circle-ir 3.9.10 → 3.12.0

package/README.md

@@ -1,13 +1,14 @@
 # circle-ir
 
-A high-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis, and code quality findings through an extensible analysis-pass pipeline. Works in Node.js and browsers.
+A high-performance Static Application Security Testing (SAST) library for detecting security vulnerabilities through taint analysis, and code quality findings through an extensible 36-pass analysis pipeline. Works in Node.js and browsers.
 
 ## Features
 
 - **Taint Analysis**: Track data flow from sources (user input) to sinks (dangerous operations)
 - **Multi-language Support**: Java, JavaScript/TypeScript, Python, Rust, Bash/Shell
 - **High Accuracy**: 100% on OWASP Benchmark, 100% on Juliet Test Suite, 97.7% TPR on SecuriBench Micro
-- **11-Pass Pipeline**: Security taint passes + quality passes (dead code, missing await, N+1, doc coverage, TODO markers)
+- **36-Pass Pipeline**: 19 security taint passes + 17 reliability/performance/maintainability/architecture quality passes
+- **Metrics Engine**: 24 software quality metrics (cyclomatic complexity, Halstead, CBO, RFC, LCOM, DIT, and 4 composite scores)
 - **Cross-File Analysis**: `analyzeProject()` surfaces taint flows that span multiple files
 - **Universal**: Works in Node.js and browsers with environment-agnostic core
 - **Zero External Dependencies**: Core analysis runs without network calls or external services
@@ -40,12 +41,20 @@ for (const flow of result.taint.flows || []) {
   console.log(`  Sink: line ${flow.sink_line}`);
 }
 
-// Quality findings from analysis passes (dead-code, missing-await, n-plus-one, etc.)
+// Quality findings from all 36 analysis passes
 for (const finding of result.findings || []) {
   console.log(`[${finding.severity}] ${finding.rule_id} at line ${finding.line}`);
   console.log(`  ${finding.message}`);
   if (finding.fix) console.log(`  Fix: ${finding.fix}`);
 }
+
+// Software quality metrics
+const m = result.metrics;
+if (m) {
+  console.log(`Cyclomatic complexity: ${m.cyclomatic_complexity}`);
+  console.log(`Maintainability index: ${m.maintainability_index}`);
+  console.log(`CBO (coupling):        ${m.CBO}`);
+}
 ```
 
 ### Browser
@@ -101,7 +110,8 @@ result.dfg        // Data flow graph
 result.taint      // Taint sources, sinks, flows
 result.imports    // Import statements
 result.exports    // Exported symbols
-result.findings   // SastFinding[] from all 11 analysis passes
+result.findings   // SastFinding[] from all 36 analysis passes
+result.metrics    // FileMetrics — 24 software quality metrics (always populated)
 ```
 
 ### `analyzeProject(files, options?)`
@@ -181,20 +191,29 @@ const pyResult = await analyze(pyCode, 'app.py', 'python');
 const rsResult = await analyze(rsCode, 'main.rs', 'rust');
 ```
 
-## Detected Vulnerabilities
-
-| Type | CWE | Description |
-|------|-----|-------------|
-| SQL Injection | CWE-89 | User input in SQL queries |
-| Command Injection | CWE-78 | User input in system commands |
-| XSS | CWE-79 | User input in HTML output |
-| Path Traversal | CWE-22 | User input in file paths |
-| LDAP Injection | CWE-90 | User input in LDAP queries |
-| XPath Injection | CWE-643 | User input in XPath queries |
-| Deserialization | CWE-502 | Untrusted deserialization |
-| SSRF | CWE-918 | Server-side request forgery |
-| Code Injection | CWE-94 | Dynamic code execution |
-| XXE | CWE-611 | XML external entity injection |
+## Detected Security Vulnerabilities
+
+| Type | CWE | Severity | Description |
+|------|-----|----------|-------------|
+| SQL Injection | CWE-89 | Critical | User input in SQL queries |
+| Command Injection | CWE-78 | Critical | User input in system commands |
+| Deserialization | CWE-502 | Critical | Untrusted deserialization |
+| XXE | CWE-611 | Critical | XML external entity injection |
+| Code Injection | CWE-94 | Critical | Dynamic code execution |
+| XSS | CWE-79 | High | User input in HTML output |
+| Path Traversal | CWE-22 | High | User input in file paths |
+| SSRF | CWE-918 | High | Server-side request forgery |
+| LDAP Injection | CWE-90 | High | User input in LDAP queries |
+| XPath Injection | CWE-643 | High | User input in XPath queries |
+| NoSQL Injection | CWE-943 | High | User input in NoSQL queries |
+| Open Redirect | CWE-601 | Medium | User controls redirect destination |
+| Log Injection | CWE-117 | Medium | User input in logs |
+| Trust Boundary | CWE-501 | Medium | Data crosses trust boundary |
+| External Taint | CWE-668 | Medium | External input reaches sensitive sink |
+| Weak Random | CWE-330 | Low | Weak random number generator |
+| Weak Hash | CWE-327 | Low | Weak hashing algorithm |
+| Weak Crypto | CWE-327 | Low | Weak cryptographic algorithm |
