@sentinel-atl/scanner 0.3.0

package/README.md

@@ -0,0 +1,104 @@
+# @sentinel-atl/scanner
+
+MCP server security scanner — npm audit meets AI agent trust verification.
+
+Analyzes MCP server packages for dependency vulnerabilities, dangerous code patterns, permission requirements, and publisher identity. Produces a 0–100 trust score and can issue/verify Sentinel Trust Certificates (STCs).
+
+## Install
+
+```bash
+npm install @sentinel-atl/scanner
+```
+
+## Quick Start
+
+```ts
+import { scan, issueSTC } from '@sentinel-atl/scanner';
+
+// Full security scan
+const report = await scan({ packageName: 'some-mcp-server' });
+console.log(report.trustScore.overall); // 0-100
+console.log(report.trustScore.grade);   // A-F
+
+// Issue a Sentinel Trust Certificate
+const stc = await issueSTC({
+  issuer: { did: 'did:key:z6Mk...' },
+  subject: { packageName: 'some-mcp-server', packageVersion: '1.0.0' },
+  findings: report.findings,
+});
+```
+
+## Security Analysis
+
+The scanner runs 4 sub-scanners and aggregates results into a single trust score:
+
+### 1. Dependency Vulnerabilities
+
+```ts
+import { scanDependencies } from '@sentinel-atl/scanner';
+const result = await scanDependencies('/path/to/package');
+// Integrates with npm audit
+```
+
+### 2. Code Pattern Analysis
+
+```ts
+import { scanCodePatterns } from '@sentinel-atl/scanner';
+const result = await scanCodePatterns('/path/to/package');
+// Detects: eval, child_process, fs, net, exfiltration, obfuscation
+```
+
+### 3. Permission Analysis
+
+```ts
+import { scanPermissions } from '@sentinel-atl/scanner';
+const result = await scanPermissions('/path/to/package');
+// Analyzes: filesystem, network, process, crypto, environment, native
+```
+
+### 4. Publisher Identity
+
+```ts
+import { scanPublisher } from '@sentinel-atl/scanner';
+const result = await scanPublisher('express');
+// Checks npm registry: maintainers, downloads, repository presence
+```
+
+## Trust Score
+
+```ts
+import { computeTrustScore } from '@sentinel-atl/scanner';
+
+const score = computeTrustScore(findings);
+// { overall: 82, grade: 'B', breakdown: { dependencies, codePatterns, permissions, publisher } }
+```
+
+Grading scale: **A** (90–100), **B** (80–89), **C** (70–79), **D** (60–69), **F** (0–59).
+
+## Sentinel Trust Certificates (STC)
+
+STCs are signed attestations of a scan result — the core artifact of the Sentinel trust ecosystem.
+
+```ts
+import { issueSTC, verifySTC } from '@sentinel-atl/scanner';
+
+// Issue
+const stc = await issueSTC({ issuer, subject, findings });
+
+// Verify
+const result = verifySTC(stc);
+// { valid: true, expired: false, ... }
+```
+
+## MCP Tool Probing
+
+```ts
+import { probeTools } from '@sentinel-atl/scanner';
+
+const result = await probeTools('http://localhost:4000/sse');
+// Returns tool definitions with permission analysis
+```
+
+## License
+
+MIT

package/dist/dependency-scanner.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Dependency scanner — checks for known vulnerabilities via npm audit.
+ */
+import type { Finding } from './scanner.js';
+export interface VulnerablePackage {
+    name: string;
+    severity: 'critical' | 'high' | 'moderate' | 'low' | 'info';
+    title: string;
+    url?: string;
+    range?: string;
+    fixAvailable: boolean;
+}
+export interface DependencyScanResult {
+    vulnerabilities: VulnerablePackage[];
+    totalDependencies: number;
+    findings: Finding[];
+}
+/**
+ * Run `npm audit --json` against a package directory and parse results.
+ */
+export declare function scanDependencies(packagePath: string): Promise<DependencyScanResult>;
+//# sourceMappingURL=dependency-scanner.d.ts.map

package/dist/dependency-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependency-scanner.d.ts","sourceRoot":"","sources":["../src/dependency-scanner.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,MAAM,CAAC;IAC5D,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,OAAO,CAAC;CACvB;AAED,MAAM,WAAW,oBAAoB;IACnC,eAAe,EAAE,iBAAiB,EAAE,CAAC;IACrC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,QAAQ,EAAE,OAAO,EAAE,CAAC;CACrB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAoDzF"}

