npm - @zigrivers/scaffold - Versions diffs - 3.28.0 → 3.30.0 - Mend

@zigrivers/scaffold 3.28.0 → 3.30.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (721) hide show

package/dist/knowledge-freshness/source-url-validator.js ADDED Viewed

@@ -0,0 +1,304 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import net from 'node:net';
+import yaml from 'js-yaml';
+/**
+ * Reject URLs that could be used for SSRF from the operator's machine or CI.
+ *
+ * Knowledge entries (including project-local overrides under
+ * `.scaffold/knowledge/`) are author-controlled markdown. Without a guard, a
+ * malicious merged source entry could direct `fetchAndHash` (used by both
+ * prefilter and audit-apply) or the audit meta-prompt's `WebFetch` at
+ * localhost, link-local, private RFC1918, or `file://` URLs and exfiltrate
+ * data from internal services.
+ *
+ * This guard runs at TWO points:
+ *   1. inside `fetchAndHash` — covers prefilter and apply on the operator side
+ *     (every redirect hop is re-validated; see `fetchAndHash`)
+ *   2. inside `runEntryAudit` — covers the meta-prompt's WebFetch call before
+ *      the URL ever reaches the `claude -p` subprocess
+ *
+ * Round-3 F-001; round-4 F-001 hardens the IPv6 and IPv4-mapped paths.
+ */
+// Named-host blocklist (regexes operate on the lowercased un-bracketed host).
+// IPv4 numeric ranges are handled by isBlockedIPv4 below using octet math —
+// regex matching can't fully express CGNAT / benchmark / multicast / reserved.
+const BLOCKED_HOST_PATTERNS = [
+    /^localhost$/i,
+];
+/**
+ * Parse a dotted-quad IPv4 string to its four octets. Returns null if it
+ * isn't a valid IPv4 literal.
+ */
+function parseIPv4(addr) {
+    const parts = addr.split('.');
+    if (parts.length !== 4)
+        return null;
+    const out = [];
+    for (const p of parts) {
+        if (!/^\d{1,3}$/.test(p))
+            return null;
+        const n = Number(p);
+        if (n < 0 || n > 255)
+            return null;
+        out.push(n);
+    }
+    return [out[0], out[1], out[2], out[3]];
+}
+/**
+ * Return true if a dotted-quad IPv4 string is NOT globally routable
+ * (round-9 F-001). Covers every IANA-reserved IPv4 range, not just RFC1918.
+ * The validator now allowlists "is public?" rather than blocklisting a
+ * named-range set, so future spec additions (e.g. a new reserved block) don't
+ * silently slip past until someone notices.
+ *
+ * Ranges blocked:
+ *   0.0.0.0/8         this network / unspecified
+ *   10.0.0.0/8        private RFC1918
+ *   100.64.0.0/10     CGNAT (RFC6598)
+ *   127.0.0.0/8       loopback
+ *   169.254.0.0/16    link-local
+ *   172.16.0.0/12     private RFC1918
+ *   192.0.0.0/24      IETF protocol assignments
+ *   192.0.2.0/24      TEST-NET-1
+ *   192.88.99.0/24    6to4 relay anycast (deprecated)
+ *   192.168.0.0/16    private RFC1918
+ *   198.18.0.0/15     benchmark
+ *   198.51.100.0/24   TEST-NET-2
+ *   203.0.113.0/24    TEST-NET-3
+ *   224.0.0.0/4       multicast
+ *   240.0.0.0/4       reserved (incl. 255.255.255.255 broadcast)
+ */
+function isBlockedIPv4(addr) {
+    const octets = parseIPv4(addr);
+    if (!octets)
+        return false;
+    const [a, b] = octets;
+    if (a === 0)
+        return true; // 0.0.0.0/8
+    if (a === 10)
+        return true; // 10.0.0.0/8
+    if (a === 100 && b >= 64 && b <= 127)
+        return true; // 100.64.0.0/10
+    if (a === 127)
+        return true; // 127.0.0.0/8
+    if (a === 169 && b === 254)
+        return true; // 169.254.0.0/16
+    if (a === 172 && b >= 16 && b <= 31)
+        return true; // 172.16.0.0/12
+    if (a === 192 && b === 0 && octets[2] === 0)
+        return true; // 192.0.0.0/24
+    if (a === 192 && b === 0 && octets[2] === 2)
+        return true; // 192.0.2.0/24
+    if (a === 192 && b === 88 && octets[2] === 99)
+        return true; // 192.88.99.0/24
+    if (a === 192 && b === 168)
+        return true; // 192.168.0.0/16
+    if (a === 198 && (b === 18 || b === 19))
+        return true; // 198.18.0.0/15
+    if (a === 198 && b === 51 && octets[2] === 100)
+        return true; // 198.51.100.0/24
+    if (a === 203 && b === 0 && octets[2] === 113)
+        return true; // 203.0.113.0/24
+    if (a >= 224 && a <= 239)
+        return true; // 224.0.0.0/4
+    if (a >= 240)
+        return true; // 240.0.0.0/4 + 255.255.255.255
+    return false;
+}
+/**
+ * Block IPv6 loopback / link-local / unique-local / IPv4-mapped private.