+| Insecure Cookie | CWE-614 | Low | Cookie without Secure/HttpOnly flags |
 
 ## Configuration
 
@@ -212,7 +231,7 @@ sources:
 
 ## SAST Findings & Quality Passes
 
-The 11-pass pipeline emits `SastFinding[]` via `result.findings`. Each finding is SARIF 2.1.0-aligned:
+The 36-pass pipeline emits `SastFinding[]` via `result.findings`. Each finding is SARIF 2.1.0-aligned:
 
 ```typescript
 interface SastFinding {
@@ -230,21 +249,57 @@ interface SastFinding {
 }
 ```
 
-**Current passes** (see [docs/PASSES.md](docs/PASSES.md) for the full registry):
-
-| Pass | rule_id | Category | CWE | Level |
-|------|---------|----------|-----|-------|
-| TaintMatcherPass | _(produces flows)_ | security | — | error |
-| ConstantPropagationPass | _(reduces FP)_ | security | — | — |
-| LanguageSourcesPass | _(enriches sources)_ | security | — | — |
-| SinkFilterPass | _(filters sinks)_ | security | — | — |
-| TaintPropagationPass | _(propagates taint)_ | security | — | error |
-| InterproceduralPass | _(cross-method)_ | security | — | error |
-| DeadCodePass | `dead-code` | reliability | CWE-561 | warning |
-| MissingAwaitPass | `missing-await` | reliability | CWE-252 | warning |
-| NPlusOnePass | `n-plus-one` | performance | CWE-1049 | warning |
-| MissingPublicDocPass | `missing-public-doc` | maintainability | — | note |
-| TodoInProdPass | `todo-in-prod` | maintainability | — | note |
+**Pass categories** (see [docs/PASSES.md](docs/PASSES.md) for the full registry with all 36 rule IDs and CWEs):
+
+| Category | Passes | Example rule_ids |
+|----------|--------|-----------------|
+| `security` (19) | Taint matching, propagation, inter-procedural | _(produces `taint.flows`)_ |
+| `reliability` (16) | Resource management, control flow, exception handling | `null-deref`, `resource-leak`, `infinite-loop`, `double-close`, `use-after-close`, `missing-guard-dom`, `cleanup-verify`, `unhandled-exception`, `broad-catch`, `swallowed-exception` |
+| `performance` (5) | Loop efficiency, async patterns | `n-plus-one`, `redundant-loop-computation`, `unbounded-collection`, `serial-await`, `react-inline-jsx` |
+| `maintainability` (3) | Documentation, markers | `missing-public-doc`, `todo-in-prod`, `stale-doc-ref` |
+| `architecture` (6) | Coupling, inheritance, interface contracts | `circular-dependency`, `orphan-module`, `dependency-fan-out`, `deep-inheritance`, `missing-override`, `unused-interface-method` |
+
+## Metrics Engine
+
+`result.metrics` is always populated with 24 software quality metrics:
+
+```typescript
+interface FileMetrics {
+  // Complexity
+  cyclomatic_complexity: number;  // v(G) per method average
+  WMC: number;                    // Weighted methods per class
+  halstead_volume: number;        // Halstead volume
+  halstead_difficulty: number;
+  halstead_effort: number;
+  halstead_bugs: number;
+
+  // Size
+  LOC: number;                    // Lines of code
+  NLOC: number;                   // Non-blank lines
+  comment_density: number;        // Comment lines / total lines
+  function_count: number;
+
+  // Coupling
+  CBO: number;                    // Coupling between objects
+  RFC: number;                    // Response for a class
+
+  // Inheritance
+  DIT: number;                    // Depth of inheritance tree
+  NOC: number;                    // Number of children
+
+  // Cohesion
+  LCOM: number;                   // Lack of cohesion in methods
+
+  // Documentation
+  doc_coverage: number;           // Fraction of public APIs documented
+
+  // Composite scores (0–100)
+  maintainability_index: number;
+  code_quality_index: number;
+  bug_hotspot_score: number;
+  refactoring_roi: number;
+}
+```
 
 ## Key Analysis Features
 
@@ -253,6 +308,9 @@ interface SastFinding {
 - **Inter-Procedural Analysis**: Tracks taint across method boundaries
 - **Sanitizer Recognition**: Detects PreparedStatement, ESAPI, escapeHtml, and other sanitizers
 - **Collection Tracking**: Precise taint tracking through List/Map operations with index shifting
+- **Dominator Tree Analysis**: Powers `missing-guard-dom` (CWE-285) and `cleanup-verify` (CWE-772) via post-dominator computation
+- **TypeHierarchy Resolution**: `PreparedStatement.executeQuery()` matches `Statement`-level sink configs — no duplicate config entries needed
+- **Exception Flow Graph**: Tracks try/catch structure for `unhandled-exception`, `broad-catch`, `swallowed-exception`
 
 ## Benchmark Results
 

package/dist/analysis/passes/cleanup-verify-pass.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Pass: cleanup-verify (#54, CWE-772)
+ *
+ * Detects resources that have a close() call but that close() does not
+ * post-dominate the acquisition point — meaning some control-flow paths
+ * skip the cleanup entirely.
