circle-ir 3.84.0 → 3.85.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/dist/analysis/passes/scan-secrets-pass.d.ts +12 -4
  2. package/dist/analysis/passes/scan-secrets-pass.d.ts.map +1 -1
  3. package/dist/analysis/passes/scan-secrets-pass.js +282 -46
  4. package/dist/analysis/passes/scan-secrets-pass.js.map +1 -1
  5. package/dist/browser/circle-ir.js +141 -10
  6. package/package.json +1 -1
package/dist/analysis/passes/scan-secrets-pass.d.ts CHANGED
@@ -50,10 +50,18 @@ export declare class ScanSecretsPass implements AnalysisPass<ScanSecretsPassResu
50
50
  /** Length + shape + denylist filter before entropy is computed. */
51
51
  private isCandidate;
52
52
  /**
53
- * Shannon-entropy gate. Base64-shaped strings need higher entropy than
54
- * hex-shaped (hex alphabet is 4 bits/char by construction). When the
55
- * surrounding line contains a credential-shaped variable name, both
56
- * thresholds drop by 0.2 bits/char.
53
+ * Shannon-entropy gate (#125 Gate 4 REQUIRED field-name match).
54
+ *
55
+ * The entropy layer emits ONLY when the enclosing assignment LHS
56
+ * identifier matches a credential keyword (password / secret / token /
57
+ * api_key / etc.). Without this requirement, the layer flagged every
58
+ * high-entropy string — attribution keys, base64 resource blobs, public
59
+ * encoding alphabets — as credentials. Provider patterns (Layer 1) and
60
+ * named-credential matcher (Layer 1b) remain the recall safety net for
61
+ * credentials that don't fit the `FIELD = "..."` shape.
62
+ *
63
+ * Base64-shaped strings need higher entropy than hex-shaped (hex alphabet
64
+ * is 4 bits/char by construction).
57
65
  */
58
66
  private passesEntropyGate;
59
67
  }
package/dist/analysis/passes/scan-secrets-pass.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"scan-secrets-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/scan-secrets-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAqQ9E,MAAM,WAAW,qBAAqB;IACpC,wEAAwE;IACxE,gBAAgB,EAAE,MAAM,CAAC;IACzB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,qBAAa,eAAgB,YAAW,YAAY,CAAC,qBAAqB,CAAC;IACzE,QAAQ,CAAC,IAAI,kBAAkB;IAC/B,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,qBAAqB;IAqI5C,mEAAmE;IACnE,OAAO,CAAC,WAAW;IAanB;;;;;OAKG;IACH,OAAO,CAAC,iBAAiB;CAO1B"}
1
+ {"version":3,"file":"scan-secrets-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/scan-secrets-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAoc9E,MAAM,WAAW,qBAAqB;IACpC,wEAAwE;IACxE,gBAAgB,EAAE,MAAM,CAAC;IACzB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,qBAAa,eAAgB,YAAW,YAAY,CAAC,qBAAqB,CAAC;IACzE,QAAQ,CAAC,IAAI,kBAAkB;IAC/B,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,qBAAqB;IAiK5C,mEAAmE;IACnE,OAAO,CAAC,WAAW;IAanB;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,iBAAiB;CAO1B"}
package/dist/analysis/passes/scan-secrets-pass.js CHANGED
@@ -46,6 +46,18 @@ const TEST_FILENAME_RE = /(?:\.(?:test|spec)\.[cm]?[jt]sx?|_test\.go|_test\.py|T
46
46
  function isTestFile(file) {
47
47
  return TEST_PATH_RE.test(file) || TEST_FILENAME_RE.test(file);
48
48
  }
49
+ // ---------------------------------------------------------------------------
50
+ // Generated-code skip heuristic (#125)
51
+ //
52
+ // Generated files routinely embed high-entropy attribution keys, provenance
53
+ // hashes, and embedded resource blobs that trip the entropy layer. Wholesale
54
+ // skip them, same as test files. Cognium-dev #125.
55
+ // ---------------------------------------------------------------------------
56
+ const GENERATED_PATH_RE = /(?:^|[\\/])(?:gen|generated|build[\\/]generated|src[\\/](?:main|test)[\\/]generated|target[\\/]generated-sources|target[\\/]generated-test-sources|node_modules[\\/]\.cache)(?:[\\/]|$)/i;
57
+ const GENERATED_FILENAME_RE = /__[ch]\.java$|\.pb\.go$|_pb2\.py$|\.generated\.[cm]?[jt]sx?$/i;
58
+ function isGeneratedFile(file) {
59
+ return GENERATED_PATH_RE.test(file) || GENERATED_FILENAME_RE.test(file);
60
+ }
49
61
  const PROVIDER_PATTERNS = [
50
62
  {
51
63
  name: 'AWS access key',
@@ -262,16 +274,201 @@ function shannonEntropy(s) {
262
274
  /** Words near the literal that imply credential context — used to lower the entropy threshold. */
263
275
  const CREDENTIAL_NAME_RE = /(?:key|secret|token|password|passwd|credential|api[_-]?key)/i;
264
276
  // ---------------------------------------------------------------------------
277
+ // Context-gate pre-scans (#125)
278
+ //
279
+ // The entropy layer alone fires on any high-entropy string. To kill the
280
+ // noise from generated attribution keys, embedded resource blobs, and
281
+ // public-spec constant tables, we layer three context-aware suppressions on
282
+ // top of the entropy gate: annotation-arg span, array-literal span, and
283
+ // enclosing field-name credential match.
284
+ //
285
+ // All three are regex-based (no AST), matching the existing pass design.
286
+ // ---------------------------------------------------------------------------
287
+ /**
288
+ * Pre-scan: return the set of 1-indexed line numbers that fall inside any
289
+ * `@Annotation( ... )` argument span (Java annotations, JS/TS decorators,
290
+ * Python decorators) or `#[...]` attribute span (Rust). String literals on
291
+ * suppressed lines are treated as annotation metadata, not credentials.
292
+ *
293
+ * Cognium-dev #125 Gate 1.
294
+ */
295
+ function findAnnotationLineRanges(code) {
296
+ const lines = code.split('\n');
297
+ const inAnnotation = new Set();
298
+ // Match `@SomeAnnotation(` (Java/TS/Python with optional `.qualifier`) OR `#[`.
299
+ const OPEN_RE = /(?:@[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*\s*\(|#\[)/g;
300
+ for (let i = 0; i < lines.length; i++) {
301
+ OPEN_RE.lastIndex = 0;
302
+ let m;
303
+ while ((m = OPEN_RE.exec(lines[i])) !== null) {
304
+ const isRustAttr = m[0].startsWith('#[');
305
+ const openCh = isRustAttr ? '[' : '(';
306
+ const closeCh = isRustAttr ? ']' : ')';
307
+ // Walk forward tracking paren/bracket depth, skipping inside string literals.
308
+ let depth = 1;
309
+ let li = i;
310
+ let col = m.index + m[0].length;
311
+ // Soft cap to avoid runaway on unmatched parens.
312
+ let lineBudget = 200;
313
+ inAnnotation.add(li + 1);
314
+ while (depth > 0 && li < lines.length && lineBudget > 0) {
315
+ const ln = lines[li];
316
+ let inStr = null;
317
+ while (col < ln.length && depth > 0) {
318
+ const ch = ln[col];
319
+ if (inStr !== null) {
320
+ if (ch === '\\') {
321
+ col += 2;
322
+ continue;
323
+ }
324
+ if (ch === inStr)
325
+ inStr = null;
326
+ }
327
+ else if (ch === '"' || ch === "'" || ch === '`') {
328
+ inStr = ch;
329
+ }
330
+ else if (ch === openCh) {
331
+ depth++;
332
+ }
333
+ else if (ch === closeCh) {
334
+ depth--;
335
+ }
336
+ col++;
337
+ }
338
+ if (depth > 0) {
339
+ li++;
340
+ col = 0;
341
+ lineBudget--;
342
+ if (li < lines.length)
343
+ inAnnotation.add(li + 1);
344
+ }
345
+ }
346
+ }
347
+ }
348
+ return inAnnotation;
349
+ }
350
+ /**
351
+ * Pre-scan: return the set of 1-indexed line numbers that fall inside any
352
+ * array/object literal containing ≥3 string-literal elements (constant
353
+ * data table). Catches the `String[] X = { "...", "...", "...", ... }`
354
+ * shape (Java) and `const X = ["...", "...", "..."]` shape (JS/TS/Python).
