@vyuhlabs/dxkit 2.10.0 → 2.11.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +122 -0
- package/dist/allowlist/cli.d.ts +23 -23
- package/dist/allowlist/cli.d.ts.map +1 -1
- package/dist/allowlist/cli.js +72 -34
- package/dist/allowlist/cli.js.map +1 -1
- package/dist/allowlist/file.d.ts +7 -1
- package/dist/allowlist/file.d.ts.map +1 -1
- package/dist/allowlist/file.js +7 -1
- package/dist/allowlist/file.js.map +1 -1
- package/dist/analysis-result.d.ts +10 -0
- package/dist/analysis-result.d.ts.map +1 -1
- package/dist/analyzers/cache.d.ts +1 -0
- package/dist/analyzers/cache.d.ts.map +1 -1
- package/dist/analyzers/cache.js +69 -0
- package/dist/analyzers/cache.js.map +1 -1
- package/dist/analyzers/security/aggregator.d.ts +90 -90
- package/dist/analyzers/security/aggregator.d.ts.map +1 -1
- package/dist/analyzers/security/aggregator.js +140 -56
- package/dist/analyzers/security/aggregator.js.map +1 -1
- package/dist/analyzers/security/gather.d.ts +2 -0
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +30 -4
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/security/types.d.ts +29 -7
- package/dist/analyzers/security/types.d.ts.map +1 -1
- package/dist/analyzers/tools/fingerprint.d.ts +133 -20
- package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
- package/dist/analyzers/tools/fingerprint.js +194 -20
- package/dist/analyzers/tools/fingerprint.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts +2 -2
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +7 -1
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +28 -0
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/grep-secrets.d.ts.map +1 -1
- package/dist/analyzers/tools/grep-secrets.js +22 -12
- package/dist/analyzers/tools/grep-secrets.js.map +1 -1
- package/dist/analyzers/tools/salt.d.ts +68 -0
- package/dist/analyzers/tools/salt.d.ts.map +1 -0
- package/dist/{baseline → analyzers/tools}/salt.js +59 -18
- package/dist/analyzers/tools/salt.js.map +1 -0
- package/dist/analyzers/tools/semgrep.d.ts +7 -7
- package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
- package/dist/analyzers/tools/semgrep.js +14 -7
- package/dist/analyzers/tools/semgrep.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +4 -4
- package/dist/baseline/baseline-file.d.ts +9 -2
- package/dist/baseline/baseline-file.d.ts.map +1 -1
- package/dist/baseline/baseline-file.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +14 -0
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +33 -0
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +78 -2
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +1 -1
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +3 -1
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/finding-identity.d.ts +20 -13
- package/dist/baseline/finding-identity.d.ts.map +1 -1
- package/dist/baseline/finding-identity.js +51 -20
- package/dist/baseline/finding-identity.js.map +1 -1
- package/dist/baseline/migrate.d.ts +94 -0
- package/dist/baseline/migrate.d.ts.map +1 -0
- package/dist/baseline/migrate.js +238 -0
- package/dist/baseline/migrate.js.map +1 -0
- package/dist/baseline/producers/security.d.ts +9 -9
- package/dist/baseline/producers/security.d.ts.map +1 -1
- package/dist/baseline/producers/security.js +16 -4
- package/dist/baseline/producers/security.js.map +1 -1
- package/dist/baseline/types.d.ts +145 -95
- package/dist/baseline/types.d.ts.map +1 -1
- package/dist/baseline/types.js +30 -26
- package/dist/baseline/types.js.map +1 -1
- package/dist/explore/context-hook-format.d.ts +55 -0
- package/dist/explore/context-hook-format.d.ts.map +1 -0
- package/dist/explore/context-hook-format.js +153 -0
- package/dist/explore/context-hook-format.js.map +1 -0
- package/dist/explore/context-hook.d.ts +8 -18
- package/dist/explore/context-hook.d.ts.map +1 -1
- package/dist/explore/context-hook.js +24 -87
- package/dist/explore/context-hook.js.map +1 -1
- package/dist/explore/finding-context.d.ts +17 -0
- package/dist/explore/finding-context.d.ts.map +1 -1
- package/dist/explore/finding-context.js +34 -0
- package/dist/explore/finding-context.js.map +1 -1
- package/dist/explore/queries.d.ts +32 -15
- package/dist/explore/queries.d.ts.map +1 -1
