@opensip-cli/tool-trivy 0.1.15

package/dist/__tests__/worker-e2e.test.js

@@ -0,0 +1,339 @@
+/**
+ * Tier-2 worker E2E (ADR-0090 D6 Tier 2) — install / discover / dispatch the trivy
+ * adapter over a REAL forked worker, end-to-end against the BUILT CLI.
+ *
+ * Trivy is the SARIF adapter, so this also proves the shared `ingestSarif` read
+ * path through the FULL installed-tool dispatch:
+ *   - the trivy package is presented as a genuinely INSTALLED npm tool in a
+ *     throwaway project (symlinked into its `node_modules` so the worker resolves
+ *     the adapter's workspace deps from the monorepo via realpath);
+ *   - `OPENSIP_CLI_ALLOW_INSTALLED_TOOLS` trusts it (installed tools are
+ *     deny-by-default);
+ *   - a FAKE `trivy` binary on PATH makes the run deterministic: it copies the
+ *     committed golden SARIF to `--output` and exits 0 — Trivy exits 0 EVEN WITH
+ *     findings, so the CLI's nonzero exit comes from the findings DERIVED FROM THE
+ *     PARSED SARIF, not from the process exit (the Trivy exit-model proof). The
+ *     worker fork curates its env to an allow-list, so the golden path is forwarded
+ *     via the documented `OPENSIP_CLI_TOOL_ENV_PASSTHROUGH`.
+ *
+ * `opensip trivy` forks a worker that re-discovers + imports the real runtime and
+ * runs the scan loop; this suite asserts the worker→host result + host-side
+ * effects: normalized signals match the golden (with the RECOVERED severities —
+ * `critical` from CVSS 9.8, not `high` from `level:"error"`), the raw SARIF
+ * artifact lands at `.runtime/artifacts/trivy/<runId>/trivy.sarif` with mode 0600,
+ * the `--json` envelope is well-formed, the session row persists with provenance,
+ * and the full gate ratchet (gate-save → clean compare → net-new vuln surfaces)
+ * works.
+ *
+ * Requires `pnpm build` first (the CLI dist + the trivy dist). Missing builds FAIL
+ * loudly (no silent skip).
+ */
+import { execFileSync } from 'node:child_process';
+import { cpSync, existsSync, mkdirSync, mkdtempSync, readdirSync, readFileSync, rmSync, statSync, symlinkSync, writeFileSync, } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { afterAll, beforeAll, describe, expect, it } from 'vitest';
+const HERE = dirname(fileURLToPath(import.meta.url));
+// .../packages/tool-trivy/src/__tests__ → repo root is four levels up.
+const REPO_ROOT = join(HERE, '..', '..', '..', '..');
+const CLI_DIST = join(REPO_ROOT, 'packages', 'cli', 'dist', 'index.js');
+const TRIVY_PKG_DIR = join(REPO_ROOT, 'packages', 'tool-trivy');
+const FIXTURES = join(TRIVY_PKG_DIR, '__fixtures__');
+const GOLDEN_PATH = join(FIXTURES, 'trivy-golden.sarif');
+const TRIVY_STABLE_ID = 'a26ea0eb-ee3b-4e22-a3f3-7e1f93e16000';
+const EXPECTED = JSON.parse(readFileSync(join(FIXTURES, 'expected-signals.json'), 'utf8'));
+let projectDir;
+let binDir;
+let baseEnv;
+/** Run the built CLI as a child process, capturing stdout/stderr + exit code. */
+function runCli(args, extraEnv = {}, cwd = projectDir) {
+    try {
+        const stdout = execFileSync('node', [CLI_DIST, ...args], {
+            cwd,
+            env: { ...process.env, ...baseEnv, ...extraEnv },
+            encoding: 'utf8',
+            maxBuffer: 32 * 1024 * 1024,
+        });
+        return { stdout, stderr: '', status: 0 };
+    }
+    catch (error) {
+        const e = error;
+        return { stdout: e.stdout ?? '', stderr: e.stderr ?? '', status: e.status ?? 1 };
+    }
+}
+/** Scaffold a throwaway opensip-cli project that resolves the installed trivy tool. */
+function makeTrivyProject() {
+    const dir = mkdtempSync(join(tmpdir(), 'opensip-trivy-gate-'));
+    writeFileSync(join(dir, 'opensip-cli.config.yml'), 'schemaVersion: 1\ntargets: {}\n', 'utf8');
+    const scopeDir = join(dir, 'node_modules', '@opensip-cli');
+    mkdirSync(scopeDir, { recursive: true });
+    symlinkSync(TRIVY_PKG_DIR, join(scopeDir, 'tool-trivy'), 'dir');
+    return dir;
+}
+/** Read the `--json` outcome wrapper (`{ kind, status, exitCode, envelope?, data? }`) from a run. */
+function outcomeJson(run) {
+    return JSON.parse(run.stdout);
+}
+beforeAll(() => {
+    if (!existsSync(CLI_DIST)) {
+        throw new Error(`built CLI not found at ${CLI_DIST} — run \`pnpm build\` first`);
+    }
+    if (!existsSync(join(TRIVY_PKG_DIR, 'dist', 'index.js'))) {
+        throw new Error('built tool-trivy dist not found — run `pnpm build` first');
+    }
+    projectDir = mkdtempSync(join(tmpdir(), 'opensip-trivy-e2e-'));
+    // Project marker so the worker's `scope: 'project'` bootstrap resolves a project.
+    writeFileSync(join(projectDir, 'opensip-cli.config.yml'), 'schemaVersion: 1\ntargets: {}\n', 'utf8');
+    // Present the REAL trivy package as an installed npm tool. A SYMLINK (not a copy)
+    // so the worker resolves the adapter's `@opensip-cli/*` workspace deps from the
+    // monorepo via realpath — a copy would orphan them.
+    const scopeDir = join(projectDir, 'node_modules', '@opensip-cli');
+    mkdirSync(scopeDir, { recursive: true });
+    symlinkSync(TRIVY_PKG_DIR, join(scopeDir, 'tool-trivy'), 'dir');
+    // A FAKE trivy on PATH for determinism (copies the golden SARIF to --output,
+    // exits 0). PATH is auto-forwarded into the worker fork's curated env.
