ghostpatch 1.0.0

package/dist/utils/languages.js

@@ -0,0 +1,128 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CONFIG_FILES = exports.DEFAULT_EXCLUDE = exports.SUPPORTED_LANGUAGES = exports.LANGUAGE_MAP = void 0;
+exports.detectLanguage = detectLanguage;
+exports.isSupportedFile = isSupportedFile;
+exports.isConfigFile = isConfigFile;
+const path = __importStar(require("path"));
+exports.LANGUAGE_MAP = {
+    '.js': 'javascript',
+    '.jsx': 'javascript',
+    '.mjs': 'javascript',
+    '.cjs': 'javascript',
+    '.ts': 'typescript',
+    '.tsx': 'typescript',
+    '.mts': 'typescript',
+    '.cts': 'typescript',
+    '.py': 'python',
+    '.pyw': 'python',
+    '.java': 'java',
+    '.go': 'go',
+    '.rs': 'rust',
+    '.c': 'c',
+    '.h': 'c',
+    '.cpp': 'cpp',
+    '.cc': 'cpp',
+    '.cxx': 'cpp',
+    '.hpp': 'cpp',
+    '.hxx': 'cpp',
+    '.cs': 'csharp',
+    '.php': 'php',
+    '.rb': 'ruby',
+    '.swift': 'swift',
+    '.kt': 'kotlin',
+    '.kts': 'kotlin',
+    '.sh': 'shell',
+    '.bash': 'shell',
+    '.zsh': 'shell',
+    '.sql': 'sql',
+    '.html': 'html',
+    '.htm': 'html',
+    '.vue': 'javascript',
+    '.svelte': 'javascript',
+};
+exports.SUPPORTED_LANGUAGES = [
+    'typescript', 'javascript', 'python', 'java', 'go', 'rust',
+    'c', 'cpp', 'csharp', 'php', 'ruby', 'swift', 'kotlin',
+    'shell', 'sql',
+];
+function detectLanguage(filePath) {
+    const ext = path.extname(filePath).toLowerCase();
+    return exports.LANGUAGE_MAP[ext] || null;
+}
+function isSupportedFile(filePath) {
+    return detectLanguage(filePath) !== null;
+}
+exports.DEFAULT_EXCLUDE = [
+    'node_modules/**',
+    'dist/**',
+    'build/**',
+    'out/**',
+    '.git/**',
+    '.next/**',
+    '.nuxt/**',
+    'vendor/**',
+    '__pycache__/**',
+    '*.min.js',
+    '*.min.css',
+    '*.map',
+    '*.lock',
+    'package-lock.json',
+    'yarn.lock',
+    'pnpm-lock.yaml',
+    '.env',
+    '.env.*',
+    'coverage/**',
+    '.nyc_output/**',
+    '*.d.ts',
+    '*.bundle.js',
+    '*.chunk.js',
+];
+exports.CONFIG_FILES = [
+    'package.json',
+    'requirements.txt',
+    'Pipfile',
+    'pom.xml',
+    'go.mod',
+    'Gemfile',
+    'Cargo.toml',
+    'composer.json',
+];
+function isConfigFile(filePath) {
+    const basename = path.basename(filePath);
+    return exports.CONFIG_FILES.includes(basename);
+}
+//# sourceMappingURL=languages.js.map

