circle-ir-ai 1.1.0

package/dist/llm/discovery.js

@@ -0,0 +1,505 @@
+/**
+ * LLM Discovery Mode
+ *
+ * Discovers vulnerabilities in methods with no static findings.
+ * Uses LLM to analyze for semantic vulnerabilities that static analysis cannot detect:
+ * - Sanitization logic bugs (e.g., "style".endsWith(x) vs x.equals("style"))
+ * - Shell argument escaping issues
+ * - Context-dependent encoding requirements
+ *
+ * Expected impact: +15-25% on XSS and Command Injection benchmarks.
+ */
+import { getAxLLMClient } from './ax-client.js';
+// ============================================================================
+// CWE-Specific Discovery Prompts
+// ============================================================================
+const CWE_DISCOVERY_PROMPTS = {
+    'CWE-078': `COMMAND INJECTION DISCOVERY (CWE-78)
+
+Look for these SUBTLE vulnerabilities that static analysis misses:
+
+1. SHELL ARGUMENT ESCAPING BUGS:
+   - Arguments passed to shell without proper quoting
+   - Special characters not escaped: ; | & \` $ ( ) { } < > ! # * ?
+   - Arguments with spaces not quoted properly
+
+2. SHELL STRING INTERPRETATION:
+   - User input in shell strings even with "array" style
+   - ProcessBuilder with single command string (not array)
+   - Runtime.exec(String) instead of Runtime.exec(String[])
+
+3. INDIRECT SHELL EXECUTION:
+   - ScriptEngine eval with user input
+   - GroovyShell execution
+   - Jenkins sh(), bat() pipeline steps
+   - Kubernetes/Docker command builders
+
+4. SANITIZATION BYPASSES:
+   - Incomplete blocklist (missing ; but having |)
+   - Case-insensitive bypass
+   - Unicode/encoding bypass
+   - Double encoding
+
+COMMON FALSE NEGATIVES TO FIND:
+- "args" parameter to ProcessBuilder that's actually a shell string
+- "safe" wrappers that don't actually sanitize
+- Validation that checks wrong property (e.g., length instead of content)`,
+    'CWE-079': `XSS DISCOVERY (CWE-79)
+
+Look for these SUBTLE vulnerabilities that static analysis misses:
+
+1. CONTEXT-SPECIFIC ENCODING BUGS:
+   - HTML attribute values need attribute encoding, not HTML encoding
+   - JavaScript context needs JS encoding, not HTML encoding
+   - URL parameters need URL encoding
+   - CSS context needs CSS encoding
+
+2. INCOMPLETE SANITIZATION:
+   - HTML encoding but output in onclick handler
+   - Sanitizing < > but not quotes in attributes
+   - Strip tags but allows event handlers
+   - JSoup.clean() with permissive whitelist
+
+3. DOM-BASED XSS:
+   - Server-side reflection to client-side sinks
+   - Data passed to client without encoding
+   - Template literal injection
+
+4. BYPASSES:
+   - innerHTML with "text" that's actually HTML
+   - React dangerouslySetInnerHTML
+   - Template engines with raw output mode
+   - SVG/MathML vectors
+
+COMMON FALSE NEGATIVES TO FIND:
+- Response.getWriter() that outputs to wrong context
+- Encoding for wrong context (HTML-encoding for JS)
+- Partial encoding that misses edge cases`,
+    'CWE-022': `PATH TRAVERSAL DISCOVERY (CWE-22)
+
+Look for these SUBTLE vulnerabilities that static analysis misses:
+
+1. VALIDATION BYPASSES:
+   - Path normalized AFTER check, not before
+   - startsWith() check with wrong base path
+   - Checking for ".." but not URL-encoded forms
+   - getCanonicalPath() result not validated
+
+2. DOUBLE ENCODING:
+   - %252e%252e%252f (double URL-encoded ../)
+   - Mixed encoding (..%2f or %2e./)
+   - Unicode normalization issues
+
+3. SYMLINK ATTACKS:
+   - Path validated but follows symlinks outside boundary
+   - TOCTOU between validation and use
+
+4. NULL BYTE INJECTION:
+   - file.txt%00.jpg truncates at null on some systems
+
+5. ALTERNATIVE SEPARATORS:
+   - Windows accepts both / and \\
+   - UNC paths: \\\\server\\share
+
+COMMON FALSE NEGATIVES TO FIND:
+- Validation order issues (check then normalize vs normalize then check)
+- Missing validation for certain code paths`,
+    'CWE-094': `CODE INJECTION DISCOVERY (CWE-94)
+
+Look for these SUBTLE vulnerabilities that static analysis misses:
+
+1. DYNAMIC CODE EXECUTION:
+   - Expression language evaluation (EL, SpEL, OGNL, MVEL)
+   - Template engines with unsafe modes
+   - Reflection with user-controlled class/method names
+
+2. DESERIALIZATION:
+   - ObjectInputStream on untrusted data
+   - XMLDecoder, XStream without type filtering
+   - JSON with polymorphic type handling
+   - YAML with unsafe load (not SafeYAML)
+
+3. SCRIPTING ENGINES:
+   - ScriptEngine.eval() with user input
+   - Nashorn JavaScript execution
+   - Groovy shell evaluation
+
+4. RUNTIME COMPILATION:
+   - JavaCompiler with user-controlled code
+   - Dynamic class loading
+
+COMMON FALSE NEGATIVES TO FIND:
+- Deserializers that look safe but have gadget chains
+- Expression languages in unexpected places`,
+};
+// ============================================================================
+// Discovery Engine
+// ============================================================================
+export class DiscoveryEngine {
+    client;
+    verbose;
+    constructor(client, config) {
+        this.client = client || getAxLLMClient(config);
+        this.verbose = false;
+    }
+    /**
+     * Discover vulnerabilities in methods with no static findings
+     */
+    async discoverInFile(ir, code, filePath, options = {}) {
+        const results = [];
+        this.verbose = options.verbose ?? false;
+        // Extract methods from IR
+        const methods = this.extractMethods(ir, code, options);
+        if (this.verbose) {
+            console.log(`[Discovery] Analyzing ${methods.length} methods in ${filePath}`);
+        }
+        // Determine which CWEs to focus on
+        const targetCWEs = options.targetCWEs || ['CWE-078', 'CWE-079', 'CWE-022', 'CWE-094'];
+        const timeout = options.timeoutPerMethod || 30000;
+        // Analyze each method
+        for (const method of methods) {
+            if (this.verbose) {
+                console.log(`[Discovery] Analyzing ${method.className}.${method.methodName}`);
+            }
+            const startTime = Date.now();
+            try {
+                const result = await Promise.race([
+                    this.analyzeMethod(method, targetCWEs, options),
+                    new Promise((_, reject) => setTimeout(() => reject(new Error('Discovery timeout')), timeout)),
+                ]);
+                result.discoveryTimeMs = Date.now() - startTime;
+                results.push(result);
+            }
+            catch (error) {
+                if (this.verbose) {
+                    console.log(`[Discovery] Failed for ${method.className}.${method.methodName}: ${error}`);
+                }
+                results.push({
+                    methodId: `${method.className}.${method.methodName}`,
+                    vulnerabilityFound: false,
+                    reasoning: `Discovery failed: ${error}`,
+                    confidence: 0,
+                    discoveryTimeMs: Date.now() - startTime,
+                });
+            }
+        }
+        return results;
+    }
+    /**
+     * Analyze a single method for vulnerabilities
+     */
+    async analyzeMethod(method, targetCWEs, options) {
+        const methodId = `${method.className}.${method.methodName}`;
+        const confidenceThreshold = options.confidenceThreshold ?? 0.6;
+        // Build the discovery prompt
+        const cweGuidance = targetCWEs
+            .map(cwe => CWE_DISCOVERY_PROMPTS[cwe] || '')
+            .filter(p => p)
+            .join('\n\n---\n\n');
+        const systemPrompt = `You are a security expert performing deep code analysis to find vulnerabilities that automated tools miss.
+
+${cweGuidance}
+
+ANALYSIS APPROACH:
+1. Identify all potential sources of untrusted data
+2. Trace data flow manually through the code
+3. Check for ALL the subtle patterns described above
+4. Consider what an attacker could control and how they could exploit it
+
+IMPORTANT: Only report vulnerabilities you are confident about. False positives waste time.
+Be specific about the vulnerability type and how it could be exploited.`;
+        const userPrompt = `Analyze this Java method for security vulnerabilities:
+
+Class: ${method.className}
+Method: ${method.methodName}
+Annotations: ${method.annotations.join(', ') || 'none'}
+Imports: ${method.imports.slice(0, 20).join(', ')}
+
+\`\`\`java
+${method.methodCode}
+\`\`\`
+
+Does this method contain any security vulnerabilities (${targetCWEs.join(', ')})?
