@vaultcompass/vault-guard-core 1.0.0

package/dist/utils/entropy.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Compute Shannon entropy (bits per character) for a string.
+ *
+ * High-entropy strings (≥ ~3.5 bits/char) look random — the hallmark of a
+ * generated secret.  Low-entropy strings (< 3.5 bits/char) are readable
+ * words, git SHAs composed of a small alphabet, or repetitive padding.
+ *
+ * Used as a secondary gate for broad "generic" patterns that cannot be
+ * anchored to a vendor-specific prefix.
+ */
+export declare function shannonEntropy(value: string): number;
+/**
+ * Default entropy threshold for generic / catch-all patterns.
+ * Values below this are likely false positives (readable words, hex hashes…).
+ */
+export declare const DEFAULT_ENTROPY_THRESHOLD = 3.5;
+//# sourceMappingURL=entropy.d.ts.map

package/dist/utils/entropy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entropy.d.ts","sourceRoot":"","sources":["../../src/utils/entropy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAgBpD;AAED;;;GAGG;AACH,eAAO,MAAM,yBAAyB,MAAM,CAAC"}

package/dist/utils/entropy.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_ENTROPY_THRESHOLD = void 0;
+exports.shannonEntropy = shannonEntropy;
+/**
+ * Compute Shannon entropy (bits per character) for a string.
+ *
+ * High-entropy strings (≥ ~3.5 bits/char) look random — the hallmark of a
+ * generated secret.  Low-entropy strings (< 3.5 bits/char) are readable
+ * words, git SHAs composed of a small alphabet, or repetitive padding.
+ *
+ * Used as a secondary gate for broad "generic" patterns that cannot be
+ * anchored to a vendor-specific prefix.
+ */
+function shannonEntropy(value) {
+    if (value.length === 0)
+        return 0;
+    const freq = {};
+    for (const ch of value) {
+        freq[ch] = (freq[ch] ?? 0) + 1;
+    }
+    let h = 0;
+    const len = value.length;
+    for (const count of Object.values(freq)) {
+        const p = count / len;
+        h -= p * Math.log2(p);
+    }
+    return h;
+}
+/**
+ * Default entropy threshold for generic / catch-all patterns.
+ * Values below this are likely false positives (readable words, hex hashes…).
+ */
+exports.DEFAULT_ENTROPY_THRESHOLD = 3.5;
+//# sourceMappingURL=entropy.js.map

package/dist/utils/entropy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"entropy.js","sourceRoot":"","sources":["../../src/utils/entropy.ts"],"names":[],"mappings":";;;AAUA,wCAgBC;AA1BD;;;;;;;;;GASG;AACH,SAAgB,cAAc,CAAC,KAAa;IAC1C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAEjC,MAAM,IAAI,GAA2B,EAAE,CAAC;IACxC,KAAK,MAAM,EAAE,IAAI,KAAK,EAAE,CAAC;QACvB,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,CAAC;IACzB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;QACtB,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IAED,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;GAGG;AACU,QAAA,yBAAyB,GAAG,GAAG,CAAC"}

package/dist/utils/file-utils.d.ts

@@ -0,0 +1,39 @@
+import { DiagnosticBus } from '../diagnostics';
+/**
+ * Build a filter from `config.ignore.paths` / `config.ignore.patterns` entries.
+ *
+ * Patterns follow gitignore syntax (handled by the `ignore` package). Paths are
+ * matched against file paths relative to `root` so that patterns like
+ * `packages/**\/__tests__\/**` work as expected from the repo root.
+ *
+ * @returns A predicate that returns `true` when a file should be **excluded**.
+ */
+export declare function buildConfigIgnoreFilter(patterns: string[], root: string): (filePath: string) => boolean;
+/**
+ * Drop all cached `.gitignore` matchers. Call after long-lived processes
+ * detect an out-of-band change that `mtime` cannot observe, or in tests.
+ */
+export declare function clearGitignoreCache(): void;
+/**
+ * Get all files in directory recursively (async version)
+ */
+export declare function getAllFilesAsync(dirPath: string, visited?: Set<string>, verbose?: boolean, bus?: DiagnosticBus): Promise<string[]>;
+/**
+ * Get all files in directory recursively (sync version for backwards compatibility)
+ */
+export declare function getAllFiles(dirPath: string, visited?: Set<string>, verbose?: boolean, bus?: DiagnosticBus): string[];
+/**
+ * Get files to scan (filters out ignored directories/files) - async version
+ *
+ * @param configIgnorePatterns - gitignore-style patterns from `config.ignore.paths`
+ *   / `config.ignore.patterns`. Matched relative to `targetPath`.
+ */
+export declare function getFilesToScanAsync(targetPath: string, verbose?: boolean, bus?: DiagnosticBus, configIgnorePatterns?: string[]): Promise<string[]>;
+/**
+ * Get files to scan (filters out ignored directories/files) - sync version
+ *
+ * @param configIgnorePatterns - gitignore-style patterns from `config.ignore.paths`
+ *   / `config.ignore.patterns`. Matched relative to `targetPath`.
+ */
+export declare function getFilesToScan(targetPath: string, verbose?: boolean, bus?: DiagnosticBus, configIgnorePatterns?: string[]): string[];
+//# sourceMappingURL=file-utils.d.ts.map

