npm - devarmor - Versions diffs - 1.0.0 - Mend

devarmor 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

package/LICENSE +21 -0
package/README.md +35 -0
package/dist/cli.d.ts +3 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +140 -0
package/dist/cli.js.map +1 -0
package/dist/index.d.ts +3 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +13 -0
package/dist/index.js.map +1 -0
package/dist/modules/agent-residue.d.ts +11 -0
package/dist/modules/agent-residue.d.ts.map +1 -0
package/dist/modules/agent-residue.js +283 -0
package/dist/modules/agent-residue.js.map +1 -0
package/dist/modules/mcp-auditor.d.ts +12 -0
package/dist/modules/mcp-auditor.d.ts.map +1 -0
package/dist/modules/mcp-auditor.js +290 -0
package/dist/modules/mcp-auditor.js.map +1 -0
package/dist/modules/posture-checker.d.ts +11 -0
package/dist/modules/posture-checker.d.ts.map +1 -0
package/dist/modules/posture-checker.js +315 -0
package/dist/modules/posture-checker.js.map +1 -0
package/dist/modules/secret-scanner.d.ts +11 -0
package/dist/modules/secret-scanner.d.ts.map +1 -0
package/dist/modules/secret-scanner.js +321 -0
package/dist/modules/secret-scanner.js.map +1 -0
package/dist/modules/skill-scanner.d.ts +12 -0
package/dist/modules/skill-scanner.d.ts.map +1 -0
package/dist/modules/skill-scanner.js +294 -0
package/dist/modules/skill-scanner.js.map +1 -0
package/dist/report/html.d.ts +6 -0
package/dist/report/html.d.ts.map +1 -0
package/dist/report/html.js +116 -0
package/dist/report/html.js.map +1 -0
package/dist/report/json.d.ts +9 -0
package/dist/report/json.d.ts.map +1 -0
package/dist/report/json.js +69 -0
package/dist/report/json.js.map +1 -0
package/dist/report/terminal.d.ts +6 -0
package/dist/report/terminal.d.ts.map +1 -0
package/dist/report/terminal.js +162 -0
package/dist/report/terminal.js.map +1 -0
package/dist/scanner.d.ts +9 -0
package/dist/scanner.d.ts.map +1 -0
package/dist/scanner.js +145 -0
package/dist/scanner.js.map +1 -0
package/dist/types.d.ts +91 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +17 -0
package/dist/types.js.map +1 -0
package/package.json +50 -0

package/dist/modules/mcp-auditor.js ADDED Viewed

@@ -0,0 +1,290 @@
+"use strict";
+// ============================================================
+// DevArmor — MCP Auditor Module
+// Audits MCP server configurations for security issues.
+// ============================================================
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MCPAuditor = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const types_1 = require("../types");
+/** MCP config files to look for. */
+const MCP_CONFIG_FILENAMES = [
+    'claude_desktop_config.json',
+    '.mcp.json',
+    'mcp.json',
+];
+/** Dangerous command patterns that indicate shell injection risk. */
+const DANGEROUS_COMMANDS = [
+    { pattern: /\brm\s+-rf\b/gi, label: 'Recursive delete (rm -rf)' },
+    { pattern: /\brm\s+/gi, label: 'File deletion (rm)' },
+    { pattern: /\bdel\s+/gi, label: 'File deletion (del)' },
+    { pattern: /\brmdir\s+/gi, label: 'Directory removal (rmdir)' },
+    { pattern: /powershell\s+-[Ee]ncoded[Cc]ommand/g, label: 'PowerShell encoded command' },
+    { pattern: /\bcurl\b.*\|\s*(?:sh|bash|zsh)\b/g, label: 'Curl piped to shell' },
+    { pattern: /\bwget\b.*\|\s*(?:sh|bash|zsh)\b/g, label: 'Wget piped to shell' },
+    { pattern: /\beval\s*\(/g, label: 'Dynamic eval execution' },
+    { pattern: /\bexec\s+/gi, label: 'Process execution (exec)' },
+    { pattern: /\bchmod\s+777\b/g, label: 'Overly permissive chmod 777' },
+    { pattern: /\bnet\s+user\b/gi, label: 'Windows user management (net user)' },
+    { pattern: /\breg\s+add\b/gi, label: 'Windows registry modification' },
+];
+/** Patterns that indicate hardcoded API keys/tokens in MCP configs. */
+const SECRET_PATTERNS = [
+    { regex: /sk-[A-Za-z0-9_-]{20,}/g, label: 'OpenAI API Key' },
+    { regex: /sk-ant-[A-Za-z0-9_-]{20,}/g, label: 'Anthropic API Key' },
+    { regex: /ghp_[A-Za-z0-9]{36,}/g, label: 'GitHub PAT' },
+    { regex: /AKIA[0-9A-Z]{16}/g, label: 'AWS Access Key' },
+    { regex: /glpat-[A-Za-z0-9_-]{20,}/g, label: 'GitLab PAT' },
+    { regex: /(?:api_key|apikey|secret|token|password|auth_token)\s*[=:]\s*["'][A-Za-z0-9_/+=.-]{10,}["']/gi, label: 'Hardcoded Credential' },
+];
+/** Overly broad filesystem paths that grant too much access. */
+const BROAD_FS_PATTERNS = [
+    { pattern: /[\"']\/[\"']/g, label: 'Root filesystem (/)' },
+    { pattern: /[\"']C:\\\\[\"']/gi, label: 'Root drive (C:\\)' },
+    { pattern: /[\"']~[\"']/g, label: 'Home directory (~)' },
+    { pattern: /[\"']\/home[\"']/g, label: 'All home directories (/home)' },
+    { pattern: /[\"']\/Users[\"']/g, label: 'All user directories (/Users)' },
+    { pattern: /[\"']\*[\"']/g, label: 'Wildcard glob (*)' },
+];
+/** Maximum file size to scan (512KB — configs should be small). */
+const MAX_CONFIG_SIZE = 512 * 1024;
+/**
+ * Redacts sensitive content for safe display.
