agentlint 0.1.0

package/dist/rules/filesystem.js

@@ -0,0 +1,227 @@
+"use strict";
+/**
+ * Filesystem Rules (FS)
+ * Rules for detecting filesystem access risks
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.filesystemRules = exports.CrossBoundaryWriteRule = exports.SensitivePathWriteRule = exports.UnscopedWriteAccessRule = void 0;
+const base_1 = require("./base");
+// Sensitive paths that should trigger alerts
+const SENSITIVE_PATHS = [
+    '.git/',
+    '.git\\',
+    '.github/workflows/',
+    '.github\\workflows\\',
+    '.env',
+    '.ssh/',
+    '.ssh\\',
+    '~/.ssh/',
+    'id_rsa',
+    'id_ed25519',
+    'credentials',
+    'secrets',
+    '.npmrc',
+    '.pypirc',
+    '.docker/config.json',
+    '.kube/config',
+    '.aws/credentials',
+];
+/**
+ * FS-001: Unscoped Write Access
+ * Agent writes to filesystem without a restricted path scope
+ */
+class UnscopedWriteAccessRule extends base_1.BaseRule {
+    constructor() {
+        super({
+            id: 'FS-001',
+            group: 'filesystem',
+            severity: 'high',
+            title: 'Unscoped Write Access',
+            description: 'Agent has write access to the filesystem without a restricted path scope. This enables repo corruption, credential overwrite, and CI manipulation.',
+            recommendation: 'Restrict write access to specific directories (e.g., src/**, tests/**). Never allow unrestricted write access.',
+            tags: ['filesystem', 'write', 'permissions'],
+        });
+    }
+    evaluate(context) {
+        const findings = [];
+        const { document, capabilitySummary, minConfidence } = context;
+        // Check for unscoped write patterns in actions
+        for (const action of document.actions) {
+            if (action.type !== 'file_write')
+                continue;
+            const paths = action.filesystem?.paths || [];
+            for (const path of paths) {
+                if (this.isUnscopedPath(path)) {
+                    const confidence = action.evidence[0]?.confidence || 0.9;
+                    if (confidence < minConfidence)
+                        continue;
+                    const finding = this.createFinding(document, action.anchors, `Unscoped write access detected: "${path}". This allows writing to any file in the repository.`, action.evidence, confidence);
+                    finding.related_actions.push({
+                        action_type: action.type,
+                        context: action.context,
+                        summary: action.summary,
+                        anchors: action.anchors,
+                    });
+                    findings.push(finding);
+                }
+            }
+        }
+        // Check capability summary
+        if (capabilitySummary.filesystem.write.some(p => this.isUnscopedPath(p))) {
+            // Only add if no action-level finding exists
+            if (findings.length === 0) {
+                const finding = this.createFinding(document, { start_line: 1, end_line: 1 }, 'Document declares unscoped filesystem write access.', [
+                    {
+                        kind: 'heuristic',
+                        value: `Write paths: ${capabilitySummary.filesystem.write.join(', ')}`,
+                        confidence: 0.8,
+                    },
+                ], 0.8);
+                findings.push(finding);
+            }
+        }
+        return findings;
+    }
+    isUnscopedPath(path) {
+        // Check for patterns that indicate unrestricted access
+        const unscopedPatterns = [
+            '**/*',
+            '**',
+            '*',
+            './',
+            '/',
+            '..',
+            '../',
+        ];
+        const normalizedPath = path.trim().toLowerCase();
+        return unscopedPatterns.some(p => normalizedPath === p || normalizedPath.startsWith(p));
+    }
+}
+exports.UnscopedWriteAccessRule = UnscopedWriteAccessRule;
+/**
+ * FS-002: Sensitive Path Write
+ * Writes to known sensitive locations
+ */
+class SensitivePathWriteRule extends base_1.BaseRule {
+    constructor() {
+        super({
+            id: 'FS-002',
+            group: 'filesystem',
+            severity: 'high',
+            title: 'Sensitive Path Write',
+            description: 'Agent can write to known sensitive locations such as .git/, .github/workflows/, .env, or ~/.ssh/. This is a direct escalation or persistence vector.',
+            recommendation: 'Remove write access to sensitive paths. If necessary, require explicit user approval for each write operation.',
+            tags: ['filesystem', 'sensitive', 'security'],
+        });
+    }
+    evaluate(context) {
+        const findings = [];
+        const { document, minConfidence } = context;
+        for (const action of document.actions) {