- package/dist/explore/queries.js +36 -6
- package/dist/explore/queries.js.map +1 -1
- package/dist/ingest/normalize.d.ts +1 -1
- package/dist/ingest/normalize.d.ts.map +1 -1
- package/dist/ingest/normalize.js +5 -1
- package/dist/ingest/normalize.js.map +1 -1
- package/dist/ingest/sarif.d.ts.map +1 -1
- package/dist/ingest/sarif.js +16 -7
- package/dist/ingest/sarif.js.map +1 -1
- package/dist/ingest/types.d.ts +23 -12
- package/dist/ingest/types.d.ts.map +1 -1
- package/dist/languages/capabilities/types.d.ts +64 -53
- package/dist/languages/capabilities/types.d.ts.map +1 -1
- package/dist/languages/capabilities/types.js +4 -4
- package/dist/update.d.ts.map +1 -1
- package/dist/update.js +49 -0
- package/dist/update.js.map +1 -1
- package/dist/upgrade.d.ts.map +1 -1
- package/dist/upgrade.js +2 -1
- package/dist/upgrade.js.map +1 -1
- package/package.json +6 -3
- package/templates/.claude/skills/dxkit-update/SKILL.md +45 -4
- package/dist/baseline/salt.d.ts +0 -45
- package/dist/baseline/salt.d.ts.map +0 -1
- package/dist/baseline/salt.js.map +0 -1
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"migrate.d.ts","sourceRoot":"","sources":["../../src/baseline/migrate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAQH,OAAO,KAAK,EACV,aAAa,EACb,aAAa,EACb,qBAAqB,EAEtB,MAAM,SAAS,CAAC;AAEjB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAExD,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,UAAU,EAAE,qBAAqB,CAAC;IAC3C,QAAQ,CAAC,QAAQ,EAAE,qBAAqB,CAAC;IACzC;gEAC4D;IAC5D,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,6EAA6E;IAC7E,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;IACnC;;oCAEgC;IAChC,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC;wEACoE;IACpE,QAAQ,CAAC,iBAAiB,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;IAC1D;6DACyD;IACzD,QAAQ,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CACtC;AAED;;;;;;;;GAQG;AACH,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,aAAa,GAAG,aAAa,GAAG,SAAS,CA2C5F;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,aAAa,CAAC,aAAa,CAAC,EACrC,IAAI,EAAE,qBAAqB,GAC1B,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAWrB;AAED;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAC/B,GAAG,EAAE,MAAM,EACX,YAAY,SAAS,GACpB,qBAAqB,GAAG,IAAI,CAkB9B;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CAAC,IAAI,EAAE;IAC1C,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,IAAI,EAAE,qBAAqB,CAAC;IACrC,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;CAC5B,GAAG,OAAO,CAAC,eAAe,CAAC,CAoD3B"}
|
|
@@ -0,0 +1,238 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Identity-scheme migrator — carries a repo's baseline + allowlist across
|
|
4
|
+
* a finding-identity scheme change so an upgrade is a single command
|
|
5
|
+
* instead of a manual re-baseline + re-allowlist.
|
|
6
|
+
*
|
|
7
|
+
* The mechanism rests on two properties:
|
|
8
|
+
*
|
|
9
|
+
* 1. `identityFor` can compute ANY shipped scheme (see
|
|
10
|
+
* `finding-identity.ts`), so for each current finding we can derive
|
|
11
|
+
* both its OLD-scheme id and its NEW-scheme id.
|
|
12
|
+
* 2. A current scan's baseline entries already carry the NEW (current)
|
|
13
|
+
* scheme id; recomputing the OLD id from each entry's metadata yields
|
|
14
|
+
* an `old → new` remap built from one scan, with no dependency on the
|
|
15
|
+
* stale artifact's stored ids.
|
|
16
|
+
*
|
|
17
|
+
* From that remap we:
|
|
18
|
+
* - rewrite the allowlist's `fingerprint`s onto the new scheme
|
|
19
|
+
* (preserving every reviewed suppression decision), and
|
|
20
|
+
* - regenerate the baseline with fresh new-scheme ids.
|
|
21
|
+
*
|
|
22
|
+
* Allowlist entries whose fingerprint matches neither the remap NOR a
|
|
23
|
+
* current finding's id are surfaced as `unmapped` (the finding they
|
|
24
|
+
* suppressed is gone — already-stale entries), never silently dropped.
|
|
25
|
+
*
|
|
26
|
+
* This is general across schemes: only the version-VARYING finding kinds
|
|
27
|
+
* change id between two schemes (everything else maps to itself and is
|
|
28
|
+
* left untouched), and `identityFor` + the retained prior-scheme id
|
|
29
|
+
* functions handle any `from → to` pair. A future scheme needs no new
|
|
30
|
+
* wiring here.