+    binDir = mkdtempSync(join(tmpdir(), 'opensip-trivy-bin-'));
+    cpSync(join(FIXTURES, 'fake-trivy'), join(binDir, 'trivy'));
+    execFileSync('chmod', ['+x', join(binDir, 'trivy')]);
+    baseEnv = {
+        PATH: `${binDir}:${process.env.PATH ?? ''}`,
+        // The committed fake binary reads the golden path from here; forward it through
+        // the worker fork's env allow-list via the documented passthrough.
+        FAKE_TRIVY_GOLDEN: GOLDEN_PATH,
+        OPENSIP_CLI_TOOL_ENV_PASSTHROUGH: 'FAKE_TRIVY_GOLDEN',
+        // Installed tools are deny-by-default — trust the trivy id (the admission check
+        // keys on `opensipTools.id`; the UUID is included to match the ADR-0048 stable
+        // id convention).
+        OPENSIP_CLI_ALLOW_INSTALLED_TOOLS: `${TRIVY_STABLE_ID} trivy`,
+    };
+});
+afterAll(() => {
+    if (projectDir !== undefined)
+        rmSync(projectDir, { recursive: true, force: true });
+    if (binDir !== undefined)
+        rmSync(binDir, { recursive: true, force: true });
+});
+describe('trivy worker E2E — opensip trivy (real forked worker)', () => {
+    let scan;
+    let envelope;
+    beforeAll(() => {
+        scan = runCli(['trivy', '--json']);
+        const outcome = outcomeJson(scan);
+        envelope = outcome.envelope;
+    });
+    it('forks a worker and emits a well-formed signal envelope for trivy', () => {
+        expect(envelope.tool).toBe('trivy');
+        expect(envelope.runId).toMatch(/^RUN_/);
+        // The fake binary exits 0, but the parsed SARIF has critical/high findings ⇒ the
+        // verdict FAILS and the CLI exits 1 (findings derived from SARIF, not exit code).
+        expect(envelope.verdict.passed).toBe(false);
+        expect(scan.status).toBe(1);
+    });
+    it('normalizes the worker SARIF output to the golden signal shapes (recovered severities)', () => {
+        const shapes = envelope.signals.map((s) => ({
+            ruleId: s.ruleId,
+            severity: s.severity,
+            message: s.message,
+            file: s.filePath,
+            line: s.line,
+            column: s.column,
+        }));
+        expect(shapes).toEqual(EXPECTED);
+        // The headline recovery: a level:"error" + security-severity:"9.8" finding is
+        // `critical`, NOT `high` (which level alone would give).
+        const certifi = envelope.signals.find((s) => s.ruleId === 'CVE-2023-37920');
+        expect(certifi?.severity).toBe('critical');
+    });
+    it('stamps message-hash fingerprints + provenance + recovered native severity worker-side', () => {
+        for (const s of envelope.signals) {
+            expect(s.fingerprint).toMatch(/^[0-9a-f]{64}$/);
+            const provenance = s.metadata.provenance;
+            expect(provenance.tool).toBe('trivy');
+            expect(provenance.adapterPackage).toBe('@opensip-cli/tool-trivy');
+        }
+        const certifi = envelope.signals.find((s) => s.ruleId === 'CVE-2023-37920');
+        expect(certifi?.metadata.securitySeverity).toBe('9.8');
+        expect(certifi?.metadata.nativeLevel).toBe('error');
+        const misconfig = envelope.signals.find((s) => s.ruleId === 'DS002');
+        expect(misconfig?.metadata.nativeLevel).toBe('warning');
+    });
+    it('lands the raw SARIF artifact under .runtime/artifacts/trivy/<runId>/trivy.sarif with mode 0600', () => {
+        const runDir = join(projectDir, 'opensip-cli', '.runtime', 'artifacts', 'trivy');
+        expect(existsSync(runDir)).toBe(true);
+        const runs = readdirSync(runDir);
+        expect(runs.length).toBeGreaterThan(0);
+        const artifact = join(runDir, runs[0], 'trivy.sarif');
+        expect(existsSync(artifact)).toBe(true);
+        // Owner-only read/write (0600) — the artifact carries the raw scanner output.
+        expect(statSync(artifact).mode & 0o777).toBe(0o600);
+        // The persisted artifact is the byte-preserved golden (three SARIF results).
+        const doc = JSON.parse(readFileSync(artifact, 'utf8'));
+        expect(doc.runs[0].results).toHaveLength(3);
+    });
+    it('persists a session row with the trivy tool + provenance payload', () => {
+        const list = runCli(['sessions', 'list', '--json']);
+        expect(list.status).toBe(0);
+        const outcome = outcomeJson(list);
+        const data = outcome.data;
+        const sessions = data?.sessions ?? [];
+        const trivyRow = sessions.find((s) => s.tool === 'trivy');
+        expect(trivyRow).toBeDefined();
+        expect(trivyRow?.passed).toBe(false);
+        const payload = trivyRow?.payload;
+        expect(payload?.binary?.path).toContain('trivy');
+        expect(payload?.findings).toBe(3);
+    });
+});
+describe('trivy worker E2E — doctor / version diagnostics', () => {
+    it('doctor --json reports a ready, resolved binary (exit 0)', () => {
+        const run = runCli(['trivy', 'doctor', '--json']);
+        expect(run.status).toBe(0);
+        const report = outcomeJson(run).data;
+        expect(report.tool).toBe('trivy');
+        expect(report.ready).toBe(true);
+        expect(report.binary.found).toBe(true);
+        expect(report.version.detected).toBe('0.50.1');
+        expect(report.version.status).toBe('ok');
+    });
+    it('doctor reports NOT ready (exit 2) when the resolved binary is missing', () => {
+        // Pin the binary to a non-existent absolute path via the env layer (which beats
+        // PATH and hard-misses) so resolution fails WITHOUT breaking the toolchain/worker
+        // fork. Forward the pin into the worker (doctor probes worker-side) via the
+        // documented passthrough.