355
+ *
356
+ * Cognium-dev #125 Gate 3.
357
+ */
358
+ function findStringArrayLineRanges(code) {
359
+ const lines = code.split('\n');
360
+ const inArray = new Set();
361
+ // Match assignment opener to array/object literal: `= {`, `= [`.
362
+ const OPEN_RE = /=\s*([{\[])/g;
363
+ const STR_LITERAL_COUNT_RE = /(["'`])(?:\\.|(?!\1).)*\1/g;
364
+ for (let i = 0; i < lines.length; i++) {
365
+ OPEN_RE.lastIndex = 0;
366
+ let m;
367
+ while ((m = OPEN_RE.exec(lines[i])) !== null) {
368
+ const openCh = m[1];
369
+ const closeCh = openCh === '{' ? '}' : ']';
370
+ let depth = 1;
371
+ let li = i;
372
+ let col = m.index + m[0].length;
373
+ // #126 perf: tightened 500 → 100 as defense-in-depth. Any legitimate
374
+ // constant-table array fits well under 100 lines; pathological openers
375
+ // (unbalanced braces in generated/minified code) now bail faster.
376
+ let lineBudget = 100;
377
+ const spanLines = [li + 1];
378
+ let spanText = '';
379
+ while (depth > 0 && li < lines.length && lineBudget > 0) {
380
+ const ln = lines[li];
381
+ let inStr = null;
382
+ const start = col;
383
+ while (col < ln.length && depth > 0) {
384
+ const ch = ln[col];
385
+ if (inStr !== null) {
386
+ if (ch === '\\') {
387
+ col += 2;
388
+ continue;
389
+ }
390
+ if (ch === inStr)
391
+ inStr = null;
392
+ }
393
+ else if (ch === '"' || ch === "'" || ch === '`') {
394
+ inStr = ch;
395
+ }
396
+ else if (ch === openCh) {
397
+ depth++;
398
+ }
399
+ else if (ch === closeCh) {
400
+ depth--;
401
+ }
402
+ col++;
403
+ }
404
+ spanText += ln.substring(start, col) + '\n';
405
+ if (depth > 0) {
406
+ li++;
407
+ col = 0;
408
+ lineBudget--;
409
+ if (li < lines.length)
410
+ spanLines.push(li + 1);
411
+ }
412
+ }
413
+ // Count string literals inside the span; if ≥3, mark all span lines.
414
+ STR_LITERAL_COUNT_RE.lastIndex = 0;
415
+ let strCount = 0;
416
+ while (STR_LITERAL_COUNT_RE.exec(spanText) !== null) {
417
+ strCount++;
418
+ if (strCount >= 3)
419
+ break;
420
+ }
421
+ if (strCount >= 3) {
422
+ for (const ln of spanLines)
423
+ inArray.add(ln);
424
+ }
425
+ }
426
+ }
427
+ return inArray;
428
+ }
429
+ /**
430
+ * Per-literal field-name extractor (#125 Gate 4).
431
+ *
432
+ * Extracts the assignment LHS identifier preceding the quoted string on the
433
+ * given line. Returns null if the literal is not an assignment value
434
+ * (e.g. annotation arg, function call arg, return expression).
435
+ */
436
+ const FIELD_ASSIGN_RE = /(?:^|[\s,(])([A-Za-z_$][\w$]*)\s*[:=]\s*["'`]/;
437
+ function extractEnclosingFieldName(lineText) {
438
+ const m = FIELD_ASSIGN_RE.exec(lineText);
439
+ return m ? m[1] : null;
440
+ }
441
+ // ---------------------------------------------------------------------------
265
442
  // Per-line FP-guard substrings (entropy layer only)
266
443
  // ---------------------------------------------------------------------------
267
444
  const TEST_CALL_RE = /\b(?:expect|assert|describe|it|test)\s*\(/;
268
445
  const COMMENT_EXAMPLE_RE = /(?:\/\/|#)\s*(?:example|sample|test|fixture)/i;
446
+ // ---------------------------------------------------------------------------
447
+ // Cheap file-level entropy-candidate probe (#126 perf hotfix)
448
+ //
449
+ // 3.85.0 unconditionally ran the Gate 1 / Gate 3 span pre-scans on every
450
+ // file (after the test/generated-path skip). On string-constant-heavy Java
451
+ // repos (gson, Hystrix, openapi-generator) this caused 2.7×–17× slowdowns
452
+ // and 30-min timeouts because annotation walking compounded with the
453
+ // per-file cost while the entropy layer would never have fired anyway.
454
+ //
455
+ // FAST_CANDIDATE_PROBE_RE is a conservative pre-filter — it matches any
456
+ // quoted run of ≥32 base64-shape chars (a strict superset of every shape
457
+ // the entropy layer's `isCandidate()` accepts after the Gate 4 length
458
+ // floor). If the probe fails, the file cannot contain a single entropy
459
+ // candidate, so we skip the pre-scans AND the Layer 2 loop entirely.
460
+ //
461
+ // No recall loss: any literal that would have triggered the entropy layer
462
+ // is guaranteed to also match this probe. Verified by the gate-set tests
463
+ // in scan-secrets.test.ts.
464
+ // ---------------------------------------------------------------------------
465
+ const FAST_CANDIDATE_PROBE_RE = /["'`][A-Za-z0-9+/=_-]{32,}["'`]/;
269
466
  export class ScanSecretsPass {
270
467
  name = 'scan-secrets';
271
468
  category = 'security';
272
469
  run(ctx) {
273
470
  const file = ctx.graph.ir.meta.file;
274
- if (isTestFile(file)) {
471
+ if (isTestFile(file) || isGeneratedFile(file)) {
275
472
  return { providerFindings: 0, entropyFindings: 0 };
276
473
  }
277
474
  const lines = ctx.code.split('\n');
@@ -285,6 +482,24 @@ export class ScanSecretsPass {
285
482
  seen.add(`${f.line}:${f.rule_id}`);
286
483
  }
287
484
  }
485
+ // #126 perf hotfix: cheap probe to decide whether the entropy layer can
486
+ // fire at all. If the file has zero ≥32-char base64-shape literals, the
487
+ // entropy layer cannot produce any finding, so we skip the expensive
488
+ // Gate 1 / Gate 3 span pre-scans AND the Layer 2 loop entirely.
489
+ //
490
+ // Provider patterns (Layer 1) and named-credential matcher (Layer 1b)
491
+ // are unaffected — they run unconditionally below.
492
+ const hasEntropyCandidate = FAST_CANDIDATE_PROBE_RE.test(ctx.code);
493
+ // Pre-scan: line ranges to suppress in the entropy layer (#125 Gates 1 & 3).
494
+ // Provider patterns and named-credential layers are intentionally NOT gated
495
+ // by these — they retain full recall on real credential shapes.
496
+ // Only computed when the entropy layer has work to do.
497
+ const annotationLines = hasEntropyCandidate
498
+ ? findAnnotationLineRanges(ctx.code)
499
+ : new Set();
500
+ const arrayLines = hasEntropyCandidate
501
+ ? findStringArrayLineRanges(ctx.code)
502
+ : new Set();
288
503
  let providerFindings = 0;
289
504
  let entropyFindings = 0;
290
505
  // Layer 1: provider patterns (line-by-line).
