAAC,gBAAgB,EAAE,IAAI,CAAC,QAAQ,EAAE,eAAe,CAAC,EAAE,KAAK,CAAC,CAAC;IACtE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,2FAA2F;AAC3F,SAAS,YAAY,CAAC,MAAc;IAClC,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAA4B,CAAC;AACvD,CAAC;AAED,SAAS,CAAC,GAAG,EAAE;IACb,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,6BAA6B,CAAC,CAAC;IACnF,CAAC;IACD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,gBAAgB,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;IACjF,CAAC;IAED,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,uBAAuB,CAAC,CAAC,CAAC;IAClE,kFAAkF;IAClF,aAAa,CACX,IAAI,CAAC,UAAU,EAAE,wBAAwB,CAAC,EAC1C,iCAAiC,EACjC,MAAM,CACP,CAAC;IACF,+EAA+E;IAC/E,6EAA6E;IAC7E,6DAA6D;IAC7D,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;IAClE,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,WAAW,CAAC,gBAAgB,EAAE,IAAI,CAAC,QAAQ,EAAE,eAAe,CAAC,EAAE,KAAK,CAAC,CAAC;IAEtE,+EAA+E;IAC/E,uEAAuE;IACvE,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,uBAAuB,CAAC,CAAC,CAAC;IAC9D,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,eAAe,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;IAClE,YAAY,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC;IAExD,OAAO,GAAG;QACR,IAAI,EAAE,GAAG,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE;QAC3C,wEAAwE;QACxE,2EAA2E;QAC3E,oBAAoB,EAAE,WAAW;QACjC,gCAAgC,EAAE,sBAAsB;QACxD,6EAA6E;QAC7E,qEAAqE;QACrE,kCAAkC;QAClC,iCAAiC,EAAE,GAAG,kBAAkB,WAAW;KACpE,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,GAAG,EAAE;IACZ,IAAI,UAAU,KAAK,SAAS;QAAE,MAAM,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACnF,IAAI,MAAM,KAAK,SAAS;QAAE,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAC7E,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,6DAA6D,EAAE,GAAG,EAAE;IAC3E,IAAI,IAAY,CAAC;IACjB,IAAI,QAcH,CAAC;IAEF,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC;QACtC,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1C,QAAQ,GAAG,OAAO,CAAC,QAA2B,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qEAAqE,EAAE,GAAG,EAAE;QAC7E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACvC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACxC,+EAA+E;QAC/E,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC1C,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,IAAI,EAAE,CAAC,CAAC,QAAQ;YAChB,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACjD,GAAG,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;SACxD,CAAC,CAAC,CAAC;QACJ,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;QACnE,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACjC,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;YAChD,MAAM,UAAU,GAAG,CAAC,CAAC,QAAQ,CAAC,UAAsD,CAAC;YACrF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACzC,MAAM,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;QACvE,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6GAA6G,EAAE,GAAG,EAAE;QACrH,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,aAAa,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;QACpF,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtC,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACvC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;QAClD,gFAAgF;QAChF,gFAAgF;QAChF,8EAA8E;QAC9E,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxC,kFAAkF;QAClF,kFAAkF;QAClF,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrD,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpD,uDAAuD;QACvD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+EAA+E,EAAE,GAAG,EAAE;QACvF,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACzC,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAC7C,kEAAkE;QAClE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACvC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,GAAG,EAAE;QAC5E,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5B,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,IAA4D,CAAC;QAClF,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;QACtC,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;QAChE,MAAM,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,CAAC;QAClC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxC,MAAM,OAAO,GAAG,WAAW,EAAE,OAA4D,CAAC;QAC1F,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACpD,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,gFAAgF;IAChF,6EAA6E;IAC7E,+EAA+E;IAC/E,mDAAmD;IACnD,EAAE,CAAC,4FAA4F,EAAE,GAAG,EAAE;QACpG,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;QACpD,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAgD,CAAC;QACxF,MAAM,WAAW,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;QAC7E,MAAM,OAAO,GAAG,WAAW,EAAE,OAG5B,CAAC;QACF,6EAA6E;QAC7E,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClD,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrE,+EAA+E;QAC/E,MAAM,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACzC,MAAM,KAAK,GAAG,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC;QAC/F,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,8EAA8E;IAC9E,8EAA8E;IAC9E,yEAAyE;IACzE,EAAE,CAAC,sFAAsF,EAAE,GAAG,EAAE;QAC9F,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;QACpD,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAgD,CAAC;QACxF,MAAM,WAAW,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;QAC7E,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC;QAC/D,KAAK,MAAM,GAAG,IAAI,WAAW;YAAE,MAAM,CAAC,WAAW,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACtE,MAAM,CAAC,WAAW,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAC7C,MAAM,CAAC,WAAW,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAC9C,+EAA+E;QAC/E,MAAM,CAAC,WAAW,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,oDAAoD,EAAE,GAAG,EAAE;IAClE,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;QACrD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC3B,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAKvC,CAAC;QACF,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACrC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC/C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,0EAA0E;QAC1E,uEAAuE;QACvE,wEAAwE;QACxE,+CAA+C;QAC/C,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,CAAC,EAAE;YACnD,oBAAoB,EAAE,+BAA+B;YACrD,gCAAgC,EAAE,2CAA2C;SAC9E,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC3B,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAsD,CAAC;QAC/F,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC;QACtD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC3B,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAA4C,CAAC;QACrF,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH;;;;;;;GAOG;AACH,QAAQ,CAAC,6EAA6E,EAAE,GAAG,EAAE;IAC3F,EAAE,CAAC,+EAA+E,EAAE,GAAG,EAAE;QACvF,2EAA2E;QAC3E,oFAAoF;QACpF,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE;YACzC,oBAAoB,EAAE,+BAA+B;YACrD,gCAAgC,EAAE,2CAA2C;SAC9E,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gEAAgE,EAAE,GAAG,EAAE;QACxE,iFAAiF;QACjF,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,0BAA0B,CAAC,CAAC,CAAC;QAC1E,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;QACjE,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzC,WAAW,CAAC,gBAAgB,EAAE,IAAI,CAAC,QAAQ,EAAE,eAAe,CAAC,EAAE,KAAK,CAAC,CAAC;QACtE,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE,SAAS,CAAC,CAAC;YAC1D,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,2DAA2D,EAAE,GAAG,EAAE;IACzE,EAAE,CAAC,iEAAiE,EAAE,GAAG,EAAE;QACzE,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE,iCAAiC,EAAE,EAAE,EAAE,CAAC,CAAC;QACtF,2EAA2E;QAC3E,4BAA4B;QAC5B,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC/B,MAAM,CAAC,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC,OAAO,CACxD,oCAAoC,CACrC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH;;;;;;;;;;GAUG;AACH,QAAQ,CAAC,iDAAiD,EAAE,GAAG,EAAE;IAC/D,IAAI,WAAmB,CAAC;IACxB,IAAI,eAAuB,CAAC;IAC5B,IAAI,IAAY,CAAC;IACjB,IAAI,YAAoB,CAAC;IACzB,IAAI,gBAAwB,CAAC;IAE7B,SAAS,CAAC,GAAG,EAAE;QACb,WAAW,GAAG,mBAAmB,EAAE,CAAC;QAEpC,8EAA8E;QAC9E,8EAA8E;QAC9E,2BAA2B;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,WAAW,EAAE,MAAM,CAAC,CAA8B,CAAC;QAC5F,MAAM,SAAS,GAAG;YAChB,GAAG,QAAQ;YACX;gBACE,WAAW,EAAE,qBAAqB;gBAClC,SAAS,EAAE,CAAC;gBACZ,OAAO,EAAE,CAAC;gBACV,WAAW,EAAE,EAAE;gBACf,SAAS,EAAE,EAAE;gBACb,KAAK,EAAE,qCAAqC;gBAC5C,MAAM,EAAE,4BAA4B;gBACpC,IAAI,EAAE,iBAAiB;gBACvB,MAAM,EAAE,qBAAqB;gBAC7B,IAAI,EAAE,EAAE;gBACR,WAAW,EAAE,uCAAuC;aACrD;SACF,CAAC;QACF,eAAe,GAAG,IAAI,CAAC,WAAW,EAAE,uBAAuB,CAAC,CAAC;QAC7D,aAAa,CAAC,eAAe,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