@q32/signal-scanner 0.1.0 → 0.1.1

package/dist/intel.js

@@ -0,0 +1,480 @@
+// URL threat-intelligence correlation for the signal scanner.
+//
+// Runtime-agnostic: depends only on the WHATWG `fetch`, `URL`, and standard
+// timers, so it runs unchanged in Node and in Cloudflare Workers. Everything
+// environment-specific (the fetch implementation, API keys, bounds) is injected
+// through `UrlIntelConfig` — there are no `process.env` or node imports here.
+//
+// It takes the URLs/hosts a scan discovered, correlates them against open and
+// keyed reputation sources, and returns both normalized scanner `Finding`s and a
+// per-source result so callers can show which feeds ran, matched, or failed.
+import { matchCachedFeeds } from "./feeds.js";
+// Live API hits are treated as strong evidence; cached feeds carry their own band.
+const LIVE_INTEL_SCORE = 95;
+const DEFAULT_MAX_HOSTS = 100;
+const DEFAULT_MAX_URLS = 100;
+const DEFAULT_TIMEOUT_MS = 4000;
+const DEFAULT_USER_AGENT = "q32-signal-scanner/0.1";
+/**
+ * Correlate discovered URLs/hosts against threat-intelligence sources.
+ * Never throws for individual source failures — a failed source is reported
+ * with `status: "error"` so callers can surface it instead of treating a feed
+ * outage as a clean result.
+ */
+export async function checkUrlIntel(input, config = {}) {
+    const maxHosts = config.maxHosts ?? DEFAULT_MAX_HOSTS;
+    const maxUrls = config.maxUrls ?? DEFAULT_MAX_URLS;
+    const urls = dedupe(input.urls ?? []).slice(0, maxUrls);
+    const hosts = dedupe([...(input.hosts ?? []), ...hostsFromUrls(urls)]).slice(0, maxHosts);
+    if (config.disabled) {
+        return { sources: [], matches: [], findings: [] };
+    }
+    const ctx = {
+        // Must be bound to globalThis: calling it as ctx.fetch(...) otherwise makes
+        // `this` the context object, which Cloudflare rejects (Illegal Invocation).
+        fetch: config.fetchImpl ?? globalThis.fetch.bind(globalThis),
+        timeoutMs: config.timeoutMs ?? DEFAULT_TIMEOUT_MS,
+        userAgent: config.userAgent ?? DEFAULT_USER_AGENT,
+        googleSafeBrowsingKey: config.googleSafeBrowsingKey,
+        abuseChAuthKey: config.abuseChAuthKey,
+        storage: config.storage
+    };
+    // The cached-feed source only joins when storage is wired — we don't list a
+    // source we can't query.
+    const activeSources = ctx.storage ? [...INTEL_SOURCES, CACHED_FEEDS_SOURCE] : INTEL_SOURCES;
+    const sources = await Promise.all(activeSources.map((source) => source.run({ urls, hosts }, ctx)));
+    const matches = sources.flatMap((source) => source.matches);
+    const findings = matches.map((match, index) => findingForMatch(match, index));
+    return { sources, matches, findings };
+}
+/** Derive intel targets (urls + registrable hosts) from a scanner report's URL inventory. */
+export function intelTargetsFromUrls(urls) {
+    const normalized = urls.map((url) => url.normalized).filter(Boolean);
+    return { urls: dedupe(normalized), hosts: dedupe(hostsFromUrls(normalized)) };
+}
+const INTEL_SOURCES = [
+    {
+        source: "urlhaus",
+        provider: "URLhaus",
+        async run(input, ctx) {
+            const base = { source: "urlhaus", provider: "URLhaus" };
+            const matches = [];
+            let lastError;
+            for (const host of input.hosts) {
+                const r = await guarded(() => queryUrlhausHost(host, ctx));
+                if (r.error)
+                    lastError = r.error;
+                else if (r.value)
+                    matches.push(r.value);
+            }
+            for (const url of input.urls) {
+                const r = await guarded(() => queryUrlhausUrl(url, ctx));
+                if (r.error)
+                    lastError = r.error;
+                else if (r.value)
+                    matches.push(r.value);
+            }
+            return settle(base, input.urls.length, input.hosts.length, matches, lastError);
+        }
+    },
+    {
+        source: "threatfox",
+        provider: "ThreatFox",
+        async run(input, ctx) {
+            const base = { source: "threatfox", provider: "ThreatFox" };
+            const matches = [];
+            let lastError;
+            for (const host of input.hosts) {
+                const r = await guarded(() => queryThreatFoxHost(host, ctx));
+                if (r.error)
+                    lastError = r.error;
+                else if (r.value)
+                    matches.push(r.value);
+            }
+            return settle(base, 0, input.hosts.length, matches, lastError);
+        }
+    },
+    {
+        source: "google-safebrowsing",
+        provider: "Google Safe Browsing",
+        async run(input, ctx) {
+            const base = { source: "google-safebrowsing", provider: "Google Safe Browsing" };
+            if (!ctx.googleSafeBrowsingKey) {
+                return { ...base, status: "error", reason: "Google Safe Browsing key not configured", urlsChecked: input.urls.length, hostsChecked: 0, matches: [] };
+            }
+            const r = await guarded(() => queryGoogleSafeBrowsing(input.urls, ctx));
+            if (r.error) {
+                return { ...base, status: "error", reason: r.error, urlsChecked: input.urls.length, hostsChecked: 0, matches: [] };
+            }
+            const matches = r.value ?? [];
+            return settle(base, input.urls.length, 0, matches, undefined);
+        }
+    }
+];
+// Matches crawled hosts against the cached blocklist feed index in storage.
