circle-ir 3.25.0 → 3.28.0

package/dist/analysis/passes/scan-secrets-pass.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Pass #90: scan-secrets (category: security, CWE-798)
+ *
+ * Detects hardcoded credentials across all 7 supported languages
+ * (Java, JS/TS, Python, Go, Rust, Bash, HTML).
+ *
+ * Two detection layers:
+ *
+ *   1. Provider-specific regex patterns. ~16 high-confidence prefixes /
+ *      shapes (AWS AKIA, GitHub `ghp_`/`gho_`/`ghs_`/`ghu_`/`ghr_`,
+ *      Stripe `sk_live_`/`pk_live_`, OpenAI `sk-`, Anthropic `sk-ant-`,
+ *      Slack `xox[baprs]-`, Google `AIza`, JWT `eyJ..eyJ..`, PEM private
+ *      keys, npm `npm_`). Each match emits a finding with
+ *      `rule_id: 'hardcoded-credential'` (matches the legacy Bash
+ *      detection in LanguageSourcesPass).
+ *
+ *   2. Shannon-entropy scan of inline string literals. For each
+ *      base64-shaped or hex-shaped quoted string above the length gate,
+ *      compute Shannon entropy; flag if it crosses the per-shape
+ *      threshold. Heavily denylisted (UUIDs, bare SHA hashes, common
+ *      placeholders like "changeme" / "your-key-here", env-var refs)
+ *      and gated against test-file paths. Emits
+ *      `rule_id: 'hardcoded-credential-entropy'` (distinct rule so users
+ *      can filter the noisier entropy branch without losing provider
+ *      coverage).
+ *
+ * Both layers dedupe against any prior `hardcoded-credential` /
+ * `hardcoded-credential-entropy` findings already in the pipeline's
+ * findings buffer, so the pre-existing Bash detection
+ * (`findBashPatternFindings` in language-sources-pass.ts) is never
+ * double-reported.
+ *
+ * Test files (path-based heuristic) are skipped entirely.
+ *
+ * Detection is regex-based on the raw source text, so the pass works
+ * on every language without per-grammar tree walking. This is the same
+ * approach used by `language-sources-pass.findBashPatternFindings` and
+ * `todo-in-prod-pass`.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface ScanSecretsPassResult {
+    /** Number of findings emitted in each layer (for debugging / tests). */
+    providerFindings: number;
+    entropyFindings: number;
+}
+export declare class ScanSecretsPass implements AnalysisPass<ScanSecretsPassResult> {
+    readonly name = "scan-secrets";
+    readonly category: "security";
+    run(ctx: PassContext): ScanSecretsPassResult;
+    /** Length + shape + denylist filter before entropy is computed. */
+    private isCandidate;
+    /**
+     * Shannon-entropy gate. Base64-shaped strings need higher entropy than
+     * hex-shaped (hex alphabet is 4 bits/char by construction). When the
+     * surrounding line contains a credential-shaped variable name, both
+     * thresholds drop by 0.2 bits/char.
+     */
+    private passesEntropyGate;
+}
+//# sourceMappingURL=scan-secrets-pass.d.ts.map

package/dist/analysis/passes/scan-secrets-pass.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-secrets-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/scan-secrets-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AA2M9E,MAAM,WAAW,qBAAqB;IACpC,wEAAwE;IACxE,gBAAgB,EAAE,MAAM,CAAC;IACzB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,qBAAa,eAAgB,YAAW,YAAY,CAAC,qBAAqB,CAAC;IACzE,QAAQ,CAAC,IAAI,kBAAkB;IAC/B,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,qBAAqB;IAoG5C,mEAAmE;IACnE,OAAO,CAAC,WAAW;IAanB;;;;;OAKG;IACH,OAAO,CAAC,iBAAiB;CAO1B"}

package/dist/analysis/passes/scan-secrets-pass.js

@@ -0,0 +1,345 @@
+/**
+ * Pass #90: scan-secrets (category: security, CWE-798)
+ *
+ * Detects hardcoded credentials across all 7 supported languages
+ * (Java, JS/TS, Python, Go, Rust, Bash, HTML).
