@panguard-ai/scan-core 0.1.0

package/dist/context-signals.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Context Signal Detection Engine
+ *
+ * Detects malicious-intent boosters and legitimate-intent reducers
+ * in skill content. Returns a multiplier that adjusts risk scoring.
+ *
+ * This is the single canonical implementation used by both CLI and Website.
+ */
+import type { ContextSignals } from './types.js';
+interface ManifestLike {
+    readonly name?: string;
+    readonly description?: string;
+    readonly license?: string;
+    readonly metadata?: {
+        readonly version?: string;
+        readonly openclaw?: {
+            readonly requires?: {
+                readonly bins?: readonly string[];
+            };
+        };
+    };
+    readonly 'allowed-tools'?: readonly string[];
+}
+/**
+ * Detect context signals from skill content and manifest.
+ *
+ * @param content - Full text content of the skill (SKILL.md / README)
+ * @param manifest - Parsed frontmatter manifest (nullable)
+ * @returns Context signals with calculated multiplier
+ */
+export declare function detectContextSignals(content: string, manifest: ManifestLike | null | undefined): ContextSignals;
+export {};
+//# sourceMappingURL=context-signals.d.ts.map

package/dist/context-signals.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"context-signals.d.ts","sourceRoot":"","sources":["../src/context-signals.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAiB,cAAc,EAAiB,MAAM,YAAY,CAAC;AAyC/E,UAAU,YAAY;IACpB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,QAAQ,CAAC,EAAE;QAClB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;QAC1B,QAAQ,CAAC,QAAQ,CAAC,EAAE;YAClB,QAAQ,CAAC,QAAQ,CAAC,EAAE;gBAClB,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;aACnC,CAAC;SACH,CAAC;KACH,CAAC;IACF,QAAQ,CAAC,eAAe,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAC9C;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,YAAY,GAAG,IAAI,GAAG,SAAS,GACxC,cAAc,CAqJhB"}