+// Only included in the run when config.storage is provided.
+const CACHED_FEEDS_SOURCE = {
+    source: "cached-feeds",
+    provider: "Blocklist feeds",
+    async run(input, ctx) {
+        const base = { source: "cached-feeds", provider: "Blocklist feeds" };
+        if (!ctx.storage)
+            return { ...base, status: "clean", urlsChecked: 0, hostsChecked: 0, matches: [] };
+        const r = await guarded(() => matchCachedFeeds(ctx.storage, input.hosts));
+        if (r.error) {
+            return { ...base, status: "error", reason: r.error, urlsChecked: 0, hostsChecked: input.hosts.length, matches: [] };
+        }
+        const matches = (r.value ?? []).map((m) => ({
+            source: "cached-feeds",
+            provider: m.source ? `Blocklist: ${m.source}` : "Blocklist feeds",
+            host: m.host,
+            score: m.score,
+            detail: { feed: m.feedId, feed_source: m.source }
+        }));
+        return settle(base, 0, input.hosts.length, matches, undefined);
+    }
+};
+function settle(base, urlsChecked, hostsChecked, matches, errorReason) {
+    if (matches.length)
+        return { ...base, status: "match", urlsChecked, hostsChecked, matches };
+    if (errorReason)
+        return { ...base, status: "error", reason: errorReason, urlsChecked, hostsChecked, matches: [] };
+    return { ...base, status: "clean", urlsChecked, hostsChecked, matches: [] };
+}
+async function guarded(query) {
+    try {
+        return { value: await query() };
+    }
+    catch (error) {
+        return { error: error instanceof Error ? error.message : "lookup failed" };
+    }
+}
+// ---- Sources -------------------------------------------------------------
+async function queryUrlhausHost(host, ctx) {
+    if (isPrivateOrLocalHost(host))
+        return null;
+    // Multi-tenant hosts (cloud buckets, CDNs, app-hosting platforms) collect
+    // feed entries for OTHER tenants' malicious objects. A site that merely loads
+    // an asset from such a host must not inherit that reputation — only an
+    // exact-URL match (an object the site actually loads) convicts. See
+    // queryUrlhausUrl, which still runs against the crawled URL inventory.
+    if (isMultiTenantHost(host))
+        return null;
+    const response = await postForm("https://urlhaus-api.abuse.ch/v1/host/", { host }, ctx);
+    if (!response || response.query_status !== "ok")
+        return null;
+    const urls = Array.isArray(response.urls) ? response.urls : [];
+    // A host appearing in URLhaus is not automatically malware infrastructure:
+    // popular hosts (open redirectors, file hosts) collect entries when a single
+    // URL is abused. Score by how live and how recent the evidence is — a dead,
+    // years-old entry on an otherwise-legitimate host is weak signal, while a
+    // currently-online recent listing is a strong conviction.
+    const { score, basis, onlineCount } = urlhausHostStrength(urls);
+    return {
+        source: "urlhaus",
+        provider: "URLhaus",
+        host,
+        score,
+        detail: {
+            query_status: response.query_status,
+            url_count: urls.length,
+            online_count: onlineCount,
+            score_basis: basis,
+            sample: urls.slice(0, 5)
+        }
+    };
+}
+const RECENT_INTEL_DAYS = 90;
+/** Grade a URLhaus host listing by liveness and recency of its URLs. */
+function urlhausHostStrength(urls) {
+    let anyOnline = false;
+    let recentOnline = false;
+    let recentOffline = false;
+    let onlineCount = 0;
+    for (const u of urls) {
+        const online = String(u?.url_status ?? "").toLowerCase() === "online";
+        const age = daysSince(u?.date_added);
+        const recent = age !== null && age <= RECENT_INTEL_DAYS;
+        if (online) {
+            anyOnline = true;
+            onlineCount += 1;
+            if (recent)
+                recentOnline = true;
+        }
+        else if (recent) {
+            recentOffline = true;
+        }
+    }
+    if (recentOnline)
+        return { score: 95, basis: "online_recent", onlineCount };
+    if (anyOnline)
+        return { score: 75, basis: "online_aged", onlineCount };
+    if (recentOffline)
+        return { score: 45, basis: "offline_recent", onlineCount };
+    return { score: 20, basis: "offline_aged", onlineCount };
+}
+async function queryUrlhausUrl(url, ctx) {
+    const host = hostOf(url);
+    if (!host || isPrivateOrLocalHost(host))
+        return null;
+    const response = await postForm("https://urlhaus-api.abuse.ch/v1/url/", { url }, ctx);
+    if (!response || response.query_status !== "ok")
+        return null;
+    return {
+        source: "urlhaus",
+        provider: "URLhaus",
+        url,
+        host,
+        score: LIVE_INTEL_SCORE,
+        detail: {
+            query_status: response.query_status,
+            threat: response.threat,
+            url_status: response.url_status,
+            tags: Array.isArray(response.tags) ? response.tags : []
+        }
+    };
+}
+async function queryThreatFoxHost(host, ctx) {
+    if (isPrivateOrLocalHost(host))
+        return null;
+    const response = await postJson("https://threatfox-api.abuse.ch/api/v1/", { query: "search_ioc", search_term: host }, ctx);
+    if (!response || response.query_status !== "ok")
+        return null;
+    const data = Array.isArray(response.data) ? response.data : [];
+    const target = host.toLowerCase();
+    // ThreatFox `search_ioc` is a SUBSTRING search: querying "google.com" returns
+    // IOCs that merely contain that string — "guard-google.com",
+    // "google.com-x18-...sslip.io", a malware file on "drive.google.com", etc.