+ *
+ * Two detection layers:
+ *
+ *   1. Provider-specific regex patterns. ~16 high-confidence prefixes /
+ *      shapes (AWS AKIA, GitHub `ghp_`/`gho_`/`ghs_`/`ghu_`/`ghr_`,
+ *      Stripe `sk_live_`/`pk_live_`, OpenAI `sk-`, Anthropic `sk-ant-`,
+ *      Slack `xox[baprs]-`, Google `AIza`, JWT `eyJ..eyJ..`, PEM private
+ *      keys, npm `npm_`). Each match emits a finding with
+ *      `rule_id: 'hardcoded-credential'` (matches the legacy Bash
+ *      detection in LanguageSourcesPass).
+ *
+ *   2. Shannon-entropy scan of inline string literals. For each
+ *      base64-shaped or hex-shaped quoted string above the length gate,
+ *      compute Shannon entropy; flag if it crosses the per-shape
+ *      threshold. Heavily denylisted (UUIDs, bare SHA hashes, common
+ *      placeholders like "changeme" / "your-key-here", env-var refs)
+ *      and gated against test-file paths. Emits
+ *      `rule_id: 'hardcoded-credential-entropy'` (distinct rule so users
+ *      can filter the noisier entropy branch without losing provider
+ *      coverage).
+ *
+ * Both layers dedupe against any prior `hardcoded-credential` /
+ * `hardcoded-credential-entropy` findings already in the pipeline's
+ * findings buffer, so the pre-existing Bash detection
+ * (`findBashPatternFindings` in language-sources-pass.ts) is never
+ * double-reported.
+ *
+ * Test files (path-based heuristic) are skipped entirely.
+ *
+ * Detection is regex-based on the raw source text, so the pass works
+ * on every language without per-grammar tree walking. This is the same
+ * approach used by `language-sources-pass.findBashPatternFindings` and
+ * `todo-in-prod-pass`.
+ */
+// ---------------------------------------------------------------------------
+// Test-file skip heuristic
+// ---------------------------------------------------------------------------
+/** Path components and filename suffixes that mark test/fixture files. */
+const TEST_PATH_RE = /(?:^|[\\/])(?:test|tests|spec|specs|__tests?__|__mocks?__|fixtures?|testdata)(?:[\\/]|$)/i;
+const TEST_FILENAME_RE = /(?:\.(?:test|spec)\.[cm]?[jt]sx?|_test\.go|_test\.py|Test\.java|Tests\.java)$/i;
+function isTestFile(file) {
+    return TEST_PATH_RE.test(file) || TEST_FILENAME_RE.test(file);
+}
+const PROVIDER_PATTERNS = [
+    {
+        name: 'AWS access key',
+        regex: /\bAKIA[0-9A-Z]{16}\b/,
+        severity: 'critical', level: 'error',
+        fix: 'Rotate the AWS access key immediately and move it to an environment variable or AWS Secrets Manager.',
+    },
+    {
+        name: 'GitHub personal access token',
+        regex: /\bghp_[A-Za-z0-9]{36}\b/,
+        severity: 'critical', level: 'error',
+        fix: 'Revoke the token at https://github.com/settings/tokens and store secrets in CI/CD secrets, not source.',
+    },
+    {
+        name: 'GitHub OAuth token',
+        regex: /\bgho_[A-Za-z0-9]{36}\b/,
+        severity: 'critical', level: 'error',
+        fix: 'Revoke the OAuth token and store secrets outside source control.',
+    },
+    {
+        name: 'GitHub user-to-server token',
+        regex: /\bghu_[A-Za-z0-9]{36}\b/,
+        severity: 'critical', level: 'error',
+        fix: 'Revoke the GitHub user-to-server token and store secrets outside source control.',
+    },
+    {
+        name: 'GitHub server-to-server token',
+        regex: /\bghs_[A-Za-z0-9]{36}\b/,
+        severity: 'critical', level: 'error',
+        fix: 'Revoke the GitHub server-to-server token and store secrets outside source control.',
+    },
+    {
+        name: 'GitHub refresh token',
+        regex: /\bghr_[A-Za-z0-9]{36}\b/,
+        severity: 'critical', level: 'error',
+        fix: 'Revoke the GitHub refresh token and store secrets outside source control.',
+    },
+    {
+        name: 'Stripe live secret key',
+        regex: /\bsk_live_[A-Za-z0-9]{24,}\b/,
+        severity: 'critical', level: 'error',