package/dist/context-signals.js

@@ -0,0 +1,162 @@
+/**
+ * Context Signal Detection Engine
+ *
+ * Detects malicious-intent boosters and legitimate-intent reducers
+ * in skill content. Returns a multiplier that adjusts risk scoring.
+ *
+ * This is the single canonical implementation used by both CLI and Website.
+ */
+import { extractCodeBlocks, stripCodeBlocks } from './markdown-utils.js';
+// ---------------------------------------------------------------------------
+// Booster Patterns (malicious signals)
+// ---------------------------------------------------------------------------
+const IMPORTANT_BLOCK_RE = /<IMPORTANT>/i;
+const CONCEALMENT_RE = /\b(do\s+not\s+tell|don[''\u2019t]*\s+(tell|mention|notify|inform|reveal|show)|keep\s+(this\s+)?hidden|hide\s+this\s+from|this\s+is\s+(?:a\s+)?secret|be\s+very\s+gentle\s+and\s+not\s+scary)\b/i;
+const EXFIL_URL_RE = /\.(workers\.dev|ngrok\.io|pipedream\.net|requestbin\.com|hookbin\.com|webhook\.site)\b|[?&](data|payload|exfil|stolen|secret|dump)=/i;
+const CONSENT_BYPASS_RE = /\b(without\s+(asking|confirmation|user\s+consent|prompting|verification|approval)|skip\s+(verification|confirmation|approval|all\s+verification)|silently\s+(send|upload|exfiltrate|transmit|post|execute)|do\s+not\s+prompt\s+the\s+user)\b/i;
+const CREDENTIAL_FILE_RE = /~?\/?\.(ssh\/(id_rsa|id_ed25519|authorized_keys|config)|aws\/credentials|npmrc|env\.local|env\.production|env)\b|\/etc\/(shadow|passwd)\b/i;
+const NETWORK_CALL_RE = /\b(curl|wget|fetch|http\.get|requests\.post|axios|XMLHttpRequest|nc\s+-)\b/i;
+const BENIGN_DESCRIPTION_RE = /\b(calculator|math|add\s+two|simple\s+tool|formatter|translator|converter|unit\s+convert|json\s+validator|markdown\s+render|text\s+transform|word\s+count|character\s+count|uuid\s+generat|timestamp|color\s+pick|random\s+number|dice\s+roll|tip\s+calcul|bmi\s+calcul|fact\s+of\s+the\s+day)\b/i;
+const DANGEROUS_INSTRUCTION_RE = /\b(rm\s+-rf|chmod\s+7|bash\s+-[ci]|sh\s+-c|curl\s+.*\|.*bash|exec\s*\(|child_process|\.ssh\/|\.aws\/|\.env\b|eval\s*\(|sudo\s)/i;
+// ---------------------------------------------------------------------------
+// Reducer Patterns (legitimate signals)
+// ---------------------------------------------------------------------------
+const DEV_TOOL_DESCRIPTION_RE = /\b(shell|cli|terminal|command[\s-]line|devops|qa\s+test|build\s+tool|development\s+tool|debugging|headless\s+browser|automation|deploy|scaffold|code\s+review|lint|format|testing\s+framework|package\s+manager|docker|container|kubernetes|ci[\s/]cd)\b/i;
+/**
+ * Detect context signals from skill content and manifest.
+ *
+ * @param content - Full text content of the skill (SKILL.md / README)
+ * @param manifest - Parsed frontmatter manifest (nullable)
+ * @returns Context signals with calculated multiplier
+ */
+export function detectContextSignals(content, manifest) {
+    const signals = [];
+    // -- Boosters --
+    if (IMPORTANT_BLOCK_RE.test(content)) {
+        signals.push({
+            id: 'boost-important-block',
+            type: 'booster',
+            label: '<IMPORTANT> hidden instruction block detected',
+            weight: 0.5,
+        });
+    }
+    if (CONCEALMENT_RE.test(content)) {
+        signals.push({
+            id: 'boost-concealment',
+            type: 'booster',
+            label: 'Concealment language detected ("do not tell the user")',
+            weight: 0.5,
+        });
+    }
+    if (EXFIL_URL_RE.test(content)) {
+        signals.push({
+            id: 'boost-exfil-url',
+            type: 'booster',
+            label: 'Exfiltration URL pattern detected',
+            weight: 0.4,
+        });
+    }
+    if (CONSENT_BYPASS_RE.test(content)) {
+        signals.push({
+            id: 'boost-consent-bypass',
+            type: 'booster',
+            label: 'Consent bypass language detected',
+            weight: 0.3,
+        });
+    }
+    if (CREDENTIAL_FILE_RE.test(content) && NETWORK_CALL_RE.test(content)) {
+        signals.push({
+            id: 'boost-credential-plus-network',
+            type: 'booster',
+            label: 'Credential file access combined with network calls',
+            weight: 0.5,
+        });
+    }
+    // Description-behavior mismatch: benign description + dangerous instructions
+    const description = manifest?.description ?? '';
+    if (BENIGN_DESCRIPTION_RE.test(description) && DANGEROUS_INSTRUCTION_RE.test(content)) {
+        signals.push({
+            id: 'boost-description-mismatch',
+            type: 'booster',
+            label: 'Description-behavior mismatch (benign description, dangerous instructions)',
+            weight: 0.4,
+        });
+    }
+    // -- Reducers --
+    // Declared tool capabilities (allowed-tools in frontmatter)
+    const declaredTools = manifest?.['allowed-tools'] ?? manifest?.metadata?.openclaw?.requires?.bins ?? [];
+    const declaresShell = declaredTools.some((t) => /^(bash|sh|zsh|shell|Bash|terminal|command)$/i.test(t));
+    if (declaresShell) {
+        signals.push({
+            id: 'reduce-declared-tools',
+            type: 'reducer',
+            label: 'Skill declares shell access in frontmatter',
+            weight: -0.3,
+        });
+    }
+    // Description-behavior consistency (dev tool description)
+    if (DEV_TOOL_DESCRIPTION_RE.test(description)) {
+        signals.push({
+            id: 'reduce-description-consistency',
+            type: 'reducer',
+            label: 'Description identifies as dev/CLI/QA tool',
+            weight: -0.2,
+        });
+    }
+    // Structured frontmatter (well-formed skill)
+    if (manifest?.name && manifest?.description) {
+        const hasVersion = !!manifest?.metadata?.version;
+        const hasLicense = !!manifest?.license;
+        if (hasVersion || hasLicense) {
+            signals.push({
+                id: 'reduce-structured-frontmatter',
+                type: 'reducer',
+                label: 'Well-structured frontmatter with name, description, and version/license',
+                weight: -0.1,
+            });
+        }
+    }
+    // Also check frontmatter from raw content (for website where manifest may be partial)
+    if (!manifest?.name) {
+        const hasFrontmatter = /^---\n[\s\S]*?^name:\s*.+/m.test(content);
+        const hasVersion = /^version:\s*.+/m.test(content);
+        const hasAllowedBash = /^allowed-tools:\s*\n(\s+-\s+.+\n)*\s+-\s+Bash/m.test(content);
+        if (hasAllowedBash) {
+            signals.push({
+                id: 'reduce-declared-tools',
+                type: 'reducer',
+                label: 'Declares Bash in allowed-tools',
+                weight: -0.3,
+            });
+        }
+        if (hasFrontmatter && hasVersion) {
+            signals.push({
+                id: 'reduce-structured-frontmatter',
+                type: 'reducer',
+                label: 'Well-structured frontmatter',
+                weight: -0.1,
+            });
+        }
+    }
+    // Patterns mostly in code blocks (documentation context)
+    const codeBlockContent = extractCodeBlocks(content);
+    if (codeBlockContent.length > 0 && DANGEROUS_INSTRUCTION_RE.test(codeBlockContent)) {
+        const outsideCodeBlocks = stripCodeBlocks(content);
+        if (!DANGEROUS_INSTRUCTION_RE.test(outsideCodeBlocks)) {
+            signals.push({
+                id: 'reduce-in-code-block',
+                type: 'reducer',
+                label: 'Dangerous patterns appear only inside code blocks (documentation)',
+                weight: -0.2,
+            });
+        }
+    }
+    // -- Calculate multiplier --
+    let multiplier = 1.0;
+    for (const signal of signals) {
+        multiplier += signal.weight;
+    }
+    multiplier = Math.max(0.3, Math.min(2.5, multiplier));
+    return { signals, multiplier };
+}
+//# sourceMappingURL=context-signals.js.map