+    // None of those make google.com itself malicious. Only domain/IP IOCs whose
+    // host EXACTLY equals the queried host actually convict that host. URL IOCs
+    // flag one path on a (possibly shared) host and are not a host-level verdict.
+    const exact = data.filter((ioc) => {
+        const type = String(ioc?.ioc_type ?? "");
+        if (type !== "domain" && type !== "ip:port" && type !== "ip")
+            return false;
+        return iocHost(ioc?.ioc) === target;
+    });
+    if (!exact.length)
+        return null;
+    return {
+        source: "threatfox",
+        provider: "ThreatFox",
+        host,
+        score: LIVE_INTEL_SCORE,
+        detail: {
+            query_status: response.query_status,
+            ioc_count: exact.length,
+            sample: exact.slice(0, 5)
+        }
+    };
+}
+/** Extract a bare host from a ThreatFox IOC string (url, domain, or host:port). */
+function iocHost(ioc) {
+    if (!ioc)
+        return null;
+    const s = String(ioc).trim();
+    if (s.includes("://"))
+        return hostOf(s);
+    const host = s.split("/")[0].split(":")[0];
+    return host ? host.toLowerCase() : null;
+}
+/** Age in days of an abuse.ch timestamp ("2024-11-12 06:08:05 UTC"), or null. */
+function daysSince(value) {
+    if (!value)
+        return null;
+    const t = Date.parse(String(value).replace(" UTC", "Z").replace(" ", "T"));
+    if (Number.isNaN(t))
+        return null;
+    return (Date.now() - t) / 86_400_000;
+}
+// One batched request covers every discovered URL.
+async function queryGoogleSafeBrowsing(urls, ctx) {
+    const entries = urls.filter((url) => {
+        const host = hostOf(url);
+        return host && !isPrivateOrLocalHost(host);
+    });
+    if (!entries.length)
+        return [];
+    const response = await postJson(`https://safebrowsing.googleapis.com/v4/threatMatches:find?key=${encodeURIComponent(ctx.googleSafeBrowsingKey ?? "")}`, {
+        client: { clientId: "q32-signal-scanner", clientVersion: "0.1" },
+        threatInfo: {
+            threatTypes: ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE", "POTENTIALLY_HARMFUL_APPLICATION"],
+            platformTypes: ["ANY_PLATFORM"],
+            threatEntryTypes: ["URL"],
+            threatEntries: entries.slice(0, 500).map((url) => ({ url }))
+        }
+    }, ctx);
+    if (!response || !Array.isArray(response.matches))
+        return [];
+    return response.matches.map((match) => ({
+        source: "google-safebrowsing",
+        provider: "Google Safe Browsing",
+        url: typeof match?.threat?.url === "string" ? match.threat.url : undefined,
+        host: hostOf(String(match?.threat?.url ?? "")) ?? undefined,
+        score: LIVE_INTEL_SCORE,
+        detail: {
+            threat_type: match?.threatType,
+            platform_type: match?.platformType,
+            cache_duration: match?.cacheDuration
+        }
+    }));
+}
+// ---- Findings ------------------------------------------------------------
+/** Map an evidence score (0-100) onto the lib's severity/confidence buckets. */
+export function severityForScore(score) {
+    if (score >= 85)
+        return "high";
+    if (score >= 60)
+        return "medium";
+    if (score >= 40)
+        return "low";
+    return "info";
+}
+function findingForMatch(match, index) {
+    const locationValue = match.url ?? match.host ?? "unknown";
+    const ruleId = `intel.${match.source}`;
+    const scoreModel = { base: match.score, tags: ["hosting", "url"] };
+    return {
+        id: `${ruleId}:${index}`,
+        ruleId,
+        severity: severityForScore(match.score),
+        confidence: match.score >= 80 ? "high" : "medium",
+        score: match.score,
+        scoreModel,
+        title: `Known-bad ${match.url ? "URL" : "host"} flagged by ${match.provider}`,
+        description: `${match.provider} threat intelligence matched a crawled ${match.url ? "URL" : "host"} (score ${match.score}).`,
+        locationType: "url",
+        locationValue,
+        metadata: { intel_source: match.source, provider: match.provider, host: match.host, url: match.url, score: match.score, ...match.detail }
+    };
+}
+// ---- HTTP + host helpers -------------------------------------------------
+// abuse.ch (URLhaus + ThreatFox) require an Auth-Key header. Send it to those
+// hosts only; never leak it to other endpoints (e.g. Safe Browsing).
+function abuseChHeaders(url, ctx) {
+    if (!ctx.abuseChAuthKey || !/\.abuse\.ch$/i.test(safeHost(url)))
+        return {};
+    return { "Auth-Key": ctx.abuseChAuthKey };
+}
+function safeHost(url) {
+    try {
+        return new URL(url).hostname.toLowerCase();
+    }
+    catch {
+        return "";
+    }
+}
+async function postForm(url, body, ctx) {
+    const response = await ctx.fetch(url, {
+        method: "POST",
+        headers: { "content-type": "application/x-www-form-urlencoded", "user-agent": ctx.userAgent, ...abuseChHeaders(url, ctx) },
+        body: new URLSearchParams(body),
+        signal: AbortSignal.timeout(ctx.timeoutMs)
+    });
+    if (!response.ok)
+        throw new Error(`${url} responded ${response.status}`);
+    const parsed = await response.json();
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+}
+async function postJson(url, body, ctx) {
+    const response = await ctx.fetch(url, {
+        method: "POST",
+        headers: { "content-type": "application/json", "user-agent": ctx.userAgent, ...abuseChHeaders(url, ctx) },
+        body: JSON.stringify(body),
+        signal: AbortSignal.timeout(ctx.timeoutMs)
+    });
+    if (!response.ok)
+        throw new Error(`${url} responded ${response.status}`);
+    const parsed = await response.json();
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+}
+function hostOf(url) {
+    try {
+        return new URL(url).hostname.toLowerCase();
+    }
+    catch {
+        return null;
+    }
+}
+function hostsFromUrls(urls) {
+    const hosts = [];
+    for (const url of urls) {
+        const host = hostOf(url);
+        if (host)
+            hosts.push(host);
+    }
+    return hosts;
+}
+function dedupe(values) {
+    return [...new Set(values.filter(Boolean))];
+}
+// Hosts that serve content for many independent tenants under one name: cloud
+// object storage, file sharing, CDNs that publish arbitrary packages/content,
+// and app/site-hosting platforms (one tenant per subdomain). One tenant's
+// malicious object is not evidence about a different tenant, so these are never
+// convicted at the host level — only an exact-URL match counts.