+ *
+ * Detection strategy:
+ *   1. Find resource-opening calls (same set as ResourceLeakPass).
+ *   2. Locate the corresponding close() call within the enclosing method.
+ *   3. Build a post-dominator graph by reversing all CFG edges and computing
+ *      a DominatorGraph from the exit block.
+ *   4. If close() block does NOT post-dominate the open block → emit finding.
+ *
+ * Languages: Java, Python, JavaScript/TypeScript.
+ * Skips: Rust (RAII guarantees cleanup), Bash.
+ *
+ * Note: complements ResourceLeakPass, which handles the no-close() case.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface CleanupVerifyResult {
+    findings: number;
+}
+export declare class CleanupVerifyPass implements AnalysisPass<CleanupVerifyResult> {
+    readonly name = "cleanup-verify";
+    readonly category: "reliability";
+    run(ctx: PassContext): CleanupVerifyResult;
+}

package/dist/analysis/passes/cleanup-verify-pass.js

@@ -0,0 +1,130 @@
+/**
+ * Pass: cleanup-verify (#54, CWE-772)
+ *
+ * Detects resources that have a close() call but that close() does not
+ * post-dominate the acquisition point — meaning some control-flow paths
+ * skip the cleanup entirely.
+ *
+ * Detection strategy:
+ *   1. Find resource-opening calls (same set as ResourceLeakPass).
+ *   2. Locate the corresponding close() call within the enclosing method.
+ *   3. Build a post-dominator graph by reversing all CFG edges and computing
+ *      a DominatorGraph from the exit block.
+ *   4. If close() block does NOT post-dominate the open block → emit finding.
+ *
+ * Languages: Java, Python, JavaScript/TypeScript.
+ * Skips: Rust (RAII guarantees cleanup), Bash.
+ *
+ * Note: complements ResourceLeakPass, which handles the no-close() case.
+ */
+import { DominatorGraph } from '../../graph/dominator-graph.js';
+/** Resource-opening constructors (same set as ResourceLeakPass). */
+const RESOURCE_CTORS = new Set([
+    'FileInputStream', 'FileOutputStream', 'FileReader', 'FileWriter',
+    'BufferedReader', 'BufferedWriter', 'PrintWriter', 'InputStreamReader',
+    'OutputStreamWriter', 'RandomAccessFile', 'DataInputStream', 'DataOutputStream',
+    'ObjectInputStream', 'ObjectOutputStream', 'ZipInputStream', 'ZipOutputStream',
+    'JarInputStream', 'JarOutputStream', 'GZIPInputStream', 'GZIPOutputStream',
+    'FileChannel', 'Socket', 'ServerSocket', 'DatagramSocket',
+]);
+/** Factory / open methods that return closeable resources. */
+const RESOURCE_FACTORY_METHODS = new Set([
+    'openConnection', 'openStream', 'newInputStream', 'newOutputStream',
+    'newBufferedReader', 'newBufferedWriter', 'newByteChannel',
+    'open', 'createReadStream', 'createWriteStream', 'createConnection',
+]);
+/** Methods that release a resource. */
+const CLOSE_METHODS = new Set([
+    'close', 'dispose', 'shutdown', 'disconnect', 'release', 'destroy', 'free',
+    'shutdownNow', 'terminate',
+]);
+/**
+ * Build a post-dominator graph by reversing all CFG edges and running
+ * the dominator algorithm from the exit block.
+ * `postDom.dominates(A, B)` means "A post-dominates B in the original CFG".
+ */
+function buildPostDomGraph(cfg) {
+    const exitBlock = cfg.blocks.find(b => b.type === 'exit') ??