@@ -352,48 +567,60 @@ export class ScanSecretsPass {
352
567
  providerFindings += 1;
353
568
  }
354
569
  // Layer 2: Shannon-entropy scan on string literals.
355
- for (let i = 0; i < lines.length; i++) {
356
- const lineText = lines[i];
357
- const lineNum = i + 1;
358
- if (TEST_CALL_RE.test(lineText))
359
- continue;
360
- if (COMMENT_EXAMPLE_RE.test(lineText))
361
- continue;
362
- // Reset regex state per line; STRING_LITERAL_RE is global.
363
- STRING_LITERAL_RE.lastIndex = 0;
364
- let match;
365
- while ((match = STRING_LITERAL_RE.exec(lineText)) !== null) {
366
- const value = match[2];
367
- if (!this.isCandidate(value))
570
+ // #126 perf hotfix: short-circuit if the cheap probe found no candidate.
571
+ if (hasEntropyCandidate)
572
+ for (let i = 0; i < lines.length; i++) {
573
+ const lineText = lines[i];
574
+ const lineNum = i + 1;
575
+ if (TEST_CALL_RE.test(lineText))
368
576
  continue;
369
- if (!this.passesEntropyGate(value, lineText))
577
+ if (COMMENT_EXAMPLE_RE.test(lineText))
370
578
  continue;
371
- const key = `${lineNum}:hardcoded-credential-entropy`;
372
- if (seen.has(key))
579
+ // #125 Gate 1: skip annotation-arg spans (e.g. `@Original(key="...")`).
580
+ if (annotationLines.has(lineNum))
373
581
  continue;
374
- // Also dedup against provider-pattern hits on the same line the
375
- // entropy branch is purely additive coverage.
376
- if (seen.has(`${lineNum}:hardcoded-credential`))
582
+ // #125 Gate 3: skip array/object literal spans with ≥3 string elements
583
+ // (constant data tables solar terms, encoding alphabets, etc.).
584
+ if (arrayLines.has(lineNum))
377
585
  continue;
378
- seen.add(key);
379
- ctx.addFinding({
380
- id: `hardcoded-credential-entropy-${file}-${lineNum}`,
381
- pass: this.name,
382
- category: this.category,
383
- rule_id: 'hardcoded-credential-entropy',
384
- cwe: 'CWE-798',
385
- severity: 'high',
386
- level: 'warning',
387
- message: `Possible hardcoded secret: high-entropy string literal (${value.length} chars)`,
388
- file,
389
- line: lineNum,
390
- snippet: lineText.trim().substring(0, 120),
391
- fix: 'If this is a credential, move it to environment / secrets manager. If it is sample data, add an `example` / `test` marker or disable this pass via `disabledPasses: [\'scan-secrets\']`.',
392
- evidence: { kind: 'entropy', length: value.length },
393
- });
394
- entropyFindings += 1;
586
+ // Reset regex state per line; STRING_LITERAL_RE is global.
587
+ STRING_LITERAL_RE.lastIndex = 0;
588
+ let match;
589
+ while ((match = STRING_LITERAL_RE.exec(lineText)) !== null) {
590
+ const value = match[2];
591
+ if (!this.isCandidate(value))
592
+ continue;
593
+ // #125 Gate 4 length floor: short high-entropy literals are too noisy.
594
+ if (value.length < 32)
595
+ continue;
596
+ if (!this.passesEntropyGate(value, lineText))
597
+ continue;
598
+ const key = `${lineNum}:hardcoded-credential-entropy`;
599
+ if (seen.has(key))
600
+ continue;
601
+ // Also dedup against provider-pattern hits on the same line — the
602
+ // entropy branch is purely additive coverage.
603
+ if (seen.has(`${lineNum}:hardcoded-credential`))
604
+ continue;
605
+ seen.add(key);
606
+ ctx.addFinding({
607
+ id: `hardcoded-credential-entropy-${file}-${lineNum}`,
608
+ pass: this.name,
609
+ category: this.category,
610
+ rule_id: 'hardcoded-credential-entropy',
611
+ cwe: 'CWE-798',
612
+ severity: 'high',
613
+ level: 'warning',
614
+ message: `Possible hardcoded secret: high-entropy string literal (${value.length} chars)`,
615
+ file,
616
+ line: lineNum,
617
+ snippet: lineText.trim().substring(0, 120),
618
+ fix: 'If this is a credential, move it to environment / secrets manager. If it is sample data, add an `example` / `test` marker or disable this pass via `disabledPasses: [\'scan-secrets\']`.',
619
+ evidence: { kind: 'entropy', length: value.length },
620
+ });
621
+ entropyFindings += 1;
622
+ }
395
623
  }
396
- }
397
624
  return { providerFindings, entropyFindings };
398
625
  }
399
626
  /** Length + shape + denylist filter before entropy is computed. */
@@ -417,17 +644,26 @@ export class ScanSecretsPass {
417
644
  return true;
418
645
  }
419
646
  /**
420
- * Shannon-entropy gate. Base64-shaped strings need higher entropy than
421
- * hex-shaped (hex alphabet is 4 bits/char by construction). When the
422
- * surrounding line contains a credential-shaped variable name, both
423
- * thresholds drop by 0.2 bits/char.
647
+ * Shannon-entropy gate (#125 Gate 4 REQUIRED field-name match).
648
+ *
649
+ * The entropy layer emits ONLY when the enclosing assignment LHS
650
+ * identifier matches a credential keyword (password / secret / token /
651
+ * api_key / etc.). Without this requirement, the layer flagged every
652
+ * high-entropy string — attribution keys, base64 resource blobs, public
653
+ * encoding alphabets — as credentials. Provider patterns (Layer 1) and
654
+ * named-credential matcher (Layer 1b) remain the recall safety net for
655
+ * credentials that don't fit the `FIELD = "..."` shape.
656
+ *
657
+ * Base64-shaped strings need higher entropy than hex-shaped (hex alphabet
658
+ * is 4 bits/char by construction).