package/dist/context-signals.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"context-signals.js","sourceRoot":"","sources":["../src/context-signals.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEzE,8EAA8E;AAC9E,uCAAuC;AACvC,8EAA8E;AAE9E,MAAM,kBAAkB,GAAG,cAAc,CAAC;AAE1C,MAAM,cAAc,GAClB,iMAAiM,CAAC;AAEpM,MAAM,YAAY,GAChB,sIAAsI,CAAC;AAEzI,MAAM,iBAAiB,GACrB,+OAA+O,CAAC;AAElP,MAAM,kBAAkB,GACtB,4IAA4I,CAAC;AAE/I,MAAM,eAAe,GACnB,6EAA6E,CAAC;AAEhF,MAAM,qBAAqB,GACzB,mSAAmS,CAAC;AAEtS,MAAM,wBAAwB,GAC5B,iIAAiI,CAAC;AAEpI,8EAA8E;AAC9E,wCAAwC;AACxC,8EAA8E;AAE9E,MAAM,uBAAuB,GAC3B,2PAA2P,CAAC;AAqB9P;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAClC,OAAe,EACf,QAAyC;IAEzC,MAAM,OAAO,GAAoB,EAAE,CAAC;IAEpC,iBAAiB;IAEjB,IAAI,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACrC,OAAO,CAAC,IAAI,CAAC;YACX,EAAE,EAAE,uBAAuB;YAC3B,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,+CAA+C;YACtD,MAAM,EAAE,GAAG;SACZ,CAAC,CAAC;IACL,CAAC;IAED,IAAI,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACjC,OAAO,CAAC,IAAI,CAAC;YACX,EAAE,EAAE,mBAAmB;YACvB,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,wDAAwD;YAC/D,MAAM,EAAE,GAAG;SACZ,CAAC,CAAC;IACL,CAAC;IAED,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/B,OAAO,CAAC,IAAI,CAAC;YACX,EAAE,EAAE,iBAAiB;YACrB,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,mCAAmC;YAC1C,MAAM,EAAE,GAAG;SACZ,CAAC,CAAC;IACL,CAAC;IAED,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACpC,OAAO,CAAC,IAAI,CAAC;YACX,EAAE,EAAE,sBAAsB;YAC1B,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,kCAAkC;YACzC,MAAM,EAAE,GAAG;SACZ,CAAC,CAAC;IACL,CAAC;IAED,IAAI,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACtE,OAAO,CAAC,IAAI,CAAC;YACX,EAAE,EAAE,+BAA+B;YACnC,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,oDAAoD;YAC3D,MAAM,EAAE,GAAG;SACZ,CAAC,CAAC;IACL,CAAC;IAED,6EAA6E;IAC7E,MAAM,WAAW,GAAG,QAAQ,EAAE,WAAW,IAAI,EAAE,CAAC;IAChD,IAAI,qBAAqB,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,wBAAwB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACtF,OAAO,CAAC,IAAI,CAAC;YACX,EAAE,EAAE,4BAA4B;YAChC,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,4EAA4E;YACnF,MAAM,EAAE,GAAG;SACZ,CAAC,CAAC;IACL,CAAC;IAED,iBAAiB;IAEjB,4DAA4D;IAC5D,MAAM,aAAa,GACjB,QAAQ,EAAE,CAAC,eAAe,CAAC,IAAI,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC;IACpF,MAAM,aAAa,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAS,EAAE,EAAE,CACrD,8CAA8C,CAAC,IAAI,CAAC,CAAC,CAAC,CACvD,CAAC;IACF,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC;YACX,EAAE,EAAE,uBAAuB;YAC3B,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,4CAA4C;YACnD,MAAM,EAAE,CAAC,GAAG;SACb,CAAC,CAAC;IACL,CAAC;IAED,0DAA0D;IAC1D,IAAI,uBAAuB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QAC9C,OAAO,CAAC,IAAI,CAAC;YACX,EAAE,EAAE,gCAAgC;YACpC,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,2CAA2C;YAClD,MAAM,EAAE,CAAC,GAAG;SACb,CAAC,CAAC;IACL,CAAC;IAED,6CAA6C;IAC7C,IAAI,QAAQ,EAAE,IAAI,IAAI,QAAQ,EAAE,WAAW,EAAE,CAAC;QAC5C,MAAM,UAAU,GAAG,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC;QACjD,MAAM,UAAU,GAAG,CAAC,CAAC,QAAQ,EAAE,OAAO,CAAC;QACvC,IAAI,UAAU,IAAI,UAAU,EAAE,CAAC;YAC7B,OAAO,CAAC,IAAI,CAAC;gBACX,EAAE,EAAE,+BAA+B;gBACnC,IAAI,EAAE,SAAS;gBACf,KAAK,EAAE,yEAAyE;gBAChF,MAAM,EAAE,CAAC,GAAG;aACb,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,sFAAsF;IACtF,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC;QACpB,MAAM,cAAc,GAAG,4BAA4B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClE,MAAM,UAAU,GAAG,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACnD,MAAM,cAAc,GAAG,gDAAgD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEtF,IAAI,cAAc,EAAE,CAAC;YACnB,OAAO,CAAC,IAAI,CAAC;gBACX,EAAE,EAAE,uBAAuB;gBAC3B,IAAI,EAAE,SAAS;gBACf,KAAK,EAAE,gCAAgC;gBACvC,MAAM,EAAE,CAAC,GAAG;aACb,CAAC,CAAC;QACL,CAAC;QACD,IAAI,cAAc,IAAI,UAAU,EAAE,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC;gBACX,EAAE,EAAE,+BAA+B;gBACnC,IAAI,EAAE,SAAS;gBACf,KAAK,EAAE,6BAA6B;gBACpC,MAAM,EAAE,CAAC,GAAG;aACb,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,yDAAyD;IACzD,MAAM,gBAAgB,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IACpD,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,IAAI,wBAAwB,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACnF,MAAM,iBAAiB,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;QACnD,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC;gBACX,EAAE,EAAE,sBAAsB;gBAC1B,IAAI,EAAE,SAAS;gBACf,KAAK,EAAE,mEAAmE;gBAC1E,MAAM,EAAE,CAAC,GAAG;aACb,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,6BAA6B;IAE7B,IAAI,UAAU,GAAG,GAAG,CAAC;IACrB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,UAAU,IAAI,MAAM,CAAC,MAAM,CAAC;IAC9B,CAAC;IACD,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC,CAAC;IAEtD,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC;AACjC,CAAC"}

package/dist/hash-utils.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Unified hash utilities for scan-core.
+ *
+ * Both CLI Auditor and Website MUST use these functions to produce
+ * identical hashes — this is critical for Threat Cloud consensus.
+ */
+/**
+ * Content hash: SHA-256 of raw skill content, truncated to 16 hex chars.
+ * Used for cache keys, skill deduplication, and TC skill-threat submission.
+ */
+export declare function contentHash(content: string): string;
+/**
+ * Pattern hash: SHA-256 of finding signatures, truncated to 16 hex chars.
+ * Used for ATR proposal deduplication in Threat Cloud.
+ *
+ * Input format: `scan:{skillName}:{findingSummary}`
+ * - No source prefix (was `web-scan:` before) so CLI + Web produce same hash.
+ */
+export declare function patternHash(skillName: string, findingSummary: string): string;
+//# sourceMappingURL=hash-utils.d.ts.map