+ */
+function redact(value) {
+    if (value.length <= 12)
+        return '****';
+    return value.substring(0, 4) + '****' + value.substring(value.length - 4);
+}
+/**
+ * Locates all MCP config files in common locations.
+ */
+function findMCPConfigs(projectPath) {
+    const results = [];
+    const homeDir = os.homedir();
+    // Search locations: home dir, common config dirs, project dir
+    const searchRoots = [
+        homeDir,
+        path.join(homeDir, '.claude'),
+        path.join(homeDir, '.cursor'),
+        path.join(homeDir, '.config'),
+        path.join(homeDir, 'AppData', 'Roaming', 'Claude'),
+        path.join(homeDir, 'Library', 'Application Support', 'Claude'),
+        projectPath,
+        path.join(projectPath, '.claude'),
+        path.join(projectPath, '.cursor'),
+    ];
+    for (const root of searchRoots) {
+        if (!fs.existsSync(root))
+            continue;
+        for (const filename of MCP_CONFIG_FILENAMES) {
+            const filePath = path.join(root, filename);
+            try {
+                if (fs.existsSync(filePath)) {
+                    const stat = fs.statSync(filePath);
+                    if (stat.isFile() && stat.size <= MAX_CONFIG_SIZE && stat.size > 0) {
+                        // Avoid duplicates
+                        if (!results.includes(filePath)) {
+                            results.push(filePath);
+                        }
+                    }
+                }
+            }
+            catch {
+                // Skip inaccessible files
+            }
+        }
+    }
+    return results;
+}
+/**
+ * MCPAuditor — Audits MCP server configurations for shell injection,
+ * over-privileged tool access, hardcoded secrets, insecure transport,
+ * and overly broad filesystem access.
+ */
+class MCPAuditor {
+    name = 'MCPAuditor';
+    label = '📡 MCP Auditor';
+    async scan(options) {
+        const startTime = Date.now();
+        const findings = [];
+        const configFiles = findMCPConfigs(options.path);
+        for (const filePath of configFiles) {
+            let content;
+            try {
+                content = fs.readFileSync(filePath, 'utf-8');
+            }
+            catch {
+                continue; // Skip unreadable files
+            }
+            // Report MCP config discovery
+            findings.push({
+                module: this.name,
+                severity: types_1.Severity.INFO,
+                title: 'MCP Configuration Found',
+                description: `MCP configuration file detected at ${filePath}. Auditing for security issues.`,
+                filePath,
+                remediation: 'Periodically review MCP server configurations for security',
+            });
+            // Parse JSON to inspect structure
+            let config;
+            try {
+                config = JSON.parse(content);
+            }
+            catch {
+                findings.push({
+                    module: this.name,
+                    severity: types_1.Severity.LOW,
+                    title: 'Malformed MCP Configuration',
+                    description: 'Could not parse MCP config as valid JSON.',
+                    filePath,
+                    remediation: 'Fix JSON syntax errors in the MCP configuration',
+                });
+                continue;
+            }
+            // Check for shell injection in command args
+            for (const pattern of DANGEROUS_COMMANDS) {
+                pattern.pattern.lastIndex = 0;
+                let match;
+                while ((match = pattern.pattern.exec(content)) !== null) {
+                    const upToMatch = content.substring(0, match.index);
+                    const lineNumber = upToMatch.split('\n').length;
+                    findings.push({
+                        module: this.name,
+                        severity: types_1.Severity.CRITICAL,
+                        title: `Shell Injection Risk — ${pattern.label}`,
+                        description: `Dangerous command pattern detected in MCP server configuration.`,
+                        filePath,
+                        line: lineNumber,
+                        evidence: match[0],
+                        remediation: 'Remove dangerous shell commands from MCP server arguments. Use dedicated tools instead of raw shell access.',
+                    });
+                }
+            }
+            // Check for hardcoded API keys/tokens
+            for (const pattern of SECRET_PATTERNS) {
+                pattern.regex.lastIndex = 0;
+                let match;
+                while ((match = pattern.regex.exec(content)) !== null) {
+                    const upToMatch = content.substring(0, match.index);
+                    const lineNumber = upToMatch.split('\n').length;
+                    findings.push({
+                        module: this.name,
+                        severity: types_1.Severity.CRITICAL,
+                        title: `Hardcoded Secret in MCP Config — ${pattern.label}`,
+                        description: `Found a potential ${pattern.label} hardcoded in MCP configuration.`,
+                        filePath,
+                        line: lineNumber,
+                        evidence: redact(match[0]),
+                        remediation: 'Use environment variables instead of hardcoding secrets in MCP configs',
+                    });
+                }
+            }
+            // Check for overly broad filesystem access
+            for (const fsPattern of BROAD_FS_PATTERNS) {
+                fsPattern.pattern.lastIndex = 0;
+                let match;
+                while ((match = fsPattern.pattern.exec(content)) !== null) {
+                    const upToMatch = content.substring(0, match.index);
+                    const lineNumber = upToMatch.split('\n').length;
+                    findings.push({
+                        module: this.name,
+                        severity: types_1.Severity.HIGH,
+                        title: `Overly Broad Filesystem Access — ${fsPattern.label}`,
+                        description: `MCP server is configured with access to ${fsPattern.label}, which grants excessive permissions.`,
+                        filePath,
+                        line: lineNumber,
+                        evidence: match[0],
+                        remediation: 'Restrict MCP server filesystem access to specific project directories only',
+                    });
+                }
+            }
+            // Check for insecure stdio transport without validation
+            const mcpServers = config['mcpServers'] ??