package/dist/utils/file-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-utils.d.ts","sourceRoot":"","sources":["../../src/utils/file-utils.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAE/C;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,MAAM,EAAE,EAClB,IAAI,EAAE,MAAM,GACX,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAQ/B;AAgBD;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAE1C;AA2JD;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,MAAM,EACf,OAAO,cAAoB,EAC3B,OAAO,UAAQ,EACf,GAAG,CAAC,EAAE,aAAa,GAClB,OAAO,CAAC,MAAM,EAAE,CAAC,CAmEnB;AAED;;GAEG;AACH,wBAAgB,WAAW,CACzB,OAAO,EAAE,MAAM,EACf,OAAO,cAAoB,EAC3B,OAAO,UAAQ,EACf,GAAG,CAAC,EAAE,aAAa,GAClB,MAAM,EAAE,CAgEV;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,MAAM,EAClB,OAAO,UAAQ,EACf,GAAG,CAAC,EAAE,aAAa,EACnB,oBAAoB,GAAE,MAAM,EAAO,GAClC,OAAO,CAAC,MAAM,EAAE,CAAC,CAOnB;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,UAAU,EAAE,MAAM,EAClB,OAAO,UAAQ,EACf,GAAG,CAAC,EAAE,aAAa,EACnB,oBAAoB,GAAE,MAAM,EAAO,GAClC,MAAM,EAAE,CAOV"}