+
+Respond in JSON:
+{
+  "vulnerabilityFound": true/false,
+  "vulnerability": {
+    "type": "command_injection|xss|path_traversal|code_injection|...",
+    "cwe": "CWE-XXX",
+    "severity": "critical|high|medium|low",
+    "line": <line number>,
+    "code": "vulnerable code snippet",
+    "description": "what the vulnerability is",
+    "attackVector": "how to exploit it",
+    "remediation": "how to fix it",
+    "source": {
+      "line": <source line>,
+      "type": "http_param|http_body|...",
+      "variable": "variable name"
+    }
+  },
+  "reasoning": "detailed analysis",
+  "confidence": 0.0-1.0
+}
+
+If no vulnerability found, respond:
+{
+  "vulnerabilityFound": false,
+  "reasoning": "why this code is safe",
+  "confidence": 1.0
+}`;
+        try {
+            // Make LLM call using the raw chat JSON method
+            const response = await this.callLLMForDiscovery(systemPrompt, userPrompt);
+            if (!response) {
+                return {
+                    methodId,
+                    vulnerabilityFound: false,
+                    reasoning: 'LLM call failed',
+                    confidence: 0,
+                    discoveryTimeMs: 0,
+                };
+            }
+            // Process the response
+            const vulnerabilityFound = response.vulnerabilityFound === true;
+            const confidence = typeof response.confidence === 'number' ? response.confidence : 0.5;
+            // Filter by confidence threshold
+            if (vulnerabilityFound && confidence < confidenceThreshold) {
+                return {
+                    methodId,
+                    vulnerabilityFound: false,
+                    reasoning: `Potential vulnerability below confidence threshold (${confidence} < ${confidenceThreshold}): ${response.reasoning}`,
+                    confidence,
+                    discoveryTimeMs: 0,
+                };
+            }
+            const result = {
+                methodId,
+                vulnerabilityFound,
+                reasoning: response.reasoning || '',
+                confidence,
+                discoveryTimeMs: 0,
+            };
+            if (vulnerabilityFound && response.vulnerability) {
+                result.vulnerability = {
+                    type: this.normalizeSinkType(response.vulnerability.type),
+                    cwe: response.vulnerability.cwe || 'CWE-unknown',
+                    severity: this.normalizeSeverity(response.vulnerability.severity),
+                    line: response.vulnerability.line || method.startLine,
+                    code: response.vulnerability.code || '',
+                    description: response.vulnerability.description || '',
+                    attackVector: response.vulnerability.attackVector,
+                    remediation: response.vulnerability.remediation || 'Review and fix the vulnerability',
+                    source: response.vulnerability.source,
+                };
+            }
+            return result;
+        }
+        catch (error) {
+            return {
+                methodId,
+                vulnerabilityFound: false,
+                reasoning: `Analysis error: ${error}`,
+                confidence: 0,
+                discoveryTimeMs: 0,
+            };
+        }
+    }
+    /**
+     * Call LLM for discovery analysis via AxLLMClient
+     * Uses chatJSON for circuit breaker, JSON recovery, retry, and timeout handling
+     */
+    async callLLMForDiscovery(systemPrompt, userPrompt) {
+        return this.client.chatJSON(systemPrompt, userPrompt, 'verification');
+    }
+    /**
+     * Extract methods from IR and code
+     */
+    extractMethods(ir, code, options) {
+        const methods = [];
+        const lines = code.split('\n');
+        const maxMethods = options.maxMethodsPerFile ?? 50;
+        const includeWithFindings = options.includeMethodsWithFindings ?? false;
+        // Get lines with findings
+        const linesWithFindings = new Set();
+        if (!includeWithFindings) {
+            for (const source of ir.taint.sources) {
+                linesWithFindings.add(source.line);
+            }
+            for (const sink of ir.taint.sinks) {
+                linesWithFindings.add(sink.line);
+            }
+        }
+        // Extract methods from types
+        for (const type of ir.types) {
+            if (type.kind !== 'class')
+                continue;
+            const className = type.name;
+            const classAnnotations = type.annotations?.map(a => `@${a}`) || [];