+        cfg.blocks.find(b => !cfg.edges.some(e => e.from === b.id));
+    if (!exitBlock || cfg.blocks.length === 0) {
+        return new DominatorGraph({ blocks: [], edges: [] });
+    }
+    const reversed = {
+        blocks: cfg.blocks,
+        edges: cfg.edges.map(e => ({ from: e.to, to: e.from, type: e.type })),
+    };
+    return new DominatorGraph(reversed, exitBlock.id);
+}
+export class CleanupVerifyPass {
+    name = 'cleanup-verify';
+    category = 'reliability';
+    run(ctx) {
+        const { graph, language } = ctx;
+        // Rust RAII guarantees cleanup; Bash has no structured resource model
+        if (language === 'rust' || language === 'bash')
+            return { findings: 0 };
+        const { cfg, calls } = graph.ir;
+        const file = graph.ir.meta.file;
+        if (cfg.blocks.length === 0)
+            return { findings: 0 };
+        const postDom = buildPostDomGraph(cfg);
+        const blockContainingLine = (line) => cfg.blocks.find(b => b.start_line <= line && line <= b.end_line) ?? null;
+        let count = 0;
+        for (const call of calls) {
+            const name = call.method_name;
+            const isConstructor = call.is_constructor === true && RESOURCE_CTORS.has(name);
+            const isFactory = !call.is_constructor && RESOURCE_FACTORY_METHODS.has(name);
+            if (!isConstructor && !isFactory)
+                continue;
+            const openLine = call.location.line;
+            // Resource must be captured in a variable to be trackable
+            const defs = graph.defsAtLine(openLine);
+            if (defs.length === 0)
+                continue;
+            const resourceVar = defs[0].variable;
+            const methodInfo = graph.methodAtLine(openLine);
+            if (!methodInfo)
+                continue;
+            const methodEnd = methodInfo.method.end_line;
+            // Find the first close() call for this resource within the enclosing method
+            const closeCall = calls.find(c => CLOSE_METHODS.has(c.method_name) &&
+                c.receiver === resourceVar &&
+                c.location.line > openLine &&
+                c.location.line <= methodEnd);
+            // ResourceLeakPass handles the no-close() case; we only care about
+            // close() calls that may be skipped on some paths
+            if (!closeCall)
+                continue;
+            const openBlock = blockContainingLine(openLine);
+            const closeBlock = blockContainingLine(closeCall.location.line);
+            if (!openBlock || !closeBlock)
+                continue;
+            // If close post-dominates open, cleanup is guaranteed on every exit path
+            if (postDom.dominates(closeBlock.id, openBlock.id))
+                continue;
+            count++;
+            ctx.addFinding({
+                id: `cleanup-verify-${file}-${openLine}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: 'cleanup-verify',
+                cwe: 'CWE-772',
+                severity: 'medium',
+                level: 'warning',
+                message: `Resource \`${resourceVar}\` opened at line ${openLine} may not close on all ` +
+                    `paths — close() at line ${closeCall.location.line} does not post-dominate ` +
+                    `the acquisition`,
+                file,
+                line: openLine,
+                fix: 'Use try-with-resources (Java) or a finally block to guarantee cleanup on all paths',
+                evidence: {
+                    resource: name,
+                    variable: resourceVar,
+                    close_line: closeCall.location.line,
+                },
+            });
+        }
+        return { findings: count };
+    }
+}
+//# sourceMappingURL=cleanup-verify-pass.js.map

package/dist/analysis/passes/cleanup-verify-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cleanup-verify-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/cleanup-verify-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AAGhE,oEAAoE;AACpE,MAAM,cAAc,GAAwB,IAAI,GAAG,CAAC;IAClD,iBAAiB,EAAE,kBAAkB,EAAE,YAAY,EAAE,YAAY;IACjE,gBAAgB,EAAE,gBAAgB,EAAE,aAAa,EAAE,mBAAmB;IACtE,oBAAoB,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,kBAAkB;IAC/E,mBAAmB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,iBAAiB;IAC9E,gBAAgB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,kBAAkB;IAC1E,aAAa,EAAE,QAAQ,EAAE,cAAc,EAAE,gBAAgB;CAC1D,CAAC,CAAC;AAEH,8DAA8D;AAC9D,MAAM,wBAAwB,GAAwB,IAAI,GAAG,CAAC;IAC5D,gBAAgB,EAAE,YAAY,EAAE,gBAAgB,EAAE,iBAAiB;IACnE,mBAAmB,EAAE,mBAAmB,EAAE,gBAAgB;IAC1D,MAAM,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,kBAAkB;CACpE,CAAC,CAAC;AAEH,uCAAuC;AACvC,MAAM,aAAa,GAAwB,IAAI,GAAG,CAAC;IACjD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM;IAC1E,aAAa,EAAE,WAAW;CAC3B,CAAC,CAAC;AAEH;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,GAAQ;IACjC,MAAM,SAAS,GACb,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