+        fix: 'Rotate the Stripe secret key in the Stripe Dashboard and load it from a secrets manager.',
+    },
+    {
+        name: 'Stripe live publishable key',
+        regex: /\bpk_live_[A-Za-z0-9]{24,}\b/,
+        severity: 'high', level: 'warning',
+        fix: 'Publishable keys are not secret but should still not be checked in to back-end source files; verify front-end vs back-end context.',
+    },
+    {
+        name: 'OpenAI API key',
+        regex: /\bsk-[A-Za-z0-9]{48}\b/,
+        severity: 'critical', level: 'error',
+        fix: 'Revoke the OpenAI key at https://platform.openai.com/api-keys and load from environment.',
+    },
+    {
+        name: 'Anthropic API key',
+        regex: /\bsk-ant-[A-Za-z0-9_-]{90,}\b/,
+        severity: 'critical', level: 'error',
+        fix: 'Revoke the Anthropic key in the Console and load from environment.',
+    },
+    {
+        name: 'Slack token',
+        regex: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/,
+        severity: 'critical', level: 'error',
+        fix: 'Revoke the Slack token and load from environment.',
+    },
+    {
+        name: 'Google API key',
+        regex: /\bAIza[0-9A-Za-z_-]{35}\b/,
+        severity: 'critical', level: 'error',
+        fix: 'Restrict the Google API key by referrer / IP in the GCP console or revoke it.',
+    },
+    {
+        name: 'JSON Web Token',
+        regex: /\beyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/,
+        severity: 'critical', level: 'error',
+        fix: 'JWTs in source carry whatever scope they were minted with; rotate signing keys and remove the token.',
+    },
+    {
+        name: 'PEM private key',
+        regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----/,
+        severity: 'critical', level: 'error',
+        fix: 'Remove the private key from source control immediately, rotate the corresponding public key, and store keys outside the repository.',
+    },
+    {
+        name: 'npm access token',
+        regex: /\bnpm_[A-Za-z0-9]{36}\b/,
+        severity: 'critical', level: 'error',
+        fix: 'Revoke the npm token at https://www.npmjs.com/settings/<user>/tokens and load from environment.',
+    },
+];
+// ---------------------------------------------------------------------------
+// Entropy patterns (layer 2)
+// ---------------------------------------------------------------------------
+/**
+ * Single-line string-literal extraction across languages.
+ * Matches "...", '...', `...`. Group 1: opening delimiter; Group 2: content.
+ *
+ * Intentionally does NOT try to parse escapes or multi-line strings —
+ * we want the literal-text content as the user wrote it, which is what
+ * Shannon entropy needs to see.
+ */
+const STRING_LITERAL_RE = /(["'`])((?:\\.|(?!\1).){8,200})\1/g;
+const BASE64ISH_RE = /^[A-Za-z0-9+/=_-]+$/;
+const HEXISH_RE = /^[a-fA-F0-9]+$/;
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+const PLACEHOLDER_RE = /(?:changeme|your[-_]?(?:key|secret|token|password)(?:[-_]?here)?|replace[-_]?me|example[-_]?(?:key|secret|token)?|placeholder|todo|fixme|test[-_]?(?:key|secret|token)|fake[-_]?(?:key|secret|token)|dummy|sample|insert[-_]?your)/i;
+/** Bare cryptographic-hash shapes (MD5 / SHA1 / SHA256) — high entropy but rarely a secret on their own. */
+function isBareHashShape(s) {
+    const n = s.length;
+    if (n !== 32 && n !== 40 && n !== 64)
+        return false;
+    return HEXISH_RE.test(s);
+}
+function isAllSameChar(s) {
+    if (s.length < 2)
+        return false;
+    const c = s.charAt(0);
+    for (let i = 1; i < s.length; i++)
+        if (s.charAt(i) !== c)
+            return false;
+    return true;
+}
+/** Decode base64 best-effort; return decoded text or null. Universal (no Node Buffer). */
+function tryBase64Decode(s) {
+    // Quick reject: base64 length must be a multiple of 4 when padded.