package/dist/dependency-scanner.js

@@ -0,0 +1,70 @@
+/**
+ * Dependency scanner — checks for known vulnerabilities via npm audit.
+ */
+import { execFile } from 'node:child_process';
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+/**
+ * Run `npm audit --json` against a package directory and parse results.
+ */
+export async function scanDependencies(packagePath) {
+    const findings = [];
+    const vulnerabilities = [];
+    // Check if package-lock.json exists (npm audit requires it)
+    const lockPath = join(packagePath, 'package-lock.json');
+    if (!existsSync(lockPath)) {
+        return { vulnerabilities: [], totalDependencies: 0, findings };
+    }
+    try {
+        const auditOutput = await runNpmAudit(packagePath);
+        const audit = JSON.parse(auditOutput);
+        const totalDependencies = audit.metadata?.totalDependencies ?? 0;
+        // Parse npm audit v2 format
+        if (audit.vulnerabilities) {
+            for (const [name, info] of Object.entries(audit.vulnerabilities)) {
+                const vuln = {
+                    name,
+                    severity: info.severity ?? 'info',
+                    title: info.via?.[0]?.title ?? info.via?.[0] ?? 'Unknown vulnerability',
+                    url: info.via?.[0]?.url,
+                    range: info.range,
+                    fixAvailable: !!info.fixAvailable,
+                };
+                vulnerabilities.push(vuln);
+                const severityMap = {
+                    critical: 'critical',
+                    high: 'high',
+                    moderate: 'medium',
+                    low: 'low',
+                    info: 'info',
+                };
+                findings.push({
+                    severity: severityMap[vuln.severity] ?? 'info',
+                    category: 'vulnerability',
+                    title: `Vulnerable dependency: ${name}`,
+                    description: typeof vuln.title === 'string' ? vuln.title : `Vulnerability in ${name}`,
+                    evidence: vuln.url,
+                });
+            }
+        }
+        return { vulnerabilities, totalDependencies, findings };
+    }
+    catch {
+        // npm audit failed — could be no lockfile, network issue, etc.
+        return { vulnerabilities: [], totalDependencies: 0, findings };
+    }
+}
+function runNpmAudit(cwd) {
+    return new Promise((resolve, reject) => {
+        execFile('npm', ['audit', '--json', '--omit=dev'], { cwd, maxBuffer: 10 * 1024 * 1024 }, (error, stdout) => {
+            // npm audit exits with non-zero when vulnerabilities exist, but still outputs JSON
+            if (stdout) {
+                resolve(stdout);
+            }
+            else {
+                reject(error ?? new Error('npm audit produced no output'));
+            }
+        });
+    });
+}
+//# sourceMappingURL=dependency-scanner.js.map

