dns-security-mcp 0.1.0
- package/LICENSE +21 -0
- package/README.md +723 -0
- package/dist/blocklist/index.d.ts +3 -0
- package/dist/blocklist/index.d.ts.map +1 -0
- package/dist/blocklist/index.js +596 -0
- package/dist/blocklist/index.js.map +1 -0
- package/dist/ct/index.d.ts +3 -0
- package/dist/ct/index.d.ts.map +1 -0
- package/dist/ct/index.js +534 -0
- package/dist/ct/index.js.map +1 -0
- package/dist/data/dkim-selectors.d.ts +2 -0
- package/dist/data/dkim-selectors.d.ts.map +1 -0
- package/dist/data/dkim-selectors.js +60 -0
- package/dist/data/dkim-selectors.js.map +1 -0
- package/dist/data/dnsbl-lists.d.ts +8 -0
- package/dist/data/dnsbl-lists.d.ts.map +1 -0
- package/dist/data/dnsbl-lists.js +54 -0
- package/dist/data/dnsbl-lists.js.map +1 -0
- package/dist/data/takeover-fingerprints.d.ts +8 -0
- package/dist/data/takeover-fingerprints.d.ts.map +1 -0
- package/dist/data/takeover-fingerprints.js +84 -0
- package/dist/data/takeover-fingerprints.js.map +1 -0
- package/dist/data/tunneling-signatures.d.ts +17 -0
- package/dist/data/tunneling-signatures.d.ts.map +1 -0
- package/dist/data/tunneling-signatures.js +85 -0
- package/dist/data/tunneling-signatures.js.map +1 -0
- package/dist/dns/index.d.ts +3 -0
- package/dist/dns/index.d.ts.map +1 -0
- package/dist/dns/index.js +1211 -0
- package/dist/dns/index.js.map +1 -0
- package/dist/dnssec/index.d.ts +3 -0
- package/dist/dnssec/index.d.ts.map +1 -0
- package/dist/dnssec/index.js +1377 -0
- package/dist/dnssec/index.js.map +1 -0
- package/dist/domain/index.d.ts +3 -0
- package/dist/domain/index.d.ts.map +1 -0
- package/dist/domain/index.js +938 -0
- package/dist/domain/index.js.map +1 -0
- package/dist/email/index.d.ts +3 -0
- package/dist/email/index.d.ts.map +1 -0
- package/dist/email/index.js +1188 -0
- package/dist/email/index.js.map +1 -0
- package/dist/hijack/index.d.ts +3 -0
- package/dist/hijack/index.d.ts.map +1 -0
- package/dist/hijack/index.js +1117 -0
- package/dist/hijack/index.js.map +1 -0
- package/dist/index.d.ts +3 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +151 -0
- package/dist/index.js.map +1 -0
- package/dist/infra/index.d.ts +3 -0
- package/dist/infra/index.d.ts.map +1 -0
- package/dist/infra/index.js +797 -0
- package/dist/infra/index.js.map +1 -0
- package/dist/privacy/index.d.ts +3 -0
- package/dist/privacy/index.d.ts.map +1 -0
- package/dist/privacy/index.js +772 -0
- package/dist/privacy/index.js.map +1 -0
- package/dist/protocol/mcp-server.d.ts +4 -0
- package/dist/protocol/mcp-server.d.ts.map +1 -0
- package/dist/protocol/mcp-server.js +32 -0
- package/dist/protocol/mcp-server.js.map +1 -0
- package/dist/protocol/tools.d.ts +3 -0
- package/dist/protocol/tools.d.ts.map +1 -0
- package/dist/protocol/tools.js +29 -0
- package/dist/protocol/tools.js.map +1 -0
- package/dist/report/index.d.ts +3 -0
- package/dist/report/index.d.ts.map +1 -0
- package/dist/report/index.js +1167 -0
- package/dist/report/index.js.map +1 -0
- package/dist/threat/index.d.ts +3 -0
- package/dist/threat/index.d.ts.map +1 -0
- package/dist/threat/index.js +999 -0
- package/dist/threat/index.js.map +1 -0
- package/dist/tunnel/index.d.ts +3 -0
- package/dist/tunnel/index.d.ts.map +1 -0
- package/dist/tunnel/index.js +688 -0
- package/dist/tunnel/index.js.map +1 -0
- package/dist/types/index.d.ts +52 -0
- package/dist/types/index.d.ts.map +1 -0
- package/dist/types/index.js +8 -0
- package/dist/types/index.js.map +1 -0
- package/dist/typo/index.d.ts +3 -0
- package/dist/typo/index.d.ts.map +1 -0
- package/dist/typo/index.js +625 -0
- package/dist/typo/index.js.map +1 -0
- package/dist/utils/cache.d.ts +11 -0
- package/dist/utils/cache.d.ts.map +1 -0
- package/dist/utils/cache.js +35 -0
- package/dist/utils/cache.js.map +1 -0
- package/dist/utils/dns-client.d.ts +37 -0
- package/dist/utils/dns-client.d.ts.map +1 -0
- package/dist/utils/dns-client.js +359 -0
- package/dist/utils/dns-client.js.map +1 -0
- package/dist/utils/rate-limiter.d.ts +10 -0
- package/dist/utils/rate-limiter.d.ts.map +1 -0
- package/dist/utils/rate-limiter.js +35 -0
- package/dist/utils/rate-limiter.js.map +1 -0
- package/package.json +63 -0
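--- a/package/dist/ct/index.js
+++ b/package/dist/ct/index.js
@@ -0,0 +1,534 @@
+import { z } from "zod";
+import { text, json } from "../types/index.js";
+import { resolveAll } from "../utils/dns-client.js";
+import { TTLCache } from "../utils/cache.js";
+import { RateLimiter } from "../utils/rate-limiter.js";
+// ─── Constants ───
+const CRT_SH_BASE = "https://crt.sh";
+const FETCH_TIMEOUT = 10_000;
+// ─── Rate Limiter & Cache ───
+const crtshLimiter = new RateLimiter(1000);
+const ctCache = new TTLCache(5 * 60 * 1000); // 5 min
+async function queryCrtSh(query) {
+await crtshLimiter.acquire();
+const url = `${CRT_SH_BASE}/?q=${encodeURIComponent(query)}&output=json`;
+const res = await fetch(url, {
+signal: AbortSignal.timeout(FETCH_TIMEOUT),
+headers: { Accept: "application/json" },
+});
+if (!res.ok)
+throw new Error(`crt.sh error: ${res.status} ${res.statusText}`);
+const data = await res.json();
+return data ?? [];
+}
+function parseCaName(issuerName) {
+const match = issuerName.match(/O=([^,]+)/);
+return match ? match[1].trim() : issuerName;
+}
+function daysBetween(a, b) {
+return Math.floor((b.getTime() - a.getTime()) / (1000 * 60 * 60 * 24));
+}
+// ─── Tool 1: ct_search ───
+const ctSearch = {
+name: "ct_search",
+description: "Search Certificate Transparency logs via crt.sh for certificates issued for a domain. " +
+"Returns issuer, validity dates, serial number, and common name.",
+schema: {
+domain: z.string().describe("The domain to search certificates for (e.g. 'example.com')"),
+include_subdomains: z
+.boolean()
+.optional()
+.describe("Include subdomain certificates by prepending wildcard to query. Default false."),
+limit: z
+.number()
+.optional()
+.describe("Maximum number of certificate entries to return. Default 100."),
+},
+async execute(args) {
+const domain = args.domain;
+const includeSubdomains = args.include_subdomains ?? false;
+const limit = args.limit ?? 100;
+const query = includeSubdomains ? `%.${domain}` : domain;
+const cacheKey = `ct_search:${query}:${limit}`;
+const cached = ctCache.get(cacheKey);
+if (cached)
+return json(cached);
+try {
+const entries = await queryCrtSh(query);
+const results = entries.slice(0, limit).map((e) => ({
+common_name: e.common_name,
+issuer: parseCaName(e.issuer_name),
+not_before: e.not_before,
+not_after: e.not_after,
+serial: e.serial_number,
+name_value: e.name_value,
+}));
+const result = {
+domain,
+include_subdomains: includeSubdomains,
+total_found: entries.length,
+returned: results.length,
+certificates: results,
+};
+ctCache.set(cacheKey, result);
+return json(result);
+}
+catch (err) {
+return text(`Error searching CT logs for ${domain}: ${err.message}`);
+}
+},
+};
+// ─── Tool 2: ct_wildcard_audit ───
+const ctWildcardAudit = {
+name: "ct_wildcard_audit",
+description: "Audit Certificate Transparency logs for wildcard certificates (*.domain). " +
+"Reports number of wildcards, issuing CAs, date ranges, and flags multiple wildcards from different CAs.",
+schema: {
+domain: z.string().describe("The domain to audit for wildcard certificates (e.g. 'example.com')"),
+},
+async execute(args) {
+const domain = args.domain;
+const cacheKey = `ct_wildcard_audit:${domain}`;
+const cached = ctCache.get(cacheKey);
+if (cached)
+return json(cached);
+try {
+const entries = await queryCrtSh(`*.${domain}`);
+const wildcards = entries.filter((e) => e.common_name.startsWith("*.") || e.name_value.includes("*."));
+const issuers = new Map();
+let earliestDate = null;
+let latestDate = null;
+for (const w of wildcards) {
+const ca = parseCaName(w.issuer_name);
+issuers.set(ca, (issuers.get(ca) ?? 0) + 1);
+if (!earliestDate || w.not_before < earliestDate)
+earliestDate = w.not_before;
+if (!latestDate || w.not_after > latestDate)
+latestDate = w.not_after;
+}
+const issuerDistribution = Array.from(issuers.entries())
+.map(([ca, count]) => ({ ca, count }))
+.sort((a, b) => b.count - a.count);
+const flags = [];
+if (issuers.size > 1) {
+flags.push(`Multiple CAs (${issuers.size}) have issued wildcard certificates — potential security concern`);
+}
+if (wildcards.length > 10) {
+flags.push(`High number of wildcard certificates (${wildcards.length}) — review if all are necessary`);
+}
+if (wildcards.length === 0) {
+flags.push("No wildcard certificates found — good practice for security");
+}
+const result = {
+domain,
+wildcard_count: wildcards.length,
+unique_issuers: issuers.size,
+date_range: {
+earliest: earliestDate,
+latest: latestDate,
+},
+issuer_distribution: issuerDistribution,
+flags,
+};
+ctCache.set(cacheKey, result);
+return json(result);
+}
+catch (err) {
+return text(`Error auditing wildcards for ${domain}: ${err.message}`);
+}
+},
+};
+// ─── Tool 3: ct_unauthorized_detect ───
+const ctUnauthorizedDetect = {
+name: "ct_unauthorized_detect",
+description: "Detect potentially unauthorized certificates by cross-referencing CT logs with CAA DNS records. " +
+"Flags certificates issued by CAs not authorized in the domain's CAA record.",
+schema: {
+domain: z.string().describe("The domain to check for unauthorized certificates (e.g. 'example.com')"),
+allowed_cas: z
+.array(z.string())
+.optional()
+.describe("Optional explicit list of allowed CA names to override CAA-based detection"),
+},
+async execute(args) {
+const domain = args.domain;
+const allowedCasArg = args.allowed_cas ?? [];
+try {
+// Fetch CAA records
+const caaRecords = await resolveAll(domain, ["CAA"]);
+const caaIssuers = [];
+for (const r of caaRecords) {
+// CAA data format: "0 issue letsencrypt.org" or similar
+const parts = r.data.split(/\s+/);
+if (parts.length >= 3 && (parts[1] === "issue" || parts[1] === "issuewild")) {
+caaIssuers.push(parts.slice(2).join(" ").replace(/"/g, "").toLowerCase());
+}
+}
+const allowedCas = allowedCasArg.length > 0
+? allowedCasArg.map((ca) => ca.toLowerCase())
+: caaIssuers;
+// Fetch CT log entries
+const entries = await queryCrtSh(`%.${domain}`);
+// Group by CA
+const caGroups = new Map();
+for (const e of entries) {
+const ca = parseCaName(e.issuer_name);
+const group = caGroups.get(ca) ?? [];
+group.push(e);
+caGroups.set(ca, group);
+}
+// Detect unauthorized
+const unauthorized = [];
+const authorized = [];
+for (const [ca, certs] of caGroups) {
+const caLower = ca.toLowerCase();
+const isAllowed = allowedCas.length === 0 ||
+allowedCas.some((allowed) => caLower.includes(allowed) || allowed.includes(caLower));
+if (isAllowed) {
+authorized.push({ ca, cert_count: certs.length });
+}
+else {
+const commonNames = [...new Set(certs.map((c) => c.common_name))].slice(0, 10);
+unauthorized.push({
+ca,
+cert_count: certs.length,
+common_names: commonNames,
+reason: allowedCasArg.length > 0
+? "Not in provided allowed CA list"
+: caaIssuers.length > 0
+? "Not authorized by CAA record"
+: "No CAA record exists — any CA could issue",
+});
+}
+}
+const result = {
+domain,
+caa_records: caaRecords.map((r) => r.data),
+caa_authorized_issuers: caaIssuers,
+has_caa: caaIssuers.length > 0,
+total_cas_found: caGroups.size,
+authorized_cas: authorized,
+unauthorized_cas: unauthorized,
+risk_level: unauthorized.length === 0
+? "low"
+: caaIssuers.length === 0
+? "medium"
+: "high",
+};
+return json(result);
+}
+catch (err) {
+return text(`Error detecting unauthorized certs for ${domain}: ${err.message}`);
+}
+},
+};
+// ─── Tool 4: ct_monitor ───
+const ctMonitor = {
+name: "ct_monitor",
+description: "Monitor Certificate Transparency logs for recently issued certificates. " +
+"Returns certificates issued within the last N days for a given domain.",
+schema: {
+domain: z.string().describe("The domain to monitor for new certificates (e.g. 'example.com')"),
+days: z
+.number()
+.optional()
+.describe("Number of days to look back for new certificates. Default 7."),
+},
+async execute(args) {
+const domain = args.domain;
+const days = args.days ?? 7;
+try {
+const entries = await queryCrtSh(`%.${domain}`);
+const cutoff = new Date();
+cutoff.setDate(cutoff.getDate() - days);
+const recentCerts = entries.filter((e) => {
+const notBefore = new Date(e.not_before);
+return notBefore >= cutoff;
+});
+// Deduplicate by serial
+const seen = new Set();
+const uniqueCerts = recentCerts.filter((e) => {
+if (seen.has(e.serial_number))
+return false;
+seen.add(e.serial_number);
+return true;
+});
+// Extract unique subdomains
+const subdomains = new Set();
+for (const c of uniqueCerts) {
+const names = c.name_value.split("\n");
+for (const n of names) {
+const trimmed = n.trim();
+if (trimmed)
+subdomains.add(trimmed);
+}
+}
+const certificates = uniqueCerts.map((c) => ({
+common_name: c.common_name,
+issuer: parseCaName(c.issuer_name),
+not_before: c.not_before,
+not_after: c.not_after,
+serial: c.serial_number,
+type: c.common_name.startsWith("*.") ? "wildcard" : "specific",
+names: c.name_value.split("\n").map((n) => n.trim()).filter(Boolean),
+}));
+return json({
+domain,
+monitoring_period_days: days,
+cutoff_date: cutoff.toISOString(),
+new_certificates_count: certificates.length,
+unique_subdomains: [...subdomains].sort(),
+certificates,
+});
+}
+catch (err) {
+return text(`Error monitoring CT logs for ${domain}: ${err.message}`);
+}
+},
+};
+// ─── Tool 5: ct_check_caa ───
+const ctCheckCaa = {
+name: "ct_check_caa",
+description: "Check CAA (Certification Authority Authorization) DNS records for a domain and its parents. " +
+"Analyzes issue, issuewild, and iodef tags. Flags missing CAA, unrestricted wildcards, and missing iodef.",
+schema: {
+domain: z.string().describe("The domain to check CAA records for (e.g. 'sub.example.com')"),
+},
+async execute(args) {
+const domain = args.domain;
+try {
+// Check CAA at domain level and parent levels
+const parts = domain.split(".");
+const levels = [];
+for (let i = 0; i < parts.length - 1; i++) {
+levels.push(parts.slice(i).join("."));
+}
+const caaResults = [];
+for (const level of levels) {
+try {
+const records = await resolveAll(level, ["CAA"]);
+if (records.length > 0) {
+const parsed = records.map((r) => {
+const parts = r.data.split(/\s+/);
+const critical = parts[0] === "128";
+const tag = parts[1] ?? "unknown";
+const value = parts.slice(2).join(" ").replace(/"/g, "");
+return { tag, value, critical };
+});
+caaResults.push({ domain: level, records: parsed });
+}
+}
+catch {
+// Skip resolution errors at parent levels
+}
+}
+// Analyze findings
+const flags = [];
+const allRecords = caaResults.flatMap((r) => r.records);
+const issueRecords = allRecords.filter((r) => r.tag === "issue");
+const issuewildRecords = allRecords.filter((r) => r.tag === "issuewild");
+const iodefRecords = allRecords.filter((r) => r.tag === "iodef");
+if (caaResults.length === 0) {
+flags.push("CRITICAL: No CAA records found at any level — any CA can issue certificates for this domain");
+}
+if (issueRecords.length === 0 && caaResults.length > 0) {
+flags.push("WARNING: No 'issue' tag found — certificate issuance policy is not explicitly defined");
+}
+if (issuewildRecords.length === 0 && caaResults.length > 0) {
+flags.push("WARNING: No 'issuewild' tag — wildcard certificate issuance is not restricted separately");
+}
+if (iodefRecords.length === 0 && caaResults.length > 0) {
+flags.push("INFO: No 'iodef' tag — CA violation reports will not be sent to domain owner");
+}
+if (issueRecords.some((r) => r.value === ";")) {
+flags.push("INFO: 'issue ;' found — explicitly prohibiting certificate issuance");
+}
+const allowedCas = issueRecords
+.filter((r) => r.value !== ";")
+.map((r) => r.value);
+const allowedWildcardCas = issuewildRecords
+.filter((r) => r.value !== ";")
+.map((r) => r.value);
+const reportingUrls = iodefRecords.map((r) => r.value);
+return json({
+domain,
+levels_checked: levels,
+caa_found: caaResults.length > 0,
+caa_records: caaResults,
+analysis: {
+allowed_cas: allowedCas,
+allowed_wildcard_cas: allowedWildcardCas.length > 0 ? allowedWildcardCas : allowedCas,
+reporting_urls: reportingUrls,
+wildcard_restricted: issuewildRecords.length > 0,
+has_reporting: iodefRecords.length > 0,
+},
+flags,
+});
+}
+catch (err) {
+return text(`Error checking CAA for ${domain}: ${err.message}`);
+}
+},
+};
+// ─── Tool 6: ct_cert_inventory ───
+const ctCertInventory = {
+name: "ct_cert_inventory",
+description: "Build a full certificate inventory from CT logs for a domain. Groups by active/expired, " +
+"wildcard/specific, and CA. Returns total count, active count, unique subdomains, and CA distribution.",
+schema: {
+domain: z.string().describe("The domain to inventory certificates for (e.g. 'example.com')"),
+},
+async execute(args) {
+const domain = args.domain;
+const cacheKey = `ct_cert_inventory:${domain}`;
+const cached = ctCache.get(cacheKey);
+if (cached)
+return json(cached);
+try {
+const entries = await queryCrtSh(`%.${domain}`);
+// Deduplicate by serial
+const seen = new Set();
+const unique = entries.filter((e) => {
+if (seen.has(e.serial_number))
+return false;
+seen.add(e.serial_number);
+return true;
+});
+const now = new Date();
+let activeCount = 0;
+let expiredCount = 0;
+let wildcardCount = 0;
+let specificCount = 0;
+const caDistribution = new Map();
+const subdomains = new Set();
+for (const cert of unique) {
+const notAfter = new Date(cert.not_after);
+const notBefore = new Date(cert.not_before);
+const isActive = notAfter >= now && notBefore <= now;
+if (isActive)
+activeCount++;
+else
+expiredCount++;
+if (cert.common_name.startsWith("*."))
+wildcardCount++;
+else
+specificCount++;
+const ca = parseCaName(cert.issuer_name);
+caDistribution.set(ca, (caDistribution.get(ca) ?? 0) + 1);
+const names = cert.name_value.split("\n");
+for (const n of names) {
+const trimmed = n.trim();
+if (trimmed && !trimmed.startsWith("*."))
+subdomains.add(trimmed);
+}
+}
+const sortedCaDistribution = Array.from(caDistribution.entries())
+.map(([ca, count]) => ({ ca, count }))
+.sort((a, b) => b.count - a.count);
+const result = {
+domain,
+total_certificates: unique.length,
+active: activeCount,
+expired: expiredCount,
+wildcard: wildcardCount,
+specific: specificCount,
+unique_subdomains_count: subdomains.size,
+unique_subdomains: [...subdomains].sort().slice(0, 200),
+ca_distribution: sortedCaDistribution,
+summary: {
+wildcard_ratio: unique.length > 0 ? (wildcardCount / unique.length * 100).toFixed(1) + "%" : "0%",
+active_ratio: unique.length > 0 ? (activeCount / unique.length * 100).toFixed(1) + "%" : "0%",
+top_ca: sortedCaDistribution[0]?.ca ?? "N/A",
+},
+};
+ctCache.set(cacheKey, result);
+return json(result);
+}
+catch (err) {
+return text(`Error building cert inventory for ${domain}: ${err.message}`);
+}
+},
+};
+// ─── Tool 7: ct_expiry_monitor ───
+const ctExpiryMonitor = {
+name: "ct_expiry_monitor",
+description: "Find certificates expiring within N days for a domain. Returns expiring certificates with subject, " +
+"issuer, expiry date, and days remaining.",
+schema: {
+domain: z.string().describe("The domain to check for expiring certificates (e.g. 'example.com')"),
+days_threshold: z
+.number()
+.optional()
+.describe("Number of days threshold for expiry warning. Default 30."),
+},
+async execute(args) {
+const domain = args.domain;
+const daysThreshold = args.days_threshold ?? 30;
+try {
+const entries = await queryCrtSh(`%.${domain}`);
+const now = new Date();
+const threshold = new Date();
+threshold.setDate(threshold.getDate() + daysThreshold);
+// Deduplicate by serial
+const seen = new Set();
+const unique = entries.filter((e) => {
+if (seen.has(e.serial_number))
+return false;
+seen.add(e.serial_number);
+return true;
+});
+// Filter active certs expiring within threshold
+const expiring = unique
+.filter((e) => {
+const notAfter = new Date(e.not_after);
+const notBefore = new Date(e.not_before);
+return notBefore <= now && notAfter >= now && notAfter <= threshold;
+})
+.map((e) => {
+const notAfter = new Date(e.not_after);
+const daysRemaining = daysBetween(now, notAfter);
+return {
+common_name: e.common_name,
+issuer: parseCaName(e.issuer_name),
+not_before: e.not_before,
+not_after: e.not_after,
+serial: e.serial_number,
+days_remaining: daysRemaining,
+urgency: daysRemaining <= 7
+? "critical"
+: daysRemaining <= 14
+? "high"
+: daysRemaining <= 21
+? "medium"
+: "low",
+names: e.name_value.split("\n").map((n) => n.trim()).filter(Boolean),
+};
+})
+.sort((a, b) => a.days_remaining - b.days_remaining);
+return json({
+domain,
+days_threshold: daysThreshold,
+check_date: now.toISOString(),
+threshold_date: threshold.toISOString(),
+expiring_count: expiring.length,
+critical_count: expiring.filter((e) => e.urgency === "critical").length,
+high_count: expiring.filter((e) => e.urgency === "high").length,
+certificates: expiring,
+});
+}
+catch (err) {
+return text(`Error checking cert expiry for ${domain}: ${err.message}`);
+}
+},
+};
+// ─── Export All CT Tools ───
+export const ctTools = [
+ctSearch,
+ctWildcardAudit,
+ctUnauthorizedDetect,
+ctMonitor,
+ctCheckCaa,
+ctCertInventory,
+ctExpiryMonitor,
+];
+//# sourceMappingURL=index.js.map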
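Review bot: In `ctUnauthorizedDetect.execute`, `isAllowed` is true for every CA whenever `allowedCas` is empty, so a domain with no CAA record and no `allowed_cas` argument always reports `unauthorized_cas: []` and `risk_level: "low"`, and the `"No CAA record exists — any CA could issue"` reason can never be emitted. Dropping the short-circuit, `const isAllowed = allowedCas.some((allowed) => caLower.includes(allowed) || allowed.includes(caLower));`, makes that reason and the `"medium"` level reachable for the no-policy case; if listing every CA is too noisy, return a distinct level there instead of `"low"`. The match itself compares the issuer's `O=` organization text with CAA issuer domain names by two-way substring, so an organization name that does not literally contain the CAA domain (for example `Let's Encrypt` against `letsencrypt.org`) is reported as unauthorized, while a very short organization string matches any allowed value that contains it; an explicit table from CAA issuer domain to expected organization names, compared exactly, would be more reliable. CAA is also resolved only at `domain` itself here, whereas `ctCheckCaa` walks the parent labels, and `issue` and `issuewild` values (including `;` and any parameters) are merged into one list, so the verdict can disagree with the policy a CA would actually have applied.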
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/ct/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAkB,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpE,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAEvD,oBAAoB;AAEpB,MAAM,WAAW,GAAG,gBAAgB,CAAC;AACrC,MAAM,aAAa,GAAG,MAAM,CAAC;AAE7B,+BAA+B;AAE/B,MAAM,YAAY,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC;AAC3C,MAAM,OAAO,GAAG,IAAI,QAAQ,CAAU,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,QAAQ;AAgB9D,KAAK,UAAU,UAAU,CAAC,KAAa;IACrC,MAAM,YAAY,CAAC,OAAO,EAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,GAAG,WAAW,OAAO,kBAAkB,CAAC,KAAK,CAAC,cAAc,CAAC;IACzE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC3B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,aAAa,CAAC;QAC1C,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;KACxC,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,iBAAiB,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;IAC9E,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC9B,OAAQ,IAAqB,IAAI,EAAE,CAAC;AACtC,CAAC;AAED,SAAS,WAAW,CAAC,UAAkB;IACrC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAC5C,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC;AAC9C,CAAC;AAED,SAAS,WAAW,CAAC,CAAO,EAAE,CAAO;IACnC,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;AACzE,CAAC;AAED,4BAA4B;AAE5B,MAAM,QAAQ,GAAY;IACxB,IAAI,EAAE,WAAW;IACjB,WAAW,EACT,wFAAwF;QACxF,iEAAiE;IACnE,MAAM,EAAE;QACN,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,4DAA4D,CAAC;QACzF,kBAAkB,EAAE,CAAC;aAClB,OAAO,EAAE;aACT,QAAQ,EAAE;aACV,QAAQ,CAAC,gFAAgF,CAAC;QAC7F,KAAK,EAAE,CAAC;aACL,MAAM,EAAE;aACR,QAAQ,EAAE;aACV,QAAQ,CAAC,+DAA+D,CAAC;KAC7E;IACD,KAAK,CAAC,OAAO,CAAC,IAAI;QAChB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAgB,CAAC;QACrC,MAAM,iBAAiB,GAAI,IAAI,CAAC,kBAA8B,IAAI,KAAK,CAAC;QACxE,MAAM,KAAK,GAAI,IAAI,CAAC,KAAgB,IAAI,GAAG,CAAC;QAE5C,MAAM,KAAK,GAAG,iBAAiB,CAAC,CAAC,CAAC,KAAK,MAAM,EAAE,CAAC,CAAC,
CAAC,MAAM,CAAC;QACzD,MAAM,QAAQ,GAAG,aAAa,KAAK,IAAI,KAAK,EAAE,CAAC;QAE/C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACrC,IAAI,MAAM;YAAE,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;QAEhC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;YAExC,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAClD,WAAW,EAAE,CAAC,CAAC,WAAW;gBAC1B,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC;gBAClC,UAAU,EAAE,CAAC,CAAC,UAAU;gBACxB,SAAS,EAAE,CAAC,CAAC,SAAS;gBACtB,MAAM,EAAE,CAAC,CAAC,aAAa;gBACvB,UAAU,EAAE,CAAC,CAAC,UAAU;aACzB,CAAC,CAAC,CAAC;YAEJ,MAAM,MAAM,GAAG;gBACb,MAAM;gBACN,kBAAkB,EAAE,iBAAiB;gBACrC,WAAW,EAAE,OAAO,CAAC,MAAM;gBAC3B,QAAQ,EAAE,OAAO,CAAC,MAAM;gBACxB,YAAY,EAAE,OAAO;aACtB,CAAC;YAEF,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC9B,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;QACtB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,+BAA+B,MAAM,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAClF,CAAC;IACH,CAAC;CACF,CAAC;AAEF,oCAAoC;AAEpC,MAAM,eAAe,GAAY;IAC/B,IAAI,EAAE,mBAAmB;IACzB,WAAW,EACT,4EAA4E;QAC5E,yGAAyG;IAC3G,MAAM,EAAE;QACN,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,oEAAoE,CAAC;KAClG;IACD,KAAK,CAAC,OAAO,CAAC,IAAI;QAChB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAgB,CAAC;QACrC,MAAM,QAAQ,GAAG,qBAAqB,MAAM,EAAE,CAAC;QAE/C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACrC,IAAI,MAAM;YAAE,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;QAEhC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,MAAM,EAAE,CAAC,CAAC;YAEhD,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAC9B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CACrE,CAAC;YAEF,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC;YAC1C,IAAI,YAAY,GAAkB,IAAI,CAAC;YACvC,IAAI,UAAU,GAAkB,IAAI,CAAC;YAErC,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;gBAC1B,MAAM,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;gBACtC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAE5C,IAAI,CAAC,YAAY,IAAI,CAAC,CAAC,UAAU,GAAG,YAAY;oBAAE,YAAY,GAAG,CAAC,CAAC,UAAU,CAAC;gBAC9E,IAAI,CAAC,UA
AU,IAAI,CAAC,CAAC,SAAS,GAAG,UAAU;oBAAE,UAAU,GAAG,CAAC,CAAC,SAAS,CAAC;YACxE,CAAC;YAED,MAAM,kBAAkB,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;iBACrD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;iBACrC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;YAErC,MAAM,KAAK,GAAa,EAAE,CAAC;YAC3B,IAAI,OAAO,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;gBACrB,KAAK,CAAC,IAAI,CACR,iBAAiB,OAAO,CAAC,IAAI,kEAAkE,CAChG,CAAC;YACJ,CAAC;YACD,IAAI,SAAS,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;gBAC1B,KAAK,CAAC,IAAI,CACR,yCAAyC,SAAS,CAAC,MAAM,iCAAiC,CAC3F,CAAC;YACJ,CAAC;YACD,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC3B,KAAK,CAAC,IAAI,CAAC,6DAA6D,CAAC,CAAC;YAC5E,CAAC;YAED,MAAM,MAAM,GAAG;gBACb,MAAM;gBACN,cAAc,EAAE,SAAS,CAAC,MAAM;gBAChC,cAAc,EAAE,OAAO,CAAC,IAAI;gBAC5B,UAAU,EAAE;oBACV,QAAQ,EAAE,YAAY;oBACtB,MAAM,EAAE,UAAU;iBACnB;gBACD,mBAAmB,EAAE,kBAAkB;gBACvC,KAAK;aACN,CAAC;YAEF,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC9B,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;QACtB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,gCAAgC,MAAM,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;CACF,CAAC;AAEF,yCAAyC;AAEzC,MAAM,oBAAoB,GAAY;IACpC,IAAI,EAAE,wBAAwB;IAC9B,WAAW,EACT,kGAAkG;QAClG,6EAA6E;IAC/E,MAAM,EAAE;QACN,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,wEAAwE,CAAC;QACrG,WAAW,EAAE,CAAC;aACX,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;aACjB,QAAQ,EAAE;aACV,QAAQ,CAAC,4EAA4E,CAAC;KAC1F;IACD,KAAK,CAAC,OAAO,CAAC,IAAI;QAChB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAgB,CAAC;QACrC,MAAM,aAAa,GAAI,IAAI,CAAC,WAAoC,IAAI,EAAE,CAAC;QAEvE,IAAI,CAAC;YACH,oBAAoB;YACpB,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;YACrD,MAAM,UAAU,GAAa,EAAE,CAAC;YAChC,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;gBAC3B,wDAAwD;gBACxD,MAAM,KAAK,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBAClC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,OAAO,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,WAAW,CAAC,EAAE,CAAC;oBAC5E,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAA
I,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;gBAC5E,CAAC;YACH,CAAC;YAED,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,GAAG,CAAC;gBACzC,CAAC,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC;gBAC7C,CAAC,CAAC,UAAU,CAAC;YAEf,uBAAuB;YACvB,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,MAAM,EAAE,CAAC,CAAC;YAEhD,cAAc;YACd,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAwB,CAAC;YACjD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;gBACxB,MAAM,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;gBACtC,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;gBACrC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBACd,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YAC1B,CAAC;YAED,sBAAsB;YACtB,MAAM,YAAY,GAKb,EAAE,CAAC;YAER,MAAM,UAAU,GAA8C,EAAE,CAAC;YAEjE,KAAK,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACnC,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;gBACjC,MAAM,SAAS,GACb,UAAU,CAAC,MAAM,KAAK,CAAC;oBACvB,UAAU,CAAC,IAAI,CACb,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CACpE,CAAC;gBAEJ,IAAI,SAAS,EAAE,CAAC;oBACd,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,UAAU,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;gBACpD,CAAC;qBAAM,CAAC;oBACN,MAAM,WAAW,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBAC/E,YAAY,CAAC,IAAI,CAAC;wBAChB,EAAE;wBACF,UAAU,EAAE,KAAK,CAAC,MAAM;wBACxB,YAAY,EAAE,WAAW;wBACzB,MAAM,EACJ,aAAa,CAAC,MAAM,GAAG,CAAC;4BACtB,CAAC,CAAC,iCAAiC;4BACnC,CAAC,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC;gCACrB,CAAC,CAAC,8BAA8B;gCAChC,CAAC,CAAC,2CAA2C;qBACpD,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,MAAM,MAAM,GAAG;gBACb,MAAM;gBACN,WAAW,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;gBAC1C,sBAAsB,EAAE,UAAU;gBAClC,OAAO,EAAE,UAAU,CAAC,MAAM,GAAG,CAAC;gBAC9B,eAAe,EAAE,QAAQ,CAAC,IAAI;gBAC9B,cAAc,EAAE,UAAU;gBAC1B,gBAAgB,EAAE,YAAY;gBAC9B,UAAU,EACR,YAAY,CAAC,MAAM,KAAK,CAAC;oBACvB,CAAC,CAAC,KAAK;oBACP,CAAC,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC;wBACvB,CAAC,CAAC,QAAQ;wBACV,CAAC,CAAC,MAAM;aACf,CAAC;
YAEF,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;QACtB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,0CAA0C,MAAM,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC7F,CAAC;IACH,CAAC;CACF,CAAC;AAEF,6BAA6B;AAE7B,MAAM,SAAS,GAAY;IACzB,IAAI,EAAE,YAAY;IAClB,WAAW,EACT,0EAA0E;QAC1E,wEAAwE;IAC1E,MAAM,EAAE;QACN,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,iEAAiE,CAAC;QAC9F,IAAI,EAAE,CAAC;aACJ,MAAM,EAAE;aACR,QAAQ,EAAE;aACV,QAAQ,CAAC,8DAA8D,CAAC;KAC5E;IACD,KAAK,CAAC,OAAO,CAAC,IAAI;QAChB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAgB,CAAC;QACrC,MAAM,IAAI,GAAI,IAAI,CAAC,IAAe,IAAI,CAAC,CAAC;QAExC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,MAAM,EAAE,CAAC,CAAC;YAChD,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YAC1B,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;YAExC,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;gBACvC,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;gBACzC,OAAO,SAAS,IAAI,MAAM,CAAC;YAC7B,CAAC,CAAC,CAAC;YAEH,wBAAwB;YACxB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;YAC/B,MAAM,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;gBAC3C,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,aAAa,CAAC;oBAAE,OAAO,KAAK,CAAC;gBAC5C,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;gBAC1B,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,CAAC;YAEH,4BAA4B;YAC5B,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;YACrC,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;gBAC5B,MAAM,KAAK,GAAG,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBACvC,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;oBACtB,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;oBACzB,IAAI,OAAO;wBAAE,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBACvC,CAAC;YACH,CAAC;YAED,MAAM,YAAY,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC3C,WAAW,EAAE,CAAC,CAAC,WAAW;gBAC1B,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC;gBAClC,UAAU,EAAE,CAAC,CAAC,UAAU;gBACxB,SAAS,EAAE,CAAC,CAAC,SAAS;gBACtB,MAAM,EAAE,CAAC,CAAC,aAAa;gBACvB,IAAI,EAAE,CAAC,CAAC,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU;gBAC9D,KAAK,EAAE,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CA
AC;aACrE,CAAC,CAAC,CAAC;YAEJ,OAAO,IAAI,CAAC;gBACV,MAAM;gBACN,sBAAsB,EAAE,IAAI;gBAC5B,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE;gBACjC,sBAAsB,EAAE,YAAY,CAAC,MAAM;gBAC3C,iBAAiB,EAAE,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,EAAE;gBACzC,YAAY;aACb,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,gCAAgC,MAAM,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;CACF,CAAC;AAEF,+BAA+B;AAE/B,MAAM,UAAU,GAAY;IAC1B,IAAI,EAAE,cAAc;IACpB,WAAW,EACT,8FAA8F;QAC9F,0GAA0G;IAC5G,MAAM,EAAE;QACN,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,8DAA8D,CAAC;KAC5F;IACD,KAAK,CAAC,OAAO,CAAC,IAAI;QAChB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAgB,CAAC;QAErC,IAAI,CAAC;YACH,8CAA8C;YAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAChC,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC1C,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;YACxC,CAAC;YAED,MAAM,UAAU,GAGX,EAAE,CAAC;YAER,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;oBACjD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBACvB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;4BAC/B,MAAM,KAAK,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;4BAClC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC;4BACpC,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC;4BAClC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;4BACzD,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;wBAClC,CAAC,CAAC,CAAC;wBACH,UAAU,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;oBACtD,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,0CAA0C;gBAC5C,CAAC;YACH,CAAC;YAED,mBAAmB;YACnB,MAAM,KAAK,GAAa,EAAE,CAAC;YAC3B,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;YAExD,MAAM,YAAY,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,OAAO,CAAC,CAAC;YACjE,MAAM,gBAAgB,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,
CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,WAAW,CAAC,CAAC;YACzE,MAAM,YAAY,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,OAAO,CAAC,CAAC;YAEjE,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC5B,KAAK,CAAC,IAAI,CAAC,6FAA6F,CAAC,CAAC;YAC5G,CAAC;YACD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvD,KAAK,CAAC,IAAI,CAAC,uFAAuF,CAAC,CAAC;YACtG,CAAC;YACD,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC3D,KAAK,CAAC,IAAI,CAAC,0FAA0F,CAAC,CAAC;YACzG,CAAC;YACD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvD,KAAK,CAAC,IAAI,CAAC,8EAA8E,CAAC,CAAC;YAC7F,CAAC;YACD,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,GAAG,CAAC,EAAE,CAAC;gBAC9C,KAAK,CAAC,IAAI,CAAC,qEAAqE,CAAC,CAAC;YACpF,CAAC;YAED,MAAM,UAAU,GAAG,YAAY;iBAC5B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,GAAG,CAAC;iBAC9B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YAEvB,MAAM,kBAAkB,GAAG,gBAAgB;iBACxC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,GAAG,CAAC;iBAC9B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YAEvB,MAAM,aAAa,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YAEvD,OAAO,IAAI,CAAC;gBACV,MAAM;gBACN,cAAc,EAAE,MAAM;gBACtB,SAAS,EAAE,UAAU,CAAC,MAAM,GAAG,CAAC;gBAChC,WAAW,EAAE,UAAU;gBACvB,QAAQ,EAAE;oBACR,WAAW,EAAE,UAAU;oBACvB,oBAAoB,EAAE,kBAAkB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,UAAU;oBACrF,cAAc,EAAE,aAAa;oBAC7B,mBAAmB,EAAE,gBAAgB,CAAC,MAAM,GAAG,CAAC;oBAChD,aAAa,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC;iBACvC;gBACD,KAAK;aACN,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,0BAA0B,MAAM,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC7E,CAAC;IACH,CAAC;CACF,CAAC;AAEF,oCAAoC;AAEpC,MAAM,eAAe,GAAY;IAC/B,IAAI,EAAE,mBAAmB;IACzB,WAAW,EACT,0FAA0F;QAC1F,uGAAuG;IACzG,MAAM,EAAE;QACN,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,+DAA+D,CAAC;KAC7F;IACD,KAAK,CAAC,OAAO,CAAC,IAAI;QAChB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAgB,CAAC;QACrC,MAAM
,QAAQ,GAAG,qBAAqB,MAAM,EAAE,CAAC;QAE/C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACrC,IAAI,MAAM;YAAE,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;QAEhC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,MAAM,EAAE,CAAC,CAAC;YAEhD,wBAAwB;YACxB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;YAC/B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;gBAClC,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,aAAa,CAAC;oBAAE,OAAO,KAAK,CAAC;gBAC5C,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;gBAC1B,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,CAAC;YAEH,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,IAAI,WAAW,GAAG,CAAC,CAAC;YACpB,IAAI,YAAY,GAAG,CAAC,CAAC;YACrB,IAAI,aAAa,GAAG,CAAC,CAAC;YACtB,IAAI,aAAa,GAAG,CAAC,CAAC;YACtB,MAAM,cAAc,GAAG,IAAI,GAAG,EAAkB,CAAC;YACjD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;YAErC,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;gBAC1B,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBAC1C,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBAC5C,MAAM,QAAQ,GAAG,QAAQ,IAAI,GAAG,IAAI,SAAS,IAAI,GAAG,CAAC;gBAErD,IAAI,QAAQ;oBAAE,WAAW,EAAE,CAAC;;oBACvB,YAAY,EAAE,CAAC;gBAEpB,IAAI,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC;oBAAE,aAAa,EAAE,CAAC;;oBAClD,aAAa,EAAE,CAAC;gBAErB,MAAM,EAAE,GAAG,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;gBACzC,cAAc,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAE1D,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC1C,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;oBACtB,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;oBACzB,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;wBAAE,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBACpE,CAAC;YACH,CAAC;YAED,MAAM,oBAAoB,GAAG,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC;iBAC9D,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;iBACrC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;YAErC,MAAM,MAAM,GAAG;gBACb,MAAM;gBACN,kBAAkB,EAAE,MAAM,CAAC,MAAM;gBACjC,MAAM,EAAE,WAAW;gBACnB,OAAO,EAAE,YAAY;gBACrB,QAAQ,EAAE,aAAa;gBACvB,QAAQ,EAAE,aAAa;gBACvB,uBAAu
B,EAAE,UAAU,CAAC,IAAI;gBACxC,iBAAiB,EAAE,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;gBACvD,eAAe,EAAE,oBAAoB;gBACrC,OAAO,EAAE;oBACP,cAAc,EAAE,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,GAAG,MAAM,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI;oBACjG,YAAY,EAAE,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,GAAG,MAAM,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI;oBAC7F,MAAM,EAAE,oBAAoB,CAAC,CAAC,CAAC,EAAE,EAAE,IAAI,KAAK;iBAC7C;aACF,CAAC;YAEF,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC9B,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;QACtB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,qCAAqC,MAAM,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;CACF,CAAC;AAEF,oCAAoC;AAEpC,MAAM,eAAe,GAAY;IAC/B,IAAI,EAAE,mBAAmB;IACzB,WAAW,EACT,qGAAqG;QACrG,0CAA0C;IAC5C,MAAM,EAAE;QACN,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,oEAAoE,CAAC;QACjG,cAAc,EAAE,CAAC;aACd,MAAM,EAAE;aACR,QAAQ,EAAE;aACV,QAAQ,CAAC,0DAA0D,CAAC;KACxE;IACD,KAAK,CAAC,OAAO,CAAC,IAAI;QAChB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAgB,CAAC;QACrC,MAAM,aAAa,GAAI,IAAI,CAAC,cAAyB,IAAI,EAAE,CAAC;QAE5D,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,MAAM,EAAE,CAAC,CAAC;YAEhD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;YAC7B,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,aAAa,CAAC,CAAC;YAEvD,wBAAwB;YACxB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;YAC/B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;gBAClC,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,aAAa,CAAC;oBAAE,OAAO,KAAK,CAAC;gBAC5C,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;gBAC1B,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,CAAC;YAEH,gDAAgD;YAChD,MAAM,QAAQ,GAAG,MAAM;iBACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;gBACZ,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;gBACvC,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;gBACzC,OAAO,SAAS,IAAI,GAAG,IAAI,QAAQ,IAAI,GAAG,IAAI,QAAQ,IAAI,SAAS,CAAC;YACtE,CAAC,CAAC;iBACD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;gBACT,MAAM,QAAQ,GAAG,IAAI,IAAI,CA
AC,CAAC,CAAC,SAAS,CAAC,CAAC;gBACvC,MAAM,aAAa,GAAG,WAAW,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;gBACjD,OAAO;oBACL,WAAW,EAAE,CAAC,CAAC,WAAW;oBAC1B,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC;oBAClC,UAAU,EAAE,CAAC,CAAC,UAAU;oBACxB,SAAS,EAAE,CAAC,CAAC,SAAS;oBACtB,MAAM,EAAE,CAAC,CAAC,aAAa;oBACvB,cAAc,EAAE,aAAa;oBAC7B,OAAO,EACL,aAAa,IAAI,CAAC;wBAChB,CAAC,CAAC,UAAU;wBACZ,CAAC,CAAC,aAAa,IAAI,EAAE;4BACnB,CAAC,CAAC,MAAM;4BACR,CAAC,CAAC,aAAa,IAAI,EAAE;gCACnB,CAAC,CAAC,QAAQ;gCACV,CAAC,CAAC,KAAK;oBACf,KAAK,EAAE,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;iBACrE,CAAC;YACJ,CAAC,CAAC;iBACD,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,GAAG,CAAC,CAAC,cAAc,CAAC,CAAC;YAEvD,OAAO,IAAI,CAAC;gBACV,MAAM;gBACN,cAAc,EAAE,aAAa;gBAC7B,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;gBAC7B,cAAc,EAAE,SAAS,CAAC,WAAW,EAAE;gBACvC,cAAc,EAAE,QAAQ,CAAC,MAAM;gBAC/B,cAAc,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,UAAU,CAAC,CAAC,MAAM;gBACvE,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,MAAM,CAAC,CAAC,MAAM;gBAC/D,YAAY,EAAE,QAAQ;aACvB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,kCAAkC,MAAM,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACrF,CAAC;IACH,CAAC;CACF,CAAC;AAEF,8BAA8B;AAE9B,MAAM,CAAC,MAAM,OAAO,GAAc;IAChC,QAAQ;IACR,eAAe;IACf,oBAAoB;IACpB,SAAS;IACT,UAAU;IACV,eAAe;IACf,eAAe;CAChB,CAAC"}
|
|
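--- a/package/dist/data/dkim-selectors.d.ts.map
+++ b/package/dist/data/dkim-selectors.d.ts.map
@@ -0,0 +1 @@
+{"version":3,"file":"dkim-selectors.d.ts","sourceRoot":"","sources":["../../src/data/dkim-selectors.ts"],"names":[],"mappings":"AACA,eAAO,MAAM,cAAc,EAAE,MAAM,EAmFlC,CAAC"}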
|
|
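--- a/package/dist/data/dkim-selectors.js
+++ b/package/dist/data/dkim-selectors.js
@@ -0,0 +1,60 @@
+// Common DKIM selectors to brute-force during email security checks
+export const DKIM_SELECTORS = [
+// Generic
+"default", "dkim", "mail", "email", "smtp", "dk", "sig1",
+// Google Workspace
+"google", "google2048",
+// Microsoft 365
+"selector1", "selector2",
+// Amazon SES
+"ses", "amazonses",
+// Mandrill / Mailchimp
+"mandrill", "k1", "k2", "k3",
+// Mailjet
+"mailjet",
+// SendGrid
+"s1", "s2", "smtpapi", "sgrid",
+// Postmark
+"pm", "postmark",
+// SparkPost
+"sparkpost",
+// Protonmail
+"protonmail", "protonmail2", "protonmail3",
+// Zoho
+"zoho", "zmail",
+// Turbo-SMTP
+"turbo-smtp",
+// Brevo (Sendinblue)
+"brevo", "sendinblue",
+// Fastmail
+"fm1", "fm2", "fm3",
+// MailerLite
+"ml",
+// Campaign Monitor
+"cm",
+// Constant Contact
+"ctct1", "ctct2",
+// ActiveCampaign
+"dk1", "dk2",
+// Klaviyo
+"kl", "kl2",
+// HubSpot
+"hs1", "hs2", "hubspot",
+// Salesforce
+"sf", "salesforce", "sf1", "sf2",
+// Zendesk
+"zendesk1", "zendesk2",
+// Intercom
+"intercom",
+// Everlytic
+"everlytickey1", "everlytickey2",
+// MXRoute
+"mxroute",
+// Rackspace
+"rackspace",
+// Generic numbered
+"dkim1", "dkim2", "dkim3",
+"key1", "key2",
+"mx", "mx1", "mx2",
+];
+//# sourceMappingURL=dkim-selectors.js.map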
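Review bot: The header comment on `DKIM_SELECTORS` does not say that the list is a best-effort sample, so a consumer can read "no selector matched" as "no DKIM", which is a false negative for any domain whose provider uses random or date-based selector labels. I would extend the comment to `// Common DKIM selectors probed during email security checks. Not exhaustive: a miss on every entry does not prove the domain publishes no DKIM key.` and word the caller's finding the same way (the caller is not in this section, so that part is an assumption). Since this is compiled output, the edit belongs in `src/data/dkim-selectors.ts`, which the source map names. The array is also exported mutable; wrapping it in `Object.freeze([...])` or typing it `readonly string[]` would keep one tool from altering the list another tool probes with.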
|
|
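--- a/package/dist/data/dkim-selectors.js.map
+++ b/package/dist/data/dkim-selectors.js.map
@@ -0,0 +1 @@
+{"version":3,"file":"dkim-selectors.js","sourceRoot":"","sources":["../../src/data/dkim-selectors.ts"],"names":[],"mappings":"AAAA,oEAAoE;AACpE,MAAM,CAAC,MAAM,cAAc,GAAa;IACtC,UAAU;IACV,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM;IAExD,mBAAmB;IACnB,QAAQ,EAAE,YAAY;IAEtB,gBAAgB;IAChB,WAAW,EAAE,WAAW;IAExB,aAAa;IACb,KAAK,EAAE,WAAW;IAElB,uBAAuB;IACvB,UAAU,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI;IAE5B,UAAU;IACV,SAAS;IAET,WAAW;IACX,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO;IAE9B,WAAW;IACX,IAAI,EAAE,UAAU;IAEhB,YAAY;IACZ,WAAW;IAEX,aAAa;IACb,YAAY,EAAE,aAAa,EAAE,aAAa;IAE1C,OAAO;IACP,MAAM,EAAE,OAAO;IAEf,aAAa;IACb,YAAY;IAEZ,qBAAqB;IACrB,OAAO,EAAE,YAAY;IAErB,WAAW;IACX,KAAK,EAAE,KAAK,EAAE,KAAK;IAEnB,aAAa;IACb,IAAI;IAEJ,mBAAmB;IACnB,IAAI;IAEJ,mBAAmB;IACnB,OAAO,EAAE,OAAO;IAEhB,iBAAiB;IACjB,KAAK,EAAE,KAAK;IAEZ,UAAU;IACV,IAAI,EAAE,KAAK;IAEX,UAAU;IACV,KAAK,EAAE,KAAK,EAAE,SAAS;IAEvB,aAAa;IACb,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK;IAEhC,UAAU;IACV,UAAU,EAAE,UAAU;IAEtB,WAAW;IACX,UAAU;IAEV,YAAY;IACZ,eAAe,EAAE,eAAe;IAEhC,UAAU;IACV,SAAS;IAET,YAAY;IACZ,WAAW;IAEX,mBAAmB;IACnB,OAAO,EAAE,OAAO,EAAE,OAAO;IACzB,MAAM,EAAE,MAAM;IACd,IAAI,EAAE,KAAK,EAAE,KAAK;CACnB,CAAC"}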
|
|
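--- a/package/dist/data/dnsbl-lists.d.ts.map
+++ b/package/dist/data/dnsbl-lists.d.ts.map
@@ -0,0 +1 @@
+{"version":3,"file":"dnsbl-lists.d.ts","sourceRoot":"","sources":["../../src/data/dnsbl-lists.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,IAAI,GAAG,QAAQ,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,eAAO,MAAM,WAAW,EAAE,UAAU,EAqDnC,CAAC"}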
|