+    if (s.length % 4 !== 0 && !/=+$/.test(s))
+        return null;
+    try {
+        return globalThis.atob(s);
+    }
+    catch {
+        return null;
+    }
+}
+/** True if the base64 decodes to something that starts with `{` or `[` (i.e. JSON). */
+function looksLikeBase64Json(s) {
+    const decoded = tryBase64Decode(s);
+    if (!decoded)
+        return false;
+    const trimmed = decoded.trimStart();
+    return trimmed.startsWith('{') || trimmed.startsWith('[');
+}
+function shannonEntropy(s) {
+    const freq = new Map();
+    for (const ch of s)
+        freq.set(ch, (freq.get(ch) ?? 0) + 1);
+    const len = s.length;
+    let h = 0;
+    for (const n of freq.values()) {
+        const p = n / len;
+        h -= p * Math.log2(p);
+    }
+    return h;
+}
+/** Words near the literal that imply credential context — used to lower the entropy threshold. */
+const CREDENTIAL_NAME_RE = /(?:key|secret|token|password|passwd|credential|api[_-]?key)/i;
+// ---------------------------------------------------------------------------
+// Per-line FP-guard substrings (entropy layer only)
+// ---------------------------------------------------------------------------
+const TEST_CALL_RE = /\b(?:expect|assert|describe|it|test)\s*\(/;
+const COMMENT_EXAMPLE_RE = /(?:\/\/|#)\s*(?:example|sample|test|fixture)/i;
+export class ScanSecretsPass {
+    name = 'scan-secrets';
+    category = 'security';
+    run(ctx) {
+        const file = ctx.graph.ir.meta.file;
+        if (isTestFile(file)) {
+            return { providerFindings: 0, entropyFindings: 0 };
+        }
+        const lines = ctx.code.split('\n');
+        const prior = ctx.getFindings?.() ?? [];
+        // Build dedup index keyed on `${line}:${rule_id}` for O(1) lookup.
+        const seen = new Set();
+        for (const f of prior) {
+            if (f.file !== file)
+                continue;
+            if (f.rule_id === 'hardcoded-credential' || f.rule_id === 'hardcoded-credential-entropy') {
+                seen.add(`${f.line}:${f.rule_id}`);
+            }
+        }
+        let providerFindings = 0;
+        let entropyFindings = 0;
+        // Layer 1: provider patterns (line-by-line).
+        for (let i = 0; i < lines.length; i++) {
+            const lineText = lines[i];
+            const lineNum = i + 1;
+            for (const pattern of PROVIDER_PATTERNS) {
+                const m = pattern.regex.exec(lineText);
+                if (!m)
+                    continue;
+                const key = `${lineNum}:hardcoded-credential`;
+                if (seen.has(key))
+                    continue;
+                seen.add(key);
+                ctx.addFinding({
+                    id: `hardcoded-credential-${file}-${lineNum}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: 'hardcoded-credential',
+                    cwe: 'CWE-798',
+                    severity: pattern.severity,
+                    level: pattern.level,
+                    message: `Hardcoded credential: ${pattern.name} detected`,
+                    file,
+                    line: lineNum,
+                    snippet: lineText.trim().substring(0, 120),
+                    fix: pattern.fix,
+                    evidence: { provider: pattern.name, match: m[0].substring(0, 40) },
+                });
+                providerFindings += 1;
+                // First provider hit on a line is enough — same value won't match two
+                // unrelated providers because patterns are prefix-anchored.