+            if (action.type !== 'file_write')
+                continue;
+            const sensitivePaths = action.filesystem?.sensitive_paths_touched || [];
+            const paths = action.filesystem?.paths || [];
+            // Check explicitly marked sensitive paths
+            for (const sensitivePath of sensitivePaths) {
+                const confidence = action.evidence[0]?.confidence || 0.9;
+                if (confidence < minConfidence)
+                    continue;
+                const finding = this.createFinding(document, action.anchors, `Write access to sensitive path: "${sensitivePath}". This could lead to privilege escalation or persistence.`, action.evidence, confidence);
+                finding.related_actions.push({
+                    action_type: action.type,
+                    context: action.context,
+                    summary: action.summary,
+                    anchors: action.anchors,
+                });
+                findings.push(finding);
+            }
+            // Also check paths directly
+            for (const path of paths) {
+                if (this.isSensitivePath(path) && !sensitivePaths.includes(path)) {
+                    const confidence = action.evidence[0]?.confidence || 0.85;
+                    if (confidence < minConfidence)
+                        continue;
+                    const finding = this.createFinding(document, action.anchors, `Write access to sensitive path: "${path}".`, [
+                        {
+                            kind: 'heuristic',
+                            value: `Sensitive path pattern matched: ${path}`,
+                            confidence,
+                        },
+                    ], confidence);
+                    finding.related_actions.push({
+                        action_type: action.type,
+                        context: action.context,
+                        summary: action.summary,
+                        anchors: action.anchors,
+                    });
+                    findings.push(finding);
+                }
+            }
+        }
+        return findings;
+    }
+    isSensitivePath(path) {
+        const normalizedPath = path.toLowerCase();
+        return SENSITIVE_PATHS.some(sp => normalizedPath.includes(sp.toLowerCase()));
+    }
+}
+exports.SensitivePathWriteRule = SensitivePathWriteRule;
+/**
+ * FS-003: Cross-Boundary Write
+ * Agent writes outside declared project scope
+ */
+class CrossBoundaryWriteRule extends base_1.BaseRule {
+    constructor() {
+        super({
+            id: 'FS-003',
+            group: 'filesystem',
+            severity: 'medium',
+            title: 'Cross-Boundary Write',
+            description: 'Agent can write outside the declared project scope, such as parent directories or sibling repositories.',
+            recommendation: 'Restrict write access to the project directory. Never allow writes to parent or sibling directories.',
+            tags: ['filesystem', 'scope', 'boundary'],
+        });
+    }
+    evaluate(context) {
+        const findings = [];
+        const { document, minConfidence } = context;
+        for (const action of document.actions) {
+            if (action.type !== 'file_write')
+                continue;
+            const paths = action.filesystem?.paths || [];
+            for (const path of paths) {
+                if (this.isCrossBoundaryPath(path)) {
+                    const confidence = action.evidence[0]?.confidence || 0.8;
+                    if (confidence < minConfidence)
+                        continue;
+                    const finding = this.createFinding(document, action.anchors, `Cross-boundary write access detected: "${path}". This path is outside the project scope.`, action.evidence, confidence);
+                    finding.related_actions.push({
+                        action_type: action.type,
+                        context: action.context,
+                        summary: action.summary,
+                        anchors: action.anchors,
+                    });
+                    findings.push(finding);
+                }
+            }
+        }
+        return findings;
+    }
+    isCrossBoundaryPath(path) {
+        // Check for parent directory access or absolute paths outside project
+        return (path.includes('../') ||
+            path.includes('..\\') ||
+            path.startsWith('/') ||
+            path.startsWith('~') ||
+            /^[A-Z]:\\/i.test(path));
+    }
+}
+exports.CrossBoundaryWriteRule = CrossBoundaryWriteRule;
+// Export all filesystem rules
+exports.filesystemRules = [
+    new UnscopedWriteAccessRule(),
+    new SensitivePathWriteRule(),
+    new CrossBoundaryWriteRule(),
+];
+//# sourceMappingURL=filesystem.js.map

