@telora/daemon 0.15.37 → 0.15.40

package/dist/scanners/signatures.js

@@ -0,0 +1,140 @@
+/**
+ * npm audit signatures scanner -- security scan engine plugin.
+ *
+ * Runs `npm audit signatures --json` against the product's repo and converts
+ * each unverified or invalid-signature entry into a FindingDraft. Signature
+ * verification has no npm-provided severity tier, so every finding is marked
+ * 'medium' -- a signature problem is always actionable, but not on its own a
+ * critical-severity issue without further context.
+ *
+ * Pattern reference: verification-engine.ts (dep-injection seam for spawn).
+ *
+ * @module scanners/signatures
+ */
+import { spawn } from 'node:child_process';
+const DEFAULT_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
+/** Default implementation: spawn the real npm CLI in the repo. */
+const defaultRunNpmAuditSignatures = (cwd) => new Promise((resolve, reject) => {
+    const child = spawn('npm', ['audit', 'signatures', '--json'], {
+        cwd,
+        stdio: ['ignore', 'pipe', 'pipe'],
+    });
+    let stdout = '';
+    let stderr = '';
+    child.stdout?.on('data', (chunk) => {
+        stdout += chunk.toString('utf8');
+    });
+    child.stderr?.on('data', (chunk) => {
+        stderr += chunk.toString('utf8');
+    });
+    const timer = setTimeout(() => {
+        try {
+            child.kill('SIGKILL');
+        }
+        catch { /* ignore */ }
+    }, DEFAULT_TIMEOUT_MS);
+    child.on('error', (err) => {
+        clearTimeout(timer);
+        reject(err);
+    });
+    child.on('close', (code) => {
+        clearTimeout(timer);
+        resolve({ stdout, stderr, exitCode: code });
+    });
+});
+function isRecord(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+function stringField(record, key) {
+    const v = record[key];
+    return typeof v === 'string' ? v : undefined;
+}
+function numberField(record, key) {
+    const v = record[key];
+    return typeof v === 'number' && Number.isFinite(v) ? v : undefined;
+}
+function entriesFromArray(value, fallbackReason) {
+    if (!Array.isArray(value))
+        return [];
+    const out = [];
+    for (const item of value) {
+        if (!isRecord(item))
+            continue;
+        const name = stringField(item, 'name');
+        const version = stringField(item, 'version');
+        if (!name || !version)
+            continue;
+        const reason = stringField(item, 'reason') ?? fallbackReason;
+        out.push({ name, version, raw: item, reason });
+    }
+    return out;
+}
+/**
+ * Parse the npm audit signatures JSON envelope. Tolerates shape variations
+ * across npm versions -- `invalid` and `missing` may be absent or empty.
+ * Throws if the payload is not valid JSON or not an object.
+ */
+export function parseSignaturesReport(stdout) {
+    const trimmed = stdout.trim();
+    if (trimmed.length === 0) {
+        throw new Error('npm audit signatures produced empty output');
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(trimmed);
+    }
+    catch (err) {
+        throw new Error(`failed to parse npm audit signatures JSON: ${err.message}`);
+    }
+    if (!isRecord(parsed)) {
+        throw new Error('npm audit signatures JSON root is not an object');
+    }
+    const invalid = entriesFromArray(parsed.invalid, 'invalid_signature');
+    const missing = entriesFromArray(parsed.missing, 'missing');
+    // Best-effort total. npm has shipped a few different field names over the
+    // years (`packagesAudited`, `count`, etc.). Fall back to invalid+missing
+    // when nothing usable is reported.
+    const totalChecked = numberField(parsed, 'packagesAudited') ??
+        numberField(parsed, 'totalChecked') ??
+        (isRecord(parsed.count) ? numberField(parsed.count, 'total') : undefined) ??