+                break;
+            }
+        }
+        // Layer 2: Shannon-entropy scan on string literals.
+        for (let i = 0; i < lines.length; i++) {
+            const lineText = lines[i];
+            const lineNum = i + 1;
+            if (TEST_CALL_RE.test(lineText))
+                continue;
+            if (COMMENT_EXAMPLE_RE.test(lineText))
+                continue;
+            // Reset regex state per line; STRING_LITERAL_RE is global.
+            STRING_LITERAL_RE.lastIndex = 0;
+            let match;
+            while ((match = STRING_LITERAL_RE.exec(lineText)) !== null) {
+                const value = match[2];
+                if (!this.isCandidate(value))
+                    continue;
+                if (!this.passesEntropyGate(value, lineText))
+                    continue;
+                const key = `${lineNum}:hardcoded-credential-entropy`;
+                if (seen.has(key))
+                    continue;
+                // Also dedup against provider-pattern hits on the same line — the
+                // entropy branch is purely additive coverage.
+                if (seen.has(`${lineNum}:hardcoded-credential`))
+                    continue;
+                seen.add(key);
+                ctx.addFinding({
+                    id: `hardcoded-credential-entropy-${file}-${lineNum}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: 'hardcoded-credential-entropy',
+                    cwe: 'CWE-798',
+                    severity: 'high',
+                    level: 'warning',
+                    message: `Possible hardcoded secret: high-entropy string literal (${value.length} chars)`,
+                    file,
+                    line: lineNum,
+                    snippet: lineText.trim().substring(0, 120),
+                    fix: 'If this is a credential, move it to environment / secrets manager. If it is sample data, add an `example` / `test` marker or disable this pass via `disabledPasses: [\'scan-secrets\']`.',
+                    evidence: { kind: 'entropy', length: value.length },
+                });
+                entropyFindings += 1;
+            }
+        }
+        return { providerFindings, entropyFindings };
+    }
+    /** Length + shape + denylist filter before entropy is computed. */
+    isCandidate(s) {
+        if (s.length < 20 || s.length > 200)
+            return false;
+        if (!BASE64ISH_RE.test(s) && !HEXISH_RE.test(s))
+            return false;
+        if (UUID_RE.test(s))
+            return false;
+        if (isBareHashShape(s))
+            return false;
+        if (isAllSameChar(s))
+            return false;
+        if (PLACEHOLDER_RE.test(s))
+            return false;
+        // Skip strings that are themselves a recognizable base64-encoded JSON
+        // payload (configs, PEM-bundles, etc.).
+        if (looksLikeBase64Json(s))
+            return false;
+        return true;
+    }
+    /**
+     * Shannon-entropy gate. Base64-shaped strings need higher entropy than
+     * hex-shaped (hex alphabet is 4 bits/char by construction). When the
+     * surrounding line contains a credential-shaped variable name, both
+     * thresholds drop by 0.2 bits/char.