;QACvC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAE9D,IAAI,CAAC,SAAS,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1C,OAAO,IAAI,cAAc,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,QAAQ,GAAQ;QACpB,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;KACtE,CAAC;IAEF,OAAO,IAAI,cAAc,CAAC,QAAQ,EAAE,SAAS,CAAC,EAAE,CAAC,CAAC;AACpD,CAAC;AAMD,MAAM,OAAO,iBAAiB;IACnB,IAAI,GAAG,gBAAgB,CAAC;IACxB,QAAQ,GAAG,aAAsB,CAAC;IAE3C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEhC,sEAAsE;QACtE,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,MAAM;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAEvE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEhC,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAEpD,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAEvC,MAAM,mBAAmB,GAAG,CAAC,IAAY,EAAE,EAAE,CAC3C,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,IAAI,IAAI,IAAI,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;QAE3E,IAAI,KAAK,GAAG,CAAC,CAAC;QAEd,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC;YAC9B,MAAM,aAAa,GAAG,IAAI,CAAC,cAAc,KAAK,IAAI,IAAI,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC/E,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,cAAc,IAAI,wBAAwB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC7E,IAAI,CAAC,aAAa,IAAI,CAAC,SAAS;gBAAE,SAAS;YAE3C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAEpC,0DAA0D;YAC1D,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACxC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAChC,MAAM,WAAW,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;YAErC,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YAChD,IAAI,CAAC,UAAU;gBAAE,SAAS;YAC1B,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC;YAE7C,4EAA4E;YAC5E,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAC1B,CAAC,CAAC,EAAE,CACF,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC;gBAChC,CAAC,CAAC,QAAQ,KAAK,WAAW;gBAC1B,CAAC,CAAC,QAAQ,CAAC,IAAI,GAAG,QAAQ;gBAC1B,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,SAAS,CAC/B,CAAC;YAEF,mEAAmE;YACnE,kDAAkD;YAClD,IAAI,CAAC,SAAS;gBAAE,SAAS;YAEzB,MAAM,SAAS,GAAI,mBAAmB,CAAC,QAAQ,CAAC,CAAC;YACjD,MAAM,UAAU,GAAG,mBAAmB,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAChE,IAAI,CAAC,SAAS,IAAI,CAAC,UAAU;gBAAE,SAAS;YAExC,yEAAyE;YACzE,IAAI,OAAO,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,EAAE,SAAS,CAAC,EAAE,CAAC;gBAAE,SAAS;YAE7D,KAAK,EAAE,CAAC;YACR,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,kBAAkB,IAAI,IAAI,QAAQ,EAAE;gBACxC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,gBAAgB;gBACzB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,cAAc,WAAW,qBAAqB,QAAQ,wBAAwB;oBAC9E,2BAA2B,SAAS,CAAC,QAAQ,CAAC,IAAI,0BAA0B;oBAC5E,iBAAiB;gBACnB,IAAI;gBACJ,IAAI,EAAE,QAAQ;gBACd,GAAG,EAAE,oFAAoF;gBACzF,QAAQ,EAAE;oBACR,QAAQ,EAAE,IAAI;oBACd,QAAQ,EAAE,WAAW;oBACrB,UAAU,EAAE,SAAS,CAAC,QAAQ,CAAC,IAAI;iBACpC;aACF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAC7B,CAAC;CACF"}

package/dist/analysis/passes/missing-guard-dom-pass.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Pass: missing-guard-dom (#53, CWE-285)
+ *
+ * Detects sensitive operations that are not dominated by an authentication
+ * or authorization check on all control-flow paths within the same method.
+ *
+ * Detection strategy:
+ *   1. Identify calls to known authentication methods and sensitive operations.
+ *   2. Build a DominatorGraph from the file-level CFG.
+ *   3. For each sensitive operation, find the CFG block containing it and check
+ *      whether any auth-check block in the same method dominates that block.
+ *   4. If no auth-check block dominates the sensitive-op block → emit finding.
+ *
+ * Language: Java only (other languages handled differently or not yet).
+ * Dedup: at most one finding per method.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface MissingGuardDomResult {
+    findings: number;
+}
+export declare class MissingGuardDomPass implements AnalysisPass<MissingGuardDomResult> {
+    readonly name = "missing-guard-dom";
+    readonly category: "security";
+    run(ctx: PassContext): MissingGuardDomResult;
+}

package/dist/analysis/passes/missing-guard-dom-pass.js

@@ -0,0 +1,99 @@
+/**
+ * Pass: missing-guard-dom (#53, CWE-285)
+ *
+ * Detects sensitive operations that are not dominated by an authentication
+ * or authorization check on all control-flow paths within the same method.
+ *
+ * Detection strategy:
+ *   1. Identify calls to known authentication methods and sensitive operations.
+ *   2. Build a DominatorGraph from the file-level CFG.
+ *   3. For each sensitive operation, find the CFG block containing it and check
+ *      whether any auth-check block in the same method dominates that block.
+ *   4. If no auth-check block dominates the sensitive-op block → emit finding.
+ *
+ * Language: Java only (other languages handled differently or not yet).
+ * Dedup: at most one finding per method.
