autoremediator 0.2.2 → 0.4.0

@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/remediation/pipeline.ts","../src/platform/config.ts","../src/platform/package-manager.ts","../src/remediation/tools/lookup-cve.ts","../src/intelligence/sources/osv.ts","../src/intelligence/sources/github-advisory.ts","../src/intelligence/sources/nvd.ts","../src/intelligence/sources/cisa-kev.ts","../src/intelligence/sources/epss.ts","../src/intelligence/sources/cve-services.ts","../src/intelligence/sources/gitlab-advisory.ts","../src/intelligence/sources/certcc.ts","../src/intelligence/sources/deps-dev.ts","../src/intelligence/sources/ossf-scorecard.ts","../src/intelligence/sources/external-feeds.ts","../src/remediation/tools/check-inventory.ts","../src/remediation/tools/check-version-match.ts","../src/remediation/tools/find-fixed-version.ts","../src/intelligence/sources/registry.ts","../src/remediation/tools/apply-version-bump.ts","../src/platform/policy.ts","../src/platform/repo-lock.ts","../src/remediation/tools/fetch-package-source.ts","../src/remediation/tools/generate-patch.ts","../src/remediation/tools/apply-patch-file.ts","../src/scanner/index.ts","../src/scanner/adapters/npm-audit.ts","../src/scanner/adapters/yarn-audit.ts","../src/scanner/adapters/sarif.ts","../src/platform/evidence.ts","../src/platform/idempotency.ts","../src/api.ts"],"sourcesContent":["/**\n * Autoremediator agentic loop\n *\n * Orchestrates the full CVE patching pipeline using Vercel AI SDK's\n * generateText with a tool-calling loop.\n *\n * Phase 1 tools: lookup-cve → check-inventory → check-version-match\n * → find-fixed-version → apply-version-bump\n * Phase 4 tools: fetch-package-source → generate-patch → apply-patch-file\n */\nimport { generateText } from \"ai\";\nimport { existsSync, readFileSync } from \"node:fs\";\nimport { join } from \"node:path\";\nimport semver from \"semver\";\nimport { createModel, resolveProvider } from \"../platform/config.js\";\nimport { detectPackageManager } from \"../platform/package-manager.js\";\nimport { 
lookupCveTool } from \"./tools/lookup-cve.js\";\nimport { checkInventoryTool } from \"./tools/check-inventory.js\";\nimport { checkVersionMatchTool } from \"./tools/check-version-match.js\";\nimport { findFixedVersionTool } from \"./tools/find-fixed-version.js\";\nimport { applyVersionBumpTool } from \"./tools/apply-version-bump.js\";\nimport { fetchPackageSourceTool } from \"./tools/fetch-package-source.js\";\nimport { generatePatchTool } from \"./tools/generate-patch.js\";\nimport { applyPatchFileTool } from \"./tools/apply-patch-file.js\";\nimport { lookupCveOsv } from \"../intelligence/sources/osv.js\";\nimport { lookupCveGitHub, mergeGhDataIntoCveDetails } from \"../intelligence/sources/github-advisory.js\";\nimport { enrichWithNvd } from \"../intelligence/sources/nvd.js\";\nimport { findSafeUpgradeVersion } from \"../intelligence/sources/registry.js\";\nimport type { RemediateOptions, RemediationReport, PatchResult, VulnerablePackage, CveDetails } from \"../platform/types.js\";\n\nexport async function runRemediationPipeline(\n cveId: string,\n options: RemediateOptions = {}\n): Promise<RemediationReport> {\n const provider = resolveProvider(options);\n if (provider === \"local\") {\n return runLocalRemediationPipeline(cveId, options);\n }\n\n const cwd = options.cwd ?? process.cwd();\n const packageManager = options.packageManager ?? detectPackageManager(cwd);\n const preview = options.preview ?? false;\n const dryRun = (options.dryRun ?? false) || preview;\n const runTests = options.runTests ?? false;\n const policy = options.policy ?? \"\";\n const patchesDir = options.patchesDir || \"./patches\";\n\n const model = await createModel(options);\n\n const systemPrompt = loadOrchestrationPrompt({\n cveId,\n cwd,\n dryRun,\n runTests,\n policy,\n patchesDir,\n packageManager,\n });\n\n const prompt = `Patch vulnerable dependencies affected by ${cveId} in the project at: ${cwd}. 
Package manager: ${packageManager}.`;\n\n const collectedResults: PatchResult[] = [];\n const vulnerablePackages: VulnerablePackage[] = [];\n let cveDetails: CveDetails | null = null;\n let agentSteps = 0;\n\n const applyVersionBumpToolForRun = preview\n ? {\n ...applyVersionBumpTool,\n execute: async (input: Record<string, unknown>) =>\n (applyVersionBumpTool as any).execute({ ...input, dryRun: true }),\n } as typeof applyVersionBumpTool\n : applyVersionBumpTool;\n const applyPatchFileToolForRun = preview\n ? {\n ...applyPatchFileTool,\n execute: async (input: Record<string, unknown>) =>\n (applyPatchFileTool as any).execute({ ...input, dryRun: true }),\n } as typeof applyPatchFileTool\n : applyPatchFileTool;\n\n const result = await generateText({\n model,\n system: systemPrompt,\n prompt,\n tools: {\n \"lookup-cve\": lookupCveTool,\n \"check-inventory\": checkInventoryTool,\n \"check-version-match\": checkVersionMatchTool,\n \"find-fixed-version\": findFixedVersionTool,\n \"apply-version-bump\": applyVersionBumpToolForRun,\n \"fetch-package-source\": fetchPackageSourceTool,\n \"generate-patch\": generatePatchTool,\n \"apply-patch-file\": applyPatchFileToolForRun,\n },\n maxSteps: 25,\n onStepFinish(stepResult) {\n agentSteps += 1;\n\n const { toolResults } = stepResult;\n\n for (const tr of toolResults ?? 
[]) {\n const toolResult = tr.result as Record<string, unknown> | undefined;\n\n if (tr.toolName === \"lookup-cve\" && toolResult?.data) {\n cveDetails = toolResult.data as CveDetails;\n }\n if (tr.toolName === \"check-version-match\" && toolResult?.vulnerablePackages) {\n vulnerablePackages.push(...(toolResult.vulnerablePackages as VulnerablePackage[]));\n }\n if (tr.toolName === \"apply-version-bump\") {\n collectedResults.push(toolResult as unknown as PatchResult);\n }\n\n if (tr.toolName === \"apply-patch-file\" && toolResult) {\n const validation = toolResult.validation as\n | { passed?: boolean; error?: string }\n | undefined;\n const message =\n typeof toolResult.message === \"string\"\n ? toolResult.message\n : typeof toolResult.error === \"string\"\n ? toolResult.error\n : \"Patch-file strategy finished.\";\n\n collectedResults.push({\n packageName:\n typeof toolResult.packageName === \"string\"\n ? toolResult.packageName\n : \"unknown-package\",\n strategy: \"patch-file\",\n fromVersion:\n typeof toolResult.vulnerableVersion === \"string\"\n ? toolResult.vulnerableVersion\n : \"unknown\",\n patchFilePath:\n typeof toolResult.patchFilePath === \"string\"\n ? toolResult.patchFilePath\n : typeof toolResult.patchPath === \"string\"\n ? toolResult.patchPath\n : undefined,\n applied: Boolean(toolResult.applied),\n dryRun: Boolean(toolResult.dryRun),\n message,\n validation:\n validation && typeof validation.passed === \"boolean\"\n ? {\n passed: validation.passed,\n error: typeof validation.error === \"string\" ? 
validation.error : undefined,\n }\n : undefined,\n });\n }\n }\n },\n });\n\n return {\n cveId,\n cveDetails,\n vulnerablePackages,\n results: collectedResults,\n agentSteps,\n summary: result.text,\n correlation: {\n requestId: options.requestId,\n sessionId: options.sessionId,\n parentRunId: options.parentRunId,\n },\n };\n}\n\nasync function runLocalRemediationPipeline(\n cveId: string,\n options: RemediateOptions = {}\n): Promise<RemediationReport> {\n const cwd = options.cwd ?? process.cwd();\n const packageManager = options.packageManager ?? detectPackageManager(cwd);\n const preview = options.preview ?? false;\n const dryRun = (options.dryRun ?? false) || preview;\n const runTests = options.runTests ?? false;\n const policy = options.policy ?? \"\";\n\n const collectedResults: PatchResult[] = [];\n const vulnerablePackages: VulnerablePackage[] = [];\n let cveDetails: CveDetails | null = null;\n let agentSteps = 0;\n\n const normalizedId = cveId.toUpperCase();\n const [osvDetails, ghPackages] = await Promise.all([\n lookupCveOsv(normalizedId),\n lookupCveGitHub(normalizedId).catch(() => []),\n ]);\n agentSteps += 2;\n\n if (!osvDetails && ghPackages.length === 0) {\n return {\n cveId,\n cveDetails: null,\n vulnerablePackages,\n results: collectedResults,\n agentSteps,\n summary: `Local mode failed at lookup-cve: ${normalizedId} not found in OSV or GitHub advisory data.`,\n correlation: {\n requestId: options.requestId,\n sessionId: options.sessionId,\n parentRunId: options.parentRunId,\n },\n };\n }\n\n cveDetails = osvDetails ?? 
{\n id: normalizedId,\n summary: \"Details sourced from GitHub Advisory Database.\",\n severity: \"UNKNOWN\",\n references: [],\n affectedPackages: [],\n };\n\n if (ghPackages.length > 0) {\n cveDetails = mergeGhDataIntoCveDetails(cveDetails, ghPackages);\n }\n cveDetails = await enrichWithNvd(cveDetails);\n\n if (cveDetails.affectedPackages.length === 0) {\n return {\n cveId,\n cveDetails,\n vulnerablePackages,\n results: collectedResults,\n agentSteps,\n summary: `Local mode lookup succeeded but no npm affected packages were found for ${normalizedId}.`,\n correlation: {\n requestId: options.requestId,\n sessionId: options.sessionId,\n parentRunId: options.parentRunId,\n },\n };\n }\n\n const inventory = await (checkInventoryTool as any).execute({ cwd, packageManager });\n agentSteps += 1;\n\n if (inventory?.error) {\n return {\n cveId,\n cveDetails,\n vulnerablePackages,\n results: collectedResults,\n agentSteps,\n summary: `Local mode failed at check-inventory: ${inventory.error}`,\n correlation: {\n requestId: options.requestId,\n sessionId: options.sessionId,\n parentRunId: options.parentRunId,\n },\n };\n }\n\n const installedPackages = (inventory.packages ?? 
[]) as Array<{\n name: string;\n version: string;\n type: \"direct\" | \"indirect\";\n }>;\n\n for (const affected of cveDetails.affectedPackages) {\n if (!affected || typeof affected !== \"object\") continue;\n if (!affected.name || !affected.vulnerableRange) continue;\n if (affected.ecosystem !== \"npm\") continue;\n const matches = installedPackages.filter((p) => p.name === affected.name);\n for (const installed of matches) {\n if (!semver.valid(installed.version)) continue;\n let isVulnerable = false;\n try {\n isVulnerable = semver.satisfies(installed.version, affected.vulnerableRange, {\n includePrerelease: false,\n });\n } catch {\n continue;\n }\n if (isVulnerable) {\n vulnerablePackages.push({ installed, affected });\n }\n }\n }\n agentSteps += 1;\n\n for (const vulnerable of vulnerablePackages) {\n const pkg = vulnerable.installed;\n const firstPatchedVersion = vulnerable.affected.firstPatchedVersion;\n\n if (pkg.type === \"indirect\") {\n collectedResults.push({\n packageName: pkg.name,\n strategy: \"none\",\n fromVersion: pkg.version,\n applied: false,\n dryRun,\n message: `\"${pkg.name}\" is an indirect dependency; automatic version bump is limited to direct dependencies in local mode.`,\n });\n continue;\n }\n\n if (!firstPatchedVersion) {\n collectedResults.push({\n packageName: pkg.name,\n strategy: \"none\",\n fromVersion: pkg.version,\n applied: false,\n dryRun,\n message: `No firstPatchedVersion available for ${pkg.name}; cannot resolve deterministic upgrade in local mode.`,\n });\n continue;\n }\n\n const safeVersion = await findSafeUpgradeVersion(\n pkg.name,\n pkg.version,\n firstPatchedVersion,\n vulnerable.affected.vulnerableRange\n );\n agentSteps += 1;\n\n if (!safeVersion) {\n collectedResults.push({\n packageName: pkg.name,\n strategy: \"none\",\n fromVersion: pkg.version,\n applied: false,\n dryRun,\n message: `No safe upgrade version found for ${pkg.name}.`,\n });\n continue;\n }\n\n const applyResult = (await (applyVersionBumpTool as 
any).execute({\n cwd,\n packageManager,\n packageName: pkg.name,\n fromVersion: pkg.version,\n toVersion: safeVersion,\n dryRun,\n policy,\n runTests,\n })) as PatchResult;\n agentSteps += 1;\n\n collectedResults.push(applyResult);\n }\n\n const appliedCount = collectedResults.filter((r) => r.applied).length;\n const unresolvedCount = collectedResults.filter((r) => !r.applied && !r.dryRun).length;\n const dryRunCount = collectedResults.filter((r) => r.dryRun).length;\n\n return {\n cveId,\n cveDetails,\n vulnerablePackages,\n results: collectedResults,\n agentSteps,\n summary: `Local mode completed: vulnerable=${vulnerablePackages.length}, applied=${appliedCount}, dryRun=${dryRunCount}, unresolved=${unresolvedCount}`,\n correlation: {\n requestId: options.requestId,\n sessionId: options.sessionId,\n parentRunId: options.parentRunId,\n },\n };\n}\n\ninterface PromptContext {\n cveId: string;\n cwd: string;\n packageManager: \"npm\" | \"pnpm\" | \"yarn\";\n dryRun: boolean;\n runTests: boolean;\n policy: string;\n patchesDir: string;\n}\n\nfunction loadOrchestrationPrompt(ctx: PromptContext): string {\n const promptPath = join(process.cwd(), \".github\", \"instructions\", \"orchestration.instructions.md\");\n\n if (!existsSync(promptPath)) {\n return `You are autoremediator, an agentic security remediation system for Node.js package dependencies.\nWorking directory: ${ctx.cwd}\n Package manager: ${ctx.packageManager}\nDry run: ${ctx.dryRun}\nRun tests: ${ctx.runTests}\nPolicy: ${ctx.policy || \"undefined\"}\nPatches dir: ${ctx.patchesDir}\n\nRequired sequence:\n1. lookup-cve\n2. check-inventory\n3. check-version-match\n4. find-fixed-version\n5. apply-version-bump\n\nFallback sequence (when strategy=\"none\"):\n1. fetch-package-source\n2. generate-patch\n3. 
apply-patch-file\n\nAlways respect dryRun and policy constraints.`;\n }\n\n const template = readFileSync(promptPath, \"utf8\");\n return template\n .replaceAll(\"{{cveId}}\", ctx.cveId)\n .replaceAll(\"{{cwd}}\", ctx.cwd)\n .replaceAll(\"{{packageManager}}\", ctx.packageManager)\n .replaceAll(\"{{dryRun}}\", String(ctx.dryRun))\n .replaceAll(\"{{runTests}}\", String(ctx.runTests))\n .replaceAll(\"{{policy}}\", ctx.policy || \"undefined\")\n .replaceAll(\"{{patchesDir}}\", ctx.patchesDir);\n}\n","import type { LanguageModelV1 } from \"ai\";\nimport type { RemediateOptions } from \"./types.js\";\n\nexport type SupportedProvider = \"openai\" | \"anthropic\" | \"local\";\n\n/**\n * Reads configuration from environment variables with option overrides.\n * Does NOT import provider packages — those are dynamically imported so\n * that missing optional peer deps don't blow up at startup.\n */\nexport function resolveProvider(options: RemediateOptions = {}): SupportedProvider {\n const raw =\n options.llmProvider ??\n process.env.AUTOREMEDIATOR_LLM_PROVIDER ??\n \"openai\";\n\n if (raw !== \"openai\" && raw !== \"anthropic\" && raw !== \"local\") {\n throw new Error(\n `Unsupported LLM provider \"${raw}\". Set AUTOREMEDIATOR_LLM_PROVIDER to \"openai\", \"anthropic\", or \"local\".`\n );\n }\n return raw as SupportedProvider;\n}\n\nexport function resolveModelName(\n provider: SupportedProvider,\n options: RemediateOptions = {}\n): string {\n if (options.model) return options.model;\n if (process.env.AUTOREMEDIATOR_MODEL) return process.env.AUTOREMEDIATOR_MODEL;\n\n const defaults: Record<SupportedProvider, string> = {\n openai: \"gpt-4o\",\n anthropic: \"claude-sonnet-4-5\",\n local: \"local\",\n };\n return defaults[provider];\n}\n\n/** Dynamically instantiates the LLM model at runtime. 
*/\nexport async function createModel(options: RemediateOptions = {}): Promise<LanguageModelV1> {\n const provider = resolveProvider(options);\n\n if (provider === \"local\") {\n throw new Error(\n \"Local provider does not create a language model. Use the deterministic pipeline path instead.\"\n );\n }\n\n const modelName = resolveModelName(provider, options);\n\n if (provider === \"openai\") {\n const apiKey = process.env.OPENAI_API_KEY;\n if (!apiKey) {\n throw new Error(\n \"OPENAI_API_KEY environment variable is required when using the openai provider.\"\n );\n }\n const { createOpenAI } = await import(\"@ai-sdk/openai\");\n const openai = createOpenAI({ apiKey });\n return openai(modelName) as LanguageModelV1;\n }\n\n if (provider === \"anthropic\") {\n const apiKey = process.env.ANTHROPIC_API_KEY;\n if (!apiKey) {\n throw new Error(\n \"ANTHROPIC_API_KEY environment variable is required when using the anthropic provider.\"\n );\n }\n const { createAnthropic } = await import(\"@ai-sdk/anthropic\");\n const anthropic = createAnthropic({ apiKey });\n return anthropic(modelName) as LanguageModelV1;\n }\n\n throw new Error(`Unhandled provider: ${provider}`);\n}\n\nexport interface NvdConfig {\n apiKey?: string;\n}\n\nexport function getNvdConfig(): NvdConfig {\n return {\n apiKey: process.env.AUTOREMEDIATOR_NVD_API_KEY,\n };\n}\n\nexport function getGitHubToken(): string | undefined {\n return process.env.GITHUB_TOKEN;\n}\n\nexport interface IntelligenceSourceConfig {\n gitLabAdvisoryApi?: string;\n certCcSearchUrl?: string;\n epssApi?: string;\n cveServicesApi?: string;\n depsDevApi?: string;\n scorecardApi?: string;\n vendorAdvisoryFeeds: string[];\n commercialFeeds: string[];\n commercialFeedToken?: string;\n}\n\nexport function getIntelligenceSourceConfig(): IntelligenceSourceConfig {\n return {\n gitLabAdvisoryApi:\n process.env.AUTOREMEDIATOR_GITLAB_ADVISORY_API ??\n \"https://advisories.gitlab.com/api/v1/advisories\",\n certCcSearchUrl:\n 
process.env.AUTOREMEDIATOR_CERTCC_SEARCH_URL ??\n \"https://www.kb.cert.org/vuls/search\",\n epssApi:\n process.env.AUTOREMEDIATOR_EPSS_API ??\n \"https://api.first.org/data/v1/epss\",\n cveServicesApi:\n process.env.AUTOREMEDIATOR_CVE_SERVICES_API ??\n \"https://cveawg.mitre.org/api/cve\",\n depsDevApi:\n process.env.AUTOREMEDIATOR_DEPSDEV_API ??\n \"https://api.deps.dev/v3\",\n scorecardApi:\n process.env.AUTOREMEDIATOR_SCORECARD_API ??\n \"https://api.securityscorecards.dev\",\n vendorAdvisoryFeeds: (process.env.AUTOREMEDIATOR_VENDOR_ADVISORY_FEEDS ?? \"\")\n .split(\",\")\n .map((v) => v.trim())\n .filter(Boolean),\n commercialFeeds: (process.env.AUTOREMEDIATOR_COMMERCIAL_FEEDS ?? \"\")\n .split(\",\")\n .map((v) => v.trim())\n .filter(Boolean),\n commercialFeedToken: process.env.AUTOREMEDIATOR_COMMERCIAL_FEED_TOKEN,\n };\n}\n","import { existsSync } from \"node:fs\";\nimport { join } from \"node:path\";\n\nexport type PackageManager = \"npm\" | \"pnpm\" | \"yarn\";\n\nexport interface PackageManagerCommands {\n install: string[];\n installPreferOffline: string[];\n installDev: (pkg: string) => string[];\n test: string[];\n list: string[];\n lockfileName: string;\n}\n\nexport function detectPackageManager(cwd: string): PackageManager {\n if (existsSync(join(cwd, \"pnpm-lock.yaml\"))) return \"pnpm\";\n if (existsSync(join(cwd, \"yarn.lock\"))) return \"yarn\";\n return \"npm\";\n}\n\nexport function getPackageManagerCommands(pm: PackageManager): PackageManagerCommands {\n if (pm === \"pnpm\") {\n return {\n install: [\"pnpm\", \"install\"],\n installPreferOffline: [\"pnpm\", \"install\", \"--prefer-offline\"],\n installDev: (pkg: string) => [\"pnpm\", \"add\", \"-D\", pkg],\n test: [\"pnpm\", \"test\"],\n list: [\"pnpm\", \"list\", \"--json\", \"--depth\", \"99\"],\n lockfileName: \"pnpm-lock.yaml\",\n };\n }\n\n if (pm === \"yarn\") {\n return {\n install: [\"yarn\", \"install\"],\n installPreferOffline: [\"yarn\", \"install\"],\n installDev: (pkg: string) => 
[\"yarn\", \"add\", \"--dev\", pkg],\n test: [\"yarn\", \"test\"],\n list: [\"yarn\", \"list\", \"--json\"],\n lockfileName: \"yarn.lock\",\n };\n }\n\n return {\n install: [\"npm\", \"install\"],\n installPreferOffline: [\"npm\", \"install\", \"--prefer-offline\"],\n installDev: (pkg: string) => [\"npm\", \"install\", \"--save-dev\", pkg],\n test: [\"npm\", \"test\"],\n list: [\"npm\", \"list\", \"--json\", \"--all\"],\n lockfileName: \"package-lock.json\",\n };\n}\n\nexport function parseListOutput(pm: PackageManager, stdout: string): Map<string, string> {\n const versions = new Map<string, string>();\n\n if (!stdout.trim()) return versions;\n\n if (pm === \"yarn\") {\n const lines = stdout\n .split(\"\\n\")\n .map((l) => l.trim())\n .filter(Boolean);\n\n for (const line of lines) {\n try {\n const obj = JSON.parse(line) as { type?: string; data?: { trees?: Array<{ name?: string }> } };\n if (obj.type !== \"tree\") continue;\n\n for (const tree of obj.data?.trees ?? []) {\n const raw = tree.name ?? \"\";\n const at = raw.lastIndexOf(\"@\");\n if (at <= 0) continue;\n const name = raw.slice(0, at);\n const version = raw.slice(at + 1);\n if (name && version) {\n versions.set(name, version);\n }\n }\n } catch {\n // Ignore non-json lines from yarn output.\n }\n }\n return versions;\n }\n\n let parsed: unknown;\n try {\n parsed = JSON.parse(stdout);\n } catch {\n return versions;\n }\n\n const root = Array.isArray(parsed) ? 
parsed[0] : parsed;\n\n type DependencyTree = {\n version?: string;\n dependencies?: Record<string, DependencyTree>;\n };\n\n function collectDependencies(tree?: Record<string, DependencyTree>): void {\n if (!tree) return;\n\n for (const [name, entry] of Object.entries(tree)) {\n if (!entry || typeof entry !== \"object\") continue;\n const version = entry.version;\n if (typeof version === \"string\" && version) {\n versions.set(name, version);\n }\n collectDependencies(entry.dependencies);\n }\n }\n\n collectDependencies((root as { dependencies?: Record<string, DependencyTree> } | undefined)?.dependencies);\n\n return versions;\n}","/**\n * Tool: lookup-cve\n *\n * Fetches CVE details from OSV (primary) and GitHub Advisory (secondary),\n * merges them, and optionally enriches with supplemental intelligence data.\n */\nimport { tool } from \"ai\";\nimport { z } from \"zod\";\nimport { lookupCveOsv } from \"../../intelligence/sources/osv.js\";\nimport { lookupCveGitHub, mergeGhDataIntoCveDetails } from \"../../intelligence/sources/github-advisory.js\";\nimport { enrichWithNvd } from \"../../intelligence/sources/nvd.js\";\nimport { enrichWithCisaKev } from \"../../intelligence/sources/cisa-kev.js\";\nimport { enrichWithEpss } from \"../../intelligence/sources/epss.js\";\nimport { enrichWithCveServices } from \"../../intelligence/sources/cve-services.js\";\nimport { enrichWithGitLabAdvisory } from \"../../intelligence/sources/gitlab-advisory.js\";\nimport { enrichWithCertCc } from \"../../intelligence/sources/certcc.js\";\nimport { enrichWithDepsDev } from \"../../intelligence/sources/deps-dev.js\";\nimport { enrichWithOssfScorecard } from \"../../intelligence/sources/ossf-scorecard.js\";\nimport { enrichWithExternalFeeds } from \"../../intelligence/sources/external-feeds.js\";\nimport type { CveDetails } from \"../../platform/types.js\";\n\nexport const lookupCveTool = tool({\n description:\n \"Look up a CVE ID and return the list of affected npm packages, their 
vulnerable version ranges, and the first patched version. Always call this first.\",\n parameters: z.object({\n cveId: z\n .string()\n .regex(/^CVE-\\d{4}-\\d+$/i, \"Must be a valid CVE ID like CVE-2021-23337\"),\n }),\n execute: async ({ cveId }): Promise<{ success: boolean; data?: CveDetails; error?: string }> => {\n const normalizedId = cveId.toUpperCase();\n\n // Fan out to OSV + GitHub Advisory in parallel\n const [osvDetails, ghPackages] = await Promise.all([\n lookupCveOsv(normalizedId),\n lookupCveGitHub(normalizedId),\n ]);\n\n if (!osvDetails && ghPackages.length === 0) {\n return {\n success: false,\n error: `CVE \"${normalizedId}\" was not found in OSV or GitHub Advisory databases. It may be too new, or not affect npm packages.`,\n };\n }\n\n // Start from OSV result or construct a minimal shell from GH data\n let details: CveDetails = osvDetails ?? {\n id: normalizedId,\n summary: \"Details sourced from GitHub Advisory Database.\",\n severity: \"UNKNOWN\",\n references: [],\n affectedPackages: [],\n };\n\n // Merge GitHub Advisory data (adds firstPatchedVersion, fills gaps)\n if (ghPackages.length > 0) {\n details = mergeGhDataIntoCveDetails(details, ghPackages);\n }\n\n const sourceHealth: Record<string, { attempted: boolean; changed: boolean; error?: string }> = {};\n\n const applyEnricher = async (\n sourceName: string,\n enricher: (input: CveDetails) => Promise<CveDetails>\n ): Promise<void> => {\n const before = JSON.stringify(details);\n try {\n details = await enricher(details);\n const after = JSON.stringify(details);\n sourceHealth[sourceName] = {\n attempted: true,\n changed: before !== after,\n };\n } catch (error) {\n sourceHealth[sourceName] = {\n attempted: true,\n changed: false,\n error: error instanceof Error ? 
error.message : String(error),\n };\n }\n };\n\n await applyEnricher(\"nvd\", enrichWithNvd);\n await applyEnricher(\"cisa-kev\", enrichWithCisaKev);\n await applyEnricher(\"epss\", enrichWithEpss);\n await applyEnricher(\"cve-services\", enrichWithCveServices);\n await applyEnricher(\"gitlab-advisory\", enrichWithGitLabAdvisory);\n await applyEnricher(\"certcc\", enrichWithCertCc);\n await applyEnricher(\"deps-dev\", enrichWithDepsDev);\n await applyEnricher(\"ossf-scorecard\", enrichWithOssfScorecard);\n await applyEnricher(\"external-feeds\", enrichWithExternalFeeds);\n\n details.intelligence = {\n ...(details.intelligence ?? {}),\n sourceHealth,\n };\n\n if (details.affectedPackages.length === 0) {\n return {\n success: false,\n error: `CVE \"${normalizedId}\" was found but has no npm-specific affected packages listed. It may affect a different ecosystem.`,\n };\n }\n\n return { success: true, data: details };\n },\n});\n","/**\n * OSV API client (https://osv.dev)\n *\n * Used as the primary source for CVE → affected npm package mapping.\n * No auth required. 
SEMVER event ranges are machine-readable.\n */\nimport type { AffectedPackage, CveDetails } from \"../../platform/types.js\";\n\nconst OSV_BASE = \"https://api.osv.dev/v1\";\n\n// ---------------------------------------------------------------------------\n// Raw OSV response types\n// ---------------------------------------------------------------------------\n\ninterface OsvSemverEvent {\n introduced?: string;\n fixed?: string;\n last_affected?: string;\n limit?: string;\n}\n\ninterface OsvRange {\n type: \"SEMVER\" | \"GIT\" | \"ECOSYSTEM\";\n events: OsvSemverEvent[];\n repo?: string;\n}\n\ninterface OsvAffected {\n package: {\n name: string;\n ecosystem: string;\n purl?: string;\n };\n ranges?: OsvRange[];\n versions?: string[];\n database_specific?: Record<string, unknown>;\n ecosystem_specific?: Record<string, unknown>;\n}\n\ninterface OsvVulnerability {\n id: string;\n aliases?: string[];\n summary?: string;\n details?: string;\n severity?: Array<{\n type: string;\n score: string;\n }>;\n affected?: OsvAffected[];\n references?: Array<{ type: string; url: string }>;\n schema_version?: string;\n modified?: string;\n published?: string;\n}\n\n// ---------------------------------------------------------------------------\n// Public API\n// ---------------------------------------------------------------------------\n\n/**\n * Fetch a vulnerability by CVE ID (or any OSV/GHSA ID).\n * Returns null if the CVE is not found in OSV.\n */\nexport async function fetchOsvVuln(cveId: string): Promise<OsvVulnerability | null> {\n const url = `${OSV_BASE}/vulns/${encodeURIComponent(cveId)}`;\n const res = await fetch(url, {\n headers: { Accept: \"application/json\" },\n });\n\n if (res.status === 404) return null;\n if (!res.ok) {\n throw new Error(`OSV API error ${res.status} for ${cveId}: ${await res.text()}`);\n }\n\n return res.json() as Promise<OsvVulnerability>;\n}\n\n/**\n * Convert an OSV SEMVER range event array to a semver range string.\n * OSV uses ordered 
[introduced, fixed) events.\n * e.g. [{ introduced: \"0\" }, { fixed: \"4.17.21\" }] → \">=0.0.0 <4.17.21\"\n */\nfunction osvEventsToSemverRange(events: OsvSemverEvent[]): string {\n const parts: string[] = [];\n\n for (const event of events) {\n if (event.introduced !== undefined) {\n const v = event.introduced === \"0\" ? \"0.0.0\" : event.introduced;\n parts.push(`>=${v}`);\n }\n if (event.fixed !== undefined) {\n parts.push(`<${event.fixed}`);\n }\n if (event.last_affected !== undefined) {\n parts.push(`<=${event.last_affected}`);\n }\n }\n\n return parts.join(\" \") || \">=0.0.0\";\n}\n\n/**\n * Parse an OSV vulnerability into autoremediator's CveDetails shape,\n * filtering affected entries to npm ecosystem only.\n */\nexport function parseOsvVuln(vuln: OsvVulnerability): CveDetails {\n const npmAffected: AffectedPackage[] = [];\n\n for (const affected of vuln.affected ?? []) {\n const ecosystem = affected.package?.ecosystem;\n const packageName = affected.package?.name;\n if (!ecosystem || typeof ecosystem !== \"string\") continue;\n if (!packageName || typeof packageName !== \"string\") continue;\n if (ecosystem.toLowerCase() !== \"npm\") continue;\n\n // Find the best SEMVER range\n const semverRange = affected.ranges?.find((r) => r.type === \"SEMVER\");\n const vulnerableRange = semverRange\n ? osvEventsToSemverRange(semverRange.events)\n : \">=0.0.0\";\n\n // Derive firstPatchedVersion from the \"fixed\" event\n const fixedEvent = semverRange?.events.find((e) => e.fixed !== undefined);\n\n npmAffected.push({\n name: packageName,\n ecosystem: \"npm\",\n vulnerableRange,\n firstPatchedVersion: fixedEvent?.fixed,\n source: \"osv\",\n });\n }\n\n // Best-effort severity from CVSS score string (e.g. \"CVSS:3.1/.../7.5\")\n const severity = deriveSeverity(vuln.severity);\n\n return {\n id: vuln.id,\n summary: vuln.summary ?? vuln.details ?? \"No summary available.\",\n severity,\n references: vuln.references?.map((r) => r.url) ?? 
[],\n affectedPackages: npmAffected,\n };\n}\n\nfunction deriveSeverity(\n severityEntries?: OsvVulnerability[\"severity\"]\n): CveDetails[\"severity\"] {\n if (!severityEntries?.length) return \"UNKNOWN\";\n\n // Prefer CVSS_V3 type\n const cvssEntry =\n severityEntries.find((s) => s.type === \"CVSS_V3\") ?? severityEntries[0];\n\n // Extract base score from vector string, e.g. \"CVSS:3.1/AV:N/AC:L/.../7.5/...\"\n const scoreMatch = cvssEntry.score.match(/(\\d+\\.\\d+)$/);\n if (scoreMatch) {\n const score = parseFloat(scoreMatch[1]);\n if (score >= 9.0) return \"CRITICAL\";\n if (score >= 7.0) return \"HIGH\";\n if (score >= 4.0) return \"MEDIUM\";\n return \"LOW\";\n }\n\n return \"UNKNOWN\";\n}\n\n/** High-level convenience: fetch + parse */\nexport async function lookupCveOsv(cveId: string): Promise<CveDetails | null> {\n const vuln = await fetchOsvVuln(cveId);\n if (!vuln) return null;\n return parseOsvVuln(vuln);\n}\n","/**\n * GitHub Advisory Database API client\n *\n * Used as a secondary source to enrich CVE data with `first_patched_version`.\n * Unauthenticated access works; set GITHUB_TOKEN env var for higher rate limits.\n */\nimport type { AffectedPackage, CveDetails } from \"../../platform/types.js\";\nimport { getGitHubToken } from \"../../platform/config.js\";\n\nconst GH_ADVISORY_BASE = \"https://api.github.com/advisories\";\n\n// ---------------------------------------------------------------------------\n// Raw GitHub Advisory response types\n// ---------------------------------------------------------------------------\n\ninterface GhVulnerability {\n package: {\n ecosystem: string;\n name: string;\n };\n vulnerable_version_range: string | null;\n first_patched_version: string | null;\n}\n\ninterface GhAdvisory {\n ghsa_id: string;\n cve_id: string | null;\n summary: string;\n severity: \"low\" | \"medium\" | \"high\" | \"critical\" | \"unknown\";\n vulnerabilities: GhVulnerability[];\n cvss?: { score: number; vector_string: string };\n 
references: Array<{ url: string }>;\n}\n\n// ---------------------------------------------------------------------------\n// Public API\n// ---------------------------------------------------------------------------\n\nfunction buildHeaders(): Record<string, string> {\n const headers: Record<string, string> = {\n Accept: \"application/vnd.github+json\",\n \"X-GitHub-Api-Version\": \"2022-11-28\",\n };\n const token = getGitHubToken();\n if (token) {\n headers.Authorization = `Bearer ${token}`;\n }\n return headers;\n}\n\n/**\n * Fetch GitHub advisories for a given CVE ID filtered to npm ecosystem.\n * Returns an empty array if none found.\n */\nexport async function fetchGhAdvisories(cveId: string): Promise<GhAdvisory[]> {\n const url = new URL(GH_ADVISORY_BASE);\n url.searchParams.set(\"cve_id\", cveId);\n url.searchParams.set(\"ecosystem\", \"npm\");\n url.searchParams.set(\"type\", \"reviewed\");\n url.searchParams.set(\"per_page\", \"10\");\n\n const res = await fetch(url.toString(), { headers: buildHeaders() });\n\n if (res.status === 404) return [];\n if (!res.ok) {\n // Non-fatal: log and return empty so OSV can still succeed\n console.warn(\n `[autoremediator] GitHub Advisory API returned ${res.status} for ${cveId} — skipping.`\n );\n return [];\n }\n\n return res.json() as Promise<GhAdvisory[]>;\n}\n\n/**\n * Parse GitHub advisories into AffectedPackage entries.\n * Deduplication against OSV results is handled in lookup-cve.ts.\n */\nexport function parseGhAdvisories(advisories: GhAdvisory[]): AffectedPackage[] {\n const packages: AffectedPackage[] = [];\n\n for (const advisory of advisories) {\n for (const vuln of advisory.vulnerabilities) {\n if (vuln.package.ecosystem.toLowerCase() !== \"npm\") continue;\n\n packages.push({\n name: vuln.package.name,\n ecosystem: \"npm\",\n vulnerableRange: vuln.vulnerable_version_range ?? \">=0.0.0\",\n firstPatchedVersion: vuln.first_patched_version ?? 
undefined,\n source: \"github-advisory\",\n });\n }\n }\n\n return packages;\n}\n\n/**\n * Merge data from GitHub advisory into a CveDetails object built from OSV.\n * Fills in `firstPatchedVersion` where OSV didn't have it, and enriches CVSS.\n */\nexport function mergeGhDataIntoCveDetails(\n details: CveDetails,\n ghPackages: AffectedPackage[]\n): CveDetails {\n const enriched = { ...details };\n\n for (const ghPkg of ghPackages) {\n const existing = enriched.affectedPackages.find(\n (p) => p.name === ghPkg.name\n );\n\n if (existing) {\n // Backfill firstPatchedVersion if OSV didn't have it\n if (!existing.firstPatchedVersion && ghPkg.firstPatchedVersion) {\n existing.firstPatchedVersion = ghPkg.firstPatchedVersion;\n }\n } else {\n // Package only known via GitHub Advisory (not yet in OSV)\n enriched.affectedPackages.push(ghPkg);\n }\n }\n\n return enriched;\n}\n\n/** High-level convenience: fetch + parse, returns enrichment packages */\nexport async function lookupCveGitHub(cveId: string): Promise<AffectedPackage[]> {\n const advisories = await fetchGhAdvisories(cveId);\n return parseGhAdvisories(advisories);\n}\n","/**\n * NVD (National Vulnerability Database) API v2 client\n *\n * Used ONLY for fetching authoritative CVSS scores and severity.\n * NVD CPE data is too inconsistent for npm package discovery — use OSV for that.\n *\n * Rate limits: 5 req/30s without key, 50 req/30s with AUTOREMEDIATOR_NVD_API_KEY\n */\nimport type { CveDetails } from \"../../platform/types.js\";\nimport { getNvdConfig } from \"../../platform/config.js\";\n\nconst NVD_BASE = \"https://services.nvd.nist.gov/rest/json/cves/2.0\";\n\ninterface NvdCvssMetric {\n cvssData: {\n baseScore: number;\n baseSeverity: string;\n vectorString: string;\n };\n}\n\ninterface NvdVulnerability {\n cve: {\n id: string;\n metrics?: {\n cvssMetricV31?: NvdCvssMetric[];\n cvssMetricV30?: NvdCvssMetric[];\n cvssMetricV2?: NvdCvssMetric[];\n };\n references?: Array<{ url: string; tags?: string[] }>;\n 
};\n}\n\ninterface NvdResponse {\n vulnerabilities?: NvdVulnerability[];\n totalResults?: number;\n}\n\nfunction buildNvdHeaders(): Record<string, string> {\n const { apiKey } = getNvdConfig();\n const headers: Record<string, string> = { Accept: \"application/json\" };\n if (apiKey) {\n headers.apiKey = apiKey;\n }\n return headers;\n}\n\n/**\n * Fetch CVSS score for a CVE from NVD.\n * Returns undefined if NVD doesn't have data or the request fails.\n * Non-fatal — callers should handle undefined gracefully.\n */\nexport async function fetchNvdCvss(\n cveId: string\n): Promise<{ score: number; severity: CveDetails[\"severity\"] } | undefined> {\n const url = `${NVD_BASE}?cveId=${encodeURIComponent(cveId)}`;\n\n try {\n const res = await fetch(url, { headers: buildNvdHeaders() });\n if (!res.ok) return undefined;\n\n const data = (await res.json()) as NvdResponse;\n const vuln = data.vulnerabilities?.[0];\n if (!vuln) return undefined;\n\n const metrics = vuln.cve.metrics;\n const metric =\n metrics?.cvssMetricV31?.[0] ??\n metrics?.cvssMetricV30?.[0] ??\n metrics?.cvssMetricV2?.[0];\n\n if (!metric) return undefined;\n\n const score = metric.cvssData.baseScore;\n const rawSeverity = metric.cvssData.baseSeverity.toUpperCase();\n\n const severityMap: Record<string, CveDetails[\"severity\"]> = {\n CRITICAL: \"CRITICAL\",\n HIGH: \"HIGH\",\n MEDIUM: \"MEDIUM\",\n LOW: \"LOW\",\n };\n\n return {\n score,\n severity: severityMap[rawSeverity] ?? 
\"UNKNOWN\",\n };\n } catch {\n // NVD is non-critical; don't crash the pipeline on network failures\n return undefined;\n }\n}\n\n/**\n * Enrich an existing CveDetails with NVD CVSS data.\n * Mutates in place and returns the same object.\n */\nexport async function enrichWithNvd(details: CveDetails): Promise<CveDetails> {\n const cvss = await fetchNvdCvss(details.id);\n if (cvss) {\n details.cvssScore = cvss.score;\n if (details.severity === \"UNKNOWN\") {\n details.severity = cvss.severity;\n }\n }\n return details;\n}\n","/**\n * CISA Known Exploited Vulnerabilities (KEV) feed client.\n *\n * Used for risk-priority enrichment only. This source does not provide\n * npm package range intelligence.\n */\nimport type { CveDetails } from \"../../platform/types.js\";\n\nconst CISA_KEV_URL =\n \"https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json\";\n\ninterface CisaKevVulnerability {\n cveID: string;\n dateAdded?: string;\n dueDate?: string;\n requiredAction?: string;\n knownRansomwareCampaignUse?: string;\n}\n\ninterface CisaKevFeed {\n vulnerabilities?: CisaKevVulnerability[];\n}\n\nexport async function fetchCisaKevFeed(): Promise<CisaKevFeed | undefined> {\n try {\n const res = await fetch(CISA_KEV_URL, {\n headers: { Accept: \"application/json\" },\n });\n if (!res.ok) return undefined;\n return (await res.json()) as CisaKevFeed;\n } catch {\n // KEV is enrichment only; failures are non-fatal.\n return undefined;\n }\n}\n\nexport function findKevEntry(\n feed: CisaKevFeed | undefined,\n cveId: string\n): CisaKevVulnerability | undefined {\n if (!feed?.vulnerabilities?.length) return undefined;\n const normalized = cveId.toUpperCase();\n return feed.vulnerabilities.find((v) => v.cveID.toUpperCase() === normalized);\n}\n\nexport async function enrichWithCisaKev(details: CveDetails): Promise<CveDetails> {\n const feed = await fetchCisaKevFeed();\n const entry = findKevEntry(feed, details.id);\n if (!entry) return details;\n\n 
details.kev = {\n knownExploited: true,\n dateAdded: entry.dateAdded,\n dueDate: entry.dueDate,\n requiredAction: entry.requiredAction,\n knownRansomwareCampaignUse: entry.knownRansomwareCampaignUse,\n };\n\n if (!details.references.includes(CISA_KEV_URL)) {\n details.references.push(CISA_KEV_URL);\n }\n\n return details;\n}\n","/**\n * FIRST EPSS API client.\n *\n * Adds exploitation probability metadata for prioritization.\n */\nimport type { CveDetails } from \"../../platform/types.js\";\nimport { getIntelligenceSourceConfig } from \"../../platform/config.js\";\n\ninterface EpssRow {\n cve: string;\n epss: string;\n percentile: string;\n date?: string;\n}\n\ninterface EpssResponse {\n data?: EpssRow[];\n}\n\nexport async function fetchEpss(cveId: string): Promise<EpssRow | undefined> {\n const { epssApi } = getIntelligenceSourceConfig();\n if (!epssApi) return undefined;\n\n try {\n const url = new URL(epssApi);\n url.searchParams.set(\"cve\", cveId);\n\n const res = await fetch(url.toString(), {\n headers: { Accept: \"application/json\" },\n });\n if (!res.ok) return undefined;\n\n const body = (await res.json()) as EpssResponse;\n return body.data?.[0];\n } catch {\n return undefined;\n }\n}\n\nexport async function enrichWithEpss(details: CveDetails): Promise<CveDetails> {\n const row = await fetchEpss(details.id);\n if (!row) return details;\n\n const score = Number.parseFloat(row.epss);\n const percentile = Number.parseFloat(row.percentile);\n if (!Number.isFinite(score) || !Number.isFinite(percentile)) {\n return details;\n }\n\n details.epss = {\n score,\n percentile,\n date: row.date,\n };\n return details;\n}\n","/**\n * CVE Services (CVE.org/MITRE) client.\n *\n * Adds supplemental references and summary data when available.\n */\nimport type { CveDetails } from \"../../platform/types.js\";\nimport { getIntelligenceSourceConfig } from \"../../platform/config.js\";\n\ninterface CveContainer {\n descriptions?: Array<{ lang?: string; value?: string }>;\n 
references?: Array<{ url?: string }>;\n}\n\ninterface CveRecord {\n containers?: {\n cna?: CveContainer;\n adp?: CveContainer[];\n };\n}\n\nfunction pickEnglishDescription(container?: CveContainer): string | undefined {\n if (!container?.descriptions?.length) return undefined;\n const en = container.descriptions.find((d) => d.lang === \"en\" && d.value);\n return (en?.value ?? container.descriptions[0]?.value)?.trim() || undefined;\n}\n\nfunction collectReferences(record: CveRecord): string[] {\n const refs = new Set<string>();\n const cnaRefs = record.containers?.cna?.references ?? [];\n const adpRefs = (record.containers?.adp ?? []).flatMap((c) => c.references ?? []);\n\n for (const ref of [...cnaRefs, ...adpRefs]) {\n if (ref.url) refs.add(ref.url);\n }\n return Array.from(refs);\n}\n\nexport async function fetchCveServicesRecord(cveId: string): Promise<CveRecord | undefined> {\n const { cveServicesApi } = getIntelligenceSourceConfig();\n if (!cveServicesApi) return undefined;\n\n try {\n const res = await fetch(`${cveServicesApi}/${encodeURIComponent(cveId)}`, {\n headers: { Accept: \"application/json\" },\n });\n if (!res.ok) return undefined;\n return (await res.json()) as CveRecord;\n } catch {\n return undefined;\n }\n}\n\nexport async function enrichWithCveServices(details: CveDetails): Promise<CveDetails> {\n const record = await fetchCveServicesRecord(details.id);\n if (!record) return details;\n\n const summary = pickEnglishDescription(record.containers?.cna);\n if (summary && (!details.summary || details.summary.includes(\"No summary available\"))) {\n details.summary = summary;\n }\n\n const refs = collectReferences(record);\n if (refs.length > 0) {\n const merged = new Set([...details.references, ...refs]);\n details.references = Array.from(merged);\n }\n\n details.intelligence = {\n ...(details.intelligence ?? 
{}),\n cveServicesEnriched: true,\n };\n\n return details;\n}\n","/**\n * GitLab advisory enrichment client.\n *\n * Endpoint is configurable because deployment paths vary by mirror.\n */\nimport type { CveDetails } from \"../../platform/types.js\";\nimport { getIntelligenceSourceConfig } from \"../../platform/config.js\";\n\ninterface GitLabAdvisoryRecord {\n identifiers?: Array<{ type?: string; value?: string }>;\n references?: string[];\n}\n\nfunction advisoryMatchesCve(advisory: GitLabAdvisoryRecord, cveId: string): boolean {\n const normalized = cveId.toUpperCase();\n return (advisory.identifiers ?? []).some(\n (id) => id.type?.toUpperCase() === \"CVE\" && id.value?.toUpperCase() === normalized\n );\n}\n\nexport async function fetchGitLabAdvisories(cveId: string): Promise<GitLabAdvisoryRecord[]> {\n const { gitLabAdvisoryApi } = getIntelligenceSourceConfig();\n if (!gitLabAdvisoryApi) return [];\n\n try {\n const url = new URL(gitLabAdvisoryApi);\n url.searchParams.set(\"identifier\", cveId);\n url.searchParams.set(\"ecosystem\", \"npm\");\n\n const res = await fetch(url.toString(), {\n headers: { Accept: \"application/json\" },\n });\n if (!res.ok) return [];\n\n const body = (await res.json()) as unknown;\n return Array.isArray(body) ? (body as GitLabAdvisoryRecord[]) : [];\n } catch {\n return [];\n }\n}\n\nexport async function enrichWithGitLabAdvisory(details: CveDetails): Promise<CveDetails> {\n const advisories = await fetchGitLabAdvisories(details.id);\n const matched = advisories.filter((a) => advisoryMatchesCve(a, details.id));\n if (matched.length === 0) return details;\n\n const refs = matched.flatMap((m) => m.references ?? []);\n if (refs.length > 0) {\n const merged = new Set([...details.references, ...refs]);\n details.references = Array.from(merged);\n }\n\n details.intelligence = {\n ...(details.intelligence ?? 
{}),\n gitlabAdvisoryMatched: true,\n };\n\n return details;\n}\n","/**\n * CERT/CC search enrichment.\n *\n * This source tries to locate a CERT/CC page mentioning a CVE.\n */\nimport type { CveDetails } from \"../../platform/types.js\";\nimport { getIntelligenceSourceConfig } from \"../../platform/config.js\";\n\nconst CERTCC_HOME = \"https://www.kb.cert.org/vuls/\";\n\nexport async function findCertCcReference(cveId: string): Promise<string | undefined> {\n const { certCcSearchUrl } = getIntelligenceSourceConfig();\n if (!certCcSearchUrl) return undefined;\n\n try {\n const url = new URL(certCcSearchUrl);\n url.searchParams.set(\"query\", cveId);\n\n const res = await fetch(url.toString(), {\n headers: { Accept: \"text/html\" },\n });\n if (!res.ok) return undefined;\n\n const html = await res.text();\n const match = html.match(/https:\\/\\/www\\.kb\\.cert\\.org\\/vuls\\/id\\/\\d+/i);\n return match?.[0] ?? undefined;\n } catch {\n return undefined;\n }\n}\n\nexport async function enrichWithCertCc(details: CveDetails): Promise<CveDetails> {\n const ref = await findCertCcReference(details.id);\n if (!ref) return details;\n\n if (!details.references.includes(ref)) {\n details.references.push(ref);\n }\n\n details.intelligence = {\n ...(details.intelligence ?? 
{}),\n certCcMatched: true,\n };\n\n if (!details.references.includes(CERTCC_HOME)) {\n details.references.push(CERTCC_HOME);\n }\n\n return details;\n}\n","/**\n * deps.dev enrichment.\n *\n * Adds package metadata lookup coverage count for affected npm packages.\n */\nimport type { CveDetails } from \"../../platform/types.js\";\nimport { getIntelligenceSourceConfig } from \"../../platform/config.js\";\n\nasync function fetchDepsDevPackage(name: string): Promise<boolean> {\n const { depsDevApi } = getIntelligenceSourceConfig();\n if (!depsDevApi) return false;\n\n try {\n const url = `${depsDevApi}/systems/npm/packages/${encodeURIComponent(name)}`;\n const res = await fetch(url, { headers: { Accept: \"application/json\" } });\n return res.ok;\n } catch {\n return false;\n }\n}\n\nexport async function enrichWithDepsDev(details: CveDetails): Promise<CveDetails> {\n const names = Array.from(new Set(details.affectedPackages.map((p) => p.name))).slice(0, 20);\n if (names.length === 0) return details;\n\n const checks = await Promise.all(names.map((name) => fetchDepsDevPackage(name)));\n const matched = checks.filter(Boolean).length;\n if (matched === 0) return details;\n\n details.intelligence = {\n ...(details.intelligence ?? 
{}),\n depsDevEnrichedPackages: matched,\n };\n return details;\n}\n","/**\n * OpenSSF Scorecard enrichment.\n *\n * Uses best-effort project checks from affected package names.\n */\nimport type { CveDetails } from \"../../platform/types.js\";\nimport { getIntelligenceSourceConfig } from \"../../platform/config.js\";\n\nasync function checkProject(project: string): Promise<boolean> {\n const { scorecardApi } = getIntelligenceSourceConfig();\n if (!scorecardApi) return false;\n\n try {\n const url = new URL(`${scorecardApi}/projects`);\n url.searchParams.set(\"project\", project);\n const res = await fetch(url.toString(), {\n headers: { Accept: \"application/json\" },\n });\n return res.ok;\n } catch {\n return false;\n }\n}\n\nexport async function enrichWithOssfScorecard(details: CveDetails): Promise<CveDetails> {\n const projects = Array.from(\n new Set(details.affectedPackages.map((p) => `github.com/${p.name}/${p.name}`))\n ).slice(0, 10);\n\n if (projects.length === 0) return details;\n\n const checks = await Promise.all(projects.map((project) => checkProject(project)));\n const matched = checks.filter(Boolean).length;\n if (matched === 0) return details;\n\n details.intelligence = {\n ...(details.intelligence ?? 
{}),\n scorecardProjects: matched,\n };\n\n return details;\n}\n","/**\n * Optional vendor and commercial intelligence connectors.\n *\n * Connectors are URL-based and environment configured so enterprise users can\n * plug in proprietary feeds without hard-coding dependencies.\n */\nimport type { CveDetails } from \"../../platform/types.js\";\nimport { getIntelligenceSourceConfig } from \"../../platform/config.js\";\n\nasync function probeFeed(url: string, cveId: string, token?: string): Promise<string | undefined> {\n try {\n const feedUrl = new URL(url);\n feedUrl.searchParams.set(\"cve\", cveId);\n\n const headers: Record<string, string> = { Accept: \"application/json\" };\n if (token) headers.Authorization = `Bearer ${token}`;\n\n const res = await fetch(feedUrl.toString(), { headers });\n if (!res.ok) return undefined;\n return feedUrl.toString();\n } catch {\n return undefined;\n }\n}\n\nexport async function enrichWithExternalFeeds(details: CveDetails): Promise<CveDetails> {\n const {\n vendorAdvisoryFeeds,\n commercialFeeds,\n commercialFeedToken,\n } = getIntelligenceSourceConfig();\n\n const vendorHits = (\n await Promise.all(vendorAdvisoryFeeds.map((url) => probeFeed(url, details.id)))\n ).filter((v): v is string => Boolean(v));\n\n const commercialHits = (\n await Promise.all(\n commercialFeeds.map((url) => probeFeed(url, details.id, commercialFeedToken))\n )\n ).filter((v): v is string => Boolean(v));\n\n if (vendorHits.length === 0 && commercialHits.length === 0) {\n return details;\n }\n\n details.intelligence = {\n ...(details.intelligence ?? {}),\n vendorAdvisories: vendorHits.length > 0 ? vendorHits : details.intelligence?.vendorAdvisories,\n commercialFeeds:\n commercialHits.length > 0 ? 
commercialHits : details.intelligence?.commercialFeeds,\n };\n\n const mergedRefs = new Set([...details.references, ...vendorHits, ...commercialHits]);\n details.references = Array.from(mergedRefs);\n\n return details;\n}\n","/**\n * Tool: check-inventory\n *\n * Reads the consumer's package.json and installed dependency tree to produce\n * a flat list of installed packages and their resolved versions.\n */\nimport { tool } from \"ai\";\nimport { z } from \"zod\";\nimport { readFileSync } from \"node:fs\";\nimport { join } from \"node:path\";\nimport { execa } from \"execa\";\nimport type { InventoryPackage } from \"../../platform/types.js\";\nimport {\n detectPackageManager,\n getPackageManagerCommands,\n parseListOutput,\n type PackageManager,\n} from \"../../platform/package-manager.js\";\n\ninterface PackageJson {\n dependencies?: Record<string, string>;\n devDependencies?: Record<string, string>;\n peerDependencies?: Record<string, string>;\n}\n\nexport const checkInventoryTool = tool({\n description:\n \"Read the project's package.json and installed dependencies to list packages and exact versions. Must be called before checking version matches.\",\n parameters: z.object({\n cwd: z.string().describe(\"Absolute path to the consumer project's root directory\"),\n packageManager: z.enum([\"npm\", \"pnpm\", \"yarn\"]).optional().describe(\"Package manager used by the target project (auto-detected if omitted)\"),\n }),\n execute: async ({ cwd, packageManager }): Promise<{ packages: InventoryPackage[]; error?: string }> => {\n let pkgJson: PackageJson;\n\n try {\n pkgJson = JSON.parse(readFileSync(join(cwd, \"package.json\"), \"utf8\")) as PackageJson;\n } catch {\n return {\n packages: [],\n error: `Could not read package.json in \"${cwd}\". Is this a Node.js project?`,\n };\n }\n\n const pm = (packageManager ?? 
detectPackageManager(cwd)) as PackageManager;\n const commands = getPackageManagerCommands(pm);\n let installedVersions = new Map<string, string>();\n\n try {\n const [cmd, ...args] = commands.list;\n const listResult = await execa(cmd, args, {\n cwd,\n stdio: \"pipe\",\n reject: false,\n });\n installedVersions = parseListOutput(pm, listResult.stdout || \"\");\n } catch {\n // Fallback to package.json-only view when list command fails.\n }\n\n const packages: InventoryPackage[] = [];\n\n for (const [name, version] of installedVersions.entries()) {\n const isDirect =\n Boolean(pkgJson.dependencies?.[name]) ||\n Boolean(pkgJson.devDependencies?.[name]) ||\n Boolean(pkgJson.peerDependencies?.[name]);\n\n packages.push({\n name,\n version,\n type: isDirect ? \"direct\" : \"indirect\",\n });\n }\n\n if (packages.length === 0) {\n // Fallback: only direct deps from package.json (best-effort versions)\n const allDeps = {\n ...pkgJson.dependencies,\n ...pkgJson.devDependencies,\n };\n for (const [name, version] of Object.entries(allDeps)) {\n const cleaned = version.replace(/^[\\^~>=<]+/, \"\").trim();\n packages.push({ name, version: cleaned, type: \"direct\" });\n }\n }\n\n return { packages };\n },\n});\n","/**\n * Tool: check-version-match\n *\n * Cross-references inventory packages against CVE-affected package ranges\n * to find which installed packages are actually vulnerable.\n */\nimport { tool } from \"ai\";\nimport { z } from \"zod\";\nimport semver from \"semver\";\nimport type { AffectedPackage, InventoryPackage, VulnerablePackage } from \"../../platform/types.js\";\n\nconst affectedPackageSchema = z.object({\n name: z.string(),\n ecosystem: z.literal(\"npm\"),\n vulnerableRange: z.string(),\n firstPatchedVersion: z.string().optional(),\n source: z.enum([\"osv\", \"github-advisory\"]),\n});\n\nconst inventoryPackageSchema = z.object({\n name: z.string(),\n version: z.string(),\n type: z.enum([\"direct\", \"indirect\"]),\n});\n\nexport const 
checkVersionMatchTool = tool({\n description:\n \"Check which of the project's installed packages fall within the CVE's vulnerable version ranges. Returns only the packages that are actually vulnerable.\",\n parameters: z.object({\n installedPackages: z\n .array(inventoryPackageSchema)\n .describe(\"Output from the check-inventory tool\"),\n affectedPackages: z\n .array(affectedPackageSchema)\n .describe(\"affectedPackages array from the lookup-cve tool result\"),\n }),\n execute: async ({ installedPackages, affectedPackages }): Promise<{\n vulnerablePackages: VulnerablePackage[];\n checkedCount: number;\n }> => {\n const vulnerable: VulnerablePackage[] = [];\n\n for (const affected of affectedPackages as AffectedPackage[]) {\n // Find all installed packages with matching name\n const matches = (installedPackages as InventoryPackage[]).filter(\n (p) => p.name === affected.name\n );\n\n for (const installed of matches) {\n // Validate the installed version is parseable\n if (!semver.valid(installed.version)) continue;\n\n let isVulnerable = false;\n try {\n isVulnerable = semver.satisfies(installed.version, affected.vulnerableRange, {\n includePrerelease: false,\n });\n } catch {\n // Malformed range — skip rather than crash\n continue;\n }\n\n if (isVulnerable) {\n vulnerable.push({ installed, affected });\n }\n }\n }\n\n return {\n vulnerablePackages: vulnerable,\n checkedCount: installedPackages.length,\n };\n },\n});\n","/**\n * Tool: find-fixed-version\n *\n * Queries the npm registry to find the best safe upgrade version\n * for a vulnerable package.\n */\nimport { tool } from \"ai\";\nimport { z } from \"zod\";\nimport { findSafeUpgradeVersion } from \"../../intelligence/sources/registry.js\";\n\nexport const findFixedVersionTool = tool({\n description:\n \"Query the npm registry to find the lowest published version of a package that is >= the first patched version. Prefer same-major upgrades. 
Returns undefined if no safe version exists.\",\n parameters: z.object({\n packageName: z.string().describe(\"The npm package name\"),\n installedVersion: z.string().describe(\"The currently installed version (exact semver)\"),\n firstPatchedVersion: z\n .string()\n .describe(\n \"The first version that is NOT vulnerable (from lookup-cve). Use this as the floor.\"\n ),\n vulnerableRange: z\n .string()\n .optional()\n .describe(\"Optional vulnerable semver range used to exclude still-vulnerable versions\"),\n }),\n execute: async ({\n packageName,\n installedVersion,\n firstPatchedVersion,\n vulnerableRange,\n }): Promise<{\n safeVersion?: string;\n isMajorBump: boolean;\n message: string;\n }> => {\n const safeVersion = await findSafeUpgradeVersion(\n packageName,\n installedVersion,\n firstPatchedVersion,\n vulnerableRange\n );\n\n if (!safeVersion) {\n return {\n isMajorBump: false,\n message: `No safe upgrade version found for \"${packageName}\". The patch-file path will be needed.`,\n };\n }\n\n const installedMajor = parseInt(installedVersion.split(\".\")[0] ?? \"0\", 10);\n const safeMajor = parseInt(safeVersion.split(\".\")[0] ?? \"0\", 10);\n const isMajorBump = safeMajor > installedMajor;\n\n return {\n safeVersion,\n isMajorBump,\n message: isMajorBump\n ? `Found safe version ${safeVersion} for \"${packageName}\", but it is a major bump from ${installedVersion}. 
Applying anyway — consumer should review for breaking changes.`\n : `Found safe version ${safeVersion} for \"${packageName}\" (from ${installedVersion}).`,\n };\n },\n});\n","/**\n * npm registry API client\n *\n * Used to:\n * - Fetch the full list of published versions for a package\n * - Find the lowest semver-compatible safe upgrade from `firstPatchedVersion`\n * - Download tarballs for patch generation (fallback path)\n */\nimport semver from \"semver\";\n\nconst NPM_REGISTRY = \"https://registry.npmjs.org\";\n\n// ---------------------------------------------------------------------------\n// Raw registry types (abbreviated)\n// ---------------------------------------------------------------------------\n\ninterface NpmPackument {\n name: string;\n versions: Record<string, { version: string; dist: { tarball: string } }>;\n \"dist-tags\": Record<string, string>;\n time: Record<string, string>;\n}\n\n// ---------------------------------------------------------------------------\n// Public API\n// ---------------------------------------------------------------------------\n\n/**\n * Fetch all published versions for an npm package.\n * Returns an empty array if the package is not found.\n */\nexport async function fetchPackageVersions(packageName: string): Promise<string[]> {\n const url = `${NPM_REGISTRY}/${encodeURIComponent(packageName)}`;\n const res = await fetch(url, {\n headers: { Accept: \"application/json\" },\n });\n\n if (res.status === 404) return [];\n if (!res.ok) {\n throw new Error(\n `npm registry error ${res.status} for \"${packageName}\": ${await res.text()}`\n );\n }\n\n const data = (await res.json()) as NpmPackument;\n return Object.keys(data.versions);\n}\n\n/**\n * Find the lowest published version that satisfies `>= firstPatchedVersion`\n * and is semver-compatible with the currently installed version (same major,\n * unless there is no same-major option).\n *\n * Strategy:\n * 1. 
Try same-major, lowest version >= firstPatchedVersion\n * 2. Fallback: any published version >= firstPatchedVersion (lowest)\n * 3. Returns undefined if nothing found\n */\nexport async function findSafeUpgradeVersion(\n packageName: string,\n installedVersion: string,\n firstPatchedVersion: string,\n vulnerableRange?: string\n): Promise<string | undefined> {\n const versions = await fetchPackageVersions(packageName);\n if (!versions.length) return undefined;\n\n const installedMajor = semver.major(installedVersion);\n\n // All versions >= firstPatchedVersion, sorted ascending\n const candidates = versions\n .filter((v) => semver.valid(v) && semver.gte(v, firstPatchedVersion))\n .filter((v) => {\n if (!vulnerableRange) return true;\n try {\n return !semver.satisfies(v, vulnerableRange, { includePrerelease: false });\n } catch {\n // If vulnerable range cannot be parsed, avoid filtering out candidates.\n return true;\n }\n })\n .sort(semver.compare);\n\n if (!candidates.length) return undefined;\n\n // Prefer same-major bump (semver-compatible)\n const sameMajor = candidates.find(\n (v) => semver.major(v) === installedMajor\n );\n if (sameMajor) return sameMajor;\n\n // Fallback: next-lowest available — caller should warn about major bump\n return candidates[0];\n}\n\n/**\n * Get the tarball URL for a specific package version.\n * Used by the patch generation fallback path.\n */\nexport async function getTarballUrl(\n packageName: string,\n version: string\n): Promise<string | undefined> {\n const url = `${NPM_REGISTRY}/${encodeURIComponent(packageName)}/${encodeURIComponent(version)}`;\n const res = await fetch(url, {\n headers: { Accept: \"application/json\" },\n });\n\n if (!res.ok) return undefined;\n\n const data = (await res.json()) as {\n dist?: { tarball?: string };\n };\n return data.dist?.tarball;\n}\n","/**\n * Tool: apply-version-bump\n *\n * Updates the consumer's package.json to the safe version and runs npm install.\n * Respects --dry-run: in dry-run 
mode it reports what would happen but writes nothing.\n */\nimport { tool } from \"ai\";\nimport { z } from \"zod\";\nimport { join } from \"node:path\";\nimport { readFileSync, writeFileSync } from \"node:fs\";\nimport { execa } from \"execa\";\nimport semver from \"semver\";\nimport type { PatchResult } from \"../../platform/types.js\";\nimport { isPackageAllowed, loadPolicy } from \"../../platform/policy.js\";\nimport { withRepoLock } from \"../../platform/repo-lock.js\";\nimport {\n detectPackageManager,\n getPackageManagerCommands,\n type PackageManager,\n} from \"../../platform/package-manager.js\";\n\ninterface RawPackageJson {\n dependencies?: Record<string, string>;\n devDependencies?: Record<string, string>;\n peerDependencies?: Record<string, string>;\n [key: string]: unknown;\n}\n\ntype DepField = \"dependencies\" | \"devDependencies\" | \"peerDependencies\";\n\nexport const applyVersionBumpTool = tool({\n description:\n \"Update package.json to use the safe version of a vulnerable package and run the project's package manager install. 
In dry-run mode, only reports what would change.\",\n parameters: z.object({\n cwd: z.string().describe(\"Absolute path to the consumer project root\"),\n packageManager: z.enum([\"npm\", \"pnpm\", \"yarn\"]).optional().describe(\"Package manager used by the target project (auto-detected if omitted)\"),\n packageName: z.string().describe(\"The npm package to upgrade\"),\n fromVersion: z.string().describe(\"The currently installed vulnerable version\"),\n toVersion: z.string().describe(\"The safe target version to upgrade to\"),\n dryRun: z.boolean().default(false).describe(\"If true, report changes but do not write\"),\n policy: z\n .string()\n .optional()\n .describe(\"Optional path to .autoremediator policy file\"),\n runTests: z\n .boolean()\n .default(false)\n .describe(\"If true, run test validation after applying the fix\"),\n }),\n execute: async ({\n cwd,\n packageManager,\n packageName,\n fromVersion,\n toVersion,\n dryRun,\n policy,\n runTests,\n }): Promise<PatchResult> => {\n const pm = (packageManager ?? 
detectPackageManager(cwd)) as PackageManager;\n const commands = getPackageManagerCommands(pm);\n const pkgPath = join(cwd, \"package.json\");\n const loadedPolicy = loadPolicy(cwd, policy);\n\n if (!isPackageAllowed(loadedPolicy, packageName)) {\n return {\n packageName,\n strategy: \"none\",\n fromVersion,\n toVersion,\n applied: false,\n dryRun,\n message: `Policy blocked changes for package \"${packageName}\".`,\n };\n }\n\n const isMajorBump =\n semver.valid(fromVersion) &&\n semver.valid(toVersion) &&\n semver.major(toVersion) > semver.major(fromVersion);\n\n if (isMajorBump && !loadedPolicy.allowMajorBumps) {\n return {\n packageName,\n strategy: \"none\",\n fromVersion,\n toVersion,\n applied: false,\n dryRun,\n message: `Policy blocked major bump for \"${packageName}\" (${fromVersion} -> ${toVersion}).`,\n };\n }\n\n let pkgJson: RawPackageJson;\n try {\n pkgJson = JSON.parse(readFileSync(pkgPath, \"utf8\")) as RawPackageJson;\n } catch {\n return {\n packageName,\n strategy: \"none\",\n fromVersion,\n applied: false,\n dryRun,\n message: `Could not read package.json at \"${pkgPath}\".`,\n };\n }\n\n // Locate which dependency field this package lives in\n const depField = ([\"dependencies\", \"devDependencies\", \"peerDependencies\"] as DepField[]).find(\n (f) => pkgJson[f]?.[packageName] !== undefined\n );\n\n if (!depField) {\n return {\n packageName,\n strategy: \"none\",\n fromVersion,\n applied: false,\n dryRun,\n message: `\"${packageName}\" was not found in package.json dependencies (it may be a transitive dep). Cannot auto-bump.`,\n };\n }\n\n const currentRange = pkgJson[depField]![packageName]!;\n\n // Preserve the range prefix (^, ~, empty) from the existing entry\n const prefixMatch = currentRange.match(/^([~^]?)/);\n const prefix = prefixMatch?.[1] ?? 
\"\";\n const newRange = `${prefix}${toVersion}`;\n\n if (dryRun) {\n const installCmd = commands.installPreferOffline.join(\" \");\n const testCmd = commands.test.join(\" \");\n return {\n packageName,\n strategy: \"version-bump\",\n fromVersion,\n toVersion,\n applied: false,\n dryRun: true,\n message: `[DRY RUN] Would update ${depField}.${packageName}: \"${currentRange}\" -> \"${newRange}\", then run ${installCmd}${runTests ? ` and ${testCmd}` : \"\"}.`,\n };\n }\n\n return withRepoLock(cwd, async () => {\n // Write updated package.json\n pkgJson[depField]![packageName] = newRange;\n writeFileSync(pkgPath, JSON.stringify(pkgJson, null, 2) + \"\\n\", \"utf8\");\n\n // Run package-manager install\n try {\n const [installCmd, ...installArgs] = commands.installPreferOffline;\n await execa(installCmd, installArgs, {\n cwd,\n stdio: \"pipe\",\n });\n } catch (err) {\n // Revert the package.json change on install failure\n pkgJson[depField]![packageName] = currentRange;\n writeFileSync(pkgPath, JSON.stringify(pkgJson, null, 2) + \"\\n\", \"utf8\");\n\n const message = err instanceof Error ? err.message : String(err);\n return {\n packageName,\n strategy: \"version-bump\",\n fromVersion,\n toVersion,\n applied: false,\n dryRun: false,\n message: `${commands.installPreferOffline.join(\" \")} failed after updating \"${packageName}\" to ${toVersion}. Reverted. 
Error: ${message}`,\n };\n }\n\n if (runTests) {\n try {\n const [testCmd, ...testArgs] = commands.test;\n await execa(testCmd, testArgs, {\n cwd,\n stdio: \"pipe\",\n });\n } catch (err) {\n // Roll back both manifest and lock state by restoring dep range and reinstalling.\n pkgJson[depField]![packageName] = currentRange;\n writeFileSync(pkgPath, JSON.stringify(pkgJson, null, 2) + \"\\n\", \"utf8\");\n\n try {\n const [rollbackCmd, ...rollbackArgs] = commands.installPreferOffline;\n await execa(rollbackCmd, rollbackArgs, {\n cwd,\n stdio: \"pipe\",\n });\n } catch {\n // Ignore rollback install failure and return original test failure context.\n }\n\n const message = err instanceof Error ? err.message : String(err);\n return {\n packageName,\n strategy: \"version-bump\",\n fromVersion,\n toVersion,\n applied: false,\n dryRun: false,\n message: `${commands.test.join(\" \")} failed after upgrading \"${packageName}\" to ${toVersion}. Rolled back to ${currentRange}. Error: ${message}`,\n };\n }\n }\n\n return {\n packageName,\n strategy: \"version-bump\",\n fromVersion,\n toVersion,\n applied: true,\n dryRun: false,\n message: `Successfully upgraded \"${packageName}\" from ${fromVersion} to ${toVersion}, ran ${commands.installPreferOffline.join(\" \")}${runTests ? 
`, and passed ${commands.test.join(\" \")}` : \"\"}.`,\n };\n });\n },\n});\n","import { existsSync, readFileSync } from \"node:fs\";\nimport { join } from \"node:path\";\nimport type { RemediationConstraints } from \"./types.js\";\n\nexport interface AutoremediatorPolicy {\n allowMajorBumps: boolean;\n denyPackages: string[];\n allowPackages: string[];\n constraints?: RemediationConstraints;\n}\n\nexport const DEFAULT_POLICY: AutoremediatorPolicy = {\n allowMajorBumps: false,\n denyPackages: [],\n allowPackages: [],\n constraints: {\n directDependenciesOnly: false,\n preferVersionBump: false,\n },\n};\n\nexport function loadPolicy(cwd: string, explicitPath?: string): AutoremediatorPolicy {\n const candidate = explicitPath ?? join(cwd, \".autoremediator.json\");\n if (!existsSync(candidate)) return DEFAULT_POLICY;\n\n try {\n const parsed = JSON.parse(readFileSync(candidate, \"utf8\")) as Partial<AutoremediatorPolicy>;\n return {\n allowMajorBumps: parsed.allowMajorBumps ?? DEFAULT_POLICY.allowMajorBumps,\n denyPackages: parsed.denyPackages ?? DEFAULT_POLICY.denyPackages,\n allowPackages: parsed.allowPackages ?? 
DEFAULT_POLICY.allowPackages,\n constraints: {\n directDependenciesOnly:\n parsed.constraints?.directDependenciesOnly ??\n DEFAULT_POLICY.constraints?.directDependenciesOnly ??\n false,\n preferVersionBump:\n parsed.constraints?.preferVersionBump ??\n DEFAULT_POLICY.constraints?.preferVersionBump ??\n false,\n },\n };\n } catch {\n return DEFAULT_POLICY;\n }\n}\n\nexport function isPackageAllowed(policy: AutoremediatorPolicy, packageName: string): boolean {\n if (policy.denyPackages.includes(packageName)) return false;\n if (policy.allowPackages.length > 0 && !policy.allowPackages.includes(packageName)) {\n return false;\n }\n return true;\n}\n","import { mkdir, rm } from \"node:fs/promises\";\nimport { join } from \"node:path\";\n\ninterface RepoLockOptions {\n timeoutMs?: number;\n retryDelayMs?: number;\n}\n\ninterface RepoLock {\n lockPath: string;\n release: () => Promise<void>;\n}\n\nasync function sleep(ms: number): Promise<void> {\n await new Promise((resolve) => setTimeout(resolve, ms));\n}\n\nexport async function acquireRepoLock(cwd: string, options: RepoLockOptions = {}): Promise<RepoLock> {\n const timeoutMs = options.timeoutMs ?? 15000;\n const retryDelayMs = options.retryDelayMs ?? 
125;\n const lockRoot = join(cwd, \".autoremediator\", \"locks\");\n const lockPath = join(cwd, \".autoremediator\", \"locks\", \"remediation.lock\");\n const startedAt = Date.now();\n\n await mkdir(lockRoot, { recursive: true });\n\n while (true) {\n try {\n await mkdir(lockPath, { recursive: false });\n return {\n lockPath,\n release: async () => {\n await rm(lockPath, { recursive: true, force: true });\n },\n };\n } catch {\n if (Date.now() - startedAt > timeoutMs) {\n throw new Error(`Timed out waiting for repository lock at ${lockPath}.`);\n }\n await sleep(retryDelayMs);\n }\n }\n}\n\nexport async function withRepoLock<T>(cwd: string, fn: () => Promise<T>, options?: RepoLockOptions): Promise<T> {\n const lock = await acquireRepoLock(cwd, options);\n try {\n return await fn();\n } finally {\n await lock.release();\n }\n}\n","/**\n * Tool: fetch-package-source\n *\n * Downloads a package tarball from npm registry and extracts source files for CVE analysis.\n * Uses Node.js fetch API to download and execa to extract tar archives.\n */\nimport { tool } from \"ai\";\nimport { z } from \"zod\";\nimport { mkdir, readdir, readFile, rm } from \"node:fs/promises\";\nimport { join } from \"node:path\";\nimport { execa } from \"execa\";\n\n/**\n * Interface for the tool's return value.\n */\ninterface FetchPackageSourceResult {\n success: boolean;\n sourceFiles?: Record<string, string>;\n packageDir?: string;\n error?: string;\n}\n\nexport const fetchPackageSourceTool = tool({\n description:\n \"Download package tarball from npm and extract source files for CVE analysis. 
Supports custom file patterns (default: *.js, *.ts).\",\n parameters: z.object({\n packageName: z\n .string()\n .min(1)\n .describe(\"The npm package name (e.g., 'lodash', '@scope/package')\"),\n version: z\n .string()\n .regex(/^\\d+\\.\\d+\\.\\d+/, \"Must be a valid semver version\")\n .describe(\"Exact package version to download\"),\n filePatterns: z\n .array(z.string())\n .optional()\n .default([\"*.js\", \"*.ts\"])\n .describe(\n \"File patterns to extract (glob patterns, default: *.js, *.ts)\"\n ),\n }),\n execute: async ({\n packageName,\n version,\n filePatterns,\n }): Promise<FetchPackageSourceResult> => {\n const tempBaseDir = `/tmp/autoremediator-pkg-${Date.now()}`;\n const extractDir = join(tempBaseDir, \"out\");\n\n try {\n // Step 1: Construct npm registry URL and download tarball\n const npmUrl = `https://registry.npmjs.org/${packageName}/-/${packageName.split(\"/\").pop()}-${version}.tgz`;\n\n // Create temp directory\n await mkdir(tempBaseDir, { recursive: true });\n\n // Download tarball using curl (reliable method)\n const tarballPath = join(tempBaseDir, \"package.tgz\");\n await execa(\"curl\", [\"-L\", \"-o\", tarballPath, npmUrl]);\n\n // Step 2: Extract tar.gz\n await mkdir(extractDir, { recursive: true });\n await execa(\"tar\", [\"-xzf\", tarballPath, \"-C\", extractDir]);\n\n // Step 3: Discover package root (tar extracts to 'package/' subdirectory)\n const extractedContents = await readdir(extractDir);\n const packageRootDir = extractedContents.includes(\"package\")\n ? 
join(extractDir, \"package\")\n : extractDir;\n\n // Step 4: Recursively find and read matching source files\n const sourceCode: Record<string, string> = {};\n\n async function walkDir(dir: string, relativeBase: string): Promise<void> {\n try {\n const files = await readdir(dir, { withFileTypes: true });\n\n for (const file of files) {\n const fullPath = join(dir, file.name);\n const relPath = join(relativeBase, file.name);\n\n if (file.isDirectory()) {\n // Skip common non-source directories\n if (\n ![\n \"node_modules\",\n \".git\",\n \"dist\",\n \"build\",\n \"coverage\",\n \".next\",\n \"out\",\n ]\n .includes(file.name)\n ) {\n await walkDir(fullPath, relPath);\n }\n } else if (file.isFile()) {\n // Check if file matches any pattern\n const matches = filePatterns!.some((pattern) => {\n const regex = new RegExp(\n `^${pattern.replace(/\\*/g, \".*\").replace(/\\./g, \"\\\\.\")}$`\n );\n return regex.test(file.name);\n });\n\n if (matches) {\n try {\n const content = await readFile(fullPath, \"utf8\");\n sourceCode[relPath] = content;\n } catch {\n // Skip files that can't be read as UTF-8\n }\n }\n }\n }\n } catch {\n // Skip directories that can't be read\n }\n }\n\n await walkDir(packageRootDir, \"\");\n\n if (Object.keys(sourceCode).length === 0) {\n return {\n success: false,\n error: `No source files matching patterns [${filePatterns!.join(\", \")}] found in ${packageName}@${version}. Download succeeded but extraction yielded no matching files.`,\n };\n }\n\n return {\n success: true,\n sourceFiles: sourceCode,\n packageDir: packageRootDir,\n };\n } catch (err) {\n const message =\n err instanceof Error ? err.message : String(err);\n\n // Check if it's a 404 from npm\n if (message.includes(\"404\") || message.includes(\"not found\")) {\n return {\n success: false,\n error: `Package ${packageName}@${version} not found on npm registry. 
It may not exist or the version may be incorrect.`,\n };\n }\n\n return {\n success: false,\n error: `Failed to fetch and extract package ${packageName}@${version}: ${message}`,\n };\n } finally {\n await rm(tempBaseDir, { recursive: true, force: true });\n }\n },\n});\n","/**\n * Tool: generate-patch\n *\n * Calls the LLM to analyze vulnerable source code and generate a unified diff patch.\n * Parses LLM response and validates patch format.\n */\nimport { tool } from \"ai\";\nimport { z } from \"zod\";\nimport { generateText } from \"ai\";\nimport { createModel } from \"../../platform/config.js\";\n\n/**\n * Represents a single generated patch file.\n */\ninterface GeneratedPatch {\n filePath: string;\n unifiedDiff: string;\n}\n\n/**\n * Result from the patch generation tool.\n */\ninterface GeneratePatchResult {\n success: boolean;\n patches?: GeneratedPatch[];\n patchContent?: string;\n llmModel: string;\n confidence: number;\n riskLevel: \"low\" | \"medium\" | \"high\";\n error?: string;\n}\n\n/**\n * LLM analysis response schema.\n */\ninterface LlmAnalysis {\n analysis: string;\n fixedCode: Record<string, string>;\n confidence: number;\n riskLevel: \"low\" | \"medium\" | \"high\";\n}\n\n/**\n * Vulnerability category descriptions for the LLM.\n */\nconst VULNERABILITY_DESCRIPTIONS: Record<string, string> = {\n redos:\n \"Regular Expression Denial of Service (ReDoS): The vulnerability is caused by poorly constructed regular expressions that cause excessive backtracking when processing certain inputs. The fix should optimize the regex to avoid catastrophic backtracking or replace it with a safer alternative.\",\n \"code-injection\":\n \"Code Injection: The vulnerability allows injected code to be executed. 
The fix must properly sanitize/validate inputs and prevent dynamic code execution, or use safe alternatives like template literals with proper escaping.\",\n \"path-traversal\":\n \"Path Traversal: The vulnerability allows access to files outside intended directories through path traversal sequences (../, etc.). The fix must validate and normalize file paths, use path.resolve() and path.relative() checks.\",\n unknown:\n \"Unknown vulnerability type: Analyze the CVE summary carefully and implement the most appropriate fix for the security issue described.\",\n};\n\nexport const generatePatchTool = tool({\n description:\n \"Generate a unified diff patch for a CVE using LLM analysis of vulnerable source code.\",\n parameters: z.object({\n packageName: z.string().min(1).describe(\"The npm package name\"),\n vulnerableVersion: z\n .string()\n .describe(\"The vulnerable version string\"),\n cveId: z\n .string()\n .regex(/^CVE-\\d{4}-\\d+$/i)\n .describe(\"CVE ID (e.g., CVE-2021-23337)\"),\n cveSummary: z.string().min(10).describe(\"CVE description and impact\"),\n sourceFiles: z\n .record(z.string())\n .describe(\n \"Map of file paths to source code contents from fetch-package-source\"\n ),\n vulnerabilityCategory: z\n .enum([\"redos\", \"code-injection\", \"path-traversal\", \"unknown\"])\n .optional()\n .default(\"unknown\")\n .describe(\"Category of the vulnerability for better context\"),\n dryRun: z\n .boolean()\n .optional()\n .default(false)\n .describe(\"If true, return analysis without generating patches\"),\n }),\n execute: async ({\n packageName,\n vulnerableVersion,\n cveId,\n cveSummary,\n sourceFiles,\n vulnerabilityCategory,\n dryRun,\n }): Promise<GeneratePatchResult> => {\n try {\n const resolvedSourceFiles = sourceFiles;\n if (Object.keys(resolvedSourceFiles).length === 0) {\n return {\n success: false,\n llmModel: \"unknown\",\n confidence: 0,\n riskLevel: \"high\",\n error: \"No source files were provided. 
Call fetch-package-source first and pass sourceFiles.\",\n };\n }\n\n // Create LLM model\n const model = await createModel();\n const modelName = model.modelId || \"unknown-model\";\n\n // Build source files context\n const sourceContext = Object.entries(resolvedSourceFiles)\n .map(([filePath, content]) => `\\n### File: ${filePath}\\n\\`\\`\\`typescript\\n${content}\\n\\`\\`\\``)\n .join(\"\\n\");\n\n // Build the LLM prompt\n const vulnerabilityContext =\n VULNERABILITY_DESCRIPTIONS[vulnerabilityCategory] ||\n VULNERABILITY_DESCRIPTIONS.unknown;\n\n const prompt = `You are a security expert tasked with analyzing a CVE vulnerability and generating a secure patch.\n\n## CVE Information\n- CVE ID: ${cveId}\n- Package: ${packageName}@${vulnerableVersion}\n- Category: ${vulnerabilityCategory}\n\n## Vulnerability Summary\n${cveSummary}\n\n## Vulnerability Type Context\n${vulnerabilityContext}\n\n## Vulnerable Source Code\n${sourceContext}\n\n## Your Task\nAnalyze the source code to:\n1. Identify the exact code location causing the vulnerability\n2. Explain the root cause of the security issue\n3. Propose a secure fix that addresses the vulnerability\n4. 
Provide the complete fixed version of affected files\n\n## Response Format\nRespond ONLY with valid JSON (no markdown, no extra text):\n{\n \"analysis\": \"Detailed explanation of the vulnerability root cause and why it's a security issue\",\n \"fixedCode\": {\n \"path/to/file.js\": \"Complete fixed source code for this file\",\n \"path/to/other.ts\": \"Complete fixed source code for this file\"\n },\n \"confidence\": 0.95,\n \"riskLevel\": \"medium\"\n}\n\nImportant:\n- confidence: number between 0 and 1 indicating how confident you are in the fix\n- riskLevel: \"low\", \"medium\", or \"high\" - assess the risk of the proposed fix breaking functionality\n- fixedCode: must contain the COMPLETE file contents (not just diffs), with the vulnerability addressed\n- Only include files that need modification`;\n\n // Call LLM\n const { text } = await generateText({\n model,\n prompt,\n temperature: 0.3, // Lower temperature for more consistent code generation\n });\n\n // Parse LLM response\n let analysis: LlmAnalysis;\n try {\n // Extract JSON from response (in case LLM includes extra text)\n const jsonMatch = text.match(/\\{[\\s\\S]*\\}/);\n if (!jsonMatch) {\n throw new Error(\"No JSON found in LLM response\");\n }\n analysis = JSON.parse(jsonMatch[0]) as LlmAnalysis;\n } catch (err) {\n return {\n success: false,\n llmModel: modelName,\n confidence: 0,\n riskLevel: \"high\",\n error: `Failed to parse LLM response: ${err instanceof Error ? 
err.message : \"unknown error\"}`,\n };\n }\n\n // Validate analysis structure\n if (\n !analysis.analysis ||\n !analysis.fixedCode ||\n typeof analysis.confidence !== \"number\" ||\n ![\"low\", \"medium\", \"high\"].includes(analysis.riskLevel)\n ) {\n return {\n success: false,\n llmModel: modelName,\n confidence: 0,\n riskLevel: \"high\",\n error: \"LLM response missing required fields (analysis, fixedCode, confidence, riskLevel)\",\n };\n }\n\n if (dryRun) {\n return {\n success: true,\n llmModel: modelName,\n confidence: analysis.confidence,\n riskLevel: analysis.riskLevel,\n };\n }\n\n // Step 3: Generate unified diffs\n const patches: GeneratedPatch[] = [];\n\n for (const [filePath, fixedCode] of Object.entries(\n analysis.fixedCode\n )) {\n const sourceFile = resolvedSourceFiles[filePath];\n\n if (!sourceFile) {\n continue; // Skip files not in original source\n }\n\n // Generate unified diff\n const unifiedDiff = generateUnifiedDiff(\n sourceFile,\n fixedCode,\n filePath\n );\n\n if (unifiedDiff) {\n patches.push({\n filePath,\n unifiedDiff,\n });\n }\n }\n\n if (patches.length === 0) {\n return {\n success: false,\n llmModel: modelName,\n confidence: analysis.confidence,\n riskLevel: analysis.riskLevel,\n error: \"No valid patches could be generated from LLM response\",\n };\n }\n\n return {\n success: true,\n patches,\n patchContent: patches[0]?.unifiedDiff,\n llmModel: modelName,\n confidence: analysis.confidence,\n riskLevel: analysis.riskLevel,\n };\n } catch (err) {\n const message =\n err instanceof Error ? 
err.message : String(err);\n return {\n success: false,\n llmModel: \"unknown\",\n confidence: 0,\n riskLevel: \"high\",\n error: `Patch generation failed: ${message}`,\n };\n }\n },\n});\n\n/**\n * Generate a unified diff between two strings.\n * Returns a unified diff format or null if there are no differences.\n */\nfunction generateUnifiedDiff(\n original: string,\n fixed: string,\n filePath: string\n): string | null {\n if (original === fixed) {\n return null;\n }\n\n const originalLines = original.split(\"\\n\");\n const fixedLines = fixed.split(\"\\n\");\n\n // Simple unified diff generation\n // In a production system, use a library like 'diff' for more accurate diffs\n const diff: string[] = [];\n diff.push(`--- a/${filePath}`);\n diff.push(`+++ b/${filePath}`);\n diff.push(\"@@ -1,\" + originalLines.length + \" +1,\" + fixedLines.length + \" @@\");\n\n // Find longest common subsequence for better diff\n // For now, simple line-by-line comparison\n const maxLen = Math.max(originalLines.length, fixedLines.length);\n\n for (let i = 0; i < maxLen; i++) {\n const origLine = originalLines[i] || \"\";\n const fixedLine = fixedLines[i] || \"\";\n\n if (origLine !== fixedLine) {\n if (origLine) {\n diff.push(\"-\" + origLine);\n }\n if (fixedLine) {\n diff.push(\"+\" + fixedLine);\n }\n } else if (origLine) {\n diff.push(\" \" + origLine);\n }\n }\n\n return diff.join(\"\\n\");\n}\n","/**\n * Tool: apply-patch-file\n *\n * Writes generated patch files to disk and applies them using package-manager-aware\n * patch mechanisms (native pnpm/yarn when available, patch-package compatibility otherwise).\n * Optionally validates patches by running tests.\n */\nimport { tool } from \"ai\";\nimport { z } from \"zod\";\nimport { existsSync } from \"node:fs\";\nimport { mkdir, mkdtemp, readFile, rm, writeFile } from \"node:fs/promises\";\nimport { tmpdir } from \"node:os\";\nimport { join } from \"node:path\";\nimport { execa } from \"execa\";\nimport {\n 
detectPackageManager,\n getPackageManagerCommands,\n type PackageManager,\n} from \"../../platform/package-manager.js\";\nimport { withRepoLock } from \"../../platform/repo-lock.js\";\n\n/**\n * Validation result object.\n */\ninterface ValidationResult {\n passed: boolean;\n output?: string;\n failedTests?: string[];\n}\n\n/**\n * Tool result interface.\n */\ninterface ApplyPatchFileResult {\n success: boolean;\n packageName: string;\n vulnerableVersion: string;\n applied: boolean;\n dryRun: boolean;\n message: string;\n patchFilePath?: string;\n patchPath?: string;\n patchMode?: \"patch-package\" | \"native-pnpm\" | \"native-yarn\";\n postinstallConfigured?: boolean;\n validation?: ValidationResult;\n error?: string;\n}\n\n/**\n * Raw package.json structure for type safety.\n */\ninterface RawPackageJson {\n devDependencies?: Record<string, string>;\n scripts?: Record<string, string>;\n [key: string]: unknown;\n}\n\nexport const applyPatchFileTool = tool({\n description:\n \"Write generated patch file and apply it using package-manager-native patch flow when available, falling back to patch-package when needed.\",\n parameters: z.object({\n packageName: z.string().min(1).describe(\"The npm package name\"),\n vulnerableVersion: z\n .string()\n .describe(\"The vulnerable version string\"),\n patchContent: z\n .string()\n .min(10)\n .optional()\n .describe(\"Unified diff patch content from generate-patch\"),\n patches: z\n .array(\n z.object({\n filePath: z.string().min(1),\n unifiedDiff: z.string().min(10),\n })\n )\n .optional()\n .describe(\"Patch list from generate-patch; first patch is applied\"),\n patchesDir: z\n .string()\n .optional()\n .default(\"./patches\")\n .describe(\"Directory to store patch files\"),\n cwd: z.string().describe(\"Project root directory (for package.json)\"),\n packageManager: z.enum([\"npm\", \"pnpm\", \"yarn\"]).optional().describe(\"Package manager used by the target project (auto-detected if omitted)\"),\n validateWithTests: z\n 
.boolean()\n .optional()\n .default(true)\n .describe(\"Run package manager test command to validate patch doesn't break anything\"),\n dryRun: z.boolean().optional().default(false).describe(\"If true, report but do not mutate files\"),\n }).refine((value) => Boolean(value.patchContent || (value.patches && value.patches.length > 0)), {\n message: \"Either patchContent or patches must be provided\",\n }),\n execute: async ({\n packageName,\n vulnerableVersion,\n patchContent,\n patches,\n patchesDir,\n cwd,\n packageManager,\n validateWithTests,\n dryRun,\n }): Promise<ApplyPatchFileResult> => {\n try {\n const pm = (packageManager ?? detectPackageManager(cwd)) as PackageManager;\n const selectedPatch = patchContent ?? patches?.[0]?.unifiedDiff;\n\n if (!selectedPatch) {\n return {\n success: false,\n packageName,\n vulnerableVersion,\n applied: false,\n dryRun,\n message: \"No patch content provided.\",\n error: \"No patch content provided.\",\n };\n }\n\n const patchFileName = buildPatchFileName(packageName, vulnerableVersion);\n const patchFilePath = join(cwd, patchesDir, patchFileName);\n\n if (dryRun) {\n return {\n success: true,\n packageName,\n vulnerableVersion,\n applied: false,\n dryRun: true,\n message: `[DRY RUN] Would write and configure patch at ${patchFilePath}.`,\n patchFilePath,\n patchPath: patchFilePath,\n };\n }\n\n return withRepoLock(cwd, async () => {\n // Step 1: Create patches directory if it doesn't exist\n const patchesDirPath = join(cwd, patchesDir);\n await mkdir(patchesDirPath, { recursive: true });\n\n // Step 2: Write patch file with proper naming convention\n await writeFile(patchFilePath, selectedPatch, \"utf8\");\n\n let validationResult: ValidationResult | undefined;\n const patchMode = await resolvePatchMode(pm, cwd);\n\n // Step 3: Apply patch via native package-manager workflow when available.\n // npm always uses patch-package, yarn v1 falls back to patch-package.\n const applyResult =\n patchMode === \"patch-package\"\n ? 
await configurePatchPackagePostinstall(cwd, pm)\n : await applyNativePatch({\n cwd,\n packageName,\n vulnerableVersion,\n patchContent: selectedPatch,\n patchMode,\n });\n\n if (!applyResult.success) {\n return {\n success: false,\n packageName,\n vulnerableVersion,\n applied: false,\n dryRun: false,\n message: applyResult.error,\n patchFilePath,\n patchPath: patchFilePath,\n patchMode,\n postinstallConfigured: patchMode === \"patch-package\" ? false : undefined,\n error: applyResult.error,\n };\n }\n\n // Step 4: Validate with tests if requested\n if (validateWithTests) {\n validationResult = await validatePatchWithTests(cwd, pm);\n if (!validationResult.passed) {\n const validationError = \"Patch validation failed after apply; patch marked unresolved.\";\n return {\n success: false,\n packageName,\n vulnerableVersion,\n applied: false,\n dryRun: false,\n message: validationError,\n patchFilePath,\n patchPath: patchFilePath,\n patchMode,\n postinstallConfigured: patchMode === \"patch-package\",\n validation: validationResult,\n error: validationError,\n };\n }\n }\n\n return {\n success: true,\n packageName,\n vulnerableVersion,\n applied: true,\n dryRun: false,\n message: `Patch applied successfully for ${packageName}@${vulnerableVersion}.`,\n patchFilePath,\n patchPath: patchFilePath,\n patchMode,\n postinstallConfigured: patchMode === \"patch-package\",\n validation: validationResult,\n };\n });\n } catch (err) {\n const message =\n err instanceof Error ? 
err.message : String(err);\n return {\n success: false,\n packageName,\n vulnerableVersion,\n applied: false,\n dryRun,\n message: `Failed to apply patch file: ${message}`,\n error: `Failed to apply patch file: ${message}`,\n };\n }\n },\n});\n\ntype PatchMode = \"patch-package\" | \"native-pnpm\" | \"native-yarn\";\n\nasync function resolvePatchMode(packageManager: PackageManager, cwd: string): Promise<PatchMode> {\n if (packageManager === \"npm\") return \"patch-package\";\n if (packageManager === \"pnpm\") return \"native-pnpm\";\n\n // Yarn v1 does not provide native patch commands; use patch-package compatibility path.\n try {\n const result = await execa(\"yarn\", [\"--version\"], {\n cwd,\n stdio: \"pipe\",\n });\n const version = result.stdout.trim();\n const major = Number.parseInt(version.split(\".\")[0] || \"0\", 10);\n return major >= 2 ? \"native-yarn\" : \"patch-package\";\n } catch {\n return \"patch-package\";\n }\n}\n\nfunction buildPatchFileName(packageName: string, vulnerableVersion: string): string {\n const safeName = packageName.replace(/^@/, \"\").replace(/\\//g, \"+\");\n return `${safeName}+${vulnerableVersion}.patch`;\n}\n\nasync function configurePatchPackagePostinstall(cwd: string, packageManager: PackageManager): Promise<{ success: true } | { success: false; error: string }> {\n const pkgJsonPath = join(cwd, \"package.json\");\n let pkgJson: RawPackageJson;\n\n try {\n pkgJson = JSON.parse(await readFile(pkgJsonPath, \"utf8\")) as RawPackageJson;\n } catch {\n return {\n success: false,\n error: `Could not read package.json at ${pkgJsonPath}`,\n };\n }\n\n const devDependencies = pkgJson.devDependencies ?? 
{};\n if (!devDependencies[\"patch-package\"]) {\n try {\n const commands = getPackageManagerCommands(packageManager);\n const [cmd, ...args] = commands.installDev(\"patch-package\");\n await execa(cmd, args, {\n cwd,\n stdio: \"pipe\",\n });\n } catch (err) {\n return {\n success: false,\n error: `Failed to install patch-package: ${err instanceof Error ? err.message : String(err)}`,\n };\n }\n }\n\n if (!pkgJson.scripts) {\n pkgJson.scripts = {};\n }\n\n const patchApplyCmd = \"patch-package\";\n const currentPostinstall = pkgJson.scripts.postinstall || \"\";\n\n if (currentPostinstall && !currentPostinstall.includes(\"patch-package\")) {\n pkgJson.scripts.postinstall = `${currentPostinstall} && ${patchApplyCmd}`;\n } else if (!currentPostinstall) {\n pkgJson.scripts.postinstall = patchApplyCmd;\n }\n\n await writeFile(pkgJsonPath, JSON.stringify(pkgJson, null, 2) + \"\\n\", \"utf8\");\n return { success: true };\n}\n\nasync function applyNativePatch(params: {\n cwd: string;\n packageName: string;\n vulnerableVersion: string;\n patchContent: string;\n patchMode: \"native-pnpm\" | \"native-yarn\";\n}): Promise<{ success: true } | { success: false; error: string }> {\n const { cwd, packageName, vulnerableVersion, patchContent, patchMode } = params;\n const packageSpec = `${packageName}@${vulnerableVersion}`;\n\n const createCommand = patchMode === \"native-pnpm\" ? \"pnpm\" : \"yarn\";\n const createArgs = [\"patch\", packageSpec];\n\n let patchDir: string;\n try {\n const createResult = await execa(createCommand, createArgs, {\n cwd,\n stdio: \"pipe\",\n });\n patchDir = extractPatchDirectory(`${createResult.stdout}\\n${createResult.stderr}`);\n } catch (err) {\n return {\n success: false,\n error: `Failed to create native patch workspace for ${packageSpec}: ${\n err instanceof Error ? 
err.message : String(err)\n }`,\n };\n }\n\n if (!patchDir) {\n return {\n success: false,\n error: `Could not determine native patch directory for ${packageSpec}.`,\n };\n }\n\n const tempPatchDir = await mkdtemp(join(tmpdir(), \"autoremediator-native-patch-\"));\n const tempPatchFile = join(tempPatchDir, \"change.patch\");\n\n try {\n await writeFile(tempPatchFile, patchContent, \"utf8\");\n await execa(\"patch\", [\"-p1\", \"-i\", tempPatchFile], {\n cwd: patchDir,\n stdio: \"pipe\",\n });\n\n const commitCommand = patchMode === \"native-pnpm\" ? \"pnpm\" : \"yarn\";\n const commitArgs =\n patchMode === \"native-pnpm\"\n ? [\"patch-commit\", patchDir]\n : [\"patch-commit\", \"-s\", patchDir];\n\n await execa(commitCommand, commitArgs, {\n cwd,\n stdio: \"pipe\",\n });\n } catch (err) {\n return {\n success: false,\n error: `Failed to apply native patch for ${packageSpec}: ${\n err instanceof Error ? err.message : String(err)\n }`,\n };\n } finally {\n await rm(tempPatchDir, { recursive: true, force: true });\n }\n\n return { success: true };\n}\n\nfunction extractPatchDirectory(output: string): string {\n const lines = output\n .split(/\\r?\\n/)\n .map((line) => line.trim())\n .filter(Boolean);\n\n for (const line of lines) {\n if (existsSync(line)) {\n return line;\n }\n\n const tokens = line.split(/\\s+/).map((token) => token.replace(/^['\"]|['\"]$/g, \"\"));\n for (const token of tokens) {\n if (token.startsWith(\"/\") && existsSync(token)) {\n return token;\n }\n }\n }\n\n return \"\";\n}\n\n/**\n * Validate patch by running tests in the project.\n */\nasync function validatePatchWithTests(cwd: string, packageManager: PackageManager): Promise<ValidationResult> {\n try {\n const commands = getPackageManagerCommands(packageManager);\n const [cmd, ...args] = commands.test;\n\n // Run package manager test command with a timeout\n const result = await execa(cmd, args, {\n cwd,\n timeout: 60000, // 60 second timeout\n stdio: \"pipe\",\n });\n\n return {\n passed: 
true,\n output: result.stdout,\n };\n } catch (err) {\n // Extract useful error information\n const errorOutput =\n err instanceof Error && \"stdout\" in err\n ? (err as Record<string, string>).stdout\n : \"\";\n const failedTests = extractFailedTests(errorOutput);\n\n return {\n passed: false,\n output: errorOutput,\n failedTests,\n };\n }\n}\n\n/**\n * Parse test output to extract names of failed tests.\n * (Basic implementation; real implementation would parse different test runners)\n */\nfunction extractFailedTests(output: string): string[] {\n const failedTests: string[] = [];\n\n // Common test failure patterns\n const patterns = [\n /✖\\s+(.+?)(?:\\n|$)/g, // Mocha style\n /●\\s+(.+)(?:\\n|$)/g, // Jest style\n /FAIL.*?(.+?)(?:\\n|$)/g, // Generic FAIL\n ];\n\n for (const pattern of patterns) {\n let match;\n while ((match = pattern.exec(output)) !== null) {\n if (match[1]) {\n failedTests.push(match[1].trim());\n }\n }\n }\n\n return failedTests.slice(0, 5); // Return first 5 failures\n}\n","import { extname } from \"node:path\";\nimport { readFileSync } from \"node:fs\";\nimport { parseNpmAuditJsonFile, type NormalizedFinding } from \"./adapters/npm-audit.js\";\nimport { parseYarnAuditJsonFile } from \"./adapters/yarn-audit.js\";\nimport { parseSarifFile } from \"./adapters/sarif.js\";\n\nexport type { NormalizedFinding } from \"./adapters/npm-audit.js\";\nexport type ScanInputFormat = \"npm-audit\" | \"yarn-audit\" | \"sarif\" | \"auto\";\n\nexport function parseScanInput(filePath: string, format: ScanInputFormat): NormalizedFinding[] {\n const resolved = format === \"auto\" ? 
inferFormat(filePath) : format;\n\n if (resolved === \"npm-audit\") {\n return parseNpmAuditJsonFile(filePath);\n }\n if (resolved === \"yarn-audit\") {\n return parseYarnAuditJsonFile(filePath);\n }\n if (resolved === \"sarif\") {\n return parseSarifFile(filePath);\n }\n\n throw new Error(`Unsupported input format: ${resolved}`);\n}\n\nfunction inferFormat(filePath: string): Exclude<ScanInputFormat, \"auto\"> {\n const ext = extname(filePath).toLowerCase();\n if (ext === \".sarif\") return \"sarif\";\n\n try {\n const content = readFileSync(filePath, \"utf8\");\n const firstLine = content.split(\"\\n\").find((line) => line.trim().startsWith(\"{\"));\n if (firstLine) {\n const parsed = JSON.parse(firstLine) as { type?: string };\n if (parsed.type === \"auditAdvisory\" || parsed.type === \"auditSummary\") {\n return \"yarn-audit\";\n }\n }\n } catch {\n // Ignore parse failures and fall back to npm-audit.\n }\n\n return \"npm-audit\";\n}\n\nexport function uniqueCveIds(findings: NormalizedFinding[]): string[] {\n return [...new Set(findings.map((f) => f.cveId.toUpperCase()))];\n}\n","import { readFileSync } from \"node:fs\";\n\nexport interface NormalizedFinding {\n cveId: string;\n source: \"npm-audit\" | \"yarn-audit\" | \"sarif\";\n packageName?: string;\n severity?: \"LOW\" | \"MEDIUM\" | \"HIGH\" | \"CRITICAL\" | \"UNKNOWN\";\n}\n\ninterface NpmAuditVulnerability {\n name: string;\n via: Array<string | { source?: number; name?: string; url?: string; severity?: string; cwe?: string[]; cvss?: { score?: number } }>;\n severity?: string;\n}\n\ninterface NpmAuditReport {\n vulnerabilities?: Record<string, NpmAuditVulnerability>;\n}\n\nconst CVE_REGEX = /CVE-\\d{4}-\\d+/gi;\n\nfunction normalizeSeverity(raw?: string): NormalizedFinding[\"severity\"] {\n if (!raw) return \"UNKNOWN\";\n const up = raw.toUpperCase();\n if (up === \"CRITICAL\" || up === \"HIGH\" || up === \"MEDIUM\" || up === \"LOW\") {\n return up;\n }\n return \"UNKNOWN\";\n}\n\nexport function 
parseNpmAuditJsonFromString(content: string): NormalizedFinding[] {\n const report = JSON.parse(content) as NpmAuditReport;\n const findings: NormalizedFinding[] = [];\n const seen = new Set<string>();\n\n for (const vuln of Object.values(report.vulnerabilities ?? {})) {\n for (const viaEntry of vuln.via ?? []) {\n const text = typeof viaEntry === \"string\" ? viaEntry : `${viaEntry.url ?? \"\"} ${viaEntry.name ?? \"\"}`;\n const matches = text.match(CVE_REGEX) ?? [];\n for (const match of matches) {\n const cveId = match.toUpperCase();\n const key = `${cveId}:${vuln.name}`;\n if (seen.has(key)) continue;\n seen.add(key);\n findings.push({\n cveId,\n source: \"npm-audit\",\n packageName: vuln.name,\n severity: normalizeSeverity(vuln.severity),\n });\n }\n }\n }\n\n return findings;\n}\n\nexport function parseNpmAuditJsonFile(filePath: string): NormalizedFinding[] {\n const content = readFileSync(filePath, \"utf8\");\n return parseNpmAuditJsonFromString(content);\n}\n","import { readFileSync } from \"node:fs\";\nimport type { NormalizedFinding } from \"./npm-audit.js\";\n\nconst CVE_REGEX = /CVE-\\d{4}-\\d+/gi;\n\nfunction normalizeSeverity(raw?: string): NormalizedFinding[\"severity\"] {\n if (!raw) return \"UNKNOWN\";\n const up = raw.toUpperCase();\n if (up === \"CRITICAL\" || up === \"HIGH\" || up === \"MEDIUM\" || up === \"LOW\") {\n return up;\n }\n return \"UNKNOWN\";\n}\n\nexport function parseYarnAuditJsonFromString(content: string): NormalizedFinding[] {\n const findings: NormalizedFinding[] = [];\n const seen = new Set<string>();\n\n const lines = content\n .split(\"\\n\")\n .map((line) => line.trim())\n .filter(Boolean);\n\n for (const line of lines) {\n let parsed: unknown;\n try {\n parsed = JSON.parse(line);\n } catch {\n continue;\n }\n\n const event = parsed as {\n type?: string;\n data?: {\n advisory?: {\n module_name?: string;\n severity?: string;\n url?: string;\n cves?: string[];\n };\n };\n };\n\n if (event.type !== \"auditAdvisory\") 
continue;\n\n const advisory = event.data?.advisory;\n const packageName = advisory?.module_name;\n const severity = normalizeSeverity(advisory?.severity);\n\n const text = `${advisory?.url ?? \"\"} ${(advisory?.cves ?? []).join(\" \")}`;\n const matches = text.match(CVE_REGEX) ?? [];\n\n for (const match of matches) {\n const cveId = match.toUpperCase();\n const key = `${cveId}:${packageName ?? \"\"}`;\n if (seen.has(key)) continue;\n seen.add(key);\n\n findings.push({\n cveId,\n source: \"yarn-audit\",\n packageName,\n severity,\n });\n }\n }\n\n return findings;\n}\n\nexport function parseYarnAuditJsonFile(filePath: string): NormalizedFinding[] {\n const content = readFileSync(filePath, \"utf8\");\n return parseYarnAuditJsonFromString(content);\n}\n","import { readFileSync } from \"node:fs\";\nimport type { NormalizedFinding } from \"./npm-audit.js\";\n\ninterface SarifResult {\n ruleId?: string;\n message?: { text?: string };\n properties?: Record<string, unknown>;\n}\n\ninterface SarifRun {\n results?: SarifResult[];\n}\n\ninterface SarifReport {\n runs?: SarifRun[];\n}\n\nconst CVE_REGEX = /CVE-\\d{4}-\\d+/gi;\n\nfunction extractPackageName(result: SarifResult): string | undefined {\n const pkg = result.properties?.[\"packageName\"];\n return typeof pkg === \"string\" ? pkg : undefined;\n}\n\nexport function parseSarifFromString(content: string): NormalizedFinding[] {\n const report = JSON.parse(content) as SarifReport;\n const findings: NormalizedFinding[] = [];\n const seen = new Set<string>();\n\n for (const run of report.runs ?? []) {\n for (const result of run.results ?? []) {\n const combined = `${result.ruleId ?? \"\"} ${result.message?.text ?? \"\"}`;\n const matches = combined.match(CVE_REGEX) ?? [];\n for (const match of matches) {\n const cveId = match.toUpperCase();\n const pkg = extractPackageName(result);\n const key = `${cveId}:${pkg ?? 
\"\"}`;\n if (seen.has(key)) continue;\n seen.add(key);\n findings.push({\n cveId,\n source: \"sarif\",\n packageName: pkg,\n severity: \"UNKNOWN\",\n });\n }\n }\n }\n\n return findings;\n}\n\nexport function parseSarifFile(filePath: string): NormalizedFinding[] {\n const content = readFileSync(filePath, \"utf8\");\n return parseSarifFromString(content);\n}\n","import { mkdirSync, writeFileSync } from \"node:fs\";\nimport { join } from \"node:path\";\n\nexport interface EvidenceStep {\n at: string;\n action: string;\n input?: Record<string, unknown>;\n output?: Record<string, unknown>;\n error?: string;\n}\n\nexport interface EvidenceLog {\n runId: string;\n requestId?: string;\n sessionId?: string;\n parentRunId?: string;\n actor?: string;\n source?: \"cli\" | \"sdk\" | \"mcp\" | \"openapi\" | \"unknown\";\n idempotencyKey?: string;\n cveIds: string[];\n cwd: string;\n startedAt: string;\n finishedAt?: string;\n steps: EvidenceStep[];\n}\n\ninterface EvidenceContext {\n requestId?: string;\n sessionId?: string;\n parentRunId?: string;\n actor?: string;\n source?: \"cli\" | \"sdk\" | \"mcp\" | \"openapi\" | \"unknown\";\n idempotencyKey?: string;\n}\n\nexport function createEvidenceLog(cwd: string, cveIds: string[], context: EvidenceContext = {}): EvidenceLog {\n return {\n runId: `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,\n requestId: context.requestId,\n sessionId: context.sessionId,\n parentRunId: context.parentRunId,\n actor: context.actor,\n source: context.source,\n idempotencyKey: context.idempotencyKey,\n cveIds,\n cwd,\n startedAt: new Date().toISOString(),\n steps: [],\n };\n}\n\nexport function addEvidenceStep(\n log: EvidenceLog,\n action: string,\n input?: Record<string, unknown>,\n output?: Record<string, unknown>,\n error?: string\n): void {\n log.steps.push({\n at: new Date().toISOString(),\n action,\n input,\n output,\n error,\n });\n}\n\nexport function finalizeEvidence(log: EvidenceLog): EvidenceLog {\n log.finishedAt = new 
Date().toISOString();\n return log;\n}\n\nexport function writeEvidenceLog(cwd: string, log: EvidenceLog): string {\n const dir = join(cwd, \".autoremediator\", \"evidence\");\n mkdirSync(dir, { recursive: true });\n const filePath = join(dir, `${log.runId}.json`);\n writeFileSync(filePath, JSON.stringify(log, null, 2) + \"\\n\", \"utf8\");\n return filePath;\n}\n","import { existsSync, mkdirSync, readFileSync, writeFileSync } from \"node:fs\";\nimport { join } from \"node:path\";\nimport type { RemediationReport } from \"./types.js\";\n\ninterface IdempotencyEntry {\n key: string;\n cveId: string;\n report: RemediationReport;\n savedAt: string;\n}\n\ninterface IdempotencyIndex {\n schemaVersion: \"1.0\";\n entries: Record<string, IdempotencyEntry>;\n}\n\nconst DEFAULT_INDEX: IdempotencyIndex = {\n schemaVersion: \"1.0\",\n entries: {},\n};\n\nfunction indexFilePath(cwd: string): string {\n return join(cwd, \".autoremediator\", \"state\", \"idempotency.json\");\n}\n\nfunction entryKey(idempotencyKey: string, cveId: string): string {\n return `${idempotencyKey}::${cveId.toUpperCase()}`;\n}\n\nfunction loadIndex(cwd: string): IdempotencyIndex {\n const filePath = indexFilePath(cwd);\n if (!existsSync(filePath)) return DEFAULT_INDEX;\n\n try {\n const parsed = JSON.parse(readFileSync(filePath, \"utf8\")) as IdempotencyIndex;\n if (parsed && parsed.schemaVersion === \"1.0\" && parsed.entries) {\n return parsed;\n }\n return DEFAULT_INDEX;\n } catch {\n return DEFAULT_INDEX;\n }\n}\n\nfunction saveIndex(cwd: string, index: IdempotencyIndex): void {\n const filePath = indexFilePath(cwd);\n mkdirSync(join(cwd, \".autoremediator\", \"state\"), { recursive: true });\n writeFileSync(filePath, JSON.stringify(index, null, 2) + \"\\n\", \"utf8\");\n}\n\nexport function readIdempotentReport(\n cwd: string,\n idempotencyKey: string,\n cveId: string\n): RemediationReport | undefined {\n const index = loadIndex(cwd);\n const key = entryKey(idempotencyKey, cveId);\n return 
index.entries[key]?.report;\n}\n\nexport function storeIdempotentReport(\n cwd: string,\n idempotencyKey: string,\n cveId: string,\n report: RemediationReport\n): void {\n const index = loadIndex(cwd);\n const key = entryKey(idempotencyKey, cveId);\n index.entries[key] = {\n key: idempotencyKey,\n cveId: cveId.toUpperCase(),\n report,\n savedAt: new Date().toISOString(),\n };\n saveIndex(cwd, index);\n}\n","/**\n * autoremediator public SDK\n *\n * Usage:\n * import { remediate } from 'autoremediator';\n * const report = await remediate('CVE-2021-23337', { cwd: '/my/project' });\n */\nimport { runRemediationPipeline } from \"./remediation/pipeline.js\";\nimport type {\n CorrelationContext,\n ProvenanceContext,\n RemediationConstraints,\n RemediateOptions,\n RemediationReport,\n} from \"./platform/types.js\";\nimport { parseScanInput, type ScanInputFormat, uniqueCveIds } from \"./scanner/index.js\";\nimport { addEvidenceStep, createEvidenceLog, finalizeEvidence, writeEvidenceLog } from \"./platform/evidence.js\";\nimport { isPackageAllowed, loadPolicy } from \"./platform/policy.js\";\nimport { readIdempotentReport, storeIdempotentReport } from \"./platform/idempotency.js\";\n\nexport { runRemediationPipeline } from \"./remediation/pipeline.js\";\n\nexport type {\n CorrelationContext,\n RemediationConstraints,\n ProvenanceContext,\n RemediateOptions,\n RemediationReport,\n CveDetails,\n AffectedPackage,\n InventoryPackage,\n VulnerablePackage,\n PatchResult,\n PatchStrategy,\n} from \"./platform/types.js\";\nexport type { ScanInputFormat } from \"./scanner/index.js\";\n\nexport interface ScanOptions extends RemediateOptions {\n format?: ScanInputFormat;\n policy?: string;\n evidence?: boolean;\n}\n\nexport interface ScanReport {\n schemaVersion: \"1.0\";\n status: \"ok\" | \"partial\" | \"failed\";\n generatedAt: string;\n cveIds: string[];\n reports: RemediationReport[];\n successCount: number;\n failedCount: number;\n errors: Array<{ cveId: string; message: string 
}>;\n evidenceFile?: string;\n patchCount: number;\n patchValidationFailures?: Array<{\n packageName: string;\n cveId: string;\n error: string;\n }>;\n patchesDir?: string;\n correlation?: CorrelationContext;\n provenance?: ProvenanceContext;\n constraints?: RemediationConstraints;\n idempotencyKey?: string;\n}\n\nexport interface CiSummary {\n schemaVersion: \"1.0\";\n status: \"ok\" | \"partial\" | \"failed\";\n generatedAt: string;\n cveCount: number;\n remediationCount: number;\n successCount: number;\n failedCount: number;\n errors: Array<{ cveId: string; message: string }>;\n evidenceFile?: string;\n patchCount?: number;\n patchValidationFailures?: Array<{\n packageName: string;\n cveId: string;\n error: string;\n }>;\n patchesDir?: string;\n correlation?: CorrelationContext;\n provenance?: ProvenanceContext;\n constraints?: RemediationConstraints;\n idempotencyKey?: string;\n}\n\nfunction buildRequestId(): string {\n return `req-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;\n}\n\nfunction resolveCorrelationContext(options: RemediateOptions): Required<Pick<CorrelationContext, \"requestId\">> & CorrelationContext {\n return {\n requestId: options.requestId ?? buildRequestId(),\n sessionId: options.sessionId,\n parentRunId: options.parentRunId,\n };\n}\n\nfunction resolveProvenanceContext(options: RemediateOptions): ProvenanceContext {\n return {\n actor: options.actor,\n source: options.source ?? 
\"sdk\",\n };\n}\n\nfunction resolveConstraints(options: RemediateOptions, cwd: string): RemediationConstraints {\n const policy = loadPolicy(cwd, options.policy);\n return {\n directDependenciesOnly:\n options.constraints?.directDependenciesOnly ??\n policy.constraints?.directDependenciesOnly ??\n false,\n preferVersionBump:\n options.constraints?.preferVersionBump ??\n policy.constraints?.preferVersionBump ??\n false,\n };\n}\n\nfunction enforceConstraints(\n report: RemediationReport,\n constraints: RemediationConstraints\n): RemediationReport {\n const indirectPackages = new Set(\n report.vulnerablePackages\n .filter((vp) => vp.installed.type === \"indirect\")\n .map((vp) => vp.installed.name)\n );\n\n const nextResults = report.results.map((result) => {\n if (constraints.directDependenciesOnly && indirectPackages.has(result.packageName)) {\n return {\n ...result,\n strategy: \"none\" as const,\n applied: false,\n message: `Constraint blocked remediation for indirect dependency \\\"${result.packageName}\\\".`,\n };\n }\n\n if (constraints.preferVersionBump && result.strategy === \"patch-file\") {\n return {\n ...result,\n strategy: \"none\" as const,\n applied: false,\n message: `Constraint prefers version-bump and rejected patch-file remediation for \\\"${result.packageName}\\\".`,\n };\n }\n\n return result;\n });\n\n return {\n ...report,\n results: nextResults,\n constraints,\n };\n}\n\n/**\n * Main entry point for programmatic use.\n *\n * @param cveId - CVE identifier, e.g. \"CVE-2021-23337\"\n * @param options - Optional configuration (cwd, dryRun, llmProvider, etc.)\n * @returns A RemediationReport describing what was found and done\n */\nexport async function remediate(cveId: string, options: RemediateOptions = {}): Promise<RemediationReport> {\n if (!/^CVE-\\d{4}-\\d+$/i.test(cveId)) {\n throw new Error(\n `Invalid CVE ID: \"${cveId}\". Expected format: CVE-YYYY-NNNNN (e.g. CVE-2021-23337).`\n );\n }\n const cwd = options.cwd ?? 
process.cwd();\n const constraints = resolveConstraints(options, cwd);\n const provenance = resolveProvenanceContext(options);\n const correlation = resolveCorrelationContext(options);\n\n if (options.resume && options.idempotencyKey) {\n const cached = readIdempotentReport(cwd, options.idempotencyKey, cveId.toUpperCase());\n if (cached) {\n return {\n ...cached,\n summary: `${cached.summary} (resumed from idempotency cache)`,\n correlation,\n provenance,\n constraints,\n resumedFromCache: true,\n };\n }\n }\n\n const report = await runRemediationPipeline(cveId.toUpperCase(), {\n ...options,\n ...correlation,\n constraints,\n });\n const constrainedReport = enforceConstraints(report, constraints);\n const finalReport = {\n ...constrainedReport,\n correlation,\n provenance,\n constraints,\n resumedFromCache: false,\n };\n\n if (options.idempotencyKey && !options.dryRun && !options.preview) {\n storeIdempotentReport(cwd, options.idempotencyKey, cveId.toUpperCase(), finalReport);\n }\n\n return {\n ...finalReport,\n };\n}\n\n/**\n * Non-mutating preview entrypoint for planning and orchestration.\n */\nexport async function planRemediation(\n cveId: string,\n options: RemediateOptions = {}\n): Promise<RemediationReport> {\n return remediate(cveId, {\n ...options,\n preview: true,\n dryRun: true,\n });\n}\n\n/**\n * Scanner-first entrypoint: parse a scanner output file (npm audit JSON or SARIF),\n * extract CVEs, and run remediations one-by-one.\n */\nexport async function remediateFromScan(\n inputPath: string,\n options: ScanOptions = {}\n): Promise<ScanReport> {\n const cwd = options.cwd ?? process.cwd();\n const format = options.format ?? \"auto\";\n const patchesDir = options.patchesDir ?? 
\"./patches\";\n\n const findings = parseScanInput(inputPath, format);\n const cveIds = uniqueCveIds(findings);\n const policy = loadPolicy(cwd, options.policy);\n const correlation = resolveCorrelationContext(options);\n const provenance = resolveProvenanceContext(options);\n const constraints = resolveConstraints(options, cwd);\n\n const evidence = createEvidenceLog(cwd, cveIds, {\n ...correlation,\n actor: provenance.actor,\n source: provenance.source,\n idempotencyKey: options.idempotencyKey,\n });\n addEvidenceStep(evidence, \"scan.parse\", { inputPath, format }, { findingCount: findings.length, cveCount: cveIds.length });\n\n const reports: RemediationReport[] = [];\n const errors: Array<{ cveId: string; message: string }> = [];\n const patchValidationFailures: Array<{\n packageName: string;\n cveId: string;\n error: string;\n }> = [];\n let patchCount = 0;\n\n for (const cveId of cveIds) {\n try {\n addEvidenceStep(evidence, \"remediate.start\", { cveId });\n const report = await remediate(cveId, {\n ...options,\n patchesDir,\n ...correlation,\n actor: provenance.actor,\n source: provenance.source,\n constraints,\n });\n\n // Keep a defensive filter in case upstream tools return unexpected packages.\n report.results = report.results.filter((r) => isPackageAllowed(policy, r.packageName));\n\n // Count patches and collect validation failures\n for (const result of report.results) {\n if (result.strategy === \"patch-file\") {\n patchCount += 1;\n }\n if (result.validation?.passed === false && result.validation?.error) {\n patchValidationFailures.push({\n packageName: result.packageName,\n cveId,\n error: result.validation.error,\n });\n }\n }\n\n reports.push(report);\n addEvidenceStep(evidence, \"remediate.finish\", { cveId }, { results: report.results.length });\n } catch (error) {\n const message = error instanceof Error ? 
error.message : String(error);\n errors.push({ cveId, message });\n addEvidenceStep(evidence, \"remediate.error\", { cveId }, undefined, message);\n }\n }\n\n let successCount = 0;\n let failedCount = 0;\n for (const report of reports) {\n for (const result of report.results) {\n if (result.applied || result.dryRun) {\n successCount += 1;\n } else {\n failedCount += 1;\n }\n }\n }\n\n failedCount += errors.length;\n\n let status: ScanReport[\"status\"] = \"ok\";\n if (failedCount > 0 && successCount > 0) {\n status = \"partial\";\n } else if (failedCount > 0 && successCount === 0) {\n status = \"failed\";\n }\n\n finalizeEvidence(evidence);\n const evidenceFile = options.evidence === false ? undefined : writeEvidenceLog(cwd, evidence);\n\n return {\n schemaVersion: \"1.0\",\n status,\n generatedAt: new Date().toISOString(),\n cveIds,\n reports,\n successCount,\n failedCount,\n errors,\n evidenceFile,\n patchCount,\n patchValidationFailures: patchValidationFailures.length > 0 ? patchValidationFailures : undefined,\n patchesDir: patchCount > 0 ? 
patchesDir : undefined,\n correlation,\n provenance,\n constraints,\n idempotencyKey: options.idempotencyKey,\n };\n}\n\nexport function toCiSummary(report: ScanReport): CiSummary {\n let remediationCount = 0;\n for (const cveReport of report.reports) {\n remediationCount += cveReport.results.length;\n }\n\n return {\n schemaVersion: report.schemaVersion,\n status: report.status,\n generatedAt: report.generatedAt,\n cveCount: report.cveIds.length,\n remediationCount,\n successCount: report.successCount,\n failedCount: report.failedCount,\n errors: report.errors,\n evidenceFile: report.evidenceFile,\n patchCount: report.patchCount || 0,\n patchValidationFailures: report.patchValidationFailures,\n patchesDir: report.patchesDir,\n correlation: report.correlation,\n provenance: report.provenance,\n constraints: report.constraints,\n idempotencyKey: report.idempotencyKey,\n };\n}\n\nexport function ciExitCode(summary: CiSummary): number {\n return summary.failedCount > 0 ? 1 : 0;\n}\n"],"mappings":";AAUA,SAAS,gBAAAA,qBAAoB;AAC7B,SAAS,cAAAC,aAAY,gBAAAC,qBAAoB;AACzC,SAAS,QAAAC,aAAY;AACrB,OAAOC,aAAY;;;ACHZ,SAAS,gBAAgB,UAA4B,CAAC,GAAsB;AACjF,QAAM,MACJ,QAAQ,eACR,QAAQ,IAAI,+BACZ;AAEF,MAAI,QAAQ,YAAY,QAAQ,eAAe,QAAQ,SAAS;AAC9D,UAAM,IAAI;AAAA,MACR,6BAA6B,GAAG;AAAA,IAClC;AAAA,EACF;AACA,SAAO;AACT;AAEO,SAAS,iBACd,UACA,UAA4B,CAAC,GACrB;AACR,MAAI,QAAQ,MAAO,QAAO,QAAQ;AAClC,MAAI,QAAQ,IAAI,qBAAsB,QAAO,QAAQ,IAAI;AAEzD,QAAM,WAA8C;AAAA,IAClD,QAAQ;AAAA,IACR,WAAW;AAAA,IACX,OAAO;AAAA,EACT;AACA,SAAO,SAAS,QAAQ;AAC1B;AAGA,eAAsB,YAAY,UAA4B,CAAC,GAA6B;AAC1F,QAAM,WAAW,gBAAgB,OAAO;AAExC,MAAI,aAAa,SAAS;AACxB,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,YAAY,iBAAiB,UAAU,OAAO;AAEpD,MAAI,aAAa,UAAU;AACzB,UAAM,SAAS,QAAQ,IAAI;AAC3B,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,UAAM,EAAE,aAAa,IAAI,MAAM,OAAO,gBAAgB;AACtD,UAAM,SAAS,aAAa,EAAE,OAAO,CAAC;AACtC,WAAO,OAAO,SAAS;AAAA,EACzB;AAEA,MAAI,aAAa,aAAa;AAC5B,UAAM,SAAS,QAAQ,IAAI;AAC3B,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA
,IACF;AACA,UAAM,EAAE,gBAAgB,IAAI,MAAM,OAAO,mBAAmB;AAC5D,UAAM,YAAY,gBAAgB,EAAE,OAAO,CAAC;AAC5C,WAAO,UAAU,SAAS;AAAA,EAC5B;AAEA,QAAM,IAAI,MAAM,uBAAuB,QAAQ,EAAE;AACnD;AAMO,SAAS,eAA0B;AACxC,SAAO;AAAA,IACL,QAAQ,QAAQ,IAAI;AAAA,EACtB;AACF;AAEO,SAAS,iBAAqC;AACnD,SAAO,QAAQ,IAAI;AACrB;AAcO,SAAS,8BAAwD;AACtE,SAAO;AAAA,IACL,mBACE,QAAQ,IAAI,sCACZ;AAAA,IACF,iBACE,QAAQ,IAAI,oCACZ;AAAA,IACF,SACE,QAAQ,IAAI,2BACZ;AAAA,IACF,gBACE,QAAQ,IAAI,mCACZ;AAAA,IACF,YACE,QAAQ,IAAI,8BACZ;AAAA,IACF,cACE,QAAQ,IAAI,gCACZ;AAAA,IACF,sBAAsB,QAAQ,IAAI,wCAAwC,IACvE,MAAM,GAAG,EACT,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EACnB,OAAO,OAAO;AAAA,IACjB,kBAAkB,QAAQ,IAAI,mCAAmC,IAC9D,MAAM,GAAG,EACT,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EACnB,OAAO,OAAO;AAAA,IACjB,qBAAqB,QAAQ,IAAI;AAAA,EACnC;AACF;;;ACtIA,SAAS,kBAAkB;AAC3B,SAAS,YAAY;AAad,SAAS,qBAAqB,KAA6B;AAChE,MAAI,WAAW,KAAK,KAAK,gBAAgB,CAAC,EAAG,QAAO;AACpD,MAAI,WAAW,KAAK,KAAK,WAAW,CAAC,EAAG,QAAO;AAC/C,SAAO;AACT;AAEO,SAAS,0BAA0B,IAA4C;AACpF,MAAI,OAAO,QAAQ;AACjB,WAAO;AAAA,MACL,SAAS,CAAC,QAAQ,SAAS;AAAA,MAC3B,sBAAsB,CAAC,QAAQ,WAAW,kBAAkB;AAAA,MAC5D,YAAY,CAAC,QAAgB,CAAC,QAAQ,OAAO,MAAM,GAAG;AAAA,MACtD,MAAM,CAAC,QAAQ,MAAM;AAAA,MACrB,MAAM,CAAC,QAAQ,QAAQ,UAAU,WAAW,IAAI;AAAA,MAChD,cAAc;AAAA,IAChB;AAAA,EACF;AAEA,MAAI,OAAO,QAAQ;AACjB,WAAO;AAAA,MACL,SAAS,CAAC,QAAQ,SAAS;AAAA,MAC3B,sBAAsB,CAAC,QAAQ,SAAS;AAAA,MACxC,YAAY,CAAC,QAAgB,CAAC,QAAQ,OAAO,SAAS,GAAG;AAAA,MACzD,MAAM,CAAC,QAAQ,MAAM;AAAA,MACrB,MAAM,CAAC,QAAQ,QAAQ,QAAQ;AAAA,MAC/B,cAAc;AAAA,IAChB;AAAA,EACF;AAEA,SAAO;AAAA,IACL,SAAS,CAAC,OAAO,SAAS;AAAA,IAC1B,sBAAsB,CAAC,OAAO,WAAW,kBAAkB;AAAA,IAC3D,YAAY,CAAC,QAAgB,CAAC,OAAO,WAAW,cAAc,GAAG;AAAA,IACjE,MAAM,CAAC,OAAO,MAAM;AAAA,IACpB,MAAM,CAAC,OAAO,QAAQ,UAAU,OAAO;AAAA,IACvC,cAAc;AAAA,EAChB;AACF;AAEO,SAAS,gBAAgB,IAAoB,QAAqC;AACvF,QAAM,WAAW,oBAAI,IAAoB;AAEzC,MAAI,CAAC,OAAO,KAAK,EAAG,QAAO;AAE3B,MAAI,OAAO,QAAQ;AACjB,UAAM,QAAQ,OACX,MAAM,IAAI,EACV,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EACnB,OAAO,OAAO;AAEjB,eAAW,QAAQ,OAAO;AACxB,UAAI;AACF,cAAM,MAAM,KAAK,MAAM,IAAI;AAC3B,YAAI,IAAI,SAAS,OAAQ;AAEzB,mBAAW,QAAQ,IAAI,MAAM,SAAS
,CAAC,GAAG;AACxC,gBAAM,MAAM,KAAK,QAAQ;AACzB,gBAAM,KAAK,IAAI,YAAY,GAAG;AAC9B,cAAI,MAAM,EAAG;AACb,gBAAM,OAAO,IAAI,MAAM,GAAG,EAAE;AAC5B,gBAAM,UAAU,IAAI,MAAM,KAAK,CAAC;AAChC,cAAI,QAAQ,SAAS;AACnB,qBAAS,IAAI,MAAM,OAAO;AAAA,UAC5B;AAAA,QACF;AAAA,MACF,QAAQ;AAAA,MAER;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,MAAM;AAAA,EAC5B,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,QAAM,OAAO,MAAM,QAAQ,MAAM,IAAI,OAAO,CAAC,IAAI;AAOjD,WAAS,oBAAoB,MAA6C;AACxE,QAAI,CAAC,KAAM;AAEX,eAAW,CAAC,MAAM,KAAK,KAAK,OAAO,QAAQ,IAAI,GAAG;AAChD,UAAI,CAAC,SAAS,OAAO,UAAU,SAAU;AACzC,YAAM,UAAU,MAAM;AACtB,UAAI,OAAO,YAAY,YAAY,SAAS;AAC1C,iBAAS,IAAI,MAAM,OAAO;AAAA,MAC5B;AACA,0BAAoB,MAAM,YAAY;AAAA,IACxC;AAAA,EACF;AAEA,sBAAqB,MAAwE,YAAY;AAEzG,SAAO;AACT;;;AC9GA,SAAS,YAAY;AACrB,SAAS,SAAS;;;ACClB,IAAM,WAAW;AAuDjB,eAAsB,aAAa,OAAiD;AAClF,QAAM,MAAM,GAAG,QAAQ,UAAU,mBAAmB,KAAK,CAAC;AAC1D,QAAM,MAAM,MAAM,MAAM,KAAK;AAAA,IAC3B,SAAS,EAAE,QAAQ,mBAAmB;AAAA,EACxC,CAAC;AAED,MAAI,IAAI,WAAW,IAAK,QAAO;AAC/B,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,IAAI,MAAM,iBAAiB,IAAI,MAAM,QAAQ,KAAK,KAAK,MAAM,IAAI,KAAK,CAAC,EAAE;AAAA,EACjF;AAEA,SAAO,IAAI,KAAK;AAClB;AAOA,SAAS,uBAAuB,QAAkC;AAChE,QAAM,QAAkB,CAAC;AAEzB,aAAW,SAAS,QAAQ;AAC1B,QAAI,MAAM,eAAe,QAAW;AAClC,YAAM,IAAI,MAAM,eAAe,MAAM,UAAU,MAAM;AACrD,YAAM,KAAK,KAAK,CAAC,EAAE;AAAA,IACrB;AACA,QAAI,MAAM,UAAU,QAAW;AAC7B,YAAM,KAAK,IAAI,MAAM,KAAK,EAAE;AAAA,IAC9B;AACA,QAAI,MAAM,kBAAkB,QAAW;AACrC,YAAM,KAAK,KAAK,MAAM,aAAa,EAAE;AAAA,IACvC;AAAA,EACF;AAEA,SAAO,MAAM,KAAK,GAAG,KAAK;AAC5B;AAMO,SAAS,aAAa,MAAoC;AAC/D,QAAM,cAAiC,CAAC;AAExC,aAAW,YAAY,KAAK,YAAY,CAAC,GAAG;AAC1C,UAAM,YAAY,SAAS,SAAS;AACpC,UAAM,cAAc,SAAS,SAAS;AACtC,QAAI,CAAC,aAAa,OAAO,cAAc,SAAU;AACjD,QAAI,CAAC,eAAe,OAAO,gBAAgB,SAAU;AACrD,QAAI,UAAU,YAAY,MAAM,MAAO;AAGvC,UAAM,cAAc,SAAS,QAAQ,KAAK,CAAC,MAAM,EAAE,SAAS,QAAQ;AACpE,UAAM,kBAAkB,cACpB,uBAAuB,YAAY,MAAM,IACzC;AAGJ,UAAM,aAAa,aAAa,OAAO,KAAK,CAAC,MAAM,EAAE,UAAU,MAAS;AAExE,gBAAY,KAAK;AAAA,MACf,MAAM;AAAA,MACN,WAAW;AAAA,MACX;AAAA,MACA,qBAAqB,YAAY;AAAA,MACjC,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAGA,QAAM,WAAW,eAAe,KAA
K,QAAQ;AAE7C,SAAO;AAAA,IACL,IAAI,KAAK;AAAA,IACT,SAAS,KAAK,WAAW,KAAK,WAAW;AAAA,IACzC;AAAA,IACA,YAAY,KAAK,YAAY,IAAI,CAAC,MAAM,EAAE,GAAG,KAAK,CAAC;AAAA,IACnD,kBAAkB;AAAA,EACpB;AACF;AAEA,SAAS,eACP,iBACwB;AACxB,MAAI,CAAC,iBAAiB,OAAQ,QAAO;AAGrC,QAAM,YACJ,gBAAgB,KAAK,CAAC,MAAM,EAAE,SAAS,SAAS,KAAK,gBAAgB,CAAC;AAGxE,QAAM,aAAa,UAAU,MAAM,MAAM,aAAa;AACtD,MAAI,YAAY;AACd,UAAM,QAAQ,WAAW,WAAW,CAAC,CAAC;AACtC,QAAI,SAAS,EAAK,QAAO;AACzB,QAAI,SAAS,EAAK,QAAO;AACzB,QAAI,SAAS,EAAK,QAAO;AACzB,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAGA,eAAsB,aAAa,OAA2C;AAC5E,QAAM,OAAO,MAAM,aAAa,KAAK;AACrC,MAAI,CAAC,KAAM,QAAO;AAClB,SAAO,aAAa,IAAI;AAC1B;;;ACnKA,IAAM,mBAAmB;AA6BzB,SAAS,eAAuC;AAC9C,QAAM,UAAkC;AAAA,IACtC,QAAQ;AAAA,IACR,wBAAwB;AAAA,EAC1B;AACA,QAAM,QAAQ,eAAe;AAC7B,MAAI,OAAO;AACT,YAAQ,gBAAgB,UAAU,KAAK;AAAA,EACzC;AACA,SAAO;AACT;AAMA,eAAsB,kBAAkB,OAAsC;AAC5E,QAAM,MAAM,IAAI,IAAI,gBAAgB;AACpC,MAAI,aAAa,IAAI,UAAU,KAAK;AACpC,MAAI,aAAa,IAAI,aAAa,KAAK;AACvC,MAAI,aAAa,IAAI,QAAQ,UAAU;AACvC,MAAI,aAAa,IAAI,YAAY,IAAI;AAErC,QAAM,MAAM,MAAM,MAAM,IAAI,SAAS,GAAG,EAAE,SAAS,aAAa,EAAE,CAAC;AAEnE,MAAI,IAAI,WAAW,IAAK,QAAO,CAAC;AAChC,MAAI,CAAC,IAAI,IAAI;AAEX,YAAQ;AAAA,MACN,iDAAiD,IAAI,MAAM,QAAQ,KAAK;AAAA,IAC1E;AACA,WAAO,CAAC;AAAA,EACV;AAEA,SAAO,IAAI,KAAK;AAClB;AAMO,SAAS,kBAAkB,YAA6C;AAC7E,QAAM,WAA8B,CAAC;AAErC,aAAW,YAAY,YAAY;AACjC,eAAW,QAAQ,SAAS,iBAAiB;AAC3C,UAAI,KAAK,QAAQ,UAAU,YAAY,MAAM,MAAO;AAEpD,eAAS,KAAK;AAAA,QACZ,MAAM,KAAK,QAAQ;AAAA,QACnB,WAAW;AAAA,QACX,iBAAiB,KAAK,4BAA4B;AAAA,QAClD,qBAAqB,KAAK,yBAAyB;AAAA,QACnD,QAAQ;AAAA,MACV,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;AAMO,SAAS,0BACd,SACA,YACY;AACZ,QAAM,WAAW,EAAE,GAAG,QAAQ;AAE9B,aAAW,SAAS,YAAY;AAC9B,UAAM,WAAW,SAAS,iBAAiB;AAAA,MACzC,CAAC,MAAM,EAAE,SAAS,MAAM;AAAA,IAC1B;AAEA,QAAI,UAAU;AAEZ,UAAI,CAAC,SAAS,uBAAuB,MAAM,qBAAqB;AAC9D,iBAAS,sBAAsB,MAAM;AAAA,MACvC;AAAA,IACF,OAAO;AAEL,eAAS,iBAAiB,KAAK,KAAK;AAAA,IACtC;AAAA,EACF;AAEA,SAAO;AACT;AAGA,eAAsB,gBAAgB,OAA2C;AAC/E,QAAM,aAAa,MAAM,kBAAkB,KAAK;AAChD,SAAO,kBAAkB,UAAU;AACrC;;;ACzHA,IAAM,WAAW;AA2BjB,SAAS,kBAA0C;AACjD,QAAM,EAAE,OAAO,IAAI
,aAAa;AAChC,QAAM,UAAkC,EAAE,QAAQ,mBAAmB;AACrE,MAAI,QAAQ;AACV,YAAQ,SAAS;AAAA,EACnB;AACA,SAAO;AACT;AAOA,eAAsB,aACpB,OAC0E;AAC1E,QAAM,MAAM,GAAG,QAAQ,UAAU,mBAAmB,KAAK,CAAC;AAE1D,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,KAAK,EAAE,SAAS,gBAAgB,EAAE,CAAC;AAC3D,QAAI,CAAC,IAAI,GAAI,QAAO;AAEpB,UAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,UAAM,OAAO,KAAK,kBAAkB,CAAC;AACrC,QAAI,CAAC,KAAM,QAAO;AAElB,UAAM,UAAU,KAAK,IAAI;AACzB,UAAM,SACJ,SAAS,gBAAgB,CAAC,KAC1B,SAAS,gBAAgB,CAAC,KAC1B,SAAS,eAAe,CAAC;AAE3B,QAAI,CAAC,OAAQ,QAAO;AAEpB,UAAM,QAAQ,OAAO,SAAS;AAC9B,UAAM,cAAc,OAAO,SAAS,aAAa,YAAY;AAE7D,UAAM,cAAsD;AAAA,MAC1D,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,KAAK;AAAA,IACP;AAEA,WAAO;AAAA,MACL;AAAA,MACA,UAAU,YAAY,WAAW,KAAK;AAAA,IACxC;AAAA,EACF,QAAQ;AAEN,WAAO;AAAA,EACT;AACF;AAMA,eAAsB,cAAc,SAA0C;AAC5E,QAAM,OAAO,MAAM,aAAa,QAAQ,EAAE;AAC1C,MAAI,MAAM;AACR,YAAQ,YAAY,KAAK;AACzB,QAAI,QAAQ,aAAa,WAAW;AAClC,cAAQ,WAAW,KAAK;AAAA,IAC1B;AAAA,EACF;AACA,SAAO;AACT;;;AClGA,IAAM,eACJ;AAcF,eAAsB,mBAAqD;AACzE,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,cAAc;AAAA,MACpC,SAAS,EAAE,QAAQ,mBAAmB;AAAA,IACxC,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,WAAQ,MAAM,IAAI,KAAK;AAAA,EACzB,QAAQ;AAEN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,aACd,MACA,OACkC;AAClC,MAAI,CAAC,MAAM,iBAAiB,OAAQ,QAAO;AAC3C,QAAM,aAAa,MAAM,YAAY;AACrC,SAAO,KAAK,gBAAgB,KAAK,CAAC,MAAM,EAAE,MAAM,YAAY,MAAM,UAAU;AAC9E;AAEA,eAAsB,kBAAkB,SAA0C;AAChF,QAAM,OAAO,MAAM,iBAAiB;AACpC,QAAM,QAAQ,aAAa,MAAM,QAAQ,EAAE;AAC3C,MAAI,CAAC,MAAO,QAAO;AAEnB,UAAQ,MAAM;AAAA,IACZ,gBAAgB;AAAA,IAChB,WAAW,MAAM;AAAA,IACjB,SAAS,MAAM;AAAA,IACf,gBAAgB,MAAM;AAAA,IACtB,4BAA4B,MAAM;AAAA,EACpC;AAEA,MAAI,CAAC,QAAQ,WAAW,SAAS,YAAY,GAAG;AAC9C,YAAQ,WAAW,KAAK,YAAY;AAAA,EACtC;AAEA,SAAO;AACT;;;AC5CA,eAAsB,UAAU,OAA6C;AAC3E,QAAM,EAAE,QAAQ,IAAI,4BAA4B;AAChD,MAAI,CAAC,QAAS,QAAO;AAErB,MAAI;AACF,UAAM,MAAM,IAAI,IAAI,OAAO;AAC3B,QAAI,aAAa,IAAI,OAAO,KAAK;AAEjC,UAAM,MAAM,MAAM,MAAM,IAAI,SAAS,GAAG;AAAA,MACtC,SAAS,EAAE,QAAQ,mBAAmB;AAAA,IACxC,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AAEpB,UAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,WAAO,KAAK,OAAO,CAAC;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EAC
T;AACF;AAEA,eAAsB,eAAe,SAA0C;AAC7E,QAAM,MAAM,MAAM,UAAU,QAAQ,EAAE;AACtC,MAAI,CAAC,IAAK,QAAO;AAEjB,QAAM,QAAQ,OAAO,WAAW,IAAI,IAAI;AACxC,QAAM,aAAa,OAAO,WAAW,IAAI,UAAU;AACnD,MAAI,CAAC,OAAO,SAAS,KAAK,KAAK,CAAC,OAAO,SAAS,UAAU,GAAG;AAC3D,WAAO;AAAA,EACT;AAEA,UAAQ,OAAO;AAAA,IACb;AAAA,IACA;AAAA,IACA,MAAM,IAAI;AAAA,EACZ;AACA,SAAO;AACT;;;ACnCA,SAAS,uBAAuB,WAA8C;AAC5E,MAAI,CAAC,WAAW,cAAc,OAAQ,QAAO;AAC7C,QAAM,KAAK,UAAU,aAAa,KAAK,CAAC,MAAM,EAAE,SAAS,QAAQ,EAAE,KAAK;AACxE,UAAQ,IAAI,SAAS,UAAU,aAAa,CAAC,GAAG,QAAQ,KAAK,KAAK;AACpE;AAEA,SAAS,kBAAkB,QAA6B;AACtD,QAAM,OAAO,oBAAI,IAAY;AAC7B,QAAM,UAAU,OAAO,YAAY,KAAK,cAAc,CAAC;AACvD,QAAM,WAAW,OAAO,YAAY,OAAO,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;AAEhF,aAAW,OAAO,CAAC,GAAG,SAAS,GAAG,OAAO,GAAG;AAC1C,QAAI,IAAI,IAAK,MAAK,IAAI,IAAI,GAAG;AAAA,EAC/B;AACA,SAAO,MAAM,KAAK,IAAI;AACxB;AAEA,eAAsB,uBAAuB,OAA+C;AAC1F,QAAM,EAAE,eAAe,IAAI,4BAA4B;AACvD,MAAI,CAAC,eAAgB,QAAO;AAE5B,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,cAAc,IAAI,mBAAmB,KAAK,CAAC,IAAI;AAAA,MACxE,SAAS,EAAE,QAAQ,mBAAmB;AAAA,IACxC,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,WAAQ,MAAM,IAAI,KAAK;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,sBAAsB,SAA0C;AACpF,QAAM,SAAS,MAAM,uBAAuB,QAAQ,EAAE;AACtD,MAAI,CAAC,OAAQ,QAAO;AAEpB,QAAM,UAAU,uBAAuB,OAAO,YAAY,GAAG;AAC7D,MAAI,YAAY,CAAC,QAAQ,WAAW,QAAQ,QAAQ,SAAS,sBAAsB,IAAI;AACrF,YAAQ,UAAU;AAAA,EACpB;AAEA,QAAM,OAAO,kBAAkB,MAAM;AACrC,MAAI,KAAK,SAAS,GAAG;AACnB,UAAM,SAAS,oBAAI,IAAI,CAAC,GAAG,QAAQ,YAAY,GAAG,IAAI,CAAC;AACvD,YAAQ,aAAa,MAAM,KAAK,MAAM;AAAA,EACxC;AAEA,UAAQ,eAAe;AAAA,IACrB,GAAI,QAAQ,gBAAgB,CAAC;AAAA,IAC7B,qBAAqB;AAAA,EACvB;AAEA,SAAO;AACT;;;AC5DA,SAAS,mBAAmB,UAAgC,OAAwB;AAClF,QAAM,aAAa,MAAM,YAAY;AACrC,UAAQ,SAAS,eAAe,CAAC,GAAG;AAAA,IAClC,CAAC,OAAO,GAAG,MAAM,YAAY,MAAM,SAAS,GAAG,OAAO,YAAY,MAAM;AAAA,EAC1E;AACF;AAEA,eAAsB,sBAAsB,OAAgD;AAC1F,QAAM,EAAE,kBAAkB,IAAI,4BAA4B;AAC1D,MAAI,CAAC,kBAAmB,QAAO,CAAC;AAEhC,MAAI;AACF,UAAM,MAAM,IAAI,IAAI,iBAAiB;AACrC,QAAI,aAAa,IAAI,cAAc,KAAK;AACxC,QAAI,aAAa,IAAI,aAAa,KAAK;AAEvC,UAAM,MAAM,MAAM,MAAM,IAAI,SAAS,GAAG;AAAA,MACtC,SAAS,E
AAE,QAAQ,mBAAmB;AAAA,IACxC,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO,CAAC;AAErB,UAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,WAAO,MAAM,QAAQ,IAAI,IAAK,OAAkC,CAAC;AAAA,EACnE,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAEA,eAAsB,yBAAyB,SAA0C;AACvF,QAAM,aAAa,MAAM,sBAAsB,QAAQ,EAAE;AACzD,QAAM,UAAU,WAAW,OAAO,CAAC,MAAM,mBAAmB,GAAG,QAAQ,EAAE,CAAC;AAC1E,MAAI,QAAQ,WAAW,EAAG,QAAO;AAEjC,QAAM,OAAO,QAAQ,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;AACtD,MAAI,KAAK,SAAS,GAAG;AACnB,UAAM,SAAS,oBAAI,IAAI,CAAC,GAAG,QAAQ,YAAY,GAAG,IAAI,CAAC;AACvD,YAAQ,aAAa,MAAM,KAAK,MAAM;AAAA,EACxC;AAEA,UAAQ,eAAe;AAAA,IACrB,GAAI,QAAQ,gBAAgB,CAAC;AAAA,IAC7B,uBAAuB;AAAA,EACzB;AAEA,SAAO;AACT;;;AClDA,IAAM,cAAc;AAEpB,eAAsB,oBAAoB,OAA4C;AACpF,QAAM,EAAE,gBAAgB,IAAI,4BAA4B;AACxD,MAAI,CAAC,gBAAiB,QAAO;AAE7B,MAAI;AACF,UAAM,MAAM,IAAI,IAAI,eAAe;AACnC,QAAI,aAAa,IAAI,SAAS,KAAK;AAEnC,UAAM,MAAM,MAAM,MAAM,IAAI,SAAS,GAAG;AAAA,MACtC,SAAS,EAAE,QAAQ,YAAY;AAAA,IACjC,CAAC;AACD,QAAI,CAAC,IAAI,GAAI,QAAO;AAEpB,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,UAAM,QAAQ,KAAK,MAAM,8CAA8C;AACvE,WAAO,QAAQ,CAAC,KAAK;AAAA,EACvB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,iBAAiB,SAA0C;AAC/E,QAAM,MAAM,MAAM,oBAAoB,QAAQ,EAAE;AAChD,MAAI,CAAC,IAAK,QAAO;AAEjB,MAAI,CAAC,QAAQ,WAAW,SAAS,GAAG,GAAG;AACrC,YAAQ,WAAW,KAAK,GAAG;AAAA,EAC7B;AAEA,UAAQ,eAAe;AAAA,IACrB,GAAI,QAAQ,gBAAgB,CAAC;AAAA,IAC7B,eAAe;AAAA,EACjB;AAEA,MAAI,CAAC,QAAQ,WAAW,SAAS,WAAW,GAAG;AAC7C,YAAQ,WAAW,KAAK,WAAW;AAAA,EACrC;AAEA,SAAO;AACT;;;ACzCA,eAAe,oBAAoB,MAAgC;AACjE,QAAM,EAAE,WAAW,IAAI,4BAA4B;AACnD,MAAI,CAAC,WAAY,QAAO;AAExB,MAAI;AACF,UAAM,MAAM,GAAG,UAAU,yBAAyB,mBAAmB,IAAI,CAAC;AAC1E,UAAM,MAAM,MAAM,MAAM,KAAK,EAAE,SAAS,EAAE,QAAQ,mBAAmB,EAAE,CAAC;AACxE,WAAO,IAAI;AAAA,EACb,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,kBAAkB,SAA0C;AAChF,QAAM,QAAQ,MAAM,KAAK,IAAI,IAAI,QAAQ,iBAAiB,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,EAAE,MAAM,GAAG,EAAE;AAC1F,MAAI,MAAM,WAAW,EAAG,QAAO;AAE/B,QAAM,SAAS,MAAM,QAAQ,IAAI,MAAM,IAAI,CAAC,SAAS,oBAAoB,IAAI,CAAC,CAAC;AAC/E,QAAM,UAAU,OAAO,OAAO,OAAO,EAAE;AACvC,MAAI,YAAY,EAAG,QAAO;AAE1B,UAAQ,eAAe;AAAA,IACrB,GAAI,QAAQ,gBAAgB,CAAC;AAAA,IAC7
B,yBAAyB;AAAA,EAC3B;AACA,SAAO;AACT;;;AC1BA,eAAe,aAAa,SAAmC;AAC7D,QAAM,EAAE,aAAa,IAAI,4BAA4B;AACrD,MAAI,CAAC,aAAc,QAAO;AAE1B,MAAI;AACF,UAAM,MAAM,IAAI,IAAI,GAAG,YAAY,WAAW;AAC9C,QAAI,aAAa,IAAI,WAAW,OAAO;AACvC,UAAM,MAAM,MAAM,MAAM,IAAI,SAAS,GAAG;AAAA,MACtC,SAAS,EAAE,QAAQ,mBAAmB;AAAA,IACxC,CAAC;AACD,WAAO,IAAI;AAAA,EACb,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,wBAAwB,SAA0C;AACtF,QAAM,WAAW,MAAM;AAAA,IACrB,IAAI,IAAI,QAAQ,iBAAiB,IAAI,CAAC,MAAM,cAAc,EAAE,IAAI,IAAI,EAAE,IAAI,EAAE,CAAC;AAAA,EAC/E,EAAE,MAAM,GAAG,EAAE;AAEb,MAAI,SAAS,WAAW,EAAG,QAAO;AAElC,QAAM,SAAS,MAAM,QAAQ,IAAI,SAAS,IAAI,CAAC,YAAY,aAAa,OAAO,CAAC,CAAC;AACjF,QAAM,UAAU,OAAO,OAAO,OAAO,EAAE;AACvC,MAAI,YAAY,EAAG,QAAO;AAE1B,UAAQ,eAAe;AAAA,IACrB,GAAI,QAAQ,gBAAgB,CAAC;AAAA,IAC7B,mBAAmB;AAAA,EACrB;AAEA,SAAO;AACT;;;AChCA,eAAe,UAAU,KAAa,OAAe,OAA6C;AAChG,MAAI;AACF,UAAM,UAAU,IAAI,IAAI,GAAG;AAC3B,YAAQ,aAAa,IAAI,OAAO,KAAK;AAErC,UAAM,UAAkC,EAAE,QAAQ,mBAAmB;AACrE,QAAI,MAAO,SAAQ,gBAAgB,UAAU,KAAK;AAElD,UAAM,MAAM,MAAM,MAAM,QAAQ,SAAS,GAAG,EAAE,QAAQ,CAAC;AACvD,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,WAAO,QAAQ,SAAS;AAAA,EAC1B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,wBAAwB,SAA0C;AACtF,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI,4BAA4B;AAEhC,QAAM,cACJ,MAAM,QAAQ,IAAI,oBAAoB,IAAI,CAAC,QAAQ,UAAU,KAAK,QAAQ,EAAE,CAAC,CAAC,GAC9E,OAAO,CAAC,MAAmB,QAAQ,CAAC,CAAC;AAEvC,QAAM,kBACJ,MAAM,QAAQ;AAAA,IACZ,gBAAgB,IAAI,CAAC,QAAQ,UAAU,KAAK,QAAQ,IAAI,mBAAmB,CAAC;AAAA,EAC9E,GACA,OAAO,CAAC,MAAmB,QAAQ,CAAC,CAAC;AAEvC,MAAI,WAAW,WAAW,KAAK,eAAe,WAAW,GAAG;AAC1D,WAAO;AAAA,EACT;AAEA,UAAQ,eAAe;AAAA,IACrB,GAAI,QAAQ,gBAAgB,CAAC;AAAA,IAC7B,kBAAkB,WAAW,SAAS,IAAI,aAAa,QAAQ,cAAc;AAAA,IAC7E,iBACE,eAAe,SAAS,IAAI,iBAAiB,QAAQ,cAAc;AAAA,EACvE;AAEA,QAAM,aAAa,oBAAI,IAAI,CAAC,GAAG,QAAQ,YAAY,GAAG,YAAY,GAAG,cAAc,CAAC;AACpF,UAAQ,aAAa,MAAM,KAAK,UAAU;AAE1C,SAAO;AACT;;;AXpCO,IAAM,gBAAgB,KAAK;AAAA,EAChC,aACE;AAAA,EACF,YAAY,EAAE,OAAO;AAAA,IACnB,OAAO,EACJ,OAAO,EACP,MAAM,oBAAoB,4CAA4C;AAAA,EAC3E,CAAC;AAAA,EACD,SAAS,OAAO,EAAE,MAAM,MAAwE;AAC9F,UAAM,eAAe,MAAM,YAAY;AAGvC,UAAM,CAAC,YAAY,UAAU,IAAI,MA
AM,QAAQ,IAAI;AAAA,MACjD,aAAa,YAAY;AAAA,MACzB,gBAAgB,YAAY;AAAA,IAC9B,CAAC;AAED,QAAI,CAAC,cAAc,WAAW,WAAW,GAAG;AAC1C,aAAO;AAAA,QACL,SAAS;AAAA,QACT,OAAO,QAAQ,YAAY;AAAA,MAC7B;AAAA,IACF;AAGA,QAAI,UAAsB,cAAc;AAAA,MACtC,IAAI;AAAA,MACJ,SAAS;AAAA,MACT,UAAU;AAAA,MACV,YAAY,CAAC;AAAA,MACb,kBAAkB,CAAC;AAAA,IACrB;AAGA,QAAI,WAAW,SAAS,GAAG;AACzB,gBAAU,0BAA0B,SAAS,UAAU;AAAA,IACzD;AAEA,UAAM,eAAyF,CAAC;AAEhG,UAAM,gBAAgB,OACpB,YACA,aACkB;AAClB,YAAM,SAAS,KAAK,UAAU,OAAO;AACrC,UAAI;AACF,kBAAU,MAAM,SAAS,OAAO;AAChC,cAAM,QAAQ,KAAK,UAAU,OAAO;AACpC,qBAAa,UAAU,IAAI;AAAA,UACzB,WAAW;AAAA,UACX,SAAS,WAAW;AAAA,QACtB;AAAA,MACF,SAAS,OAAO;AACd,qBAAa,UAAU,IAAI;AAAA,UACzB,WAAW;AAAA,UACX,SAAS;AAAA,UACT,OAAO,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,QAC9D;AAAA,MACF;AAAA,IACF;AAEA,UAAM,cAAc,OAAO,aAAa;AACxC,UAAM,cAAc,YAAY,iBAAiB;AACjD,UAAM,cAAc,QAAQ,cAAc;AAC1C,UAAM,cAAc,gBAAgB,qBAAqB;AACzD,UAAM,cAAc,mBAAmB,wBAAwB;AAC/D,UAAM,cAAc,UAAU,gBAAgB;AAC9C,UAAM,cAAc,YAAY,iBAAiB;AACjD,UAAM,cAAc,kBAAkB,uBAAuB;AAC7D,UAAM,cAAc,kBAAkB,uBAAuB;AAE7D,YAAQ,eAAe;AAAA,MACrB,GAAI,QAAQ,gBAAgB,CAAC;AAAA,MAC7B;AAAA,IACF;AAEA,QAAI,QAAQ,iBAAiB,WAAW,GAAG;AACzC,aAAO;AAAA,QACL,SAAS;AAAA,QACT,OAAO,QAAQ,YAAY;AAAA,MAC7B;AAAA,IACF;AAEA,WAAO,EAAE,SAAS,MAAM,MAAM,QAAQ;AAAA,EACxC;AACF,CAAC;;;AYpGD,SAAS,QAAAC,aAAY;AACrB,SAAS,KAAAC,UAAS;AAClB,SAAS,oBAAoB;AAC7B,SAAS,QAAAC,aAAY;AACrB,SAAS,aAAa;AAef,IAAM,qBAAqBC,MAAK;AAAA,EACrC,aACE;AAAA,EACF,YAAYC,GAAE,OAAO;AAAA,IACnB,KAAKA,GAAE,OAAO,EAAE,SAAS,wDAAwD;AAAA,IACjF,gBAAgBA,GAAE,KAAK,CAAC,OAAO,QAAQ,MAAM,CAAC,EAAE,SAAS,EAAE,SAAS,uEAAuE;AAAA,EAC7I,CAAC;AAAA,EACD,SAAS,OAAO,EAAE,KAAK,eAAe,MAAiE;AACrG,QAAI;AAEJ,QAAI;AACF,gBAAU,KAAK,MAAM,aAAaC,MAAK,KAAK,cAAc,GAAG,MAAM,CAAC;AAAA,IACtE,QAAQ;AACN,aAAO;AAAA,QACL,UAAU,CAAC;AAAA,QACX,OAAO,mCAAmC,GAAG;AAAA,MAC/C;AAAA,IACF;AAEA,UAAM,KAAM,kBAAkB,qBAAqB,GAAG;AACtD,UAAM,WAAW,0BAA0B,EAAE;AAC7C,QAAI,oBAAoB,oBAAI,IAAoB;AAEhD,QAAI;AACF,YAAM,CAAC,KAAK,GAAG,IAAI,IAAI,SAAS;AAChC,YAAM,aAAa,MAAM,MAAM,KAAK,MAAM;AAAA,QACxC;AAAA,QACA,OAAO;AAAA,QACP,QAAQ;AAAA,MACV,CAAC;AACD,0BAAoB,gBAAgB,I
AAI,WAAW,UAAU,EAAE;AAAA,IACjE,QAAQ;AAAA,IAER;AAEA,UAAM,WAA+B,CAAC;AAEtC,eAAW,CAAC,MAAM,OAAO,KAAK,kBAAkB,QAAQ,GAAG;AACzD,YAAM,WACJ,QAAQ,QAAQ,eAAe,IAAI,CAAC,KACpC,QAAQ,QAAQ,kBAAkB,IAAI,CAAC,KACvC,QAAQ,QAAQ,mBAAmB,IAAI,CAAC;AAE1C,eAAS,KAAK;AAAA,QACZ;AAAA,QACA;AAAA,QACA,MAAM,WAAW,WAAW;AAAA,MAC9B,CAAC;AAAA,IACH;AAEA,QAAI,SAAS,WAAW,GAAG;AAEzB,YAAM,UAAU;AAAA,QACd,GAAG,QAAQ;AAAA,QACX,GAAG,QAAQ;AAAA,MACb;AACA,iBAAW,CAAC,MAAM,OAAO,KAAK,OAAO,QAAQ,OAAO,GAAG;AACrD,cAAM,UAAU,QAAQ,QAAQ,cAAc,EAAE,EAAE,KAAK;AACvD,iBAAS,KAAK,EAAE,MAAM,SAAS,SAAS,MAAM,SAAS,CAAC;AAAA,MAC1D;AAAA,IACF;AAEA,WAAO,EAAE,SAAS;AAAA,EACpB;AACF,CAAC;;;ACnFD,SAAS,QAAAC,aAAY;AACrB,SAAS,KAAAC,UAAS;AAClB,OAAO,YAAY;AAGnB,IAAM,wBAAwBA,GAAE,OAAO;AAAA,EACrC,MAAMA,GAAE,OAAO;AAAA,EACf,WAAWA,GAAE,QAAQ,KAAK;AAAA,EAC1B,iBAAiBA,GAAE,OAAO;AAAA,EAC1B,qBAAqBA,GAAE,OAAO,EAAE,SAAS;AAAA,EACzC,QAAQA,GAAE,KAAK,CAAC,OAAO,iBAAiB,CAAC;AAC3C,CAAC;AAED,IAAM,yBAAyBA,GAAE,OAAO;AAAA,EACtC,MAAMA,GAAE,OAAO;AAAA,EACf,SAASA,GAAE,OAAO;AAAA,EAClB,MAAMA,GAAE,KAAK,CAAC,UAAU,UAAU,CAAC;AACrC,CAAC;AAEM,IAAM,wBAAwBD,MAAK;AAAA,EACxC,aACE;AAAA,EACF,YAAYC,GAAE,OAAO;AAAA,IACnB,mBAAmBA,GAChB,MAAM,sBAAsB,EAC5B,SAAS,sCAAsC;AAAA,IAClD,kBAAkBA,GACf,MAAM,qBAAqB,EAC3B,SAAS,wDAAwD;AAAA,EACtE,CAAC;AAAA,EACD,SAAS,OAAO,EAAE,mBAAmB,iBAAiB,MAGhD;AACJ,UAAM,aAAkC,CAAC;AAEzC,eAAW,YAAY,kBAAuC;AAE5D,YAAM,UAAW,kBAAyC;AAAA,QACxD,CAAC,MAAM,EAAE,SAAS,SAAS;AAAA,MAC7B;AAEA,iBAAW,aAAa,SAAS;AAE/B,YAAI,CAAC,OAAO,MAAM,UAAU,OAAO,EAAG;AAEtC,YAAI,eAAe;AACnB,YAAI;AACF,yBAAe,OAAO,UAAU,UAAU,SAAS,SAAS,iBAAiB;AAAA,YAC3E,mBAAmB;AAAA,UACrB,CAAC;AAAA,QACH,QAAQ;AAEN;AAAA,QACF;AAEA,YAAI,cAAc;AAChB,qBAAW,KAAK,EAAE,WAAW,SAAS,CAAC;AAAA,QACzC;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,oBAAoB;AAAA,MACpB,cAAc,kBAAkB;AAAA,IAClC;AAAA,EACF;AACF,CAAC;;;ACnED,SAAS,QAAAC,aAAY;AACrB,SAAS,KAAAC,UAAS;;;ACClB,OAAOC,aAAY;AAEnB,IAAM,eAAe;AAqBrB,eAAsB,qBAAqB,aAAwC;AACjF,QAAM,MAAM,GAAG,YAAY,IAAI,mBAAmB,WAAW,CAAC;AAC9D,QAAM,MAAM,MAAM,MAAM,KAAK;AAAA,IAC3B,SAAS,EAAE,QAAQ,mBAAmB;AAAA,EACxC,CAAC;AAED,MAAI,IAAI,WAAW,IAAK,QAAO,
CAAC;AAChC,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,IAAI;AAAA,MACR,sBAAsB,IAAI,MAAM,SAAS,WAAW,MAAM,MAAM,IAAI,KAAK,CAAC;AAAA,IAC5E;AAAA,EACF;AAEA,QAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,SAAO,OAAO,KAAK,KAAK,QAAQ;AAClC;AAYA,eAAsB,uBACpB,aACA,kBACA,qBACA,iBAC6B;AAC7B,QAAM,WAAW,MAAM,qBAAqB,WAAW;AACvD,MAAI,CAAC,SAAS,OAAQ,QAAO;AAE7B,QAAM,iBAAiBA,QAAO,MAAM,gBAAgB;AAGpD,QAAM,aAAa,SAChB,OAAO,CAAC,MAAMA,QAAO,MAAM,CAAC,KAAKA,QAAO,IAAI,GAAG,mBAAmB,CAAC,EACnE,OAAO,CAAC,MAAM;AACb,QAAI,CAAC,gBAAiB,QAAO;AAC7B,QAAI;AACF,aAAO,CAACA,QAAO,UAAU,GAAG,iBAAiB,EAAE,mBAAmB,MAAM,CAAC;AAAA,IAC3E,QAAQ;AAEN,aAAO;AAAA,IACT;AAAA,EACF,CAAC,EACA,KAAKA,QAAO,OAAO;AAEtB,MAAI,CAAC,WAAW,OAAQ,QAAO;AAG/B,QAAM,YAAY,WAAW;AAAA,IAC3B,CAAC,MAAMA,QAAO,MAAM,CAAC,MAAM;AAAA,EAC7B;AACA,MAAI,UAAW,QAAO;AAGtB,SAAO,WAAW,CAAC;AACrB;;;ADnFO,IAAM,uBAAuBC,MAAK;AAAA,EACvC,aACE;AAAA,EACF,YAAYC,GAAE,OAAO;AAAA,IACnB,aAAaA,GAAE,OAAO,EAAE,SAAS,sBAAsB;AAAA,IACvD,kBAAkBA,GAAE,OAAO,EAAE,SAAS,gDAAgD;AAAA,IACtF,qBAAqBA,GAClB,OAAO,EACP;AAAA,MACC;AAAA,IACF;AAAA,IACF,iBAAiBA,GACd,OAAO,EACP,SAAS,EACT,SAAS,4EAA4E;AAAA,EAC1F,CAAC;AAAA,EACD,SAAS,OAAO;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,MAIM;AACJ,UAAM,cAAc,MAAM;AAAA,MACxB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEA,QAAI,CAAC,aAAa;AAChB,aAAO;AAAA,QACL,aAAa;AAAA,QACb,SAAS,sCAAsC,WAAW;AAAA,MAC5D;AAAA,IACF;AAEA,UAAM,iBAAiB,SAAS,iBAAiB,MAAM,GAAG,EAAE,CAAC,KAAK,KAAK,EAAE;AACzE,UAAM,YAAY,SAAS,YAAY,MAAM,GAAG,EAAE,CAAC,KAAK,KAAK,EAAE;AAC/D,UAAM,cAAc,YAAY;AAEhC,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA,SAAS,cACL,sBAAsB,WAAW,SAAS,WAAW,kCAAkC,gBAAgB,0EACvG,sBAAsB,WAAW,SAAS,WAAW,WAAW,gBAAgB;AAAA,IACtF;AAAA,EACF;AACF,CAAC;;;AExDD,SAAS,QAAAC,aAAY;AACrB,SAAS,KAAAC,UAAS;AAClB,SAAS,QAAAC,aAAY;AACrB,SAAS,gBAAAC,eAAc,qBAAqB;AAC5C,SAAS,SAAAC,cAAa;AACtB,OAAOC,aAAY;;;ACXnB,SAAS,cAAAC,aAAY,gBAAAC,qBAAoB;AACzC,SAAS,QAAAC,aAAY;AAUd,IAAM,iBAAuC;AAAA,EAClD,iBAAiB;AAAA,EACjB,cAAc,CAAC;AAAA,EACf,eAAe,CAAC;AAAA,EAChB,aAAa;AAAA,IACX,wBAAwB;AAAA,IACxB,mBAAmB;AAAA,EACrB;AACF;AAEO,SAAS,WAAW,KAAa,cAA6C;AACnF,QAAM,YAAY,gBAAgBA,MAAK,KAAK,sBAA
sB;AAClE,MAAI,CAACF,YAAW,SAAS,EAAG,QAAO;AAEnC,MAAI;AACF,UAAM,SAAS,KAAK,MAAMC,cAAa,WAAW,MAAM,CAAC;AACzD,WAAO;AAAA,MACL,iBAAiB,OAAO,mBAAmB,eAAe;AAAA,MAC1D,cAAc,OAAO,gBAAgB,eAAe;AAAA,MACpD,eAAe,OAAO,iBAAiB,eAAe;AAAA,MACtD,aAAa;AAAA,QACX,wBACE,OAAO,aAAa,0BACpB,eAAe,aAAa,0BAC5B;AAAA,QACF,mBACE,OAAO,aAAa,qBACpB,eAAe,aAAa,qBAC5B;AAAA,MACJ;AAAA,IACF;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,iBAAiB,QAA8B,aAA8B;AAC3F,MAAI,OAAO,aAAa,SAAS,WAAW,EAAG,QAAO;AACtD,MAAI,OAAO,cAAc,SAAS,KAAK,CAAC,OAAO,cAAc,SAAS,WAAW,GAAG;AAClF,WAAO;AAAA,EACT;AACA,SAAO;AACT;;;ACrDA,SAAS,OAAO,UAAU;AAC1B,SAAS,QAAAE,aAAY;AAYrB,eAAe,MAAM,IAA2B;AAC9C,QAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,EAAE,CAAC;AACxD;AAEA,eAAsB,gBAAgB,KAAa,UAA2B,CAAC,GAAsB;AACnG,QAAM,YAAY,QAAQ,aAAa;AACvC,QAAM,eAAe,QAAQ,gBAAgB;AAC7C,QAAM,WAAWA,MAAK,KAAK,mBAAmB,OAAO;AACrD,QAAM,WAAWA,MAAK,KAAK,mBAAmB,SAAS,kBAAkB;AACzE,QAAM,YAAY,KAAK,IAAI;AAE3B,QAAM,MAAM,UAAU,EAAE,WAAW,KAAK,CAAC;AAEzC,SAAO,MAAM;AACX,QAAI;AACF,YAAM,MAAM,UAAU,EAAE,WAAW,MAAM,CAAC;AAC1C,aAAO;AAAA,QACL;AAAA,QACA,SAAS,YAAY;AACnB,gBAAM,GAAG,UAAU,EAAE,WAAW,MAAM,OAAO,KAAK,CAAC;AAAA,QACrD;AAAA,MACF;AAAA,IACF,QAAQ;AACN,UAAI,KAAK,IAAI,IAAI,YAAY,WAAW;AACtC,cAAM,IAAI,MAAM,4CAA4C,QAAQ,GAAG;AAAA,MACzE;AACA,YAAM,MAAM,YAAY;AAAA,IAC1B;AAAA,EACF;AACF;AAEA,eAAsB,aAAgB,KAAa,IAAsB,SAAuC;AAC9G,QAAM,OAAO,MAAM,gBAAgB,KAAK,OAAO;AAC/C,MAAI;AACF,WAAO,MAAM,GAAG;AAAA,EAClB,UAAE;AACA,UAAM,KAAK,QAAQ;AAAA,EACrB;AACF;;;AFrBO,IAAM,uBAAuBC,MAAK;AAAA,EACvC,aACE;AAAA,EACF,YAAYC,GAAE,OAAO;AAAA,IACnB,KAAKA,GAAE,OAAO,EAAE,SAAS,4CAA4C;AAAA,IACrE,gBAAgBA,GAAE,KAAK,CAAC,OAAO,QAAQ,MAAM,CAAC,EAAE,SAAS,EAAE,SAAS,uEAAuE;AAAA,IAC3I,aAAaA,GAAE,OAAO,EAAE,SAAS,4BAA4B;AAAA,IAC7D,aAAaA,GAAE,OAAO,EAAE,SAAS,4CAA4C;AAAA,IAC7E,WAAWA,GAAE,OAAO,EAAE,SAAS,uCAAuC;AAAA,IACtE,QAAQA,GAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS,0CAA0C;AAAA,IACtF,QAAQA,GACL,OAAO,EACP,SAAS,EACT,SAAS,8CAA8C;AAAA,IAC1D,UAAUA,GACP,QAAQ,EACR,QAAQ,KAAK,EACb,SAAS,qDAAqD;AAAA,EACnE,CAAC;AAAA,EACD,SAAS,OAAO;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,I
ACA;AAAA,IACA;AAAA,EACF,MAA4B;AAC1B,UAAM,KAAM,kBAAkB,qBAAqB,GAAG;AACtD,UAAM,WAAW,0BAA0B,EAAE;AAC7C,UAAM,UAAUC,MAAK,KAAK,cAAc;AACxC,UAAM,eAAe,WAAW,KAAK,MAAM;AAE3C,QAAI,CAAC,iBAAiB,cAAc,WAAW,GAAG;AAChD,aAAO;AAAA,QACL;AAAA,QACA,UAAU;AAAA,QACV;AAAA,QACA;AAAA,QACA,SAAS;AAAA,QACT;AAAA,QACA,SAAS,uCAAuC,WAAW;AAAA,MAC7D;AAAA,IACF;AAEA,UAAM,cACJC,QAAO,MAAM,WAAW,KACxBA,QAAO,MAAM,SAAS,KACtBA,QAAO,MAAM,SAAS,IAAIA,QAAO,MAAM,WAAW;AAEpD,QAAI,eAAe,CAAC,aAAa,iBAAiB;AAChD,aAAO;AAAA,QACL;AAAA,QACA,UAAU;AAAA,QACV;AAAA,QACA;AAAA,QACA,SAAS;AAAA,QACT;AAAA,QACA,SAAS,kCAAkC,WAAW,MAAM,WAAW,OAAO,SAAS;AAAA,MACzF;AAAA,IACF;AAEA,QAAI;AACJ,QAAI;AACF,gBAAU,KAAK,MAAMC,cAAa,SAAS,MAAM,CAAC;AAAA,IACpD,QAAQ;AACN,aAAO;AAAA,QACL;AAAA,QACA,UAAU;AAAA,QACV;AAAA,QACA,SAAS;AAAA,QACT;AAAA,QACA,SAAS,mCAAmC,OAAO;AAAA,MACrD;AAAA,IACF;AAGA,UAAM,WAAY,CAAC,gBAAgB,mBAAmB,kBAAkB,EAAiB;AAAA,MACvF,CAAC,MAAM,QAAQ,CAAC,IAAI,WAAW,MAAM;AAAA,IACvC;AAEA,QAAI,CAAC,UAAU;AACb,aAAO;AAAA,QACL;AAAA,QACA,UAAU;AAAA,QACV;AAAA,QACA,SAAS;AAAA,QACT;AAAA,QACA,SAAS,IAAI,WAAW;AAAA,MAC1B;AAAA,IACF;AAEA,UAAM,eAAe,QAAQ,QAAQ,EAAG,WAAW;AAGnD,UAAM,cAAc,aAAa,MAAM,UAAU;AACjD,UAAM,SAAS,cAAc,CAAC,KAAK;AACnC,UAAM,WAAW,GAAG,MAAM,GAAG,SAAS;AAEtC,QAAI,QAAQ;AACV,YAAM,aAAa,SAAS,qBAAqB,KAAK,GAAG;AACzD,YAAM,UAAU,SAAS,KAAK,KAAK,GAAG;AACtC,aAAO;AAAA,QACL;AAAA,QACA,UAAU;AAAA,QACV;AAAA,QACA;AAAA,QACA,SAAS;AAAA,QACT,QAAQ;AAAA,QACR,SAAS,0BAA0B,QAAQ,IAAI,WAAW,MAAM,YAAY,SAAS,QAAQ,eAAe,UAAU,GAAG,WAAW,QAAQ,OAAO,KAAK,EAAE;AAAA,MAC5J;AAAA,IACF;AAEA,WAAO,aAAa,KAAK,YAAY;AAEnC,cAAQ,QAAQ,EAAG,WAAW,IAAI;AAClC,oBAAc,SAAS,KAAK,UAAU,SAAS,MAAM,CAAC,IAAI,MAAM,MAAM;AAGtE,UAAI;AACF,cAAM,CAAC,YAAY,GAAG,WAAW,IAAI,SAAS;AAC9C,cAAMC,OAAM,YAAY,aAAa;AAAA,UACnC;AAAA,UACA,OAAO;AAAA,QACT,CAAC;AAAA,MACH,SAAS,KAAK;AAEZ,gBAAQ,QAAQ,EAAG,WAAW,IAAI;AAClC,sBAAc,SAAS,KAAK,UAAU,SAAS,MAAM,CAAC,IAAI,MAAM,MAAM;AAEtE,cAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC/D,eAAO;AAAA,UACL;AAAA,UACA,UAAU;AAAA,UACV;AAAA,UACA;AAAA,UACA,SAAS;AAAA,UACT,QAAQ;AAAA,UACR,SAAS,GAAG,SAAS,qBAAqB,KAAK,GAAG,CAAC,2BAA2B,WAAW,QAAQ,S
AAS,sBAAsB,OAAO;AAAA,QACzI;AAAA,MACF;AAEA,UAAI,UAAU;AACZ,YAAI;AACF,gBAAM,CAAC,SAAS,GAAG,QAAQ,IAAI,SAAS;AACxC,gBAAMA,OAAM,SAAS,UAAU;AAAA,YAC7B;AAAA,YACA,OAAO;AAAA,UACT,CAAC;AAAA,QACH,SAAS,KAAK;AAEZ,kBAAQ,QAAQ,EAAG,WAAW,IAAI;AAClC,wBAAc,SAAS,KAAK,UAAU,SAAS,MAAM,CAAC,IAAI,MAAM,MAAM;AAEtE,cAAI;AACF,kBAAM,CAAC,aAAa,GAAG,YAAY,IAAI,SAAS;AAChD,kBAAMA,OAAM,aAAa,cAAc;AAAA,cACrC;AAAA,cACA,OAAO;AAAA,YACT,CAAC;AAAA,UACH,QAAQ;AAAA,UAER;AAEA,gBAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC/D,iBAAO;AAAA,YACL;AAAA,YACA,UAAU;AAAA,YACV;AAAA,YACA;AAAA,YACA,SAAS;AAAA,YACT,QAAQ;AAAA,YACR,SAAS,GAAG,SAAS,KAAK,KAAK,GAAG,CAAC,4BAA4B,WAAW,QAAQ,SAAS,oBAAoB,YAAY,YAAY,OAAO;AAAA,UAChJ;AAAA,QACF;AAAA,MACF;AAEA,aAAO;AAAA,QACL;AAAA,QACA,UAAU;AAAA,QACV;AAAA,QACA;AAAA,QACA,SAAS;AAAA,QACT,QAAQ;AAAA,QACR,SAAS,0BAA0B,WAAW,UAAU,WAAW,OAAO,SAAS,SAAS,SAAS,qBAAqB,KAAK,GAAG,CAAC,GAAG,WAAW,gBAAgB,SAAS,KAAK,KAAK,GAAG,CAAC,KAAK,EAAE;AAAA,MACjM;AAAA,IACF,CAAC;AAAA,EACH;AACF,CAAC;;;AGrND,SAAS,QAAAC,aAAY;AACrB,SAAS,KAAAC,UAAS;AAClB,SAAS,SAAAC,QAAO,SAAS,UAAU,MAAAC,WAAU;AAC7C,SAAS,QAAAC,aAAY;AACrB,SAAS,SAAAC,cAAa;AAYf,IAAM,yBAAyBL,MAAK;AAAA,EACzC,aACE;AAAA,EACF,YAAYC,GAAE,OAAO;AAAA,IACnB,aAAaA,GACV,OAAO,EACP,IAAI,CAAC,EACL,SAAS,yDAAyD;AAAA,IACrE,SAASA,GACN,OAAO,EACP,MAAM,kBAAkB,gCAAgC,EACxD,SAAS,mCAAmC;AAAA,IAC/C,cAAcA,GACX,MAAMA,GAAE,OAAO,CAAC,EAChB,SAAS,EACT,QAAQ,CAAC,QAAQ,MAAM,CAAC,EACxB;AAAA,MACC;AAAA,IACF;AAAA,EACJ,CAAC;AAAA,EACD,SAAS,OAAO;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,EACF,MAAyC;AACvC,UAAM,cAAc,2BAA2B,KAAK,IAAI,CAAC;AACzD,UAAM,aAAaG,MAAK,aAAa,KAAK;AAE1C,QAAI;AAEF,YAAM,SAAS,8BAA8B,WAAW,MAAM,YAAY,MAAM,GAAG,EAAE,IAAI,CAAC,IAAI,OAAO;AAGrG,YAAMF,OAAM,aAAa,EAAE,WAAW,KAAK,CAAC;AAG5C,YAAM,cAAcE,MAAK,aAAa,aAAa;AACnD,YAAMC,OAAM,QAAQ,CAAC,MAAM,MAAM,aAAa,MAAM,CAAC;AAGrD,YAAMH,OAAM,YAAY,EAAE,WAAW,KAAK,CAAC;AAC3C,YAAMG,OAAM,OAAO,CAAC,QAAQ,aAAa,MAAM,UAAU,CAAC;AAG1D,YAAM,oBAAoB,MAAM,QAAQ,UAAU;AAClD,YAAM,iBAAiB,kBAAkB,SAAS,SAAS,IACvDD,MAAK,YAAY,SAAS,IAC1B;AAGJ,YAAM,aAAqC,CAAC;AAE5C,qBAAe,QAAQ,KAAa,cAAqC;AACvE,YAAI;AACF,gBAAM,QA
AQ,MAAM,QAAQ,KAAK,EAAE,eAAe,KAAK,CAAC;AAExD,qBAAW,QAAQ,OAAO;AACxB,kBAAM,WAAWA,MAAK,KAAK,KAAK,IAAI;AACpC,kBAAM,UAAUA,MAAK,cAAc,KAAK,IAAI;AAE5C,gBAAI,KAAK,YAAY,GAAG;AAEtB,kBACE,CAAC;AAAA,gBACC;AAAA,gBACA;AAAA,gBACA;AAAA,gBACA;AAAA,gBACA;AAAA,gBACA;AAAA,gBACA;AAAA,cACF,EACG,SAAS,KAAK,IAAI,GACrB;AACA,sBAAM,QAAQ,UAAU,OAAO;AAAA,cACjC;AAAA,YACF,WAAW,KAAK,OAAO,GAAG;AAExB,oBAAM,UAAU,aAAc,KAAK,CAAC,YAAY;AAC9C,sBAAM,QAAQ,IAAI;AAAA,kBAChB,IAAI,QAAQ,QAAQ,OAAO,IAAI,EAAE,QAAQ,OAAO,KAAK,CAAC;AAAA,gBACxD;AACA,uBAAO,MAAM,KAAK,KAAK,IAAI;AAAA,cAC7B,CAAC;AAED,kBAAI,SAAS;AACX,oBAAI;AACF,wBAAM,UAAU,MAAM,SAAS,UAAU,MAAM;AAC/C,6BAAW,OAAO,IAAI;AAAA,gBACxB,QAAQ;AAAA,gBAER;AAAA,cACF;AAAA,YACF;AAAA,UACF;AAAA,QACF,QAAQ;AAAA,QAER;AAAA,MACF;AAEA,YAAM,QAAQ,gBAAgB,EAAE;AAEhC,UAAI,OAAO,KAAK,UAAU,EAAE,WAAW,GAAG;AACxC,eAAO;AAAA,UACL,SAAS;AAAA,UACT,OAAO,sCAAsC,aAAc,KAAK,IAAI,CAAC,cAAc,WAAW,IAAI,OAAO;AAAA,QAC3G;AAAA,MACF;AAEA,aAAO;AAAA,QACL,SAAS;AAAA,QACT,aAAa;AAAA,QACb,YAAY;AAAA,MACd;AAAA,IACF,SAAS,KAAK;AACZ,YAAM,UACJ,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAGjD,UAAI,QAAQ,SAAS,KAAK,KAAK,QAAQ,SAAS,WAAW,GAAG;AAC5D,eAAO;AAAA,UACL,SAAS;AAAA,UACT,OAAO,WAAW,WAAW,IAAI,OAAO;AAAA,QAC1C;AAAA,MACF;AAEA,aAAO;AAAA,QACL,SAAS;AAAA,QACT,OAAO,uCAAuC,WAAW,IAAI,OAAO,KAAK,OAAO;AAAA,MAClF;AAAA,IACF,UAAE;AACA,YAAMD,IAAG,aAAa,EAAE,WAAW,MAAM,OAAO,KAAK,CAAC;AAAA,IACxD;AAAA,EACF;AACF,CAAC;;;ACtJD,SAAS,QAAAG,aAAY;AACrB,SAAS,KAAAC,UAAS;AAClB,SAAS,oBAAoB;AAqC7B,IAAM,6BAAqD;AAAA,EACzD,OACE;AAAA,EACF,kBACE;AAAA,EACF,kBACE;AAAA,EACF,SACE;AACJ;AAEO,IAAM,oBAAoBC,MAAK;AAAA,EACpC,aACE;AAAA,EACF,YAAYC,GAAE,OAAO;AAAA,IACnB,aAAaA,GAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,sBAAsB;AAAA,IAC9D,mBAAmBA,GAChB,OAAO,EACP,SAAS,+BAA+B;AAAA,IAC3C,OAAOA,GACJ,OAAO,EACP,MAAM,kBAAkB,EACxB,SAAS,+BAA+B;AAAA,IAC3C,YAAYA,GAAE,OAAO,EAAE,IAAI,EAAE,EAAE,SAAS,4BAA4B;AAAA,IACpE,aAAaA,GACV,OAAOA,GAAE,OAAO,CAAC,EACjB;AAAA,MACC;AAAA,IACF;AAAA,IACF,uBAAuBA,GACpB,KAAK,CAAC,SAAS,kBAAkB,kBAAkB,SAAS,CAAC,EAC7D,SAAS,EACT,QAAQ,SAAS,EACjB,SAAS,kDAAkD;AAAA,IAC9D,QAAQA,GACL,QAAQ,EACR,SAAS,EACT,Q
AAQ,KAAK,EACb,SAAS,qDAAqD;AAAA,EACnE,CAAC;AAAA,EACD,SAAS,OAAO;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,MAAoC;AAClC,QAAI;AACF,YAAM,sBAAsB;AAC5B,UAAI,OAAO,KAAK,mBAAmB,EAAE,WAAW,GAAG;AACjD,eAAO;AAAA,UACL,SAAS;AAAA,UACT,UAAU;AAAA,UACV,YAAY;AAAA,UACZ,WAAW;AAAA,UACX,OAAO;AAAA,QACT;AAAA,MACF;AAGA,YAAM,QAAQ,MAAM,YAAY;AAChC,YAAM,YAAY,MAAM,WAAW;AAGnC,YAAM,gBAAgB,OAAO,QAAQ,mBAAmB,EACrD,IAAI,CAAC,CAAC,UAAU,OAAO,MAAM;AAAA,YAAe,QAAQ;AAAA;AAAA,EAAuB,OAAO;AAAA,OAAU,EAC5F,KAAK,IAAI;AAGZ,YAAM,uBACJ,2BAA2B,qBAAqB,KAChD,2BAA2B;AAE7B,YAAM,SAAS;AAAA;AAAA;AAAA,YAGT,KAAK;AAAA,aACJ,WAAW,IAAI,iBAAiB;AAAA,cAC/B,qBAAqB;AAAA;AAAA;AAAA,EAGjC,UAAU;AAAA;AAAA;AAAA,EAGV,oBAAoB;AAAA;AAAA;AAAA,EAGpB,aAAa;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA4BT,YAAM,EAAE,KAAK,IAAI,MAAM,aAAa;AAAA,QAClC;AAAA,QACA;AAAA,QACA,aAAa;AAAA;AAAA,MACf,CAAC;AAGD,UAAI;AACJ,UAAI;AAEF,cAAM,YAAY,KAAK,MAAM,aAAa;AAC1C,YAAI,CAAC,WAAW;AACd,gBAAM,IAAI,MAAM,+BAA+B;AAAA,QACjD;AACA,mBAAW,KAAK,MAAM,UAAU,CAAC,CAAC;AAAA,MACpC,SAAS,KAAK;AACZ,eAAO;AAAA,UACL,SAAS;AAAA,UACT,UAAU;AAAA,UACV,YAAY;AAAA,UACZ,WAAW;AAAA,UACX,OAAO,iCAAiC,eAAe,QAAQ,IAAI,UAAU,eAAe;AAAA,QAC9F;AAAA,MACF;AAGA,UACE,CAAC,SAAS,YACV,CAAC,SAAS,aACV,OAAO,SAAS,eAAe,YAC/B,CAAC,CAAC,OAAO,UAAU,MAAM,EAAE,SAAS,SAAS,SAAS,GACtD;AACA,eAAO;AAAA,UACL,SAAS;AAAA,UACT,UAAU;AAAA,UACV,YAAY;AAAA,UACZ,WAAW;AAAA,UACX,OAAO;AAAA,QACT;AAAA,MACF;AAEA,UAAI,QAAQ;AACV,eAAO;AAAA,UACL,SAAS;AAAA,UACT,UAAU;AAAA,UACV,YAAY,SAAS;AAAA,UACrB,WAAW,SAAS;AAAA,QACtB;AAAA,MACF;AAGA,YAAM,UAA4B,CAAC;AAEnC,iBAAW,CAAC,UAAU,SAAS,KAAK,OAAO;AAAA,QACzC,SAAS;AAAA,MACX,GAAG;AACD,cAAM,aAAa,oBAAoB,QAAQ;AAE/C,YAAI,CAAC,YAAY;AACf;AAAA,QACF;AAGA,cAAM,cAAc;AAAA,UAClB;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAEA,YAAI,aAAa;AACf,kBAAQ,KAAK;AAAA,YACX;AAAA,YACA;AAAA,UACF,CAAC;AAAA,QACH;AAAA,MACF;AAEA,UAAI,QAAQ,WAAW,GAAG;AACxB,eAAO;AAAA,UACL,SAAS;AAAA,UACT,UAAU;AAAA,UACV,YAAY,SAAS;AAAA,UACrB,WAAW,SAAS;AAAA,UACpB,OAAO;AAAA,QACT;
AAAA,MACF;AAEA,aAAO;AAAA,QACL,SAAS;AAAA,QACT;AAAA,QACA,cAAc,QAAQ,CAAC,GAAG;AAAA,QAC1B,UAAU;AAAA,QACV,YAAY,SAAS;AAAA,QACrB,WAAW,SAAS;AAAA,MACtB;AAAA,IACF,SAAS,KAAK;AACZ,YAAM,UACJ,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AACjD,aAAO;AAAA,QACL,SAAS;AAAA,QACT,UAAU;AAAA,QACV,YAAY;AAAA,QACZ,WAAW;AAAA,QACX,OAAO,4BAA4B,OAAO;AAAA,MAC5C;AAAA,IACF;AAAA,EACF;AACF,CAAC;AAMD,SAAS,oBACP,UACA,OACA,UACe;AACf,MAAI,aAAa,OAAO;AACtB,WAAO;AAAA,EACT;AAEA,QAAM,gBAAgB,SAAS,MAAM,IAAI;AACzC,QAAM,aAAa,MAAM,MAAM,IAAI;AAInC,QAAM,OAAiB,CAAC;AACxB,OAAK,KAAK,SAAS,QAAQ,EAAE;AAC7B,OAAK,KAAK,SAAS,QAAQ,EAAE;AAC7B,OAAK,KAAK,WAAW,cAAc,SAAS,SAAS,WAAW,SAAS,KAAK;AAI9E,QAAM,SAAS,KAAK,IAAI,cAAc,QAAQ,WAAW,MAAM;AAE/D,WAAS,IAAI,GAAG,IAAI,QAAQ,KAAK;AAC/B,UAAM,WAAW,cAAc,CAAC,KAAK;AACrC,UAAM,YAAY,WAAW,CAAC,KAAK;AAEnC,QAAI,aAAa,WAAW;AAC1B,UAAI,UAAU;AACZ,aAAK,KAAK,MAAM,QAAQ;AAAA,MAC1B;AACA,UAAI,WAAW;AACb,aAAK,KAAK,MAAM,SAAS;AAAA,MAC3B;AAAA,IACF,WAAW,UAAU;AACnB,WAAK,KAAK,MAAM,QAAQ;AAAA,IAC1B;AAAA,EACF;AAEA,SAAO,KAAK,KAAK,IAAI;AACvB;;;ACpTA,SAAS,QAAAC,aAAY;AACrB,SAAS,KAAAC,UAAS;AAClB,SAAS,cAAAC,mBAAkB;AAC3B,SAAS,SAAAC,QAAO,SAAS,YAAAC,WAAU,MAAAC,KAAI,iBAAiB;AACxD,SAAS,cAAc;AACvB,SAAS,QAAAC,aAAY;AACrB,SAAS,SAAAC,cAAa;AA4Cf,IAAM,qBAAqBC,MAAK;AAAA,EACrC,aACE;AAAA,EACF,YAAYC,GAAE,OAAO;AAAA,IACnB,aAAaA,GAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS,sBAAsB;AAAA,IAC9D,mBAAmBA,GAChB,OAAO,EACP,SAAS,+BAA+B;AAAA,IAC3C,cAAcA,GACX,OAAO,EACP,IAAI,EAAE,EACN,SAAS,EACT,SAAS,gDAAgD;AAAA,IAC5D,SAASA,GACN;AAAA,MACCA,GAAE,OAAO;AAAA,QACP,UAAUA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,QAC1B,aAAaA,GAAE,OAAO,EAAE,IAAI,EAAE;AAAA,MAChC,CAAC;AAAA,IACH,EACC,SAAS,EACT,SAAS,wDAAwD;AAAA,IACpE,YAAYA,GACT,OAAO,EACP,SAAS,EACT,QAAQ,WAAW,EACnB,SAAS,gCAAgC;AAAA,IAC5C,KAAKA,GAAE,OAAO,EAAE,SAAS,2CAA2C;AAAA,IACpE,gBAAgBA,GAAE,KAAK,CAAC,OAAO,QAAQ,MAAM,CAAC,EAAE,SAAS,EAAE,SAAS,uEAAuE;AAAA,IAC3I,mBAAmBA,GAChB,QAAQ,EACR,SAAS,EACT,QAAQ,IAAI,EACZ,SAAS,2EAA2E;AAAA,IACvF,QAAQA,GAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,KAAK,EAAE,SAAS,yCAAyC;AAAA,EAClG,CAAC,EAAE,OAAO,CAAC,UAAU,QAAQ,MAAM,gBAAiB,MAAM,WAAW,MAAM,QAAQ,SA
AS,CAAE,GAAG;AAAA,IAC/F,SAAS;AAAA,EACX,CAAC;AAAA,EACD,SAAS,OAAO;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,MAAqC;AACnC,QAAI;AACF,YAAM,KAAM,kBAAkB,qBAAqB,GAAG;AACtD,YAAM,gBAAgB,gBAAgB,UAAU,CAAC,GAAG;AAEpD,UAAI,CAAC,eAAe;AAClB,eAAO;AAAA,UACL,SAAS;AAAA,UACT;AAAA,UACA;AAAA,UACA,SAAS;AAAA,UACT;AAAA,UACA,SAAS;AAAA,UACT,OAAO;AAAA,QACT;AAAA,MACF;AAEA,YAAM,gBAAgB,mBAAmB,aAAa,iBAAiB;AACvE,YAAM,gBAAgBC,MAAK,KAAK,YAAY,aAAa;AAEzD,UAAI,QAAQ;AACV,eAAO;AAAA,UACL,SAAS;AAAA,UACT;AAAA,UACA;AAAA,UACA,SAAS;AAAA,UACT,QAAQ;AAAA,UACR,SAAS,gDAAgD,aAAa;AAAA,UACtE;AAAA,UACA,WAAW;AAAA,QACb;AAAA,MACF;AAEA,aAAO,aAAa,KAAK,YAAY;AAEnC,cAAM,iBAAiBA,MAAK,KAAK,UAAU;AAC3C,cAAMC,OAAM,gBAAgB,EAAE,WAAW,KAAK,CAAC;AAG/C,cAAM,UAAU,eAAe,eAAe,MAAM;AAEpD,YAAI;AACJ,cAAM,YAAY,MAAM,iBAAiB,IAAI,GAAG;AAIhD,cAAM,cACJ,cAAc,kBACV,MAAM,iCAAiC,KAAK,EAAE,IAC9C,MAAM,iBAAiB;AAAA,UACrB;AAAA,UACA;AAAA,UACA;AAAA,UACA,cAAc;AAAA,UACd;AAAA,QACF,CAAC;AAEP,YAAI,CAAC,YAAY,SAAS;AACxB,iBAAO;AAAA,YACL,SAAS;AAAA,YACT;AAAA,YACA;AAAA,YACA,SAAS;AAAA,YACT,QAAQ;AAAA,YACR,SAAS,YAAY;AAAA,YACrB;AAAA,YACA,WAAW;AAAA,YACX;AAAA,YACA,uBAAuB,cAAc,kBAAkB,QAAQ;AAAA,YAC/D,OAAO,YAAY;AAAA,UACrB;AAAA,QACF;AAGA,YAAI,mBAAmB;AACrB,6BAAmB,MAAM,uBAAuB,KAAK,EAAE;AACvD,cAAI,CAAC,iBAAiB,QAAQ;AAC5B,kBAAM,kBAAkB;AACxB,mBAAO;AAAA,cACL,SAAS;AAAA,cACT;AAAA,cACA;AAAA,cACA,SAAS;AAAA,cACT,QAAQ;AAAA,cACR,SAAS;AAAA,cACT;AAAA,cACA,WAAW;AAAA,cACX;AAAA,cACA,uBAAuB,cAAc;AAAA,cACrC,YAAY;AAAA,cACZ,OAAO;AAAA,YACT;AAAA,UACF;AAAA,QACF;AAEA,eAAO;AAAA,UACL,SAAS;AAAA,UACT;AAAA,UACA;AAAA,UACA,SAAS;AAAA,UACT,QAAQ;AAAA,UACR,SAAS,kCAAkC,WAAW,IAAI,iBAAiB;AAAA,UAC3E;AAAA,UACA,WAAW;AAAA,UACX;AAAA,UACA,uBAAuB,cAAc;AAAA,UACrC,YAAY;AAAA,QACd;AAAA,MACF,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,YAAM,UACJ,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AACjD,aAAO;AAAA,QACL,SAAS;AAAA,QACT;AAAA,QACA;AAAA,QACA,SAAS;AAAA,QACT;AAAA,QACA,SAAS,+BAA+B,OAAO;AAAA,QAC/C,OAAO,+BAA+B,OAAO;AAAA,MAC/C;AAAA,IACF;AAAA,EACF;AACF,CAAC;AAID,eAAe,iBAAiB,gBAAgC,KAAiC;AAC/F,MAAI,mBAAmB,MAAO,QAA
O;AACrC,MAAI,mBAAmB,OAAQ,QAAO;AAGtC,MAAI;AACF,UAAM,SAAS,MAAMC,OAAM,QAAQ,CAAC,WAAW,GAAG;AAAA,MAChD;AAAA,MACA,OAAO;AAAA,IACT,CAAC;AACD,UAAM,UAAU,OAAO,OAAO,KAAK;AACnC,UAAM,QAAQ,OAAO,SAAS,QAAQ,MAAM,GAAG,EAAE,CAAC,KAAK,KAAK,EAAE;AAC9D,WAAO,SAAS,IAAI,gBAAgB;AAAA,EACtC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,mBAAmB,aAAqB,mBAAmC;AAClF,QAAM,WAAW,YAAY,QAAQ,MAAM,EAAE,EAAE,QAAQ,OAAO,GAAG;AACjE,SAAO,GAAG,QAAQ,IAAI,iBAAiB;AACzC;AAEA,eAAe,iCAAiC,KAAa,gBAAgG;AAC3J,QAAM,cAAcF,MAAK,KAAK,cAAc;AAC5C,MAAI;AAEJ,MAAI;AACF,cAAU,KAAK,MAAM,MAAMG,UAAS,aAAa,MAAM,CAAC;AAAA,EAC1D,QAAQ;AACN,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO,kCAAkC,WAAW;AAAA,IACtD;AAAA,EACF;AAEA,QAAM,kBAAkB,QAAQ,mBAAmB,CAAC;AACpD,MAAI,CAAC,gBAAgB,eAAe,GAAG;AACrC,QAAI;AACF,YAAM,WAAW,0BAA0B,cAAc;AACzD,YAAM,CAAC,KAAK,GAAG,IAAI,IAAI,SAAS,WAAW,eAAe;AAC1D,YAAMD,OAAM,KAAK,MAAM;AAAA,QACrB;AAAA,QACA,OAAO;AAAA,MACT,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,aAAO;AAAA,QACL,SAAS;AAAA,QACT,OAAO,oCAAoC,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,MAC7F;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,QAAQ,SAAS;AACpB,YAAQ,UAAU,CAAC;AAAA,EACrB;AAEA,QAAM,gBAAgB;AACtB,QAAM,qBAAqB,QAAQ,QAAQ,eAAe;AAE1D,MAAI,sBAAsB,CAAC,mBAAmB,SAAS,eAAe,GAAG;AACvE,YAAQ,QAAQ,cAAc,GAAG,kBAAkB,OAAO,aAAa;AAAA,EACzE,WAAW,CAAC,oBAAoB;AAC9B,YAAQ,QAAQ,cAAc;AAAA,EAChC;AAEA,QAAM,UAAU,aAAa,KAAK,UAAU,SAAS,MAAM,CAAC,IAAI,MAAM,MAAM;AAC5E,SAAO,EAAE,SAAS,KAAK;AACzB;AAEA,eAAe,iBAAiB,QAMmC;AACjE,QAAM,EAAE,KAAK,aAAa,mBAAmB,cAAc,UAAU,IAAI;AACzE,QAAM,cAAc,GAAG,WAAW,IAAI,iBAAiB;AAEvD,QAAM,gBAAgB,cAAc,gBAAgB,SAAS;AAC7D,QAAM,aAAa,CAAC,SAAS,WAAW;AAExC,MAAI;AACJ,MAAI;AACF,UAAM,eAAe,MAAMA,OAAM,eAAe,YAAY;AAAA,MAC1D;AAAA,MACA,OAAO;AAAA,IACT,CAAC;AACD,eAAW,sBAAsB,GAAG,aAAa,MAAM;AAAA,EAAK,aAAa,MAAM,EAAE;AAAA,EACnF,SAAS,KAAK;AACZ,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO,+CAA+C,WAAW,KAC/D,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CACjD;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,UAAU;AACb,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO,kDAAkD,WAAW;AAAA,IACtE;AAAA,EACF;AAEA,QAAM,eAAe,MAAM,QAAQF,MAAK,OAAO,GAAG,8BAA8B,CAAC;AACjF,QAAM,gBAAgBA,MAAK,cAAc,cAAc;AAEvD,MAAI;AACF,
UAAM,UAAU,eAAe,cAAc,MAAM;AACnD,UAAME,OAAM,SAAS,CAAC,OAAO,MAAM,aAAa,GAAG;AAAA,MACjD,KAAK;AAAA,MACL,OAAO;AAAA,IACT,CAAC;AAED,UAAM,gBAAgB,cAAc,gBAAgB,SAAS;AAC7D,UAAM,aACJ,cAAc,gBACV,CAAC,gBAAgB,QAAQ,IACzB,CAAC,gBAAgB,MAAM,QAAQ;AAErC,UAAMA,OAAM,eAAe,YAAY;AAAA,MACrC;AAAA,MACA,OAAO;AAAA,IACT,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO,oCAAoC,WAAW,KACpD,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CACjD;AAAA,IACF;AAAA,EACF,UAAE;AACA,UAAME,IAAG,cAAc,EAAE,WAAW,MAAM,OAAO,KAAK,CAAC;AAAA,EACzD;AAEA,SAAO,EAAE,SAAS,KAAK;AACzB;AAEA,SAAS,sBAAsB,QAAwB;AACrD,QAAM,QAAQ,OACX,MAAM,OAAO,EACb,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,EACzB,OAAO,OAAO;AAEjB,aAAW,QAAQ,OAAO;AACxB,QAAIC,YAAW,IAAI,GAAG;AACpB,aAAO;AAAA,IACT;AAEA,UAAM,SAAS,KAAK,MAAM,KAAK,EAAE,IAAI,CAAC,UAAU,MAAM,QAAQ,gBAAgB,EAAE,CAAC;AACjF,eAAW,SAAS,QAAQ;AAC1B,UAAI,MAAM,WAAW,GAAG,KAAKA,YAAW,KAAK,GAAG;AAC9C,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAKA,eAAe,uBAAuB,KAAa,gBAA2D;AAC5G,MAAI;AACF,UAAM,WAAW,0BAA0B,cAAc;AACzD,UAAM,CAAC,KAAK,GAAG,IAAI,IAAI,SAAS;AAGhC,UAAM,SAAS,MAAMH,OAAM,KAAK,MAAM;AAAA,MACpC;AAAA,MACA,SAAS;AAAA;AAAA,MACT,OAAO;AAAA,IACT,CAAC;AAED,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,QAAQ,OAAO;AAAA,IACjB;AAAA,EACF,SAAS,KAAK;AAEZ,UAAM,cACJ,eAAe,SAAS,YAAY,MAC/B,IAA+B,SAChC;AACN,UAAM,cAAc,mBAAmB,WAAW;AAElD,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;AAMA,SAAS,mBAAmB,QAA0B;AACpD,QAAM,cAAwB,CAAC;AAG/B,QAAM,WAAW;AAAA,IACf;AAAA;AAAA,IACA;AAAA;AAAA,IACA;AAAA;AAAA,EACF;AAEA,aAAW,WAAW,UAAU;AAC9B,QAAI;AACJ,YAAQ,QAAQ,QAAQ,KAAK,MAAM,OAAO,MAAM;AAC9C,UAAI,MAAM,CAAC,GAAG;AACZ,oBAAY,KAAK,MAAM,CAAC,EAAE,KAAK,CAAC;AAAA,MAClC;AAAA,IACF;AAAA,EACF;AAEA,SAAO,YAAY,MAAM,GAAG,CAAC;AAC/B;;;AxBvaA,eAAsB,uBACpB,OACA,UAA4B,CAAC,GACD;AAC5B,QAAM,WAAW,gBAAgB,OAAO;AACxC,MAAI,aAAa,SAAS;AACxB,WAAO,4BAA4B,OAAO,OAAO;AAAA,EACnD;AAEA,QAAM,MAAM,QAAQ,OAAO,QAAQ,IAAI;AACvC,QAAM,iBAAiB,QAAQ,kBAAkB,qBAAqB,GAAG;AACzE,QAAM,UAAU,QAAQ,WAAW;AACnC,QAAM,UAAU,QAAQ,UAAU,UAAU;AAC5C,QAAM,WAAW,QAAQ,YAAY;AACrC,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,aAAa,QAAQ,cAAc;AAEz
C,QAAM,QAAQ,MAAM,YAAY,OAAO;AAEvC,QAAM,eAAe,wBAAwB;AAAA,IAC3C;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AAED,QAAM,SAAS,6CAA6C,KAAK,uBAAuB,GAAG,sBAAsB,cAAc;AAE/H,QAAM,mBAAkC,CAAC;AACzC,QAAM,qBAA0C,CAAC;AACjD,MAAI,aAAgC;AACpC,MAAI,aAAa;AAEjB,QAAM,6BAA6B,UAC/B;AAAA,IACE,GAAG;AAAA,IACH,SAAS,OAAO,UACb,qBAA6B,QAAQ,EAAE,GAAG,OAAO,QAAQ,KAAK,CAAC;AAAA,EACpE,IACA;AACJ,QAAM,2BAA2B,UAC7B;AAAA,IACE,GAAG;AAAA,IACH,SAAS,OAAO,UACb,mBAA2B,QAAQ,EAAE,GAAG,OAAO,QAAQ,KAAK,CAAC;AAAA,EAClE,IACA;AAEJ,QAAM,SAAS,MAAMI,cAAa;AAAA,IAChC;AAAA,IACA,QAAQ;AAAA,IACR;AAAA,IACA,OAAO;AAAA,MACL,cAAc;AAAA,MACd,mBAAmB;AAAA,MACnB,uBAAuB;AAAA,MACvB,sBAAsB;AAAA,MACtB,sBAAsB;AAAA,MACtB,wBAAwB;AAAA,MACxB,kBAAkB;AAAA,MAClB,oBAAoB;AAAA,IACtB;AAAA,IACA,UAAU;AAAA,IACV,aAAa,YAAY;AACvB,oBAAc;AAEd,YAAM,EAAE,YAAY,IAAI;AAExB,iBAAW,MAAM,eAAe,CAAC,GAAG;AAClC,cAAM,aAAa,GAAG;AAEtB,YAAI,GAAG,aAAa,gBAAgB,YAAY,MAAM;AACpD,uBAAa,WAAW;AAAA,QAC1B;AACA,YAAI,GAAG,aAAa,yBAAyB,YAAY,oBAAoB;AAC3E,6BAAmB,KAAK,GAAI,WAAW,kBAA0C;AAAA,QACnF;AACA,YAAI,GAAG,aAAa,sBAAsB;AACxC,2BAAiB,KAAK,UAAoC;AAAA,QAC5D;AAEA,YAAI,GAAG,aAAa,sBAAsB,YAAY;AACpD,gBAAM,aAAa,WAAW;AAG9B,gBAAM,UACJ,OAAO,WAAW,YAAY,WAC1B,WAAW,UACX,OAAO,WAAW,UAAU,WAC1B,WAAW,QACX;AAER,2BAAiB,KAAK;AAAA,YACpB,aACE,OAAO,WAAW,gBAAgB,WAC9B,WAAW,cACX;AAAA,YACN,UAAU;AAAA,YACV,aACE,OAAO,WAAW,sBAAsB,WACpC,WAAW,oBACX;AAAA,YACN,eACE,OAAO,WAAW,kBAAkB,WAChC,WAAW,gBACX,OAAO,WAAW,cAAc,WAC9B,WAAW,YACX;AAAA,YACR,SAAS,QAAQ,WAAW,OAAO;AAAA,YACnC,QAAQ,QAAQ,WAAW,MAAM;AAAA,YACjC;AAAA,YACA,YACE,cAAc,OAAO,WAAW,WAAW,YACvC;AAAA,cACE,QAAQ,WAAW;AAAA,cACnB,OAAO,OAAO,WAAW,UAAU,WAAW,WAAW,QAAQ;AAAA,YACnE,IACA;AAAA,UACR,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,IACA,SAAS,OAAO;AAAA,IAChB,aAAa;AAAA,MACX,WAAW,QAAQ;AAAA,MACnB,WAAW,QAAQ;AAAA,MACnB,aAAa,QAAQ;AAAA,IACvB;AAAA,EACF;AACF;AAEA,eAAe,4BACb,OACA,UAA4B,CAAC,GACD;AAC5B,QAAM,MAAM,QAAQ,OAAO,QAAQ,IAAI;AACvC,QAAM,iBAAiB,QAAQ,kBAAkB,qBAAqB,GAAG;AACzE,QAAM,UAAU,QAAQ,WA
AW;AACnC,QAAM,UAAU,QAAQ,UAAU,UAAU;AAC5C,QAAM,WAAW,QAAQ,YAAY;AACrC,QAAM,SAAS,QAAQ,UAAU;AAEjC,QAAM,mBAAkC,CAAC;AACzC,QAAM,qBAA0C,CAAC;AACjD,MAAI,aAAgC;AACpC,MAAI,aAAa;AAEjB,QAAM,eAAe,MAAM,YAAY;AACvC,QAAM,CAAC,YAAY,UAAU,IAAI,MAAM,QAAQ,IAAI;AAAA,IACjD,aAAa,YAAY;AAAA,IACzB,gBAAgB,YAAY,EAAE,MAAM,MAAM,CAAC,CAAC;AAAA,EAC9C,CAAC;AACD,gBAAc;AAEd,MAAI,CAAC,cAAc,WAAW,WAAW,GAAG;AAC1C,WAAO;AAAA,MACL;AAAA,MACA,YAAY;AAAA,MACZ;AAAA,MACA,SAAS;AAAA,MACT;AAAA,MACA,SAAS,oCAAoC,YAAY;AAAA,MACzD,aAAa;AAAA,QACX,WAAW,QAAQ;AAAA,QACnB,WAAW,QAAQ;AAAA,QACnB,aAAa,QAAQ;AAAA,MACvB;AAAA,IACF;AAAA,EACF;AAEA,eAAa,cAAc;AAAA,IACzB,IAAI;AAAA,IACJ,SAAS;AAAA,IACT,UAAU;AAAA,IACV,YAAY,CAAC;AAAA,IACb,kBAAkB,CAAC;AAAA,EACrB;AAEA,MAAI,WAAW,SAAS,GAAG;AACzB,iBAAa,0BAA0B,YAAY,UAAU;AAAA,EAC/D;AACA,eAAa,MAAM,cAAc,UAAU;AAE3C,MAAI,WAAW,iBAAiB,WAAW,GAAG;AAC5C,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA,SAAS;AAAA,MACT;AAAA,MACA,SAAS,2EAA2E,YAAY;AAAA,MAChG,aAAa;AAAA,QACX,WAAW,QAAQ;AAAA,QACnB,WAAW,QAAQ;AAAA,QACnB,aAAa,QAAQ;AAAA,MACvB;AAAA,IACF;AAAA,EACF;AAEA,QAAM,YAAY,MAAO,mBAA2B,QAAQ,EAAE,KAAK,eAAe,CAAC;AACnF,gBAAc;AAEd,MAAI,WAAW,OAAO;AACpB,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA,SAAS;AAAA,MACT;AAAA,MACA,SAAS,yCAAyC,UAAU,KAAK;AAAA,MACjE,aAAa;AAAA,QACX,WAAW,QAAQ;AAAA,QACnB,WAAW,QAAQ;AAAA,QACnB,aAAa,QAAQ;AAAA,MACvB;AAAA,IACF;AAAA,EACF;AAEA,QAAM,oBAAqB,UAAU,YAAY,CAAC;AAMlD,aAAW,YAAY,WAAW,kBAAkB;AAClD,QAAI,CAAC,YAAY,OAAO,aAAa,SAAU;AAC/C,QAAI,CAAC,SAAS,QAAQ,CAAC,SAAS,gBAAiB;AACjD,QAAI,SAAS,cAAc,MAAO;AAClC,UAAM,UAAU,kBAAkB,OAAO,CAAC,MAAM,EAAE,SAAS,SAAS,IAAI;AACxE,eAAW,aAAa,SAAS;AAC/B,UAAI,CAACC,QAAO,MAAM,UAAU,OAAO,EAAG;AACtC,UAAI,eAAe;AACnB,UAAI;AACF,uBAAeA,QAAO,UAAU,UAAU,SAAS,SAAS,iBAAiB;AAAA,UAC3E,mBAAmB;AAAA,QACrB,CAAC;AAAA,MACH,QAAQ;AACN;AAAA,MACF;AACA,UAAI,cAAc;AAChB,2BAAmB,KAAK,EAAE,WAAW,SAAS,CAAC;AAAA,MACjD;AAAA,IACF;AAAA,EACF;AACA,gBAAc;AAEd,aAAW,cAAc,oBAAoB;AAC3C,UAAM,MAAM,WAAW;AACvB,UAAM,sBAAsB,WAAW,SAAS;AAEhD,QAAI,IAAI,SAAS,YAAY;AAC3B,uBAAiB,KAAK;AAAA,QACpB,aAAa,IAAI;AAAA,QACjB,UAAU;AAAA,QACV,aAAa,IAAI;AAAA,QA
CjB,SAAS;AAAA,QACT;AAAA,QACA,SAAS,IAAI,IAAI,IAAI;AAAA,MACvB,CAAC;AACD;AAAA,IACF;AAEA,QAAI,CAAC,qBAAqB;AACxB,uBAAiB,KAAK;AAAA,QACpB,aAAa,IAAI;AAAA,QACjB,UAAU;AAAA,QACV,aAAa,IAAI;AAAA,QACjB,SAAS;AAAA,QACT;AAAA,QACA,SAAS,wCAAwC,IAAI,IAAI;AAAA,MAC3D,CAAC;AACD;AAAA,IACF;AAEA,UAAM,cAAc,MAAM;AAAA,MACxB,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ;AAAA,MACA,WAAW,SAAS;AAAA,IACtB;AACA,kBAAc;AAEd,QAAI,CAAC,aAAa;AAChB,uBAAiB,KAAK;AAAA,QACpB,aAAa,IAAI;AAAA,QACjB,UAAU;AAAA,QACV,aAAa,IAAI;AAAA,QACjB,SAAS;AAAA,QACT;AAAA,QACA,SAAS,qCAAqC,IAAI,IAAI;AAAA,MACxD,CAAC;AACD;AAAA,IACF;AAEA,UAAM,cAAe,MAAO,qBAA6B,QAAQ;AAAA,MAC/D;AAAA,MACA;AAAA,MACA,aAAa,IAAI;AAAA,MACjB,aAAa,IAAI;AAAA,MACjB,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AACD,kBAAc;AAEd,qBAAiB,KAAK,WAAW;AAAA,EACnC;AAEA,QAAM,eAAe,iBAAiB,OAAO,CAAC,MAAM,EAAE,OAAO,EAAE;AAC/D,QAAM,kBAAkB,iBAAiB,OAAO,CAAC,MAAM,CAAC,EAAE,WAAW,CAAC,EAAE,MAAM,EAAE;AAChF,QAAM,cAAc,iBAAiB,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE;AAE7D,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,IACA,SAAS,oCAAoC,mBAAmB,MAAM,aAAa,YAAY,YAAY,WAAW,gBAAgB,eAAe;AAAA,IACrJ,aAAa;AAAA,MACX,WAAW,QAAQ;AAAA,MACnB,WAAW,QAAQ;AAAA,MACnB,aAAa,QAAQ;AAAA,IACvB;AAAA,EACF;AACF;AAYA,SAAS,wBAAwB,KAA4B;AAC3D,QAAM,aAAaC,MAAK,QAAQ,IAAI,GAAG,WAAW,gBAAgB,+BAA+B;AAEjG,MAAI,CAACC,YAAW,UAAU,GAAG;AAC3B,WAAO;AAAA,qBACU,IAAI,GAAG;AAAA,qBACP,IAAI,cAAc;AAAA,WAC5B,IAAI,MAAM;AAAA,aACR,IAAI,QAAQ;AAAA,UACf,IAAI,UAAU,WAAW;AAAA,eACpB,IAAI,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAe3B;AAEA,QAAM,WAAWC,cAAa,YAAY,MAAM;AAChD,SAAO,SACJ,WAAW,aAAa,IAAI,KAAK,EACjC,WAAW,WAAW,IAAI,GAAG,EAC7B,WAAW,sBAAsB,IAAI,cAAc,EACnD,WAAW,cAAc,OAAO,IAAI,MAAM,CAAC,EAC3C,WAAW,gBAAgB,OAAO,IAAI,QAAQ,CAAC,EAC/C,WAAW,cAAc,IAAI,UAAU,WAAW,EAClD,WAAW,kBAAkB,IAAI,UAAU;AAChD;;;AyB/ZA,SAAS,eAAe;AACxB,SAAS,gBAAAC,qBAAoB;;;ACD7B,SAAS,gBAAAC,qBAAoB;AAmB7B,IAAM,YAAY;AAElB,SAAS,kBAAkB,KAA6C;AACtE,MAAI,CAAC,IAAK,QAAO;AACjB,QAAM,KAAK,IAAI,YAAY;AAC3B,MAAI,OAAO,cAAc,OAAO,UAAU,OAAO,YAAY,OAAO,OAAO;AACzE,WAAO;AAAA,EACT;AACA
,SAAO;AACT;AAEO,SAAS,4BAA4B,SAAsC;AAChF,QAAM,SAAS,KAAK,MAAM,OAAO;AACjC,QAAM,WAAgC,CAAC;AACvC,QAAM,OAAO,oBAAI,IAAY;AAE7B,aAAW,QAAQ,OAAO,OAAO,OAAO,mBAAmB,CAAC,CAAC,GAAG;AAC9D,eAAW,YAAY,KAAK,OAAO,CAAC,GAAG;AACrC,YAAM,OAAO,OAAO,aAAa,WAAW,WAAW,GAAG,SAAS,OAAO,EAAE,IAAI,SAAS,QAAQ,EAAE;AACnG,YAAM,UAAU,KAAK,MAAM,SAAS,KAAK,CAAC;AAC1C,iBAAW,SAAS,SAAS;AAC3B,cAAM,QAAQ,MAAM,YAAY;AAChC,cAAM,MAAM,GAAG,KAAK,IAAI,KAAK,IAAI;AACjC,YAAI,KAAK,IAAI,GAAG,EAAG;AACnB,aAAK,IAAI,GAAG;AACZ,iBAAS,KAAK;AAAA,UACZ;AAAA,UACA,QAAQ;AAAA,UACR,aAAa,KAAK;AAAA,UAClB,UAAU,kBAAkB,KAAK,QAAQ;AAAA,QAC3C,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,sBAAsB,UAAuC;AAC3E,QAAM,UAAUA,cAAa,UAAU,MAAM;AAC7C,SAAO,4BAA4B,OAAO;AAC5C;;;AC5DA,SAAS,gBAAAC,qBAAoB;AAG7B,IAAMC,aAAY;AAElB,SAASC,mBAAkB,KAA6C;AACtE,MAAI,CAAC,IAAK,QAAO;AACjB,QAAM,KAAK,IAAI,YAAY;AAC3B,MAAI,OAAO,cAAc,OAAO,UAAU,OAAO,YAAY,OAAO,OAAO;AACzE,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEO,SAAS,6BAA6B,SAAsC;AACjF,QAAM,WAAgC,CAAC;AACvC,QAAM,OAAO,oBAAI,IAAY;AAE7B,QAAM,QAAQ,QACX,MAAM,IAAI,EACV,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,EACzB,OAAO,OAAO;AAEjB,aAAW,QAAQ,OAAO;AACxB,QAAI;AACJ,QAAI;AACF,eAAS,KAAK,MAAM,IAAI;AAAA,IAC1B,QAAQ;AACN;AAAA,IACF;AAEA,UAAM,QAAQ;AAYd,QAAI,MAAM,SAAS,gBAAiB;AAEpC,UAAM,WAAW,MAAM,MAAM;AAC7B,UAAM,cAAc,UAAU;AAC9B,UAAM,WAAWA,mBAAkB,UAAU,QAAQ;AAErD,UAAM,OAAO,GAAG,UAAU,OAAO,EAAE,KAAK,UAAU,QAAQ,CAAC,GAAG,KAAK,GAAG,CAAC;AACvE,UAAM,UAAU,KAAK,MAAMD,UAAS,KAAK,CAAC;AAE1C,eAAW,SAAS,SAAS;AAC3B,YAAM,QAAQ,MAAM,YAAY;AAChC,YAAM,MAAM,GAAG,KAAK,IAAI,eAAe,EAAE;AACzC,UAAI,KAAK,IAAI,GAAG,EAAG;AACnB,WAAK,IAAI,GAAG;AAEZ,eAAS,KAAK;AAAA,QACZ;AAAA,QACA,QAAQ;AAAA,QACR;AAAA,QACA;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,uBAAuB,UAAuC;AAC5E,QAAM,UAAUD,cAAa,UAAU,MAAM;AAC7C,SAAO,6BAA6B,OAAO;AAC7C;;;ACzEA,SAAS,gBAAAG,qBAAoB;AAiB7B,IAAMC,aAAY;AAElB,SAAS,mBAAmB,QAAyC;AACnE,QAAM,MAAM,OAAO,aAAa,aAAa;AAC7C,SAAO,OAAO,QAAQ,WAAW,MAAM;AACzC;AAEO,SAAS,qBAAqB,SAAsC;AACzE,QAAM,SAAS,KAAK,MAAM,OAAO;AACjC,QAAM,WAAgC,CAAC;AACvC,QAAM,OAAO,oBAAI,IAAY;AAE7B,aAAW,OAAO,OAAO,QAAQ
,CAAC,GAAG;AACnC,eAAW,UAAU,IAAI,WAAW,CAAC,GAAG;AACtC,YAAM,WAAW,GAAG,OAAO,UAAU,EAAE,IAAI,OAAO,SAAS,QAAQ,EAAE;AACrE,YAAM,UAAU,SAAS,MAAMA,UAAS,KAAK,CAAC;AAC9C,iBAAW,SAAS,SAAS;AAC3B,cAAM,QAAQ,MAAM,YAAY;AAChC,cAAM,MAAM,mBAAmB,MAAM;AACrC,cAAM,MAAM,GAAG,KAAK,IAAI,OAAO,EAAE;AACjC,YAAI,KAAK,IAAI,GAAG,EAAG;AACnB,aAAK,IAAI,GAAG;AACZ,iBAAS,KAAK;AAAA,UACZ;AAAA,UACA,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,UAAU;AAAA,QACZ,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,eAAe,UAAuC;AACpE,QAAM,UAAUD,cAAa,UAAU,MAAM;AAC7C,SAAO,qBAAqB,OAAO;AACrC;;;AH9CO,SAAS,eAAe,UAAkB,QAA8C;AAC7F,QAAM,WAAW,WAAW,SAAS,YAAY,QAAQ,IAAI;AAE7D,MAAI,aAAa,aAAa;AAC5B,WAAO,sBAAsB,QAAQ;AAAA,EACvC;AACA,MAAI,aAAa,cAAc;AAC7B,WAAO,uBAAuB,QAAQ;AAAA,EACxC;AACA,MAAI,aAAa,SAAS;AACxB,WAAO,eAAe,QAAQ;AAAA,EAChC;AAEA,QAAM,IAAI,MAAM,6BAA6B,QAAQ,EAAE;AACzD;AAEA,SAAS,YAAY,UAAoD;AACvE,QAAM,MAAM,QAAQ,QAAQ,EAAE,YAAY;AAC1C,MAAI,QAAQ,SAAU,QAAO;AAE7B,MAAI;AACF,UAAM,UAAUE,cAAa,UAAU,MAAM;AAC7C,UAAM,YAAY,QAAQ,MAAM,IAAI,EAAE,KAAK,CAAC,SAAS,KAAK,KAAK,EAAE,WAAW,GAAG,CAAC;AAChF,QAAI,WAAW;AACb,YAAM,SAAS,KAAK,MAAM,SAAS;AACnC,UAAI,OAAO,SAAS,mBAAmB,OAAO,SAAS,gBAAgB;AACrE,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF,QAAQ;AAAA,EAER;AAEA,SAAO;AACT;AAEO,SAAS,aAAa,UAAyC;AACpE,SAAO,CAAC,GAAG,IAAI,IAAI,SAAS,IAAI,CAAC,MAAM,EAAE,MAAM,YAAY,CAAC,CAAC,CAAC;AAChE;;;AI/CA,SAAS,WAAW,iBAAAC,sBAAqB;AACzC,SAAS,QAAAC,aAAY;AAkCd,SAAS,kBAAkB,KAAa,QAAkB,UAA2B,CAAC,GAAgB;AAC3G,SAAO;AAAA,IACL,OAAO,GAAG,KAAK,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,MAAM,GAAG,CAAC,CAAC;AAAA,IAC9D,WAAW,QAAQ;AAAA,IACnB,WAAW,QAAQ;AAAA,IACnB,aAAa,QAAQ;AAAA,IACrB,OAAO,QAAQ;AAAA,IACf,QAAQ,QAAQ;AAAA,IAChB,gBAAgB,QAAQ;AAAA,IACxB;AAAA,IACA;AAAA,IACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC,OAAO,CAAC;AAAA,EACV;AACF;AAEO,SAAS,gBACd,KACA,QACA,OACA,QACA,OACM;AACN,MAAI,MAAM,KAAK;AAAA,IACb,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEO,SAAS,iBAAiB,KAA+B;AAC9D,MAAI,cAAa,oBAAI,KAAK,GAAE,YAAY;AACxC,SAAO;AACT;AAEO,SAAS,iBAAiB,KAAa,KAA0B;AACtE,QAAM,MAAMA,MAAK,KAAK,mBAAmB,
UAAU;AACnD,YAAU,KAAK,EAAE,WAAW,KAAK,CAAC;AAClC,QAAM,WAAWA,MAAK,KAAK,GAAG,IAAI,KAAK,OAAO;AAC9C,EAAAD,eAAc,UAAU,KAAK,UAAU,KAAK,MAAM,CAAC,IAAI,MAAM,MAAM;AACnE,SAAO;AACT;;;AC9EA,SAAS,cAAAE,aAAY,aAAAC,YAAW,gBAAAC,eAAc,iBAAAC,sBAAqB;AACnE,SAAS,QAAAC,cAAY;AAerB,IAAM,gBAAkC;AAAA,EACtC,eAAe;AAAA,EACf,SAAS,CAAC;AACZ;AAEA,SAAS,cAAc,KAAqB;AAC1C,SAAOA,OAAK,KAAK,mBAAmB,SAAS,kBAAkB;AACjE;AAEA,SAAS,SAAS,gBAAwB,OAAuB;AAC/D,SAAO,GAAG,cAAc,KAAK,MAAM,YAAY,CAAC;AAClD;AAEA,SAAS,UAAU,KAA+B;AAChD,QAAM,WAAW,cAAc,GAAG;AAClC,MAAI,CAACJ,YAAW,QAAQ,EAAG,QAAO;AAElC,MAAI;AACF,UAAM,SAAS,KAAK,MAAME,cAAa,UAAU,MAAM,CAAC;AACxD,QAAI,UAAU,OAAO,kBAAkB,SAAS,OAAO,SAAS;AAC9D,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,UAAU,KAAa,OAA+B;AAC7D,QAAM,WAAW,cAAc,GAAG;AAClC,EAAAD,WAAUG,OAAK,KAAK,mBAAmB,OAAO,GAAG,EAAE,WAAW,KAAK,CAAC;AACpE,EAAAD,eAAc,UAAU,KAAK,UAAU,OAAO,MAAM,CAAC,IAAI,MAAM,MAAM;AACvE;AAEO,SAAS,qBACd,KACA,gBACA,OAC+B;AAC/B,QAAM,QAAQ,UAAU,GAAG;AAC3B,QAAM,MAAM,SAAS,gBAAgB,KAAK;AAC1C,SAAO,MAAM,QAAQ,GAAG,GAAG;AAC7B;AAEO,SAAS,sBACd,KACA,gBACA,OACA,QACM;AACN,QAAM,QAAQ,UAAU,GAAG;AAC3B,QAAM,MAAM,SAAS,gBAAgB,KAAK;AAC1C,QAAM,QAAQ,GAAG,IAAI;AAAA,IACnB,KAAK;AAAA,IACL,OAAO,MAAM,YAAY;AAAA,IACzB;AAAA,IACA,UAAS,oBAAI,KAAK,GAAE,YAAY;AAAA,EAClC;AACA,YAAU,KAAK,KAAK;AACtB;;;ACcA,SAAS,iBAAyB;AAChC,SAAO,OAAO,KAAK,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,MAAM,GAAG,CAAC,CAAC;AACpE;AAEA,SAAS,0BAA0B,SAAiG;AAClI,SAAO;AAAA,IACL,WAAW,QAAQ,aAAa,eAAe;AAAA,IAC/C,WAAW,QAAQ;AAAA,IACnB,aAAa,QAAQ;AAAA,EACvB;AACF;AAEA,SAAS,yBAAyB,SAA8C;AAC9E,SAAO;AAAA,IACL,OAAO,QAAQ;AAAA,IACf,QAAQ,QAAQ,UAAU;AAAA,EAC5B;AACF;AAEA,SAAS,mBAAmB,SAA2B,KAAqC;AAC1F,QAAM,SAAS,WAAW,KAAK,QAAQ,MAAM;AAC7C,SAAO;AAAA,IACL,wBACE,QAAQ,aAAa,0BACrB,OAAO,aAAa,0BACpB;AAAA,IACF,mBACE,QAAQ,aAAa,qBACrB,OAAO,aAAa,qBACpB;AAAA,EACJ;AACF;AAEA,SAAS,mBACP,QACA,aACmB;AACnB,QAAM,mBAAmB,IAAI;AAAA,IAC3B,OAAO,mBACJ,OAAO,CAAC,OAAO,GAAG,UAAU,SAAS,UAAU,EAC/C,IAAI,CAAC,OAAO,GAAG,UAAU,IAAI;AAAA,EAClC;AAEA,QAAM,cAAc,OAAO,QAAQ,IAAI,CAAC,WAAW;AACjD,QAAI,YAAY,0BAA0
B,iBAAiB,IAAI,OAAO,WAAW,GAAG;AAClF,aAAO;AAAA,QACL,GAAG;AAAA,QACH,UAAU;AAAA,QACV,SAAS;AAAA,QACT,SAAS,2DAA4D,OAAO,WAAW;AAAA,MACzF;AAAA,IACF;AAEA,QAAI,YAAY,qBAAqB,OAAO,aAAa,cAAc;AACrE,aAAO;AAAA,QACL,GAAG;AAAA,QACH,UAAU;AAAA,QACV,SAAS;AAAA,QACT,SAAS,4EAA6E,OAAO,WAAW;AAAA,MAC1G;AAAA,IACF;AAEA,WAAO;AAAA,EACT,CAAC;AAED,SAAO;AAAA,IACL,GAAG;AAAA,IACH,SAAS;AAAA,IACT;AAAA,EACF;AACF;AASA,eAAsB,UAAU,OAAe,UAA4B,CAAC,GAA+B;AACzG,MAAI,CAAC,mBAAmB,KAAK,KAAK,GAAG;AACnC,UAAM,IAAI;AAAA,MACR,oBAAoB,KAAK;AAAA,IAC3B;AAAA,EACF;AACA,QAAM,MAAM,QAAQ,OAAO,QAAQ,IAAI;AACvC,QAAM,cAAc,mBAAmB,SAAS,GAAG;AACnD,QAAM,aAAa,yBAAyB,OAAO;AACnD,QAAM,cAAc,0BAA0B,OAAO;AAErD,MAAI,QAAQ,UAAU,QAAQ,gBAAgB;AAC5C,UAAM,SAAS,qBAAqB,KAAK,QAAQ,gBAAgB,MAAM,YAAY,CAAC;AACpF,QAAI,QAAQ;AACV,aAAO;AAAA,QACL,GAAG;AAAA,QACH,SAAS,GAAG,OAAO,OAAO;AAAA,QAC1B;AAAA,QACA;AAAA,QACA;AAAA,QACA,kBAAkB;AAAA,MACpB;AAAA,IACF;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,uBAAuB,MAAM,YAAY,GAAG;AAAA,IAC/D,GAAG;AAAA,IACH,GAAG;AAAA,IACH;AAAA,EACF,CAAC;AACD,QAAM,oBAAoB,mBAAmB,QAAQ,WAAW;AAChE,QAAM,cAAc;AAAA,IAClB,GAAG;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,IACA,kBAAkB;AAAA,EACpB;AAEA,MAAI,QAAQ,kBAAkB,CAAC,QAAQ,UAAU,CAAC,QAAQ,SAAS;AACjE,0BAAsB,KAAK,QAAQ,gBAAgB,MAAM,YAAY,GAAG,WAAW;AAAA,EACrF;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,EACL;AACF;AAKA,eAAsB,gBACpB,OACA,UAA4B,CAAC,GACD;AAC5B,SAAO,UAAU,OAAO;AAAA,IACtB,GAAG;AAAA,IACH,SAAS;AAAA,IACT,QAAQ;AAAA,EACV,CAAC;AACH;AAMA,eAAsB,kBACpB,WACA,UAAuB,CAAC,GACH;AACrB,QAAM,MAAM,QAAQ,OAAO,QAAQ,IAAI;AACvC,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,aAAa,QAAQ,cAAc;AAEzC,QAAM,WAAW,eAAe,WAAW,MAAM;AACjD,QAAM,SAAS,aAAa,QAAQ;AACpC,QAAM,SAAS,WAAW,KAAK,QAAQ,MAAM;AAC7C,QAAM,cAAc,0BAA0B,OAAO;AACrD,QAAM,aAAa,yBAAyB,OAAO;AACnD,QAAM,cAAc,mBAAmB,SAAS,GAAG;AAEnD,QAAM,WAAW,kBAAkB,KAAK,QAAQ;AAAA,IAC9C,GAAG;AAAA,IACH,OAAO,WAAW;AAAA,IAClB,QAAQ,WAAW;AAAA,IACnB,gBAAgB,QAAQ;AAAA,EAC1B,CAAC;AACD,kBAAgB,UAAU,cAAc,EAAE,WAAW,OAAO,GAAG,EAAE,cAAc,SAAS,QAAQ,UAAU,OAAO,OAAO,CAAC;AAEzH,QAAM,UAA+B,CAAC;AACtC,QAAM,SAAoD,CAAC;AAC3D,QAAM,0BAID,CAAC;AACN,MAAI,aAAa;AAEjB,aAAW,SAAS,QAAQ;AAC1B,
QAAI;AACF,sBAAgB,UAAU,mBAAmB,EAAE,MAAM,CAAC;AACtD,YAAM,SAAS,MAAM,UAAU,OAAO;AAAA,QACpC,GAAG;AAAA,QACH;AAAA,QACA,GAAG;AAAA,QACH,OAAO,WAAW;AAAA,QAClB,QAAQ,WAAW;AAAA,QACnB;AAAA,MACF,CAAC;AAGD,aAAO,UAAU,OAAO,QAAQ,OAAO,CAAC,MAAM,iBAAiB,QAAQ,EAAE,WAAW,CAAC;AAGrF,iBAAW,UAAU,OAAO,SAAS;AACnC,YAAI,OAAO,aAAa,cAAc;AACpC,wBAAc;AAAA,QAChB;AACA,YAAI,OAAO,YAAY,WAAW,SAAS,OAAO,YAAY,OAAO;AACnE,kCAAwB,KAAK;AAAA,YAC3B,aAAa,OAAO;AAAA,YACpB;AAAA,YACA,OAAO,OAAO,WAAW;AAAA,UAC3B,CAAC;AAAA,QACH;AAAA,MACF;AAEA,cAAQ,KAAK,MAAM;AACnB,sBAAgB,UAAU,oBAAoB,EAAE,MAAM,GAAG,EAAE,SAAS,OAAO,QAAQ,OAAO,CAAC;AAAA,IAC7F,SAAS,OAAO;AACd,YAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACrE,aAAO,KAAK,EAAE,OAAO,QAAQ,CAAC;AAC9B,sBAAgB,UAAU,mBAAmB,EAAE,MAAM,GAAG,QAAW,OAAO;AAAA,IAC5E;AAAA,EACF;AAEA,MAAI,eAAe;AACnB,MAAI,cAAc;AAClB,aAAW,UAAU,SAAS;AAC5B,eAAW,UAAU,OAAO,SAAS;AACnC,UAAI,OAAO,WAAW,OAAO,QAAQ;AACnC,wBAAgB;AAAA,MAClB,OAAO;AACL,uBAAe;AAAA,MACjB;AAAA,IACF;AAAA,EACF;AAEA,iBAAe,OAAO;AAEtB,MAAI,SAA+B;AACnC,MAAI,cAAc,KAAK,eAAe,GAAG;AACvC,aAAS;AAAA,EACX,WAAW,cAAc,KAAK,iBAAiB,GAAG;AAChD,aAAS;AAAA,EACX;AAEA,mBAAiB,QAAQ;AACzB,QAAM,eAAe,QAAQ,aAAa,QAAQ,SAAY,iBAAiB,KAAK,QAAQ;AAE5F,SAAO;AAAA,IACL,eAAe;AAAA,IACf;AAAA,IACA,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,IACpC;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,yBAAyB,wBAAwB,SAAS,IAAI,0BAA0B;AAAA,IACxF,YAAY,aAAa,IAAI,aAAa;AAAA,IAC1C;AAAA,IACA;AAAA,IACA;AAAA,IACA,gBAAgB,QAAQ;AAAA,EAC1B;AACF;AAEO,SAAS,YAAY,QAA+B;AACzD,MAAI,mBAAmB;AACvB,aAAW,aAAa,OAAO,SAAS;AACtC,wBAAoB,UAAU,QAAQ;AAAA,EACxC;AAEA,SAAO;AAAA,IACL,eAAe,OAAO;AAAA,IACtB,QAAQ,OAAO;AAAA,IACf,aAAa,OAAO;AAAA,IACpB,UAAU,OAAO,OAAO;AAAA,IACxB;AAAA,IACA,cAAc,OAAO;AAAA,IACrB,aAAa,OAAO;AAAA,IACpB,QAAQ,OAAO;AAAA,IACf,cAAc,OAAO;AAAA,IACrB,YAAY,OAAO,cAAc;AAAA,IACjC,yBAAyB,OAAO;AAAA,IAChC,YAAY,OAAO;AAAA,IACnB,aAAa,OAAO;AAAA,IACpB,YAAY,OAAO;AAAA,IACnB,aAAa,OAAO;AAAA,IACpB,gBAAgB,OAAO;AAAA,EACzB;AACF;AAEO,SAAS,WAAW,SAA4B;AACrD,SAAO,QAAQ,cAAc,IAAI,IAAI;AACvC;","names":["generateText","existsSync","readFileSync","join","semve
r","tool","z","join","tool","z","join","tool","z","tool","z","semver","tool","z","tool","z","join","readFileSync","execa","semver","existsSync","readFileSync","join","join","tool","z","join","semver","readFileSync","execa","tool","z","mkdir","rm","join","execa","tool","z","tool","z","tool","z","existsSync","mkdir","readFile","rm","join","execa","tool","z","join","mkdir","execa","readFile","rm","existsSync","generateText","semver","join","existsSync","readFileSync","readFileSync","readFileSync","readFileSync","CVE_REGEX","normalizeSeverity","readFileSync","CVE_REGEX","readFileSync","writeFileSync","join","existsSync","mkdirSync","readFileSync","writeFileSync","join"]}
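--- a/package/dist/cli.d.ts
+++ b/package/dist/cli.d.ts
@@ -1 +1,6 @@
  #!/usr/bin/env node
+ import { Command } from 'commander';
+
+ declare function createProgram(): Command;
+
+ export { createProgram };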
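--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -4,11 +4,12 @@ import {
  remediate,
  remediateFromScan,
  toCiSummary
- } from "./chunk-DQKT2CUG.js";
+ } from "./chunk-GBOD3DV6.js";
 
  // src/cli.ts
  import { Command } from "commander";
  import { existsSync, writeFileSync } from "fs";
+ import { fileURLToPath } from "url";
  function logJson(value) {
  process.stdout.write(`${JSON.stringify(value, null, 2)}
  `);
@@ -21,9 +22,21 @@ async function runSingleCve(cveId, opts) {
  cwd: opts.cwd,
  packageManager: opts.packageManager,
  dryRun: opts.dryRun,
- skipTests: !opts.runTests,
- policyPath: opts.policy,
- llmProvider: opts.llmProvider
+ preview: opts.preview,
+ runTests: opts.runTests,
+ policy: opts.policy,
+ llmProvider: opts.llmProvider,
+ requestId: opts.requestId,
+ sessionId: opts.sessionId,
+ parentRunId: opts.parentRunId,
+ idempotencyKey: opts.idempotencyKey,
+ resume: opts.resume,
+ actor: opts.actor,
+ source: opts.source ?? "cli",
+ constraints: {
+ directDependenciesOnly: opts.directDependenciesOnly,
+ preferVersionBump: opts.preferVersionBump
+ }
  });
  if (opts.json) {
  logJson(report);
@@ -39,11 +52,23 @@ async function runScanInput(inputPath, opts) {
  cwd: opts.cwd,
  packageManager: opts.packageManager,
  format: opts.format,
- policyPath: opts.policy,
+ policy: opts.policy,
  dryRun: opts.dryRun,
- skipTests: !opts.runTests,
+ preview: opts.preview,
+ runTests: opts.runTests,
  llmProvider: opts.llmProvider,
- writeEvidence: opts.evidence
+ evidence: opts.evidence,
+ requestId: opts.requestId,
+ sessionId: opts.sessionId,
+ parentRunId: opts.parentRunId,
+ idempotencyKey: opts.idempotencyKey,
+ resume: opts.resume,
+ actor: opts.actor,
+ source: opts.source ?? "cli",
+ constraints: {
+ directDependenciesOnly: opts.directDependenciesOnly,
+ preferVersionBump: opts.preferVersionBump
+ }
  });
  if (opts.summaryFile) {
  const summary = toCiSummary(report);
@@ -78,16 +103,16 @@ async function runScanInput(inputPath, opts) {
  process.exitCode = ciExitCode(toCiSummary(report));
  }
  }
- async function main() {
+ function createProgram() {
  const program = new Command();
  program.name("autoremediator").description("Scanner-first Node.js vulnerability auto-remediation tool").version("0.1.2").showHelpAfterError();
- program.command("cve").description("Remediate a single CVE ID").argument("<cveId>", "CVE ID, e.g. CVE-2021-23337").option("--cwd <path>", "Target project directory", process.cwd()).option("--package-manager <name>", "Package manager: npm|pnpm|yarn").option("--dry-run", "Plan changes only without mutating files", false).option("--run-tests", "Run package-manager test validation after apply", false).option("--llm-provider <provider>", "LLM provider: openai|anthropic|local").option("--json", "Print JSON output", false).action(async (cveId, opts) => {
+ program.command("cve").description("Remediate a single CVE ID").argument("<cveId>", "CVE ID, e.g. CVE-2021-23337").option("--cwd <path>", "Target project directory", process.cwd()).option("--package-manager <name>", "Package manager: npm|pnpm|yarn").option("--dry-run", "Plan changes only without mutating files", false).option("--preview", "Run non-mutating remediation preview mode", false).option("--run-tests", "Run package-manager test validation after apply", false).option("--llm-provider <provider>", "LLM provider: openai|anthropic|local").option("--request-id <id>", "Request correlation ID").option("--session-id <id>", "Session correlation ID").option("--parent-run-id <id>", "Parent run correlation ID").option("--idempotency-key <key>", "Idempotency key for replay-safe execution").option("--resume", "Resume by returning cached result for matching idempotency key", false).option("--actor <name>", "Actor identity for evidence provenance").option("--source <src>", "Source system: cli|sdk|mcp|openapi|unknown").option("--direct-dependencies-only", "Enforce direct-dependency-only remediation constraint", false).option("--prefer-version-bump", "Reject patch-file outcomes when version-bump is preferred", false).option("--json", "Print JSON output", false).action(async (cveId, opts) => {
  await runSingleCve(cveId, opts);
  });
- program.command("scan").description("Remediate vulnerabilities from scanner output (npm/pnpm/yarn audit JSON or SARIF)").requiredOption("--input <path>", "Path to scanner output file").option("--format <type>", "Input format: auto|npm-audit|yarn-audit|sarif", "auto").option("--cwd <path>", "Target project directory", process.cwd()).option("--package-manager <name>", "Package manager: npm|pnpm|yarn").option("--policy <path>", "Path to policy file (.autoremediator.json)").option("--dry-run", "Plan changes only without mutating files", false).option("--run-tests", "Run package-manager test validation after apply", false).option("--llm-provider <provider>", "LLM provider: openai|anthropic|local").option("--no-evidence", "Disable evidence file output").option("--ci", "Enable CI behavior (non-zero exit on failed remediations)", false).option("--summary-file <path>", "Write machine-readable scan summary JSON to path").option("--json", "Print JSON output", false).action(async (opts) => {
+ program.command("scan").description("Remediate vulnerabilities from scanner output (npm/pnpm/yarn audit JSON or SARIF)").requiredOption("--input <path>", "Path to scanner output file").option("--format <type>", "Input format: auto|npm-audit|yarn-audit|sarif", "auto").option("--cwd <path>", "Target project directory", process.cwd()).option("--package-manager <name>", "Package manager: npm|pnpm|yarn").option("--policy <path>", "Path to policy file (.autoremediator.json)").option("--dry-run", "Plan changes only without mutating files", false).option("--preview", "Run non-mutating remediation preview mode", false).option("--run-tests", "Run package-manager test validation after apply", false).option("--llm-provider <provider>", "LLM provider: openai|anthropic|local").option("--request-id <id>", "Request correlation ID").option("--session-id <id>", "Session correlation ID").option("--parent-run-id <id>", "Parent run correlation ID").option("--idempotency-key <key>", "Idempotency key for replay-safe execution").option("--resume", "Resume by returning cached result for matching idempotency key", false).option("--actor <name>", "Actor identity for evidence provenance").option("--source <src>", "Source system: cli|sdk|mcp|openapi|unknown").option("--direct-dependencies-only", "Enforce direct-dependency-only remediation constraint", false).option("--prefer-version-bump", "Reject patch-file outcomes when version-bump is preferred", false).option("--evidence", "Enable evidence file output", true).option("--no-evidence", "Disable evidence file output").option("--ci", "Enable CI behavior (non-zero exit on failed remediations)", false).option("--summary-file <path>", "Write machine-readable scan summary JSON to path").option("--json", "Print JSON output", false).action(async (opts) => {
  await runScanInput(opts.input, opts);
  });
- program.argument("[target]", "Scanner output file path (or CVE ID fallback)").option("--cwd <path>", "Target project directory", process.cwd()).option("--package-manager <name>", "Package manager: npm|pnpm|yarn").option("--dry-run", "Plan changes only without mutating files", false).option("--run-tests", "Run package-manager test validation after apply", false).option("--llm-provider <provider>", "LLM provider: openai|anthropic|local").option("--input <path>", "Path to scanner output file (scanner-first mode)").option("--format <type>", "Input format: auto|npm-audit|yarn-audit|sarif", "auto").option("--policy <path>", "Path to policy file (.autoremediator.json)").option("--no-evidence", "Disable evidence file output").option("--ci", "Enable CI behavior (non-zero exit on failed remediations)", false).option("--summary-file <path>", "Write machine-readable scan summary JSON to path").option("--json", "Print JSON output", false).action(async (target, opts) => {
+ program.argument("[target]", "Scanner output file path (or CVE ID fallback)").option("--cwd <path>", "Target project directory", process.cwd()).option("--package-manager <name>", "Package manager: npm|pnpm|yarn").option("--dry-run", "Plan changes only without mutating files", false).option("--preview", "Run non-mutating remediation preview mode", false).option("--run-tests", "Run package-manager test validation after apply", false).option("--llm-provider <provider>", "LLM provider: openai|anthropic|local").option("--request-id <id>", "Request correlation ID").option("--session-id <id>", "Session correlation ID").option("--parent-run-id <id>", "Parent run correlation ID").option("--idempotency-key <key>", "Idempotency key for replay-safe execution").option("--resume", "Resume by returning cached result for matching idempotency key", false).option("--actor <name>", "Actor identity for evidence provenance").option("--source <src>", "Source system: cli|sdk|mcp|openapi|unknown").option("--direct-dependencies-only", "Enforce direct-dependency-only remediation constraint", false).option("--prefer-version-bump", "Reject patch-file outcomes when version-bump is preferred", false).option("--input <path>", "Path to scanner output file (scanner-first mode)").option("--format <type>", "Input format: auto|npm-audit|yarn-audit|sarif", "auto").option("--policy <path>", "Path to policy file (.autoremediator.json)").option("--evidence", "Enable evidence file output", true).option("--no-evidence", "Disable evidence file output").option("--ci", "Enable CI behavior (non-zero exit on failed remediations)", false).option("--summary-file <path>", "Write machine-readable scan summary JSON to path").option("--json", "Print JSON output", false).action(async (target, opts) => {
  if (opts.input) {
  await runScanInput(opts.input, opts);
  return;
@@ -108,12 +133,25 @@ async function main() {
  `Target "${target}" is neither a valid CVE ID nor an existing scan file path.`
  );
  });
- await program.parseAsync(process.argv);
+ return program;
+ }
+ async function main(argv = process.argv) {
+ const program = createProgram();
+ await program.parseAsync(argv);
  }
- main().catch((error) => {
- const message = error instanceof Error ? error.message : String(error);
- process.stderr.write(`[autoremediator] ${message}
+ function isMainModule() {
+ if (!process.argv[1]) return false;
+ return fileURLToPath(import.meta.url) === process.argv[1];
+ }
+ if (isMainModule()) {
+ main().catch((error) => {
+ const message = error instanceof Error ? error.message : String(error);
+ process.stderr.write(`[autoremediator] ${message}
  `);
- process.exit(1);
- });
+ process.exit(1);
+ });
+ }
+ export {
+ createProgram
+ };
  //# sourceMappingURL=cli.js.map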
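Review bot: `isMainModule()` in the last hunk compares `fileURLToPath(import.meta.url)` with the raw `process.argv[1]`, and the two typically differ when the CLI is started through a package-manager bin symlink (for example `node_modules/.bin/autoremediator`), because the module URL points at the real file while `argv[1]` keeps the link path. In that case `main()` is never called and the process exits 0 with no output, which a `--ci` pipeline would read as a clean remediation run even though nothing was checked. Compare resolved paths instead: add `realpathSync` to the existing `fs` import and use `return realpathSync(process.argv[1]) === fileURLToPath(import.meta.url);`. A one-line comment above the guard, saying it exists so that importing `createProgram` does not parse argv, would also help the next reader.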