+        invalid.length + missing.length;
+    return { invalid, missing, totalChecked };
+}
+export function createSignaturesScanner(deps) {
+    return {
+        iocClass: 'signatures',
+        async scan(ctx) {
+            const { stdout, exitCode } = await deps.runNpmAuditSignatures(ctx.repoPath);
+            const report = parseSignaturesReport(stdout);
+            const findings = [];
+            const emit = (entry) => {
+                findings.push({
+                    iocClass: 'signatures',
+                    severity: 'medium',
+                    identifier: `${entry.name}@${entry.version}`,
+                    payload: {
+                        ...entry.raw,
+                        reason: entry.reason,
+                    },
+                });
+            };
+            for (const entry of report.invalid)
+                emit(entry);
+            for (const entry of report.missing)
+                emit(entry);
+            const coverage = {
+                packages_checked: report.totalChecked,
+                unverified: report.invalid.length + report.missing.length,
+                missing: report.missing.length,
+                invalid: report.invalid.length,
+                npm_exit_code: exitCode,
+            };
+            return { findings, coverage };
+        },
+    };
+}
+/** Default scanner wired to the real npm CLI. */
+export const signaturesScanner = createSignaturesScanner({
+    runNpmAuditSignatures: defaultRunNpmAuditSignatures,
+});
+//# sourceMappingURL=signatures.js.map

package/dist/scanners/signatures.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signatures.js","sourceRoot":"","sources":["../../src/scanners/signatures.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAoB3C,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;AAEtD,kEAAkE;AAClE,MAAM,4BAA4B,GAA0B,CAAC,GAAG,EAAE,EAAE,CAClE,IAAI,OAAO,CAA2B,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;IACxD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,YAAY,EAAE,QAAQ,CAAC,EAAE;QAC5D,GAAG;QACH,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;KAClC,CAAC,CAAC;IAEH,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,IAAI,MAAM,GAAG,EAAE,CAAC;IAEhB,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;QACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IACH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;QACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;QAC5B,IAAI,CAAC;YAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;IACvD,CAAC,EAAE,kBAAkB,CAAC,CAAC;IAEvB,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;QACxB,YAAY,CAAC,KAAK,CAAC,CAAC;QACpB,MAAM,CAAC,GAAG,CAAC,CAAC;IACd,CAAC,CAAC,CAAC;IACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;QACzB,YAAY,CAAC,KAAK,CAAC,CAAC;QACpB,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAaL,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,WAAW,CAAC,MAA+B,EAAE,GAAW;IAC/D,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IACtB,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC/C,CAAC;AAED,SAAS,WAAW,CAAC,MAA+B,EAAE,GAAW;IAC/D,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IACtB,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AACrE,CAAC;AAED,SAAS,gBAAgB,CACvB,KAAc,EACd,cAAsB;IAEtB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACrC,MAAM,GAAG,GAAqB,EAAE,CAAC;IACjC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,SAAS;QAC9B,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACvC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QAC7C,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO;YAAE,SAAS;QAChC,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,cAAc,CAAC;QAC7D,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAc;IAKlD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IAC9B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,8CAA+C,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;IAC1F,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IAED,MAAM,OAAO,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IACtE,MAAM,OAAO,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAE5D,0EAA0E;IAC1E,yEAAyE;IACzE,mCAAmC;IACnC,MAAM,YAAY,GAChB,WAAW,CAAC,MAAM,EAAE,iBAAiB,CAAC;QACtC,WAAW,CAAC,MAAM,EAAE,cAAc,CAAC;QACnC,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACzE,OAAO,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAElC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC;AAC5C,CAAC;AAUD,MAAM,UAAU,uBAAuB,CAAC,IAA2B;IACjE,OAAO;QACL,QAAQ,EAAE,YAAY;QACtB,KAAK,CAAC,IAAI,CAAC,GAAgB;YACzB,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC5E,MAAM,MAAM,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;YAE7C,MAAM,QAAQ,GAAmB,EAAE,CAAC;YACpC,MAAM,IAAI,GAAG,CAAC,KAAqB,EAAE,EAAE;gBACrC,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,QAAQ;oBAClB,UAAU,EAAE,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,EAAE;oBAC5C,OAAO,EAAE;wBACP,GAAG,KAAK,CAAC,GAAG;wBACZ,MAAM,EAAE,KAAK,CAAC,MAAM;qBACrB;iBACF,CAAC,CAAC;YACL,CAAC,CAAC;YACF,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,OAAO;gBAAE,IAAI,CAAC,KAAK,CAAC,CAAC;YAChD,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,OAAO;gBAAE,IAAI,CAAC,KAAK,CAAC,CAAC;YAEhD,MAAM,QAAQ,GAA4B;gBACxC,gBAAgB,EAAE,MAAM,CAAC,YAAY;gBACrC,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM;gBACzD,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM;gBAC9B,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM;gBAC9B,aAAa,EAAE,QAAQ;aACxB,CAAC;YAEF,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;QAChC,CAAC;KACF,CAAC;AACJ,CAAC;AAED,iDAAiD;AACjD,MAAM,CAAC,MAAM,iBAAiB,GAAY,uBAAuB,CAAC;IAChE,qBAAqB,EAAE,4BAA4B;CACpD,CAAC,CAAC"}

package/dist/scanners/workflow.d.ts

@@ -0,0 +1,34 @@
+/**
+ * GitHub Actions workflow scanner -- security-scan engine plugin.