|
|
31
|
+
*/
|
|
32
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
33
|
+
if (k2 === undefined) k2 = k;
|
|
34
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
35
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
36
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
37
|
+
}
|
|
38
|
+
Object.defineProperty(o, k2, desc);
|
|
39
|
+
}) : (function(o, m, k, k2) {
|
|
40
|
+
if (k2 === undefined) k2 = k;
|
|
41
|
+
o[k2] = m[k];
|
|
42
|
+
}));
|
|
43
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
44
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
45
|
+
}) : function(o, v) {
|
|
46
|
+
o["default"] = v;
|
|
47
|
+
});
|
|
48
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
49
|
+
var ownKeys = function(o) {
|
|
50
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
51
|
+
var ar = [];
|
|
52
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
53
|
+
return ar;
|
|
54
|
+
};
|
|
55
|
+
return ownKeys(o);
|
|
56
|
+
};
|
|
57
|
+
return function (mod) {
|
|
58
|
+
if (mod && mod.__esModule) return mod;
|
|
59
|
+
var result = {};
|
|
60
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
61
|
+
__setModuleDefault(result, mod);
|
|
62
|
+
return result;
|
|
63
|
+
};
|
|
64
|
+
})();
|
|
65
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
66
|
+
exports.baselineEntryToIdentityInput = baselineEntryToIdentityInput;
|
|
67
|
+
exports.buildIdentityRemap = buildIdentityRemap;
|
|
68
|
+
exports.detectStaleScheme = detectStaleScheme;
|
|
69
|
+
exports.migrateIdentity = migrateIdentity;
|
|
70
|
+
const fs = __importStar(require("fs"));
|
|
71
|
+
const create_1 = require("./create");
|
|
72
|
+
const baseline_file_1 = require("./baseline-file");
|
|
73
|
+
const finding_identity_1 = require("./finding-identity");
|
|
74
|
+
const sanitize_1 = require("./sanitize");
|
|
75
|
+
const types_1 = require("./types");
|
|
76
|
+
const file_1 = require("../allowlist/file");
|
|
77
|
+
/**
|
|
78
|
+
* Reconstruct the `IdentityInput` a baseline entry was minted from, so its
|
|
79
|
+
* id can be recomputed under a different scheme. Fidelity is sufficient to
|
|
80
|
+
* reproduce any scheme's id: `contentAnchor` is intentionally omitted —
|
|
81
|
+
* only the v2 code/secret path consumes it, and an entry's stored `id`
|
|
82
|
+
* already IS its current-scheme id (we never recompute the current id, only
|
|
83
|
+
* the prior one, which no scheme derives from the anchor). Returns
|
|
84
|
+
* `undefined` for sanitized entries (identity-only, no metadata).
|
|
85
|
+
*/
|
|
86
|
+
function baselineEntryToIdentityInput(entry) {
|
|
87
|
+
if ((0, sanitize_1.isSanitized)(entry))
|
|
88
|
+
return undefined;
|
|
89
|
+
const e = entry;
|
|
90
|
+
switch (e.kind) {
|
|
91
|
+
case 'secret':
|
|
92
|
+
case 'code':
|
|
93
|
+
case 'config':
|
|
94
|
+
return { kind: e.kind, tool: e.tool, rule: e.rule, file: e.file, line: e.line };
|
|
95
|
+
case 'dep-vuln':
|
|
96
|
+
return {
|
|
97
|
+
kind: 'dep-vuln',
|
|
98
|
+
package: e.package,
|
|
99
|
+
installedVersion: e.installedVersion,
|
|
100
|
+
id: e.advisoryId,
|
|
101
|
+
};
|
|
102
|
+
case 'duplication':
|
|
103
|
+
return {
|
|
104
|
+
kind: 'duplication',
|
|
105
|
+
fileA: e.fileA,
|
|
106
|
+
fileB: e.fileB,
|
|
107
|
+
lines: e.lines,
|
|
108
|
+
startLineA: e.startLineA,
|
|
109
|
+
startLineB: e.startLineB,
|
|
110
|
+
};
|
|
111
|
+
case 'coverage-gap':
|
|
112
|
+
return { kind: 'coverage-gap', file: e.file, symbol: e.symbol, lineRange: e.lineRange };
|
|
113
|
+
case 'test-gap':
|
|
114
|
+
return { kind: 'test-gap', file: e.file, risk: e.risk };
|
|
115
|
+
case 'hygiene':
|
|
116
|
+
return { kind: 'hygiene', file: e.file, line: e.line, marker: e.marker };
|
|
117
|
+
case 'test-file-degradation':
|
|
118
|
+
return { kind: 'test-file-degradation', file: e.file, status: e.status };
|
|
119
|
+
case 'god-file':
|
|
120
|
+
return { kind: 'god-file', file: e.file };
|
|
121
|
+
case 'stale-file':
|
|
122
|
+
return { kind: 'stale-file', file: e.file, suffix: e.suffix };
|
|
123
|
+
case 'large-file':
|
|
124
|
+
return { kind: 'large-file', file: e.file };
|
|
125
|
+
case 'secret-hmac':
|
|
126
|
+
return { kind: 'secret-hmac', tool: e.tool, rule: e.rule, hmac: e.hmac };
|
|
127
|
+
case 'stale-allow':
|
|
128
|
+
return { kind: 'stale-allow', file: e.file, line: e.line, category: e.category };
|
|
129
|
+
}
|
|
130
|
+
}
|
|
131
|
+
/**
|
|
132
|
+
* Build an `old → new` id remap from a current scan's entries. Each
|
|
133
|
+
* entry's own `id` is the new (current) scheme id; the old id is
|
|
134
|
+
* recomputed from its reconstructed input. Only ids that actually change
|
|
135
|
+
* between the two schemes enter the map — version-independent kinds map to
|
|
136
|
+
* themselves and are skipped. Pure.