package/dist/rules/filesystem.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"filesystem.js","sourceRoot":"","sources":["../../src/rules/filesystem.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAGH,iCAAkC;AAGlC,6CAA6C;AAC7C,MAAM,eAAe,GAAG;IACtB,OAAO;IACP,QAAQ;IACR,oBAAoB;IACpB,sBAAsB;IACtB,MAAM;IACN,OAAO;IACP,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,YAAY;IACZ,aAAa;IACb,SAAS;IACT,QAAQ;IACR,SAAS;IACT,qBAAqB;IACrB,cAAc;IACd,kBAAkB;CACnB,CAAC;AAEF;;;GAGG;AACH,MAAa,uBAAwB,SAAQ,eAAQ;IACnD;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,QAAQ;YACZ,KAAK,EAAE,YAAY;YACnB,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,uBAAuB;YAC9B,WAAW,EACT,oJAAoJ;YACtJ,cAAc,EACZ,gHAAgH;YAClH,IAAI,EAAE,CAAC,YAAY,EAAE,OAAO,EAAE,aAAa,CAAC;SAC7C,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,OAAoB;QAC3B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,EAAE,QAAQ,EAAE,iBAAiB,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;QAE/D,+CAA+C;QAC/C,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtC,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY;gBAAE,SAAS;YAE3C,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC;YAC7C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC9B,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,IAAI,GAAG,CAAC;oBACzD,IAAI,UAAU,GAAG,aAAa;wBAAE,SAAS;oBAEzC,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,oCAAoC,IAAI,uDAAuD,EAC/F,MAAM,CAAC,QAAQ,EACf,UAAU,CACX,CAAC;oBAEF,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC;wBAC3B,WAAW,EAAE,MAAM,CAAC,IAAI;wBACxB,OAAO,EAAE,MAAM,CAAC,OAAO;wBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;wBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;qBACxB,CAAC,CAAC;oBAEH,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC;QAED,2BAA2B;QAC3B,IAAI,iBAAiB,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACzE,6CAA6C;YAC7C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,EAC9B,qDAAqD,EACrD;oBACE;wBACE,IAAI,EAAE,WAAW;wBACjB,KAAK,EAAE,gBAAgB,iBAAiB,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;wBACtE,UAAU,EAAE,GAAG;qBAChB;iBACF,EACD,GAAG,CACJ,CAAC;gBACF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,cAAc,CAAC,IAAY;QACjC,uDAAuD;QACvD,MAAM,gBAAgB,GAAG;YACvB,MAAM;YACN,IAAI;YACJ,GAAG;YACH,IAAI;YACJ,GAAG;YACH,IAAI;YACJ,KAAK;SACN,CAAC;QAEF,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACjD,OAAO,gBAAgB,CAAC,IAAI,CAC1B,CAAC,CAAC,EAAE,CAAC,cAAc,KAAK,CAAC,IAAI,cAAc,CAAC,UAAU,CAAC,CAAC,CAAC,CAC1D,CAAC;IACJ,CAAC;CACF;AA1FD,0DA0FC;AAED;;;GAGG;AACH,MAAa,sBAAuB,SAAQ,eAAQ;IAClD;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,QAAQ;YACZ,KAAK,EAAE,YAAY;YACnB,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,sBAAsB;YAC7B,WAAW,EACT,sJAAsJ;YACxJ,cAAc,EACZ,gHAAgH;YAClH,IAAI,EAAE,CAAC,YAAY,EAAE,WAAW,EAAE,UAAU,CAAC;SAC9C,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,OAAoB;QAC3B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;QAE5C,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtC,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY;gBAAE,SAAS;YAE3C,MAAM,cAAc,GAAG,MAAM,CAAC,UAAU,EAAE,uBAAuB,IAAI,EAAE,CAAC;YACxE,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC;YAE7C,0CAA0C;YAC1C,KAAK,MAAM,aAAa,IAAI,cAAc,EAAE,CAAC;gBAC3C,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,IAAI,GAAG,CAAC;gBACzD,IAAI,UAAU,GAAG,aAAa;oBAAE,SAAS;gBAEzC,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,oCAAoC,aAAa,4DAA4D,EAC7G,MAAM,CAAC,QAAQ,EACf,UAAU,CACX,CAAC;gBAEF,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC;oBAC3B,WAAW,EAAE,MAAM,CAAC,IAAI;oBACxB,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;iBACxB,CAAC,CAAC;gBAEH,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzB,CAAC;YAED,4BAA4B;YAC5B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;oBACjE,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,IAAI,IAAI,CAAC;oBAC1D,IAAI,UAAU,GAAG,aAAa;wBAAE,SAAS;oBAEzC,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,oCAAoC,IAAI,IAAI,EAC5C;wBACE;4BACE,IAAI,EAAE,WAAW;4BACjB,KAAK,EAAE,mCAAmC,IAAI,EAAE;4BAChD,UAAU;yBACX;qBACF,EACD,UAAU,CACX,CAAC;oBAEF,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC;wBAC3B,WAAW,EAAE,MAAM,CAAC,IAAI;wBACxB,OAAO,EAAE,MAAM,CAAC,OAAO;wBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;wBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;qBACxB,CAAC,CAAC;oBAEH,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,eAAe,CAAC,IAAY;QAClC,MAAM,cAAc,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QAC1C,OAAO,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAC/B,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,CAC1C,CAAC;IACJ,CAAC;CACF;AAzFD,wDAyFC;AAED;;;GAGG;AACH,MAAa,sBAAuB,SAAQ,eAAQ;IAClD;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,QAAQ;YACZ,KAAK,EAAE,YAAY;YACnB,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,sBAAsB;YAC7B,WAAW,EACT,yGAAyG;YAC3G,cAAc,EACZ,sGAAsG;YACxG,IAAI,EAAE,CAAC,YAAY,EAAE,OAAO,EAAE,UAAU,CAAC;SAC1C,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,OAAoB;QAC3B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;QAE5C,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtC,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY;gBAAE,SAAS;YAE3C,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC;YAC7C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC;oBACnC,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,IAAI,GAAG,CAAC;oBACzD,IAAI,UAAU,GAAG,aAAa;wBAAE,SAAS;oBAEzC,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,0CAA0C,IAAI,4CAA4C,EAC1F,MAAM,CAAC,QAAQ,EACf,UAAU,CACX,CAAC;oBAEF,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC;wBAC3B,WAAW,EAAE,MAAM,CAAC,IAAI;wBACxB,OAAO,EAAE,MAAM,CAAC,OAAO;wBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;wBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;qBACxB,CAAC,CAAC;oBAEH,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,mBAAmB,CAAC,IAAY;QACtC,sEAAsE;QACtE,OAAO,CACL,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;YACpB,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;YACrB,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YACpB,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YACpB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CACxB,CAAC;IACJ,CAAC;CACF;AA7DD,wDA6DC;AAED,8BAA8B;AACjB,QAAA,eAAe,GAAG;IAC7B,IAAI,uBAAuB,EAAE;IAC7B,IAAI,sBAAsB,EAAE;IAC5B,IAAI,sBAAsB,EAAE;CAC7B,CAAC"}