,CAAC;QAElE,6EAA6E;QAC7E,gFAAgF;QAChF,IAAI,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,aAAa,CAAC,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QAC5D,wEAAwE;QACxE,YAAY,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,gBAAgB,CAAC,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QACvE,4EAA4E;QAC5E,gBAAgB,GAAG,MAAM,CACvB,CAAC,UAAU,EAAE,gBAAgB,CAAC,EAC9B,EAAE,oBAAoB,EAAE,eAAe,EAAE,EACzC,WAAW,CACZ,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,GAAG,EAAE;QACZ,IAAI,WAAW,KAAK,SAAS;YAAE,MAAM,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACvF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,gFAAgF;QAChF,mEAAmE;QACnE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QACrE,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAgD,CAAC;QACxF,MAAM,YAAY,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;QAChF,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0EAA0E,EAAE,GAAG,EAAE;QAClF,6EAA6E;QAC7E,gFAAgF;QAChF,6EAA6E;QAC7E,MAAM,CAAC,gBAAgB,CAAC,CAAC,WAAW,EAAE,CAAC;QACvC,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,CAAC,GAAG,YAAY,CAAC,MAAM,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACtF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yEAAyE,EAAE,GAAG,EAAE;QACjF,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,GAAG,gBAAgB,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,EAAE,CAAC;QACnE,6EAA6E;QAC7E,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,qBAAqB,CAAC,CAAC;QAC7C,MAAM,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QACvC,mDAAmD;QACnD,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,4BAA4B,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH;;;;;;;;GAQG;AACH,QAAQ,CAAC,oEAAoE,EAAE,GAAG,EAAE;IAClF,IAAI,YAAoB,CAAC;IACzB,IAAI,UAAkB,CAAC;IACvB,IAAI,IAAY,CAAC;IACjB,IAAI,QAAgB,CAAC;IACrB,IAAI,QAAgB,CAAC;IAErB,SAAS,CAAC,GAAG,EAAE;QACb,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,4BAA4B,CAAC,CAAC,CAAC;QACvE,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,uBAAuB,CAAC,EAAE,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC,CAAC;QAC9E,YAAY,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC;QAE5D,YAAY,GAAG,mBAAmB,EAAE,CAAC;QACrC,8DAA8D;QAC9D,SAAS,CAAC,IAAI,CAAC,YAAY,EAAE,KAAK,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,aAAa,CAAC,IAAI,CAAC,YAAY,EAAE,KAAK,EAAE,UAAU,CAAC,EAAE,+BAA+B,EAAE,MAAM,CAAC,CAAC;QAE9F,gEAAgE;QAChE,MAAM,GAAG,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,EAAE,CAAC;QAChE,IAAI,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,aAAa,CAAC,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QAC9D,QAAQ,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,gBAAgB,CAAC,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;QACrE,QAAQ,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,gBAAgB,CAAC,EAAE,GAAG,EAAE,YAAY,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,GAAG,EAAE;QACZ,IAAI,YAAY,KAAK,SAAS;YAAE,MAAM,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACvF,IAAI,UAAU,KAAK,SAAS;YAAE,MAAM,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACrF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mFAAmF,EAAE,GAAG,EAAE;QAC3F,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sFAAsF,EAAE,GAAG,EAAE;QAC9F,8EAA8E;QAC9E,+EAA+E;QAC/E,iFAAiF;QACjF,qEAAqE;QACrE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAChC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * `@opensip-cli/tool-gitleaks` public barrel.
+ *
+ * Re-exports the `tool` descriptor the host loads by name through the installed
+ * external-tool worker-dispatch path (`mod.tool`), plus a `default` alias and the
+ * pure `parseGitleaksJson` normalizer (consumed by the acceptance tests). The
+ * adapter internals are otherwise not public API.
+ */
+export { tool, tool as default, GITLEAKS_IDENTITY, GITLEAKS_STABLE_ID } from './tool.js';
+export { parseGitleaksJson } from './parse-gitleaks-json.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,EAAE,IAAI,EAAE,IAAI,IAAI,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AACzF,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC"}

package/dist/index.js

@@ -0,0 +1,11 @@
+/**
+ * `@opensip-cli/tool-gitleaks` public barrel.