+                config['servers'] ?? {};
+            if (typeof mcpServers === 'object' && mcpServers !== null) {
+                for (const [serverName, serverConfig] of Object.entries(mcpServers)) {
+                    if (typeof serverConfig !== 'object' || serverConfig === null)
+                        continue;
+                    const sc = serverConfig;
+                    // Check transport type
+                    const transport = sc['transport'] ?? 'stdio';
+                    if (transport === 'stdio') {
+                        // stdio is default — check if there's any validation/sandboxing
+                        const hasEnvRestriction = sc['env'] !== undefined;
+                        const command = String(sc['command'] ?? '');
+                        if (command && !hasEnvRestriction) {
+                            findings.push({
+                                module: this.name,
+                                severity: types_1.Severity.MEDIUM,
+                                title: `Stdio Transport Without Environment Restrictions — ${serverName}`,
+                                description: `MCP server "${serverName}" uses stdio transport without explicit environment variable restrictions.`,
+                                filePath,
+                                remediation: 'Add explicit "env" configuration to restrict environment variable exposure to MCP servers',
+                            });
+                        }
+                    }
+                    // Check for over-privileged tool access (wildcard or excessive tool lists)
+                    const tools = sc['tools'];
+                    if (Array.isArray(tools)) {
+                        if (tools.includes('*') || tools.includes('all')) {
+                            findings.push({
+                                module: this.name,
+                                severity: types_1.Severity.HIGH,
+                                title: `Over-Privileged Tool Access — ${serverName}`,
+                                description: `MCP server "${serverName}" has wildcard tool access, granting it all available tools.`,
+                                filePath,
+                                remediation: 'Restrict tool access to only the specific tools the server needs',
+                            });
+                        }
+                    }
+                }
+            }
+        }
+        return {
+            module: this.name,
+            label: this.label,
+            success: true,
+            durationMs: Date.now() - startTime,
+            itemsScanned: configFiles.length,
+            findings,
+        };
+    }
+}
+exports.MCPAuditor = MCPAuditor;
+//# sourceMappingURL=mcp-auditor.js.map

package/dist/modules/mcp-auditor.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"mcp-auditor.js","sourceRoot":"","sources":["../../src/modules/mcp-auditor.ts"],"names":[],"mappings":";AAAA,+DAA+D;AAC/D,gCAAgC;AAChC,wDAAwD;AACxD,+DAA+D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAE/D,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AACzB,oCAMkB;AAElB,oCAAoC;AACpC,MAAM,oBAAoB,GAAG;IAC3B,4BAA4B;IAC5B,WAAW;IACX,UAAU;CACX,CAAC;AAEF,qEAAqE;AACrE,MAAM,kBAAkB,GAAyC;IAC/D,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,2BAA2B,EAAE;IACjE,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,oBAAoB,EAAE;IACrD,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,qBAAqB,EAAE;IACvD,EAAE,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,2BAA2B,EAAE;IAC/D,EAAE,OAAO,EAAE,qCAAqC,EAAE,KAAK,EAAE,4BAA4B,EAAE;IACvF,EAAE,OAAO,EAAE,mCAAmC,EAAE,KAAK,EAAE,qBAAqB,EAAE;IAC9E,EAAE,OAAO,EAAE,mCAAmC,EAAE,KAAK,EAAE,qBAAqB,EAAE;IAC9E,EAAE,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,wBAAwB,EAAE;IAC5D,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,0BAA0B,EAAE;IAC7D,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,6BAA6B,EAAE;IACrE,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,oCAAoC,EAAE;IAC5E,EAAE,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,+BAA+B,EAAE;CACvE,CAAC;AAEF,uEAAuE;AACvE,MAAM,eAAe,GAAG;IACtB,EAAE,KAAK,EAAE,wBAAwB,EAAE,KAAK,EAAE,gBAAgB,EAAE;IAC5D,EAAE,KAAK,EAAE,4BAA4B,EAAE,KAAK,EAAE,mBAAmB,EAAE;IACnE,EAAE,KAAK,EAAE,uBAAuB,EAAE,KAAK,EAAE,YAAY,EAAE;IACvD,EAAE,KAAK,EAAE,mBAAmB,EAAE,KAAK,EAAE,gBAAgB,EAAE;IACvD,EAAE,KAAK,EAAE,2BAA2B,EAAE,KAAK,EAAE,YAAY,EAAE;IAC3D,EAAE,KAAK,EAAE,+FAA+F,EAAE,KAAK,EAAE,sBAAsB,EAAE;CAC1I,CAAC;AAEF,gEAAgE;AAChE,MAAM,iBAAiB,GAAG;IACxB,EAAE,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,qBAAqB,EAAE;IAC1D,EAAE,OAAO,EAAE,oBAAoB,EAAE,KAAK,EAAE,mBAAmB,EAAE;IAC7D,EAAE,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,oBAAoB,EAAE;IACxD,EAAE,OAAO,EAAE,mBAAmB,EAAE,KAAK,EAAE,8BAA8B,EAAE;IACvE,EAAE,OAAO,EAAE,oBAAoB,EAAE,KAAK,EAAE,+BAA+B,EAAE;IACzE,EAAE,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,mBAAmB,EAAE;CACzD,CAAC;AAEF,mEAAmE;AACnE,MAAM,eAAe,GAAG,GAAG,GAAG,IAAI,CAAC;AAEnC;;GAEG;AACH,SAAS,MAAM,CAAC,KAAa;IAC3B,IAAI,KAAK,CAAC,MAAM,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IACtC,OAAO,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AAC5E,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,WAAmB;IACzC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,OAAO,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;IAE7B,8DAA8D;IAC9D,MAAM,WAAW,GAAG;QAClB,OAAO;QACP,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC;QAC7B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC;QAC7B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC;QAC7B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC;QAClD,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,QAAQ,CAAC;QAC9D,WAAW;QACX,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC;QACjC