+     */
+    passesEntropyGate(value, lineText) {
+        const isHex = HEXISH_RE.test(value);
+        const boost = CREDENTIAL_NAME_RE.test(lineText) ? 0.2 : 0;
+        const threshold = isHex ? (3.5 - boost) : (4.3 - boost);
+        const h = shannonEntropy(value);
+        return h >= threshold;
+    }
+}
+//# sourceMappingURL=scan-secrets-pass.js.map

package/dist/analysis/passes/scan-secrets-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-secrets-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/scan-secrets-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAKH,8EAA8E;AAC9E,2BAA2B;AAC3B,8EAA8E;AAE9E,0EAA0E;AAC1E,MAAM,YAAY,GAAG,2FAA2F,CAAC;AACjH,MAAM,gBAAgB,GAAG,gFAAgF,CAAC;AAE1G,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAChE,CAAC;AAiBD,MAAM,iBAAiB,GAAsB;IAC3C;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,sBAAsB;QAC7B,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,sGAAsG;KAC5G;IACD;QACE,IAAI,EAAE,8BAA8B;QACpC,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,wGAAwG;KAC9G;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,kEAAkE;KACxE;IACD;QACE,IAAI,EAAE,6BAA6B;QACnC,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,kFAAkF;KACxF;IACD;QACE,IAAI,EAAE,+BAA+B;QACrC,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,oFAAoF;KAC1F;IACD;QACE,IAAI,EAAE,sBAAsB;QAC5B,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,2EAA2E;KACjF;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,KAAK,EAAE,8BAA8B;QACrC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,0FAA0F;KAChG;IACD;QACE,IAAI,EAAE,6BAA6B;QACnC,KAAK,EAAE,8BAA8B;QACrC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS;QAClC,GAAG,EAAE,oIAAoI;KAC1I;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,wBAAwB;QAC/B,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,0FAA0F;KAChG;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,KAAK,EAAE,+BAA+B;QACtC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,oEAAoE;KAC1E;IACD;QACE,IAAI,EAAE,aAAa;QACnB,KAAK,EAAE,kCAAkC;QACzC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,mDAAmD;KACzD;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,2BAA2B;QAClC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,+EAA+E;KACrF;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,sEAAsE;QAC7E,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,sGAAsG;KAC5G;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,KAAK,EAAE,6DAA6D;QACpE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,qIAAqI;KAC3I;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,iGAAiG;KACvG;CACF,CAAC;AAEF,8EAA8E;AAC9E,6BAA6B;AAC7B,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,iBAAiB,GAAG,oCAAoC,CAAC;AAE/D,MAAM,YAAY,GAAG,qBAAqB,CAAC;AAC3C,MAAM,SAAS,GAAG,gBAAgB,CAAC;AACnC,MAAM,OAAO,GAAG,iEAAiE,CAAC;AAElF,MAAM,cAAc,GAClB,qOAAqO,CAAC;AAExO,4GAA4G;AAC5G,SAAS,eAAe,CAAC,CAAS;IAChC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IACnB,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IACnD,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,aAAa,CAAC,CAAS;IAC9B,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;IACvE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,0FAA0F;AAC1F,SAAS,eAAe,CAAC,CAAS;IAChC,mEAAmE;IACnE,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACtD,IAAI,CAAC;QACH,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,uFAAuF;AACvF,SAAS,mBAAmB,CAAC,CAAS;IACpC,MAAM,OAAO,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IACpC,OAAO,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,cAAc,CAAC,CAAS;IAC/B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,EAAE,IAAI,CAAC;QAAE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1D,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC;IACrB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;QAClB,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,kGAAkG;AAClG,MAAM,kBAAkB,GAAG,8DAA8D,CAAC;AAE1F,8EAA8E;AAC9E,oDAAoD;AACpD,8EAA8E;AAE9E,MAAM,YAAY,GAAG,2CAA2C,CAAC;AACjE,MAAM,kBAAkB,GAAG,+CAA+C,CAAC;AAY3E,MAAM,OAAO,eAAe;IACjB,IAAI,GAAG,cAAc,CAAC;IACtB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEpC,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACrB,OAAO,EAAE,gBAAgB,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,CAAC;QACrD,CAAC;QAED,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,EAAE,IAAI,EAAE,CAAC;QACxC,mEAAmE;QACnE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,IAAI,CAAC,CAAC,IAAI,KAAK,IAAI;gBAAE,SAAS;YAC9B,IAAI,CAAC,CAAC,OAAO,KAAK,sBAAsB,IAAI,CAAC,CAAC,OAAO,KAAK,8BAA8B,EAAE,CAAC;gBACzF,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QAED,IAAI,gBAAgB,GAAG,CAAC,CAAC;QACzB,IAAI,eAAe,GAAG,CAAC,CAAC;QAExB,6CAA6C;QAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1B,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;YACtB,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;gBACxC,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACvC,IAAI,CAAC,CAAC;oBAAE,SAAS;gBAEjB,MAAM,GAAG,GAAG,GAAG,OAAO,uBAAuB,CAAC;gBAC9C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAC5B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAEd,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,wBAAwB,IAAI,IAAI,OAAO,EAAE;oBAC7C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,sBAAsB;oBAC/B,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,OAAO,EAAE,yBAAyB,OAAO,CAAC,IAAI,WAAW;oBACzD,IAAI;oBACJ,IAAI,EAAE,OAAO;oBACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC1C,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;iBACnE,CAAC,CAAC;gBACH,gBAAgB,IAAI,CAAC,CAAC;gBACtB,sEAAsE;gBACtE,4DAA4D;gBAC5D,MAAM;YACR,CAAC;QACH,CAAC;QAED,oDAAoD;QACpD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1B,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;YAEtB,IAAI,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAC1C,IAAI,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAEhD,2DAA2D;YAC3D,iBAAiB,CAAC,SAAS,GAAG,CAAC,CAAC;YAChC,IAAI,KAA6B,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC3D,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACvB,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC;oBAAE,SAAS;gBACvC,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,QAAQ,CAAC;oBAAE,SAAS;gBAEvD,MAAM,GAAG,GAAG,GAAG,OAAO,+BAA+B,CAAC;gBACtD,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAC5B,kEAAkE;gBAClE,8CAA8C;gBAC9C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,OAAO,uBAAuB,CAAC;oBAAE,SAAS;gBAC1D,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAEd,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,gCAAgC,IAAI,IAAI,OAAO,EAAE;oBACrD,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,8BAA8B;oBACvC,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,SAAS;oBAChB,OAAO,EAAE,2DAA2D,KAAK,CAAC,MAAM,SAAS;oBACzF,IAAI;oBACJ,IAAI,EAAE,OAAO;oBACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC1C,GAAG,EAAE,0LAA0L;oBAC/L,QAAQ,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE;iBACpD,CAAC,CAAC;gBACH,eAAe,IAAI,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;QAED,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,CAAC;IAC/C,CAAC;IAED,mEAAmE;IAC3D,WAAW,CAAC,CAAS;QAC3B,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,IAAI,CAAC,CAAC,MAAM,GAAG,GAAG;YAAE,OAAO,KAAK,CAAC;QAClD,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QAC9D,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QAClC,IAAI,eAAe,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACrC,IAAI,aAAa,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACnC,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACzC,sEAAsE;QACtE,wCAAwC;QACxC,IAAI,mBAAmB,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACK,iBAAiB,CAAC,KAAa,EAAE,QAAgB;QACvD,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpC,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1D,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAC;QACxD,MAAM,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,CAAC,IAAI,SAAS,CAAC;IACxB,CAAC;CACF"}

package/dist/analyzer.d.ts

@@ -45,6 +45,7 @@
  *  38. MissingStreamPass       — whole-file read without streaming (performance)
  *  39. GodClassPass            — class with high WMC/LCOM2/CBO metrics (CWE-1060)
  *  40. NamingConventionPass    — class/method names violate language conventions