|
|
137
|
+
*/
|
|
138
|
+
function buildIdentityRemap(entries, from) {
|
|
139
|
+
const remap = new Map();
|
|
140
|
+
for (const entry of entries) {
|
|
141
|
+
const input = baselineEntryToIdentityInput(entry);
|
|
142
|
+
if (!input)
|
|
143
|
+
continue;
|
|
144
|
+
// The migrator legitimately recomputes a prior-scheme id to build the
|
|
145
|
+
// remap — it consumes identity, it doesn't mint a new finding kind.
|
|
146
|
+
const fromId = (0, finding_identity_1.identityFor)(input, from); // rule10-producer-ok
|
|
147
|
+
if (fromId !== entry.id)
|
|
148
|
+
remap.set(fromId, entry.id);
|
|
149
|
+
}
|
|
150
|
+
return remap;
|
|
151
|
+
}
|
|
152
|
+
/**
|
|
153
|
+
* Detect whether a repo's committed artifacts (baseline + allowlist) were
|
|
154
|
+
* written under an OLDER identity scheme than the current one, returning
|
|
155
|
+
* the scheme to migrate FROM (today only `'v1'`), or `null` when
|
|
156
|
+
* everything is already current / there's nothing to migrate. A
|
|
157
|
+
* lightweight probe — reads the stamped `identityScheme` (absent ⇒ `'v1'`)
|
|
158
|
+
* without re-scanning. Used by `vyuh-dxkit update` to decide whether to
|
|
159
|
+
* run the migrator after an upgrade.
|
|
160
|
+
*/
|
|
161
|
+
function detectStaleScheme(cwd, baselineName = 'main') {
|
|
162
|
+
const found = new Set();
|
|
163
|
+
const blPath = (0, baseline_file_1.pathForBaseline)(cwd, baselineName);
|
|
164
|
+
if (fs.existsSync(blPath)) {
|
|
165
|
+
try {
|
|
166
|
+
const raw = JSON.parse(fs.readFileSync(blPath, 'utf8'));
|
|
167
|
+
found.add(raw.identityScheme ?? 'v1');
|
|
168
|
+
}
|
|
169
|
+
catch {
|
|
170
|
+
/* unreadable baseline — leave migration to an explicit re-baseline */
|
|
171
|
+
}
|
|
172
|
+
}
|
|
173
|
+
const allowlist = (0, file_1.loadAllowlist)(cwd);
|
|
174
|
+
if (allowlist && allowlist.entries.length > 0)
|
|
175
|
+
found.add(allowlist.identityScheme ?? 'v1');
|
|
176
|
+
if (found.has('v1') && types_1.CURRENT_IDENTITY_SCHEME !== 'v1')
|
|
177
|
+
return 'v1';
|
|
178
|
+
return null;
|
|
179
|
+
}
|
|
180
|
+
/**
|
|
181
|
+
* Migrate a repo's baseline + allowlist from `from` scheme to the current
|
|
182
|
+
* scheme: one scan, rewrite the allowlist through the remap, regenerate
|
|
183
|
+
* the baseline (only if one exists). Idempotent in spirit — running it
|
|
184
|
+
* when already current produces an empty remap and a re-stamped baseline.
|
|
185
|
+
* Returns a summary the caller renders.
|
|
186
|
+
*/
|
|
187
|
+
async function migrateIdentity(opts) {
|
|
188
|
+
const { cwd } = opts;
|
|
189
|
+
const to = types_1.CURRENT_IDENTITY_SCHEME;
|
|
190
|
+
// One scan: entries carry the new-scheme ids; the remap recomputes the
|
|
191
|
+
// old id per entry.