+ *
+ * Detects the `pull_request_target` + checkout-head + cache-write pattern
+ * that lets a fork PR's untrusted code execute with the base repo's
+ * elevated permissions and secrets, and persists artifacts (caches)
+ * back to the base repo. This is the canonical "pwn request" supply
+ * chain vulnerability.
+ *
+ * Matched when ALL three are true for a single job:
+ *   1. Workflow `on:` includes `pull_request_target` (string | array | object).
+ *   2. The job contains an `actions/checkout@*` step whose `with.ref` is
+ *      one of `${{ github.event.pull_request.head.sha }}` or
+ *      `${{ github.event.pull_request.head.ref }}`.
+ *   3. The job contains a cache-write step:
+ *        - `actions/cache@*` (any non-`restore`-suffixed action), or
+ *        - `actions/setup-*` step with `with.cache: true` (or any truthy
+ *          string), or
+ *        - any step after the head-ref checkout whose `with.cache` is truthy.
+ *
+ * Pattern reference: verification-engine.ts (Deps + default factory).
+ *
+ * @module scanners/workflow
+ */
+import type { Scanner } from '../security-scan-engine.js';
+export interface WorkflowScannerDeps {
+    /** List workflow files in the repo's `.github/workflows/` directory. */
+    readWorkflowsDir: (repoPath: string) => Promise<string[]>;
+    /** Read a workflow file's contents as UTF-8. */
+    readFile: (path: string) => Promise<string>;
+}
+export declare function createWorkflowScanner(deps?: WorkflowScannerDeps): Scanner;
+export declare const workflowScanner: Scanner;
+//# sourceMappingURL=workflow.d.ts.map

package/dist/scanners/workflow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workflow.d.ts","sourceRoot":"","sources":["../../src/scanners/workflow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAKH,OAAO,KAAK,EAAyC,OAAO,EAAE,MAAM,4BAA4B,CAAC;AAMjG,MAAM,WAAW,mBAAmB;IAClC,wEAAwE;IACxE,gBAAgB,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1D,gDAAgD;IAChD,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CAC7C;AAmKD,wBAAgB,qBAAqB,CAAC,IAAI,GAAE,mBAAiC,GAAG,OAAO,CA4DtF;AAWD,eAAO,MAAM,eAAe,EAAE,OAAiC,CAAC"}

package/dist/scanners/workflow.js

@@ -0,0 +1,239 @@
+/**
+ * GitHub Actions workflow scanner -- security-scan engine plugin.
+ *
+ * Detects the `pull_request_target` + checkout-head + cache-write pattern
+ * that lets a fork PR's untrusted code execute with the base repo's
+ * elevated permissions and secrets, and persists artifacts (caches)
+ * back to the base repo. This is the canonical "pwn request" supply
+ * chain vulnerability.
+ *
+ * Matched when ALL three are true for a single job:
+ *   1. Workflow `on:` includes `pull_request_target` (string | array | object).
+ *   2. The job contains an `actions/checkout@*` step whose `with.ref` is
+ *      one of `${{ github.event.pull_request.head.sha }}` or
+ *      `${{ github.event.pull_request.head.ref }}`.
+ *   3. The job contains a cache-write step:
+ *        - `actions/cache@*` (any non-`restore`-suffixed action), or
+ *        - `actions/setup-*` step with `with.cache: true` (or any truthy
+ *          string), or
+ *        - any step after the head-ref checkout whose `with.cache` is truthy.
+ *
+ * Pattern reference: verification-engine.ts (Deps + default factory).