+const MULTI_TENANT_HOST_EXACT = new Set([
+    "storage.googleapis.com",
+    "firebasestorage.googleapis.com",
+    "drive.google.com",
+    "docs.google.com",
+    "s3.amazonaws.com",
+    "raw.githubusercontent.com",
+    "gist.githubusercontent.com",
+    "objects.githubusercontent.com",
+    "cdn.jsdelivr.net",
+    "unpkg.com",
+    "files.catbox.moe",
+    "cdn.discordapp.com",
+    "media.discordapp.net"
+]);
+const MULTI_TENANT_HOST_SUFFIXES = [
+    // Cloud object storage
+    ".amazonaws.com",
+    ".blob.core.windows.net",
+    ".r2.dev",
+    ".r2.cloudflarestorage.com",
+    ".digitaloceanspaces.com",
+    ".googleusercontent.com",
+    ".dropboxusercontent.com",
+    // CDNs serving arbitrary tenant/package content
+    ".cloudfront.net",
+    ".akamaihd.net",
+    ".b-cdn.net",
+    ".fastly.net",
+    // App / site hosting platforms (one tenant per subdomain)
+    ".web.app",
+    ".firebaseapp.com",
+    ".netlify.app",
+    ".vercel.app",
+    ".github.io",
+    ".herokuapp.com",
+    ".pages.dev",
+    ".workers.dev",
+    ".azurewebsites.net",
+    ".appspot.com",
+    ".glitch.me",
+    ".repl.co",
+    ".surge.sh"
+];
+export function isMultiTenantHost(host) {
+    const lower = host.toLowerCase();
+    if (MULTI_TENANT_HOST_EXACT.has(lower))
+        return true;
+    return MULTI_TENANT_HOST_SUFFIXES.some((suffix) => lower.endsWith(suffix));
+}
+export function isPrivateOrLocalHost(host) {
+    const lower = host.toLowerCase();
+    if (lower === "localhost" || lower.endsWith(".localhost") || lower.endsWith(".local"))
+        return true;
+    if (/^\d+\.\d+\.\d+\.\d+$/.test(lower)) {
+        const parts = lower.split(".").map(Number);
+        return (parts[0] === 10 ||
+            parts[0] === 127 ||
+            (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) ||
+            (parts[0] === 192 && parts[1] === 168) ||
+            (parts[0] === 169 && parts[1] === 254));
+    }
+    return lower === "::1" || lower.startsWith("fc") || lower.startsWith("fd") || lower.startsWith("fe80");
+}
+//# sourceMappingURL=intel.js.map

package/dist/intel.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"intel.js","sourceRoot":"","sources":["../src/intel.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,EAAE;AACF,4EAA4E;AAC5E,6EAA6E;AAC7E,gFAAgF;AAChF,8EAA8E;AAC9E,EAAE;AACF,8EAA8E;AAC9E,iFAAiF;AACjF,6EAA6E;AAI7E,OAAO,EAAE,gBAAgB,EAAqB,MAAM,YAAY,CAAC;AAqEjE,mFAAmF;AACnF,MAAM,gBAAgB,GAAG,EAAE,CAAC;AAQ5B,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAC9B,MAAM,gBAAgB,GAAG,GAAG,CAAC;AAC7B,MAAM,kBAAkB,GAAG,IAAI,CAAC;AAChC,MAAM,kBAAkB,GAAG,wBAAwB,CAAC;AAEpD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAoB,EAAE,SAAyB,EAAE;IACnF,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,iBAAiB,CAAC;IACtD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,gBAAgB,CAAC;IACnD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IACxD,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,EAAE,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IAE1F,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IACpD,CAAC;IAED,MAAM,GAAG,GAAiB;QACxB,4EAA4E;QAC5E,4EAA4E;QAC5E,KAAK,EAAE,MAAM,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC;QAC5D,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,kBAAkB;QACjD,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,kBAAkB;QACjD,qBAAqB,EAAE,MAAM,CAAC,qBAAqB;QACnD,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC;IAEF,4EAA4E;IAC5E,yBAAyB;IACzB,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,aAAa,EAAE,mBAAmB,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC;IAC5F,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC;IACnG,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC5D,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC,eAAe,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;IAC9E,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;AACxC,CAAC;AAED,6FAA6F;AAC7F,MAAM,UAAU,oBAAoB,CAAC,IAAmC;IACtE,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACrE,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;AAChF,CAAC;AAED,MAAM,aAAa,GAAkB;IACnC;QACE,MAAM,EAAE,SAAS;QACjB,QAAQ,EAAE,SAAS;QACnB,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG;YAClB,MAAM,IAAI,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;YACxD,MAAM,OAAO,GAAiB,EAAE,CAAC;YACjC,IAAI,SAA6B,CAAC;YAClC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;gBAC/B,MAAM,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,CAAC,gBAAgB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;gBAC3D,IAAI,CAAC,CAAC,KAAK;oBAAE,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC;qBAC5B,IAAI,CAAC,CAAC,KAAK;oBAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YAC1C,CAAC;YACD,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;gBAC7B,MAAM,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;gBACzD,IAAI,CAAC,CAAC,KAAK;oBAAE,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC;qBAC5B,IAAI,CAAC,CAAC,KAAK;oBAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YAC1C,CAAC;YACD,OAAO,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