|
|
192
|
+
const scan = await (0, create_1.gatherCurrentScan)({ cwd, verbose: opts.verbose });
|
|
193
|
+
const remap = buildIdentityRemap(scan.findings, opts.from);
|
|
194
|
+
const currentIds = new Set(scan.findings.map((f) => f.id));
|
|
195
|
+
// Rewrite the allowlist, preserving reviewed decisions.
|
|
196
|
+
const allowlist = (0, file_1.loadAllowlist)(cwd);
|
|
197
|
+
let remapped = 0;
|
|
198
|
+
let unchanged = 0;
|
|
199
|
+
const unmapped = [];
|
|
200
|
+
if (allowlist) {
|
|
201
|
+
const entries = allowlist.entries.map((entry) => {
|
|
202
|
+
const next = remap.get(entry.fingerprint);
|
|
203
|
+
if (next !== undefined) {
|
|
204
|
+
remapped++;
|
|
205
|
+
return { ...entry, fingerprint: next };
|
|
206
|
+
}
|
|
207
|
+
// Not in the remap: either it already matches a current finding
|
|
208
|
+
// (version-independent kind / already current scheme) — leave it —
|
|
209
|
+
// or it matches nothing (the suppressed finding is gone) — flag it.
|
|
210
|
+
if (currentIds.has(entry.fingerprint))
|
|
211
|
+
unchanged++;
|
|
212
|
+
else
|
|
213
|
+
unmapped.push(entry);
|
|
214
|
+
return entry;
|
|
215
|
+
});
|
|
216
|
+
(0, file_1.saveAllowlist)(cwd, { ...allowlist, identityScheme: to, entries });
|
|
217
|
+
}
|
|
218
|
+
// Regenerate the baseline with fresh new-scheme ids + stamped scheme —
|
|
219
|
+
// but only if one already exists. A repo with no committed baseline
|
|
220
|
+
// (ref-based posture) shouldn't gain one as a side effect of migrating;
|
|
221
|
+
// its allowlist still gets remapped above.
|
|
222
|
+
const baselineName = opts.baselineName ?? 'main';
|
|
223
|
+
const hasBaseline = fs.existsSync((0, baseline_file_1.pathForBaseline)(cwd, baselineName));
|
|
224
|
+
const created = hasBaseline
|
|
225
|
+
? await (0, create_1.createBaseline)({ cwd, name: baselineName, force: true, verbose: opts.verbose })
|
|
226
|
+
: null;
|
|
227
|
+
return {
|
|
228
|
+
fromScheme: opts.from,
|
|
229
|
+
toScheme: to,
|
|
230
|
+
remapSize: remap.size,
|
|
231
|
+
allowlistTotal: allowlist?.entries.length ?? 0,
|
|
232
|
+
allowlistRemapped: remapped,
|
|
233
|
+
allowlistUnchanged: unchanged,
|
|
234
|
+
allowlistUnmapped: unmapped,
|
|
235
|
+
baselinePath: created?.path ?? null,
|
|
236
|
+
};
|
|
237
|
+
}
|
|
238
|
+
//# sourceMappingURL=migrate.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"migrate.js","sourceRoot":"","sources":["../../src/baseline/migrate.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+CH,oEA2CC;AASD,gDAcC;AAWD,8CAqBC;AASD,0CAyDC;AAjND,uCAAyB;AACzB,qCAA6D;AAC7D,mDAAkD;AAClD,yDAAiD;AACjD,yCAAyC;AACzC,mCAAkD;AAOlD,4CAAiE;AAwBjE;;;;;;;;GAQG;AACH,SAAgB,4BAA4B,CAAC,KAAoB;IAC/D,IAAI,IAAA,sBAAW,EAAC,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IACzC,MAAM,CAAC,GAAG,KAA0B,CAAC;IACrC,QAAQ,CAAC,CAAC,IAAI,EAAE,CAAC;QACf,KAAK,QAAQ,CAAC;QACd,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ;YACX,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAClF,KAAK,UAAU;YACb,OAAO;gBACL,IAAI,EAAE,UAAU;gBAChB,OAAO,EAAE,CAAC,CAAC,OAAO;gBAClB,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;gBACpC,EAAE,EAAE,CAAC,CAAC,UAAU;aACjB,CAAC;QACJ,KAAK,aAAa;YAChB,OAAO;gBACL,IAAI,EAAE,aAAa;gBACnB,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,UAAU,EAAE,CAAC,CAAC,UAAU;gBACxB,UAAU,EAAE,CAAC,CAAC,UAAU;aACzB,CAAC;QACJ,KAAK,cAAc;YACjB,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC;QAC1F,KAAK,UAAU;YACb,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC1D,KAAK,SAAS;YACZ,