424
659
  */
425
660
  passesEntropyGate(value, lineText) {
661
+ const fieldName = extractEnclosingFieldName(lineText);
662
+ if (fieldName === null || !CREDENTIAL_NAME_RE.test(fieldName))
663
+ return false;
426
664
  const isHex = HEXISH_RE.test(value);
427
- const boost = CREDENTIAL_NAME_RE.test(lineText) ? 0.2 : 0;
428
- const threshold = isHex ? (3.5 - boost) : (4.3 - boost);
429
- const h = shannonEntropy(value);
430
- return h >= threshold;
665
+ const threshold = isHex ? 3.3 : 4.1;
666
+ return shannonEntropy(value) >= threshold;
431
667
  }
432
668
  }
433
669
  //# sourceMappingURL=scan-secrets-pass.js.map
package/dist/analysis/passes/scan-secrets-pass.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"scan-secrets-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/scan-secrets-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAKH,8EAA8E;AAC9E,2BAA2B;AAC3B,8EAA8E;AAE9E,0EAA0E;AAC1E,MAAM,YAAY,GAAG,2FAA2F,CAAC;AACjH,MAAM,gBAAgB,GAAG,gFAAgF,CAAC;AAE1G,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAChE,CAAC;AAiBD,MAAM,iBAAiB,GAAsB;IAC3C;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,sBAAsB;QAC7B,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,sGAAsG;KAC5G;IACD;QACE,IAAI,EAAE,8BAA8B;QACpC,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,wGAAwG;KAC9G;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,kEAAkE;KACxE;IACD;QACE,IAAI,EAAE,6BAA6B;QACnC,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,kFAAkF;KACxF;IACD;QACE,IAAI,EAAE,+BAA+B;QACrC,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,oFAAoF;KAC1F;IACD;QACE,IAAI,EAAE,sBAAsB;QAC5B,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,2EAA2E;KACjF;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,KAAK,EAAE,8BAA8B;QACrC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,0FAA0F;KAChG;IACD;QACE,IAAI,EAAE,6BAA6B;QACnC,KAAK,EAAE,8BAA8B;QACrC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS;QAClC,GAAG,EAAE,oIAAoI;KAC1I;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,wBAAwB;QAC/B,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,0FAA0F;KAChG;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,KAAK,EAAE,+BAA+B;QACtC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,oEAAoE;KAC1E;IACD;QACE,IAAI,EAAE,aAAa;QACnB,KAAK,EAAE,kCAAkC;QACzC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,mDAAmD;KACzD;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,2BAA2B;QAClC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,+EAA+E;KACrF;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,sEAAsE;QAC7E,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,sGAAsG;KAC5G;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,KAAK,EAAE,6DAA6D;QACpE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,qIAAqI;KAC3I;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,iGAAiG;KACvG;CACF,CAAC;AAEF,8EAA8E;AAC9E,uCAAuC;AACvC,EAAE;AACF,6EAA6E;AAC7E,4EAA4E;AAC5E,4EAA4E;AAC5E,0DAA0D;AAC1D,2EAA2E;AAC3E,qEAAqE;AACrE,EAAE;AACF,0EAA0E;AAC1E,0EAA0E;AAC1E,0EAA0E;AAC1E,uEAAuE;AACvE,EAAE;AACF,aAAa;AACb,gEAAgE;AAChE,uCAAuC;AACvC,4EAA4E;AAC5E,sDAAsD;AACtD,0EAA0E;AAC1E,iFAAiF;AACjF,iEAAiE;AACjE,EAAE;AACF,qEAAqE;AACrE,8EAA8E;AAE9E,MAAM,eAAe,GACnB,8JAA8J,CAAC;AAEjK,MAAM,qBAAqB,GAAG,yDAAyD,CAAC;AACxF,MAAM,qBAAqB,GAAG,uCAAuC,CAAC;AACtE,MAAM,kBAAkB,GAAG,gCAAgC,CAAC;AAE5D,iGAAiG;AACjG,SAAS,4BAA4B,CAAC,IAAY;IAChD,sFAAsF;IACtF,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAClD,qEAAqE;IACrE,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAE/C,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IACtC,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACpB,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAClB,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAEnB,oEAAoE;IACpE,wEAAwE;IACxE,IAAI,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5C,IAAI,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnD,wCAAwC;IACxC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,6CAA6C;IAC7C,IAAI,aAAa,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEtC,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AACzB,CAAC;AAED,8EAA8E;AAC9E,6BAA6B;AAC7B,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,iBAAiB,GAAG,oCAAoC,CAAC;AAE/D,MAAM,YAAY,GAAG,qBAAqB,CAAC;AAC3C,MAAM,SAAS,GAAG,gBAAgB,CAAC;AACnC,MAAM,OAAO,GAAG,iEAAiE,CAAC;AAElF,MAAM,cAAc,GAClB,qOAAqO,CAAC;AAExO,4GAA4G;AAC5G,SAAS,eAAe,CAAC,CAAS;IAChC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IACnB,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IACnD,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,aAAa,CAAC,CAAS;IAC9B,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;IACvE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,0FAA0F;AAC1F,SAAS,eAAe,CAAC,CAAS;IAChC,mEAAmE;IACnE,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACtD,IAAI,CAAC;QACH,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,uFAAuF;AACvF,SAAS,mBAAmB,CAAC,CAAS;IACpC,MAAM,OAAO,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IACpC,OAAO,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,cAAc,CAAC,CAAS;IAC/B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,EAAE,IAAI,CAAC;QAAE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1D,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC;IACrB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;QAClB,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,kGAAkG;AAClG,MAAM,kBAAkB,GAAG,8DAA8D,CAAC;AAE1F,8EAA8E;AAC9E,oDAAoD;AACpD,8EAA8E;AAE9E,MAAM,YAAY,GAAG,2CAA2C,CAAC;AACjE,MAAM,kBAAkB,GAAG,+CAA+C,CAAC;AAY3E,MAAM,OAAO,eAAe;IACjB,IAAI,GAAG,cAAc,CAAC;IACtB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEpC,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACrB,OAAO,EAAE,gBAAgB,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,CAAC;QACrD,CAAC;QAED,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,EAAE,IAAI,EAAE,CAAC;QACxC,mEAAmE;QACnE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,IAAI,CAAC,CAAC,IAAI,KAAK,IAAI;gBAAE,SAAS;YAC9B,IAAI,CAAC,CAAC,OAAO,KAAK,sBAAsB,IAAI,CAAC,CAAC,OAAO,KAAK,8BAA8B,EAAE,CAAC;gBACzF,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QAED,IAAI,gBAAgB,GAAG,CAAC,CAAC;QACzB,IAAI,eAAe,GAAG,CAAC,CAAC;QAExB,6CAA6C;QAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1B,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;YACtB,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;gBACxC,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACvC,IAAI,CAAC,CAAC;oBAAE,SAAS;gBAEjB,MAAM,GAAG,GAAG,GAAG,OAAO,uBAAuB,CAAC;gBAC9C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAC5B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAEd,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,wBAAwB,IAAI,IAAI,OAAO,EAAE;oBAC7C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,sBAAsB;oBAC/B,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,OAAO,EAAE,yBAAyB,OAAO,CAAC,IAAI,WAAW;oBACzD,IAAI;oBACJ,IAAI,EAAE,OAAO;oBACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC1C,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