package/dist/utils/languages.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"languages.js","sourceRoot":"","sources":["../../src/utils/languages.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6CA,wCAGC;AAED,0CAEC;AAuCD,oCAGC;AA9FD,2CAA6B;AAEhB,QAAA,YAAY,GAA2B;IAClD,KAAK,EAAE,YAAY;IACnB,MAAM,EAAE,YAAY;IACpB,MAAM,EAAE,YAAY;IACpB,MAAM,EAAE,YAAY;IACpB,KAAK,EAAE,YAAY;IACnB,MAAM,EAAE,YAAY;IACpB,MAAM,EAAE,YAAY;IACpB,MAAM,EAAE,YAAY;IACpB,KAAK,EAAE,QAAQ;IACf,MAAM,EAAE,QAAQ;IAChB,OAAO,EAAE,MAAM;IACf,KAAK,EAAE,IAAI;IACX,KAAK,EAAE,MAAM;IACb,IAAI,EAAE,GAAG;IACT,IAAI,EAAE,GAAG;IACT,MAAM,EAAE,KAAK;IACb,KAAK,EAAE,KAAK;IACZ,MAAM,EAAE,KAAK;IACb,MAAM,EAAE,KAAK;IACb,MAAM,EAAE,KAAK;IACb,KAAK,EAAE,QAAQ;IACf,MAAM,EAAE,KAAK;IACb,KAAK,EAAE,MAAM;IACb,QAAQ,EAAE,OAAO;IACjB,KAAK,EAAE,QAAQ;IACf,MAAM,EAAE,QAAQ;IAChB,KAAK,EAAE,OAAO;IACd,OAAO,EAAE,OAAO;IAChB,MAAM,EAAE,OAAO;IACf,MAAM,EAAE,KAAK;IACb,OAAO,EAAE,MAAM;IACf,MAAM,EAAE,MAAM;IACd,MAAM,EAAE,YAAY;IACpB,SAAS,EAAE,YAAY;CACxB,CAAC;AAEW,QAAA,mBAAmB,GAAG;IACjC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM;IAC1D,GAAG,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ;IACtD,OAAO,EAAE,KAAK;CACf,CAAC;AAEF,SAAgB,cAAc,CAAC,QAAgB;IAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IACjD,OAAO,oBAAY,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;AACnC,CAAC;AAED,SAAgB,eAAe,CAAC,QAAgB;IAC9C,OAAO,cAAc,CAAC,QAAQ,CAAC,KAAK,IAAI,CAAC;AAC3C,CAAC;AAEY,QAAA,eAAe,GAAG;IAC7B,iBAAiB;IACjB,SAAS;IACT,UAAU;IACV,QAAQ;IACR,SAAS;IACT,UAAU;IACV,UAAU;IACV,WAAW;IACX,gBAAgB;IAChB,UAAU;IACV,WAAW;IACX,OAAO;IACP,QAAQ;IACR,mBAAmB;IACnB,WAAW;IACX,gBAAgB;IAChB,MAAM;IACN,QAAQ;IACR,aAAa;IACb,gBAAgB;IAChB,QAAQ;IACR,aAAa;IACb,YAAY;CACb,CAAC;AAEW,QAAA,YAAY,GAAG;IAC1B,cAAc;IACd,kBAAkB;IAClB,SAAS;IACT,SAAS;IACT,QAAQ;IACR,SAAS;IACT,YAAY;IACZ,eAAe;CAChB,CAAC;AAEF,SAAgB,YAAY,CAAC,QAAgB;IAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACzC,OAAO,oBAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACzC,CAAC"}

package/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "ghostpatch",
+  "version": "1.0.0",
+  "description": "AI-powered security vulnerability scanner — like SonarQube but runs locally via npm with zero infrastructure. Uses free HuggingFace models by default.",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "ghostpatch": "dist/cli/index.js",
+    "gp": "dist/cli/index.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "start": "node dist/cli/index.js",
+    "scan": "node dist/cli/index.js scan",
+    "serve": "node dist/cli/index.js serve",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "security",
+    "scanner",
+    "vulnerability",
+    "sast",
+    "ai",
+    "sonarqube",
+    "owasp",
+    "mcp",
+    "static-analysis"
+  ],
+  "author": "",
+  "license": "MIT",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "commander": "^14.0.3",
+    "glob": "^13.0.1",
+    "micromatch": "^4.0.8",
+    "chokidar": "^4.0.3"
+  },
+  "optionalDependencies": {
+    "@anthropic-ai/sdk": "^0.39.0",
+    "openai": "^4.80.0"
+  },
+  "devDependencies": {
+    "@types/micromatch": "^4.0.9",
+    "@types/node": "^22.12.0",
+    "typescript": "^5.7.3",
+    "vitest": "^3.2.4"
+  }
+}