+ *
+ * @module scanners/workflow
+ */
+import { readdir, readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { parse as parseYaml } from 'yaml';
+const WORKFLOW_EXTENSIONS = ['.yml', '.yaml'];
+const CHECKOUT_REF_HEAD_SHA = '${{ github.event.pull_request.head.sha }}';
+const CHECKOUT_REF_HEAD_REF = '${{ github.event.pull_request.head.ref }}';
+// ---------------------------------------------------------------------------
+// Defaults -- real fs
+// ---------------------------------------------------------------------------
+const defaultDeps = {
+    readWorkflowsDir: async (repoPath) => {
+        const dir = join(repoPath, '.github', 'workflows');
+        let entries;
+        try {
+            entries = await readdir(dir);
+        }
+        catch {
+            return [];
+        }
+        return entries
+            .filter((name) => WORKFLOW_EXTENSIONS.some((ext) => name.endsWith(ext)))
+            .map((name) => join(dir, name));
+    },
+    readFile: (path) => readFile(path, 'utf8'),
+};
+// ---------------------------------------------------------------------------
+// Type guards -- narrow `unknown` parsed YAML
+// ---------------------------------------------------------------------------
+function isRecord(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+function isStringArray(value) {
+    return Array.isArray(value) && value.every((v) => typeof v === 'string');
+}
+/** Returns true when the workflow `on:` declaration includes pull_request_target. */
+function hasPullRequestTargetTrigger(on) {
+    if (typeof on === 'string')
+        return on === 'pull_request_target';
+    if (isStringArray(on))
+        return on.includes('pull_request_target');
+    if (isRecord(on))
+        return Object.prototype.hasOwnProperty.call(on, 'pull_request_target');
+    return false;
+}
+function asStep(value) {
+    if (!isRecord(value))
+        return null;
+    const step = {};
+    if (typeof value.uses === 'string')
+        step.uses = value.uses;
+    if (typeof value.run === 'string')
+        step.run = value.run;
+    if (typeof value.name === 'string')
+        step.name = value.name;
+    if (isRecord(value.with))
+        step.with = value.with;
+    return step;
+}
+function getActionName(uses) {
+    // Strip @ref and any subpath after a slash beyond owner/repo. We only need
+    // the canonical `owner/repo` (or `owner/repo/path`) for prefix matching.
+    const atIdx = uses.indexOf('@');
+    return atIdx >= 0 ? uses.slice(0, atIdx) : uses;
+}
+function isCheckoutAction(step) {
+    if (!step.uses)
+        return false;
+    return getActionName(step.uses) === 'actions/checkout';
+}
+function getCheckoutRef(step) {
+    const ref = step.with?.ref;
+    return typeof ref === 'string' ? ref : null;
+}
+function checkoutTargetsForkHead(step) {
+    const ref = getCheckoutRef(step);
+    if (ref === null)
+        return false;
+    return ref === CHECKOUT_REF_HEAD_SHA || ref === CHECKOUT_REF_HEAD_REF;
+}
+/** True when `with.cache` is set to a truthy value (boolean true or any non-empty/non-false string). */
+function hasTruthyCacheInput(step) {
+    const cache = step.with?.cache;
+    if (cache === true)
+        return true;
+    if (typeof cache === 'string') {
+        const normalized = cache.trim().toLowerCase();
+        return normalized.length > 0 && normalized !== 'false' && normalized !== '0';
+    }
+    return false;
+}
+function isCacheWriteStep(step) {
+    if (step.uses) {
+        const action = getActionName(step.uses);
+        // `actions/cache@v4` writes by default. `actions/cache/restore` only restores.
+        if (action === 'actions/cache')
+            return true;
+        // `actions/setup-node`, `actions/setup-python`, etc. with cache: true.
+        if (action.startsWith('actions/setup-') && hasTruthyCacheInput(step))
+            return true;
+    }
+    // Any step that opts into a cache via with.cache (e.g. third-party setup actions).