package/dist/dependency-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependency-scanner.js","sourceRoot":"","sources":["../src/dependency-scanner.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAkBjC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,WAAmB;IACxD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,eAAe,GAAwB,EAAE,CAAC;IAEhD,4DAA4D;IAC5D,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,mBAAmB,CAAC,CAAC;IACxD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,eAAe,EAAE,EAAE,EAAE,iBAAiB,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC;IACjE,CAAC;IAED,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,WAAW,CAAC,CAAC;QACnD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAEtC,MAAM,iBAAiB,GAAG,KAAK,CAAC,QAAQ,EAAE,iBAAiB,IAAI,CAAC,CAAC;QAEjE,4BAA4B;QAC5B,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC;YAC1B,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,eAAe,CAAyB,EAAE,CAAC;gBACzF,MAAM,IAAI,GAAsB;oBAC9B,IAAI;oBACJ,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,MAAM;oBACjC,KAAK,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,uBAAuB;oBACvE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG;oBACvB,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,YAAY,EAAE,CAAC,CAAC,IAAI,CAAC,YAAY;iBAClC,CAAC;gBACF,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAE3B,MAAM,WAAW,GAAwC;oBACvD,QAAQ,EAAE,UAAU;oBACpB,IAAI,EAAE,MAAM;oBACZ,QAAQ,EAAE,QAAQ;oBAClB,GAAG,EAAE,KAAK;oBACV,IAAI,EAAE,MAAM;iBACb,CAAC;gBAEF,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,MAAM;oBAC9C,QAAQ,EAAE,eAAe;oBACzB,KAAK,EAAE,0BAA0B,IAAI,EAAE;oBACvC,WAAW,EAAE,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,oBAAoB,IAAI,EAAE;oBACrF,QAAQ,EAAE,IAAI,CAAC,GAAG;iBACnB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,QAAQ,EAAE,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,+DAA+D;QAC/D,OAAO,EAAE,eAAe,EAAE,EAAE,EAAE,iBAAiB,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC;IACjE,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,QAAQ,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;YACzG,mFAAmF;YACnF,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,CAAC,MAAM,CAAC,CAAC;YAClB,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,KAAK,IAAI,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,24 @@
+/**
+ * @sentinel-atl/scanner — MCP Server Security Scanner
+ *
+ * "npm audit for MCP servers."
+ *
+ * Static analysis engine that scans MCP server packages for:
+ * 1. Dependency vulnerabilities (npm audit integration)
+ * 2. Dangerous code patterns (eval, child_process, fs, net, exfiltration)
+ * 3. Obfuscation detection (encoded payloads, minified code in src)
+ * 4. Permission scope analysis (what system resources does it access?)
+ * 5. Publisher identity verification (npm registry checks)
+ *
+ * Produces a TrustScore (0-100) and a ScanReport with detailed findings.
+ */
+export { scan, type ScanOptions, type ScanReport, type TrustScore, type Finding, type FindingSeverity, type FindingCategory, } from './scanner.js';
+export { scanDependencies, type DependencyScanResult, type VulnerablePackage, } from './dependency-scanner.js';
+export { scanCodePatterns, type PatternScanResult, type CodePattern, type PatternCategory, } from './pattern-scanner.js';
+export { scanPermissions, type PermissionScanResult, type DetectedPermission, type PermissionKind, } from './permission-scanner.js';
+export { computeTrustScore, type ScoreBreakdown, } from './trust-score.js';
+export { issueSTC, verifySTC, type SentinelTrustCertificate, type STCIssuer, type STCSubject, type STCFindingSummary, type STCProof, type STCVerifyResult, type IssueSTCOptions, } from './stc.js';
+export { resolvePackage, cleanupPackage, type ResolvedPackage, } from './package-resolver.js';
+export { probeTools, type ToolProbeResult, type MCPTool, type ProbeOptions, } from './tool-prober.js';
+export { scanPublisher, type PublisherInfo, type PublisherScanResult, } from './publisher-scanner.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,IAAI,EACJ,KAAK,WAAW,EAChB,KAAK,UAAU,EACf,KAAK,UAAU,EACf,KAAK,OAAO,EACZ,KAAK,eAAe,EACpB,KAAK,eAAe,GACrB,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,gBAAgB,EAChB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,GACvB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,gBAAgB,EAChB,KAAK,iBAAiB,EACtB,KAAK,WAAW,EAChB,KAAK,eAAe,GACrB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,eAAe,EACf,KAAK,oBAAoB,EACzB,KAAK,kBAAkB,EACvB,KAAK,cAAc,GACpB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,iBAAiB,EACjB,KAAK,cAAc,GACpB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,QAAQ,EACR,SAAS,EACT,KAAK,wBAAwB,EAC7B,KAAK,SAAS,EACd,KAAK,UAAU,EACf,KAAK,iBAAiB,EACtB,KAAK,QAAQ,EACb,KAAK,eAAe,EACpB,KAAK,eAAe,GACrB,MAAM,UAAU,CAAC;AAElB,OAAO,EACL,cAAc,EACd,cAAc,EACd,KAAK,eAAe,GACrB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EACL,UAAU,EACV,KAAK,eAAe,EACpB,KAAK,OAAO,EACZ,KAAK,YAAY,GAClB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,aAAa,EACb,KAAK,aAAa,EAClB,KAAK,mBAAmB,GACzB,MAAM,wBAAwB,CAAC"}