+            const imports = ir.imports.map(i => i.imported_name);
+            for (const method of type.methods) {
+                // Check if method has existing findings
+                const hasExistingFindings = !includeWithFindings &&
+                    method.start_line !== undefined &&
+                    method.end_line !== undefined &&
+                    Array.from(linesWithFindings).some(line => line >= method.start_line && line <= method.end_line);
+                // Skip methods with existing findings unless configured otherwise
+                if (hasExistingFindings && !includeWithFindings) {
+                    continue;
+                }
+                // Extract method code
+                const startLine = method.start_line;
+                const endLine = method.end_line ?? startLine + 20;
+                const methodCode = lines.slice(startLine - 1, endLine).join('\n');
+                // Skip very short methods (likely getters/setters)
+                if (methodCode.split('\n').length < 3) {
+                    continue;
+                }
+                // Skip common safe patterns
+                if (this.isLikelySafeMethod(method.name, methodCode)) {
+                    continue;
+                }
+                methods.push({
+                    className,
+                    methodName: method.name,
+                    methodCode,
+                    startLine,
+                    endLine,
+                    annotations: [
+                        ...classAnnotations,
+                        ...(method.annotations?.map(a => `@${a}`) || []),
+                    ],
+                    imports,
+                    hasExistingFindings,
+                });
+                if (methods.length >= maxMethods) {
+                    break;
+                }
+            }
+            if (methods.length >= maxMethods) {
+                break;
+            }
+        }
+        return methods;
+    }
+    /**
+     * Check if a method is likely safe (simple getter/setter/constructor)
+     */
+    isLikelySafeMethod(methodName, methodCode) {
+        const lowerName = methodName.toLowerCase();
+        // Skip common safe patterns
+        if (lowerName.startsWith('get') && methodCode.includes('return this.')) {
+            return true;
+        }
+        if (lowerName.startsWith('set') && !methodCode.includes('exec') && !methodCode.includes('eval')) {
+            return true;
+        }
+        if (lowerName === 'tostring' || lowerName === 'hashcode' || lowerName === 'equals') {
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Normalize sink type string
+     */
+    normalizeSinkType(type) {
+        const lower = (type || '').toLowerCase().replace(/[_-]/g, '_');
+        const typeMap = {
+            'command_injection': 'command_injection',
+            'cmd_injection': 'command_injection',
+            'os_command': 'command_injection',
+            'xss': 'xss',
+            'cross_site_scripting': 'xss',
+            'path_traversal': 'path_traversal',
+            'directory_traversal': 'path_traversal',
+            'lfi': 'path_traversal',
+            'code_injection': 'code_injection',
+            'remote_code_execution': 'code_injection',
+            'rce': 'code_injection',
+            'sql_injection': 'sql_injection',
+            'sqli': 'sql_injection',
+            'deserialization': 'deserialization',
+            'insecure_deserialization': 'deserialization',
+            'xxe': 'xxe',
+            'xml_external_entity': 'xxe',
+            'ssrf': 'ssrf',
+            'server_side_request_forgery': 'ssrf',
+        };
+        return typeMap[lower] || 'code_injection';
+    }
+    /**
+     * Normalize severity string
+     */
+    normalizeSeverity(severity) {
+        const lower = (severity || '').toLowerCase();
+        if (lower === 'critical')
+            return 'critical';
+        if (lower === 'high')
+            return 'high';
+        if (lower === 'medium' || lower === 'moderate')
+            return 'medium';
+        return 'low';
+    }
+}
+// ============================================================================
+// Convenience Functions
+// ============================================================================
+/**
+ * Get a new discovery engine instance
+ * Always creates a fresh instance for per-request isolation
+ */
+export function getDiscoveryEngine(config, client) {
+    return new DiscoveryEngine(client, config);
+}
+/**