package/dist/rules/hook.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Hook & Automation Rules (HOOK)
+ * Rules for detecting risks in automated hooks
+ */
+import { Finding } from '../ir/types';
+import { BaseRule } from './base';
+import { RuleContext } from './types';
+/**
+ * HOOK-001: Auto-Triggered Hook with Side Effects
+ * Hooks that run automatically and perform side effects
+ */
+export declare class AutoTriggeredHookRule extends BaseRule {
+    constructor();
+    evaluate(context: RuleContext): Finding[];
+}
+/**
+ * HOOK-002: Hidden Hook Activation
+ * Hooks defined without clear documentation or discoverability
+ */
+export declare class HiddenHookActivationRule extends BaseRule {
+    constructor();
+    evaluate(context: RuleContext): Finding[];
+}
+export declare const hookRules: (AutoTriggeredHookRule | HiddenHookActivationRule)[];
+//# sourceMappingURL=hook.d.ts.map

package/dist/rules/hook.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hook.d.ts","sourceRoot":"","sources":["../../src/rules/hook.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAClC,OAAO,EAAE,WAAW,EAAkB,MAAM,SAAS,CAAC;AAEtD;;;GAGG;AACH,qBAAa,qBAAsB,SAAQ,QAAQ;;IAejD,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,EAAE;CA2D1C;AAED;;;GAGG;AACH,qBAAa,wBAAyB,SAAQ,QAAQ;;IAepD,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,EAAE;CAuC1C;AAGD,eAAO,MAAM,SAAS,sDAGrB,CAAC"}

package/dist/rules/hook.js

@@ -0,0 +1,112 @@
+"use strict";
+/**
+ * Hook & Automation Rules (HOOK)
+ * Rules for detecting risks in automated hooks
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hookRules = exports.HiddenHookActivationRule = exports.AutoTriggeredHookRule = void 0;
+const base_1 = require("./base");
+/**
+ * HOOK-001: Auto-Triggered Hook with Side Effects
+ * Hooks that run automatically and perform side effects
+ */
+class AutoTriggeredHookRule extends base_1.BaseRule {
+    constructor() {
+        super({
+            id: 'HOOK-001',
+            group: 'hook',
+            severity: 'high',
+            title: 'Auto-Triggered Hook with Side Effects',
+            description: 'Hooks that run automatically and perform shell execution, file writes, or network calls. Users do not explicitly approve hooks.',
+            recommendation: 'Remove side effects from automatic hooks, or convert to interactive skills that require user approval.',
+            tags: ['hook', 'automation', 'side-effects'],
+        });
+    }
+    evaluate(context) {
+        const findings = [];
+        const { document, minConfidence } = context;
+        // Only applies to hook context
+        if (document.doc_type !== 'hook') {
+            return findings;
+        }
+        // Check if the hook has side effects
+        const sideEffectActions = document.actions.filter(a => a.type === 'shell_exec' ||
+            a.type === 'file_write' ||
+            a.type === 'network_call');
+        if (sideEffectActions.length === 0) {
+            return findings;
+        }
+        // Check if hook is auto-triggered (not manual)
+        const isAutoTriggered = document.context_profile.triggers.some(t => t.type !== 'manual' && t.type !== 'unknown');
+        if (!isAutoTriggered && document.context_profile.triggers.length > 0) {
+            return findings;
+        }
+        // Report the hook
+        const triggerTypes = document.context_profile.triggers
+            .map(t => t.type)
+            .join(', ');
+        for (const action of sideEffectActions) {
+            const confidence = action.evidence[0]?.confidence || 0.9;
+            if (confidence < minConfidence)
+                continue;
+            const finding = this.createFinding(document, action.anchors, `Auto-triggered hook (${triggerTypes}) performs ${action.type}: ${action.summary}`, action.evidence, confidence);
+            finding.related_actions.push({
+                action_type: action.type,
+                context: action.context,
+                summary: action.summary,
+                anchors: action.anchors,
+            });
+            findings.push(finding);
+        }
+        return findings;
+    }
+}
+exports.AutoTriggeredHookRule = AutoTriggeredHookRule;
+/**
+ * HOOK-002: Hidden Hook Activation
+ * Hooks defined without clear documentation or discoverability
+ */
+class HiddenHookActivationRule extends base_1.BaseRule {
+    constructor() {
+        super({
+            id: 'HOOK-002',
+            group: 'hook',
+            severity: 'medium',
+            title: 'Hidden Hook Activation',
+            description: 'Hooks defined without clear documentation or discoverability. This makes it difficult to audit agent behavior.',
+            recommendation: 'Document all hooks clearly. Include trigger conditions and expected behavior in comments or documentation.',
+            tags: ['hook', 'documentation', 'discoverability'],
+        });
+    }
+    evaluate(context) {
+        const findings = [];
+        const { document, minConfidence } = context;
+        // Only applies to hook context
+        if (document.doc_type !== 'hook') {
+            return findings;
+        }
+        // Check if hook has triggers defined
+        const hasClearTriggers = document.context_profile.triggers.some(t => t.type !== 'unknown');
+        // Check if hook has documentation/comments
+        const hasDocumentation = document.instruction_blocks.length > 0 ||
+            (document.declared_intents && document.declared_intents.length > 0);
+        if (!hasClearTriggers && !hasDocumentation) {
+            const finding = this.createFinding(document, { start_line: 1, end_line: 1 }, 'Hook lacks clear trigger documentation or discoverability.', [
+                {
+                    kind: 'heuristic',
+                    value: 'No trigger type or documentation detected',
+                    confidence: 0.7,
+                },
+            ], 0.7);
+            findings.push(finding);
+        }
+        return findings;
+    }
+}
+exports.HiddenHookActivationRule = HiddenHookActivationRule;
+// Export all hook rules
+exports.hookRules = [
+    new AutoTriggeredHookRule(),
+    new HiddenHookActivationRule(),
+];
+//# sourceMappingURL=hook.js.map

package/dist/rules/hook.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hook.js","sourceRoot":"","sources":["../../src/rules/hook.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAGH,iCAAkC;AAGlC;;;GAGG;AACH,MAAa,qBAAsB,SAAQ,eAAQ;IACjD;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,UAAU;YACd,KAAK,EAAE,MAAM;YACb,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,uCAAuC;YAC9C,WAAW,EACT,iIAAiI;YACnI,cAAc,EACZ,wGAAwG;YAC1G,IAAI,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,cAAc,CAAC;SAC7C,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,OAAoB;QAC3B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;QAE5C,+BAA+B;QAC/B,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YACjC,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,qCAAqC;QACrC,MAAM,iBAAiB,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,CAC/C,CAAC,CAAC,EAAE,CACF,CAAC,CAAC,IAAI,KAAK,YAAY;YACvB,CAAC,CAAC,IAAI,KAAK,YAAY;YACvB,CAAC,CAAC,IAAI,KAAK,cAAc,CAC5B,CAAC;QAEF,IAAI,iBAAiB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACnC,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,+CAA+C;QAC/C,MAAM,eAAe,GAAG,QAAQ,CAAC,eAAe,CAAC,QAAQ,CAAC,IAAI,CAC5D,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,CACjD,CAAC;QAEF,IAAI,CAAC,eAAe,IAAI,QAAQ,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrE,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,kBAAkB;QAClB,MAAM,YAAY,GAAG,QAAQ,CAAC,eAAe,CAAC,QAAQ;aACnD,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;aAChB,IAAI,CAAC,IAAI,CAAC,CAAC;QAEd,KAAK,MAAM,MAAM,IAAI,iBAAiB,EAAE,CAAC;YACvC,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,IAAI,GAAG,CAAC;YACzD,IAAI,UAAU,GAAG,aAAa;gBAAE,SAAS;YAEzC,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,wBAAwB,YAAY,cAAc,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,OAAO,EAAE,EAClF,MAAM,CAAC,QAAQ,EACf,UAAU,CACX,CAAC;YAEF,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC;gBAC3B,WAAW,EAAE,MAAM,CAAC,IAAI;gBACxB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;aACxB,CAAC,CAAC;YAEH,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AA1ED,sDA0EC;AAED;;;GAGG;AACH,MAAa,wBAAyB,SAAQ,eAAQ;IACpD;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,UAAU;YACd,KAAK,EAAE,MAAM;YACb,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,wBAAwB;YAC/B,WAAW,EACT,gHAAgH;YAClH,cAAc,EACZ,4GAA4G;YAC9G,IAAI,EAAE,CAAC,MAAM,EAAE,eAAe,EAAE,iBAAiB,CAAC;SACnD,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,OAAoB;QAC3B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;QAE5C,+BAA+B;QAC/B,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YACjC,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,qCAAqC;QACrC,MAAM,gBAAgB,GAAG,QAAQ,CAAC,eAAe,CAAC,QAAQ,CAAC,IAAI,CAC7D,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAC1B,CAAC;QAEF,2CAA2C;QAC3C,MAAM,gBAAgB,GACpB,QAAQ,CAAC,kBAAkB,CAAC,MAAM,GAAG,CAAC;YACtC,CAAC,QAAQ,CAAC,gBAAgB,IAAI,QAAQ,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAEtE,IAAI,CAAC,gBAAgB,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3C,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,EAAE,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,EAC9B,4DAA4D,EAC5D;gBACE;oBACE,IAAI,EAAE,WAAW;oBACjB,KAAK,EAAE,2CAA2C;oBAClD,UAAU,EAAE,GAAG;iBAChB;aACF,EACD,GAAG,CACJ,CAAC;YAEF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AAtDD,4DAsDC;AAED,wBAAwB;AACX,QAAA,SAAS,GAAG;IACvB,IAAI,qBAAqB,EAAE;IAC3B,IAAI,wBAAwB,EAAE;CAC/B,CAAC"}