package/src/ai/anthropic.ts

@@ -0,0 +1,82 @@
+import { AIFinding } from '../core/severity';
+import { AIProvider, parseAIResponse } from './provider';
+import { buildAnalysisPrompt } from './prompts';
+
+export class AnthropicProvider implements AIProvider {
+  name = 'anthropic';
+  private apiKey: string | undefined;
+
+  constructor() {
+    this.apiKey = process.env.ANTHROPIC_API_KEY;
+  }
+
+  isAvailable(): boolean {
+    return !!this.apiKey;
+  }
+
+  async analyze(code: string, context: string): Promise<AIFinding[]> {
+    if (!this.apiKey) return [];
+
+    const prompt = buildAnalysisPrompt(code, context, 'security');
+
+    try {
+      // Try to use the SDK if available
+      const Anthropic = require('@anthropic-ai/sdk');
+      const client = new Anthropic({ apiKey: this.apiKey });
+
+      const response = await client.messages.create({
+        model: 'claude-sonnet-4-5-20250929',
+        max_tokens: 4096,
+        messages: [{
+          role: 'user',
+          content: prompt,
+        }],
+      });
+
+      const text = response.content
+        .filter((c: any) => c.type === 'text')
+        .map((c: any) => c.text)
+        .join('');
+
+      return parseAIResponse(text);
+    } catch (sdkError) {
+      // Fallback to direct API call
+      try {
+        return await this.callDirectAPI(prompt);
+      } catch {
+        return [];
+      }
+    }
+  }
+
+  private async callDirectAPI(prompt: string): Promise<AIFinding[]> {
+    const response = await fetch('https://api.anthropic.com/v1/messages', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'x-api-key': this.apiKey!,
+        'anthropic-version': '2023-06-01',
+      },
+      body: JSON.stringify({
+        model: 'claude-sonnet-4-5-20250929',
+        max_tokens: 4096,
+        messages: [{
+          role: 'user',
+          content: prompt,
+        }],
+      }),
+    });
+
+    if (!response.ok) {
+      throw new Error(`Anthropic API error: ${response.status}`);
+    }
+
+    const data: any = await response.json();
+    const text = data.content
+      ?.filter((c: any) => c.type === 'text')
+      ?.map((c: any) => c.text)
+      ?.join('') || '';
+
+    return parseAIResponse(text);
+  }
+}

package/src/ai/huggingface.ts

@@ -0,0 +1,111 @@
+import { AIFinding } from '../core/severity';
+import { AIProvider, parseAIResponse } from './provider';
+import { buildAnalysisPrompt } from './prompts';
+
+const DEFAULT_MODEL = 'Qwen/Qwen2.5-Coder-32B-Instruct';
+const FALLBACK_MODEL = 'bigcode/starcoder2-15b';
+const HF_API_URL = 'https://api-inference.huggingface.co/models';
+
+export class HuggingFaceProvider implements AIProvider {
+  name = 'huggingface';
+  private token: string | undefined;
+  private model: string;
+
+  constructor(model?: string) {
+    this.token = process.env.HF_TOKEN || process.env.HUGGINGFACE_TOKEN;
+    this.model = model || DEFAULT_MODEL;
+  }
+
+  isAvailable(): boolean {
+    return true; // HuggingFace free tier doesn't require a token for some models
+  }
+
+  async analyze(code: string, context: string): Promise<AIFinding[]> {
+    const prompt = buildAnalysisPrompt(code, context, 'security');
+
+    try {
+      const response = await this.callAPI(this.model, prompt);
+      return parseAIResponse(response);
+    } catch {
+      try {
+        // Fallback to secondary model
+        const response = await this.callAPI(FALLBACK_MODEL, prompt);
+        return parseAIResponse(response);
+      } catch {
+        return [];
+      }
+    }
+  }
+
+  private async callAPI(model: string, prompt: string): Promise<string> {
+    const headers: Record<string, string> = {
+      'Content-Type': 'application/json',
+    };
+
+    if (this.token) {
+      headers['Authorization'] = `Bearer ${this.token}`;
+    }
+
+    const body = JSON.stringify({
+      inputs: prompt,
+      parameters: {
+        max_new_tokens: 2048,
+        temperature: 0.1,
+        return_full_text: false,
+      },
+    });
+
+    const response = await fetchWithRetry(`${HF_API_URL}/${model}`, {
+      method: 'POST',
+      headers,
+      body,
+    });
+
+    if (!response.ok) {
+      throw new Error(`HuggingFace API error: ${response.status}`);
+    }
+
+    const data = await response.json();
+
+    if (Array.isArray(data) && data[0]?.generated_text) {
+      return data[0].generated_text;
+    }
+
+    return JSON.stringify(data);
+  }
+}
+
+async function fetchWithRetry(
+  url: string,
+  options: RequestInit,
+  retries: number = 3,
+  delay: number = 1000,
+): Promise<Response> {
+  for (let i = 0; i < retries; i++) {
+    try {
+      const response = await fetch(url, options);
+
+      // If model is loading, wait and retry
+      if (response.status === 503) {
+        const body = await response.json().catch(() => ({}));
+        const estimatedTime = (body as any)?.estimated_time || 20;
+        const waitTime = Math.min(estimatedTime * 1000, 30000);
+        await new Promise(resolve => setTimeout(resolve, waitTime));
+        continue;
+      }
+
+      // Rate limited
+      if (response.status === 429) {
+        await new Promise(resolve => setTimeout(resolve, delay * (i + 1)));
+        continue;
+      }
+
+      return response;
+    } catch (err) {
+      if (i === retries - 1) throw err;
+      await new Promise(resolve => setTimeout(resolve, delay * (i + 1)));
+    }
+  }
+
+  throw new Error('Max retries exceeded');
+}