+ * Discover vulnerabilities in a file
+ */
+export async function discoverVulnerabilities(ir, code, filePath, options) {
+    return getDiscoveryEngine().discoverInFile(ir, code, filePath, options);
+}
+/**
+ * Convert discovery results to findings
+ */
+export function discoveryResultsToFindings(results, filePath) {
+    const findings = [];
+    for (const result of results) {
+        if (result.vulnerabilityFound && result.vulnerability) {
+            const vuln = result.vulnerability;
+            findings.push({
+                id: `discovery-${filePath}:${vuln.line}-${vuln.type}`,
+                type: vuln.type,
+                cwe: vuln.cwe,
+                severity: vuln.severity,
+                confidence: result.confidence,
+                source: vuln.source
+                    ? {
+                        file: filePath,
+                        line: vuln.source.line,
+                        code: vuln.source.variable,
+                    }
+                    : {
+                        file: filePath,
+                        line: vuln.line,
+                        code: 'user input',
+                    },
+                sink: {
+                    file: filePath,
+                    line: vuln.line,
+                    code: vuln.code,
+                },
+                path: [],
+                exploitable: vuln.severity === 'critical' || vuln.severity === 'high',
+                explanation: `[LLM Discovery] ${vuln.description}\n\nReasoning: ${result.reasoning}`,
+                remediation: vuln.remediation,
+                verification: {
+                    graph_path_exists: true,
+                    llm_verified: true,
+                    llm_confidence: result.confidence,
+                },
+            });
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=discovery.js.map

package/dist/llm/discovery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/llm/discovery.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,cAAc,EAAoB,MAAM,gBAAgB,CAAC;AAsFlE,+EAA+E;AAC/E,iCAAiC;AACjC,+EAA+E;AAE/E,MAAM,qBAAqB,GAA2B;IACpD,SAAS,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;0EA6B6D;IAExE,SAAS,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;0CA8B6B;IAExC,SAAS,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;4CA4B+B;IAE1C,SAAS,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;4CA0B+B;CAC3C,CAAC;AAEF,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E,MAAM,OAAO,eAAe;IAClB,MAAM,CAAc;IACpB,OAAO,CAAU;IAEzB,YAAY,MAAoB,EAAE,MAA2B;QAC3D,IAAI,CAAC,MAAM,GAAG,MAAM,IAAI,cAAc,CAAC,MAAM,CAAC,CAAC;QAC/C,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAClB,EAAY,EACZ,IAAY,EACZ,QAAgB,EAChB,UAA4B,EAAE;QAE9B,MAAM,OAAO,GAAsB,EAAE,CAAC;QACtC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,KAAK,CAAC;QAExC,0BAA0B;QAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QAEvD,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,yBAAyB,OAAO,CAAC,MAAM,eAAe,QAAQ,EAAE,CAAC,CAAC;QAChF,CAAC;QAED,mCAAmC;QACnC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QACtF,MAAM,OAAO,GAAG,OAAO,CAAC,gBAAgB,IAAI,KAAK,CAAC;QAElD,sBAAsB;QACtB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACjB,OAAO,CAAC,GAAG,CAAC,yBAAyB,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;YAChF,CAAC;YAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAE7B,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;oBAChC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC;oBAC/C,IAAI,OAAO,CAAkB,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CACzC,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC,EAAE,OAAO,CAAC,CAClE;iBACF,CAAC,CAAC;gBAEH,MAAM,CAAC,eAAe,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;gBAChD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACvB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;oBACjB,OAAO,CAAC,GAAG,CAAC,0BAA0B,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,UAAU,KAAK,KAAK,EAAE,CAAC,CAAC;gBAC3F,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC;oBACX,QAAQ,EAAE,GAAG,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE;oBACpD,kBAAkB,EAAE,KAAK;oBACzB,SAAS,EAAE,qBAAqB,KAAK,EAAE;oBACvC,UAAU,EAAE,CAAC;oBACb,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACxC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,aAAa,CACzB,MAAqB,EACrB,UAAoB,EACpB,OAAyB;QAEzB,MAAM,QAAQ,GAAG,GAAG,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QAC5D,MAAM,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,IAAI,GAAG,CAAC;QAE/D,6BAA6B;QAC7B,MAAM,WAAW,GAAG,UAAU;aAC3B,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