+ *  41. ScanSecretsPass         — hardcoded credentials: provider regexes + Shannon entropy (CWE-798)
  *
  * Removed from default pipeline (raw IR signals still available for circle-ir-ai):
  *  – MissingGuardDomPass  — false positives in framework-auth codebases (see pass file)

package/dist/analyzer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../src/analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmDG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,gBAAgB,EAA2B,eAAe,EAAe,MAAM,kBAAkB,CAAC;AAC1H,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAWL,KAAK,iBAAiB,EACvB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAKL,eAAe,EAChB,MAAM,qBAAqB,CAAC;AAgC7B,OAAO,EAAwB,KAAK,uBAAuB,EAAE,MAAM,8CAA8C,CAAC;AAKlH,OAAO,EAA2B,KAAK,0BAA0B,EAAE,MAAM,gDAAgD,CAAC;AAe1H,OAAO,EAAwB,KAAK,uBAAuB,EAAE,MAAM,6CAA6C,CAAC;AACjH,OAAO,EAAuB,KAAK,sBAAsB,EAA6B,MAAM,4CAA4C,CAAC;AAqBzI,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,UAAU,CAAC,EAAE,WAAW,CAAC,MAAM,CAAC;IAEhC;;OAEG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC,CAAC;IAE3D;;;OAGG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,iBAAiB,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;IAEzE;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,8CAA8C;IAC9C,gBAAgB,CAAC,EAAE,uBAAuB,CAAC;IAC3C,8CAA8C;IAC9C,gBAAgB,CAAC,EAAE,uBAAuB,CAAC;IAC3C,iDAAiD;IACjD,mBAAmB,CAAC,EAAE,0BAA0B,CAAC;IACjD,6CAA6C;IAC7C,eAAe,CAAC,EAAE,sBAAsB,CAAC;CAC1C;AAID;;GAEG;AACH,wBAAsB,YAAY,CAAC,OAAO,GAAE,eAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAc/E;AA4HD;;GAEG;AACH,wBAAsB,OAAO,CAC3B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,iBAAiB,EAC3B,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,QAAQ,CAAC,CA8HnB;AA6FD;;GAEG;AACH,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,iBAAiB,EAC3B,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,gBAAgB,CAAC,CAoG3B;AAkID;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAE/C;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,IAAI,CAEpC;AAMD;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,iBAAiB,CAAA;CAAE,CAAC,EAC7E,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,eAAe,CAAC,CAmE1B;AAsBD,OAAO,EAAE,eAAe,EAAE,CAAC"}
+{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../src/analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoDG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,gBAAgB,EAA2B,eAAe,EAAe,MAAM,kBAAkB,CAAC;AAC1H,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAYL,KAAK,iBAAiB,EACvB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAKL,eAAe,EAChB,MAAM,qBAAqB,CAAC;AAgC7B,OAAO,EAAwB,KAAK,uBAAuB,EAAE,MAAM,8CAA8C,CAAC;AAKlH,OAAO,EAA2B,KAAK,0BAA0B,EAAE,MAAM,gDAAgD,CAAC;AAe1H,OAAO,EAAwB,KAAK,uBAAuB,EAAE,MAAM,6CAA6C,CAAC;AACjH,OAAO,EAAuB,KAAK,sBAAsB,EAA6B,MAAM,4CAA4C,CAAC;AAsBzI,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,UAAU,CAAC,EAAE,WAAW,CAAC,MAAM,CAAC;IAEhC;;OAEG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC,CAAC;IAE3D;;;OAGG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,iBAAiB,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;IAEzE;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B;;OAEG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,8CAA8C;IAC9C,gBAAgB,CAAC,EAAE,uBAAuB,CAAC;IAC3C,8CAA8C;IAC9C,gBAAgB,CAAC,EAAE,uBAAuB,CAAC;IAC3C,iDAAiD;IACjD,mBAAmB,CAAC,EAAE,0BAA0B,CAAC;IACjD,6CAA6C;IAC7C,eAAe,CAAC,EAAE,sBAAsB,CAAC;CAC1C;AAID;;GAEG;AACH,wBAAsB,YAAY,CAAC,OAAO,GAAE,eAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAc/E;AA4HD;;GAEG;AACH,wBAAsB,OAAO,CAC3B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,iBAAiB,EAC3B,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,QAAQ,CAAC,CAwInB;AAiGD;;GAEG;AACH,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,iBAAiB,EAC3B,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,gBAAgB,CAAC,CAwG3B;AAkID;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAE/C;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,IAAI,CAEpC;AAMD;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,iBAAiB,CAAA;CAAE,CAAC,EAC7E,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,eAAe,CAAC,CAmE1B;AAsBD,OAAO,EAAE,eAAe,EAAE,CAAC"}