+    if (hasTruthyCacheInput(step))
+        return true;
+    return false;
+}
+function analyzeJob(job) {
+    const result = {
+        hasCheckoutOfForkHead: false,
+        cacheWriteAfterCheckout: false,
+        matchedLines: [],
+    };
+    if (!isRecord(job))
+        return result;
+    const steps = job.steps;
+    if (!Array.isArray(steps))
+        return result;
+    let sawForkHeadCheckout = false;
+    for (const raw of steps) {
+        const step = asStep(raw);
+        if (!step)
+            continue;
+        if (isCheckoutAction(step) && checkoutTargetsForkHead(step)) {
+            sawForkHeadCheckout = true;
+            result.hasCheckoutOfForkHead = true;
+            const ref = getCheckoutRef(step) ?? '';
+            result.matchedLines.push(`uses: ${step.uses} with ref: ${ref}`);
+            continue;
+        }
+        if (sawForkHeadCheckout && isCacheWriteStep(step)) {
+            result.cacheWriteAfterCheckout = true;
+            if (step.uses) {
+                const cache = step.with?.cache;
+                const cacheNote = cache !== undefined ? ` (cache: ${String(cache)})` : '';
+                result.matchedLines.push(`uses: ${step.uses}${cacheNote}`);
+            }
+            else {
+                result.matchedLines.push(`step: ${step.name ?? '(unnamed)'} with cache`);
+            }
+        }
+    }
+    return result;
+}
+// ---------------------------------------------------------------------------
+// Factory
+// ---------------------------------------------------------------------------
+const PATTERN_LABEL = 'pull_request_target + checkout-head + cache-write';
+export function createWorkflowScanner(deps = defaultDeps) {
+    return {
+        iocClass: 'workflow',
+        async scan(ctx) {
+            const files = await deps.readWorkflowsDir(ctx.repoPath);
+            const findings = [];
+            let parseErrors = 0;
+            for (const file of files) {
+                let raw;
+                try {
+                    raw = await deps.readFile(file);
+                }
+                catch {
+                    parseErrors += 1;
+                    continue;
+                }
+                let parsed;
+                try {
+                    parsed = parseYaml(raw);
+                }
+                catch {
+                    parseErrors += 1;
+                    continue;
+                }
+                if (!isRecord(parsed))
+                    continue;
+                if (!hasPullRequestTargetTrigger(parsed.on))
+                    continue;
+                const jobs = parsed.jobs;
+                if (!isRecord(jobs))
+                    continue;
+                const workflowFileName = baseName(file);
+                for (const [jobName, jobValue] of Object.entries(jobs)) {
+                    const analysis = analyzeJob(jobValue);
+                    if (!analysis.hasCheckoutOfForkHead || !analysis.cacheWriteAfterCheckout)
+                        continue;
+                    findings.push({
+                        iocClass: 'workflow',
+                        severity: 'high',
+                        identifier: `${workflowFileName}:${jobName}`,
+                        payload: {
+                            workflow: workflowFileName,
+                            job: jobName,
+                            pattern: PATTERN_LABEL,
+                            matched_lines: analysis.matchedLines,
+                        },
+                    });
+                }
+            }
+            return {
+                findings,
+                coverage: {
+                    workflows_scanned: files.length,
+                    risky_patterns: findings.length,
+                    parse_errors: parseErrors,
+                },
+            };
+        },
+    };
+}
+function baseName(p) {
+    const slash = p.lastIndexOf('/');
+    return slash >= 0 ? p.slice(slash + 1) : p;
+}
+// ---------------------------------------------------------------------------
+// Default scanner -- real fs IO
+// ---------------------------------------------------------------------------
+export const workflowScanner = createWorkflowScanner();
+//# sourceMappingURL=workflow.js.map