package/dist/index.js

@@ -0,0 +1,24 @@
+/**
+ * @sentinel-atl/scanner — MCP Server Security Scanner
+ *
+ * "npm audit for MCP servers."
+ *
+ * Static analysis engine that scans MCP server packages for:
+ * 1. Dependency vulnerabilities (npm audit integration)
+ * 2. Dangerous code patterns (eval, child_process, fs, net, exfiltration)
+ * 3. Obfuscation detection (encoded payloads, minified code in src)
+ * 4. Permission scope analysis (what system resources does it access?)
+ * 5. Publisher identity verification (npm registry checks)
+ *
+ * Produces a TrustScore (0-100) and a ScanReport with detailed findings.
+ */
+export { scan, } from './scanner.js';
+export { scanDependencies, } from './dependency-scanner.js';
+export { scanCodePatterns, } from './pattern-scanner.js';
+export { scanPermissions, } from './permission-scanner.js';
+export { computeTrustScore, } from './trust-score.js';
+export { issueSTC, verifySTC, } from './stc.js';
+export { resolvePackage, cleanupPackage, } from './package-resolver.js';
+export { probeTools, } from './tool-prober.js';
+export { scanPublisher, } from './publisher-scanner.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,IAAI,GAOL,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,gBAAgB,GAGjB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,gBAAgB,GAIjB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,eAAe,GAIhB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,iBAAiB,GAElB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,QAAQ,EACR,SAAS,GAQV,MAAM,UAAU,CAAC;AAElB,OAAO,EACL,cAAc,EACd,cAAc,GAEf,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EACL,UAAU,GAIX,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,aAAa,GAGd,MAAM,wBAAwB,CAAC"}

package/dist/package-resolver.d.ts

@@ -0,0 +1,30 @@
+/**
+ * NPM package resolver — download and extract npm packages for scanning.
+ *
+ * Supports:
+ * - npm package names: "@modelcontextprotocol/server-filesystem"
+ * - npm package@version: "@scope/name@1.2.3"
+ * - Local paths: "./my-server" or "/abs/path"
+ * - GitHub URLs (future): "github:user/repo"
+ */
+export interface ResolvedPackage {
+    /** Absolute path to the extracted package directory */
+    path: string;
+    /** Package name from package.json */
+    name: string;
+    /** Package version from package.json */
+    version: string;
+    /** Source type */
+    source: 'npm' | 'local';
+    /** Whether we need to clean up (true for npm downloads) */
+    isTemporary: boolean;
+}
+/**
+ * Resolve a package specifier to a local directory ready for scanning.
+ */
+export declare function resolvePackage(specifier: string): Promise<ResolvedPackage>;
+/**
+ * Clean up a temporary package directory.
+ */
+export declare function cleanupPackage(resolved: ResolvedPackage): Promise<void>;
+//# sourceMappingURL=package-resolver.d.ts.map

package/dist/package-resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"package-resolver.d.ts","sourceRoot":"","sources":["../src/package-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAQH,MAAM,WAAW,eAAe;IAC9B,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;IACb,qCAAqC;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,wCAAwC;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,kBAAkB;IAClB,MAAM,EAAE,KAAK,GAAG,OAAO,CAAC;IACxB,2DAA2D;IAC3D,WAAW,EAAE,OAAO,CAAC;CACtB;AAED;;GAEG;AACH,wBAAsB,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAmBhF;AA6CD;;GAEG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAM7E"}