package/dist/hash-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash-utils.d.ts","sourceRoot":"","sources":["../src/hash-utils.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH;;;GAGG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAEnD;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,CAK7E"}

package/dist/hash-utils.js

@@ -0,0 +1,28 @@
+/**
+ * Unified hash utilities for scan-core.
+ *
+ * Both CLI Auditor and Website MUST use these functions to produce
+ * identical hashes — this is critical for Threat Cloud consensus.
+ */
+import { createHash } from 'node:crypto';
+/**
+ * Content hash: SHA-256 of raw skill content, truncated to 16 hex chars.
+ * Used for cache keys, skill deduplication, and TC skill-threat submission.
+ */
+export function contentHash(content) {
+    return createHash('sha256').update(content).digest('hex').slice(0, 16);
+}
+/**
+ * Pattern hash: SHA-256 of finding signatures, truncated to 16 hex chars.
+ * Used for ATR proposal deduplication in Threat Cloud.
+ *
+ * Input format: `scan:{skillName}:{findingSummary}`
+ * - No source prefix (was `web-scan:` before) so CLI + Web produce same hash.
+ */
+export function patternHash(skillName, findingSummary) {
+    return createHash('sha256')
+        .update(`scan:${skillName}:${findingSummary}`)
+        .digest('hex')
+        .slice(0, 16);
+}
+//# sourceMappingURL=hash-utils.js.map

package/dist/hash-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash-utils.js","sourceRoot":"","sources":["../src/hash-utils.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,OAAe;IACzC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACzE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CAAC,SAAiB,EAAE,cAAsB;IACnE,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,QAAQ,SAAS,IAAI,cAAc,EAAE,CAAC;SAC7C,MAAM,CAAC,KAAK,CAAC;SACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,17 @@
+/**
+ * @panguard-ai/scan-core
+ *
+ * Unified skill scanning engine shared between CLI Skill Auditor and Website.
+ */
+export { scanContent } from './scanner.js';
+export type { Severity, FindingCategory, Finding, CheckResult, RiskLevel, ContextSignal, ContextSignals, SkillMetadata, SkillManifest, ATRRuleCompiled, CompiledRule, ScanOptions, ScanResult, } from './types.js';
+export { contentHash, patternHash } from './hash-utils.js';
+export { stripMarkdownNoise, extractCodeBlocks, stripCodeBlocks } from './markdown-utils.js';
+export { parseManifestFromString, parseSkillName } from './manifest-parser.js';
+export { detectContextSignals } from './context-signals.js';
+export { checkInstructions } from './instruction-patterns.js';
+export { detectSecrets } from './secret-detection.js';
+export { compileRules, scanWithATR } from './atr-engine.js';
+export type { ATRScanOptions } from './atr-engine.js';
+export { calculateRiskScore } from './risk-scorer.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAG3C,YAAY,EACV,QAAQ,EACR,eAAe,EACf,OAAO,EACP,WAAW,EACX,SAAS,EACT,aAAa,EACb,cAAc,EACd,aAAa,EACb,aAAa,EACb,eAAe,EACf,YAAY,EACZ,WAAW,EACX,UAAU,GACX,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC3D,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC7F,OAAO,EAAE,uBAAuB,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC/E,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC5D,YAAY,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/index.js

@@ -0,0 +1,17 @@
+/**
+ * @panguard-ai/scan-core
+ *
+ * Unified skill scanning engine shared between CLI Skill Auditor and Website.
+ */
+// Main entry point
+export { scanContent } from './scanner.js';
+// Sub-modules (for consumers that need individual pieces)
+export { contentHash, patternHash } from './hash-utils.js';
+export { stripMarkdownNoise, extractCodeBlocks, stripCodeBlocks } from './markdown-utils.js';
+export { parseManifestFromString, parseSkillName } from './manifest-parser.js';
+export { detectContextSignals } from './context-signals.js';
+export { checkInstructions } from './instruction-patterns.js';
+export { detectSecrets } from './secret-detection.js';
+export { compileRules, scanWithATR } from './atr-engine.js';
+export { calculateRiskScore } from './risk-scorer.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,mBAAmB;AACnB,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAmB3C,0DAA0D;AAC1D,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC3D,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC7F,OAAO,EAAE,uBAAuB,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC/E,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAE5D,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/instruction-patterns.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Prompt injection and tool poisoning pattern detection.
+ *
+ * Pure pattern matching - no filesystem dependencies.
+ * Extracted from panguard-skill-auditor/checks/instruction-check.ts.
+ */
+import type { Finding, CheckResult } from './types.js';
+export declare const SAFE_INSTALL_URLS: string[];
+/**
+ * Check content for prompt injection and tool poisoning patterns.
+ *
+ * @param instructions - The full text content to scan
+ * @param sourceType - Context hint: 'skill' (SKILL.md, default) or 'documentation' (README, docs)
+ */
+export declare function checkInstructions(instructions: string, sourceType?: 'skill' | 'documentation'): CheckResult & {
+    findings: Finding[];
+};
+//# sourceMappingURL=instruction-patterns.d.ts.map

package/dist/instruction-patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"instruction-patterns.d.ts","sourceRoot":"","sources":["../src/instruction-patterns.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,WAAW,EAAY,MAAM,YAAY,CAAC;AAgJjE,eAAO,MAAM,iBAAiB,UAM7B,CAAC;AAgCF;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAC/B,YAAY,EAAE,MAAM,EACpB,UAAU,GAAE,OAAO,GAAG,eAAyB,GAC9C,WAAW,GAAG;IAAE,QAAQ,EAAE,OAAO,EAAE,CAAA;CAAE,CAgJvC"}