;QACjF,CAAC;KACF;IACD;QACE,MAAM,EAAE,WAAW;QACnB,QAAQ,EAAE,WAAW;QACrB,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG;YAClB,MAAM,IAAI,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;YAC5D,MAAM,OAAO,GAAiB,EAAE,CAAC;YACjC,IAAI,SAA6B,CAAC;YAClC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;gBAC/B,MAAM,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,CAAC,kBAAkB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;gBAC7D,IAAI,CAAC,CAAC,KAAK;oBAAE,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC;qBAC5B,IAAI,CAAC,CAAC,KAAK;oBAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YAC1C,CAAC;YACD,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;QACjE,CAAC;KACF;IACD;QACE,MAAM,EAAE,qBAAqB;QAC7B,QAAQ,EAAE,sBAAsB;QAChC,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG;YAClB,MAAM,IAAI,GAAG,EAAE,MAAM,EAAE,qBAAqB,EAAE,QAAQ,EAAE,sBAAsB,EAAE,CAAC;YACjF,IAAI,CAAC,GAAG,CAAC,qBAAqB,EAAE,CAAC;gBAC/B,OAAO,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,yCAAyC,EAAE,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;YACvJ,CAAC;YACD,MAAM,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,CAAC,uBAAuB,CAAC,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;YACxE,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;gBACZ,OAAO,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC,KAAK,EAAE,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;YACrH,CAAC;YACD,MAAM,OAAO,GAAI,CAAC,CAAC,KAA6B,IAAI,EAAE,CAAC;YACvD,OAAO,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;QAChE,CAAC;KACF;CACF,CAAC;AAEF,4EAA4E;AAC5E,4DAA4D;AAC5D,MAAM,mBAAmB,GAAgB;IACvC,MAAM,EAAE,cAAc;IACtB,QAAQ,EAAE,iBAAiB;IAC3B,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG;QAClB,MAAM,IAAI,GAAG,EAAE,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE,iBAAiB,EAAE,CAAC;QACrE,IAAI,CAAC,GAAG,CAAC,OAAO;YAAE,OAAO,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACpG,MAAM,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,CAAC,gBAAgB,CAAC,GAAG,CAAC,OAAQ,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;QAC3E,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;YACZ,OAAO,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC,KAAK,EAAE,WAAW,EAAE,CAAC,EAAE,YAAY,EAAE,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACtH,CAAC;QACD,MAAM,OAAO,GAAiB,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACxD,MAAM,EAAE,cAAc;YACtB,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,iBAAiB;YACjE,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,KAAK,EAAE,CAAC,CAAC,KAAK;YACd,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;SAClD,CAAC,CAAC,CAAC;QACJ,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;IACjE,CAAC;CACF,CAAC;AAEF,SAAS,MAAM,CACb,IAA0C,EAC1C,WAAmB,EACnB,YAAoB,EACpB,OAAqB,EACrB,WAA+B;IAE/B,IAAI,OAAO,CAAC,MAAM;QAAE,OAAO,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,OAAO,EAAE,CAAC;IAC5F,IAAI,WAAW;QAAE,OAAO,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,YAAY,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IAClH,OAAO,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;AAC9E,CAAC;AAED,KAAK,UAAU,OAAO,CAAI,KAAuB;IAC/C,IAAI,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,MAAM,KAAK,EAAE,EAAE,CAAC;IAClC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,EAAE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC;IAC7E,CAAC;AACH,CAAC;AAED,6EAA6E;AAE7E,KAAK,UAAU,gBAAgB,CAAC,IAAY,EAAE,GAAiB;IAC7D,IAAI,oBAAoB,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5C,0EAA0E;IAC1E,8EAA8E;IAC9E,uEAAuE;IACvE,oEAAoE;IACpE,uEAAuE;IACvE,IAAI,iBAAiB,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACzC,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,uCAAuC,EAAE,EAAE,IAAI,EAAE,EAAE,GAAG,CAAC,CAAC;IACxF,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,YAAY,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAC7D,MAAM,IAAI,GAAU,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,2EAA2E;IAC3E,6EAA6E;IAC7E,4EAA4E;IAC5E,0EAA0E;IAC1E,0DAA0D;IAC1D,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IAChE,OAAO;QACL,MAAM,EAAE,SAAS;QACjB,QAAQ,EAAE,SAAS;QACnB,IAAI;QACJ,KAAK;QACL,MAAM,EAAE;YACN,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,SAAS,EAAE,IAAI,CAAC,MAAM;YACtB,YAAY,EAAE,WAAW;YACzB,WAAW,EAAE,KAAK;YAClB,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;SACzB;KACF,CAAC;AACJ,CAAC;AAED,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B,wEAAwE;AACxE,SAAS,mBAAmB,CAAC,IAAW;IACtC,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,IAAI,YAAY,GAAG,KAAK,CAAC;IACzB,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,CAAC;QACtE,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;QACrC,MAAM,MAAM,GAAG,GAAG,KAAK,IAAI,IAAI,GAAG,IAAI,iBAAiB,CAAC;QACxD,IAAI,MAAM,EAAE,CAAC;YACX,SAAS,GAAG,IAAI,CAAC;YACjB,WAAW,IAAI,CAAC,CAAC;YACjB,IAAI,MAAM;gBAAE,YAAY,GAAG,IAAI,CAAC;QAClC,CAAC;aAAM,IAAI,MAAM,EAAE,CAAC;YAClB,aAAa,GAAG,IAAI,CAAC;QACvB,CAAC;IACH,CAAC;IACD,IAAI,YAAY;QAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,CAAC;IAC5E,IAAI,SAAS;QAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,CAAC;IACvE,IAAI,aAAa;QAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,gBAAgB,EAAE,WAAW,EAAE,CAAC;IAC9E,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC;AAC3D,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,GAAW,EAAE,GAAiB;IAC3D,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IACzB,IAAI,CAAC,IAAI,IAAI,oBAAoB,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACrD,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,sCAAsC,EAAE,EAAE,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;IACtF,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,YAAY,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAC7D,OAAO;QACL,MAAM,EAAE,SAAS;QACjB,QAAQ,EAAE,SAAS;QACnB,GAAG;QACH,IAAI;QACJ,KAAK,EAAE,gBAAgB;QACvB,MAAM,EAAE;YACN,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;SACxD;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,kBAAkB,CAAC,IAAY,EAAE,GAAiB;IAC/D,IAAI,oBAAoB,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5C,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,wCAAwC,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE,GAAG,CAAC,CAAC;IAC3H,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,YAAY,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAC7D,MAAM,IAAI,GAAU,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IAClC,8EAA8E;IAC9E,6DAA6D;IAC7D,2EAA2E;IAC3E,4EAA4E;IAC5E,4EAA4E;IAC5E,8EAA8E;IAC9E,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QAChC,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC;QACzC,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO,KAAK,CAAC;QAC3E,OAAO,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,KAAK,MAAM,CAAC;IACtC,CAAC,CAAC,CAAC;IACH,IAAI,CAAC,KAAK,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAC/B,OAAO;QACL,MAAM,EAAE,WAAW;QACnB,QAAQ,EAAE,WAAW;QACrB,IAAI;QACJ,KAAK,EAAE,gBAAgB;QACvB,MAAM,EAAE;YACN,YAAY,EAAE,QAAQ,CAAC,YAAY;YACnC,SAAS,EAAE,KAAK,CAAC,MAAM;YACvB,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;SAC1B;KACF,CAAC;AACJ,CAAC;AAED,mFAAmF;AACnF,SAAS,OAAO,CAAC,GAAY;IAC3B,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IAC7B,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;IACxC,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3C,OAAO,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AAC1C,CAAC;AAED,iFAAiF;AACjF,SAAS,SAAS,CAAC,KAAc;IAC/B,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;IAC3E,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACjC,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,GAAG,UAAU,CAAC;AACvC,CAAC;AAED,mDAAmD;AACnD,KAAK,UAAU,uBAAuB,CAAC,IAAc,EAAE,GAAiB;IACtE,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QAClC,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QACzB,OAAO,IAAI,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IACH,IAAI,CAAC,OAAO,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAC7B,iEAAiE,kBAAkB,CAAC,GAAG,CAAC,qBAAqB,IAAI,EAAE,CAAC,EAAE,EACtH;QACE,MAAM,EAAE,EAAE,QAAQ,EAAE,oBAAoB,EAAE,aAAa,EAAE,KAAK,EAAE;QAChE,UAAU,EAAE;YACV,WAAW,EAAE,CAAC,SAAS,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,iCAAiC,CAAC;YACtG,aAAa,EAAE,CAAC,cAAc,CAAC;YAC/B,gBAAgB,EAAE,CAAC,KAAK,CAAC;YACzB,aAAa,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;SAC7D;KACF,EACD,GAAG,CACJ,CAAC;IACF,IAAI,CAAC,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,CAAC;IAC7D,OAAO,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,KAAU,EAAE,EAAE,CAAC,CAAC;QAC3C,MAAM,EAAE,qBAAqB;QAC7B,QAAQ,EAAE,sBAAsB;QAChC,GAAG,EAAE,OAAO,KAAK,EAAE,MAAM,EAAE,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;QAC1E,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,SAAS;QAC3D,KAAK,EAAE,gBAAgB;QACvB,MAAM,EAAE;YACN,WAAW,EAAE,KAAK,EAAE,UAAU;YAC9B,aAAa,EAAE,KAAK,EAAE,YAAY;YAClC,cAAc,EAAE,KAAK,EAAE,aAAa;SACrC;KACF,CAAC,CAAC,CAAC;AACN,CAAC;AAED,6EAA6E;AAE7E,gFAAgF;AAChF,MAAM,UAAU,gBAAgB,CAAC,KAAa;IAC5C,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IAC/B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,QAAQ,CAAC;IACjC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,KAAK,CAAC;IAC9B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,eAAe,CAAC,KAAiB,EAAE,KAAa;IACvD,MAAM,aAAa,GAAG,KAAK,CAAC,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,SAAS,CAAC;IAC3D,MAAM,MAAM,GAAG,SAAS,KAAK,CAAC,MAAM,EAAE,CAAC;IACvC,MAAM,UAAU,GAAmB,EAAE,IAAI,EAAE,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE,CAAC;IACnF,OAAO;QACL,EAAE,EAAE,GAAG,MAAM,IAAI,KAAK,EAAE;QACxB,MAAM;QACN,QAAQ,EAAE,gBAAgB,CAAC,KAAK,CAAC,KAAK,CAAC;QACvC,UAAU,EAAE,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAE,MAAqB,CAAC,CAAC,CAAE,QAAuB;QACjF,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,UAAU;QACV,KAAK,EAAE,aAAa,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,eAAe,KAAK,CAAC,QAAQ,EAAE;QAC7E,WAAW,EAAE,GAAG,KAAK,CAAC,QAAQ,0CAA0C,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,WAAW,KAAK,CAAC,KAAK,IAAI;QAC5H,YAAY,EAAE,KAAK;QACnB,aAAa;QACb,QAAQ,EAAE,EAAE,YAAY,EAAE,KAAK,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,GAAG,KAAK,CAAC,MAAM,EAAE;KAC1I,CAAC;AACJ,CAAC;AAED,6EAA6E;AAE7E,8EAA8E;AAC9E,qEAAqE;AACrE,SAAS,cAAc,CAAC,GAAW,EAAE,GAAiB;IACpD,IAAI,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAAE,OAAO,EAAE,CAAC;IAC3E,OAAO,EAAE,UAAU,EAAE,GAAG,CAAC,cAAc,EAAE,CAAC;AAC5C,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW;IAC3B,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,GAAW,EAAE,IAA4B,EAAE,GAAiB;IAClF,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE;QACpC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE,YAAY,EAAE,GAAG,CAAC,SAAS,EAAE,GAAG,cAAc,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE;QAC1H,IAAI,EAAE,IAAI,eAAe,CAAC,IAAI,CAAC;QAC/B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC;KAC3C,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,cAAc,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACzE,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACrC,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAE,MAA8B,CAAC,CAAC,CAAC,IAAI,CAAC;AACjH,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,GAAW,EAAE,IAA6B,EAAE,GAAiB;IACnF,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE;QACpC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,YAAY,EAAE,GAAG,CAAC,SAAS,EAAE,GAAG,cAAc,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE;QACzG,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;QAC1B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC;KAC3C,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,cAAc,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACzE,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACrC,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAE,MAA8B,CAAC,CAAC,CAAC,IAAI,CAAC;AACjH,CAAC;AAED,SAAS,MAAM,CAAC,GAAW;IACzB,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,IAAc;IACnC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QACzB,IAAI,IAAI;YAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,MAAM,CAAC,MAAgB;IAC9B,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED,8EAA8E;AAC9E,8EAA8E;AAC9E,0EAA0E;AAC1E,gFAAgF;AAChF,gEAAgE;AAChE,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,wBAAwB;IACxB,gCAAgC;IAChC,kBAAkB;IAClB,iBAAiB;IACjB,kBAAkB;IAClB,2BAA2B;IAC3B,4BAA4B;IAC5B,+BAA+B;IAC/B,kBAAkB;IAClB,WAAW;IACX,kBAAkB;IAClB,oBAAoB;IACpB,sBAAsB;CACvB,CAAC,CAAC;AAEH,MAAM,0BAA0B,GAAG;IACjC,uBAAuB;IACvB,gBAAgB;IAChB,wBAAwB;IACxB,SAAS;IACT,2BAA2B;IAC3B,yBAAyB;IACzB,wBAAwB;IACxB,yBAAyB;IACzB,gDAAgD;IAChD,iBAAiB;IACjB,eAAe;IACf,YAAY;IACZ,aAAa;IACb,0DAA0D;IAC1D,UAAU;IACV,kBAAkB;IAClB,cAAc;IACd,aAAa;IACb,YAAY;IACZ,gBAAgB;IAChB,YAAY;IACZ,cAAc;IACd,oBAAoB;IACpB,cAAc;IACd,YAAY;IACZ,UAAU;IACV,WAAW;CACZ,CAAC;AAEF,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,IAAI,uBAAuB,CAAC,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpD,OAAO,0BAA0B,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,IAAY;IAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,IAAI,KAAK,KAAK,WAAW,IAAI,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IACnG,IAAI,sBAAsB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACvC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC3C,OAAO,CACL,KAAK,CAAC,CAAC,CAAC,KAAK,EAAE;YACf,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG;YAChB,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACtD,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC;YACtC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CACvC,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,KAAK,KAAK,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;AACzG,CAAC"}

package/dist/node-tls.d.ts

@@ -0,0 +1,8 @@
+import type { TlsMetadata } from "./index.js";
+export interface CollectTlsMetadataOptions {
+    port?: number;
+    timeoutMs?: number;
+    rejectUnauthorized?: boolean;
+}
+export declare function collectTlsMetadata(target: string | URL, options?: CollectTlsMetadataOptions): Promise<TlsMetadata | undefined>;
+//# sourceMappingURL=node-tls.d.ts.map

package/dist/node-tls.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"node-tls.d.ts","sourceRoot":"","sources":["../src/node-tls.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE9C,MAAM,WAAW,yBAAyB;IACxC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,EAAE,OAAO,GAAE,yBAA8B,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,CAoCxI"}

package/dist/node-tls.js

@@ -0,0 +1,48 @@
+import { connect } from "node:tls";
+export async function collectTlsMetadata(target, options = {}) {
+    const url = typeof target === "string" ? new URL(target.includes("://") ? target : `https://${target}`) : target;
+    if (url.protocol !== "https:")
+        return undefined;
+    const port = options.port ?? (url.port ? Number(url.port) : 443);
+    const timeoutMs = options.timeoutMs ?? 5_000;
+    return await new Promise((resolve) => {
+        const socket = connect({
+            host: url.hostname,
+            port,
+            servername: url.hostname,
+            rejectUnauthorized: options.rejectUnauthorized ?? false,
+            timeout: timeoutMs
+        });
+        const done = (metadata) => {
+            socket.removeAllListeners();
+            socket.destroy();
+            resolve(metadata);
+        };
+        socket.once("secureConnect", () => {
+            const certificate = socket.getPeerCertificate();