,qBAAqB,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;aAC5C,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;aACd,IAAI,CAAC,aAAa,CAAC,CAAC;QAEvB,MAAM,YAAY,GAAG;;EAEvB,WAAW;;;;;;;;;wEAS2D,CAAC;QAErE,MAAM,UAAU,GAAG;;SAEd,MAAM,CAAC,SAAS;UACf,MAAM,CAAC,UAAU;eACZ,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM;WAC3C,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;;;EAG/C,MAAM,CAAC,UAAU;;;yDAGsC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA6B5E,CAAC;QAEC,IAAI,CAAC;YACH,+CAA+C;YAC/C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;YAE1E,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,OAAO;oBACL,QAAQ;oBACR,kBAAkB,EAAE,KAAK;oBACzB,SAAS,EAAE,iBAAiB;oBAC5B,UAAU,EAAE,CAAC;oBACb,eAAe,EAAE,CAAC;iBACnB,CAAC;YACJ,CAAC;YAED,uBAAuB;YACvB,MAAM,kBAAkB,GAAG,QAAQ,CAAC,kBAAkB,KAAK,IAAI,CAAC;YAChE,MAAM,UAAU,GAAG,OAAO,QAAQ,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC;YAEvF,iCAAiC;YACjC,IAAI,kBAAkB,IAAI,UAAU,GAAG,mBAAmB,EAAE,CAAC;gBAC3D,OAAO;oBACL,QAAQ;oBACR,kBAAkB,EAAE,KAAK;oBACzB,SAAS,EAAE,uDAAuD,UAAU,MAAM,mBAAmB,MAAM,QAAQ,CAAC,SAAS,EAAE;oBAC/H,UAAU;oBACV,eAAe,EAAE,CAAC;iBACnB,CAAC;YACJ,CAAC;YAED,MAAM,MAAM,GAAoB;gBAC9B,QAAQ;gBACR,kBAAkB;gBAClB,SAAS,EAAE,QAAQ,CAAC,SAAS,IAAI,EAAE;gBACnC,UAAU;gBACV,eAAe,EAAE,CAAC;aACnB,CAAC;YAEF,IAAI,kBAAkB,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAC;gBACjD,MAAM,CAAC,aAAa,GAAG;oBACrB,IAAI,EAAE,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,CAAC;oBACzD,GAAG,EAAE,QAAQ,CAAC,aAAa,CAAC,GAAG,IAAI,aAAa;oBAChD,QAAQ,EAAE,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,aAAa,CAAC,QAAQ,CAAC;oBACjE,IAAI,EAAE,QAAQ,CAAC,aAAa,CAAC,IAAI,IAAI,MAAM,CAAC,SAAS;oBACrD,IAAI,EAAE,QAAQ,CAAC,aAAa,CAAC,IAAI,IAAI,EAAE;oBACvC,WAAW,EAAE,QAAQ,CAAC,aAAa,CAAC,WAAW,IAAI,EAAE;oBACrD,YAAY,EAAE,QAAQ,CAAC,aAAa,CAAC,YAAY;oBACjD,WAAW,EAAE,QAAQ,CAAC,aAAa,CAAC,WAAW,IAAI,kCAAkC;oBACrF,MAAM,EAAE,QAAQ,CAAC,aAAa,CAAC,MAAM;iBACtC,CAAC;YACJ,CAAC;YAED,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,QAAQ;gBACR,kBAAkB,EAAE,KAAK;gBACzB,SAAS,EAAE,mBAAmB,KAAK,EAAE;gBACrC,UAAU,EAAE,CAAC;gBACb,eAAe,EAAE,CAAC;aACnB,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,mBAAmB,CAC/B,YAAoB,EACpB,UAAkB;QAElB,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAM,YAAY,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;IAC7E,CAAC;IAED;;OAEG;IACK,cAAc,CACpB,EAAY,EACZ,IAAY,EACZ,OAAyB;QAEzB,MAAM,OAAO,GAAoB,EAAE,CAAC;QACpC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC/B,MAAM,UAAU,GAAG,OAAO,CAAC,iBAAiB,IAAI,EAAE,CAAC;QACnD,MAAM,mBAAmB,GAAG,OAAO,CAAC,0BAA0B,IAAI,KAAK,CAAC;QAExE,0BAA0B;QAC1B,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAU,CAAC;QAC5C,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,KAAK,MAAM,MAAM,IAAI,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;gBACtC,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACrC,CAAC;YACD,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;gBAClC,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAED,6BAA6B;QAC7B,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,KAAK,EAAE,CAAC;YAC5B,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO;gBAAE,SAAS;YAEpC,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC;YAC5B,MAAM,gBAAgB,GAAG,IAAI,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;YACnE,MAAM,OAAO,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;YAErD,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBAClC,wCAAwC;gBACxC,MAAM,mBAAmB,GACvB,CAAC,mBAAmB;oBACpB,MAAM,CAAC,UAAU,KAAK,SAAS;oBAC/B,MAAM,CAAC,QAAQ,KAAK,SAAS;oBAC7B,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAChC,IAAI,CAAC,EAAE,CAAC,IAAI,IAAI,MAAM,CAAC,UAAU,IAAI,IAAI,IAAI,MAAM,CAAC,QAAQ,CAC7D,CAAC;gBAEJ,kEAAkE;gBAClE,IAAI,mBAAmB,IAAI,CAAC,mBAAmB,EAAE,CAAC;oBAChD,SAAS;gBACX,CAAC;gBAED,sBAAsB;gBACtB,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC;gBACpC,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,IAAI,SAAS,GAAG,EAAE,CAAC;gBAClD,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAElE,mDAAmD;gBACnD,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACtC,SAAS;gBACX,CAAC;gBAED,4BAA4B;gBAC5B,IAAI,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,EAAE,CAAC;oBACrD,SAAS;gBACX,CAAC;gBAED,OAAO,CAAC,IAAI,CAAC;oBACX,SAAS;oBACT,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,UAAU;oBACV,SAAS;oBACT,OAAO;oBACP,WAAW,EAAE;wBACX,GAAG,gBAAgB;wBACnB,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;qBACjD;oBACD,OAAO;oBACP,mBAAmB;iBACpB,CAAC,CAAC;gBAEH,IAAI,OAAO,CAAC,MAAM,IAAI,UAAU,EAAE,CAAC;oBACjC,MAAM;gBACR,CAAC;YACH,CAAC;YAED,IAAI,OAAO,CAAC,MAAM,IAAI,UAAU,EAAE,CAAC;gBACjC,MAAM;YACR,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACK,kBAAkB,CAAC,UAAkB,EAAE,UAAkB;QAC/D,MAAM,SAAS,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;QAE3C,4BAA4B;QAC5B,IAAI,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACvE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAChG,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,SAAS,KAAK,UAAU,IAAI,SAAS,KAAK,UAAU,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;YACnF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,iBAAiB,CAAC,IAAY;QACpC,MAAM,KAAK,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC/D,MAAM,OAAO,GAA6B;YACxC,mBAAmB,EAAE,mBAAmB;YACxC,eAAe,EAAE,mBAAmB;YACpC,YAAY,EAAE,mBAAmB;YACjC,KAAK,EAAE,KAAK;YACZ,sBAAsB,EAAE,KAAK;YAC7B,gBAAgB,EAAE,gBAAgB;YAClC,qBAAqB,EAAE,gBAAgB;YACvC,KAAK,EAAE,gBAAgB;YACvB,gBAAgB,EAAE,gBAAgB;YAClC,uBAAuB,EAAE,gBAAgB;YACzC,KAAK,EAAE,gBAAgB;YACvB,eAAe,EAAE,eAAe;YAChC,MAAM,EAAE,eAAe;YACvB,iBAAiB,EAAE,iBAAiB;YACpC,0BAA0B,EAAE,iBAAiB;YAC7C,KAAK,EAAE,KAAK;YACZ,qBAAqB,EAAE,KAAK;YAC5B,MAAM,EAAE,MAAM;YACd,6BAA6B,EAAE,MAAM;SACtC,CAAC;QACF,OAAO,OAAO,CAAC,KAAK,CAAC,IAAI,gBAAgB,CAAC;IAC5C,CAAC;IAED;;OAEG;IACK,iBAAiB,CAAC,QAAgB;QACxC,MAAM,KAAK,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QAC7C,IAAI,KAAK,KAAK,UAAU;YAAE,OAAO,UAAU,CAAC;QAC5C,IAAI,KAAK,KAAK,MAAM;YAAE,OAAO,MAAM,CAAC;QACpC,IAAI,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,UAAU;YAAE,OAAO,QAAQ,CAAC;QAChE,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAED,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAA2B,EAAE,MAAoB;IAClF,OAAO,IAAI,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,EAAY,EACZ,IAAY,EACZ,QAAgB,EAChB,OAA0B;IAE1B,OAAO,kBAAkB,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;AAC1E,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,0BAA0B,CACxC,OAA0B,EAC1B,QAAgB;IAEhB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YACtD,MAAM,IAAI,GAAG,MAAM,CAAC,aAAa,CAAC;YAElC,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,aAAa,QAAQ,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE;gBACrD,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,MAAM,EAAE,IAAI,CAAC,MAAM;oBACjB,CAAC,CAAC;wBACE,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;wBACtB,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;qBAC3B;oBACH,CAAC,CAAC;wBACE,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,YAAY;qBACnB;gBACL,IAAI,EAAE;oBACJ,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,IAAI,CAAC,IAAI;iBAChB;gBACD,IAAI,EAAE,EAAE;gBACR,WAAW,EAAE,IAAI,CAAC,QAAQ,KAAK,UAAU,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM;gBACrE,WAAW,EAAE,mBAAmB,IAAI,CAAC,WAAW,kBAAkB,MAAM,CAAC,SAAS,EAAE;gBACpF,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,YAAY,EAAE;oBACZ,iBAAiB,EAAE,IAAI;oBACvB,YAAY,EAAE,IAAI;oBAClB,cAAc,EAAE,MAAM,CAAC,UAAU;iBAClC;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/llm/enrichment.d.ts

@@ -0,0 +1,108 @@
+/**
+ * LLM Enrichment Engine (Phase 1)
+ *
+ * Uses LLM to discover:
+ * - Taint sources beyond YAML patterns
+ * - Taint sinks beyond YAML patterns
+ * - Class/method roles (controller, service, repository)
+ * - Virtual call resolution
+ *
+ * Supports language-aware prompts for Java, Python, JavaScript/TypeScript, and Rust.
+ */
+import { type AxLLMClient } from './ax-client.js';
+import type { TypeInfo, MethodInfo, CallInfo, TaintSource, TaintSink, SupportedLanguage } from 'circle-ir';
+export interface RoleClassificationResult {
+    role: 'controller' | 'service' | 'repository' | 'utility' | 'entity' | 'unknown';
+    confidence: number;
+    reasoning: string;
+    indicators: string[];
+}
+export interface DiscoveredSource {
+    line: number;
+    variable: string;
+    type: string;
+    method?: string;
+    confidence: number;
+    reasoning: string;
+}
+export interface DiscoveredSink {
+    line: number;
+    method: string;
+    type: string;
+    cwe: string;
+    argPositions: number[];
+    confidence: number;
+    reasoning: string;
+}
+export interface VirtualCallResolution {
+    callLine: number;
+    interfaceType: string;
+    resolvedImplementation: string;
+    confidence: number;
+    reasoning: string;
+}
+export interface EnrichmentResult {
+    role?: RoleClassificationResult;
+    additionalSources: DiscoveredSource[];
+    additionalSinks: DiscoveredSink[];
+    virtualCallResolutions: VirtualCallResolution[];
+    framework?: {
+        name: string;
+        version?: string;
+        confidence: number;
+    };
+    enrichedAt: string;
+    modelUsed: string;
+}
+export declare class EnrichmentEngine {
