guardlink 1.0.0

package/dist/analyze/llm.js

@@ -0,0 +1,295 @@
+/**
+ * GuardLink Threat Reports — Lightweight LLM client using raw fetch.
+ *
+ * Supports:
+ *   - Anthropic Messages API (claude-sonnet-4-5-20250929, etc.)
+ *   - OpenAI-compatible Chat Completions (GPT-4o, DeepSeek, OpenRouter)
+ *
+ * Zero dependencies — uses Node 20+ built-in fetch.
+ *
+ * @exposes #llm-client to #api-key-exposure [high] cwe:CWE-798 -- "Reads API keys from environment variables"
+ * @exposes #llm-client to #ssrf [medium] cwe:CWE-918 -- "Makes HTTP requests to configurable provider URLs"
+ * @exposes #llm-client to #prompt-injection [medium] cwe:CWE-77 -- "Sends threat model content as LLM prompt"
+ * @accepts #prompt-injection on #llm-client -- "Core feature: threat model data is sent to LLM for analysis"
+ * @mitigates #llm-client against #ssrf using #config-validation -- "BASE_URLS are hardcoded to known providers"
+ * @mitigates #llm-client against #api-key-exposure using #key-redaction -- "Keys read from env, not logged"
+ * @handles secrets on #llm-client -- "API keys held in memory during request lifecycle"
+ * @boundary between #llm-client and External_LLM_APIs (#llm-boundary) -- "HTTP requests cross network trust boundary to external AI providers"
+ * @flows #llm-client -> External_LLM_APIs via fetch -- "HTTP POST with auth headers and prompt payload"
+ * @flows External_LLM_APIs -> #llm-client via response -- "Streaming or complete response from LLM provider"
+ */
+const DEFAULT_MODELS = {
+    anthropic: 'claude-sonnet-4-5-20250929',
+    openai: 'gpt-4o',
+    openrouter: 'anthropic/claude-sonnet-4-5-20250929',
+    deepseek: 'deepseek-chat',
+};
+const BASE_URLS = {
+    anthropic: 'https://api.anthropic.com',
+    openai: 'https://api.openai.com',
+    openrouter: 'https://openrouter.ai/api',
+    deepseek: 'https://api.deepseek.com',
+};
+/**
+ * Auto-detect provider from environment variables.
+ * Returns null if no API key found.
+ */
+export function autoDetectConfig() {
+    // Priority: Anthropic > OpenAI > OpenRouter > DeepSeek
+    if (process.env.ANTHROPIC_API_KEY) {
+        return {
+            provider: 'anthropic',
+            model: DEFAULT_MODELS.anthropic,
+            apiKey: process.env.ANTHROPIC_API_KEY,
+        };
+    }
+    if (process.env.OPENAI_API_KEY) {
+        return {
+            provider: 'openai',
+            model: DEFAULT_MODELS.openai,
+            apiKey: process.env.OPENAI_API_KEY,
+        };
+    }
+    if (process.env.OPENROUTER_API_KEY) {
+        return {
+            provider: 'openrouter',
+            model: DEFAULT_MODELS.openrouter,
+            apiKey: process.env.OPENROUTER_API_KEY,
+        };
+    }
+    if (process.env.DEEPSEEK_API_KEY) {
+        return {
+            provider: 'deepseek',
+            model: DEFAULT_MODELS.deepseek,
+            apiKey: process.env.DEEPSEEK_API_KEY,
+        };
+    }
+    return null;
+}
+/**
+ * Build config from explicit flags + env vars.
+ */
+export function buildConfig(opts) {
+    // If provider specified, use it
+    if (opts.provider) {
+        const provider = opts.provider;
+        const envKeyMap = {
+            anthropic: 'ANTHROPIC_API_KEY',
+            openai: 'OPENAI_API_KEY',
+            openrouter: 'OPENROUTER_API_KEY',
+            deepseek: 'DEEPSEEK_API_KEY',
+        };
+        const apiKey = opts.apiKey || process.env[envKeyMap[provider] || ''];
+        if (!apiKey)
+            return null;
+        return {
+            provider,
+            model: opts.model || DEFAULT_MODELS[provider] || 'gpt-4o',
+            apiKey,
+        };
+    }
+    // Auto-detect
+    const config = autoDetectConfig();
+    if (!config)
+        return null;
+    // Override model if specified
+    if (opts.model)
+        config.model = opts.model;
+    return config;
+}
+/**
+ * Send a message to the LLM and return the response.