package/dist/scanners/workflow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"workflow.js","sourceRoot":"","sources":["../../src/scanners/workflow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAc1C,MAAM,mBAAmB,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAE9C,MAAM,qBAAqB,GAAG,2CAA2C,CAAC;AAC1E,MAAM,qBAAqB,GAAG,2CAA2C,CAAC;AAE1E,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,MAAM,WAAW,GAAwB;IACvC,gBAAgB,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE;QACnC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;QACnD,IAAI,OAAiB,CAAC;QACtB,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;QACD,OAAO,OAAO;aACX,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;aACvE,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;IACpC,CAAC;IACD,QAAQ,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CAC3C,CAAC;AAEF,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,aAAa,CAAC,KAAc;IACnC,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;AAC3E,CAAC;AAED,qFAAqF;AACrF,SAAS,2BAA2B,CAAC,EAAW;IAC9C,IAAI,OAAO,EAAE,KAAK,QAAQ;QAAE,OAAO,EAAE,KAAK,qBAAqB,CAAC;IAChE,IAAI,aAAa,CAAC,EAAE,CAAC;QAAE,OAAO,EAAE,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;IACjE,IAAI,QAAQ,CAAC,EAAE,CAAC;QAAE,OAAO,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,EAAE,qBAAqB,CAAC,CAAC;IACzF,OAAO,KAAK,CAAC;AACf,CAAC;AAYD,SAAS,MAAM,CAAC,KAAc;IAC5B,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,MAAM,IAAI,GAAiB,EAAE,CAAC;IAC9B,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ;QAAE,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IAC3D,IAAI,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ;QAAE,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC;IACxD,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ;QAAE,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IAC3D,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC;QAAE,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IACjD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,2EAA2E;IAC3E,yEAAyE;IACzE,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAChC,OAAO,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAClD,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAkB;IAC1C,IAAI,CAAC,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAC7B,OAAO,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,kBAAkB,CAAC;AACzD,CAAC;AAED,SAAS,cAAc,CAAC,IAAkB;IACxC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC;IAC3B,OAAO,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;AAC9C,CAAC;AAED,SAAS,uBAAuB,CAAC,IAAkB;IACjD,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAC/B,OAAO,GAAG,KAAK,qBAAqB,IAAI,GAAG,KAAK,qBAAqB,CAAC;AACxE,CAAC;AAED,wGAAwG;AACxG,SAAS,mBAAmB,CAAC,IAAkB;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC;IAC/B,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAChC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC9C,OAAO,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,KAAK,OAAO,IAAI,UAAU,KAAK,GAAG,CAAC;IAC/E,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAkB;IAC1C,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxC,+EAA+E;QAC/E,IAAI,MAAM,KAAK,eAAe;YAAE,OAAO,IAAI,CAAC;QAC5C,uEAAuE;QACvE,IAAI,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,IAAI,mBAAmB,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;IACpF,CAAC;IACD,mFAAmF;IACnF,IAAI,mBAAmB,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,KAAK,CAAC;AACf,CAAC;AAQD,SAAS,UAAU,CAAC,GAAY;IAC9B,MAAM,MAAM,GAAgB;QAC1B,qBAAqB,EAAE,KAAK;QAC5B,uBAAuB,EAAE,KAAK;QAC9B,YAAY,EAAE,EAAE;KACjB,CAAC;IACF,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,MAAM,CAAC;IAClC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;IACxB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAEzC,IAAI,mBAAmB,GAAG,KAAK,CAAC;IAChC,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,uBAAuB,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5D,mBAAmB,GAAG,IAAI,CAAC;YAC3B,MAAM,CAAC,qBAAqB,GAAG,IAAI,CAAC;YACpC,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACvC,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,cAAc,GAAG,EAAE,CAAC,CAAC;YAChE,SAAS;QACX,CAAC;QAED,IAAI,mBAAmB,IAAI,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC;YAClD,MAAM,CAAC,uBAAuB,GAAG,IAAI,CAAC;YACtC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBACd,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC;gBAC/B,MAAM,SAAS,GAAG,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,YAAY,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC1E,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,GAAG,SAAS,EAAE,CAAC,CAAC;YAC7D,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,IAAI,WAAW,aAAa,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,MAAM,aAAa,GAAG,mDAAmD,CAAC;AAE1E,MAAM,UAAU,qBAAqB,CAAC,OAA4