+        const run = runCli(['trivy', 'doctor', '--json'], {
+            OPENSIP_TRIVY_BIN: '/nonexistent/path/to/trivy',
+            OPENSIP_CLI_TOOL_ENV_PASSTHROUGH: 'FAKE_TRIVY_GOLDEN OPENSIP_TRIVY_BIN',
+        });
+        expect(run.status).toBe(2);
+        const report = outcomeJson(run).data;
+        expect(report.ready).toBe(false);
+        expect(report.binary.found).toBe(false);
+    });
+    it('version --json prints the resolved trivy binary version', () => {
+        const run = runCli(['trivy', 'version', '--json']);
+        expect(run.status).toBe(0);
+        const report = outcomeJson(run).data;
+        expect(report.found).toBe(true);
+        expect(report.version).toBe('0.50.1');
+    });
+});
+describe('trivy worker E2E — installed tools are deny-by-default', () => {
+    it('without the trust allowlist, `opensip trivy` is not admitted', () => {
+        const run = runCli(['trivy', '--json'], { OPENSIP_CLI_ALLOW_INSTALLED_TOOLS: '' });
+        // Deny-by-default: the command never mounts (unknown command / not found), so
+        // the scan does NOT run.
+        expect(run.status).not.toBe(0);
+        expect(`${run.stdout}${run.stderr}`.toLowerCase()).toMatch(/unknown command|not found|trivy/);
+    });
+});
+/**
+ * §4.12 ratchet acceptance — the FULL baseline/gate loop over a REAL forked worker.
+ * The substrate wires `--gate-save` / `--gate-compare` once (ADR-0036), so the trivy
+ * adapter inherits it. This proves: capture a baseline → an unchanged re-scan is
+ * clean (exit 0) → a NET-NEW vulnerability surfaces and fails (exit ≠ 0).
+ *
+ * Runs in its OWN throwaway project so the baseline + sessions are isolated from the
+ * scan suites above. The fake binary copies `FAKE_TRIVY_GOLDEN` to `--output`;
+ * pointing it at an AUGMENTED golden (the three originals + one new SARIF result +
+ * rule) is how the "regression" run injects a net-new finding.
+ */
+describe('trivy worker E2E — full gate ratchet (§4.12)', () => {
+    let gateProject;
+    let augmentedGolden;
+    let save;
+    let compareClean;
+    let compareRegressed;
+    beforeAll(() => {
+        gateProject = makeTrivyProject();
+        // The augmented golden = the committed three findings + one NET-NEW SARIF result
+        // (a distinct ruleId/message ⇒ a distinct message-hash fingerprint ⇒ the ratchet
+        // sees it as net-new, not unchanged). A matching rule descriptor carries its CVSS.
+        const original = JSON.parse(readFileSync(GOLDEN_PATH, 'utf8'));
+        const run0 = original.runs[0];
+        run0.tool.driver.rules.push({
+            id: 'CVE-2024-99999',
+            name: 'LanguageSpecificPackageVulnerability',
+            shortDescription: { text: 'axios: Server-Side Request Forgery' },
+            helpUri: 'https://avd.aquasec.com/nvd/cve-2024-99999',
+            defaultConfiguration: { level: 'error' },
+            properties: { 'security-severity': '8.6', tags: ['vulnerability', 'security', 'HIGH'] },
+        });
+        run0.results.push({
+            ruleId: 'CVE-2024-99999',
+            ruleIndex: 3,
+            level: 'error',
+            message: { text: 'axios: Server-Side Request Forgery' },
+            locations: [
+                {
+                    physicalLocation: {
+                        artifactLocation: { uri: 'requirements.txt', uriBaseId: 'ROOTPATH' },
+                        region: { startLine: 1, startColumn: 1 },
+                    },
+                },
+            ],
+        });
+        augmentedGolden = join(gateProject, 'augmented-golden.sarif');
+        writeFileSync(augmentedGolden, JSON.stringify(original), 'utf8');
+        // 1) Capture the baseline (three findings). The findings gate (ADR-0020) makes
+        //    gate-save itself exit 1 — it records the baseline AND honours the verdict.
+        save = runCli(['trivy', '--gate-save'], {}, gateProject);
+        // 2) Re-scan the SAME golden and compare → no net-new ⇒ clean (exit 0).
+        compareClean = runCli(['trivy', '--gate-compare'], {}, gateProject);
+        // 3) Compare against the augmented golden → one net-new finding ⇒ degraded.
+        compareRegressed = runCli(['trivy', '--gate-compare'], { FAKE_TRIVY_GOLDEN: augmentedGolden }, gateProject);
+    });
+    afterAll(() => {
+        if (gateProject !== undefined)
+            rmSync(gateProject, { recursive: true, force: true });
+    });
+    it('--gate-save records the baseline and persists a session', () => {
+        // The findings gate makes gate-save exit 1 (critical/high findings present), but
+        // the baseline IS written — proven by the clean compare below.
+        expect(save.status).toBe(1);
+        const list = runCli(['sessions', 'list', '--json'], {}, gateProject);
+        const data = outcomeJson(list).data;
+        const trivyRows = (data.sessions ?? []).filter((s) => s.tool === 'trivy');
+        expect(trivyRows.length).toBeGreaterThanOrEqual(1);
+    });
+    it('--gate-compare on the SAME scan is a clean no-op (exit 0, no regression)', () => {
+        // Pre-existing findings recorded in the baseline are NOT a regression — only
+        // net-new findings fail the ratchet. The clean exit also proves gate-save wrote
+        // the baseline (the missing-baseline → exit 2 contract is asserted directly in
+        // the "typed exit-class survives the worker boundary" suite below).
+        expect(compareRegressed).toBeDefined();
+        expect(compareClean.status).toBe(0);
+        expect(`${compareClean.stdout}${compareClean.stderr}`).toMatch(/STABLE|no change/i);
+    });
+    it('--gate-compare surfaces a NET-NEW vulnerability and exits non-zero (degraded)', () => {
+        expect(compareRegressed.status).not.toBe(0);
+        const out = `${compareRegressed.stdout}${compareRegressed.stderr}`;
+        // The net-new advisory is named in the diff; the verdict footer says DEGRADED.
+        expect(out).toContain('CVE-2024-99999');
+        expect(out).toMatch(/DEGRADED|Added/i);
+    });
+});
+/**
+ * A5/A6 — the typed exit-class must survive the worker boundary on the host-RPC
+ * REJECT path too. `--gate-compare` with NO saved baseline makes the host
+ * `compareBaseline` seam reject with a ConfigurationError (BASELINE_MISSING). That
+ * rejection crosses the worker IPC as a structured reply; before the fix the worker
+ * shim rebuilt a PLAIN Error → SystemError → exit 1, silently losing the frozen
+ * exit-2 config contract. This asserts the contract end-to-end over a REAL fork.