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;QAC3E,KAAK,uBAAuB;YAC1B,OAAO,EAAE,IAAI,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;QAC3E,KAAK,UAAU;YACb,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5C,KAAK,YAAY;YACf,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;QAChE,KAAK,YAAY;YACf,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC9C,KAAK,aAAa;YAChB,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3E,KAAK,aAAa;YAChB,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;IACrF,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,kBAAkB,CAChC,OAAqC,EACrC,IAA2B;IAE3B,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,4BAA4B,CAAC,KAAK,CAAC,CAAC;QAClD,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,sEAAsE;QACtE,oEAAoE;QACpE,MAAM,MAAM,GAAG,IAAA,8BAAW,EAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,qBAAqB;QAC9D,IAAI,MAAM,KAAK,KAAK,CAAC,EAAE;YAAE,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC;IACvD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;GAQG;AACH,SAAgB,iBAAiB,CAC/B,GAAW,EACX,YAAY,GAAG,MAAM;IAErB,MAAM,KAAK,GAAG,IAAI,GAAG,EAAyB,CAAC;IAC/C,MAAM,MAAM,GAAG,IAAA,+BAAe,EAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAClD,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,MAAM,EAAE,MAAM,CAAC,CAErD,CAAC;YACF,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,cAAc,IAAI,IAAI,CAAC,CAAC;QACxC,CAAC;QAAC,MAAM,CAAC;YACP,sEAAsE;QACxE,CAAC;IACH,CAAC;IACD,MAAM,SAAS,GAAG,IAAA,oBAAa,EAAC,GAAG,CAAC,CAAC;IACrC,IAAI,SAAS,IAAI,SAAS,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,cAAc,IAAI,IAAI,CAAC,CAAC;IAE3F,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,+BAAuB,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACrE,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,eAAe,CAAC,IAKrC;IACC,MAAM,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IACrB,MAAM,EAAE,GAAG,+BAAuB,CAAC;IAEnC,uEAAuE;IACvE,oBAAoB;IACpB,MAAM,IAAI,GAAG,MAAM,IAAA,0BAAiB,EAAC,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IACrE,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3D,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAE3D,wDAAwD;IACxD,MAAM,SAAS,GAAG,IAAA,oBAAa,EAAC,GAAG,CAAC,CAAC;IACrC,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;YAC9C,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;YAC1C,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvB,QAAQ,EAAE,CAAC;gBACX,OAAO,EAAE,GAAG,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;YACzC,CAAC;YACD,gEAAgE;YAChE,mEAAmE;YACnE,oEAAoE;YACpE,IAAI,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC;gBAAE,SAAS,EAAE,CAAC;;gBAC9C,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC1B,OAAO,KAAK,CAAC;QACf,CAAC,CAAC,CAAC;QACH,IAAA,oBAAa,EAAC,GAAG,EAAE,EAAE,GAAG,SAAS,EAAE,cAAc,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,uEAAuE;IACvE,oEAAoE;IACpE,wEAAwE;IACxE,2CAA2C;IAC3C,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,MAAM,CAAC;IACjD,MAAM,WAAW,GAAG,EAAE,CAAC,UAAU,CAAC,IAAA,+BAAe,EAAC,GAAG,EAAE,YAAY,CAAC,CAAC,CAAC;IACtE,MAAM,OAAO,GAAG,WAAW;QACzB,CAAC,CAAC,MAAM,IAAA,uBAAc,EAAC,EAAE,GAAG,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC;QACvF,CAAC,CAAC,IAAI,CAAC;IAET,OAAO;QACL,UAAU,EAAE,IAAI,CAAC,IAAI;QACrB,QAAQ,EAAE,EAAE;QACZ,SAAS,EAAE,KAAK,CAAC,IAAI;QACrB,cAAc,EAAE,SAAS,EAAE,OAAO,CAAC,MAAM,IAAI,CAAC;QAC9C,iBAAiB,EAAE,QAAQ;QAC3B,kBAAkB,EAAE,SAAS;QAC7B,iBAAiB,EAAE,QAAQ;QAC3B,YAAY,EAAE,OAAO,EAAE,IAAI,IAAI,IAAI;KACpC,CAAC;AACJ,CAAC"}
|
|
@@ -11,10 +11,10 @@
|
|
|
11
11
|
* Four `BaselineEntry` kinds are derived here, matching the four
|