+ * `addr` is the un-bracketed hostname.
+ */
+/**
+ * Comprehensive IPv6 non-global classifier (round-9 F-001 expansion).
+ *
+ * Blocks:
+ *   ::             unspecified
+ *   ::1            loopback
+ *   ::ffff:0:0/96  IPv4-mapped (covers both dotted and hex forms; legitimate
+ *                  public servers don't expose endpoints via this range)
+ *   100::/64       discard prefix
+ *   2001::/23      IETF protocol assignments (Teredo, ORCHIDv2)
+ *   2001:db8::/32  documentation
+ *   2002::/16      6to4 anycast (deprecated)
+ *   fc00::/7       unique local (fc.. and fd..)
+ *   fe80::/10      link-local
+ *   fec0::/10      site-local (deprecated)
+ *   ff00::/8       multicast
+ */
+function isBlockedIPv6(addr) {
+    const lower = addr.toLowerCase();
+    if (lower === '::' || lower === '::1')
+        return true;
+    if (/^::ffff:/.test(lower))
+        return true; // IPv4-mapped
+    if (/^100:0?:0?:0?:/.test(lower) || lower.startsWith('100::'))
+        return true; // discard 100::/64
+    // 2001::/23 — first 23 bits are 0010 0000 0000 0001 0000 000 → "2001:0" .. "2001:1"
+    if (/^2001:[01]\w{0,2}:/.test(lower))
+        return true;
+    if (/^2001:0?db8:/.test(lower) || lower.startsWith('2001:db8:'))
+        return true; // documentation
+    if (/^2002:/.test(lower))
+        return true; // 6to4 anycast
+    if (/^f[cd]\w*:/.test(lower))
+        return true; // fc00::/7 ULA
+    if (/^fe[89ab]\w*:/.test(lower))
+        return true; // fe80::/10 link-local
+    if (/^fec[0-9a-f]:/.test(lower))
+        return true; // fec0::/10 site-local
+    if (/^ff/.test(lower))
+        return true; // ff00::/8 multicast
+    return false;
+}
+export function validateSourceUrl(raw) {
+    let url;
+    try {
+        url = new URL(raw);
+    }
+    catch {
+        return { ok: false, reason: `not a parseable URL: "${raw}"` };
+    }
+    if (url.protocol !== 'http:' && url.protocol !== 'https:') {
+        return { ok: false, reason: `disallowed protocol "${url.protocol}" — only http(s) is permitted` };
+    }
+    // The URL parser may return an IPv6 host either bracketed ("[fd00::1]") or
+    // unbracketed depending on the Node/WHATWG version. Normalize before
+    // classifying so the same value paths both old and new behavior.
+    let host = url.hostname;
+    if (host.startsWith('[') && host.endsWith(']'))
+        host = host.slice(1, -1);
+    host = host.toLowerCase();
+    const ipKind = net.isIP(host); // 0 = not an IP literal, 4 = IPv4, 6 = IPv6
+    if (ipKind === 4) {
+        if (isBlockedIPv4(host)) {
+            return { ok: false, reason: `blocked IPv4 host "${host}" (private/loopback/link-local)` };
+        }
+        return { ok: true, url };
+    }
+    if (ipKind === 6) {
+        if (isBlockedIPv6(host)) {
+            return { ok: false, reason: `blocked IPv6 host "${host}" (loopback/link-local/ULA/v4-mapped private)` };
+        }
+        return { ok: true, url };
+    }
+    // Non-IP hostname: match the named-pattern blocklist (e.g. "localhost").
+    // The IPv4 regex set also runs here so a hostname that happens to look
+    // like a dotted quad (unusual but legal) is caught.
+    for (const pat of BLOCKED_HOST_PATTERNS) {
+        if (pat.test(host)) {
+            return { ok: false, reason: `blocked host "${host}" (matches SSRF guard pattern)` };
+        }
+    }
+    return { ok: true, url };
+}
+export const defaultResolver = async (host) => {
+    // Use `dns.lookup(..., { all: true })` rather than `resolve4`/`resolve6`
+    // (round-6 F-002). `lookup()` consults the SAME path that `fetch()` will
+    // use — system resolver, /etc/hosts, NSS — so a hostname that routes via
+    // /etc/hosts to 127.0.0.1 surfaces here, not just in true DNS.