package/src/ai/openai.ts

@@ -0,0 +1,75 @@
+import { AIFinding } from '../core/severity';
+import { AIProvider, parseAIResponse } from './provider';
+import { buildAnalysisPrompt } from './prompts';
+
+export class OpenAIProvider implements AIProvider {
+  name = 'openai';
+  private apiKey: string | undefined;
+
+  constructor() {
+    this.apiKey = process.env.OPENAI_API_KEY;
+  }
+
+  isAvailable(): boolean {
+    return !!this.apiKey;
+  }
+
+  async analyze(code: string, context: string): Promise<AIFinding[]> {
+    if (!this.apiKey) return [];
+
+    const prompt = buildAnalysisPrompt(code, context, 'security');
+
+    try {
+      // Try to use the SDK if available
+      const OpenAI = require('openai');
+      const client = new OpenAI({ apiKey: this.apiKey });
+
+      const response = await client.chat.completions.create({
+        model: 'gpt-4o',
+        messages: [{
+          role: 'user',
+          content: prompt,
+        }],
+        temperature: 0.1,
+        max_tokens: 4096,
+      });
+
+      const text = response.choices[0]?.message?.content || '';
+      return parseAIResponse(text);
+    } catch (sdkError) {
+      // Fallback to direct API call
+      try {
+        return await this.callDirectAPI(prompt);
+      } catch {
+        return [];
+      }
+    }
+  }
+
+  private async callDirectAPI(prompt: string): Promise<AIFinding[]> {
+    const response = await fetch('https://api.openai.com/v1/chat/completions', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${this.apiKey}`,
+      },
+      body: JSON.stringify({
+        model: 'gpt-4o',
+        messages: [{
+          role: 'user',
+          content: prompt,
+        }],
+        temperature: 0.1,
+        max_tokens: 4096,
+      }),
+    });
+
+    if (!response.ok) {
+      throw new Error(`OpenAI API error: ${response.status}`);
+    }
+
+    const data: any = await response.json();
+    const text = data.choices?.[0]?.message?.content || '';
+    return parseAIResponse(text);
+  }
+}