package/dist/instruction-patterns.js

@@ -0,0 +1,291 @@
+/**
+ * Prompt injection and tool poisoning pattern detection.
+ *
+ * Pure pattern matching - no filesystem dependencies.
+ * Extracted from panguard-skill-auditor/checks/instruction-check.ts.
+ */
+const PATTERNS = [
+    // Prompt injection patterns
+    {
+        id: 'pi-ignore-previous',
+        title: 'Prompt injection: ignore previous instructions',
+        regex: /\b(ignore|disregard|forget|override)\b.{0,30}\b(previous|above|prior|earlier|system)\b.{0,20}\b(instructions?|prompt|rules?|context)\b/i,
+        severity: 'critical',
+        category: 'prompt-injection',
+    },
+    {
+        id: 'pi-you-are-now',
+        title: 'Prompt injection: identity override',
+        regex: /\b(you are now|act as|pretend to be|assume the role|from now on you|your true identity|henceforth operate as|your persona for this|switch to developer mode|enable maintenance mode|your updated system config)/i,
+        severity: 'high',
+        category: 'prompt-injection',
+    },
+    {
+        id: 'pi-system-prompt',
+        title: 'Prompt injection: system prompt manipulation',
+        regex: /\b(system prompt|system message|system instruction|<\|system\|>|<<SYS>>)\b/i,
+        severity: 'critical',
+        category: 'prompt-injection',
+    },
+    {
+        id: 'pi-do-anything',
+        title: 'Prompt injection: jailbreak pattern',
+        regex: /\b(DAN|do anything now|jailbreak|bypass safety|ignore safety|no restrictions|unrestricted mode|god mode|developer mode|maintenance mode|STAN|respond without filter|disable content policy)\b/i,
+        severity: 'critical',
+        category: 'prompt-injection',
+    },
+    {
+        id: 'pi-hidden-text',
+        title: 'Hidden text via HTML/markdown comments',
+        regex: /<!--[\s\S]*?(ignore|override|system|inject|bypass)[\s\S]*?-->/i,
+        severity: 'high',
+        category: 'prompt-injection',
+    },
+    // Tool poisoning patterns
+    {
+        id: 'tp-sudo-escalation',
+        title: 'Privilege escalation via sudo/admin',
+        regex: /\b(sudo\s|as\s+root|run\s+as\s+admin|--privileged|chmod\s+777|chmod\s+u\+s)\b/i,
+        severity: 'high',
+        category: 'tool-poisoning',
+    },
+    {
+        id: 'tp-reverse-shell',
+        title: 'Reverse shell pattern detected',
+        regex: /\b(nc\s+-[elp]|ncat\s+-|bash\s+-i\s+>&|\/dev\/tcp\/|mkfifo|socat\s.*exec|python[23]?\s+-c\s+['"]import\s+socket|perl\s+-e\s+['"]use\s+Socket|php\s+-r\s+['"]\$sock\s*=\s*fsockopen|powershell\s.*TCPClient)/i,
+        severity: 'critical',
+        category: 'tool-poisoning',
+    },
+    {
+        id: 'tp-curl-pipe-bash',
+        title: 'Remote code execution via curl|bash',
+        regex: /\b(curl|wget)\s+.*\|\s*(sudo\s+)?(bash|sh|zsh|python|node|perl)/i,
+        severity: 'critical',
+        category: 'tool-poisoning',
+    },
+    {
+        id: 'tp-env-exfil',
+        title: 'Environment variable exfiltration',
+        regex: /\b(printenv|env\b|set\b).*\|\s*(curl|wget|nc\b)|curl.*\$\{?\w*(KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)/i,
+        severity: 'critical',
+        category: 'tool-poisoning',
+    },
+    {
+        id: 'tp-file-exfil',
+        title: 'Sensitive file access pattern',
+        regex: /\b(cat|less|more|head|tail)\s+.*(\/etc\/shadow|\/etc\/passwd|~\/\.ssh|\.env|credentials|\.aws\/)/i,
+        severity: 'high',
+        category: 'tool-poisoning',
+    },
+    {
+        id: 'tp-rm-destructive',
+        title: 'Destructive file operations',
+        regex: /\brm\s+(-rf?|--recursive).*\s+(\/|~|\$HOME|\$\(pwd\))\b/i,
+        severity: 'high',
+        category: 'tool-poisoning',
+    },
+];
+// ---------------------------------------------------------------------------
+// Unicode / Encoding detection
+// ---------------------------------------------------------------------------
+/** Zero-width, invisible, and steganographic Unicode characters */
+const HIDDEN_UNICODE_RE = /[\u200B\u200C\u200E\u200F\u2060-\u2064\uFEFF\u00AD\u3164\u115F\u1160\uFFF9-\uFFFB]|[\u200D\u202A-\u202E]|\uDB40[\uDC00-\uDC7F]/;
+/** Fullwidth Latin characters (U+FF01-U+FF5E) */
+const FULLWIDTH_LATIN_RE = /[\uFF01-\uFF5E]{4,}/;
+/** Homoglyph detection - Cyrillic/Greek characters that look identical to Latin */
+const HOMOGLYPH_MAP = {
+    '\u0410': 'A', '\u0412': 'B', '\u0421': 'C', '\u0415': 'E',
+    '\u041D': 'H', '\u041A': 'K', '\u041C': 'M', '\u041E': 'O',
+    '\u0420': 'P', '\u0422': 'T', '\u0425': 'X', '\u0430': 'a',
+    '\u0435': 'e', '\u043E': 'o', '\u0440': 'p', '\u0441': 'c',
+    '\u0443': 'y', '\u0445': 'x', '\u0455': 's', '\u0456': 'i',
+    '\u0458': 'j', '\u0471': 'v', '\u0473': 'w',
+    // Greek
+    '\u0391': 'A', '\u0392': 'B', '\u0395': 'E', '\u0396': 'Z',
+    '\u0397': 'H', '\u0399': 'I', '\u039A': 'K', '\u039C': 'M',
+    '\u039D': 'N', '\u039F': 'O', '\u03A1': 'P', '\u03A4': 'T',
+    '\u03A5': 'Y', '\u03A7': 'X', '\u03B1': 'a', '\u03BF': 'o',
+    '\u03C1': 'p',
+};
+const HOMOGLYPH_RE = new RegExp(`[${Object.keys(HOMOGLYPH_MAP).join('')}]`);
+/** Base64-encoded suspicious content */
+const BASE64_BLOCK_RE = /[A-Za-z0-9+/]{20,}={0,2}/g;
+const SUSPICIOUS_DECODED = /(eval|exec|system|import\s+os|subprocess|child_process|require\s*\(|__import__|curl|wget)/i;
+/** Hex-encoded payload detection */
+const HEX_ESCAPE_RE = /(\\x[0-9a-fA-F]{2}){8,}/g;
+const HEX_BLOCK_RE = /\b([0-9a-fA-F]{2}){12,}\b/g;
+// ---------------------------------------------------------------------------
+// Safe install URLs
+// ---------------------------------------------------------------------------
+export const SAFE_INSTALL_URLS = [
+    'bun.sh/install', 'get.docker.com', 'install.python-poetry.org',
+    'raw.githubusercontent.com/nvm-sh/nvm', 'sh.rustup.rs', 'deno.land/install',
+    'get.pnpm.io/install', 'brew.sh', 'ohmyz.sh/install',
+    'raw.githubusercontent.com/Homebrew', 'sdk.cloud.google.com', 'cli.github.com',
+    'astral.sh/uv',
+];
+function isSafeInstallCommand(instructions, matchIndex) {
+    const lineStart = instructions.lastIndexOf('\n', matchIndex) + 1;
+    const lineEnd = instructions.indexOf('\n', matchIndex);
+    const line = instructions.substring(lineStart, lineEnd === -1 ? undefined : lineEnd).toLowerCase();
+    return SAFE_INSTALL_URLS.some((url) => line.includes(url.toLowerCase()));
+}
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function downgradeSeverity(severity) {
+    switch (severity) {
+        case 'critical': return 'medium';
+        case 'high': return 'low';
+        case 'medium': return 'low';
+        case 'low': return 'info';
+        default: return severity;
+    }
+}
+function isInSetupSection(instructions, matchIndex) {
+    const before = instructions.substring(Math.max(0, matchIndex - 500), matchIndex).toLowerCase();