+    const dns = await import('node:dns');
+    try {
+        const results = await dns.promises.lookup(host, { all: true });
+        return results.map((r) => r.address);
+    }
+    catch {
+        return [];
+    }
+};
+export async function assertSafeSourceUrlWithDns(raw, resolver = defaultResolver) {
+    const url = assertSafeSourceUrl(raw);
+    let host = url.hostname;
+    if (host.startsWith('[') && host.endsWith(']'))
+        host = host.slice(1, -1);
+    // For raw IP literals the sync guard already validated; return it as the
+    // only "resolved" IP so the caller pinning logic still has one address.
+    if (net.isIP(host) !== 0)
+        return { url, ips: [host] };
+    const ips = await resolver(host);
+    if (ips.length === 0) {
+        throw new Error(`[knowledge-freshness] DNS-rebinding guard: "${host}" has no resolvable address. ` +
+            'Refusing to fetch hosts with no A/AAAA records — silent passes would let typos or ' +
+            'placeholder URLs through CI gates.');
+    }
+    for (const ip of ips) {
+        const kind = net.isIP(ip);
+        if (kind === 4 && isBlockedIPv4(ip)) {
+            throw new Error(`[knowledge-freshness] DNS-rebinding guard: "${host}" resolves to blocked IPv4 ${ip}. ` +
+                'Source URLs that route to private networks are rejected even if the hostname looks public.');
+        }
+        if (kind === 6 && isBlockedIPv6(ip)) {
+            throw new Error(`[knowledge-freshness] DNS-rebinding guard: "${host}" resolves to blocked IPv6 ${ip}. ` +
+                'Source URLs that route to private networks are rejected even if the hostname looks public.');
+        }
+    }
+    return { url, ips };
+}
+/**
+ * Throws if the URL would route to a restricted target. Use at every external
+ * fetch boundary; the helper is intentionally identical for prefilter, apply,
+ * and meta-prompt dispatch so one guard covers all three callsites.
+ */
+export function assertSafeSourceUrl(raw) {
+    const result = validateSourceUrl(raw);
+    if (!result.ok) {
+        throw new Error(`[knowledge-freshness] refusing to fetch source URL — ${result.reason}. ` +
+            'Source URLs in knowledge entries are author-controlled; the SSRF guard prevents ' +
+            'redirecting fetches at localhost / private / link-local / file targets.');
+    }
+    return result.url;
+}
+export function loadAuthoritativeAllowlist(projectRoot) {
+    const file = path.join(projectRoot, 'docs', 'knowledge-freshness', 'authoritative-sources.yaml');
+    if (!fs.existsSync(file))
+        return { hosts: [], github_repos: [] };
+    try {
+        const parsed = yaml.load(fs.readFileSync(file, 'utf8'), { schema: yaml.JSON_SCHEMA });
+        if (!parsed || typeof parsed !== 'object')
+            return { hosts: [], github_repos: [] };
+        return {
+            hosts: Array.isArray(parsed.hosts)
+                ? parsed.hosts.filter((s) => typeof s === 'string')
+                : [],
+            github_repos: Array.isArray(parsed.github_repos)
+                ? parsed.github_repos.filter((s) => typeof s === 'string')
+                : [],
+        };
+    }
+    catch {
+        return { hosts: [], github_repos: [] };
+    }
+}
+/**
+ * Returns true if `url`'s host (or github repo path) appears in the allowlist.
+ * Decision #4 (locked): off-allowlist sources warn, not block.
+ */
+export function isAllowlistedSource(url, allowlist) {
+    const host = url.hostname;
+    for (const entry of allowlist.hosts) {
+        // Hosts can be a bare hostname ("owasp.org") or a host+path prefix
+        // ("ietf.org/rfc"). Match the host strictly; if a path prefix is given,
+        // require the URL pathname to begin with that prefix.
+        const slash = entry.indexOf('/');
+        if (slash === -1) {
+            if (host === entry || host.endsWith('.' + entry))
+                return true;
+        }
+        else {
+            const h = entry.slice(0, slash);
+            const p = '/' + entry.slice(slash + 1);
+            if ((host === h || host.endsWith('.' + h)) && url.pathname.startsWith(p))
+                return true;
+        }
+    }
+    if (host === 'github.com' || host.endsWith('.github.com')) {
+        // GitHub allowlist matches by `<owner>/<repo>` path prefix.