package/dist/utils/file-utils.js

@@ -0,0 +1,442 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildConfigIgnoreFilter = buildConfigIgnoreFilter;
+exports.clearGitignoreCache = clearGitignoreCache;
+exports.getAllFilesAsync = getAllFilesAsync;
+exports.getAllFiles = getAllFiles;
+exports.getFilesToScanAsync = getFilesToScanAsync;
+exports.getFilesToScan = getFilesToScan;
+const fs_1 = __importStar(require("fs"));
+const path_1 = __importDefault(require("path"));
+const ignore_1 = __importDefault(require("ignore"));
+/**
+ * Build a filter from `config.ignore.paths` / `config.ignore.patterns` entries.
+ *
+ * Patterns follow gitignore syntax (handled by the `ignore` package). Paths are
+ * matched against file paths relative to `root` so that patterns like
+ * `packages/**\/__tests__\/**` work as expected from the repo root.
+ *
+ * @returns A predicate that returns `true` when a file should be **excluded**.
+ */
+function buildConfigIgnoreFilter(patterns, root) {
+    if (patterns.length === 0)
+        return () => false;
+    const ig = (0, ignore_1.default)().add(patterns);
+    return (filePath) => {
+        const rel = path_1.default.relative(root, path_1.default.resolve(filePath)).split(path_1.default.sep).join('/');
+        if (!rel || rel.startsWith('..') || path_1.default.isAbsolute(rel))
+            return false;
+        return ig.ignores(rel);
+    };
+}
+const GITIGNORE_CACHE_MAX = 32;
+const gitignoreCache = new Map();
+/**
+ * Drop all cached `.gitignore` matchers. Call after long-lived processes
+ * detect an out-of-band change that `mtime` cannot observe, or in tests.
+ */
+function clearGitignoreCache() {
+    gitignoreCache.clear();
+}
+function touchCache(key, entry) {
+    gitignoreCache.delete(key);
+    gitignoreCache.set(key, { ...entry, lastUsed: Date.now() });
+    while (gitignoreCache.size > GITIGNORE_CACHE_MAX) {
+        const oldest = gitignoreCache.keys().next().value;
+        if (oldest === undefined)
+            break;
+        gitignoreCache.delete(oldest);
+    }
+}
+function isStale(entry) {
+    for (let i = 0; i < entry.watchPaths.length; i++) {
+        const p = entry.watchPaths[i];
+        const expected = entry.mtimesMs[i];
+        try {
+            if (fs_1.default.statSync(p).mtimeMs !== expected)
+                return true;
+        }
+        catch {
+            return true;
+        }
+    }
+    return false;
+}
+function findGitRoot(startDir) {
+    let dir = path_1.default.resolve(startDir);
+    while (true) {
+        if (fs_1.default.existsSync(path_1.default.join(dir, '.git'))) {
+            return dir;
+        }
+        const parent = path_1.default.dirname(dir);
+        if (parent === dir)
+            return null;
+        dir = parent;
+    }
+}
+function filesystemRootFor(resolvedPath) {
+    return path_1.default.parse(resolvedPath).root;
+}
+/** Prefix a single `.gitignore` line for rules defined in a subdirectory. */
+function qualifyGitignoreLine(line, posixPrefix) {
+    if (!posixPrefix)
+        return line;
+    const trimmed = line.trimEnd();
+    if (!trimmed || trimmed.startsWith('#'))
+        return line;
+    const neg = trimmed.startsWith('!');
+    const body = neg ? trimmed.slice(1) : trimmed;
+    if (!body)
+        return line;
+    let out;
+    if (body.startsWith('/')) {
+        out = `${posixPrefix}${body}`;
+    }
+    else if (body.includes('/')) {
+        out = `${posixPrefix}/${body}`;
+    }
+    else {
+        out = `${posixPrefix}/**/${body}`;
+    }
+    return neg ? `!${out}` : out;
+}
+function qualifyGitignoreContent(content, posixPrefix) {
+    if (!posixPrefix)
+        return content;
+    return content.split('\n').map(l => qualifyGitignoreLine(l, posixPrefix)).join('\n');
+}
+/**
+ * Walk upward from `resolvedScan` through `stopAt` (inclusive), collect each
+ * `.gitignore`, then return entries in shallow-to-deep order for merging.
+ */
+function collectGitignoreChain(resolvedScan, stopAt) {
+    const stop = path_1.default.resolve(stopAt);
+    const raw = [];
+    let dir = path_1.default.resolve(resolvedScan);
+    while (true) {
+        const absGitignore = path_1.default.join(dir, '.gitignore');
+        if (fs_1.default.existsSync(absGitignore)) {
+            try {
+                raw.push({
+                    dir,
+                    absGitignore,
+                    content: fs_1.default.readFileSync(absGitignore, 'utf-8'),
+                });
+            }
+            catch {
+                /* unreadable .gitignore — treat as absent */
+            }
+        }
+        if (dir === stop)
+            break;
+        const parent = path_1.default.dirname(dir);
+        if (parent === dir)
+            break;
+        dir = parent;
+    }