+    private client;
+    private config;
+    private language;
+    constructor(client?: AxLLMClient, language?: SupportedLanguage);
+    /**
+     * Set the language for enrichment (affects prompts)
+     */
+    setLanguage(language: SupportedLanguage): void;
+    /**
+     * Get the current language context
+     */
+    getLanguageContext(): import("./language-context.js").LanguageContext;
+    /**
+     * Classify the role of a class
+     */
+    classifyRole(className: string, methods: MethodInfo[], annotations: string[], imports: string[]): Promise<RoleClassificationResult | undefined>;
+    /**
+     * Discover additional taint sources in a method
+     */
+    discoverSources(methodCode: string, methodName: string, classRole: string, existingSources: TaintSource[]): Promise<DiscoveredSource[]>;
+    /**
+     * Discover additional taint sinks in a method
+     */
+    discoverSinks(methodCode: string, methodName: string, methodCalls: CallInfo[], existingSinks: TaintSink[]): Promise<DiscoveredSink[]>;
+    /**
+     * Resolve virtual/interface method calls to implementations
+     */
+    resolveVirtualCall(callExpression: string, interfaceType: string, availableImplementations: string[], context: string): Promise<VirtualCallResolution | undefined>;
+    /**
+     * Enrich a complete type (class/interface)
+     */
+    enrichType(type: TypeInfo, sourceCode: string, imports: string[], existingSources: TaintSource[], existingSinks: TaintSink[]): Promise<EnrichmentResult>;
+    /**
+     * Batch methods for efficient LLM calls
+     */
+    private batchMethods;
+    /**
+     * Extract method code from source
+     */
+    private extractMethodCode;
+}
+/**
+ * Get a new enrichment engine instance for a specific language
+ * Always creates a fresh instance for per-request isolation
+ */
+export declare function getEnrichmentEngine(language?: SupportedLanguage, client?: AxLLMClient): EnrichmentEngine;
+/**
+ * Enrich a type with LLM-discovered sources/sinks
+ */
+export declare function enrichType(type: TypeInfo, sourceCode: string, imports: string[], existingSources: TaintSource[], existingSinks: TaintSink[], language?: SupportedLanguage): Promise<EnrichmentResult>;
+//# sourceMappingURL=enrichment.d.ts.map

package/dist/llm/enrichment.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"enrichment.d.ts","sourceRoot":"","sources":["../../src/llm/enrichment.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAkB,KAAK,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,WAAW,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAY3G,MAAM,WAAW,wBAAwB;IACvC,IAAI,EAAE,YAAY,GAAG,SAAS,GAAG,YAAY,GAAG,SAAS,GAAG,QAAQ,GAAG,SAAS,CAAC;IACjF,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,gBAAgB;IAE/B,IAAI,CAAC,EAAE,wBAAwB,CAAC;IAGhC,iBAAiB,EAAE,gBAAgB,EAAE,CAAC;IACtC,eAAe,EAAE,cAAc,EAAE,CAAC;IAGlC,sBAAsB,EAAE,qBAAqB,EAAE,CAAC;IAGhD,SAAS,CAAC,EAAE;QACV,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IAGF,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAoHD,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,MAAM,CAMZ;IACF,OAAO,CAAC,QAAQ,CAAoB;gBAExB,MAAM,CAAC,EAAE,WAAW,EAAE,QAAQ,GAAE,iBAA0B;IAMtE;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,iBAAiB,GAAG,IAAI;IAI9C;;OAEG;IACH,kBAAkB;IAIlB;;OAEG;IACG,YAAY,CAChB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,UAAU,EAAE,EACrB,WAAW,EAAE,MAAM,EAAE,EACrB,OAAO,EAAE,MAAM,EAAE,GAChB,OAAO,CAAC,wBAAwB,GAAG,SAAS,CAAC;IAyBhD;;OAEG;IACG,eAAe,CACnB,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,MAAM,EACjB,eAAe,EAAE,WAAW,EAAE,GAC7B,OAAO,CAAC,gBAAgB,EAAE,CAAC;IAuB9B;;OAEG;IACG,aAAa,CACjB,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,QAAQ,EAAE,EACvB,aAAa,EAAE,SAAS,EAAE,GACzB,OAAO,CAAC,cAAc,EAAE,CAAC;IAuB5B;;OAEG;IACG,kBAAkB,CACtB,cAAc,EAAE,MAAM,EACtB,aAAa,EAAE,MAAM,EACrB,wBAAwB,EAAE,MAAM,EAAE,EAClC,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,qBAAqB,GAAG,SAAS,CAAC;IA6B7C;;OAEG;IACG,UAAU,CACd,IAAI,EAAE,QAAQ,EACd,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,EAAE,EACjB,eAAe,EAAE,WAAW,EAAE,EAC9B,aAAa,EAAE,SAAS,EAAE,GACzB,OAAO,CAAC,gBAAgB,CAAC;IAiD5B;;OAEG;IACH,OAAO,CAAC,YAAY;IAQpB;;OAEG;IACH,OAAO,CAAC,iBAAiB;CAO1B;AAMD;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,GAAE,iBAA0B,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,gBAAgB,CAEhH;AAED;;GAEG;AACH,wBAAsB,UAAU,CAC9B,IAAI,EAAE,QAAQ,EACd,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,EAAE,EACjB,eAAe,EAAE,WAAW,EAAE,EAC9B,aAAa,EAAE,SAAS,EAAE,EAC1B,QAAQ,GAAE,iBAA0B,GACnC,OAAO,CAAC,gBAAgB,CAAC,CAQ3B"}