+    return /(?:^|\n)#{1,4}\s*(setup|install|getting started|prerequisites|quick start|requirements|dependencies)/m.test(before);
+}
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Check content for prompt injection and tool poisoning patterns.
+ *
+ * @param instructions - The full text content to scan
+ * @param sourceType - Context hint: 'skill' (SKILL.md, default) or 'documentation' (README, docs)
+ */
+export function checkInstructions(instructions, sourceType = 'skill') {
+    const findings = [];
+    // Pattern matching
+    for (const pattern of PATTERNS) {
+        const match = pattern.regex.exec(instructions);
+        if (match) {
+            const lineNum = instructions.substring(0, match.index).split('\n').length;
+            // Context-aware: skip curl|bash if it's a known-safe install URL
+            if (pattern.id === 'tp-curl-pipe-bash' && isSafeInstallCommand(instructions, match.index)) {
+                findings.push({
+                    id: pattern.id,
+                    title: `${pattern.title} (known-safe install script)`,
+                    description: `Detected near line ${lineNum}: "${match[0].substring(0, 80)}" - targets a known package manager URL, downgraded.`,
+                    severity: 'low',
+                    category: pattern.category,
+                    location: `SKILL.md:${lineNum}`,
+                });
+                continue;
+            }
+            // Context-aware: downgrade findings in setup/installation sections
+            let severity = pattern.severity;
+            if (isInSetupSection(instructions, match.index)) {
+                severity = downgradeSeverity(severity);
+            }
+            // Context-aware: downgrade findings from documentation sources
+            if (sourceType === 'documentation') {
+                severity = downgradeSeverity(severity);
+            }
+            findings.push({
+                id: pattern.id,
+                title: pattern.title,
+                description: `Detected near line ${lineNum}: "${match[0].substring(0, 80)}"`,
+                severity,
+                category: pattern.category,
+                location: `SKILL.md:${lineNum}`,
+            });
+        }
+    }
+    // Hidden Unicode check
+    const unicodeMatch = HIDDEN_UNICODE_RE.exec(instructions);
+    if (unicodeMatch) {
+        const lineNum = instructions.substring(0, unicodeMatch.index).split('\n').length;
+        const charCode = unicodeMatch[0]?.codePointAt(0) ?? 0;
+        findings.push({
+            id: 'hidden-unicode',
+            title: 'Hidden Unicode characters detected',
+            description: `Found invisible character U+${charCode.toString(16).toUpperCase().padStart(4, '0')} at line ${lineNum}. This may be used to hide malicious instructions.`,
+            severity: 'high',
+            category: 'prompt-injection',
+            location: `SKILL.md:${lineNum}`,
+        });
+    }
+    // Homoglyph detection
+    const homoglyphMatch = HOMOGLYPH_RE.exec(instructions);
+    if (homoglyphMatch) {
+        const lineNum = instructions.substring(0, homoglyphMatch.index).split('\n').length;
+        const charCode = homoglyphMatch[0]?.codePointAt(0) ?? 0;
+        const latin = HOMOGLYPH_MAP[homoglyphMatch[0]] ?? '?';
+        findings.push({
+            id: 'homoglyph-attack',
+            title: 'Homoglyph character detected',
+            description: `Found non-Latin character U+${charCode.toString(16).toUpperCase().padStart(4, '0')} (looks like "${latin}") at line ${lineNum}. This may be used to bypass text-based security checks.`,
+            severity: 'high',
+            category: 'prompt-injection',
+            location: `SKILL.md:${lineNum}`,
+        });
+    }
+    // Base64-encoded suspicious content
+    const b64Matches = instructions.match(BASE64_BLOCK_RE);
+    if (b64Matches) {
+        for (const b64 of b64Matches) {
+            try {
+                const decoded = Buffer.from(b64, 'base64').toString('utf-8');
+                if (SUSPICIOUS_DECODED.test(decoded)) {
+                    findings.push({
+                        id: 'encoded-payload',
+                        title: 'Base64-encoded suspicious payload',
+                        description: `Decoded content contains executable patterns: "${decoded.substring(0, 60)}..."`,
+                        severity: 'critical',
+                        category: 'prompt-injection',
+                    });
+                    break;
+                }
+            }
+            catch {
+                // Not valid base64, skip
+            }
+        }
+    }
+    // Fullwidth Latin detection
+    const fullwidthMatch = FULLWIDTH_LATIN_RE.exec(instructions);
+    if (fullwidthMatch) {
+        const lineNum = instructions.substring(0, fullwidthMatch.index).split('\n').length;
+        findings.push({
+            id: 'fullwidth-latin',
+            title: 'Fullwidth Latin characters detected',
+            description: `Found fullwidth Latin characters at line ${lineNum}. These bypass word-boundary regex checks while looking identical to normal text.`,
+            severity: 'high',
+            category: 'prompt-injection',
+            location: `SKILL.md:${lineNum}`,
+        });
+    }
+    // Hex-encoded payload detection
+    for (const hexRe of [HEX_ESCAPE_RE, HEX_BLOCK_RE]) {
+        const hexMatch = hexRe.exec(instructions);
+        if (hexMatch) {
+            try {
+                const hex = hexMatch[0].replace(/\\x/g, '');
+                const decoded = Buffer.from(hex, 'hex').toString('utf-8');
+                if (SUSPICIOUS_DECODED.test(decoded)) {
+                    findings.push({
+                        id: 'hex-encoded-payload',
+                        title: 'Hex-encoded suspicious payload',
+                        description: `Decoded hex content contains executable patterns: "${decoded.substring(0, 60)}..."`,
+                        severity: 'critical',
+                        category: 'prompt-injection',
+                    });
+                    break;
+                }
+            }
+            catch {
+                // Not valid hex, skip
+            }
+        }
+    }
+    const hasCritical = findings.some((f) => f.severity === 'critical');
+    const hasHigh = findings.some((f) => f.severity === 'high');
+    const status = hasCritical ? 'fail' : hasHigh ? 'warn' : findings.length > 0 ? 'warn' : 'pass';
+    const label = findings.length === 0
+        ? 'Prompt Safety: No injection patterns detected'
+        : `Prompt Safety: ${findings.length} suspicious pattern(s) detected`;
+    return { status, label, findings };
+}
+//# sourceMappingURL=instruction-patterns.js.map