+ */
+describe('trivy worker E2E — gate-compare with no baseline exits 2 (A5/A6)', () => {
+    it('`opensip trivy --gate-compare` before any --gate-save exits 2 (not 1)', () => {
+        // A fresh project with NO baseline captured: the compareBaseline host seam
+        // rejects ConfigurationError(BASELINE_MISSING) over the host-RPC channel.
+        const freshProject = makeTrivyProject();
+        try {
+            const run = runCli(['trivy', '--gate-compare'], {}, freshProject);
+            expect(run.status).toBe(2);
+            expect(`${run.stdout}${run.stderr}`).toMatch(/baseline|gate-save/i);
+        }
+        finally {
+            rmSync(freshProject, { recursive: true, force: true });
+        }
+    });
+});
+//# sourceMappingURL=worker-e2e.test.js.map

package/dist/__tests__/worker-e2e.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"worker-e2e.test.js","sourceRoot":"","sources":["../../src/__tests__/worker-e2e.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EACL,MAAM,EACN,UAAU,EACV,SAAS,EACT,WAAW,EACX,WAAW,EACX,YAAY,EACZ,MAAM,EACN,QAAQ,EACR,WAAW,EACX,aAAa,GACd,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAEnE,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACrD,uEAAuE;AACvE,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;AACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;AACxE,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC;AAChE,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;AACrD,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,EAAE,oBAAoB,CAAC,CAAC;AAEzD,MAAM,eAAe,GAAG,sCAAsC,CAAC;AAE/D,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,uBAAuB,CAAC,EAAE,MAAM,CAAC,CAOtF,CAAC;AAQJ,IAAI,UAAkB,CAAC;AACvB,IAAI,MAAc,CAAC;AACnB,IAAI,OAA+B,CAAC;AAEpC,iFAAiF;AACjF,SAAS,MAAM,CAAC,IAAc,EAAE,WAAmC,EAAE,EAAE,GAAG,GAAG,UAAU;IACrF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,EAAE;YACvD,GAAG;YACH,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,QAAQ,EAAE;YAChD,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC5B,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;IAC3C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,GAAG,KAA8D,CAAC;QACzE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;IACnF,CAAC;AACH,CAAC;AAED,uFAAuF;AACvF,SAAS,gBAAgB;IACvB,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,qBAAqB,CAAC,CAAC,CAAC;IAC/D,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,wBAAwB,CAAC,EAAE,iCAAiC,EAAE,MAAM,CAAC,CAAC;IAC9F,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;IAC3D,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,WAAW,CAAC,aAAa,EAAE,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,EAAE,KAAK,CAAC,CAAC;IAChE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,qGAAqG;AACrG,SAAS,WAAW,CAAC,GAAW;IAC9B,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAA4B,CAAC;AAC3D,CAAC;AAED,SAAS,CAAC,GAAG,EAAE;IACb,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,6BAA6B,CAAC,CAAC;IACnF,CAAC;IACD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;IAC9E,CAAC;IAED,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,oBAAoB,CAAC,CAAC,CAAC;IAC/D,kFAAkF;IAClF,aAAa,CACX,IAAI,CAAC,UAAU,EAAE,wBAAwB,CAAC,EAC1C,iCAAiC,EACjC,MAAM,CACP,CAAC;IACF,kFAAkF;IAClF,gFAAgF;IAChF,oDAAoD;IACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;IAClE,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,WAAW,CAAC,aAAa,EAAE,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,EAAE,KAAK,CAAC,CAAC;IAEhE,6EAA6E;IAC7E,uEAAuE;IACvE,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,oBAAoB,CAAC,CAAC,CAAC;IAC3D,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAC5D,YAAY,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;IAErD,OAAO,GAAG;QACR,IAAI,EAAE,GAAG,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE;QAC3C,gFAAgF;QAChF,mEAAmE;QACnE,iBAAiB,EAAE,WAAW;QAC9B,gCAAgC,EAAE,mBAAmB;QACrD,gFAAgF;QAChF,+EAA+E;QAC/E,kBAAkB;QAClB,iCAAiC,EAAE,GAAG,eAAe,QAAQ;KAC9D,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,GAAG,EAAE;IACZ,IAAI,UAAU,KAAK,SAAS;QAAE,MAAM,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACnF,IAAI,MAAM,KAAK,SAAS;QAAE,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAC7E,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uDAAuD,EAAE,GAAG,EAAE;IACrE,IAAI,IAAY,CAAC;IACjB,IAAI,QAcH,CAAC;IAEF,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,GAAG,MAAM,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;QACnC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;QAClC,QAAQ,GAAG,OAAO,CAAC,QAA2B,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,GAAG,EAAE;QAC1E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACxC,iFAAiF;QACjF,kFAAkF;QAClF,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uFAAuF,EAAE,GAAG,EAAE;QAC/F,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC1C,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,IAAI,EAAE,CAAC,CAAC,QAAQ;YAChB,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,MAAM,EAAE,CAAC,CAAC,MAAM;SACjB,CAAC,CAAC,CAAC;QACJ,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACjC,8EAA8E;QAC9E,yDAAyD;QACzD,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,gBAAgB,CAAC,CAAC;QAC5E,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uFAAuF,EAAE,GAAG,EAAE;QAC/F,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACjC,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;YAChD,MAAM,UAAU,GAAG,CAAC,CAAC,QAAQ,CAAC,UAAsD,CAAC;YACrF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACtC,MAAM,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QACpE,CAAC;QACD,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,gBAAgB,CAAC,CAAC;QAC5E,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,gBAAgB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACvD,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpD,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC;QACrE,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gGAAgG,EAAE,GAAG,EAAE;QACxG,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,aAAa,EAAE,UAAU,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;QACjF,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtC,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACvC,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,aAAa,CAAC,CAAC;QACtD,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxC,8EAA8E;QAC9E,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpD,6EAA6E;QAC7E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAEpD,CAAC;QACF,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,GAAG,EAAE;QACzE,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5B,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,IAAI,GAAG,OAAO,CAAC,IAA4D,CAAC;QAClF,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;QACtC,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,CAAC;QAC1D,MAAM,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;QAC/B,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrC,MAAM,OAAO,GAAG,QAAQ,EAAE,OAA4D,CAAC;QACvF,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACjD,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,iDAAiD,EAAE,GAAG,EAAE;IAC/D,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,OAAO,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;QAClD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC3B,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,IAK/B,CAAC;QACF,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC/C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,gFAAgF;QAChF,kFAAkF;QAClF,4EAA4E;QAC5E,0BAA0B;QAC1B,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,OAAO,EAAE,QAAQ,EAAE,QAAQ,CAAC,EAAE;YAChD,iBAAiB,EAAE,4BAA4B;YAC/C,gCAAgC,EAAE,qCAAqC;SACxE,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC3B,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,IAAsD,CAAC;QACvF,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC;QACnD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC3B,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,IAA4C,CAAC;QAC7E,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,wDAAwD,EAAE,GAAG,EAAE;IACtE,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,EAAE,iCAAiC,EAAE,EAAE,EAAE,CAAC,CAAC;QACnF,8EAA8E;QAC9E,yBAAyB;QACzB,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC/B,MAAM,CAAC,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC,OAAO,CAAC,iCAAiC,CAAC,CAAC;IAChG,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH;;;;;;;;;;GAUG;AACH,QAAQ,CAAC,8CAA8C,EAAE,GAAG,EAAE;IAC5D,IAAI,WAAmB,CAAC;IACxB,IAAI,eAAuB,CAAC;IAC5B,IAAI,IAAY,CAAC;IACjB,IAAI,YAAoB,CAAC;IACzB,IAAI,gBAAwB,CAAC;IAE7B,SAAS,CAAC,GAAG,EAAE;QACb,WAAW,GAAG,gBAAgB,EAAE,CAAC;QAEjC,iFAAiF;QACjF,iFAAiF;QACjF,mFAAmF;QACnF,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,WAAW,EAAE,MAAM,CAAC,CAK5D,CAAC;QACF,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC9B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC;YAC1B,EAAE,EAAE,gBAAgB;YACpB,IAAI,EAAE,sCAAsC;YAC5C,gBAAgB,EAAE,EAAE,IAAI,EAAE,oCAAoC,EAAE;YAChE,OAAO,EAAE,4CAA4C;YACrD,oBAAoB,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE;YACxC,UAAU,EAAE,EAAE,mBAAmB,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,eAAe,EAAE,UAAU,EAAE,MAAM,CAAC,EAAE;SACxF,CAAC,CAAC;QACH,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;YAChB,MAAM,EAAE,gBAAgB;YACxB,SAAS,EAAE,CAAC;YACZ,KAAK,EAAE,OAAO;YACd,OAAO,EAAE,EAAE,IAAI,EAAE,oCAAoC,EAAE;YACvD,SAAS,EAAE;gBACT;oBACE,gBAAgB,EAAE;wBAChB,gBAAgB,EAAE,EAAE,GAAG,EAAE,kBAAkB,EAAE,SAAS,EAAE,UAAU,EAAE;wBACpE,MAAM,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE;qBACzC;iBACF;aACF;SACF,CAAC,CAAC;QACH,eAAe,GAAG,IAAI,CAAC,WAAW,EAAE,wBAAwB,CAAC,CAAC;QAC9D,aAAa,CAAC,eAAe,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,CAAC;QAEjE,+EAA+E;QAC/E,gFAAgF;QAChF,IAAI,GAAG,MAAM,CAAC,CAAC,OAAO,EAAE,aAAa,CAAC,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QACzD,wEAAwE;QACxE,YAAY,GAAG,MAAM,CAAC,CAAC,OAAO,EAAE,gBAAgB,CAAC,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QACpE,4EAA4E;QAC5E,gBAAgB,GAAG,MAAM,CACvB,CAAC,OAAO,EAAE,gBAAgB,CAAC,EAC3B,EAAE,iBAAiB,EAAE,eAAe,EAAE,EACtC,WAAW,CACZ,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,GAAG,EAAE;QACZ,IAAI,WAAW,KAAK,SAAS;YAAE,MAAM,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACvF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,iFAAiF;QACjF,+DAA+D;QAC/D,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;QACrE,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,IAAgD,CAAC;QAChF,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,CAAC;QAC1E,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0EAA0E,EAAE,GAAG,EAAE;QAClF,6EAA6E;QAC7E,gFAAgF;QAChF,+EAA+E;QAC/E,oEAAoE;QACpE,MAAM,CAAC,gBAAgB,CAAC,CAAC,WAAW,EAAE,CAAC;QACvC,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,CAAC,GAAG,YAAY,CAAC,MAAM,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACtF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+EAA+E,EAAE,GAAG,EAAE;QACvF,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,GAAG,gBAAgB,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,EAAE,CAAC;QACnE,+EAA+E;QAC/E,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;QACxC,MAAM,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH;;;;;;;GAOG;AACH,QAAQ,CAAC,kEAAkE,EAAE,GAAG,EAAE;IAChF,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,2EAA2E;QAC3E,0EAA0E;QAC1E,MAAM,YAAY,GAAG,gBAAgB,EAAE,CAAC;QACxC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,OAAO,EAAE,gBAAgB,CAAC,EAAE,EAAE,EAAE,YAAY,CAAC,CAAC;YAClE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC3B,MAAM,CAAC,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;QACtE,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * `@opensip-cli/tool-trivy` public barrel.
+ *
+ * Re-exports the `tool` descriptor the host loads by name through the installed
+ * external-tool worker-dispatch path (`mod.tool`), plus a `default` alias and the
+ * identity/stable-id constants. There is NO per-adapter SARIF parser: Trivy routes
+ * its SARIF output through the substrate's shared `ingestSarif` (the single SARIF
+ * read path, ADR-0091). The adapter internals are otherwise not public API.
+ */
+export { tool, tool as default, TRIVY_IDENTITY, TRIVY_STABLE_ID } from './tool.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,IAAI,EAAE,IAAI,IAAI,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC"}

package/dist/index.js

@@ -0,0 +1,11 @@
+/**
+ * `@opensip-cli/tool-trivy` public barrel.