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC;KAClC,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,SAAS;QAEnC,KAAK,MAAM,QAAQ,IAAI,oBAAoB,EAAE,CAAC;YAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YAC3C,IAAI,CAAC;gBACH,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC5B,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;oBACnC,IAAI,IAAI,CAAC,MAAM,EAAE,IAAI,IAAI,CAAC,IAAI,IAAI,eAAe,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;wBACnE,mBAAmB;wBACnB,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;4BAChC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;wBACzB,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,0BAA0B;YAC5B,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,MAAa,UAAU;IACrB,IAAI,GAAG,YAAqB,CAAC;IAC7B,KAAK,GAAG,gBAAgB,CAAC;IAEzB,KAAK,CAAC,IAAI,CAAC,OAAoB;QAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAkB,EAAE,CAAC;QAEnC,MAAM,WAAW,GAAG,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAEjD,KAAK,MAAM,QAAQ,IAAI,WAAW,EAAE,CAAC;YACnC,IAAI,OAAe,CAAC;YACpB,IAAI,CAAC;gBACH,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAC/C,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS,CAAC,wBAAwB;YACpC,CAAC;YAED,8BAA8B;YAC9B,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,IAAI,CAAC,IAAI;gBACjB,QAAQ,EAAE,gBAAQ,CAAC,IAAI;gBACvB,KAAK,EAAE,yBAAyB;gBAChC,WAAW,EAAE,sCAAsC,QAAQ,iCAAiC;gBAC5F,QAAQ;gBACR,WAAW,EAAE,4DAA4D;aAC1E,CAAC,CAAC;YAEH,kCAAkC;YAClC,IAAI,MAA+B,CAAC;YACpC,IAAI,CAAC;gBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC/B,CAAC;YAAC,MAAM,CAAC;gBACP,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,IAAI,CAAC,IAAI;oBACjB,QAAQ,EAAE,gBAAQ,CAAC,GAAG;oBACtB,KAAK,EAAE,6BAA6B;oBACpC,WAAW,EAAE,2CAA2C;oBACxD,QAAQ;oBACR,WAAW,EAAE,iDAAiD;iBAC/D,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,4CAA4C;YAC5C,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;gBACzC,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBAE9B,IAAI,KAA6B,CAAC;gBAClC,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBACxD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;oBACpD,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;oBAEhD,QAAQ,CAAC,IAAI,CAAC;wBACZ,MAAM,EAAE,IAAI,CAAC,IAAI;wBACjB,QAAQ,EAAE,gBAAQ,CAAC,QAAQ;wBAC3B,KAAK,EAAE,0BAA0B,OAAO,CAAC,KAAK,EAAE;wBAChD,WAAW,EAAE,iEAAiE;wBAC9E,QAAQ;wBACR,IAAI,EAAE,UAAU;wBAChB,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC;wBAClB,WAAW,EAAE,6GAA6G;qBAC3H,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,sCAAsC;YACtC,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;gBACtC,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;gBAE5B,IAAI,KAA6B,CAAC;gBAClC,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBACtD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;oBACpD,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;oBAEhD,QAAQ,CAAC,IAAI,CAAC;wBACZ,MAAM,EAAE,IAAI,CAAC,IAAI;wBACjB,QAAQ,EAAE,gBAAQ,CAAC,QAAQ;wBAC3B,KAAK,EAAE,oCAAoC,OAAO,CAAC,KAAK,EAAE;wBAC1D,WAAW,EAAE,qBAAqB,OAAO,CAAC,KAAK,kCAAkC;wBACjF,QAAQ;wBACR,IAAI,EAAE,UAAU;wBAChB,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;wBAC1B,WAAW,EAAE,wEAAwE;qBACtF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,2CAA2C;YAC3C,KAAK,MAAM,SAAS,IAAI,iBAAiB,EAAE,CAAC;gBAC1C,SAAS,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBAEhC,IAAI,KAA6B,CAAC;gBAClC,OAAO,CAAC,KAAK,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBAC1D,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;oBACpD,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;oBAEhD,QAAQ,CAAC,IAAI,CAAC;wBACZ,MAAM,EAAE,IAAI,CAAC,IAAI;wBACjB,QAAQ,EAAE,gBAAQ,CAAC,IAAI;wBACvB,KAAK,EAAE,oCAAoC,SAAS,CAAC,KAAK,EAAE;wBAC5D,WAAW,EAAE,2CAA2C,SAAS,CAAC,KAAK,uCAAuC;wBAC9G,QAAQ;wBACR,IAAI,EAAE,UAAU;wBAChB,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC;wBAClB,WAAW,EAAE,4EAA4E;qBAC1F,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,wDAAwD;YACxD,MAAM,UAAU,GAAI,MAAkC,CAAC,YAAY,CAAC;gBAC/C,MAAkC,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;YACzE,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;gBAC1D,KAAK,MAAM,CAAC,UAAU,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAqC,CAAC,EAAE,CAAC;oBAC/F,IAAI,OAAO,YAAY,KAAK,QAAQ,IAAI,YAAY,KAAK,IAAI;wBAAE,SAAS;oBAExE,MAAM,EAAE,GAAG,YAAuC,CAAC;oBAEnD,uBAAuB;oBACvB,MAAM,SAAS,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC;oBAC7C,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;wBAC1B,gEAAgE;wBAChE,MAAM,iBAAiB,GAAG,EAAE,CAAC,KAAK,CAAC,KAAK,SAAS,CAAC;wBAClD,MAAM,OAAO,GAAG,MAAM,CAAC,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;wBAE5C,IAAI,OAAO,IAAI,CAAC,iBAAiB,EAAE,CAAC;4BAClC,QAAQ,CAAC,IAAI,CAAC;gCACZ,MAAM,EAAE,IAAI,CAAC,IAAI;gCACjB,QAAQ,EAAE,gBAAQ,CAAC,MAAM;gCACzB,KAAK,EAAE,sDAAsD,UAAU,EAAE;gCACzE,WAAW,EAAE,eAAe,UAAU,4EAA4E;gCAClH,QAAQ;gCACR,WAAW,EAAE,2FAA2F;6BACzG,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;oBAED,2EAA2E;oBAC3E,MAAM,KAAK,GAAG,EAAE,CAAC,OAAO,CAAyB,CAAC;oBAClD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;wBACzB,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;4BACjD,QAAQ,CAAC,IAAI,CAAC;gCACZ,MAAM,EAAE,IAAI,CAAC,IAAI;gCACjB,QAAQ,EAAE,gBAAQ,CAAC,IAAI;gCACvB,KAAK,EAAE,iCAAiC,UAAU,EAAE;gCACpD,WAAW,EAAE,eAAe,UAAU,8DAA8D;gCACpG,QAAQ;gCACR,WAAW,EAAE,kEAAkE;6BAChF,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,IAAI,CAAC,IAAI;YACjB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,OAAO,EAAE,IAAI;YACb,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAClC,YAAY,EAAE,WAAW,CAAC,MAAM;YAChC,QAAQ;SACT,CAAC;IACJ,CAAC;CACF;AArKD,gCAqKC"}

package/dist/modules/posture-checker.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { ScannerModule, ModuleResult, ScanOptions } from '../types';
+/**
+ * PostureChecker — Audits developer workstation security posture
+ * including git config, .gitignore, .npmrc, SSH keys, and cloud credentials.