package/dist/instruction-patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"instruction-patterns.js","sourceRoot":"","sources":["../src/instruction-patterns.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAgBH,MAAM,QAAQ,GAAuB;IACnC,4BAA4B;IAC5B;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,gDAAgD;QACvD,KAAK,EACH,yIAAyI;QAC3I,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,kBAAkB;KAC7B;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,qCAAqC;QAC5C,KAAK,EACH,kNAAkN;QACpN,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,kBAAkB;KAC7B;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,KAAK,EAAE,8CAA8C;QACrD,KAAK,EAAE,6EAA6E;QACpF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,kBAAkB;KAC7B;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,qCAAqC;QAC5C,KAAK,EACH,gMAAgM;QAClM,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,kBAAkB;KAC7B;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,wCAAwC;QAC/C,KAAK,EAAE,gEAAgE;QACvE,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,kBAAkB;KAC7B;IAED,0BAA0B;IAC1B;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,qCAAqC;QAC5C,KAAK,EAAE,gFAAgF;QACvF,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,gBAAgB;KAC3B;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,KAAK,EAAE,gCAAgC;QACvC,KAAK,EACH,8MAA8M;QAChN,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,gBAAgB;KAC3B;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,KAAK,EAAE,qCAAqC;QAC5C,KAAK,EAAE,kEAAkE;QACzE,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,gBAAgB;KAC3B;IACD;QACE,EAAE,EAAE,cAAc;QAClB,KAAK,EAAE,mCAAmC;QAC1C,KAAK,EACH,uGAAuG;QACzG,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,gBAAgB;KAC3B;IACD;QACE,EAAE,EAAE,eAAe;QACnB,KAAK,EAAE,+BAA+B;QACtC,KAAK,EACH,mGAAmG;QACrG,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,gBAAgB;KAC3B;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,KAAK,EAAE,6BAA6B;QACpC,KAAK,EAAE,0DAA0D;QACjE,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,gBAAgB;KAC3B;CACF,CAAC;AAEF,8EAA8E;AAC9E,+BAA+B;AAC/B,8EAA8E;AAE9E,mEAAmE;AACnE,MAAM,iBAAiB,GACrB,gIAAgI,CAAC;AAEnI,iDAAiD;AACjD,MAAM,kBAAkB,GAAG,qBAAqB,CAAC;AAEjD,mFAAmF;AACnF,MAAM,aAAa,GAA2B;IAC5C,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG;IAC1D,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG;IAC1D,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG;IAC1D,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG;IAC1D,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG;IAC1D,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG;IAC3C,QAAQ;IACR,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG;IAC1D,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG;IAC1D,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG;IAC1D,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG;IAC1D,QAAQ,EAAE,GAAG;CACd,CAAC;AACF,MAAM,YAAY,GAAG,IAAI,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;AAE5E,wCAAwC;AACxC,MAAM,eAAe,GAAG,2BAA2B,CAAC;AACpD,MAAM,kBAAkB,GACtB,4FAA4F,CAAC;AAE/F,oCAAoC;AACpC,MAAM,aAAa,GAAG,0BAA0B,CAAC;AACjD,MAAM,YAAY,GAAG,4BAA4B,CAAC;AAElD,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,gBAAgB,EAAE,gBAAgB,EAAE,2BAA2B;IAC/D,sCAAsC,EAAE,cAAc,EAAE,mBAAmB;IAC3E,qBAAqB,EAAE,SAAS,EAAE,kBAAkB;IACpD,oCAAoC,EAAE,sBAAsB,EAAE,gBAAgB;IAC9E,cAAc;CACf,CAAC;AAEF,SAAS,oBAAoB,CAAC,YAAoB,EAAE,UAAkB;IACpE,MAAM,SAAS,GAAG,YAAY,CAAC,WAAW,CAAC,IAAI,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC;IACjE,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IACvD,MAAM,IAAI,GAAG,YAAY,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;IACnG,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;AAC3E,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,iBAAiB,CAAC,QAAkB;IAC3C,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,UAAU,CAAC,CAAC,OAAO,QAAQ,CAAC;QACjC,KAAK,MAAM,CAAC,CAAC,OAAO,KAAK,CAAC;QAC1B,KAAK,QAAQ,CAAC,CAAC,OAAO,KAAK,CAAC;QAC5B,KAAK,KAAK,CAAC,CAAC,OAAO,MAAM,CAAC;QAC1B,OAAO,CAAC,CAAC,OAAO,QAAQ,CAAC;IAC3B,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,YAAoB,EAAE,UAAkB;IAChE,MAAM,MAAM,GAAG,YAAY,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,GAAG,CAAC,EAAE,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;IAC/F,OAAO,uGAAuG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAC9H,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAC/B,YAAoB,EACpB,aAAwC,OAAO;IAE/C,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,mBAAmB;IACnB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC/C,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,OAAO,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