package/dist/package-resolver.js

@@ -0,0 +1,105 @@
+/**
+ * NPM package resolver — download and extract npm packages for scanning.
+ *
+ * Supports:
+ * - npm package names: "@modelcontextprotocol/server-filesystem"
+ * - npm package@version: "@scope/name@1.2.3"
+ * - Local paths: "./my-server" or "/abs/path"
+ * - GitHub URLs (future): "github:user/repo"
+ */
+import { execFile } from 'node:child_process';
+import { mkdtemp, readFile, rm } from 'node:fs/promises';
+import { existsSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join, resolve, isAbsolute } from 'node:path';
+/**
+ * Resolve a package specifier to a local directory ready for scanning.
+ */
+export async function resolvePackage(specifier) {
+    // Check if it's a local path (starts with . or / or is absolute, or exists on disk)
+    const absPath = resolve(specifier);
+    if (specifier.startsWith('.') || specifier.startsWith('/') || isAbsolute(specifier) || existsSync(absPath)) {
+        if (!existsSync(absPath)) {
+            throw new Error(`Local path not found: ${absPath}`);
+        }
+        const pkg = await readPackageJson(absPath);
+        return {
+            path: absPath,
+            name: pkg.name ?? 'unknown',
+            version: pkg.version ?? '0.0.0',
+            source: 'local',
+            isTemporary: false,
+        };
+    }
+    // npm package
+    return resolveFromNpm(specifier);
+}
+/**
+ * Download a package from npm registry and extract it.
+ */
+async function resolveFromNpm(specifier) {
+    const tmpDir = await mkdtemp(join(tmpdir(), 'sentinel-scan-'));
+    try {
+        // Use `npm pack` to download the tarball, then extract
+        await execPromise('npm', ['pack', specifier, '--pack-destination', tmpDir], { cwd: tmpDir });
+        // Find the .tgz file
+        const { readdir } = await import('node:fs/promises');
+        const files = await readdir(tmpDir);
+        const tgz = files.find(f => f.endsWith('.tgz'));
+        if (!tgz) {
+            throw new Error(`npm pack did not produce a tarball for: ${specifier}`);
+        }
+        // Extract
+        await execPromise('tar', ['xzf', join(tmpDir, tgz), '-C', tmpDir]);
+        // npm pack extracts to a `package/` subdirectory
+        const packageDir = join(tmpDir, 'package');
+        if (!existsSync(packageDir)) {
+            throw new Error('Extracted package directory not found');
+        }
+        const pkg = await readPackageJson(packageDir);
+        return {
+            path: packageDir,
+            name: pkg.name ?? specifier,
+            version: pkg.version ?? '0.0.0',
+            source: 'npm',
+            isTemporary: true,
+        };
+    }
+    catch (err) {
+        // Clean up on failure
+        await rm(tmpDir, { recursive: true, force: true }).catch(() => { });
+        throw new Error(`Failed to resolve npm package "${specifier}": ${err.message}`);
+    }
+}
+/**
+ * Clean up a temporary package directory.
+ */
+export async function cleanupPackage(resolved) {
+    if (resolved.isTemporary) {
+        // Go up one directory from 'package/' to the tmp dir
+        const tmpDir = join(resolved.path, '..');
+        await rm(tmpDir, { recursive: true, force: true }).catch(() => { });
+    }
+}
+async function readPackageJson(dir) {
+    try {
+        const raw = await readFile(join(dir, 'package.json'), 'utf-8');
+        return JSON.parse(raw);
+    }
+    catch {
+        return {};
+    }
+}
+function execPromise(cmd, args, options) {
+    return new Promise((resolve, reject) => {
+        execFile(cmd, args, { ...options, maxBuffer: 10 * 1024 * 1024, timeout: 60_000 }, (error, stdout, stderr) => {
+            if (error) {
+                reject(new Error(`${cmd} ${args.join(' ')} failed: ${stderr || error.message}`));
+            }
+            else {
+                resolve(stdout);
+            }
+        });
+    });
+}
+//# sourceMappingURL=package-resolver.js.map