|
12
12
|
* categories the aggregator emits:
|
|
13
13
|
*
|
|
14
|
-
*
|
|
15
|
-
*
|
|
16
|
-
*
|
|
17
|
-
*
|
|
14
|
+
* - `findingsByCategory.secret` → kind: 'secret'
|
|
15
|
+
* - `findingsByCategory.code` → kind: 'code'
|
|
16
|
+
* - `findingsByCategory.config` → kind: 'config'
|
|
17
|
+
* - `findingsByCategory.dependency`→ kind: 'dep-vuln'
|
|
18
18
|
*
|
|
19
19
|
* The location-based `secret` entries are sufficient for tracking a
|
|
20
20
|
* secret that stays in the same file. The companion `secret-hmac`
|
|
@@ -41,13 +41,13 @@ import type { SecurityAggregate } from '../../analyzers/security/aggregator';
|
|
|
41
41
|
import type { RichBaselineEntry } from '../types';
|
|
42
42
|
export interface SecurityProducerOptions {
|
|
43
43
|
/** Repo path; used by `computeContentHashFromCommit` to invoke
|
|
44
|
-
*
|
|
44
|
+
* `git show`. Omitting it disables content-hash stamping. */
|
|
45
45
|
readonly cwd?: string;
|
|
46
46
|
/** Commit SHA the baseline is anchored to. When the working tree
|
|
47
|
-
*
|
|
48
|
-
*
|
|
49
|
-
*
|
|
50
|
-
*
|
|
47
|
+
* has uncommitted changes, callers may pass `'HEAD'` so the hash
|
|
48
|
+
* reflects committed state — content-hash matching against a
|
|
49
|
+
* later run will still work as long as both sides read the same
|
|
50
|
+
* SHA. */
|
|
51
51
|
readonly commitSha?: string;
|
|
52
52
|
}
|
|
53
53
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qCAAqC,CAAC;AAE7E,OAAO,KAAK,EACV,iBAAiB,EAKlB,MAAM,UAAU,CAAC;AAElB,MAAM,WAAW,uBAAuB;IACtC;
|
|
1
|
+
{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qCAAqC,CAAC;AAE7E,OAAO,KAAK,EACV,iBAAiB,EAKlB,MAAM,UAAU,CAAC;AAElB,MAAM,WAAW,uBAAuB;IACtC;iEAC6D;IAC7D,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB;;;;cAIU;IACV,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;;GAIG;AACH,wBAAgB,kCAAkC,CAChD,SAAS,EAAE,iBAAiB,EAC5B,OAAO,GAAE,uBAA4B,GACpC,iBAAiB,EAAE,CA6GrB"}
|
|
@@ -12,10 +12,10 @@
|
|
|
12
12
|
* Four `BaselineEntry` kinds are derived here, matching the four
|
|
13
13
|
* categories the aggregator emits:
|
|
14
14
|
*
|
|
15
|
-
*
|
|
16
|
-
*
|
|
17
|
-
*
|
|
18
|
-
*
|
|
15
|
+
* - `findingsByCategory.secret` → kind: 'secret'
|
|
16
|
+
* - `findingsByCategory.code` → kind: 'code'
|
|
17
|
+
* - `findingsByCategory.config` → kind: 'config'
|
|
18
|
+
* - `findingsByCategory.dependency`→ kind: 'dep-vuln'
|
|
19
19
|
*
|
|
20
20
|
* The location-based `secret` entries are sufficient for tracking a
|
|
21
21
|
* secret that stays in the same file. The companion `secret-hmac`
|
|
@@ -62,6 +62,10 @@ function securityAggregateToBaselineEntries(aggregate, options = {}) {
|
|
|
62
62
|
rule: f.rule,
|
|
63
63
|
file: f.file,
|
|
64
64
|
line: f.line,
|
|
65
|
+
// Content-anchored identity: the aggregator stamped the final content anchor (secret HMAC)
|
|
66
|
+
// on the finding; pass it so identityFor recomputes the SAME id the
|
|
67
|
+
// finding carries. Absent → identityFor falls back to the line hash.
|
|
68
|
+
...(f.contentAnchor !== undefined ? { contentAnchor: f.contentAnchor } : {}),
|
|
65
69
|
};
|
|
66
70
|
const contentHash = stamp(f.file, f.line);
|
|
67
71
|
out.push({
|
|
@@ -84,6 +88,9 @@ function securityAggregateToBaselineEntries(aggregate, options = {}) {
|
|
|
84
88
|
rule: f.rule,
|
|
85
89
|
file: f.file,
|
|
86
90
|
line: f.line,
|
|
91
|
+
// Content-anchored identity: the (scope, spanHash, ordinal) content anchor the aggregator
|
|
92
|
+
// built; passing it reproduces the finding's content fingerprint.