+        for (const repo of allowlist.github_repos) {
+            if (url.pathname.startsWith('/' + repo))
+                return true;
+        }
+    }
+    return false;
+}
+//# sourceMappingURL=source-url-validator.js.map

package/dist/knowledge-freshness/source-url-validator.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"source-url-validator.js","sourceRoot":"","sources":["../../src/knowledge-freshness/source-url-validator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAA;AACxB,OAAO,IAAI,MAAM,WAAW,CAAA;AAC5B,OAAO,GAAG,MAAM,UAAU,CAAA;AAC1B,OAAO,IAAI,MAAM,SAAS,CAAA;AAE1B;;;;;;;;;;;;;;;;;GAiBG;AAEH,8EAA8E;AAC9E,4EAA4E;AAC5E,+EAA+E;AAC/E,MAAM,qBAAqB,GAAa;IACtC,cAAc;CACf,CAAA;AAED;;;GAGG;AACH,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IACnC,MAAM,GAAG,GAAa,EAAE,CAAA;IACxB,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,IAAI,CAAA;QACrC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAA;QACnB,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG;YAAE,OAAO,IAAI,CAAA;QACjC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACb,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;AACzC,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,SAAS,aAAa,CAAC,IAAY;IACjC,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;IAC9B,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IACzB,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAA;IACrB,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA,CAAqC,YAAY;IACzE,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,IAAI,CAAA,CAAoC,aAAa;IAC1E,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAA,CAAY,gBAAgB;IAC7E,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAA,CAAmC,cAAc;IAC3E,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAA,CAAsB,iBAAiB;IAC9E,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAA,CAAa,gBAAgB;IAC7E,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA,CAAK,eAAe;IAC5E,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA,CAAK,eAAe;IAC5E,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,EAAE,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,EAAE;QAAE,OAAO,IAAI,CAAA,CAAG,iBAAiB;IAC9E,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAA,CAAsB,iBAAiB;IAC9E,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;QAAE,OAAO,IAAI,CAAA,CAAS,gBAAgB;IAC7E,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,EAAE,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAA,CAAE,kBAAkB;IAC/E,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAA,CAAG,iBAAiB;IAC9E,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAA,CAAwB,cAAc;IAC3E,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAA,CAAoC,gCAAgC;IAC7F,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;GAGG;AACH;;;;;;;;;;;;;;;;GAgBG;AACH,SAAS,aAAa,CAAC,IAAY;IACjC,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAA;IAChC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,KAAK;QAAE,OAAO,IAAI,CAAA;IAClD,IAAI,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA,CAA0B,cAAc;IAC/E,IAAI,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAA,CAAE,mBAAmB;IAC/F,oFAAoF;IACpF,IAAI,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IACjD,IAAI,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAA,CAAC,gBAAgB;IAC7F,IAAI,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA,CAA4B,eAAe;IAChF,IAAI,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA,CAAwB,eAAe;IAChF,IAAI,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA,CAAqB,uBAAuB;IACxF,IAAI,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA,CAAqB,uBAAuB;IACxF,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA,CAA+B,qBAAqB;IACtF,OAAO,KAAK,CAAA;AACd,CAAC;AAID,MAAM,UAAU,iBAAiB,CAAC,GAAW;IAC3C,IAAI,GAAQ,CAAA;IACZ,IAAI,CAAC;QAAC,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;IAAC,CAAC;IAC1B,MAAM,CAAC;QACL,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,GAAG,GAAG,EAAE,CAAA;IAC/D,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,GAAG,CAAC,QAAQ,+BAA+B,EAAE,CAAA;IACnG,CAAC;IAED,2EAA2E;IAC3E,qEAAqE;IACrE,iEAAiE;IACjE,IAAI,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAA;IACvB,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IACxE,IAAI,GAAG,IAAI,CAAC,WAAW,EAAE,CAAA;IAEzB,MAAM,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA,CAAC,4CAA4C;IAC1E,IAAI,MAAM,KAAK,CAAC,EAAE,CAAC;QACjB,IAAI,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,IAAI,iCAAiC,EAAE,CAAA;QAC3F,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAA;IAC1B,CAAC;IACD,IAAI,MAAM,KAAK,CAAC,EAAE,CAAC;QACjB,IAAI,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,IAAI,+CAA+C,EAAE,CAAA;QACzG,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAA;IAC1B,CAAC;IAED,yEAAyE;IACzE,uEAAuE;IACvE,oDAAoD;IACpD,KAAK,MAAM,GAAG,IAAI,qBAAqB,EAAE,CAAC;QACxC,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACnB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,IAAI,gCAAgC,EAAE,CAAA;QACrF,CAAC;IACH,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAA;AAC1B,CAAC;AASD,MAAM,CAAC,MAAM,eAAe,GAAa,KAAK,EAAE,IAAI,EAAE,EAAE;IACtD,yEAAyE;IACzE,yEAAyE;IACzE,yEAAyE;IACzE,+DAA+D;IAC/D,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAA;IACpC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAA;QAC9D,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAA;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAA;IACX,CAAC;AACH,CAAC,CAAA;AAgBD,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,GAAW,EACX,WAAqB,eAAe;IAEpC,MAAM,GAAG,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAA;IACpC,IAAI,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAA;IACvB,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IACxE,yEAAyE;IACzE,wEAAwE;IACxE,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,CAAA;IACrD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAA;IAChC,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CACb,+CAA+C,IAAI,+BAA+B;YAClF,oFAAoF;YACpF,oCAAoC,CACrC,CAAA;IACH,CAAC;IACD,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;QACzB,IAAI,IAAI,KAAK,CAAC,IAAI,aAAa,CAAC,EAAE,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CACb,+CAA+C,IAAI,8BAA8B,EAAE,IAAI;gBACvF,4FAA4F,CAC7F,CAAA;QACH,CAAC;QACD,IAAI,IAAI,KAAK,CAAC,IAAI,aAAa,CAAC,EAAE,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CACb,+CAA+C,IAAI,8BAA8B,EAAE,IAAI;gBACvF,4FAA4F,CAC7F,CAAA;QACH,CAAC;IACH,CAAC;IACD,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,CAAA;AACrB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAW;IAC7C,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAA;IACrC,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,wDAAwD,MAAM,CAAC,MAAM,IAAI;YACzE,kFAAkF;YAClF,yEAAyE,CAC1E,CAAA;IACH,CAAC;IACD,OAAO,MAAM,CAAC,GAAG,CAAA;AACnB,CAAC;AAWD,MAAM,UAAU,0BAA0B,CAAC,WAAmB;IAC5D,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE,qBAAqB,EAAE,4BAA4B,CAAC,CAAA;IAChG,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,CAAA;IAChE,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,WAAW,EAAE,CACzD,CAAA;QAC3B,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;YAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,CAAA;QACjF,OAAO;YACL,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC;gBAChC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;gBAChE,CAAC,CAAC,EAAE;YACN,YAAY,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC;gBAC9C,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;gBACvE,CAAC,CAAC,EAAE;SACP,CAAA;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,CAAA;IACxC,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAQ,EAAE,SAAoB;IAChE,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAA;IACzB,KAAK,MAAM,KAAK,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC;QACpC,mEAAmE;QACnE,wEAAwE;QACxE,sDAAsD;QACtD,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAChC,IAAI,KAAK,KAAK,CAAC,CAAC,EAAE,CAAC;YACjB,IAAI,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,GAAG,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAA;QAC/D,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAA;YAC/B,MAAM,CAAC,GAAG,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAA;YACtC,IAAI,CAAC,IAAI,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;gBAAE,OAAO,IAAI,CAAA;QACvF,CAAC;IACH,CAAC;IACD,IAAI,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QAC1D,4DAA4D;QAC5D,KAAK,MAAM,IAAI,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC;YAC1C,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,GAAG,GAAG,IAAI,CAAC;gBAAE,OAAO,IAAI,CAAA;QACtD,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC"}

package/dist/knowledge-freshness/source-url-validator.test.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=source-url-validator.test.d.ts.map

package/dist/knowledge-freshness/source-url-validator.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"source-url-validator.test.d.ts","sourceRoot":"","sources":["../../src/knowledge-freshness/source-url-validator.test.ts"],"names":[],"mappings":""}

package/dist/knowledge-freshness/source-url-validator.test.js ADDED Viewed

@@ -0,0 +1,167 @@
+import { describe, it, expect } from 'vitest';
+import { validateSourceUrl, assertSafeSourceUrl, isAllowlistedSource, } from './source-url-validator.js';
+describe('validateSourceUrl', () => {
+    it('accepts public https URLs', () => {
+        const r = validateSourceUrl('https://owasp.org/Top10/');
+        expect(r.ok).toBe(true);
+    });
+    it('accepts public http URLs', () => {
+        const r = validateSourceUrl('http://example.com/x');
+        expect(r.ok).toBe(true);
+    });
+    it('rejects file:// URLs', () => {
+        const r = validateSourceUrl('file:///etc/passwd');
+        expect(r.ok).toBe(false);
+        if (!r.ok)
+            expect(r.reason).toMatch(/protocol/);
+    });
+    it('rejects localhost', () => {
+        const r = validateSourceUrl('http://localhost:8080/health');
+        expect(r.ok).toBe(false);
+    });
+    it('rejects 127.0.0.1', () => {
+        const r = validateSourceUrl('http://127.0.0.1/x');
+        expect(r.ok).toBe(false);