+    raw.reverse();
+    return raw;
+}
+function buildIgnoreFilter(resolvedScanRoot) {
+    const gitRoot = findGitRoot(resolvedScanRoot);
+    const stopAt = gitRoot ?? filesystemRootFor(resolvedScanRoot);
+    const chain = collectGitignoreChain(resolvedScanRoot, stopAt);
+    const ig = (0, ignore_1.default)();
+    for (const { dir, content } of chain) {
+        const relDir = path_1.default.relative(stopAt, dir).split(path_1.default.sep).join('/');
+        const posixPrefix = relDir === '' || relDir === '.' ? '' : relDir;
+        ig.add(qualifyGitignoreContent(content, posixPrefix));
+    }
+    const watchPaths = chain.map(c => c.absGitignore);
+    const mtimesMs = watchPaths.map(p => {
+        try {
+            return fs_1.default.statSync(p).mtimeMs;
+        }
+        catch {
+            return -1;
+        }
+    });
+    const tester = (filePath) => {
+        const rel = path_1.default.relative(stopAt, path_1.default.resolve(filePath)).split(path_1.default.sep).join('/');
+        if (rel.startsWith('..') || path_1.default.isAbsolute(rel)) {
+            return false;
+        }
+        const posixPath = rel === '' ? '.' : rel;
+        return ig.ignores(posixPath);
+    };
+    return {
+        lastUsed: Date.now(),
+        tester,
+        watchPaths,
+        mtimesMs,
+    };
+}
+function getGitignoreTester(scanRoot) {
+    const key = path_1.default.resolve(scanRoot);
+    const hit = gitignoreCache.get(key);
+    if (hit && !isStale(hit)) {
+        touchCache(key, hit);
+        return hit.tester;
+    }
+    const built = buildIgnoreFilter(key);
+    touchCache(key, built);
+    return built.tester;
+}
+/**
+ * Get all files in directory recursively (async version)
+ */
+async function getAllFilesAsync(dirPath, visited = new Set(), verbose = false, bus) {
+    const files = [];
+    try {
+        try {
+            await fs_1.promises.access(dirPath);
+        }
+        catch {
+            if (bus) {
+                bus.add({
+                    code: 'fs.permission_denied',
+                    severity: 'warning',
+                    ctx: { dir: dirPath },
+                });
+            }
+            return files;
+        }
+        const realPath = fs_1.default.realpathSync(dirPath);
+        if (visited.has(realPath)) {
+            return files;
+        }
+        visited.add(realPath);
+        const items = await fs_1.promises.readdir(dirPath);
+        for (const item of items) {
+            try {
+                const fullPath = path_1.default.join(dirPath, item);
+                const lstat = await fs_1.promises.lstat(fullPath);
+                if (lstat.isSymbolicLink()) {
+                    continue;
+                }
+                if (lstat.isDirectory() && !shouldIgnoreDirectory(item)) {
+                    const subFiles = await getAllFilesAsync(fullPath, visited, verbose, bus);
+                    files.push(...subFiles);
+                }
+                else if (lstat.isFile() && !shouldIgnoreFile(fullPath)) {
+                    files.push(fullPath);
+                }
+            }
+            catch (error) {
+                if (bus) {
+                    bus.add({
+                        code: 'fs.permission_denied',
+                        severity: 'warning',
+                        ctx: { path: path_1.default.join(dirPath, item), detail: String(error) },
+                    });
+                }
+                if (verbose) {
+                    console.error(`Warning: Cannot access ${path_1.default.join(dirPath, item)}:`, error);
+                }
+            }
+        }
+    }
+    catch (error) {
+        if (bus) {
+            bus.add({
+                code: 'fs.permission_denied',
+                severity: 'warning',
+                ctx: { dir: dirPath, detail: String(error) },
+            });
+        }
+        if (verbose) {
+            console.error(`Warning: Cannot read directory ${dirPath}:`, error);
+        }
+    }
+    return files;
+}
+/**
+ * Get all files in directory recursively (sync version for backwards compatibility)
+ */
+function getAllFiles(dirPath, visited = new Set(), verbose = false, bus) {
+    const files = [];
+    try {
+        if (!fs_1.default.existsSync(dirPath)) {
+            if (bus) {
+                bus.add({
+                    code: 'fs.permission_denied',
+                    severity: 'warning',
+                    ctx: { dir: dirPath },
+                });
+            }
+            return files;
+        }
+        const realPath = fs_1.default.realpathSync(dirPath);
+        if (visited.has(realPath)) {
+            return files;
+        }
+        visited.add(realPath);
+        const items = fs_1.default.readdirSync(dirPath);