+ */
+export declare class PostureChecker implements ScannerModule {
+    name: "PostureChecker";
+    label: string;
+    scan(options: ScanOptions): Promise<ModuleResult>;
+}
+//# sourceMappingURL=posture-checker.d.ts.map

package/dist/modules/posture-checker.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"posture-checker.d.ts","sourceRoot":"","sources":["../../src/modules/posture-checker.ts"],"names":[],"mappings":"AASA,OAAO,EACL,aAAa,EACb,YAAY,EAEZ,WAAW,EAEZ,MAAM,UAAU,CAAC;AAoClB;;;GAGG;AACH,qBAAa,cAAe,YAAW,aAAa;IAClD,IAAI,EAAG,gBAAgB,CAAU;IACjC,KAAK,SAAwB;IAEvB,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,YAAY,CAAC;CA0OxD"}

package/dist/modules/posture-checker.js ADDED Viewed

@@ -0,0 +1,315 @@
+"use strict";
+// ============================================================
+// DevArmor — Posture Checker Module
+// Audits developer workstation security posture.
+// ============================================================
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PostureChecker = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const child_process_1 = require("child_process");
+const types_1 = require("../types");
+/** Common personal email domains to flag. */
+const PERSONAL_EMAIL_DOMAINS = [
+    'gmail.com', 'yahoo.com', 'hotmail.com', 'outlook.com',
+    'aol.com', 'icloud.com', 'mail.com', 'protonmail.com',
+    'live.com', 'msn.com', 'ymail.com', 'zoho.com',
+];
+/** Cloud CLI credential file locations relative to home directory. */
+const CLOUD_CREDENTIAL_FILES = [
+    { name: 'AWS Credentials', file: path.join('.aws', 'credentials') },
+    { name: 'AWS Config', file: path.join('.aws', 'config') },
+    { name: 'Azure CLI Config', file: path.join('.azure', 'config') },
+    { name: 'Azure CLI Token', file: path.join('.azure', 'accessTokens.json') },
+    { name: 'Azure CLI Profile', file: path.join('.azure', 'azureProfile.json') },
+    { name: 'GCP Application Default Credentials', file: path.join('.config', 'gcloud', 'application_default_credentials.json') },
+    { name: 'GCP Properties', file: path.join('.config', 'gcloud', 'properties') },
+];
+/** SSH key files to check. */
+const SSH_KEY_FILES = [
+    'id_rsa', 'id_ecdsa', 'id_ed25519', 'id_dsa',
+];
+/**
+ * Safely executes a command and returns stdout, or null on failure.
+ */
+function safeExec(command) {
+    try {
+        return (0, child_process_1.execSync)(command, { encoding: 'utf-8', timeout: 5000, stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * PostureChecker — Audits developer workstation security posture
+ * including git config, .gitignore, .npmrc, SSH keys, and cloud credentials.
+ */
+class PostureChecker {
+    name = 'PostureChecker';
+    label = '📋 Posture Checker';
+    async scan(options) {
+        const startTime = Date.now();
+        const findings = [];
+        const homeDir = os.homedir();
+        let itemsChecked = 0;
+        // ── Check 1: Git config email exposure ──
+        itemsChecked++;
+        const gitEmail = safeExec('git config --global user.email');
+        if (gitEmail) {
+            const domain = gitEmail.split('@')[1]?.toLowerCase();
+            if (domain && PERSONAL_EMAIL_DOMAINS.includes(domain)) {
+                findings.push({
+                    module: this.name,
+                    severity: types_1.Severity.MEDIUM,
+                    title: 'Personal Email in Global Git Config',
+                    description: `Global git config uses personal email "${gitEmail}". This email appears in every commit and is publicly visible on pushed repositories.`,
+                    remediation: 'Use a work email or GitHub noreply address: git config --global user.email "user@users.noreply.github.com"',
+                });
+            }
+            else if (gitEmail) {
+                findings.push({
+                    module: this.name,
+                    severity: types_1.Severity.INFO,
+                    title: 'Git Email Configured',
+                    description: `Global git email is set to "${gitEmail}".`,
+                    remediation: 'No action needed — verify this email is appropriate for public commits',
+                });
+            }
+        }
+        else {
+            findings.push({
+                module: this.name,
+                severity: types_1.Severity.LOW,
+                title: 'No Global Git Email Configured',
+                description: 'No global git user.email is set. Commits may use system defaults.',
+                remediation: 'Set a git email: git config --global user.email "your-email@example.com"',
+            });
+        }
+        // ── Check 2: .gitignore exists and covers .env ──
+        itemsChecked++;
+        const gitignorePath = path.join(options.path, '.gitignore');
+        if (fs.existsSync(gitignorePath)) {
+            let gitignoreContent;
+            try {
+                gitignoreContent = fs.readFileSync(gitignorePath, 'utf-8');
+            }
+            catch {
+                gitignoreContent = '';
+            }
+            const hasEnvEntry = /^\.env$/m.test(gitignoreContent) ||
+                /^\.env\.\*$/m.test(gitignoreContent) ||
+                /^\.env\.local$/m.test(gitignoreContent) ||
+                /^\.env\*$/m.test(gitignoreContent);
+            if (!hasEnvEntry) {
+                findings.push({
+                    module: this.name,