;YAE1E,iEAAiE;YACjE,IAAI,OAAO,CAAC,EAAE,KAAK,mBAAmB,IAAI,oBAAoB,CAAC,YAAY,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC1F,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,OAAO,CAAC,EAAE;oBACd,KAAK,EAAE,GAAG,OAAO,CAAC,KAAK,8BAA8B;oBACrD,WAAW,EAAE,sBAAsB,OAAO,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,sDAAsD;oBAC/H,QAAQ,EAAE,KAAK;oBACf,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,QAAQ,EAAE,YAAY,OAAO,EAAE;iBAChC,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,mEAAmE;YACnE,IAAI,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;YAChC,IAAI,gBAAgB,CAAC,YAAY,EAAE,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChD,QAAQ,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YACzC,CAAC;YAED,+DAA+D;YAC/D,IAAI,UAAU,KAAK,eAAe,EAAE,CAAC;gBACnC,QAAQ,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YACzC,CAAC;YAED,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,WAAW,EAAE,sBAAsB,OAAO,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG;gBAC5E,QAAQ;gBACR,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,QAAQ,EAAE,YAAY,OAAO,EAAE;aAChC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,MAAM,YAAY,GAAG,iBAAiB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC1D,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,OAAO,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC,EAAE,YAAY,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;QACjF,MAAM,QAAQ,GAAG,YAAY,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtD,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,gBAAgB;YACpB,KAAK,EAAE,oCAAoC;YAC3C,WAAW,EAAE,+BAA+B,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,YAAY,OAAO,oDAAoD;YACvK,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,kBAAkB;YAC5B,QAAQ,EAAE,YAAY,OAAO,EAAE;SAChC,CAAC,CAAC;IACL,CAAC;IAED,sBAAsB;IACtB,MAAM,cAAc,GAAG,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACvD,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,OAAO,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC,EAAE,cAAc,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;QACnF,MAAM,QAAQ,GAAG,cAAc,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACxD,MAAM,KAAK,GAAG,aAAa,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC;QACtD,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,kBAAkB;YACtB,KAAK,EAAE,8BAA8B;YACrC,WAAW,EAAE,+BAA+B,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,iBAAiB,KAAK,cAAc,OAAO,0DAA0D;YACrM,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,kBAAkB;YAC5B,QAAQ,EAAE,YAAY,OAAO,EAAE;SAChC,CAAC,CAAC;IACL,CAAC;IAED,oCAAoC;IACpC,MAAM,UAAU,GAAG,YAAY,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IACvD,IAAI,UAAU,EAAE,CAAC;QACf,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBAC7D,IAAI,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBACrC,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,iBAAiB;wBACrB,KAAK,EAAE,mCAAmC;wBAC1C,WAAW,EAAE,kDAAkD,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM;wBAC7F,QAAQ,EAAE,UAAU;wBACpB,QAAQ,EAAE,kBAAkB;qBAC7B,CAAC,CAAC;oBACH,MAAM;gBACR,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,yBAAyB;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,MAAM,cAAc,GAAG,kBAAkB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC7D,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,OAAO,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC,EAAE,cAAc,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;QACnF,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,iBAAiB;YACrB,KAAK,EAAE,qCAAqC;YAC5C,WAAW,EAAE,4CAA4C,OAAO,mFAAmF;YACnJ,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,kBAAkB;YAC5B,QAAQ,EAAE,YAAY,OAAO,EAAE;SAChC,CAAC,CAAC;IACL,CAAC;IAED,gCAAgC;IAChC,KAAK,MAAM,KAAK,IAAI,CAAC,aAAa,EAAE,YAAY,CAAC,EAAE,CAAC;QAClD,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC1C,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;gBAC5C,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBAC1D,IAAI,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBACrC,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,qBAAqB;wBACzB,KAAK,EAAE,gCAAgC;wBACvC,WAAW,EAAE,sDAAsD,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM;wBACjG,QAAQ,EAAE,UAAU;wBACpB,QAAQ,EAAE,kBAAkB;qBAC7B,CAAC,CAAC;oBACH,MAAM;gBACR,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,sBAAsB;YACxB,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC;IACpE,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;IAE/F,MAAM,KAAK,GACT,QAAQ,CAAC,MAAM,KAAK,CAAC;QACnB,CAAC,CAAC,+CAA+C;QACjD,CAAC,CAAC,kBAAkB,QAAQ,CAAC,MAAM,iCAAiC,CAAC;IAEzE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;AACrC,CAAC"}