B,WAAW;IAC3E,OAAO;QACL,QAAQ,EAAE,UAAU;QACpB,KAAK,CAAC,IAAI,CAAC,GAAgB;YACzB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACxD,MAAM,QAAQ,GAAmB,EAAE,CAAC;YACpC,IAAI,WAAW,GAAG,CAAC,CAAC;YAEpB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,GAAW,CAAC;gBAChB,IAAI,CAAC;oBACH,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAClC,CAAC;gBAAC,MAAM,CAAC;oBACP,WAAW,IAAI,CAAC,CAAC;oBACjB,SAAS;gBACX,CAAC;gBAED,IAAI,MAAe,CAAC;gBACpB,IAAI,CAAC;oBACH,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;gBAC1B,CAAC;gBAAC,MAAM,CAAC;oBACP,WAAW,IAAI,CAAC,CAAC;oBACjB,SAAS;gBACX,CAAC;gBAED,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAAE,SAAS;gBAChC,IAAI,CAAC,2BAA2B,CAAC,MAAM,CAAC,EAAE,CAAC;oBAAE,SAAS;gBAEtD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;gBACzB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAE9B,MAAM,gBAAgB,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;gBACxC,KAAK,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvD,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;oBACtC,IAAI,CAAC,QAAQ,CAAC,qBAAqB,IAAI,CAAC,QAAQ,CAAC,uBAAuB;wBAAE,SAAS;oBAEnF,QAAQ,CAAC,IAAI,CAAC;wBACZ,QAAQ,EAAE,UAAU;wBACpB,QAAQ,EAAE,MAAM;wBAChB,UAAU,EAAE,GAAG,gBAAgB,IAAI,OAAO,EAAE;wBAC5C,OAAO,EAAE;4BACP,QAAQ,EAAE,gBAAgB;4BAC1B,GAAG,EAAE,OAAO;4BACZ,OAAO,EAAE,aAAa;4BACtB,aAAa,EAAE,QAAQ,CAAC,YAAY;yBACrC;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,OAAO;gBACL,QAAQ;gBACR,QAAQ,EAAE;oBACR,iBAAiB,EAAE,KAAK,CAAC,MAAM;oBAC/B,cAAc,EAAE,QAAQ,CAAC,MAAM;oBAC/B,YAAY,EAAE,WAAW;iBAC1B;aACF,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,CAAS;IACzB,MAAM,KAAK,GAAG,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,8EAA8E;AAC9E,gCAAgC;AAChC,8EAA8E;AAE9E,MAAM,CAAC,MAAM,eAAe,GAAY,qBAAqB,EAAE,CAAC"}

package/dist/security-auto-inject.d.ts

@@ -0,0 +1,114 @@
+/**
+ * Severity-gated auto-injection for security findings.
+ *
+ * When the scanner engine writes a finding at or above the configured
+ * auto_inject_severity_threshold, this module:
+ *   1. Resolves the product's Security focus (focus_kind='security').
+ *   2. Creates or reuses an entity node representing the vulnerable surface.
+ *   3. Creates an injection node on the focus's reality tree with
+ *      statement = advisory summary; targets the entity node via a
+ *      reality_tree_edge of kind 'targets'.
+ *   4. Creates a delivery on the Security focus linked to the injection
+ *      via the delivery's injection_id column.
+ *   5. Sets finding.linked_injection_id.
+ *   6. Writes a security_finding_audit row with action='auto_injected'.
+ *
+ * Below-threshold findings are not auto-injected; the FindingsView UI
+ * offers click-to-remediate that calls this same function with a
+ * `force: true` flag (single code path for both auto and manual).
+ *
+ * Suppressed findings (suppression jsonb non-null and not expired) are
+ * skipped entirely.
+ *
+ * @module security-auto-inject
+ */
+import type { Severity } from './security-scan-engine.js';
+export interface FindingForInjection {
+    id: string;
+    organizationId: string;
+    productId: string;
+    iocClass: string;
+    severity: Severity;
+    identifier: string;
+    payload: Record<string, unknown>;
+    status: 'open' | 'resolved' | 'suppressed';
+    suppression: Record<string, unknown> | null;
+    linkedInjectionId: string | null;
+}
+export interface AutoInjectOptions {
+    /** Threshold from the scan config (default 'critical'). */
+    autoInjectThreshold: Severity;
+    /**
+     * When true, bypass the severity threshold (used by the UI's
+     * 'Click to remediate' button on below-threshold findings). The
+     * suppression and already-linked checks still apply.
+     */
+    force?: boolean;
+    /** Actor user id, if the action came from a UI button rather than the daemon. */
+    actorUserId?: string;
+}
+export interface AutoInjectDeps {
+    /** Look up the Security focus id + tree id for a product. */
+    resolveSecurityFocus: (productId: string) => Promise<{
+        focusId: string;
+        treeId: string;
+    } | null>;
+    /**
+     * Create or find an entity node representing the vulnerable surface
+     * (one per identifier per focus, deduplicated server-side).
+     */
+    upsertEntityNode: (input: {
+        treeId: string;
+        organizationId: string;
+        label: string;
+        payload: Record<string, unknown>;
+    }) => Promise<{
+        nodeId: string;
+    }>;
+    /**
+     * Create an injection node + targets edge in a single compound op.