package/dist/package-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"package-resolver.js","sourceRoot":"","sources":["../src/package-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,kBAAkB,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAetD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,SAAiB;IACpD,oFAAoF;IACpF,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IACnC,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3G,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,yBAAyB,OAAO,EAAE,CAAC,CAAC;QACtD,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,CAAC;QAC3C,OAAO;YACL,IAAI,EAAE,OAAO;YACb,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,SAAS;YAC3B,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,OAAO;YAC/B,MAAM,EAAE,OAAO;YACf,WAAW,EAAE,KAAK;SACnB,CAAC;IACJ,CAAC;IAED,cAAc;IACd,OAAO,cAAc,CAAC,SAAS,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,cAAc,CAAC,SAAiB;IAC7C,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,gBAAgB,CAAC,CAAC,CAAC;IAE/D,IAAI,CAAC;QACH,uDAAuD;QACvD,MAAM,WAAW,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,SAAS,EAAE,oBAAoB,EAAE,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC;QAE7F,qBAAqB;QACrB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QACrD,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;QACpC,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QAChD,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,2CAA2C,SAAS,EAAE,CAAC,CAAC;QAC1E,CAAC;QAED,UAAU;QACV,MAAM,WAAW,CAAC,KAAK,EAAE,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;QAEnE,iDAAiD;QACjD,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QAC3C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,eAAe,CAAC,UAAU,CAAC,CAAC;QAE9C,OAAO;YACL,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,SAAS;YAC3B,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,OAAO;YAC/B,MAAM,EAAE,KAAK;YACb,WAAW,EAAE,IAAI;SAClB,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,sBAAsB;QACtB,MAAM,EAAE,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACnE,MAAM,IAAI,KAAK,CAAC,kCAAkC,SAAS,MAAO,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;IAC7F,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAyB;IAC5D,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC;QACzB,qDAAqD;QACrD,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACzC,MAAM,EAAE,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IACrE,CAAC;AACH,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,GAAW;IACxC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC;QAC/D,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,GAAW,EAAE,IAAc,EAAE,OAA0B;IAC1E,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,QAAQ,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,GAAG,OAAO,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YAC1G,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,IAAI,KAAK,CAAC,GAAG,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,MAAM,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YACnF,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,MAAM,CAAC,CAAC;YAClB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/pattern-scanner.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Code pattern scanner — detects dangerous patterns via regex-based static analysis.
+ *
+ * Categories:
+ * - dangerous-pattern: eval(), new Function(), dynamic require
+ * - obfuscation: hex-encoded strings, base64 payloads, packed code
+ * - exfiltration: HTTP calls to external domains, DNS lookups, socket connections
+ */
+import type { Finding } from './scanner.js';
+export type PatternCategory = 'dangerous-pattern' | 'obfuscation' | 'exfiltration';
+export interface CodePattern {
+    name: string;
+    category: PatternCategory;
+    severity: Finding['severity'];
+    pattern: RegExp;
+    description: string;
+}
+export interface PatternScanResult {
+    totalFiles: number;
+    totalLines: number;
+    matchedPatterns: Array<{
+        pattern: string;
+        file: string;
+        line: number;
+        evidence: string;
+    }>;
+    findings: Finding[];
+}
+export declare function scanCodePatterns(packagePath: string, extensions: string[]): Promise<PatternScanResult>;
+//# sourceMappingURL=pattern-scanner.d.ts.map