+ *
+ * Re-exports the `tool` descriptor the host loads by name through the installed
+ * external-tool worker-dispatch path (`mod.tool`), plus a `default` alias and the
+ * identity/stable-id constants. There is NO per-adapter SARIF parser: Trivy routes
+ * its SARIF output through the substrate's shared `ingestSarif` (the single SARIF
+ * read path, ADR-0091). The adapter internals are otherwise not public API.
+ */
+export { tool, tool as default, TRIVY_IDENTITY, TRIVY_STABLE_ID } from './tool.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,IAAI,EAAE,IAAI,IAAI,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC"}

package/dist/tool.d.ts

@@ -0,0 +1,87 @@
+/**
+ * `@opensip-cli/tool-trivy` Tool descriptor (ADR-0090 / ADR-0091 / ADR-0092).
+ *
+ * The third External Tool Adapter — and the FIRST real consumer of the substrate's
+ * shared `ingestSarif`. It wraps the user-installed `trivy` vulnerability +
+ * misconfiguration scanner as an ordinary opensip-cli `Tool` via {@link
+ * defineExternalToolAdapter}. The substrate owns binary resolution, the run loop
+ * (resolve → execFile → ingest → normalize → persist via the host artifact seam),
+ * provenance, and the auto-added `doctor`/`version` commands; this module declares
+ * only the trivy identity, the wrapped binary, and the `scan` command (args only).
+ *
+ * Unlike gitleaks/osv-scanner (JSON adapters with a per-adapter `parse`), Trivy is
+ * the SARIF adapter: its `scan` command declares `output: { kind: 'sarif' }` and
+ * OMITS `parse`. The substrate's shared `ingestSarif` reads the SARIF 2.1.0 log,
+ * recovering each finding's four-bucket severity from the rule descriptor's
+ * `properties["security-severity"]` (a CVSS number) BEFORE the lossy `level`
+ * fallback (the OpenSIP SARIF writer collapses critical AND high → `error`, so a
+ * `9.8` result with `level:"error"` must normalize to `critical`, not `high`).
+ *
+ * Layer 4: imports the substrate + `@opensip-cli/core` ONLY — never the CLI,
+ * output, or any other adapter (dependency-cruiser enforced). The
+ * `single-sarif-ingest` rule means this adapter MUST NOT parse SARIF itself; it
+ * relies on the one substrate reader.
+ *
+ * This is an OPT-IN, installed tool (NOT in `bundled-tools.manifest.json`): the
+ * host never imports this runtime; an `opensip trivy` invocation forks a worker
+ * that re-discovers + imports it and runs the handler. Installed tools are
+ * deny-by-default — a run needs `OPENSIP_CLI_ALLOW_INSTALLED_TOOLS` to include the
+ * trivy id.
+ */
+import type { Tool, ToolIdentity } from '@opensip-cli/core';
+import type { AdapterRunContext } from '@opensip-cli/external-tool-adapter';
+/** Human identity (`opensip trivy`). No aliases. */
+export declare const TRIVY_IDENTITY: ToolIdentity;
+/** Stable UUID identity (ADR-0048); mirrors `opensipTools.stableId` in package.json. */
+export declare const TRIVY_STABLE_ID = "a26ea0eb-ee3b-4e22-a3f3-7e1f93e16000";
+/**
+ * Normalize the `trivy --version` stdout to a bare semver. Trivy prints a
+ * multi-line banner whose first line is e.g. `Version: 0.50.1` (followed by the
+ * vulnerability/Java DB metadata); take the first semver-shaped token and strip a
+ * leading `v`.
+ *
+ * VERIFY-against-installed-binary: exact `trivy --version` output format.
+ */
+export declare function parseTrivyVersion(stdout: string): string;
+/**
+ * Build the trivy scan argv (no shell — args are passed to `execFile`). Scans the
+ * project filesystem (`fs <root>`) for vulnerabilities + secrets + misconfigurations
+ * and writes a SARIF 2.1.0 report to the host-owned artifact path the substrate
+ * composes for this run.
+ *
+ * Scanner selection (A8): `trivy fs` defaults to `vuln,secret` ONLY — misconfig is
+ * OFF unless requested. The adapter advertises misconfig (metadata, docs, the DS002
+ * golden), so it MUST pass `--scanners vuln,secret,misconfig` or a real run would
+ * silently emit zero misconfig findings while the fixtures assert them. VERIFY-
+ * against-installed-trivy: the `--scanners` value set + name across versions.
+ *
+ * Local-only posture (ADR-0092): Trivy fetches its vulnerability DB from GHCR on
+ * first run, so the scan is pinned offline with `--skip-db-update`,
+ * `--skip-java-db-update`, `--offline-scan`, and — because the misconfig scanner
+ * pulls a separate "checks" bundle from GHCR — `--skip-check-update`. This REQUIRES
+ * a pre-populated cache (the vuln DB AND, for misconfig, the checks bundle); the
+ * adapter's `doctor`/`installHint` notes the cache caveat.
+ *
+ * VERIFY-against-installed-binary: the local-only flag set across versions.
+ * Trivy is NOT passed `--exit-code` — it exits 0 even with findings, and the
+ * substrate derives findings from the parsed SARIF (any nonzero is a fault).
+ */
+export declare function buildScanArgs(ctx: AdapterRunContext): readonly string[];
+/**
+ * A3: build trivy's exclusion of opensip's own `.runtime` artifact store. Trivy
+ * takes a directory skip via `--skip-dirs`; the substrate supplies the path and
+ * the run loop appends the flag (no user-facing flag, so the command manifest is
+ * unchanged). VERIFY-against-installed-binary: `--skip-dirs` accepts an absolute
+ * path / glob and may be passed after the positional scan root.
+ */
+export declare function buildTrivyExclude(input: {
+    readonly excludePath: string;
+}): {
+    readonly args: readonly string[];
+};
+/**
+ * The trivy external-tool adapter `Tool`. The host loads it by name through the
+ * installed-tool worker-dispatch path (the barrel re-exports it as `tool`).