+        for (const item of items) {
+            try {
+                const fullPath = path_1.default.join(dirPath, item);
+                const lstat = fs_1.default.lstatSync(fullPath);
+                if (lstat.isSymbolicLink()) {
+                    continue;
+                }
+                if (lstat.isDirectory() && !shouldIgnoreDirectory(item)) {
+                    files.push(...getAllFiles(fullPath, visited, verbose, bus));
+                }
+                else if (lstat.isFile() && !shouldIgnoreFile(fullPath)) {
+                    files.push(fullPath);
+                }
+            }
+            catch (error) {
+                if (bus) {
+                    bus.add({
+                        code: 'fs.permission_denied',
+                        severity: 'warning',
+                        ctx: { path: path_1.default.join(dirPath, item), detail: String(error) },
+                    });
+                }
+                if (verbose) {
+                    console.error(`Warning: Cannot access ${path_1.default.join(dirPath, item)}:`, error);
+                }
+            }
+        }
+    }
+    catch (error) {
+        if (bus) {
+            bus.add({
+                code: 'fs.permission_denied',
+                severity: 'warning',
+                ctx: { dir: dirPath, detail: String(error) },
+            });
+        }
+        if (verbose) {
+            console.error(`Warning: Cannot read directory ${dirPath}:`, error);
+        }
+    }
+    return files;
+}
+/**
+ * Get files to scan (filters out ignored directories/files) - async version
+ *
+ * @param configIgnorePatterns - gitignore-style patterns from `config.ignore.paths`
+ *   / `config.ignore.patterns`. Matched relative to `targetPath`.
+ */
+async function getFilesToScanAsync(targetPath, verbose = false, bus, configIgnorePatterns = []) {
+    const allFiles = await getAllFilesAsync(targetPath, new Set(), verbose, bus);
+    const gitignoreTester = getGitignoreTester(targetPath);
+    const configIgnoreTester = buildConfigIgnoreFilter(configIgnorePatterns, targetPath);
+    return allFiles.filter(file => !shouldIgnoreFile(file, gitignoreTester) && !configIgnoreTester(file));
+}
+/**
+ * Get files to scan (filters out ignored directories/files) - sync version
+ *
+ * @param configIgnorePatterns - gitignore-style patterns from `config.ignore.paths`
+ *   / `config.ignore.patterns`. Matched relative to `targetPath`.
+ */
+function getFilesToScan(targetPath, verbose = false, bus, configIgnorePatterns = []) {
+    const allFiles = getAllFiles(targetPath, new Set(), verbose, bus);
+    const gitignoreTester = getGitignoreTester(targetPath);
+    const configIgnoreTester = buildConfigIgnoreFilter(configIgnorePatterns, targetPath);
+    return allFiles.filter(file => !shouldIgnoreFile(file, gitignoreTester) && !configIgnoreTester(file));
+}
+function shouldIgnoreDirectory(name) {
+    const ignoreDirs = [
+        'node_modules',
+        '.git',
+        'dist',
+        'build',
+        'coverage',
+        '.next',
+        '.turbo',
+        // Vendored / generated trees: third-party or tool-managed content where
+        // matches are not the user's secrets and the volume drowns real findings.
+        '.yarn',
+        'vendor',
+        '.venv',
+        'venv',
+        '__pycache__',
+        '.mypy_cache',
+        '.pytest_cache',
+        '.gradle',
+        '.svelte-kit',
+    ];
+    return ignoreDirs.includes(name);
+}
+/**
+ * Minified / bundled / generated single-file artifacts. These are never
+ * hand-authored, routinely committed, and a major false-positive source:
+ * broad key shapes (e.g. `AKIA…`) occur by chance inside large minified blobs.
+ */
+function isGeneratedArtifact(basename) {
+    return (/\.min\.(js|mjs|cjs|css)$/.test(basename) ||
+        /\.bundle\.(js|mjs|cjs)$/.test(basename) ||
+        basename === '.pnp.cjs' ||
+        basename === '.pnp.loader.mjs');
+}
+function shouldIgnoreFile(filePath, gitignoreTester) {
+    const ext = path_1.default.extname(filePath);
+    const ignoreExts = [
+        '.png',
+        '.jpg',
+        '.jpeg',
+        '.gif',
+        '.ico',
+        '.pdf',
+        '.zip',
+        '.tar',
+        '.gz',
+        '.lock',
+        '.log',
+        '.map',
+    ];
+    if (ignoreExts.includes(ext)) {
+        return true;
+    }
+    const basename = path_1.default.basename(filePath);
+    if (basename === 'package-lock.json' || basename === 'pnpm-lock.yaml' || basename === 'yarn.lock') {
+        return true;
+    }
+    if (isGeneratedArtifact(basename)) {
+        return true;
+    }
+    if (gitignoreTester && gitignoreTester(filePath)) {
+        return true;
+    }
+    return false;
+}
+//# sourceMappingURL=file-utils.js.map