package/dist/rules/index.d.ts

@@ -0,0 +1,12 @@
+export * from './types';
+export * from './base';
+export * from './execution';
+export * from './filesystem';
+export * from './network';
+export * from './secrets';
+export * from './hook';
+export * from './instruction';
+export * from './scope';
+export * from './observability';
+export * from './engine';
+//# sourceMappingURL=index.d.ts.map

package/dist/rules/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/rules/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,cAAc,QAAQ,CAAC;AACvB,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC;AAC7B,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,QAAQ,CAAC;AACvB,cAAc,eAAe,CAAC;AAC9B,cAAc,SAAS,CAAC;AACxB,cAAc,iBAAiB,CAAC;AAChC,cAAc,UAAU,CAAC"}

package/dist/rules/index.js

@@ -0,0 +1,28 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./types"), exports);
+__exportStar(require("./base"), exports);
+__exportStar(require("./execution"), exports);
+__exportStar(require("./filesystem"), exports);
+__exportStar(require("./network"), exports);
+__exportStar(require("./secrets"), exports);
+__exportStar(require("./hook"), exports);
+__exportStar(require("./instruction"), exports);
+__exportStar(require("./scope"), exports);
+__exportStar(require("./observability"), exports);
+__exportStar(require("./engine"), exports);
+//# sourceMappingURL=index.js.map

package/dist/rules/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/rules/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,0CAAwB;AACxB,yCAAuB;AACvB,8CAA4B;AAC5B,+CAA6B;AAC7B,4CAA0B;AAC1B,4CAA0B;AAC1B,yCAAuB;AACvB,gDAA8B;AAC9B,0CAAwB;AACxB,kDAAgC;AAChC,2CAAyB"}

package/dist/rules/instruction.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Instruction Integrity Rules (INST)
+ * Rules for detecting instruction override and bypass patterns
+ */
+import { Finding } from '../ir/types';
+import { BaseRule } from './base';
+import { RuleContext } from './types';
+/**
+ * INST-001: Instruction Override Patterns
+ * Patterns that instruct the agent to ignore rules or disable safeguards
+ */
+export declare class InstructionOverrideRule extends BaseRule {
+    constructor();
+    evaluate(context: RuleContext): Finding[];
+}
+/**
+ * INST-002: Self-Modifying Rules
+ * Agent instructed to modify its own configuration or rules
+ */
+export declare class SelfModifyingRulesRule extends BaseRule {
+    constructor();
+    evaluate(context: RuleContext): Finding[];
+}
+export declare const instructionRules: (InstructionOverrideRule | SelfModifyingRulesRule)[];
+//# sourceMappingURL=instruction.d.ts.map

package/dist/rules/instruction.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"instruction.d.ts","sourceRoot":"","sources":["../../src/rules/instruction.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAClC,OAAO,EAAE,WAAW,EAAkB,MAAM,SAAS,CAAC;AA2BtD;;;GAGG;AACH,qBAAa,uBAAwB,SAAQ,QAAQ;;IAenD,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,EAAE;CA2D1C;AAED;;;GAGG;AACH,qBAAa,sBAAuB,SAAQ,QAAQ;;IAelD,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,EAAE;CAqE1C;AAGD,eAAO,MAAM,gBAAgB,sDAG5B,CAAC"}