+ */
+import { DominatorGraph } from '../../graph/dominator-graph.js';
+const AUTH_METHODS = new Set([
+    'authenticate', 'isAuthenticated', 'isAuthorized', 'isAdmin',
+    'checkAuth', 'hasPermission', 'requiresAuth', 'verifyToken',
+    'validateToken', 'checkRole', 'authorize', 'isLoggedIn',
+]);
+const SENSITIVE_METHODS = new Set([
+    'delete', 'deleteById', 'drop', 'truncate', 'executeUpdate',
+    'createUser', 'createAdmin', 'modifyPermission', 'grantRole',
+    'setAdmin', 'elevatePrivilege',
+]);
+export class MissingGuardDomPass {
+    name = 'missing-guard-dom';
+    category = 'security';
+    run(ctx) {
+        const { graph, language } = ctx;
+        if (language !== 'java')
+            return { findings: 0 };
+        const { cfg, calls } = graph.ir;
+        if (cfg.blocks.length === 0 || cfg.edges.length === 0)
+            return { findings: 0 };
+        const dom = new DominatorGraph(cfg);
+        const file = graph.ir.meta.file;
+        // Collect auth-check and sensitive-op call lines from the IR
+        const authCallLines = [];
+        const sensitiveOps = [];
+        for (const call of calls) {
+            if (AUTH_METHODS.has(call.method_name)) {
+                authCallLines.push(call.location.line);
+            }
+            if (SENSITIVE_METHODS.has(call.method_name)) {
+                sensitiveOps.push({ line: call.location.line, method: call.method_name });
+            }
+        }
+        if (sensitiveOps.length === 0)
+            return { findings: 0 };
+        // Helper: find the CFG block whose [start_line, end_line] contains a given line
+        const blockContainingLine = (line) => cfg.blocks.find(b => b.start_line <= line && line <= b.end_line) ?? null;
+        // Emit at most one finding per method to avoid noise
+        const reportedMethods = new Set();
+        let count = 0;
+        for (const op of sensitiveOps) {
+            const opBlock = blockContainingLine(op.line);
+            if (!opBlock)
+                continue;
+            const methodInfo = graph.methodAtLine(op.line);
+            if (!methodInfo)
+                continue;
+            const methodKey = `${methodInfo.type.name}::${methodInfo.method.name}`;
+            if (reportedMethods.has(methodKey))
+                continue;
+            const { start_line, end_line } = methodInfo.method;
+            // Restrict auth checks to those inside the same method
+            const authInMethod = authCallLines.filter(l => l >= start_line && l <= end_line);
+            // Check whether any auth-check block dominates the sensitive-op block
+            const dominated = authInMethod.some(authLine => {
+                const authBlock = blockContainingLine(authLine);
+                return authBlock !== null && dom.dominates(authBlock.id, opBlock.id);
+            });
+            if (!dominated) {
+                reportedMethods.add(methodKey);
+                count++;
+                ctx.addFinding({
+                    id: `missing-guard-dom-${file}-${op.line}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: 'missing-guard-dom',
+                    cwe: 'CWE-285',
+                    severity: 'high',
+                    level: 'error',
+                    message: `Sensitive operation \`${op.method}()\` at line ${op.line} is not dominated ` +
+                        `by an authentication check`,
+                    file,
+                    line: op.line,
+                    fix: `Add authentication/authorization check on all paths leading to line ${op.line}`,
+                    evidence: { method: op.method },
+                });
+            }
+        }
+        return { findings: count };
+    }
+}
+//# sourceMappingURL=missing-guard-dom-pass.js.map

package/dist/analysis/passes/missing-guard-dom-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-guard-dom-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/missing-guard-dom-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AAEhE,MAAM,YAAY,GAAwB,IAAI,GAAG,CAAC;IAChD,cAAc,EAAE,iBAAiB,EAAE,cAAc,EAAE,SAAS;IAC5D,WAAW,EAAE,eAAe,EAAE,cAAc,EAAE,aAAa;IAC3D,eAAe,EAAE,WAAW,EAAE,WAAW,EAAE,YAAY;CACxD,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAwB,IAAI,GAAG,CAAC;IACrD,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,eAAe;IAC3D,YAAY,EAAE,aAAa,EAAE,kBAAkB,EAAE,WAAW;IAC5D,UAAU,EAAE,kBAAkB;CAC/B,CAAC,CAAC;AAMH,MAAM,OAAO,mBAAmB;IACrB,IAAI,GAAG,mBAAmB,CAAC;IAC3B,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEhC,IAAI,QAAQ,KAAK,MAAM;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAEhD,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;QAChC,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAE9E,MAAM,GAAG,GAAG,IAAI,cAAc,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEhC,6DAA6D;QAC7D,MAAM,aAAa,GAAa,EAAE,CAAC;QACnC,MAAM,YAAY,GAA4C,EAAE,CAAC;QAEjE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBACvC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACzC,CAAC;YACD,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC5C,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;YAC5E,CAAC;QACH,CAAC;QAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAEtD,gFAAgF;QAChF,MAAM,mBAAmB,GAAG,CAAC,IAAY,EAAE,EAAE,CAC3C,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,IAAI,IAAI,IAAI,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;QAE3E,qDAAqD;QACrD,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;QAC1C,IAAI,KAAK,GAAG,CAAC,CAAC;QAEd,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,mBAAmB,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;YAC7C,IAAI,CAAC,OAAO;gBAAE,SAAS;YAEvB,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;YAC/C,IAAI,CAAC,UAAU;gBAAE,SAAS;YAE1B,MAAM,SAAS,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,UAAU,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACvE,IAAI,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC;gBAAE,SAAS;YAE7C,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,GAAG,UAAU,CAAC,MAAM,CAAC;YAEnD,uDAAuD;YACvD,MAAM,YAAY,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,UAAU,IAAI,CAAC,IAAI,QAAQ,CAAC,CAAC;YAEjF,sEAAsE;YACtE,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE;gBAC7C,MAAM,SAAS,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;gBAChD,OAAO,SAAS,KAAK,IAAI,IAAI,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;YACvE,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBAC/B,KAAK,EAAE,CAAC;gBACR,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,qBAAqB,IAAI,IAAI,EAAE,CAAC,IAAI,EAAE;oBAC1C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,mBAAmB;oBAC5B,GAAG,EAAE,SAAS;oBACd,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,OAAO;oBACd,OAAO,EACL,yBAAyB,EAAE,CAAC,MAAM,gBAAgB,EAAE,CAAC,IAAI,oBAAoB;wBAC7E,4BAA4B;oBAC9B,IAAI;oBACJ,IAAI,EAAE,EAAE,CAAC,IAAI;oBACb,GAAG,EAAE,uEAAuE,EAAE,CAAC,IAAI,EAAE;oBACrF,QAAQ,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE;iBAChC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAC7B,CAAC;CACF"}

package/dist/analysis/passes/missing-override-pass.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Pass: missing-override (#64)
+ *
+ * Detects Java methods that override a parent class method but lack the
+ * @Override annotation. Without @Override the compiler cannot catch signature
+ * mismatches introduced by a parent-class refactoring.
+ *
+ * Detection strategy:
+ *   1. Build a map of class → method names from all types in the IR.
+ *   2. Build a parent map: class name → direct parent class name (strip generics).
+ *   3. For each class that has a parent in the same file, walk the inheritance
+ *      chain (max 10 hops, cycle guard) to collect all ancestor method names.
+ *   4. For each non-constructor, non-private, non-static, non-abstract method
+ *      whose name appears in the ancestor set — if @Override is absent → finding.
+ *
+ * Language: Java only.
+ * Dedup: at most one finding per class:method pair.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface MissingOverrideResult {
+    findings: number;
+}
+export declare class MissingOverridePass implements AnalysisPass<MissingOverrideResult> {
+    readonly name = "missing-override";
+    readonly category: "maintainability";
+    run(ctx: PassContext): MissingOverrideResult;
+}

package/dist/analysis/passes/missing-override-pass.js

@@ -0,0 +1,110 @@
+/**
+ * Pass: missing-override (#64)
+ *
+ * Detects Java methods that override a parent class method but lack the
+ * @Override annotation. Without @Override the compiler cannot catch signature
+ * mismatches introduced by a parent-class refactoring.
+ *
+ * Detection strategy:
+ *   1. Build a map of class → method names from all types in the IR.
+ *   2. Build a parent map: class name → direct parent class name (strip generics).
+ *   3. For each class that has a parent in the same file, walk the inheritance
+ *      chain (max 10 hops, cycle guard) to collect all ancestor method names.
+ *   4. For each non-constructor, non-private, non-static, non-abstract method
+ *      whose name appears in the ancestor set — if @Override is absent → finding.
+ *
+ * Language: Java only.
+ * Dedup: at most one finding per class:method pair.