package/dist/utils/file-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-utils.js","sourceRoot":"","sources":["../../src/utils/file-utils.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAeA,0DAWC;AAoBD,kDAEC;AA8JD,4CAwEC;AAKD,kCAqEC;AAQD,kDAYC;AAQD,wCAYC;AAxYD,yCAAgD;AAChD,gDAAwB;AACxB,oDAA4B;AAI5B;;;;;;;;GAQG;AACH,SAAgB,uBAAuB,CACrC,QAAkB,EAClB,IAAY;IAEZ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,GAAG,EAAE,CAAC,KAAK,CAAC;IAC9C,MAAM,EAAE,GAAG,IAAA,gBAAM,GAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAClC,OAAO,CAAC,QAAgB,EAAW,EAAE;QACnC,MAAM,GAAG,GAAG,cAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,cAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,cAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClF,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,cAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QACvE,OAAO,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC,CAAC;AACJ,CAAC;AAED,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAY/B,MAAM,cAAc,GAAG,IAAI,GAAG,EAA8B,CAAC;AAE7D;;;GAGG;AACH,SAAgB,mBAAmB;IACjC,cAAc,CAAC,KAAK,EAAE,CAAC;AACzB,CAAC;AAED,SAAS,UAAU,CAAC,GAAW,EAAE,KAAyB;IACxD,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC3B,cAAc,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,GAAG,KAAK,EAAE,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC5D,OAAO,cAAc,CAAC,IAAI,GAAG,mBAAmB,EAAE,CAAC;QACjD,MAAM,MAAM,GAAG,cAAc,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;QAClD,IAAI,MAAM,KAAK,SAAS;YAAE,MAAM;QAChC,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED,SAAS,OAAO,CAAC,KAAyB;IACxC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACjD,MAAM,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC9B,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QACnC,IAAI,CAAC;YACH,IAAI,YAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAAC,QAAgB;IACnC,IAAI,GAAG,GAAG,cAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACjC,OAAO,IAAI,EAAE,CAAC;QACZ,IAAI,YAAE,CAAC,UAAU,CAAC,cAAI,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;YAC1C,OAAO,GAAG,CAAC;QACb,CAAC;QACD,MAAM,MAAM,GAAG,cAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,MAAM,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QAChC,GAAG,GAAG,MAAM,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,YAAoB;IAC7C,OAAO,cAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC;AACvC,CAAC;AAQD,6EAA6E;AAC7E,SAAS,oBAAoB,CAAC,IAAY,EAAE,WAAmB;IAC7D,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAErD,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAC9C,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,IAAI,GAAW,CAAC;IAChB,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACzB,GAAG,GAAG,GAAG,WAAW,GAAG,IAAI,EAAE,CAAC;IAChC,CAAC;SAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9B,GAAG,GAAG,GAAG,WAAW,IAAI,IAAI,EAAE,CAAC;IACjC,CAAC;SAAM,CAAC;QACN,GAAG,GAAG,GAAG,WAAW,OAAO,IAAI,EAAE,CAAC;IACpC,CAAC;IACD,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;AAC/B,CAAC;AAED,SAAS,uBAAuB,CAAC,OAAe,EAAE,WAAmB;IACnE,IAAI,CAAC,WAAW;QAAE,OAAO,OAAO,CAAC;IACjC,OAAO,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,oBAAoB,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACvF,CAAC;AAED;;;GAGG;AACH,SAAS,qBAAqB,CAAC,YAAoB,EAAE,MAAc;IACjE,MAAM,IAAI,GAAG,cAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAClC,MAAM,GAAG,GAA0B,EAAE,CAAC;IACtC,IAAI,GAAG,GAAG,cAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAErC,OAAO,IAAI,EAAE,CAAC;QACZ,MAAM,YAAY,GAAG,cAAI,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QAClD,IAAI,YAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAChC,IAAI,CAAC;gBACH,GAAG,CAAC,IAAI,CAAC;oBACP,GAAG;oBACH,YAAY;oBACZ,OAAO,EAAE,YAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC;iBAChD,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,6CAA6C;YAC/C,CAAC;QACH,CAAC;QACD,IAAI,GAAG,KAAK,IAAI;YAAE,MAAM;QACxB,MAAM,MAAM,GAAG,cAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,MAAM,KAAK,GAAG;YAAE,MAAM;QAC1B,GAAG,GAAG,MAAM,CAAC;IACf,CAAC;IAED,GAAG,CAAC,OAAO,EAAE,CAAC;IACd,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,iBAAiB,CAAC,gBAAwB;IACjD,MAAM,OAAO,GAAG,WAAW,CAAC,gBAAgB,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,OAAO,IAAI,iBAAiB,CAAC,gBAAgB,CAAC,CAAC;IAC9D,MAAM,KAAK,GAAG,qBAAqB,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAE9D,MAAM,EAAE,GAAG,IAAA,gBAAM,GAAE,CAAC;IACpB,KAAK,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,KAAK,EAAE,CAAC;QACrC,MAAM,MAAM,GAAG,cAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,cAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACpE,MAAM,WAAW,GAAG,MAAM,KAAK,EAAE,IAAI,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;QAClE,EAAE,CAAC,GAAG,CAAC,uBAAuB,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;QAClC,IAAI,CAAC;YACH,OAAO,YAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;QAChC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,CAAC,CAAC;QACZ,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,CAAC,QAAgB,EAAW,EAAE;QAC3C,MAAM,GAAG,GAAG,cAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,cAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,cAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACpF,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,cAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACjD,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,SAAS,GAAG,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;QACzC,OAAO,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAC/B,CAAC,CAAC;IAEF,OAAO;QACL,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE;QACpB,MAAM;QACN,UAAU;QACV,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,QAAgB;IAC1C,MAAM,GAAG,GAAG,cAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,MAAM,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACzB,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACrB,OAAO,GAAG,CAAC,MAAM,CAAC;IACpB,CAAC;IACD,MAAM,KAAK,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IACrC,UAAU,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACvB,OAAO,KAAK,CAAC,MAAM,CAAC;AACtB,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,gBAAgB,CACpC,OAAe,EACf,UAAU,IAAI,GAAG,EAAU,EAC3B,OAAO,GAAG,KAAK,EACf,GAAmB;IAEnB,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,CAAC;QACH,IAAI,CAAC;YACH,MAAM,aAAU,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,GAAG,EAAE,CAAC;gBACR,GAAG,CAAC,GAAG,CAAC;oBACN,IAAI,EAAE,sBAAsB;oBAC5B,QAAQ,EAAE,SAAS;oBACnB,GAAG,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE;iBACtB,CAAC,CAAC;YACL,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,QAAQ,GAAG,YAAE,