+                    severity: types_1.Severity.HIGH,
+                    title: '.gitignore Missing .env Entry',
+                    description: '.gitignore exists but does not contain entries for .env files. Environment files with secrets may be accidentally committed.',
+                    filePath: gitignorePath,
+                    remediation: 'Add ".env" and ".env.*" to your .gitignore file',
+                });
+            }
+            else {
+                findings.push({
+                    module: this.name,
+                    severity: types_1.Severity.INFO,
+                    title: '.gitignore Covers .env Files',
+                    description: '.gitignore properly includes entries for .env files.',
+                    filePath: gitignorePath,
+                    remediation: 'No action needed',
+                });
+            }
+        }
+        else {
+            findings.push({
+                module: this.name,
+                severity: types_1.Severity.HIGH,
+                title: 'No .gitignore File Found',
+                description: 'No .gitignore file exists in the project root. Sensitive files may be accidentally committed.',
+                remediation: 'Create a .gitignore file with entries for .env, node_modules, and other sensitive paths',
+            });
+        }
+        // ── Check 3: .npmrc for auth tokens ──
+        itemsChecked++;
+        const npmrcPaths = [
+            path.join(options.path, '.npmrc'),
+            path.join(homeDir, '.npmrc'),
+        ];
+        for (const npmrcPath of npmrcPaths) {
+            if (!fs.existsSync(npmrcPath))
+                continue;
+            let npmrcContent;
+            try {
+                npmrcContent = fs.readFileSync(npmrcPath, 'utf-8');
+            }
+            catch {
+                continue;
+            }
+            // Check for _authToken
+            const authTokenMatch = /_authToken\s*=\s*(.+)/i.exec(npmrcContent);
+            if (authTokenMatch) {
+                const token = authTokenMatch[1].trim();
+                const isEnvVar = token.startsWith('${') && token.endsWith('}');
+                if (!isEnvVar) {
+                    const upToMatch = npmrcContent.substring(0, authTokenMatch.index);
+                    const lineNumber = upToMatch.split('\n').length;
+                    findings.push({
+                        module: this.name,
+                        severity: types_1.Severity.HIGH,
+                        title: 'Hardcoded npm Auth Token',
+                        description: `Found a hardcoded _authToken in .npmrc. This token should use environment variable substitution.`,
+                        filePath: npmrcPath,
+                        line: lineNumber,
+                        evidence: '_authToken=****',
+                        remediation: 'Replace the hardcoded token with an env var: _authToken=${NPM_TOKEN}',
+                    });
+                }
+                else {
+                    findings.push({
+                        module: this.name,
+                        severity: types_1.Severity.INFO,
+                        title: 'npm Auth Token Uses Environment Variable',
+                        description: '.npmrc uses environment variable substitution for auth token.',
+                        filePath: npmrcPath,
+                        remediation: 'No action needed',
+                    });
+                }
+            }
+        }
+        // ── Check 4: SSH key file existence ──
+        itemsChecked++;
+        const sshDir = path.join(homeDir, '.ssh');
+        if (fs.existsSync(sshDir)) {
+            for (const keyFile of SSH_KEY_FILES) {
+                const keyPath = path.join(sshDir, keyFile);
+                if (!fs.existsSync(keyPath))
+                    continue;
+                // On non-Windows, we'd check permissions with stat
+                // On Windows, report existence and recommend review
+                const isWindows = os.platform() === 'win32';
+                if (isWindows) {
+                    findings.push({
+                        module: this.name,
+                        severity: types_1.Severity.INFO,
+                        title: `SSH Private Key Found — ${keyFile}`,
+                        description: `SSH private key file detected at ${keyPath}. Verify that file ACLs are properly restricted.`,
+                        filePath: keyPath,
+                        remediation: 'Ensure only your user account has access: icacls <key> /inheritance:r /grant:r "%USERNAME%:R"',
+                    });
+                }
+                else {
+                    // Check Unix permissions
+                    try {
+                        const stat = fs.statSync(keyPath);
+                        const mode = (stat.mode & 0o777).toString(8);
+                        const isPermissive = (stat.mode & 0o077) !== 0; // group/other have any access
+                        if (isPermissive) {
+                            findings.push({
+                                module: this.name,
+                                severity: types_1.Severity.HIGH,
+                                title: `SSH Key Overly Permissive — ${keyFile}`,
+                                description: `SSH private key has permissions ${mode} — group/other users can read it.`,
+                                filePath: keyPath,