+ */
+export declare const tool: Tool;
+//# sourceMappingURL=tool.d.ts.map

package/dist/tool.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool.d.ts","sourceRoot":"","sources":["../src/tool.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAKH,OAAO,KAAK,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC5D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AAE5E,oDAAoD;AACpD,eAAO,MAAM,cAAc,EAAE,YAE5B,CAAC;AAEF,wFAAwF;AACxF,eAAO,MAAM,eAAe,yCAAyC,CAAC;AAEtE;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAKxD;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,iBAAiB,GAAG,SAAS,MAAM,EAAE,CAevE;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE;IAAE,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GAAG;IAC1E,QAAQ,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,CAAC;CAClC,CAEA;AAED;;;GAGG;AACH,eAAO,MAAM,IAAI,EAAE,IA8CjB,CAAC"}

package/dist/tool.js

@@ -0,0 +1,152 @@
+/**
+ * `@opensip-cli/tool-trivy` Tool descriptor (ADR-0090 / ADR-0091 / ADR-0092).
+ *
+ * The third External Tool Adapter — and the FIRST real consumer of the substrate's
+ * shared `ingestSarif`. It wraps the user-installed `trivy` vulnerability +
+ * misconfiguration scanner as an ordinary opensip-cli `Tool` via {@link
+ * defineExternalToolAdapter}. The substrate owns binary resolution, the run loop
+ * (resolve → execFile → ingest → normalize → persist via the host artifact seam),
+ * provenance, and the auto-added `doctor`/`version` commands; this module declares
+ * only the trivy identity, the wrapped binary, and the `scan` command (args only).
+ *
+ * Unlike gitleaks/osv-scanner (JSON adapters with a per-adapter `parse`), Trivy is
+ * the SARIF adapter: its `scan` command declares `output: { kind: 'sarif' }` and
+ * OMITS `parse`. The substrate's shared `ingestSarif` reads the SARIF 2.1.0 log,
+ * recovering each finding's four-bucket severity from the rule descriptor's
+ * `properties["security-severity"]` (a CVSS number) BEFORE the lossy `level`
+ * fallback (the OpenSIP SARIF writer collapses critical AND high → `error`, so a
+ * `9.8` result with `level:"error"` must normalize to `critical`, not `high`).
+ *
+ * Layer 4: imports the substrate + `@opensip-cli/core` ONLY — never the CLI,
+ * output, or any other adapter (dependency-cruiser enforced). The
+ * `single-sarif-ingest` rule means this adapter MUST NOT parse SARIF itself; it
+ * relies on the one substrate reader.
+ *
+ * This is an OPT-IN, installed tool (NOT in `bundled-tools.manifest.json`): the
+ * host never imports this runtime; an `opensip trivy` invocation forks a worker
+ * that re-discovers + imports it and runs the handler. Installed tools are
+ * deny-by-default — a run needs `OPENSIP_CLI_ALLOW_INSTALLED_TOOLS` to include the
+ * trivy id.
+ */
+import { readPackageVersion } from '@opensip-cli/core';
+import { defineExternalToolAdapter } from '@opensip-cli/external-tool-adapter';
+/** Human identity (`opensip trivy`). No aliases. */
+export const TRIVY_IDENTITY = {
+    name: 'trivy',
+};
+/** Stable UUID identity (ADR-0048); mirrors `opensipTools.stableId` in package.json. */
+export const TRIVY_STABLE_ID = 'a26ea0eb-ee3b-4e22-a3f3-7e1f93e16000';
+/**
+ * Normalize the `trivy --version` stdout to a bare semver. Trivy prints a
+ * multi-line banner whose first line is e.g. `Version: 0.50.1` (followed by the
+ * vulnerability/Java DB metadata); take the first semver-shaped token and strip a
+ * leading `v`.
+ *
+ * VERIFY-against-installed-binary: exact `trivy --version` output format.
+ */
+export function parseTrivyVersion(stdout) {
+    // Fully bounded ({1,5} digit runs, {1,2} dotted segments) so the matcher is
+    // linear — major.minor[.patch], optional leading `v`.
+    const match = /v?(\d{1,5}(?:\.\d{1,5}){1,2})/.exec(stdout);
+    return match?.[1] ?? stdout.trim();
+}
+/**
+ * Build the trivy scan argv (no shell — args are passed to `execFile`). Scans the
+ * project filesystem (`fs <root>`) for vulnerabilities + secrets + misconfigurations
+ * and writes a SARIF 2.1.0 report to the host-owned artifact path the substrate
+ * composes for this run.
+ *
+ * Scanner selection (A8): `trivy fs` defaults to `vuln,secret` ONLY — misconfig is
+ * OFF unless requested. The adapter advertises misconfig (metadata, docs, the DS002
+ * golden), so it MUST pass `--scanners vuln,secret,misconfig` or a real run would
+ * silently emit zero misconfig findings while the fixtures assert them. VERIFY-
+ * against-installed-trivy: the `--scanners` value set + name across versions.
+ *
+ * Local-only posture (ADR-0092): Trivy fetches its vulnerability DB from GHCR on
+ * first run, so the scan is pinned offline with `--skip-db-update`,
+ * `--skip-java-db-update`, `--offline-scan`, and — because the misconfig scanner
+ * pulls a separate "checks" bundle from GHCR — `--skip-check-update`. This REQUIRES
+ * a pre-populated cache (the vuln DB AND, for misconfig, the checks bundle); the
+ * adapter's `doctor`/`installHint` notes the cache caveat.
+ *
+ * VERIFY-against-installed-binary: the local-only flag set across versions.
+ * Trivy is NOT passed `--exit-code` — it exits 0 even with findings, and the
+ * substrate derives findings from the parsed SARIF (any nonzero is a fault).
+ */
+export function buildScanArgs(ctx) {
+    return [
+        'fs',
+        '--scanners',
+        'vuln,secret,misconfig',
+        '--format',
+        'sarif',
+        '--output',
+        ctx.artifactPath('trivy.sarif'),
+        '--skip-db-update',
+        '--skip-java-db-update',
+        '--offline-scan',
+        '--skip-check-update',
+        ctx.projectRoot,
+    ];
+}
+/**
+ * A3: build trivy's exclusion of opensip's own `.runtime` artifact store. Trivy
+ * takes a directory skip via `--skip-dirs`; the substrate supplies the path and
+ * the run loop appends the flag (no user-facing flag, so the command manifest is
+ * unchanged). VERIFY-against-installed-binary: `--skip-dirs` accepts an absolute
+ * path / glob and may be passed after the positional scan root.