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAC1C,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1B,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAEtB,MAAM,KAAK,GAAG,MAAM,aAAU,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAEhD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,cAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;gBAC1C,MAAM,KAAK,GAAG,MAAM,aAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;gBAE/C,IAAI,KAAK,CAAC,cAAc,EAAE,EAAE,CAAC;oBAC3B,SAAS;gBACX,CAAC;gBAED,IAAI,KAAK,CAAC,WAAW,EAAE,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC;oBACxD,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;oBACzE,KAAK,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;gBAC1B,CAAC;qBAAM,IAAI,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACzD,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACvB,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,GAAG,EAAE,CAAC;oBACR,GAAG,CAAC,GAAG,CAAC;wBACN,IAAI,EAAE,sBAAsB;wBAC5B,QAAQ,EAAE,SAAS;wBACnB,GAAG,EAAE,EAAE,IAAI,EAAE,cAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE;qBAC/D,CAAC,CAAC;gBACL,CAAC;gBACD,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,KAAK,CAAC,0BAA0B,cAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;gBAC9E,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,GAAG,EAAE,CAAC;YACR,GAAG,CAAC,GAAG,CAAC;gBACN,IAAI,EAAE,sBAAsB;gBAC5B,QAAQ,EAAE,SAAS;gBACnB,GAAG,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE;aAC7C,CAAC,CAAC;QACL,CAAC;QACD,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,KAAK,CAAC,kCAAkC,OAAO,GAAG,EAAE,KAAK,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAgB,WAAW,CACzB,OAAe,EACf,UAAU,IAAI,GAAG,EAAU,EAC3B,OAAO,GAAG,KAAK,EACf,GAAmB;IAEnB,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,CAAC;QACH,IAAI,CAAC,YAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5B,IAAI,GAAG,EAAE,CAAC;gBACR,GAAG,CAAC,GAAG,CAAC;oBACN,IAAI,EAAE,sBAAsB;oBAC5B,QAAQ,EAAE,SAAS;oBACnB,GAAG,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE;iBACtB,CAAC,CAAC;YACL,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,QAAQ,GAAG,YAAE,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAC1C,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1B,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAEtB,MAAM,KAAK,GAAG,YAAE,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAEtC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,cAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;gBAC1C,MAAM,KAAK,GAAG,YAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;gBAErC,IAAI,KAAK,CAAC,cAAc,EAAE,EAAE,CAAC;oBAC3B,SAAS;gBACX,CAAC;gBAED,IAAI,KAAK,CAAC,WAAW,EAAE,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC;oBACxD,KAAK,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;gBAC9D,CAAC;qBAAM,IAAI,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACzD,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACvB,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,GAAG,EAAE,CAAC;oBACR,GAAG,CAAC,GAAG,CAAC;wBACN,IAAI,EAAE,sBAAsB;wBAC5B,QAAQ,EAAE,SAAS;wBACnB,GAAG,EAAE,EAAE,IAAI,EAAE,cAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE;qBAC/D,CAAC,CAAC;gBACL,CAAC;gBACD,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,KAAK,CAAC,0BAA0B,cAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;gBAC9E,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,GAAG,EAAE,CAAC;YACR,GAAG,CAAC,GAAG,CAAC;gBACN,IAAI,EAAE,sBAAsB;gBAC5B,QAAQ,EAAE,SAAS;gBACnB,GAAG,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE;aAC7C,CAAC,CAAC;QACL,CAAC;QACD,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,KAAK,CAAC,kCAAkC,OAAO,GAAG,EAAE,KAAK,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,mBAAmB,CACvC,UAAkB,EAClB,OAAO,GAAG,KAAK,EACf,GAAmB,EACnB,uBAAiC,EAAE;IAEnC,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,UAAU,EAAE,IAAI,GAAG,EAAE,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;IAC7E,MAAM,eAAe,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;IACvD,MAAM,kBAAkB,GAAG,uBAAuB,CAAC,oBAAoB,EAAE,UAAU,CAAC,CAAC;IACrF,OAAO,QAAQ,CAAC,MAAM,CACpB,IAAI,CAAC,EAAE,CAAC,CAAC,gBAAgB,CAAC,IAAI,EAAE,eAAe,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAC9E,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,cAAc,CAC5B,UAAkB,EAClB,OAAO,GAAG,KAAK,EACf,GAAmB,EACnB,uBAAiC,EAAE;IAEnC,MAAM,QAAQ,GAAG,WAAW,CAAC,UAAU,EAAE,IAAI,GAAG,EAAE,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;IAClE,MAAM,eAAe,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;IACvD,MAAM,kBAAkB,GAAG,uBAAuB,CAAC,oBAAoB,EAAE,UAAU,CAAC,CAAC;IACrF,OAAO,QAAQ,CAAC,MAAM,CACpB,IAAI,CAAC,EAAE,CAAC,CAAC,gBAAgB,CAAC,IAAI,EAAE,eAAe,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAC9E,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAY;IACzC,MAAM,UAAU,GAAG;QACjB,cAAc;QACd,MAAM;QACN,MAAM;QACN,OAAO;QACP,UAAU;QACV,OAAO;QACP,QAAQ;QACR,wEAAwE;QACxE,0EAA0E;QAC1E,OAAO;QACP,QAAQ;QACR,OAAO;QACP,MAAM;QACN,aAAa;QACb,aAAa;QACb,eAAe;QACf,SAAS;QACT,aAAa;KACd,CAAC;IACF,OAAO,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AACnC,CAAC;AAED;;;;GAIG;AACH,SAAS,mBAAmB,CAAC,QAAgB;IAC3C,OAAO,CACL,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC;QACzC,yBAAyB,CAAC,IAAI,CAAC,QAAQ,CAAC;QACxC,QAAQ,KAAK,UAAU;QACvB,QAAQ,KAAK,iBAAiB,CAC/B,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CACvB,QAAgB,EAChB,eAA+C;IAE/C,MAAM,GAAG,GAAG,cAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,MAAM,UAAU,GAAG;QACjB,MAAM;QACN,MAAM;QACN,OAAO;QACP,MAAM;QACN,MAAM;QACN,MAAM;QACN,MAAM;QACN,MAAM;QACN,KAAK;QACL,OAAO;QACP,MAAM;QACN,MAAM;KACP,CAAC;IAEF,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,QAAQ,GAAG,cAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACzC,IAAI,QAAQ,KAAK,mBAAmB,IAAI,QAAQ,KAAK,gBAAgB,IAAI,QAAQ,KAAK,WAAW,EAAE,CAAC;QAClG,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,mBAAmB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,eAAe,IAAI,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/utils/git-utils.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Return absolute paths of files staged for commit (cached index vs HEAD).
+ * Excludes deleted paths; only returns paths that still exist on disk.
+ *
+ * Throws `GitError` on git failure rather than returning an empty list.
+ * Returning `[]` silently on git failure would produce a false "✅ nothing
+ * staged" result in pre-commit, letting secrets through undetected.
+ */
+export declare function getGitStagedFilePaths(cwd?: string): string[];
+/** True when `cwd` is inside a work tree with a `.git` directory or file. */
+export declare function isInsideGitWorkTree(cwd?: string): boolean;
+//# sourceMappingURL=git-utils.d.ts.map