+                                evidence: `mode: ${mode}`,
+                                remediation: `Fix permissions: chmod 600 ${keyPath}`,
+                            });
+                        }
+                        else {
+                            findings.push({
+                                module: this.name,
+                                severity: types_1.Severity.INFO,
+                                title: `SSH Key Permissions OK — ${keyFile}`,
+                                description: `SSH private key has proper permissions (${mode}).`,
+                                filePath: keyPath,
+                                remediation: 'No action needed',
+                            });
+                        }
+                    }
+                    catch {
+                        // Skip inaccessible key files
+                    }
+                }
+            }
+        }
+        // ── Check 5: Cloud CLI credential files ──
+        itemsChecked++;
+        for (const cred of CLOUD_CREDENTIAL_FILES) {
+            const credPath = path.join(homeDir, cred.file);
+            if (!fs.existsSync(credPath))
+                continue;
+            findings.push({
+                module: this.name,
+                severity: types_1.Severity.MEDIUM,
+                title: `Cloud CLI Credentials Found — ${cred.name}`,
+                description: `Cloud credential file detected at ${credPath}. Ensure these credentials follow least-privilege principles.`,
+                filePath: credPath,
+                remediation: 'Review cloud CLI credentials for excessive permissions. Use short-lived tokens or SSO where possible.',
+            });
+            // Additionally check AWS credentials for hardcoded keys
+            if (cred.file.includes('.aws') && cred.file.endsWith('credentials')) {
+                let content;
+                try {
+                    content = fs.readFileSync(credPath, 'utf-8');
+                }
+                catch {
+                    continue;
+                }
+                if (/aws_access_key_id\s*=\s*AKIA[0-9A-Z]{16}/i.test(content)) {
+                    findings.push({
+                        module: this.name,
+                        severity: types_1.Severity.HIGH,
+                        title: 'Long-Lived AWS Access Key Detected',
+                        description: 'AWS credentials file contains a long-lived access key. Consider using IAM Identity Center (SSO) instead.',
+                        filePath: credPath,
+                        remediation: 'Migrate to AWS SSO/IAM Identity Center for short-lived credentials',
+                    });
+                }
+            }
+        }
+        return {
+            module: this.name,
+            label: this.label,
+            success: true,
+            durationMs: Date.now() - startTime,
+            itemsScanned: itemsChecked,
+            findings,
+        };
+    }
+}
+exports.PostureChecker = PostureChecker;
+//# sourceMappingURL=posture-checker.js.map

package/dist/modules/posture-checker.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"posture-checker.js","sourceRoot":"","sources":["../../src/modules/posture-checker.ts"],"names":[],"mappings":";AAAA,+DAA+D;AAC/D,oCAAoC;AACpC,iDAAiD;AACjD,+DAA+D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAE/D,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AACzB,iDAAyC;AACzC,oCAMkB;AAElB,6CAA6C;AAC7C,MAAM,sBAAsB,GAAG;IAC7B,WAAW,EAAE,WAAW,EAAE,aAAa,EAAE,aAAa;IACtD,SAAS,EAAE,YAAY,EAAE,UAAU,EAAE,gBAAgB;IACrD,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU;CAC/C,CAAC;AAEF,sEAAsE;AACtE,MAAM,sBAAsB,GAAG;IAC7B,EAAE,IAAI,EAAE,iBAAiB,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,aAAa,CAAC,EAAE;IACnE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE;IACzD,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE;IACjE,EAAE,IAAI,EAAE,iBAAiB,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,mBAAmB,CAAC,EAAE;IAC3E,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,mBAAmB,CAAC,EAAE;IAC7E,EAAE,IAAI,EAAE,qCAAqC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,EAAE,sCAAsC,CAAC,EAAE;IAC7H,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,EAAE,YAAY,CAAC,EAAE;CAC/E,CAAC;AAEF,8BAA8B;AAC9B,MAAM,aAAa,GAAG;IACpB,QAAQ,EAAE,UAAU,EAAE,YAAY,EAAE,QAAQ;CAC7C,CAAC;AAEF;;GAEG;AACH,SAAS,QAAQ,CAAC,OAAe;IAC/B,IAAI,CAAC;QACH,OAAO,IAAA,wBAAQ,EAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACzG,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAa,cAAc;IACzB,IAAI,GAAG,gBAAyB,CAAC;IACjC,KAAK,GAAG,oBAAoB,CAAC;IAE7B,KAAK,CAAC,IAAI,CAAC,OAAoB;QAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;QAC7B,IAAI,YAAY,GAAG,CAAC,CAAC;QAErB,2CAA2C;QAC3C,YAAY,EAAE,CAAC;QACf,MAAM,QAAQ,GAAG,QAAQ,CAAC,gCAAgC,CAAC,CAAC;QAC5D,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC;YACrD,IAAI,MAAM,IAAI,sBAAsB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBACtD,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,IAAI,CAAC,IAAI;oBACjB,QAAQ,EAAE,gBAAQ,CAAC,MAAM;oBACzB,KAAK,EAAE,qCAAqC;oBAC5C,WAAW,EAAE,0CAA0C,QAAQ,uFAAuF;oBACtJ,WAAW,EAAE,4GAA4G;iBAC1H,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,QAAQ,EAAE,CAAC;gBACpB,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,IAAI,CAAC,IAAI;oBACjB,QAAQ,EAAE,gBAAQ,CAAC,IAAI;oBACvB,KAAK,EAAE,sBAAsB;oBAC7B,WAAW,EAAE,+BAA+B,QAAQ,IAAI;oBACxD,WAAW,EAAE,