+     */
+    createInjection: (input: {
+        treeId: string;
+        organizationId: string;
+        statement: string;
+        targetNodeId: string;
+        sourcePayload: Record<string, unknown>;
+    }) => Promise<{
+        nodeId: string;
+    }>;
+    /**
+     * Materialize a delivery on the Security focus, linked to the injection.
+     */
+    createDelivery: (input: {
+        focusId: string;
+        productId: string;
+        organizationId: string;
+        name: string;
+        description: string;
+        injectionNodeId: string;
+    }) => Promise<{
+        deliveryId: string;
+    }>;
+    /** Update the finding row with its new linked_injection_id. */
+    linkFinding: (findingId: string, injectionNodeId: string) => Promise<void>;
+    /** Append a finding audit row. */
+    writeAudit: (input: {
+        findingId: string;
+        organizationId: string;
+        action: 'auto_injected' | 'manually_remediated';
+        actorUserId?: string;
+        reason?: string;
+        payload?: Record<string, unknown>;
+    }) => Promise<void>;
+}
+/** Returns true when `severity` is at or above `threshold`. */
+export declare function meetsThreshold(severity: Severity, threshold: Severity): boolean;
+export interface ProcessNewFindingResult {
+    status: 'injected' | 'skipped_below_threshold' | 'skipped_already_linked' | 'skipped_suppressed' | 'skipped_no_security_focus';
+    injectionNodeId?: string;
+    deliveryId?: string;
+}
+export declare function processNewFinding(finding: FindingForInjection, options: AutoInjectOptions, deps: AutoInjectDeps): Promise<ProcessNewFindingResult>;
+export declare function buildDefaultAutoInjectDeps(): AutoInjectDeps;
+//# sourceMappingURL=security-auto-inject.d.ts.map

package/dist/security-auto-inject.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-auto-inject.d.ts","sourceRoot":"","sources":["../src/security-auto-inject.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAGH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAM1D,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,MAAM,EAAE,MAAM,GAAG,UAAU,GAAG,YAAY,CAAC;IAC3C,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAC5C,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;CAClC;AAED,MAAM,WAAW,iBAAiB;IAChC,2DAA2D;IAC3D,mBAAmB,EAAE,QAAQ,CAAC;IAC9B;;;;OAIG;IACH,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,iFAAiF;IACjF,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,cAAc;IAC7B,6DAA6D;IAC7D,oBAAoB,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC;QACnD,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC;KAChB,GAAG,IAAI,CAAC,CAAC;IACV;;;OAGG;IACH,gBAAgB,EAAE,CAAC,KAAK,EAAE;QACxB,MAAM,EAAE,MAAM,CAAC;QACf,cAAc,EAAE,MAAM,CAAC;QACvB,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAClC,KAAK,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClC;;OAEG;IACH,eAAe,EAAE,CAAC,KAAK,EAAE;QACvB,MAAM,EAAE,MAAM,CAAC;QACf,cAAc,EAAE,MAAM,CAAC;QACvB,SAAS,EAAE,MAAM,CAAC;QAClB,YAAY,EAAE,MAAM,CAAC;QACrB,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACxC,KAAK,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClC;;OAEG;IACH,cAAc,EAAE,CAAC,KAAK,EAAE;QACtB,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,cAAc,EAAE,MAAM,CAAC;QACvB,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;KACzB,KAAK,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtC,+DAA+D;IAC/D,WAAW,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3E,kCAAkC;IAClC,UAAU,EAAE,CAAC,KAAK,EAAE;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,cAAc,EAAE,MAAM,CAAC;QACvB,MAAM,EAAE,eAAe,GAAG,qBAAqB,CAAC;QAChD,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACnC,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACrB;AAaD,+DAA+D;AAC/D,wBAAgB,cAAc,CAAC,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,GAAG,OAAO,CAE/E;AAyCD,MAAM,WAAW,uBAAuB;IACtC,MAAM,EAAE,UAAU,GAAG,yBAAyB,GAAG,wBAAwB,GAAG,oBAAoB,GAAG,2BAA2B,CAAC;IAC/H,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,mBAAmB,EAC5B,OAAO,EAAE,iBAAiB,EAC1B,IAAI,EAAE,cAAc,GACnB,OAAO,CAAC,uBAAuB,CAAC,CA4DlC;AAMD,wBAAgB,0BAA0B,IAAI,cAAc,CAyB3D"}