;iBACnE,CAAC,CAAC;gBACH,gBAAgB,IAAI,CAAC,CAAC;gBACtB,sEAAsE;gBACtE,4DAA4D;gBAC5D,MAAM;YACR,CAAC;QACH,CAAC;QAED,kEAAkE;QAClE,2EAA2E;QAC3E,qEAAqE;QACrE,gEAAgE;QAChE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1B,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;YAEtB,MAAM,GAAG,GAAG,4BAA4B,CAAC,QAAQ,CAAC,CAAC;YACnD,IAAI,CAAC,GAAG;gBAAE,SAAS;YAEnB,MAAM,GAAG,GAAG,GAAG,OAAO,uBAAuB,CAAC;YAC9C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,SAAS;YAC5B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAEd,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,wBAAwB,IAAI,IAAI,OAAO,EAAE;gBAC7C,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,sBAAsB;gBAC/B,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE,2BAA2B,GAAG,CAAC,IAAI,6BAA6B;gBACzE,IAAI;gBACJ,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;gBAC1C,GAAG,EAAE,iHAAiH;gBACtH,QAAQ,EAAE,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE;aACvD,CAAC,CAAC;YACH,gBAAgB,IAAI,CAAC,CAAC;QACxB,CAAC;QAED,oDAAoD;QACpD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1B,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;YAEtB,IAAI,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAC1C,IAAI,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAEhD,2DAA2D;YAC3D,iBAAiB,CAAC,SAAS,GAAG,CAAC,CAAC;YAChC,IAAI,KAA6B,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC3D,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACvB,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC;oBAAE,SAAS;gBACvC,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,QAAQ,CAAC;oBAAE,SAAS;gBAEvD,MAAM,GAAG,GAAG,GAAG,OAAO,+BAA+B,CAAC;gBACtD,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAC5B,kEAAkE;gBAClE,8CAA8C;gBAC9C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,OAAO,uBAAuB,CAAC;oBAAE,SAAS;gBAC1D,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAEd,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,gCAAgC,IAAI,IAAI,OAAO,EAAE;oBACrD,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,8BAA8B;oBACvC,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,SAAS;oBAChB,OAAO,EAAE,2DAA2D,KAAK,CAAC,MAAM,SAAS;oBACzF,IAAI;oBACJ,IAAI,EAAE,OAAO;oBACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC1C,GAAG,EAAE,0LAA0L;oBAC/L,QAAQ,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE;iBACpD,CAAC,CAAC;gBACH,eAAe,IAAI,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;QAED,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,CAAC;IAC/C,CAAC;IAED,mEAAmE;IAC3D,WAAW,CAAC,CAAS;QAC3B,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,IAAI,CAAC,CAAC,MAAM,GAAG,GAAG;YAAE,OAAO,KAAK,CAAC;QAClD,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QAC9D,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QAClC,IAAI,eAAe,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACrC,IAAI,aAAa,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACnC,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACzC,sEAAsE;QACtE,wCAAwC;QACxC,IAAI,mBAAmB,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACK,iBAAiB,CAAC,KAAa,EAAE,QAAgB;QACvD,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpC,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1D,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,CAAC;QACxD,MAAM,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,CAAC,IAAI,SAAS,CAAC;IACxB,CAAC;CACF"}
1
+ {"version":3,"file":"scan-secrets-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/scan-secrets-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAKH,8EAA8E;AAC9E,2BAA2B;AAC3B,8EAA8E;AAE9E,0EAA0E;AAC1E,MAAM,YAAY,GAAG,2FAA2F,CAAC;AACjH,MAAM,gBAAgB,GAAG,gFAAgF,CAAC;AAE1G,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAChE,CAAC;AAED,8EAA8E;AAC9E,uCAAuC;AACvC,EAAE;AACF,4EAA4E;AAC5E,6EAA6E;AAC7E,mDAAmD;AACnD,8EAA8E;AAE9E,MAAM,iBAAiB,GACrB,0LAA0L,CAAC;AAC7L,MAAM,qBAAqB,GAAG,+DAA+D,CAAC;AAE9F,SAAS,eAAe,CAAC,IAAY;IACnC,OAAO,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1E,CAAC;AAiBD,MAAM,iBAAiB,GAAsB;IAC3C;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,sBAAsB;QAC7B,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,sGAAsG;KAC5G;IACD;QACE,IAAI,EAAE,8BAA8B;QACpC,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,wGAAwG;KAC9G;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,kEAAkE;KACxE;IACD;QACE,IAAI,EAAE,6BAA6B;QACnC,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,kFAAkF;KACxF;IACD;QACE,IAAI,EAAE,+BAA+B;QACrC,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,oFAAoF;KAC1F;IACD;QACE,IAAI,EAAE,sBAAsB;QAC5B,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,2EAA2E;KACjF;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,KAAK,EAAE,8BAA8B;QACrC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,0FAA0F;KAChG;IACD;QACE,IAAI,EAAE,6BAA6B;QACnC,KAAK,EAAE,8BAA8B;QACrC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS;QAClC,GAAG,EAAE,oIAAoI;KAC1I;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,wBAAwB;QAC/B,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,0FAA0F;KAChG;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,KAAK,EAAE,+BAA+B;QACtC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,oEAAoE;KAC1E;IACD;QACE,IAAI,EAAE,aAAa;QACnB,KAAK,EAAE,kCAAkC;QACzC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,mDAAmD;KACzD;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,2BAA2B;QAClC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,+EAA+E;KACrF;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,sEAAsE;QAC7E,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,sGAAsG;KAC5G;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,KAAK,EAAE,6DAA6D;QACpE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,qIAAqI;KAC3I;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;QACpC,GAAG,EAAE,iGAAiG;KACvG;CACF,CAAC;AAEF,8EAA8E;AAC9E,uCAAuC;AACvC,EAAE;AACF,6EAA6E;AAC7E,4EAA4E;AAC5E,4EAA4E;AAC5E,0DAA0D;AAC1D,2EAA2E;AAC3E,qEAAqE;AACrE,EAAE;AACF,0EAA0E;AAC1E,0EAA0E;AAC1E,0EAA0E;AAC1E,uEAAuE;AACvE,EAAE;AACF,aAAa;AACb,gEAAgE;AAChE,uCAAuC;AACvC,4EAA4E;AAC5E,sDAAsD;AACtD,0EAA0E;AAC1E,iFAAiF;AACjF,iEAAiE;AACjE,EAAE;AACF,qEAAqE;AACrE,8EAA8E;AAE9E,MAAM,eAAe,GACnB,8JAA8J,CAAC;AAEjK,MAAM,qBAAqB,GAAG,yDAAyD,CAAC;AACxF,MAAM,qBAAqB,GAAG,uCAAuC,CAAC;AACtE,MAAM,kBAAkB,GAAG,gCAAgC,CAAC;AAE5D,iGAAiG;AACjG,SAAS,4BAA4B,CAAC,IAAY;IAChD,sFAAsF;IACtF,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAClD,qEAAqE;IACrE,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAE/C,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IACtC,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACpB,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAClB,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAEnB,oEAAoE;IACpE,wEAAwE;IACxE,IAAI,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5C,IAAI,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnD,wCAAwC;IACxC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,6CAA6C;IAC7C,IAAI,aAAa,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEtC,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