wEAAwE;iBACtF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,IAAI,CAAC,IAAI;gBACjB,QAAQ,EAAE,gBAAQ,CAAC,GAAG;gBACtB,KAAK,EAAE,gCAAgC;gBACvC,WAAW,EAAE,mEAAmE;gBAChF,WAAW,EAAE,0EAA0E;aACxF,CAAC,CAAC;QACL,CAAC;QAED,mDAAmD;QACnD,YAAY,EAAE,CAAC;QACf,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;QAC5D,IAAI,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YACjC,IAAI,gBAAwB,CAAC;YAC7B,IAAI,CAAC;gBACH,gBAAgB,GAAG,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;YAC7D,CAAC;YAAC,MAAM,CAAC;gBACP,gBAAgB,GAAG,EAAE,CAAC;YACxB,CAAC;YAED,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC;gBACjC,cAAc,CAAC,IAAI,CAAC,gBAAgB,CAAC;gBACrC,iBAAiB,CAAC,IAAI,CAAC,gBAAgB,CAAC;gBACxC,YAAY,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAExD,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,IAAI,CAAC,IAAI;oBACjB,QAAQ,EAAE,gBAAQ,CAAC,IAAI;oBACvB,KAAK,EAAE,+BAA+B;oBACtC,WAAW,EAAE,8HAA8H;oBAC3I,QAAQ,EAAE,aAAa;oBACvB,WAAW,EAAE,iDAAiD;iBAC/D,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,IAAI,CAAC,IAAI;oBACjB,QAAQ,EAAE,gBAAQ,CAAC,IAAI;oBACvB,KAAK,EAAE,8BAA8B;oBACrC,WAAW,EAAE,sDAAsD;oBACnE,QAAQ,EAAE,aAAa;oBACvB,WAAW,EAAE,kBAAkB;iBAChC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,IAAI,CAAC,IAAI;gBACjB,QAAQ,EAAE,gBAAQ,CAAC,IAAI;gBACvB,KAAK,EAAE,0BAA0B;gBACjC,WAAW,EAAE,+FAA+F;gBAC5G,WAAW,EAAE,yFAAyF;aACvG,CAAC,CAAC;QACL,CAAC;QAED,wCAAwC;QACxC,YAAY,EAAE,CAAC;QACf,MAAM,UAAU,GAAG;YACjB,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC;SAC7B,CAAC;QAEF,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;gBAAE,SAAS;YAExC,IAAI,YAAoB,CAAC;YACzB,IAAI,CAAC;gBACH,YAAY,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YACrD,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YAED,uBAAuB;YACvB,MAAM,cAAc,GAAG,wBAAwB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACnE,IAAI,cAAc,EAAE,CAAC;gBACnB,MAAM,KAAK,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACvC,MAAM,QAAQ,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;gBAE/D,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACd,MAAM,SAAS,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC,EAAE,cAAc,CAAC,KAAK,CAAC,CAAC;oBAClE,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;oBAEhD,QAAQ,CAAC,IAAI,CAAC;wBACZ,MAAM,EAAE,IAAI,CAAC,IAAI;wBACjB,QAAQ,EAAE,gBAAQ,CAAC,IAAI;wBACvB,KAAK,EAAE,0BAA0B;wBACjC,WAAW,EAAE,kGAAkG;wBAC/G,QAAQ,EAAE,SAAS;wBACnB,IAAI,EAAE,UAAU;wBAChB,QAAQ,EAAE,iBAAiB;wBAC3B,WAAW,EAAE,sEAAsE;qBACpF,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,QAAQ,CAAC,IAAI,CAAC;wBACZ,MAAM,EAAE,IAAI,CAAC,IAAI;wBACjB,QAAQ,EAAE,gBAAQ,CAAC,IAAI;wBACvB,KAAK,EAAE,0CAA0C;wBACjD,WAAW,EAAE,+DAA+D;wBAC5E,QAAQ,EAAE,SAAS;wBACnB,WAAW,EAAE,kBAAkB;qBAChC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,wCAAwC;QACxC,YAAY,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1C,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1B,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;gBACpC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBAC3C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC;oBAAE,SAAS;gBAEtC,mDAAmD;gBACnD,oDAAoD;gBACpD,MAAM,SAAS,GAAG,EAAE,CAAC,QAAQ,EAAE,KAAK,OAAO,CAAC;gBAE5C,IAAI,SAAS,EAAE,CAAC;oBACd,QAAQ,CAAC,IAAI,CAAC;wBACZ,MAAM,EAAE,IAAI,CAAC,IAAI;wBACjB,QAAQ,EAAE,gBAAQ,CAAC,IAAI;wBACvB,KAAK,EAAE,2BAA2B,OAAO,EAAE;wBAC3C,WAAW,EAAE,oCAAoC,OAAO,kDAAkD;wBAC1G,QAAQ,EAAE,OAAO;wBACjB,WAAW,EAAE,+FAA+F;qBAC7G,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,yBAAyB;oBACzB,IAAI,CAAC;wBACH,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;wBAClC,MAAM,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;wBAC7C,MAAM,YAAY,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,8BAA8B;wBAE9E,IAAI,YAAY,EAAE,CAAC;4BACjB,QAAQ,CAAC,IAAI,CAAC;gCACZ,MAAM,EAAE,IAAI,CAAC,IAAI;gCACjB,QAAQ,EAAE,gBAAQ,CAAC,IAAI;gCACvB,KAAK,EAAE,+BAA+B,OAAO,EAAE;gCAC/C,WAAW,EAAE,mCAAmC,IAAI,mCAAmC;gCACvF,QAAQ,EAAE,OAAO;gCACjB,QAAQ,EAAE,SAAS,IAAI,EAAE;gCACzB,WAAW,EAAE,8BAA8B,OAAO,EAAE;6BACrD,CAAC,CAAC;wBACL,CAAC;6BAAM,CAAC;4BACN,QAAQ,CAAC,IAAI,CAAC;gCACZ,MAAM,EAAE,IAAI,CAAC,IAAI;gCACjB,QAAQ,EAAE,gBAAQ,CAAC,IAAI;gCACvB,KAAK,EAAE,4BAA4B,OAAO,EAAE;gCAC5C,WAAW,EAAE,2CAA2C,IAAI,IAAI;gCAChE,QAAQ,EAAE,OAAO;gCACjB,WAAW,EAAE,kBAAkB;6BAChC,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;oBAAC,MAAM,CAAC;wBACP,8BAA8B;oBAChC,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,YAAY,EAAE,CAAC;QACf,KAAK,MAAM,IAAI,IAAI,sBAAsB,EAAE,CAAC;YAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAEvC,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,IAAI,CAAC,IAAI;gBACjB,QAAQ,EAAE,gBAAQ,CAAC,MAAM;gBACzB,KAAK,EAAE,iCAAiC,IAAI,CAAC,IAAI,EAAE;gBACnD,WAAW,EAAE,qCAAqC,QAAQ,+DAA+D;gBACzH,QAAQ,EAAE,QAAQ;gBAClB,WAAW,EAAE,uGAAuG;aACrH,CAAC,CAAC;YAEH,wDAAwD;YACxD,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;gBACpE,IAAI,OAAe,CAAC;gBACpB,IAAI,CAAC;oBACH,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;gBAC/C,CAAC;gBAAC,MAAM,CAAC;oBACP,SAAS;gBACX,CAAC;gBAED,IAAI,2CAA2C,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC9D,QAAQ,CAAC,IAAI,CAAC;wBACZ,MAAM,EAAE,IAAI,CAAC,IAAI;wBACjB,QAAQ,EAAE,gBAAQ,CAAC,IAAI;wBACvB,KAAK,EAAE,oCAAoC;wBAC3C,WAAW,EAAE,0GAA0G;wBACvH,QAAQ,EAAE,QAAQ;wBAClB,WAAW,EAAE,oEAAoE;qBAClF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,IAAI,CAAC,IAAI;YACjB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,OAAO,EAAE,IAAI;YACb,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAClC,YAAY,EAAE,YAAY;YAC1B,QAAQ;SACT,CAAC;IACJ,CAAC;CACF;AA9OD,wCA8OC"}