+ */
+export function buildTrivyExclude(input) {
+    return { args: ['--skip-dirs', input.excludePath] };
+}
+/**
+ * The trivy external-tool adapter `Tool`. The host loads it by name through the
+ * installed-tool worker-dispatch path (the barrel re-exports it as `tool`).
+ */
+export const tool = defineExternalToolAdapter({
+    identity: TRIVY_IDENTITY,
+    metadata: {
+        id: TRIVY_STABLE_ID,
+        version: readPackageVersion(import.meta.url),
+        description: 'Vulnerability + misconfig scanning via Trivy',
+        adapterPackage: '@opensip-cli/tool-trivy',
+    },
+    binary: {
+        command: 'trivy',
+        versionArgs: ['--version'],
+        versionParse: parseTrivyVersion,
+        // `trivy fs --format sarif --output` is stable from 0.40. VERIFY-against-
+        // installed-binary (the local-only flag names have shifted across versions).
+        minVersion: '0.40.0',
+        // Operator pin (config `binaries.trivy.path` / `OPENSIP_TRIVY_BIN`) beats
+        // PATH; resolution never fetches a binary.
+        resolution: ['config', 'path'],
+        installHint: 'Install trivy: https://aquasecurity.github.io/trivy/latest/getting-started/installation/ (brew install trivy). Pre-populate the offline caches: the vuln DB (e.g. `trivy image --download-db-only`) AND, for misconfiguration scanning, the checks bundle (e.g. run `trivy fs .` once online so the misconfig checks are cached).',
+    },
+    // Trivy queries its LOCAL vuln DB cache via execFile with --offline-scan — no
+    // network, no credentials at scan time (the DB cache must be pre-populated).
+    network: 'local-only',
+    commands: [
+        {
+            name: 'scan',
+            description: 'Scan the project filesystem for vulnerabilities and misconfigurations (Trivy)',
+            args: buildScanArgs,
+            // SARIF adapter: no `parse` — the substrate's shared `ingestSarif` reads it,
+            // recovering severity from `driver.rules[ruleIndex].properties["security-severity"]`.
+            output: { kind: 'sarif', path: 'trivy.sarif' },
+            // A3: never re-walk opensip's own persisted reports under `.runtime/` (see
+            // {@link buildTrivyExclude}).
+            excludeScan: buildTrivyExclude,
+            // ADR-0091 Phase-0 decision 4 (Trivy): Trivy exits `0` even WITH findings (no
+            // `--exit-code` passed), so findings are derived from the parsed SARIF, not the
+            // exit code. Only `0` is clean; there is NO findings code; any nonzero (>= 1)
+            // is a genuine fault. (Passing `--exit-code 1` would collide findings-1 with
+            // error-1 — the gitleaks sharp edge — so it is deliberately omitted.)
+            exitCodes: { ok: [0], findings: [], errorFrom: 1 },
+        },
+    ],
+    // Scanner output is line-volatile → the line-shift-tolerant message hash, not the
+    // host `ruleId|file|line|col` default. Stamped worker-side in the run loop.
+    fingerprintStrategy: 'message-hash',
+});
+//# sourceMappingURL=tool.js.map

package/dist/tool.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool.js","sourceRoot":"","sources":["../src/tool.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAAE,yBAAyB,EAAE,MAAM,oCAAoC,CAAC;AAK/E,oDAAoD;AACpD,MAAM,CAAC,MAAM,cAAc,GAAiB;IAC1C,IAAI,EAAE,OAAO;CACd,CAAC;AAEF,wFAAwF;AACxF,MAAM,CAAC,MAAM,eAAe,GAAG,sCAAsC,CAAC;AAEtE;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAc;IAC9C,4EAA4E;IAC5E,sDAAsD;IACtD,MAAM,KAAK,GAAG,+BAA+B,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC3D,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;AACrC,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,aAAa,CAAC,GAAsB;IAClD,OAAO;QACL,IAAI;QACJ,YAAY;QACZ,uBAAuB;QACvB,UAAU;QACV,OAAO;QACP,UAAU;QACV,GAAG,CAAC,YAAY,CAAC,aAAa,CAAC;QAC/B,kBAAkB;QAClB,uBAAuB;QACvB,gBAAgB;QAChB,qBAAqB;QACrB,GAAG,CAAC,WAAW;KAChB,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAuC;IAGvE,OAAO,EAAE,IAAI,EAAE,CAAC,aAAa,EAAE,KAAK,CAAC,WAAW,CAAC,EAAE,CAAC;AACtD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,IAAI,GAAS,yBAAyB,CAAC;IAClD,QAAQ,EAAE,cAAc;IACxB,QAAQ,EAAE;QACR,EAAE,EAAE,eAAe;QACnB,OAAO,EAAE,kBAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;QAC5C,WAAW,EAAE,8CAA8C;QAC3D,cAAc,EAAE,yBAAyB;KAC1C;IACD,MAAM,EAAE;QACN,OAAO,EAAE,OAAO;QAChB,WAAW,EAAE,CAAC,WAAW,CAAC;QAC1B,YAAY,EAAE,iBAAiB;QAC/B,0EAA0E;QAC1E,6EAA6E;QAC7E,UAAU,EAAE,QAAQ;QACpB,0EAA0E;QAC1E,2CAA2C;QAC3C,UAAU,EAAE,CAAC,QAAQ,EAAE,MAAM,CAAC;QAC9B,WAAW,EACT,mUAAmU;KACtU;IACD,8EAA8E;IAC9E,6EAA6E;IAC7E,OAAO,EAAE,YAAY;IACrB,QAAQ,EAAE;QACR;YACE,IAAI,EAAE,MAAM;YACZ,WAAW,EAAE,+EAA+E;YAC5F,IAAI,EAAE,aAAa;YACnB,6EAA6E;YAC7E,sFAAsF;YACtF,MAAM,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE;YAC9C,2EAA2E;YAC3E,8BAA8B;YAC9B,WAAW,EAAE,iBAAiB;YAC9B,8EAA8E;YAC9E,gFAAgF;YAChF,8EAA8E;YAC9E,6EAA6E;YAC7E,sEAAsE;YACtE,SAAS,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE;SACnD;KACF;IACD,kFAAkF;IAClF,4EAA4E;IAC5E,mBAAmB,EAAE,cAAc;CACpC,CAAC,CAAC"}