AACzB,CAAC;AAED,8EAA8E;AAC9E,6BAA6B;AAC7B,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,iBAAiB,GAAG,oCAAoC,CAAC;AAE/D,MAAM,YAAY,GAAG,qBAAqB,CAAC;AAC3C,MAAM,SAAS,GAAG,gBAAgB,CAAC;AACnC,MAAM,OAAO,GAAG,iEAAiE,CAAC;AAElF,MAAM,cAAc,GAClB,qOAAqO,CAAC;AAExO,4GAA4G;AAC5G,SAAS,eAAe,CAAC,CAAS;IAChC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IACnB,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IACnD,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,aAAa,CAAC,CAAS;IAC9B,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;IACvE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,0FAA0F;AAC1F,SAAS,eAAe,CAAC,CAAS;IAChC,mEAAmE;IACnE,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACtD,IAAI,CAAC;QACH,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,uFAAuF;AACvF,SAAS,mBAAmB,CAAC,CAAS;IACpC,MAAM,OAAO,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3B,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IACpC,OAAO,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,cAAc,CAAC,CAAS;IAC/B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,EAAE,IAAI,CAAC;QAAE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1D,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC;IACrB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;QAClB,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,kGAAkG;AAClG,MAAM,kBAAkB,GAAG,8DAA8D,CAAC;AAE1F,8EAA8E;AAC9E,gCAAgC;AAChC,EAAE;AACF,wEAAwE;AACxE,sEAAsE;AACtE,4EAA4E;AAC5E,wEAAwE;AACxE,yCAAyC;AACzC,EAAE;AACF,yEAAyE;AACzE,8EAA8E;AAE9E;;;;;;;GAOG;AACH,SAAS,wBAAwB,CAAC,IAAY;IAC5C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IACvC,gFAAgF;IAChF,MAAM,OAAO,GAAG,gDAAgD,CAAC;IACjE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QACtB,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC7C,MAAM,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;YACzC,MAAM,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;YACtC,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;YACvC,8EAA8E;YAC9E,IAAI,KAAK,GAAG,CAAC,CAAC;YACd,IAAI,EAAE,GAAG,CAAC,CAAC;YACX,IAAI,GAAG,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;YAChC,iDAAiD;YACjD,IAAI,UAAU,GAAG,GAAG,CAAC;YACrB,YAAY,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;YACzB,OAAO,KAAK,GAAG,CAAC,IAAI,EAAE,GAAG,KAAK,CAAC,MAAM,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;gBACxD,MAAM,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC;gBACrB,IAAI,KAAK,GAA2B,IAAI,CAAC;gBACzC,OAAO,GAAG,GAAG,EAAE,CAAC,MAAM,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;oBACpC,MAAM,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;oBACnB,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;wBACnB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;4BAAC,GAAG,IAAI,CAAC,CAAC;4BAAC,SAAS;wBAAC,CAAC;wBACxC,IAAI,EAAE,KAAK,KAAK;4BAAE,KAAK,GAAG,IAAI,CAAC;oBACjC,CAAC;yBAAM,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;wBAClD,KAAK,GAAG,EAAqB,CAAC;oBAChC,CAAC;yBAAM,IAAI,EAAE,KAAK,MAAM,EAAE,CAAC;wBACzB,KAAK,EAAE,CAAC;oBACV,CAAC;yBAAM,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;wBAC1B,KAAK,EAAE,CAAC;oBACV,CAAC;oBACD,GAAG,EAAE,CAAC;gBACR,CAAC;gBACD,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;oBACd,EAAE,EAAE,CAAC;oBACL,GAAG,GAAG,CAAC,CAAC;oBACR,UAAU,EAAE,CAAC;oBACb,IAAI,EAAE,GAAG,KAAK,CAAC,MAAM;wBAAE,YAAY,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;gBAClD,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,yBAAyB,CAAC,IAAY;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,iEAAiE;IACjE,MAAM,OAAO,GAAG,cAAc,CAAC;IAC/B,MAAM,oBAAoB,GAAG,4BAA4B,CAAC;IAC1D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QACtB,IAAI,CAAyB,CAAC;QAC9B,OAAO,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC7C,MAAM,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACpB,MAAM,OAAO,GAAG,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;YAC3C,IAAI,KAAK,GAAG,CAAC,CAAC;YACd,IAAI,EAAE,GAAG,CAAC,CAAC;YACX,IAAI,GAAG,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;YAChC,qEAAqE;YACrE,uEAAuE;YACvE,kEAAkE;YAClE,IAAI,UAAU,GAAG,GAAG,CAAC;YACrB,MAAM,SAAS,GAAa,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;YACrC,IAAI,QAAQ,GAAG,EAAE,CAAC;YAClB,OAAO,KAAK,GAAG,CAAC,IAAI,EAAE,GAAG,KAAK,CAAC,MAAM,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;gBACxD,MAAM,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC;gBACrB,IAAI,KAAK,GAA2B,IAAI,CAAC;gBACzC,MAAM,KAAK,GAAG,GAAG,CAAC;gBAClB,OAAO,GAAG,GAAG,EAAE,CAAC,MAAM,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;oBACpC,MAAM,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;oBACnB,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;wBACnB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;4BAAC,GAAG,IAAI,CAAC,CAAC;4BAAC,SAAS;wBAAC,CAAC;wBACxC,IAAI,EAAE,KAAK,KAAK;4BAAE,KAAK,GAAG,IAAI,CAAC;oBACjC,CAAC;yBAAM,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;wBAClD,KAAK,GAAG,EAAqB,CAAC;oBAChC,CAAC;yBAAM,IAAI,EAAE,KAAK,MAAM,EAAE,CAAC;wBACzB,KAAK,EAAE,CAAC;oBACV,CAAC;yBAAM,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;wBAC1B,KAAK,EAAE,CAAC;oBACV,CAAC;oBACD,GAAG,EAAE,CAAC;gBACR,CAAC;gBACD,QAAQ,IAAI,EAAE,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,GAAG,IAAI,CAAC;gBAC5C,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;oBACd,EAAE,EAAE,CAAC;oBACL,GAAG,GAAG,CAAC,CAAC;oBACR,UAAU,EAAE,CAAC;oBACb,IAAI,EAAE,GAAG,KAAK,CAAC,MAAM;wBAAE,SAAS,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;gBAChD,CAAC;YACH,CAAC;YACD,qEAAqE;YACrE,oBAAoB,CAAC,SAAS,GAAG,CAAC,CAAC;YACnC,IAAI,QAAQ,GAAG,CAAC,CAAC;YACjB,OAAO,oBAAoB,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,IAAI,EAAE,CAAC;gBACpD,QAAQ,EAAE,CAAC;gBACX,IAAI,QAAQ,IAAI,CAAC;oBAAE,MAAM;YAC3B,CAAC;YACD,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;gBAClB,KAAK,MAAM,EAAE,IAAI,SAAS;oBAAE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,eAAe,GACnB,+CAA+C,CAAC;AAElD,SAAS,yBAAyB,CAAC,QAAgB;IACjD,MAAM,CAAC,GAAG,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACzB,CAAC;AAED,8EAA8E;AAC9E,oDAAoD;AACpD,8EAA8E;AAE9E,MAAM,YAAY,GAAG,2CAA2C,CAAC;AACjE,MAAM,kBAAkB,GAAG,+CAA+C,CAAC;AAE3E,8EAA8E;AAC9E,8DAA8D;AAC9D,EAAE;AACF,yEAAyE;AACzE,2EAA2E;AAC3E,0EAA0E;AAC1E,qEAAqE;AACrE,uEAAuE;AACvE,EAAE;AACF,wEAAwE;AACxE,yEAAyE;AACzE,sEAAsE;AACtE,uEAAuE;AACvE,qEAAqE;AACrE,EAAE;AACF,0EAA0E;AAC1E,yEAAyE;AACzE,2BAA2B;AAC3B,8EAA8E;AAE9E,MAAM,uBAAuB,GAAG,iCAAiC,CAAC;AAYlE,MAAM,OAAO,eAAe;IACjB,IAAI,GAAG,cAAc,CAAC;IACtB,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEpC,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9C,OAAO,EAAE,gBAAgB,EAAE,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE,CAAC;QACrD,CAAC;QAED,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,EAAE,IAAI,EAAE,CAAC;QACxC,mEAAmE;QACnE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,IAAI,CAAC,CAAC,IAAI,KAAK,IAAI;gBAAE,SAAS;YAC9B,IAAI,CAAC,CAAC,OAAO,KAAK,sBAAsB,IAAI,CAAC,CAAC,OAAO,KAAK,8BAA8B,EAAE,CAAC;gBACzF,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QAED,wEAAwE;QACxE,wEAAwE;QACxE,qEAAqE;QACrE,gEAAgE;QAChE,EAAE;QACF,sEAAsE;QACtE,mDAAmD;QACnD,MAAM,mBAAmB,GAAG,uBAAuB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAEnE,6EAA6E;QAC7E,4EAA4E;QAC5E,gEAAgE;QAChE,uDAAuD;QACvD,MAAM,eAAe,GAAgB,mBAAmB;YACtD,CAAC,CAAC,wBAAwB,CAAC,GAAG,CAAC,IAAI,CAAC;YACpC,CAAC,CAAC,IAAI,GAAG,EAAU,CAAC;QACtB,MAAM,UAAU,GAAgB,mBAAmB;YACjD,CAAC,CAAC,yBAAyB,CAAC,GAAG,CAAC,IAAI,CAAC;YACrC,CAAC,CAAC,IAAI,GAAG,EAAU,CAAC;QAEtB,IAAI,gBAAgB,GAAG,CAAC,CAAC;QACzB,IAAI,eAAe,GAAG,CAAC,CAAC;QAExB,6CAA6C;QAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1B,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;YACtB,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;gBACxC,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACvC,IAAI,CAAC,CAAC;oBAAE,SAAS;gBAEjB,MAAM,GAAG,GAAG,GAAG,OAAO,uBAAuB,CAAC;gBAC9C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAC5B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAEd,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,wBAAwB,IAAI,IAAI,OAAO,EAAE;oBAC7C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,sBAAsB;oBAC/B,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,OAAO,EAAE,yBAAyB,OAAO,CAAC,IAAI,WAAW;oBACzD,IAAI;oBACJ,IAAI,EAAE,OAAO;oBACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC1C,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;iBACnE,CAAC,CAAC;gBACH,gBAAgB,IAAI,CAAC,CAAC;gBACtB,sEAAsE;gBACtE,4DAA4D;gBAC5D,MAAM;YACR,CAAC;QACH,CAAC;QAED,kEAAkE;QAClE,2EAA2E;QAC3E,qEAAqE;QACrE,gEAAgE;QAChE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1B,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;YAEtB,MAAM,GAAG,GAAG,4BAA4B,CAAC,QAAQ,CAAC,CAAC;YACnD,IAAI,CAAC,GAAG;gBAAE,SAAS;YAEnB,MAAM,GAAG,GAAG,GAAG,OAAO,uBAAuB,CAAC;YAC9C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,SAAS;YAC5B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAEd,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,wBAAwB,IAAI,IAAI,OAAO,EAAE;gBAC7C,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,sBAAsB;gBAC/B,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE,2BAA2B,GAAG,CAAC,IAAI,6BAA6B;gBACzE,IAAI;gBACJ,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;gBAC1C,GAAG,EAAE,iHAAiH;gBACtH,QAAQ,EAAE,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE;aACvD,CAAC,CAAC;YACH,gBAAgB,IAAI,CAAC,CAAC;QACxB,CAAC;QAED,oDAAoD;QACpD,yEAAyE;QACzE,IAAI,mBAAmB;YAAE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC/D,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAC1B,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;gBAEtB,IAAI,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBAC1C,IAAI,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBAChD,wEAAwE;gBACxE,IAAI,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC;oBAAE,SAAS;gBAC3C,uEAAuE;gBACvE,kEAAkE;gBAClE,IAAI,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC;oBAAE,SAAS;gBAEtC,2DAA2D;gBAC3D,iBAAiB,CAAC,SAAS,GAAG,CAAC,CAAC;gBAChC,IAAI,KAA6B,CAAC;gBAClC,OAAO,CAAC,KAAK,GAAG,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBAC3D,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACvB,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC;wBAAE,SAAS;oBACvC,uEAAuE;oBACvE,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE;wBAAE,SAAS;oBAChC,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,QAAQ,CAAC;wBAAE,SAAS;oBAEvD,MAAM,GAAG,GAAG,GAAG,OAAO,+BAA+B,CAAC;oBACtD,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;wBAAE,SAAS;oBAC5B,kEAAkE;oBAClE,8CAA8C;oBAC9C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,OAAO,uBAAuB,CAAC;wBAAE,SAAS;oBAC1D,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;oBAEd,GAAG,CAAC,UAAU,CAAC;wBACb,EAAE,EAAE,gCAAgC,IAAI,IAAI,OAAO,EAAE;wBACrD,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,OAAO,EAAE,8BAA8B;wBACvC,GAAG,EAAE,SAAS;wBACd,QAAQ,EAAE,MAAM;wBAChB,KAAK,EAAE,SAAS;wBAChB,OAAO,EAAE,2DAA2D,KAAK,CAAC,MAAM,SAAS;wBACzF,IAAI;wBACJ,IAAI,EAAE,OAAO;wBACb,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;wBAC1C,GAAG,EAAE,0LAA0L;wBAC/L,QAAQ,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE;qBACpD,CAAC,CAAC;oBACH,eAAe,IAAI,CAAC,CAAC;gBACvB,CAAC;YACH,CAAC;QAED,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,CAAC;IAC/C,CAAC;IAED,mEAAmE;IAC3D,WAAW,CAAC,CAAS;QAC3B,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,IAAI,CAAC,CAAC,MAAM,GAAG,GAAG;YAAE,OAAO,KAAK,CAAC;QAClD,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QAC9D,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QAClC,IAAI,eAAe,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACrC,IAAI,aAAa,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACnC,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACzC,sEAAsE;QACtE,wCAAwC;QACxC,IAAI,mBAAmB,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;;;;;OAaG;IACK,iBAAiB,CAAC,KAAa,EAAE,QAAgB;QACvD,MAAM,SAAS,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAC;QACtD,IAAI,SAAS,KAAK,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC;YAAE,OAAO,KAAK,CAAC;QAC5E,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpC,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;QACpC,OAAO,cAAc,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC;IAC5C,CAAC;CACF"}
package/dist/browser/circle-ir.js CHANGED
@@ -28845,6 +28845,11 @@ var TEST_FILENAME_RE = /(?:\.(?:test|spec)\.[cm]?[jt]sx?|_test\.go|_test\.py|Tes
28845
28845
  function isTestFile(file) {
28846
28846
  return TEST_PATH_RE3.test(file) || TEST_FILENAME_RE.test(file);
28847
28847
  }
28848
+ var GENERATED_PATH_RE = /(?:^|[\\/])(?:gen|generated|build[\\/]generated|src[\\/](?:main|test)[\\/]generated|target[\\/]generated-sources|target[\\/]generated-test-sources|node_modules[\\/]\.cache)(?:[\\/]|$)/i;
28849
+ var GENERATED_FILENAME_RE = /__[ch]\.java$|\.pb\.go$|_pb2\.py$|\.generated\.[cm]?[jt]sx?$/i;
28850
+ function isGeneratedFile(file) {
28851
+ return GENERATED_PATH_RE.test(file) || GENERATED_FILENAME_RE.test(file);
28852
+ }
28848
28853
  var PROVIDER_PATTERNS = [
28849
28854
  {
28850
28855
  name: "AWS access key",
@@ -29011,14 +29016,126 @@ function shannonEntropy(s) {
29011
29016
  return h;
29012
29017
  }
29013
29018
  var CREDENTIAL_NAME_RE = /(?:key|secret|token|password|passwd|credential|api[_-]?key)/i;
29019
+ function findAnnotationLineRanges(code) {
29020
+ const lines = code.split("\n");
29021
+ const inAnnotation = /* @__PURE__ */ new Set();
29022
+ const OPEN_RE = /(?:@[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*\s*\(|#\[)/g;
29023
+ for (let i2 = 0; i2 < lines.length; i2++) {
29024
+ OPEN_RE.lastIndex = 0;
29025
+ let m;
29026
+ while ((m = OPEN_RE.exec(lines[i2])) !== null) {
29027
+ const isRustAttr = m[0].startsWith("#[");
29028
+ const openCh = isRustAttr ? "[" : "(";
29029
+ const closeCh = isRustAttr ? "]" : ")";
29030
+ let depth = 1;
29031
+ let li = i2;
29032
+ let col = m.index + m[0].length;
29033
+ let lineBudget = 200;
29034
+ inAnnotation.add(li + 1);
29035
+ while (depth > 0 && li < lines.length && lineBudget > 0) {
29036
+ const ln = lines[li];
29037
+ let inStr = null;