package/dist/pattern-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pattern-scanner.d.ts","sourceRoot":"","sources":["../src/pattern-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,MAAM,eAAe,GAAG,mBAAmB,GAAG,aAAa,GAAG,cAAc,CAAC;AAEnF,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,eAAe,CAAC;IAC1B,QAAQ,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,KAAK,CAAC;QACrB,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC,CAAC;IACH,QAAQ,EAAE,OAAO,EAAE,CAAC;CACrB;AAkGD,wBAAsB,gBAAgB,CACpC,WAAW,EAAE,MAAM,EACnB,UAAU,EAAE,MAAM,EAAE,GACnB,OAAO,CAAC,iBAAiB,CAAC,CAsD5B"}

package/dist/pattern-scanner.js

@@ -0,0 +1,178 @@
+/**
+ * Code pattern scanner — detects dangerous patterns via regex-based static analysis.
+ *
+ * Categories:
+ * - dangerous-pattern: eval(), new Function(), dynamic require
+ * - obfuscation: hex-encoded strings, base64 payloads, packed code
+ * - exfiltration: HTTP calls to external domains, DNS lookups, socket connections
+ */
+import { readFile, readdir } from 'node:fs/promises';
+import { join, relative } from 'node:path';
+// ─── Pattern Definitions ─────────────────────────────────────────────
+const PATTERNS = [
+    // Dangerous execution patterns
+    {
+        name: 'eval-usage',
+        category: 'dangerous-pattern',
+        severity: 'critical',
+        pattern: /\beval\s*\(/g,
+        description: 'eval() can execute arbitrary code — a major security risk',
+    },
+    {
+        name: 'new-function',
+        category: 'dangerous-pattern',
+        severity: 'critical',
+        pattern: /new\s+Function\s*\(/g,
+        description: 'new Function() is equivalent to eval()',
+    },
+    {
+        name: 'dynamic-import-variable',
+        category: 'dangerous-pattern',
+        severity: 'high',
+        pattern: /import\s*\(\s*[^'"]/g,
+        description: 'Dynamic import with variable — could load arbitrary modules',
+    },
+    {
+        name: 'child-process-exec',
+        category: 'dangerous-pattern',
+        severity: 'high',
+        pattern: /(?:exec|execSync|spawn|spawnSync|fork)\s*\(/g,
+        description: 'Shell command execution detected',
+    },
+    {
+        name: 'process-env-access',
+        category: 'dangerous-pattern',
+        severity: 'medium',
+        pattern: /process\.env\[/g,
+        description: 'Dynamic environment variable access',
+    },
+    // Obfuscation patterns
+    {
+        name: 'hex-string-long',
+        category: 'obfuscation',
+        severity: 'high',
+        pattern: /["']\\x[0-9a-fA-F]{2}(?:\\x[0-9a-fA-F]{2}){7,}["']/g,
+        description: 'Long hex-encoded string — possible obfuscated payload',
+    },
+    {
+        name: 'base64-long-literal',
+        category: 'obfuscation',
+        severity: 'medium',
+        pattern: /atob\s*\(\s*["'][A-Za-z0-9+/=]{50,}["']\s*\)/g,
+        description: 'Base64 decode of a long literal — possible hidden payload',
+    },
+    {
+        name: 'char-code-array',
+        category: 'obfuscation',
+        severity: 'medium',
+        pattern: /String\.fromCharCode\s*\(\s*(?:\d+\s*,\s*){5,}/g,
+        description: 'String.fromCharCode with many values — possible obfuscation',
+    },
+    // Exfiltration patterns
+    {
+        name: 'fetch-external',
+        category: 'exfiltration',
+        severity: 'high',
+        pattern: /(?:fetch|axios|got|node-fetch|request)\s*\(\s*[`"']https?:\/\//g,
+        description: 'HTTP request to external URL',
+    },
+    {
+        name: 'dns-lookup',
+        category: 'exfiltration',
+        severity: 'medium',
+        pattern: /dns\.(?:lookup|resolve|resolve4|resolve6)\s*\(/g,
+        description: 'DNS lookup — could be used for DNS exfiltration',
+    },
+    {
+        name: 'websocket-connection',
+        category: 'exfiltration',
+        severity: 'medium',
+        pattern: /new\s+WebSocket\s*\(/g,
+        description: 'WebSocket connection — could be used for data exfiltration',
+    },
+    {
+        name: 'net-socket',
+        category: 'exfiltration',
+        severity: 'high',
+        pattern: /(?:net|tls)\.(?:createConnection|connect|createServer)\s*\(/g,
+        description: 'Low-level network socket — could send data anywhere',
+    },
+];
+// ─── Scanner ─────────────────────────────────────────────────────────
+export async function scanCodePatterns(packagePath, extensions) {
+    const files = await collectSourceFiles(packagePath, extensions);
+    const findings = [];
+    const matchedPatterns = [];
+    let totalLines = 0;
+    for (const filePath of files) {
+        const content = await readFile(filePath, 'utf-8');
+        const lines = content.split('\n');
+        totalLines += lines.length;
+        const relPath = relative(packagePath, filePath);
+        for (const pattern of PATTERNS) {
+            // Reset regex state
+            pattern.pattern.lastIndex = 0;
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                // Reset for each line
+                pattern.pattern.lastIndex = 0;
+                if (pattern.pattern.test(line)) {
+                    const trimmed = line.trim();
+                    // Skip matches in comments
+                    if (trimmed.startsWith('//') || trimmed.startsWith('*') || trimmed.startsWith('/*')) {
+                        continue;
+                    }
+                    matchedPatterns.push({
+                        pattern: pattern.name,
+                        file: relPath,
+                        line: i + 1,
+                        evidence: trimmed.slice(0, 120),
+                    });
+                    findings.push({
+                        severity: pattern.severity,
+                        category: pattern.category,
+                        title: `${pattern.name} in ${relPath}:${i + 1}`,
+                        description: pattern.description,
+                        file: relPath,
+                        line: i + 1,
+                        evidence: trimmed.slice(0, 120),
+                    });
+                }
+            }
+        }
+    }
+    return {
+        totalFiles: files.length,
+        totalLines,
+        matchedPatterns,
+        findings,
+    };
+}
+// ─── File Collection ─────────────────────────────────────────────────
+async function collectSourceFiles(dir, extensions, basePath) {
+    basePath ??= dir;
+    const files = [];
+    let entries;
+    try {
+        entries = await readdir(dir, { withFileTypes: true });
+    }
+    catch {
+        return files;
+    }
+    for (const entry of entries.sort((a, b) => a.name.localeCompare(b.name))) {
+        const fullPath = join(dir, entry.name);
+        const relPath = relative(basePath, fullPath);
+        // Skip common non-source directories
+        if (entry.isDirectory()) {
+            if (['node_modules', 'dist', '.git', '.turbo', 'coverage', '__pycache__'].includes(entry.name)) {
+                continue;
+            }
+            files.push(...await collectSourceFiles(fullPath, extensions, basePath));
+        }
+        else if (entry.isFile() && extensions.some(ext => entry.name.endsWith(ext))) {
+            files.push(fullPath);
+        }
+    }
+    return files;
+}
+//# sourceMappingURL=pattern-scanner.js.map