+ *
+ * Re-exports the `tool` descriptor the host loads by name through the installed
+ * external-tool worker-dispatch path (`mod.tool`), plus a `default` alias and the
+ * pure `parseGitleaksJson` normalizer (consumed by the acceptance tests). The
+ * adapter internals are otherwise not public API.
+ */
+export { tool, tool as default, GITLEAKS_IDENTITY, GITLEAKS_STABLE_ID } from './tool.js';
+export { parseGitleaksJson } from './parse-gitleaks-json.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,EAAE,IAAI,EAAE,IAAI,IAAI,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AACzF,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC"}

package/dist/parse-gitleaks-json.d.ts

@@ -0,0 +1,26 @@
+/**
+ * @fileoverview Gitleaks JSON → normalized `Signal[]` (ADR-0090 §4, brief §4).
+ *
+ * Gitleaks emits a BARE JSON ARRAY of findings (`[]` when clean). Each finding
+ * carries the live credential in two fields — `Secret` (the raw secret) and
+ * `Match` (the surrounding region, which INCLUDES the secret). Neither may EVER
+ * reach `Signal.message`, `Signal.metadata` in raw form, or any egress payload:
+ * this parser stores ONLY a {@link redactSecret} preview of `Secret` and drops
+ * `Match` entirely. The secret-egress negative test proves no raw substring
+ * survives.
+ *
+ * Stock gitleaks emits NO severity (every secret is treated as `high`); the
+ * native-severity slot records `null` so a downstream reader knows the four-bucket
+ * `high` is the adapter's constant map, not a scanner label.
+ *
+ * Pure: defensive JSON navigation (never throws on malformed input → `[]`).
+ */
+import type { Signal } from '@opensip-cli/core';
+import type { AdapterRunContext, ParsedScannerOutput } from '@opensip-cli/external-tool-adapter';
+/**
+ * Parse gitleaks JSON output into normalized signals. A clean run (`[]`) yields
+ * no findings; every secret maps to a `high`-severity `security` signal with a
+ * REDACTED secret preview and no raw credential anywhere.
+ */
+export declare function parseGitleaksJson(raw: ParsedScannerOutput, _ctx: AdapterRunContext): readonly Signal[];
+//# sourceMappingURL=parse-gitleaks-json.d.ts.map

package/dist/parse-gitleaks-json.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parse-gitleaks-json.d.ts","sourceRoot":"","sources":["../src/parse-gitleaks-json.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAYH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,KAAK,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,oCAAoC,CAAC;AA+DjG;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,GAAG,EAAE,mBAAmB,EACxB,IAAI,EAAE,iBAAiB,GACtB,SAAS,MAAM,EAAE,CAOnB"}

package/dist/parse-gitleaks-json.js

@@ -0,0 +1,88 @@
+/**
+ * @fileoverview Gitleaks JSON → normalized `Signal[]` (ADR-0090 §4, brief §4).
+ *
+ * Gitleaks emits a BARE JSON ARRAY of findings (`[]` when clean). Each finding
+ * carries the live credential in two fields — `Secret` (the raw secret) and
+ * `Match` (the surrounding region, which INCLUDES the secret). Neither may EVER
+ * reach `Signal.message`, `Signal.metadata` in raw form, or any egress payload:
+ * this parser stores ONLY a {@link redactSecret} preview of `Secret` and drops
+ * `Match` entirely. The secret-egress negative test proves no raw substring
+ * survives.
+ *
+ * Stock gitleaks emits NO severity (every secret is treated as `high`); the
+ * native-severity slot records `null` so a downstream reader knows the four-bucket
+ * `high` is the adapter's constant map, not a scanner label.
+ *
+ * Pure: defensive JSON navigation (never throws on malformed input → `[]`).
+ */
+import { createSignal } from '@opensip-cli/core';
+import { asArray, asObject, getNumber, getString, redactSecret, withNativeSeverity, } from '@opensip-cli/external-tool-adapter';
+/** Read the parsed finding array from the descriptor payload, defensively. */
+function findingArray(raw) {
+    // The run loop pre-parses JSON for `kind: 'json'`; fall back to the raw bytes
+    // (the acceptance-harness path) so the parser is total either way.
+    const json = raw.json ?? safeParse(raw.raw);
+    return asArray(json) ?? [];
+}
+function safeParse(text) {
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Normalize one gitleaks finding to a {@link Signal}. Returns `undefined` for a
+ * non-object entry so a malformed element is skipped rather than throwing.