package/src/ai/prompts.ts

@@ -0,0 +1,100 @@
+export const SECURITY_ANALYSIS_PROMPT = `You are a senior application security engineer performing a code review. Analyze the following code for security vulnerabilities.
+
+Look for:
+1. **Injection flaws** — SQL injection, command injection, XSS, LDAP injection, template injection
+2. **Authentication/Authorization bugs** — bypass conditions, privilege escalation, session issues
+3. **Cryptographic weaknesses** — weak algorithms, hardcoded keys, insecure randomness
+4. **Business logic vulnerabilities** — race conditions, TOCTOU, integer overflow, logic bypasses
+5. **Data exposure** — sensitive data in logs, responses, URLs, or error messages
+6. **Insecure configurations** — debug modes, permissive CORS, missing security headers
+7. **Novel attack vectors** — unusual patterns that could be exploited
+
+For each vulnerability found, respond in this exact JSON format:
+{
+  "findings": [
+    {
+      "title": "Brief vulnerability title",
+      "description": "Detailed explanation of the vulnerability and its impact",
+      "severity": "critical|high|medium|low|info",
+      "confidence": "high|medium|low",
+      "line": <line_number_or_null>,
+      "cwe": "CWE-XXX",
+      "remediation": "How to fix the issue"
+    }
+  ]
+}
+
+If no vulnerabilities are found, return: { "findings": [] }
+
+Be precise and avoid false positives. Only report genuine security concerns.`;
+
+export const SECRETS_ANALYSIS_PROMPT = `You are a secrets detection specialist. Analyze the following code for hardcoded secrets, credentials, API keys, tokens, and sensitive configuration.
+
+Look for:
+- API keys (AWS, GCP, Azure, Stripe, SendGrid, Twilio, etc.)
+- Passwords and credentials
+- Private keys and certificates
+- Database connection strings with credentials
+- OAuth client secrets
+- JWT secrets
+- Encryption keys
+- Webhook URLs with tokens
+
+Respond in JSON format:
+{
+  "findings": [
+    {
+      "title": "Type of secret found",
+      "description": "What was found and why it's a risk",
+      "severity": "critical|high|medium",
+      "confidence": "high|medium|low",
+      "line": <line_number_or_null>,
+      "cwe": "CWE-798",
+      "remediation": "How to properly handle this secret"
+    }
+  ]
+}`;
+
+export const ZERO_DAY_PROMPT = `You are an elite security researcher analyzing code for novel, zero-day class vulnerabilities that standard scanners would miss.
+
+Focus on:
+1. **Logic bugs** — Subtle flaws in business logic, authentication flows, or authorization checks
+2. **Race conditions** — Time-of-check to time-of-use bugs, concurrent access issues
+3. **Type confusion** — Unexpected type coercion leading to security bypass
+4. **Integer issues** — Overflow, underflow, truncation leading to security impacts
+5. **State management** — Inconsistent state that could be exploited
+6. **Error handling** — Errors that leak info or bypass security checks
+7. **Deserialization** — Unsafe data handling leading to code execution
+8. **Side channels** — Timing attacks, cache-based attacks
+
+Only report findings you have HIGH confidence in. These should be genuine, exploitable issues.
+
+Respond in JSON format:
+{
+  "findings": [
+    {
+      "title": "Vulnerability title",
+      "description": "Detailed technical explanation",
+      "severity": "critical|high|medium",
+      "confidence": "high|medium",
+      "line": <line_number_or_null>,
+      "cwe": "CWE-XXX",
+      "remediation": "Specific fix"
+    }
+  ]
+}`;
+
+export function buildAnalysisPrompt(code: string, context: string, promptType: 'security' | 'secrets' | 'zeroday' = 'security'): string {
+  const prompt = promptType === 'secrets' ? SECRETS_ANALYSIS_PROMPT
+    : promptType === 'zeroday' ? ZERO_DAY_PROMPT
+    : SECURITY_ANALYSIS_PROMPT;
+
+  return `${prompt}
+
+Context: ${context}
+
+Code to analyze:
+\`\`\`
+${code}
+\`\`\``;
+}

package/src/ai/provider.ts

@@ -0,0 +1,68 @@
+import { AIFinding, Severity, severityFromString } from '../core/severity';
+
+export interface AIProvider {
+  name: string;
+  analyze(code: string, context: string): Promise<AIFinding[]>;
+  isAvailable(): boolean;
+}
+
+export function getAvailableProvider(preferred?: string): AIProvider | null {
+  // Import providers lazily
+  const { HuggingFaceProvider } = require('./huggingface');
+  const { AnthropicProvider } = require('./anthropic');
+  const { OpenAIProvider } = require('./openai');
+
+  if (preferred) {
+    switch (preferred) {
+      case 'anthropic': {
+        const p = new AnthropicProvider();
+        if (p.isAvailable()) return p;
+        break;
+      }
+      case 'openai': {
+        const p = new OpenAIProvider();
+        if (p.isAvailable()) return p;
+        break;
+      }
+      case 'huggingface': {
+        const p = new HuggingFaceProvider();
+        return p;
+      }
+    }
+  }
+
+  // Auto-detect: prefer Anthropic > OpenAI > HuggingFace
+  const anthropic = new AnthropicProvider();
+  if (anthropic.isAvailable()) return anthropic;
+
+  const openai = new OpenAIProvider();
+  if (openai.isAvailable()) return openai;
+
+  // HuggingFace is always available (free tier)
+  return new HuggingFaceProvider();
+}
+
+export function parseAIResponse(response: string): AIFinding[] {
+  try {
+    // Try to extract JSON from the response
+    const jsonMatch = response.match(/\{[\s\S]*"findings"[\s\S]*\}/);
+    if (!jsonMatch) return [];
+
+    const parsed = JSON.parse(jsonMatch[0]);
+    if (!Array.isArray(parsed.findings)) return [];
+
+    return parsed.findings
+      .filter((f: any) => f.title && f.description)
+      .map((f: any) => ({
+        title: String(f.title),
+        description: String(f.description),
+        severity: severityFromString(f.severity || 'medium'),
+        confidence: (['high', 'medium', 'low'].includes(f.confidence) ? f.confidence : 'medium') as 'high' | 'medium' | 'low',
+        line: typeof f.line === 'number' ? f.line : undefined,
+        cwe: f.cwe ? String(f.cwe) : undefined,
+        remediation: f.remediation ? String(f.remediation) : undefined,
+      }));
+  } catch {
+    return [];
+  }
+}