+            if (!certificate || Object.keys(certificate).length === 0)
+                return done(undefined);
+            done({
+                authorized: socket.authorized,
+                authorizationError: socket.authorizationError ? String(socket.authorizationError) : null,
+                issuer: distinguishedName(certificate.issuer),
+                subject: distinguishedName(certificate.subject),
+                validFrom: certificate.valid_from,
+                validTo: certificate.valid_to,
+                fingerprint256: certificate.fingerprint256,
+                serialNumber: certificate.serialNumber
+            });
+        });
+        socket.once("timeout", () => done(undefined));
+        socket.once("error", () => done(undefined));
+    });
+}
+function distinguishedName(value) {
+    if (!value)
+        return undefined;
+    const entries = Object.entries(value)
+        .filter(([, item]) => typeof item === "string" && item)
+        .map(([key, item]) => `${key}=${item}`);
+    return entries.length ? entries.join(", ") : undefined;
+}
+//# sourceMappingURL=node-tls.js.map

package/dist/node-tls.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"node-tls.js","sourceRoot":"","sources":["../src/node-tls.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAUnC,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,MAAoB,EAAE,UAAqC,EAAE;IACpG,MAAM,GAAG,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IACjH,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IAChD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACjE,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,KAAK,CAAC;IAE7C,OAAO,MAAM,IAAI,OAAO,CAA0B,CAAC,OAAO,EAAE,EAAE;QAC5D,MAAM,MAAM,GAAG,OAAO,CAAC;YACrB,IAAI,EAAE,GAAG,CAAC,QAAQ;YAClB,IAAI;YACJ,UAAU,EAAE,GAAG,CAAC,QAAQ;YACxB,kBAAkB,EAAE,OAAO,CAAC,kBAAkB,IAAI,KAAK;YACvD,OAAO,EAAE,SAAS;SACnB,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,CAAC,QAAsB,EAAQ,EAAE;YAC5C,MAAM,CAAC,kBAAkB,EAAE,CAAC;YAC5B,MAAM,CAAC,OAAO,EAAE,CAAC;YACjB,OAAO,CAAC,QAAQ,CAAC,CAAC;QACpB,CAAC,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,GAAG,EAAE;YAChC,MAAM,WAAW,GAAG,MAAM,CAAC,kBAAkB,EAAE,CAAC;YAChD,IAAI,CAAC,WAAW,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC;YAClF,IAAI,CAAC;gBACH,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,IAAI;gBACxF,MAAM,EAAE,iBAAiB,CAAC,WAAW,CAAC,MAAM,CAAC;gBAC7C,OAAO,EAAE,iBAAiB,CAAC,WAAW,CAAC,OAAO,CAAC;gBAC/C,SAAS,EAAE,WAAW,CAAC,UAAU;gBACjC,OAAO,EAAE,WAAW,CAAC,QAAQ;gBAC7B,cAAc,EAAE,WAAW,CAAC,cAAc;gBAC1C,YAAY,EAAE,WAAW,CAAC,YAAY;aACvC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAgC;IACzD,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC;SAClC,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC;SACtD,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,CAAC;IAC1C,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AACzD,CAAC"}

package/dist/render.d.ts

@@ -0,0 +1,26 @@
+import { type BehaviorReport } from "./dynamic.js";
+/** Self-contained input for the in-isolate core: HTML + already-fetched external script bodies. */
+export interface RenderInput {
+    html: string;
+    url?: string;
+    externalScripts?: string[];
+}
+/** Runs renderDom — in-process by default, or inside an isolate (isolated-vm / Dynamic Worker). */
+export type RenderInvoke = (input: RenderInput) => RenderResult | Promise<RenderResult>;
+export interface RenderOptions {
+    url?: string;
+    /** Fetch an external script body (caller provides IO + egress). Omit to skip externals. */
+    fetchScript?: (absoluteUrl: string) => Promise<string | null>;
+    /** Where renderDom runs (caller's isolate). Default: in-process (trusted/synthetic use only). */
+    invoke?: RenderInvoke;
+    maxExternalScripts?: number;
+}
+export interface RenderResult {
+    /** Serialized DOM after scripts ran — feed this to the static scanner. */
+    html: string;
+    /** Behaviors recorded while scripts ran. */
+    report: BehaviorReport;
+}
+export declare function renderAndScan(html: string, options?: RenderOptions): Promise<RenderResult>;
+export declare function renderDom(input: RenderInput): RenderResult;
+//# sourceMappingURL=render.d.ts.map

package/dist/render.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"render.d.ts","sourceRoot":"","sources":["../src/render.ts"],"names":[],"mappings":"AAiBA,OAAO,EAA8C,KAAK,cAAc,EAAuB,MAAM,cAAc,CAAC;AAKpH,mGAAmG;AACnG,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,mGAAmG;AACnG,MAAM,MAAM,YAAY,GAAG,CAAC,KAAK,EAAE,WAAW,KAAK,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;AAExF,MAAM,WAAW,aAAa;IAC5B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,2FAA2F;IAC3F,WAAW,CAAC,EAAE,CAAC,WAAW,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC9D,iGAAiG;IACjG,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,YAAY;IAC3B,0EAA0E;IAC1E,IAAI,EAAE,MAAM,CAAC;IACb,4CAA4C;IAC5C,MAAM,EAAE,cAAc,CAAC;CACxB;AASD,wBAAsB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,GAAE,aAAkB,GAAG,OAAO,CAAC,YAAY,CAAC,CA0BpG;AAMD,wBAAgB,SAAS,CAAC,KAAK,EAAE,WAAW,GAAG,YAAY,CA0B1D"}