+    });
+    it('rejects 10.0.0.0/8 private', () => {
+        const r = validateSourceUrl('http://10.0.0.1/x');
+        expect(r.ok).toBe(false);
+    });
+    it('rejects 192.168.0.0/16 private', () => {
+        const r = validateSourceUrl('http://192.168.1.1/x');
+        expect(r.ok).toBe(false);
+    });
+    it('rejects 169.254.0.0/16 link-local', () => {
+        const r = validateSourceUrl('http://169.254.169.254/latest/meta-data/');
+        expect(r.ok).toBe(false);
+    });
+    it('rejects 172.16.0.0/12 private', () => {
+        const r = validateSourceUrl('http://172.20.0.1/x');
+        expect(r.ok).toBe(false);
+    });
+    it('accepts 8.8.8.8 (public IP)', () => {
+        const r = validateSourceUrl('http://8.8.8.8/');
+        expect(r.ok).toBe(true);
+    });
+    it('rejects unparseable URL', () => {
+        const r = validateSourceUrl('not a url');
+        expect(r.ok).toBe(false);
+    });
+    it('rejects ftp:// scheme', () => {
+        const r = validateSourceUrl('ftp://example.com/x');
+        expect(r.ok).toBe(false);
+    });
+    // Round-4 F-001: IPv6 hardening
+    it('rejects IPv6 loopback [::1]', () => {
+        expect(validateSourceUrl('http://[::1]/').ok).toBe(false);
+    });
+    it('rejects IPv6 link-local [fe80::1]', () => {
+        expect(validateSourceUrl('http://[fe80::1]/').ok).toBe(false);
+    });
+    it('rejects IPv6 ULA [fd00::1]', () => {
+        expect(validateSourceUrl('http://[fd00::1]/').ok).toBe(false);
+    });
+    it('rejects IPv6 ULA [fc00::1]', () => {
+        expect(validateSourceUrl('http://[fc00::1]/').ok).toBe(false);
+    });
+    it('rejects IPv4-mapped IPv6 loopback [::ffff:127.0.0.1]', () => {
+        expect(validateSourceUrl('http://[::ffff:127.0.0.1]/').ok).toBe(false);
+    });
+    it('rejects IPv4-mapped IPv6 private [::ffff:10.0.0.1]', () => {
+        expect(validateSourceUrl('http://[::ffff:10.0.0.1]/').ok).toBe(false);
+    });
+    it('rejects IPv4-mapped IPv6 link-local [::ffff:169.254.169.254]', () => {
+        expect(validateSourceUrl('http://[::ffff:169.254.169.254]/').ok).toBe(false);
+    });
+    it('accepts public IPv6 [2606:4700:4700::1111] (Cloudflare)', () => {
+        expect(validateSourceUrl('http://[2606:4700:4700::1111]/').ok).toBe(true);
+    });
+    it('rejects IPv6 unspecified [::]', () => {
+        expect(validateSourceUrl('http://[::]/').ok).toBe(false);
+    });
+    // Round-9 F-001: broader public-IP classifier
+    it('rejects CGNAT range (100.64.0.0/10)', () => {
+        expect(validateSourceUrl('http://100.64.0.1/').ok).toBe(false);
+        expect(validateSourceUrl('http://100.127.255.254/').ok).toBe(false);
+    });
+    it('accepts 100.63.x.x and 100.128.x.x (boundaries outside CGNAT)', () => {
+        expect(validateSourceUrl('http://100.63.0.1/').ok).toBe(true);
+        expect(validateSourceUrl('http://100.128.0.1/').ok).toBe(true);
+    });
+    it('rejects IPv4 benchmark range (198.18.0.0/15)', () => {
+        expect(validateSourceUrl('http://198.18.0.1/').ok).toBe(false);
+        expect(validateSourceUrl('http://198.19.255.254/').ok).toBe(false);
+    });
+    it('rejects IPv4 TEST-NET ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24)', () => {
+        expect(validateSourceUrl('http://192.0.2.1/').ok).toBe(false);
+        expect(validateSourceUrl('http://198.51.100.1/').ok).toBe(false);
+        expect(validateSourceUrl('http://203.0.113.1/').ok).toBe(false);
+    });
+    it('rejects IPv4 multicast (224.0.0.0/4) and reserved (240.0.0.0/4)', () => {
+        expect(validateSourceUrl('http://224.0.0.1/').ok).toBe(false);
+        expect(validateSourceUrl('http://239.255.255.255/').ok).toBe(false);
+        expect(validateSourceUrl('http://240.0.0.1/').ok).toBe(false);
+        expect(validateSourceUrl('http://255.255.255.255/').ok).toBe(false);
+    });
+    it('rejects 0.0.0.0/8 (this network)', () => {
+        expect(validateSourceUrl('http://0.0.0.0/').ok).toBe(false);
+        expect(validateSourceUrl('http://0.1.2.3/').ok).toBe(false);
+    });
+    it('rejects 192.0.0.0/24 (IETF protocol assignments)', () => {
+        expect(validateSourceUrl('http://192.0.0.1/').ok).toBe(false);
+    });
+    it('accepts 8.8.8.8, 1.1.1.1, 93.184.216.34 (globally routable)', () => {
+        expect(validateSourceUrl('http://8.8.8.8/').ok).toBe(true);
+        expect(validateSourceUrl('http://1.1.1.1/').ok).toBe(true);
+        expect(validateSourceUrl('http://93.184.216.34/').ok).toBe(true);
+    });
+    it('rejects IPv6 multicast [ff02::1]', () => {
+        expect(validateSourceUrl('http://[ff02::1]/').ok).toBe(false);
+    });
+    it('rejects IPv6 documentation [2001:db8::1]', () => {
+        expect(validateSourceUrl('http://[2001:db8::1]/').ok).toBe(false);
+    });
+    it('rejects IPv6 6to4 anycast [2002::1]', () => {
+        expect(validateSourceUrl('http://[2002::1]/').ok).toBe(false);
+    });
+    it('accepts Cloudflare public IPv6 [2606:4700::6810:84e5]', () => {