package/dist/pattern-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pattern-scanner.js","sourceRoot":"","sources":["../src/pattern-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAQ,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAW,MAAM,WAAW,CAAC;AAyBpD,wEAAwE;AAExE,MAAM,QAAQ,GAAkB;IAC9B,+BAA+B;IAC/B;QACE,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,mBAAmB;QAC7B,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,cAAc;QACvB,WAAW,EAAE,2DAA2D;KACzE;IACD;QACE,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,mBAAmB;QAC7B,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,sBAAsB;QAC/B,WAAW,EAAE,wCAAwC;KACtD;IACD;QACE,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,mBAAmB;QAC7B,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,sBAAsB;QAC/B,WAAW,EAAE,6DAA6D;KAC3E;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,mBAAmB;QAC7B,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,8CAA8C;QACvD,WAAW,EAAE,kCAAkC;KAChD;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,mBAAmB;QAC7B,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE,iBAAiB;QAC1B,WAAW,EAAE,qCAAqC;KACnD;IAED,uBAAuB;IACvB;QACE,IAAI,EAAE,iBAAiB;QACvB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,qDAAqD;QAC9D,WAAW,EAAE,uDAAuD;KACrE;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE,+CAA+C;QACxD,WAAW,EAAE,2DAA2D;KACzE;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE,iDAAiD;QAC1D,WAAW,EAAE,6DAA6D;KAC3E;IAED,wBAAwB;IACxB;QACE,IAAI,EAAE,gBAAgB;QACtB,QAAQ,EAAE,cAAc;QACxB,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,iEAAiE;QAC1E,WAAW,EAAE,8BAA8B;KAC5C;IACD;QACE,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,cAAc;QACxB,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE,iDAAiD;QAC1D,WAAW,EAAE,iDAAiD;KAC/D;IACD;QACE,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,cAAc;QACxB,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE,uBAAuB;QAChC,WAAW,EAAE,4DAA4D;KAC1E;IACD;QACE,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,cAAc;QACxB,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,8DAA8D;QACvE,WAAW,EAAE,qDAAqD;KACnE;CACF,CAAC;AAEF,wEAAwE;AAExE,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,WAAmB,EACnB,UAAoB;IAEpB,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IAChE,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,eAAe,GAAyC,EAAE,CAAC;IACjE,IAAI,UAAU,GAAG,CAAC,CAAC;IAEnB,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,UAAU,IAAI,KAAK,CAAC,MAAM,CAAC;QAC3B,MAAM,OAAO,GAAG,QAAQ,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAEhD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,oBAAoB;YACpB,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YAE9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,sBAAsB;gBACtB,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBAC9B,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;oBAC5B,2BAA2B;oBAC3B,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;wBACpF,SAAS;oBACX,CAAC;oBAED,eAAe,CAAC,IAAI,CAAC;wBACnB,OAAO,EAAE,OAAO,CAAC,IAAI;wBACrB,IAAI,EAAE,OAAO;wBACb,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;qBAChC,CAAC,CAAC;oBAEH,QAAQ,CAAC,IAAI,CAAC;wBACZ,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,KAAK,EAAE,GAAG,OAAO,CAAC,IAAI,OAAO,OAAO,IAAI,CAAC,GAAG,CAAC,EAAE;wBAC/C,WAAW,EAAE,OAAO,CAAC,WAAW;wBAChC,IAAI,EAAE,OAAO;wBACb,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;qBAChC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,UAAU,EAAE,KAAK,CAAC,MAAM;QACxB,UAAU;QACV,eAAe;QACf,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,wEAAwE;AAExE,KAAK,UAAU,kBAAkB,CAC/B,GAAW,EACX,UAAoB,EACpB,QAAiB;IAEjB,QAAQ,KAAK,GAAG,CAAC;IACjB,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,OAAO,CAAC;IACZ,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QACzE,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAE7C,qCAAqC;QACrC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,IAAI,CAAC,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/F,SAAS;YACX,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,kBAAkB,CAAC,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC1E,CAAC;aAAM,IAAI,KAAK,CAAC,MAAM,EAAE,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YAC9E,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}