|
|
93
|
+
...(f.contentAnchor !== undefined ? { contentAnchor: f.contentAnchor } : {}),
|
|
87
94
|
};
|
|
88
95
|
const contentHash = stamp(f.file, f.line);
|
|
89
96
|
out.push({
|
|
@@ -106,6 +113,10 @@ function securityAggregateToBaselineEntries(aggregate, options = {}) {
|
|
|
106
113
|
rule: f.rule,
|
|
107
114
|
file: f.file,
|
|
108
115
|
line: f.line,
|
|
116
|
+
// Content-anchored identity: config (.env-in-git, whole-file at line 0) stays on the
|
|
117
|
+
// line-stable path — the aggregator leaves its anchor unset — so this
|
|
118
|
+
// is normally undefined and identity is unchanged from v1.
|
|
119
|
+
...(f.contentAnchor !== undefined ? { contentAnchor: f.contentAnchor } : {}),
|
|
109
120
|
};
|
|
110
121
|
// Whole-file findings (`.env in git`) carry line 0; content-hash
|
|
111
122
|
// is meaningless for them and `stamp` returns undefined.
|
|
@@ -129,6 +140,7 @@ function securityAggregateToBaselineEntries(aggregate, options = {}) {
|
|
|
129
140
|
package: f.package,
|
|
130
141
|
installedVersion: f.installedVersion,
|
|
131
142
|
id: f.id,
|
|
143
|
+
...(f.aliases !== undefined ? { aliases: f.aliases } : {}),
|
|
132
144
|
};
|
|
133
145
|
const entry = {
|
|
134
146
|
id: (0, finding_identity_1.identityFor)(input),
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"security.js","sourceRoot":"","sources":["../../../src/baseline/producers/security.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;;AA8BH,
|
|
1
|
+
{"version":3,"file":"security.js","sourceRoot":"","sources":["../../../src/baseline/producers/security.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;;AA8BH,gFAgHC;AA5ID,kDAA+D;AAE/D,0DAAkD;AAqBlD;;;;GAIG;AACH,SAAgB,kCAAkC,CAChD,SAA4B,EAC5B,UAAmC,EAAE;IAErC,MAAM,GAAG,GAAwB,EAAE,CAAC;IACpC,MAAM,KAAK,GAAG,CAAC,IAAY,EAAE,IAAY,EAAsB,EAAE;QAC/D,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,IAAI,IAAI,CAAC;YAAE,OAAO,SAAS,CAAC;QACtE,MAAM,IAAI,GAAG,IAAA,2CAA4B,EAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QACtF,OAAO,IAAI,IAAI,SAAS,CAAC;IAC3B,CAAC,CAAC;IAEF,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;QACpD,MAAM,KAAK,GAAwB;YACjC,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,2FAA2F;YAC3F,oEAAoE;YACpE,qEAAqE;YACrE,GAAG,CAAC,CAAC,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7E,CAAC;QACF,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACrD,GAAG,CAAC,CAAC,CAAC,oBAAoB,IAAI,CAAC,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC;gBAC7D,CAAC,CAAC,EAAE,oBAAoB,EAAE,CAAC,CAAC,oBAAoB,EAAE;gBAClD,CAAC,CAAC,EAAE,CAAC;SACR,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;QAClD,MAAM,KAAK,GAAsB;YAC/B,IAAI,EAAE,MAAM;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,0FAA0F;YAC1F,kEAAkE;YAClE,GAAG,CAAC,CAAC,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7E,CAAC;QACF,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,MAAM;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACrD,GAAG,CAAC,CAAC,CAAC,oBAAoB,IAAI,CAAC,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC;gBAC7D,CAAC,CAAC,EAAE,oBAAoB,EAAE,CAAC,CAAC,oBAAoB,EAAE;gBAClD,CAAC,CAAC,EAAE,CAAC;SACR,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;QACpD,MAAM,KAAK,GAAwB;YACjC,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,qFAAqF;YACrF,sEAAsE;YACtE,2DAA2D;YAC3D,GAAG,CAAC,CAAC,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7E,CAAC;QACF,iEAAiE;QACjE,yDAAyD;QACzD,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACrD,GAAG,CAAC,CAAC,CAAC,oBAAoB,IAAI,CAAC,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC;gBAC7D,CAAC,CAAC,EAAE,oBAAoB,EAAE,CAAC,CAAC,oBAAoB,EAAE;gBAClD,CAAC,CAAC,EAAE,CAAC;SACR,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC;QACxD,MAAM,KAAK,GAAyB;YAClC,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;YACpC,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,GAAG,CAAC,CAAC,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC3D,CAAC;QACF,MAAM,KAAK,GAAsB;YAC/B,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,UAAU,EAAE,CAAC,CAAC,EAAE;YAChB,GAAG,CAAC,CAAC,CAAC,gBAAgB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,CAAC,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtF,CAAC;QACF,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}
|