+        expect(validateSourceUrl('http://[2606:4700::6810:84e5]/').ok).toBe(true);
+    });
+});
+describe('assertSafeSourceUrl', () => {
+    it('throws on a blocked URL', () => {
+        expect(() => assertSafeSourceUrl('http://127.0.0.1/')).toThrow(/refusing to fetch/);
+    });
+    it('returns the URL on success', () => {
+        const url = assertSafeSourceUrl('https://owasp.org/Top10/#section');
+        expect(url.hostname).toBe('owasp.org');
+    });
+});
+describe('isAllowlistedSource', () => {
+    const allowlist = {
+        hosts: ['owasp.org', 'ietf.org/rfc', 'anthropic.com/docs'],
+        github_repos: ['modelcontextprotocol/specification'],
+    };
+    it('matches a bare hostname', () => {
+        expect(isAllowlistedSource(new URL('https://owasp.org/Top10/'), allowlist)).toBe(true);
+    });
+    it('matches a subdomain of a bare hostname', () => {
+        expect(isAllowlistedSource(new URL('https://docs.owasp.org/x'), allowlist)).toBe(true);
+    });
+    it('matches a host+path-prefix entry', () => {
+        expect(isAllowlistedSource(new URL('https://ietf.org/rfc/rfc6749.html'), allowlist)).toBe(true);
+    });
+    it('rejects a host+path-prefix when path is wrong', () => {
+        expect(isAllowlistedSource(new URL('https://ietf.org/about/'), allowlist)).toBe(false);
+    });
+    it('matches a curated github repo', () => {
+        expect(isAllowlistedSource(new URL('https://github.com/modelcontextprotocol/specification/blob/main/spec.md'), allowlist)).toBe(true);
+    });
+    it('rejects a github repo not in the allowlist', () => {
+        expect(isAllowlistedSource(new URL('https://github.com/some-random/repo'), allowlist)).toBe(false);
+    });
+    it('rejects a non-allowlisted host', () => {
+        expect(isAllowlistedSource(new URL('https://stackoverflow.com/q/1'), allowlist)).toBe(false);
+    });
+});
+//# sourceMappingURL=source-url-validator.test.js.map

package/dist/knowledge-freshness/source-url-validator.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"source-url-validator.test.js","sourceRoot":"","sources":["../../src/knowledge-freshness/source-url-validator.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAC7C,OAAO,EACL,iBAAiB,EACjB,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,2BAA2B,CAAA;AAElC,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,CAAC,GAAG,iBAAiB,CAAC,0BAA0B,CAAC,CAAA;QACvD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACzB,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,MAAM,CAAC,GAAG,iBAAiB,CAAC,sBAAsB,CAAC,CAAA;QACnD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACzB,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE;QAC9B,MAAM,CAAC,GAAG,iBAAiB,CAAC,oBAAoB,CAAC,CAAA;QACjD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QACxB,IAAI,CAAC,CAAC,CAAC,EAAE;YAAE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;IACjD,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,mBAAmB,EAAE,GAAG,EAAE;QAC3B,MAAM,CAAC,GAAG,iBAAiB,CAAC,8BAA8B,CAAC,CAAA;QAC3D,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC1B,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,mBAAmB,EAAE,GAAG,EAAE;QAC3B,MAAM,CAAC,GAAG,iBAAiB,CAAC,oBAAoB,CAAC,CAAA;QACjD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC1B,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,GAAG,iBAAiB,CAAC,mBAAmB,CAAC,CAAA;QAChD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC1B,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,CAAC,GAAG,iBAAiB,CAAC,sBAAsB,CAAC,CAAA;QACnD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC1B,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,CAAC,GAAG,iBAAiB,CAAC,0CAA0C,CAAC,CAAA;QACvE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC1B,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,CAAC,GAAG,iBAAiB,CAAC,qBAAqB,CAAC,CAAA;QAClD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC1B,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,CAAC,GAAG,iBAAiB,CAAC,iBAAiB,CAAC,CAAA;QAC9C,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACzB,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAA;QACxC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC1B,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,uBAAuB,EAAE,GAAG,EAAE;QAC/B,MAAM,CAAC,GAAG,iBAAiB,CAAC,qBAAqB,CAAC,CAAA;QAClD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC1B,CAAC,CAAC,CAAA;IAEF,gCAAgC;IAChC,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,CAAC,iBAAiB,CAAC,eAAe,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC3D,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC/D,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC/D,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC/D,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,sDAAsD,EAAE,GAAG,EAAE;QAC9D,MAAM,CAAC,iBAAiB,CAAC,4BAA4B,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IACxE,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,CAAC,iBAAiB,CAAC,2BAA2B,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