package/dist/rules/instruction.js

@@ -0,0 +1,162 @@
+"use strict";
+/**
+ * Instruction Integrity Rules (INST)
+ * Rules for detecting instruction override and bypass patterns
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.instructionRules = exports.SelfModifyingRulesRule = exports.InstructionOverrideRule = void 0;
+const base_1 = require("./base");
+// Patterns that indicate instruction override attempts
+const OVERRIDE_PATTERNS = [
+    /ignore\s+(?:all\s+)?(?:previous\s+)?(?:instructions?|rules?)/i,
+    /disregard\s+(?:all\s+)?(?:previous\s+)?(?:rules?|instructions?)/i,
+    /forget\s+(?:all\s+)?(?:previous\s+)?(?:instructions?|rules?)/i,
+    /override\s+(?:all\s+)?(?:rules?|restrictions?|safeguards?)/i,
+    /bypass\s+(?:all\s+)?(?:safety\s+)?(?:rules?|restrictions?|safeguards?)/i,
+    /disable\s+(?:all\s+)?(?:safety\s+)?(?:safeguards?|restrictions?)/i,
+    /rewrite\s+(?:your\s+)?(?:rules?|instructions?)/i,
+    /new\s+system\s+prompt/i,
+    /you\s+are\s+now\s+(?:a\s+)?(?:new|different)/i,
+    /pretend\s+(?:you\s+are|that)/i,
+    /act\s+as\s+if\s+(?:you\s+have\s+no|there\s+are\s+no)/i,
+    /from\s+now\s+on,?\s+(?:ignore|forget|disregard)/i,
+];
+// Patterns that indicate self-modification
+const SELF_MODIFY_PATTERNS = [
+    /(?:modify|edit|change|update|rewrite)\s+(?:your(?:self)?|this\s+)?(?:rules?|config|instructions?|settings?)/i,
+    /add\s+(?:new\s+)?(?:rules?|instructions?)\s+to\s+(?:your(?:self)?|this)/i,
+    /(?:delete|remove)\s+(?:existing\s+)?(?:rules?|restrictions?)/i,
+    /reconfigure\s+(?:your(?:self)?|the\s+agent)/i,
+    /change\s+(?:your\s+)?(?:behavior|capabilities)/i,
+];
+/**
+ * INST-001: Instruction Override Patterns
+ * Patterns that instruct the agent to ignore rules or disable safeguards
+ */
+class InstructionOverrideRule extends base_1.BaseRule {
+    constructor() {
+        super({
+            id: 'INST-001',
+            group: 'instruction',
+            severity: 'high',
+            title: 'Instruction Override Patterns',
+            description: 'Patterns that instruct the agent to ignore previous rules, rewrite governance, or disable safeguards. This is a governance bypass attempt.',
+            recommendation: 'Remove instruction override patterns. Agent configurations should not attempt to bypass safety measures.',
+            tags: ['instruction', 'override', 'governance', 'jailbreak'],
+        });
+    }
+    evaluate(context) {
+        const findings = [];
+        const { document, minConfidence } = context;
+        // Check instruction blocks
+        for (const block of document.instruction_blocks) {
+            for (const pattern of OVERRIDE_PATTERNS) {
+                const match = block.text.match(pattern);
+                if (match) {
+                    const finding = this.createFinding(document, block.anchors, `Instruction override pattern detected: "${match[0]}"`, [
+                        {
+                            kind: 'regex',
+                            value: match[0],
+                            confidence: 0.95,
+                        },
+                    ], 0.95);
+                    findings.push(finding);
+                    break; // One finding per block
+                }
+            }
+        }
+        // Check actions for override patterns (from parser detection)
+        for (const action of document.actions) {
+            if (action.type !== 'unknown')
+                continue;
+            if (!action.summary.includes('Instruction override'))
+                continue;
+            const confidence = action.evidence[0]?.confidence || 0.9;
+            if (confidence < minConfidence)
+                continue;
+            // Avoid duplicate findings
+            const isDuplicate = findings.some(f => f.location.start_line === action.anchors.start_line &&
+                f.location.path === document.path);
+            if (!isDuplicate) {
+                const finding = this.createFinding(document, action.anchors, `Instruction override pattern detected in action.`, action.evidence, confidence);
+                findings.push(finding);
+            }
+        }
+        return findings;
+    }
+}
+exports.InstructionOverrideRule = InstructionOverrideRule;
+/**
+ * INST-002: Self-Modifying Rules
+ * Agent instructed to modify its own configuration or rules
+ */
+class SelfModifyingRulesRule extends base_1.BaseRule {
+    constructor() {
+        super({
+            id: 'INST-002',
+            group: 'instruction',
+            severity: 'high',
+            title: 'Self-Modifying Rules',
+            description: 'Agent is instructed to modify its own configuration, rules, or behavior. This creates unpredictable governance risks.',
+            recommendation: 'Agent configurations should be immutable during execution. Remove self-modification instructions.',
+            tags: ['instruction', 'self-modify', 'governance'],
+        });
+    }
+    evaluate(context) {
+        const findings = [];
+        const { document, minConfidence } = context;
+        // Check instruction blocks for self-modification patterns
+        for (const block of document.instruction_blocks) {
+            for (const pattern of SELF_MODIFY_PATTERNS) {
+                const match = block.text.match(pattern);
+                if (match) {
+                    const finding = this.createFinding(document, block.anchors, `Self-modification pattern detected: "${match[0]}"`, [
+                        {
+                            kind: 'regex',
+                            value: match[0],
+                            confidence: 0.9,
+                        },
+                    ], 0.9);
+                    findings.push(finding);
+                    break; // One finding per block
+                }
+            }
+        }
+        // Check if document has actions that write to agent config locations
+        const agentConfigPaths = [
+            '.claude/',
+            '.cursorrules',
+            'CLAUDE.md',
+            'AGENTS.md',
+        ];
+        for (const action of document.actions) {
+            if (action.type !== 'file_write')
+                continue;
+            const paths = action.filesystem?.paths || [];
+            for (const path of paths) {
+                const normalizedPath = path.toLowerCase();
+                if (agentConfigPaths.some(p => normalizedPath.includes(p))) {
+                    const confidence = action.evidence[0]?.confidence || 0.85;
+                    if (confidence < minConfidence)
+                        continue;
+                    const finding = this.createFinding(document, action.anchors, `Self-modification detected: writes to agent configuration path "${path}"`, action.evidence, confidence);
+                    finding.related_actions.push({
+                        action_type: action.type,
+                        context: action.context,
+                        summary: action.summary,
+                        anchors: action.anchors,
+                    });
+                    findings.push(finding);
+                }
+            }
+        }
+        return findings;
+    }
+}
+exports.SelfModifyingRulesRule = SelfModifyingRulesRule;
+// Export all instruction rules
+exports.instructionRules = [
+    new InstructionOverrideRule(),
+    new SelfModifyingRulesRule(),
+];
+//# sourceMappingURL=instruction.js.map