29038
+ while (col < ln.length && depth > 0) {
29039
+ const ch = ln[col];
29040
+ if (inStr !== null) {
29041
+ if (ch === "\\") {
29042
+ col += 2;
29043
+ continue;
29044
+ }
29045
+ if (ch === inStr) inStr = null;
29046
+ } else if (ch === '"' || ch === "'" || ch === "`") {
29047
+ inStr = ch;
29048
+ } else if (ch === openCh) {
29049
+ depth++;
29050
+ } else if (ch === closeCh) {
29051
+ depth--;
29052
+ }
29053
+ col++;
29054
+ }
29055
+ if (depth > 0) {
29056
+ li++;
29057
+ col = 0;
29058
+ lineBudget--;
29059
+ if (li < lines.length) inAnnotation.add(li + 1);
29060
+ }
29061
+ }
29062
+ }
29063
+ }
29064
+ return inAnnotation;
29065
+ }
29066
+ function findStringArrayLineRanges(code) {
29067
+ const lines = code.split("\n");
29068
+ const inArray = /* @__PURE__ */ new Set();
29069
+ const OPEN_RE = /=\s*([{\[])/g;
29070
+ const STR_LITERAL_COUNT_RE = /(["'`])(?:\\.|(?!\1).)*\1/g;
29071
+ for (let i2 = 0; i2 < lines.length; i2++) {
29072
+ OPEN_RE.lastIndex = 0;
29073
+ let m;
29074
+ while ((m = OPEN_RE.exec(lines[i2])) !== null) {
29075
+ const openCh = m[1];
29076
+ const closeCh = openCh === "{" ? "}" : "]";
29077
+ let depth = 1;
29078
+ let li = i2;
29079
+ let col = m.index + m[0].length;
29080
+ let lineBudget = 100;
29081
+ const spanLines = [li + 1];
29082
+ let spanText = "";
29083
+ while (depth > 0 && li < lines.length && lineBudget > 0) {
29084
+ const ln = lines[li];
29085
+ let inStr = null;
29086
+ const start2 = col;
29087
+ while (col < ln.length && depth > 0) {
29088
+ const ch = ln[col];
29089
+ if (inStr !== null) {
29090
+ if (ch === "\\") {
29091
+ col += 2;
29092
+ continue;
29093
+ }
29094
+ if (ch === inStr) inStr = null;
29095
+ } else if (ch === '"' || ch === "'" || ch === "`") {
29096
+ inStr = ch;
29097
+ } else if (ch === openCh) {
29098
+ depth++;
29099
+ } else if (ch === closeCh) {
29100
+ depth--;
29101
+ }
29102
+ col++;
29103
+ }
29104
+ spanText += ln.substring(start2, col) + "\n";
29105
+ if (depth > 0) {
29106
+ li++;
29107
+ col = 0;
29108
+ lineBudget--;
29109
+ if (li < lines.length) spanLines.push(li + 1);
29110
+ }
29111
+ }
29112
+ STR_LITERAL_COUNT_RE.lastIndex = 0;
29113
+ let strCount = 0;
29114
+ while (STR_LITERAL_COUNT_RE.exec(spanText) !== null) {
29115
+ strCount++;
29116
+ if (strCount >= 3) break;
29117
+ }
29118
+ if (strCount >= 3) {
29119
+ for (const ln of spanLines) inArray.add(ln);
29120
+ }
29121
+ }
29122
+ }
29123
+ return inArray;
29124
+ }
29125
+ var FIELD_ASSIGN_RE = /(?:^|[\s,(])([A-Za-z_$][\w$]*)\s*[:=]\s*["'`]/;
29126
+ function extractEnclosingFieldName(lineText) {
29127
+ const m = FIELD_ASSIGN_RE.exec(lineText);
29128
+ return m ? m[1] : null;
29129
+ }
29014
29130
  var TEST_CALL_RE = /\b(?:expect|assert|describe|it|test)\s*\(/;
29015
29131
  var COMMENT_EXAMPLE_RE = /(?:\/\/|#)\s*(?:example|sample|test|fixture)/i;
29132
+ var FAST_CANDIDATE_PROBE_RE = /["'`][A-Za-z0-9+/=_-]{32,}["'`]/;
29016
29133
  var ScanSecretsPass = class {
29017
29134
  name = "scan-secrets";
29018
29135
  category = "security";
29019
29136
  run(ctx) {
29020
29137
  const file = ctx.graph.ir.meta.file;
29021
- if (isTestFile(file)) {
29138
+ if (isTestFile(file) || isGeneratedFile(file)) {
29022
29139
  return { providerFindings: 0, entropyFindings: 0 };
29023
29140
  }
29024
29141
  const lines = ctx.code.split("\n");
@@ -29030,6 +29147,9 @@ var ScanSecretsPass = class {
29030
29147
  seen.add(`${f.line}:${f.rule_id}`);
29031
29148
  }
29032
29149
  }
29150
+ const hasEntropyCandidate = FAST_CANDIDATE_PROBE_RE.test(ctx.code);
29151
+ const annotationLines = hasEntropyCandidate ? findAnnotationLineRanges(ctx.code) : /* @__PURE__ */ new Set();
29152
+ const arrayLines = hasEntropyCandidate ? findStringArrayLineRanges(ctx.code) : /* @__PURE__ */ new Set();
29033
29153
  let providerFindings = 0;
29034
29154
  let entropyFindings = 0;
29035
29155
  for (let i2 = 0; i2 < lines.length; i2++) {
@@ -29085,16 +29205,19 @@ var ScanSecretsPass = class {
29085
29205
  });
29086
29206
  providerFindings += 1;
29087
29207
  }
29088
- for (let i2 = 0; i2 < lines.length; i2++) {
29208
+ if (hasEntropyCandidate) for (let i2 = 0; i2 < lines.length; i2++) {
29089
29209
  const lineText = lines[i2];
29090
29210
  const lineNum = i2 + 1;
29091
29211
  if (TEST_CALL_RE.test(lineText)) continue;
29092
29212
  if (COMMENT_EXAMPLE_RE.test(lineText)) continue;
29213
+ if (annotationLines.has(lineNum)) continue;
29214
+ if (arrayLines.has(lineNum)) continue;
29093
29215
  STRING_LITERAL_RE.lastIndex = 0;
29094
29216
  let match;
29095
29217
  while ((match = STRING_LITERAL_RE.exec(lineText)) !== null) {
29096
29218
  const value = match[2];
29097
29219
  if (!this.isCandidate(value)) continue;
29220
+ if (value.length < 32) continue;
29098
29221
  if (!this.passesEntropyGate(value, lineText)) continue;
29099
29222
  const key = `${lineNum}:hardcoded-credential-entropy`;
29100
29223
  if (seen.has(key)) continue;
@@ -29132,17 +29255,25 @@ var ScanSecretsPass = class {
29132
29255
  return true;
29133
29256
  }
29134
29257
  /**
29135
- * Shannon-entropy gate. Base64-shaped strings need higher entropy than
29136
- * hex-shaped (hex alphabet is 4 bits/char by construction). When the
29137
- * surrounding line contains a credential-shaped variable name, both
29138
- * thresholds drop by 0.2 bits/char.
29258
+ * Shannon-entropy gate (#125 Gate 4 REQUIRED field-name match).
29259
+ *
29260
+ * The entropy layer emits ONLY when the enclosing assignment LHS
29261
+ * identifier matches a credential keyword (password / secret / token /
29262
+ * api_key / etc.). Without this requirement, the layer flagged every
29263
+ * high-entropy string — attribution keys, base64 resource blobs, public
29264
+ * encoding alphabets — as credentials. Provider patterns (Layer 1) and
29265
+ * named-credential matcher (Layer 1b) remain the recall safety net for
29266
+ * credentials that don't fit the `FIELD = "..."` shape.
29267
+ *
29268
+ * Base64-shaped strings need higher entropy than hex-shaped (hex alphabet
29269
+ * is 4 bits/char by construction).
29139
29270
  */
29140
29271
  passesEntropyGate(value, lineText) {
29272
+ const fieldName = extractEnclosingFieldName(lineText);
29273
+ if (fieldName === null || !CREDENTIAL_NAME_RE.test(fieldName)) return false;
29141
29274
  const isHex = HEXISH_RE.test(value);
29142
- const boost = CREDENTIAL_NAME_RE.test(lineText) ? 0.2 : 0;
29143
- const threshold = isHex ? 3.5 - boost : 4.3 - boost;
29144
- const h = shannonEntropy(value);
29145
- return h >= threshold;
29275
+ const threshold = isHex ? 3.3 : 4.1;
29276
+ return shannonEntropy(value) >= threshold;
29146
29277
  }
29147
29278
  };
29148
29279
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "circle-ir",
3
- "version": "3.84.0",
3
+ "version": "3.85.1",
4
4
  "description": "High-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis",
5
5
  "main": "dist/index.js",
6
6
  "module": "dist/index.js",