package/dist/utils/git-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"git-utils.d.ts","sourceRoot":"","sources":["../../src/utils/git-utils.ts"],"names":[],"mappings":"AAKA;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,GAAE,MAAsB,GAAG,MAAM,EAAE,CAuB3E;AAED,6EAA6E;AAC7E,wBAAgB,mBAAmB,CAAC,GAAG,GAAE,MAAsB,GAAG,OAAO,CAWxE"}

package/dist/utils/git-utils.js

@@ -0,0 +1,55 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getGitStagedFilePaths = getGitStagedFilePaths;
+exports.isInsideGitWorkTree = isInsideGitWorkTree;
+const child_process_1 = require("child_process");
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const errors_1 = require("../errors");
+/**
+ * Return absolute paths of files staged for commit (cached index vs HEAD).
+ * Excludes deleted paths; only returns paths that still exist on disk.
+ *
+ * Throws `GitError` on git failure rather than returning an empty list.
+ * Returning `[]` silently on git failure would produce a false "✅ nothing
+ * staged" result in pre-commit, letting secrets through undetected.
+ */
+function getGitStagedFilePaths(cwd = process.cwd()) {
+    const cmd = 'git diff --cached --name-only --diff-filter=ACMRT';
+    let out;
+    try {
+        out = (0, child_process_1.execSync)(cmd, {
+            cwd,
+            encoding: 'utf-8',
+            stdio: ['ignore', 'pipe', 'pipe'],
+        });
+    }
+    catch (err) {
+        throw new errors_1.GitError(`Failed to list staged files — is this a git repository? (cwd: ${cwd})\n` +
+            `Run 'git status' to verify.\nUnderlying error: ${String(err)}`, cmd, err);
+    }
+    return out
+        .split('\n')
+        .map((line) => line.trim())
+        .filter(Boolean)
+        .map((rel) => path_1.default.resolve(cwd, rel))
+        .filter((abs) => fs_1.default.existsSync(abs) && fs_1.default.statSync(abs).isFile());
+}
+/** True when `cwd` is inside a work tree with a `.git` directory or file. */
+function isInsideGitWorkTree(cwd = process.cwd()) {
+    try {
+        (0, child_process_1.execSync)('git rev-parse --is-inside-work-tree', {
+            cwd,
+            encoding: 'utf-8',
+            stdio: ['ignore', 'pipe', 'pipe'],
+        });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=git-utils.js.map

package/dist/utils/git-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"git-utils.js","sourceRoot":"","sources":["../../src/utils/git-utils.ts"],"names":[],"mappings":";;;;;AAaA,sDAuBC;AAGD,kDAWC;AAlDD,iDAAyC;AACzC,4CAAoB;AACpB,gDAAwB;AACxB,sCAAqC;AAErC;;;;;;;GAOG;AACH,SAAgB,qBAAqB,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IAC/D,MAAM,GAAG,GAAG,mDAAmD,CAAC;IAChE,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,IAAA,wBAAQ,EAAC,GAAG,EAAE;YAClB,GAAG;YACH,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,iBAAQ,CAChB,iEAAiE,GAAG,KAAK;YACvE,kDAAkD,MAAM,CAAC,GAAG,CAAC,EAAE,EACjE,GAAG,EACH,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO,GAAG;SACP,KAAK,CAAC,IAAI,CAAC;SACX,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;SAC1B,MAAM,CAAC,OAAO,CAAC;SACf,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,cAAI,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;SACpC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,YAAE,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,YAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;AACtE,CAAC;AAED,6EAA6E;AAC7E,SAAgB,mBAAmB,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IAC7D,IAAI,CAAC;QACH,IAAA,wBAAQ,EAAC,qCAAqC,EAAE;YAC9C,GAAG;YACH,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/utils/path-severity.d.ts

@@ -0,0 +1,17 @@
+import type { SecretMatch } from '../types';
+/**
+ * Return `true` when `filePath` looks like a test or fixture file.
+ */
+export declare function isTestFilePath(filePath: string): boolean;
+/**
+ * Downgrade low-precision generic pattern findings to `'low'` severity when
+ * they appear inside a test / fixture file.
+ *
+ * Rationale: password assignments, bearer tokens, and generic api-key patterns
+ * are common in test scaffolding (`const password = 'Admin1234!'`) and are
+ * rarely real leaked credentials in that context. Vendor-anchored patterns
+ * (aws-access, anthropic, stripe, …) are unaffected — a real key in a test
+ * file is still worth a `critical` alert.
+ */
+export declare function applyPathAwareSeverity(matches: SecretMatch[], filePath: string): SecretMatch[];
+//# sourceMappingURL=path-severity.d.ts.map

package/dist/utils/path-severity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-severity.d.ts","sourceRoot":"","sources":["../../src/utils/path-severity.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AA2D5C;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAKxD;AAED;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,WAAW,EAAE,EACtB,QAAQ,EAAE,MAAM,GACf,WAAW,EAAE,CASf"}