IACvE,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,CAAC,iBAAiB,CAAC,kCAAkC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC9E,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,MAAM,CAAC,iBAAiB,CAAC,gCAAgC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAC3E,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,CAAC,iBAAiB,CAAC,cAAc,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC1D,CAAC,CAAC,CAAA;IAEF,8CAA8C;IAC9C,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,CAAC,iBAAiB,CAAC,oBAAoB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC9D,MAAM,CAAC,iBAAiB,CAAC,yBAAyB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IACrE,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,MAAM,CAAC,iBAAiB,CAAC,oBAAoB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC7D,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAChE,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,CAAC,iBAAiB,CAAC,oBAAoB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC9D,MAAM,CAAC,iBAAiB,CAAC,wBAAwB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IACpE,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,8EAA8E,EAAE,GAAG,EAAE;QACtF,MAAM,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC7D,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAChE,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IACjE,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,iEAAiE,EAAE,GAAG,EAAE;QACzE,MAAM,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC7D,MAAM,CAAC,iBAAiB,CAAC,yBAAyB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QACnE,MAAM,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC7D,MAAM,CAAC,iBAAiB,CAAC,yBAAyB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IACrE,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC3D,MAAM,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC7D,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC/D,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,6DAA6D,EAAE,GAAG,EAAE;QACrE,MAAM,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC1D,MAAM,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC1D,MAAM,CAAC,iBAAiB,CAAC,uBAAuB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAClE,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC/D,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,CAAC,iBAAiB,CAAC,uBAAuB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IACnE,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,CAAC,iBAAiB,CAAC,mBAAmB,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC/D,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,CAAC,iBAAiB,CAAC,gCAAgC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAC3E,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA;AAEF,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,GAAG,EAAE,CAAC,mBAAmB,CAAC,mBAAmB,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAA;IACrF,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,GAAG,GAAG,mBAAmB,CAAC,kCAAkC,CAAC,CAAA;QACnE,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IACxC,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA;AAEF,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,MAAM,SAAS,GAAG;QAChB,KAAK,EAAE,CAAC,WAAW,EAAE,cAAc,EAAE,oBAAoB,CAAC;QAC1D,YAAY,EAAE,CAAC,oCAAoC,CAAC;KACrD,CAAA;IAED,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,mBAAmB,CAAC,IAAI,GAAG,CAAC,0BAA0B,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACxF,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,CAAC,mBAAmB,CAAC,IAAI,GAAG,CAAC,0BAA0B,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACxF,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,CAAC,mBAAmB,CAAC,IAAI,GAAG,CAAC,mCAAmC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACjG,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,CAAC,mBAAmB,CAAC,IAAI,GAAG,CAAC,yBAAyB,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IACxF,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,CACJ,mBAAmB,CACjB,IAAI,GAAG,CAAC,yEAAyE,CAAC,EAClF,SAAS,CACV,CACF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACd,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,CACJ,mBAAmB,CAAC,IAAI,GAAG,CAAC,qCAAqC,CAAC,EAAE,SAAS,CAAC,CAC/E,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IACf,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,CAAC,mBAAmB,CAAC,IAAI,GAAG,CAAC,+BAA+B,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IAC9F,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/dist/observability/checks/lens-i-knowledge-gaps.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { LensFn } from '../engine/checks/runner.js';
+export declare const lensIKnowledgeGaps: LensFn;
+//# sourceMappingURL=lens-i-knowledge-gaps.d.ts.map

package/dist/observability/checks/lens-i-knowledge-gaps.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"lens-i-knowledge-gaps.d.ts","sourceRoot":"","sources":["../../../src/observability/checks/lens-i-knowledge-gaps.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AAuCxD,eAAO,MAAM,kBAAkB,EAAE,MA8JhC,CAAA"}