+ */
+function normalizeFinding(entry) {
+    const finding = asObject(entry);
+    if (finding === undefined)
+        return undefined;
+    const ruleId = getString(finding, 'RuleID') ?? 'gitleaks-secret';
+    const message = getString(finding, 'Description') ?? `Secret detected (${ruleId})`;
+    const file = getString(finding, 'File') ?? '';
+    const line = getNumber(finding, 'StartLine');
+    const column = getNumber(finding, 'StartColumn');
+    // SECRET HYGIENE: `Secret` is masked to a short non-reversible preview; `Match`
+    // (which embeds the secret) is NEVER read into the bag. The metadata carries no
+    // raw credential bytes.
+    const secretPreview = redactSecret(getString(finding, 'Secret'));
+    const metadata = withNativeSeverity({
+        nativeFingerprint: getString(finding, 'Fingerprint') ?? null,
+        entropy: getNumber(finding, 'Entropy') ?? null,
+        tags: asArray(finding.Tags) ?? [],
+        ...(secretPreview.length > 0 ? { secretPreview } : {}),
+    }, 
+    // Stock gitleaks emits no severity — record `null` beside the constant `high`.
+    null);
+    return createSignal({
+        source: 'gitleaks',
+        category: 'security',
+        severity: 'high',
+        ruleId,
+        message,
+        code: {
+            file,
+            ...(line === undefined ? {} : { line }),
+            ...(column === undefined ? {} : { column }),
+        },
+        metadata,
+    });
+}
+/**
+ * Parse gitleaks JSON output into normalized signals. A clean run (`[]`) yields
+ * no findings; every secret maps to a `high`-severity `security` signal with a
+ * REDACTED secret preview and no raw credential anywhere.
+ */
+export function parseGitleaksJson(raw, _ctx) {
+    const signals = [];
+    for (const entry of findingArray(raw)) {
+        const signal = normalizeFinding(entry);
+        if (signal !== undefined)
+            signals.push(signal);
+    }
+    return signals;
+}
+//# sourceMappingURL=parse-gitleaks-json.js.map

package/dist/parse-gitleaks-json.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"parse-gitleaks-json.js","sourceRoot":"","sources":["../src/parse-gitleaks-json.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EACL,OAAO,EACP,QAAQ,EACR,SAAS,EACT,SAAS,EACT,YAAY,EACZ,kBAAkB,GACnB,MAAM,oCAAoC,CAAC;AAK5C,8EAA8E;AAC9E,SAAS,YAAY,CAAC,GAAwB;IAC5C,8EAA8E;IAC9E,mEAAmE;IACnE,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5C,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;AAC7B,CAAC;AAED,SAAS,SAAS,CAAC,IAAY;IAC7B,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAY,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,KAAc;IACtC,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAChC,IAAI,OAAO,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAE5C,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,EAAE,QAAQ,CAAC,IAAI,iBAAiB,CAAC;IACjE,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,EAAE,aAAa,CAAC,IAAI,oBAAoB,MAAM,GAAG,CAAC;IACnF,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC;IAC9C,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IAEjD,gFAAgF;IAChF,gFAAgF;IAChF,wBAAwB;IACxB,MAAM,aAAa,GAAG,YAAY,CAAC,SAAS,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IAEjE,MAAM,QAAQ,GAAG,kBAAkB,CACjC;QACE,iBAAiB,EAAE,SAAS,CAAC,OAAO,EAAE,aAAa,CAAC,IAAI,IAAI;QAC5D,OAAO,EAAE,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,IAAI,IAAI;QAC9C,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE;QACjC,GAAG,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACvD;IACD,+EAA+E;IAC/E,IAAI,CACL,CAAC;IAEF,OAAO,YAAY,CAAC;QAClB,MAAM,EAAE,UAAU;QAClB,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,MAAM;QAChB,MAAM;QACN,OAAO;QACP,IAAI,EAAE;YACJ,IAAI;YACJ,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;YACvC,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC;SAC5C;QACD,QAAQ;KACT,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAC/B,GAAwB,EACxB,IAAuB;IAEvB,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,KAAK,IAAI,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;QACtC,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACvC,IAAI,MAAM,KAAK,SAAS;YAAE,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}