+ */
+export class MissingOverridePass {
+    name = 'missing-override';
+    category = 'maintainability';
+    run(ctx) {
+        const { graph, language } = ctx;
+        if (language !== 'java')
+            return { findings: 0 };
+        const { types } = graph.ir;
+        const file = graph.ir.meta.file;
+        if (types.length === 0)
+            return { findings: 0 };
+        // Build map: class name → Set<method name>
+        const methodsByClass = new Map();
+        for (const type of types) {
+            methodsByClass.set(type.name, new Set(type.methods.map(m => m.name)));
+        }
+        // Build parent map: class name → direct parent class name (generics stripped)
+        const parentMap = new Map();
+        for (const type of types) {
+            if (type.extends) {
+                const parent = type.extends.replace(/<[^>]*>/g, '').trim();
+                parentMap.set(type.name, parent);
+            }
+        }
+        if (parentMap.size === 0)
+            return { findings: 0 };
+        // Walk inheritance chain to collect all ancestor method names
+        const getAncestorMethods = (className) => {
+            const methods = new Set();
+            const visited = new Set();
+            let current = parentMap.get(className);
+            let hops = 0;
+            while (current && !visited.has(current) && hops < 10) {
+                visited.add(current);
+                const parentMethods = methodsByClass.get(current);
+                if (parentMethods) {
+                    for (const m of parentMethods)
+                        methods.add(m);
+                }
+                current = parentMap.get(current);
+                hops++;
+            }
+            return methods;
+        };
+        const dedup = new Set();
+        let count = 0;
+        for (const type of types) {
+            if (!parentMap.has(type.name))
+                continue;
+            const ancestorMethods = getAncestorMethods(type.name);
+            if (ancestorMethods.size === 0)
+                continue;
+            for (const method of type.methods) {
+                // Skip constructors (same name as class)
+                if (method.name === type.name)
+                    continue;
+                // Skip private / static / abstract methods
+                if (method.modifiers.includes('private'))
+                    continue;
+                if (method.modifiers.includes('static'))
+                    continue;
+                if (method.modifiers.includes('abstract'))
+                    continue;
+                if (!ancestorMethods.has(method.name))
+                    continue;
+                if (method.annotations.includes('Override'))
+                    continue;
+                const key = `${type.name}:${method.name}`;
+                if (dedup.has(key))
+                    continue;
+                dedup.add(key);
+                count++;
+                ctx.addFinding({
+                    id: `missing-override-${file}-${method.start_line}`,
+                    pass: this.name,
+                    category: this.category,
+                    rule_id: 'missing-override',
+                    severity: 'low',
+                    level: 'warning',
+                    message: `Method \`${method.name}()\` in \`${type.name}\` overrides a parent method ` +
+                        `but lacks @Override`,
+                    file,
+                    line: method.start_line,
+                    fix: 'Add @Override to make the intent explicit and catch signature mismatches at compile time',
+                    evidence: { className: type.name, methodName: method.name },
+                });
+            }
+        }
+        return { findings: count };
+    }
+}
+//# sourceMappingURL=missing-override-pass.js.map

package/dist/analysis/passes/missing-override-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-override-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/missing-override-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAQH,MAAM,OAAO,mBAAmB;IACrB,IAAI,GAAG,kBAAkB,CAAC;IAC1B,QAAQ,GAAG,iBAA0B,CAAC;IAE/C,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC;QAEhC,IAAI,QAAQ,KAAK,MAAM;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAEhD,MAAM,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAEhC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAE/C,2CAA2C;QAC3C,MAAM,cAAc,GAAG,IAAI,GAAG,EAAuB,CAAC;QACtD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxE,CAAC;QAED,8EAA8E;QAC9E,MAAM,SAAS,GAAG,IAAI,GAAG,EAAkB,CAAC;QAC5C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACjB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC3D,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAED,IAAI,SAAS,CAAC,IAAI,KAAK,CAAC;YAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAEjD,8DAA8D;QAC9D,MAAM,kBAAkB,GAAG,CAAC,SAAiB,EAAe,EAAE;YAC5D,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;YAClC,MAAM,OAAO,GAAI,IAAI,GAAG,EAAU,CAAC;YACnC,IAAI,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACvC,IAAI,IAAI,GAAG,CAAC,CAAC;YACb,OAAO,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,GAAG,EAAE,EAAE,CAAC;gBACrD,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBACrB,MAAM,aAAa,GAAG,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAClD,IAAI,aAAa,EAAE,CAAC;oBAClB,KAAK,MAAM,CAAC,IAAI,aAAa;wBAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;gBAChD,CAAC;gBACD,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBACjC,IAAI,EAAE,CAAC;YACT,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC,CAAC;QAEF,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;QAChC,IAAI,KAAK,GAAG,CAAC,CAAC;QAEd,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAS;YAExC,MAAM,eAAe,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtD,IAAI,eAAe,CAAC,IAAI,KAAK,CAAC;gBAAE,SAAS;YAEzC,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBAClC,yCAAyC;gBACzC,IAAI,MAAM,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI;oBAAE,SAAS;gBACxC,2CAA2C;gBAC3C,IAAI,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;oBAAE,SAAS;gBACnD,IAAI,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBAClD,IAAI,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;oBAAE,SAAS;gBAEpD,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAChD,IAAI,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC;oBAAE,SAAS;gBAEtD,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;gBAC1C,IAAI,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAC7B,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAEf,KAAK,EAAE,CAAC;gBACR,GAAG,CAAC,UAAU,CAAC;oBACb,EAAE,EAAE,oBAAoB,IAAI,IAAI,MAAM,CAAC,UAAU,EAAE;oBACnD,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,OAAO,EAAE,kBAAkB;oBAC3B,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,SAAS;oBAChB,OAAO,EACL,YAAY,MAAM,CAAC,IAAI,aAAa,IAAI,CAAC,IAAI,+BAA+B;wBAC5E,qBAAqB;oBACvB,IAAI;oBACJ,IAAI,EAAE,MAAM,CAAC,UAAU;oBACvB,GAAG,EAAE,0FAA0F;oBAC/F,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE;iBAC5D,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAC7B,CAAC;CACF"}