package/dist/rules/instruction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"instruction.js","sourceRoot":"","sources":["../../src/rules/instruction.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAGH,iCAAkC;AAGlC,uDAAuD;AACvD,MAAM,iBAAiB,GAAG;IACxB,+DAA+D;IAC/D,kEAAkE;IAClE,+DAA+D;IAC/D,6DAA6D;IAC7D,yEAAyE;IACzE,mEAAmE;IACnE,iDAAiD;IACjD,wBAAwB;IACxB,+CAA+C;IAC/C,+BAA+B;IAC/B,uDAAuD;IACvD,kDAAkD;CACnD,CAAC;AAEF,2CAA2C;AAC3C,MAAM,oBAAoB,GAAG;IAC3B,8GAA8G;IAC9G,0EAA0E;IAC1E,+DAA+D;IAC/D,8CAA8C;IAC9C,iDAAiD;CAClD,CAAC;AAEF;;;GAGG;AACH,MAAa,uBAAwB,SAAQ,eAAQ;IACnD;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,UAAU;YACd,KAAK,EAAE,aAAa;YACpB,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,+BAA+B;YACtC,WAAW,EACT,4IAA4I;YAC9I,cAAc,EACZ,0GAA0G;YAC5G,IAAI,EAAE,CAAC,aAAa,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,CAAC;SAC7D,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,OAAoB;QAC3B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;QAE5C,2BAA2B;QAC3B,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,kBAAkB,EAAE,CAAC;YAChD,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;gBACxC,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBACxC,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,KAAK,CAAC,OAAO,EACb,2CAA2C,KAAK,CAAC,CAAC,CAAC,GAAG,EACtD;wBACE;4BACE,IAAI,EAAE,OAAO;4BACb,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;4BACf,UAAU,EAAE,IAAI;yBACjB;qBACF,EACD,IAAI,CACL,CAAC;oBAEF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;oBACvB,MAAM,CAAC,wBAAwB;gBACjC,CAAC;YACH,CAAC;QACH,CAAC;QAED,8DAA8D;QAC9D,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtC,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS;gBAAE,SAAS;YACxC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC;gBAAE,SAAS;YAE/D,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,IAAI,GAAG,CAAC;YACzD,IAAI,UAAU,GAAG,aAAa;gBAAE,SAAS;YAEzC,2BAA2B;YAC3B,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAC/B,CAAC,CAAC,EAAE,CACF,CAAC,CAAC,QAAQ,CAAC,UAAU,KAAK,MAAM,CAAC,OAAO,CAAC,UAAU;gBACnD,CAAC,CAAC,QAAQ,CAAC,IAAI,KAAK,QAAQ,CAAC,IAAI,CACpC,CAAC;YAEF,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,kDAAkD,EAClD,MAAM,CAAC,QAAQ,EACf,UAAU,CACX,CAAC;gBAEF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AA1ED,0DA0EC;AAED;;;GAGG;AACH,MAAa,sBAAuB,SAAQ,eAAQ;IAClD;QACE,KAAK,CAAC;YACJ,EAAE,EAAE,UAAU;YACd,KAAK,EAAE,aAAa;YACpB,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,sBAAsB;YAC7B,WAAW,EACT,uHAAuH;YACzH,cAAc,EACZ,mGAAmG;YACrG,IAAI,EAAE,CAAC,aAAa,EAAE,aAAa,EAAE,YAAY,CAAC;SACnD,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,OAAoB;QAC3B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;QAE5C,0DAA0D;QAC1D,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,kBAAkB,EAAE,CAAC;YAChD,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;gBAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBACxC,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,KAAK,CAAC,OAAO,EACb,wCAAwC,KAAK,CAAC,CAAC,CAAC,GAAG,EACnD;wBACE;4BACE,IAAI,EAAE,OAAO;4BACb,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;4BACf,UAAU,EAAE,GAAG;yBAChB;qBACF,EACD,GAAG,CACJ,CAAC;oBAEF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;oBACvB,MAAM,CAAC,wBAAwB;gBACjC,CAAC;YACH,CAAC;QACH,CAAC;QAED,qEAAqE;QACrE,MAAM,gBAAgB,GAAG;YACvB,UAAU;YACV,cAAc;YACd,WAAW;YACX,WAAW;SACZ,CAAC;QAEF,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACtC,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY;gBAAE,SAAS;YAE3C,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC;YAC7C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,cAAc,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC1C,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3D,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,IAAI,IAAI,CAAC;oBAC1D,IAAI,UAAU,GAAG,aAAa;wBAAE,SAAS;oBAEzC,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAChC,QAAQ,EACR,MAAM,CAAC,OAAO,EACd,mEAAmE,IAAI,GAAG,EAC1E,MAAM,CAAC,QAAQ,EACf,UAAU,CACX,CAAC;oBAEF,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC;wBAC3B,WAAW,EAAE,MAAM,CAAC,IAAI;wBACxB,OAAO,EAAE,MAAM,CAAC,OAAO;wBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;wBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;qBACxB,CAAC,CAAC;oBAEH,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AApFD,wDAoFC;AAED,+BAA+B;AAClB,QAAA,gBAAgB,GAAG;IAC9B,IAAI,uBAAuB,EAAE;IAC7B,IAAI,sBAAsB,EAAE;CAC7B,CAAC"}