+ */
+export async function chatCompletion(config, systemPrompt, userMessage, onChunk) {
+    if (config.provider === 'anthropic') {
+        return callAnthropic(config, systemPrompt, userMessage, onChunk);
+    }
+    else {
+        return callOpenAICompatible(config, systemPrompt, userMessage, onChunk);
+    }
+}
+// ─── Anthropic Messages API ──────────────────────────────────────────
+async function callAnthropic(config, systemPrompt, userMessage, onChunk) {
+    const baseUrl = config.baseUrl || BASE_URLS.anthropic;
+    const maxTokens = config.maxTokens || 8192;
+    if (onChunk) {
+        // Streaming
+        const res = await fetch(`${baseUrl}/v1/messages`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'x-api-key': config.apiKey,
+                'anthropic-version': '2023-06-01',
+            },
+            body: JSON.stringify({
+                model: config.model,
+                max_tokens: maxTokens,
+                system: systemPrompt,
+                stream: true,
+                messages: [{ role: 'user', content: userMessage }],
+            }),
+        });
+        if (!res.ok) {
+            const err = await res.text();
+            throw new Error(`Anthropic API error ${res.status}: ${err}`);
+        }
+        let content = '';
+        let inputTokens = 0;
+        let outputTokens = 0;
+        const reader = res.body?.getReader();
+        if (!reader)
+            throw new Error('No response body');
+        const decoder = new TextDecoder();
+        let buffer = '';
+        while (true) {
+            const { done, value } = await reader.read();
+            if (done)
+                break;
+            buffer += decoder.decode(value, { stream: true });
+            const lines = buffer.split('\n');
+            buffer = lines.pop() || '';
+            for (const line of lines) {
+                if (!line.startsWith('data: '))
+                    continue;
+                const data = line.slice(6).trim();
+                if (data === '[DONE]')
+                    continue;
+                try {
+                    const event = JSON.parse(data);
+                    if (event.type === 'content_block_delta' && event.delta?.text) {
+                        content += event.delta.text;
+                        onChunk(event.delta.text);
+                    }
+                    if (event.type === 'message_delta' && event.usage) {
+                        outputTokens = event.usage.output_tokens || 0;
+                    }
+                    if (event.type === 'message_start' && event.message?.usage) {
+                        inputTokens = event.message.usage.input_tokens || 0;
+                    }
+                }
+                catch { /* skip non-JSON lines */ }
+            }
+        }
+        return { content, model: config.model, inputTokens, outputTokens };
+    }
+    else {
+        // Non-streaming
+        const res = await fetch(`${baseUrl}/v1/messages`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'x-api-key': config.apiKey,
+                'anthropic-version': '2023-06-01',
+            },
+            body: JSON.stringify({
+                model: config.model,
+                max_tokens: maxTokens,
+                system: systemPrompt,
+                messages: [{ role: 'user', content: userMessage }],
+            }),
+        });
+        if (!res.ok) {
+            const err = await res.text();
+            throw new Error(`Anthropic API error ${res.status}: ${err}`);
+        }
+        const data = await res.json();
+        return {
+            content: data.content?.[0]?.text || '',
+            model: data.model || config.model,
+            inputTokens: data.usage?.input_tokens,
+            outputTokens: data.usage?.output_tokens,
+        };
+    }
+}
+// ─── OpenAI-compatible Chat Completions ──────────────────────────────
+async function callOpenAICompatible(config, systemPrompt, userMessage, onChunk) {
+    const baseUrl = config.baseUrl || BASE_URLS[config.provider] || BASE_URLS.openai;
+    const maxTokens = config.maxTokens || 8192;
+    const headers = {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${config.apiKey}`,
+    };
+    // OpenRouter requires extra headers
+    if (config.provider === 'openrouter') {
+        headers['HTTP-Referer'] = 'https://guardlink.bugb.io';
+        headers['X-Title'] = 'GuardLink CLI';
+    }
+    if (onChunk) {
+        // Streaming
+        const res = await fetch(`${baseUrl}/v1/chat/completions`, {
+            method: 'POST',
+            headers,
+            body: JSON.stringify({
+                model: config.model,
+                max_tokens: maxTokens,
+                stream: true,
+                messages: [
+                    { role: 'system', content: systemPrompt },
+                    { role: 'user', content: userMessage },
+                ],
+            }),
+        });
+        if (!res.ok) {
+            const err = await res.text();
+            throw new Error(`${config.provider} API error ${res.status}: ${err}`);
+        }
+        let content = '';
+        const reader = res.body?.getReader();
+        if (!reader)
+            throw new Error('No response body');
+        const decoder = new TextDecoder();
+        let buffer = '';
+        while (true) {
+            const { done, value } = await reader.read();
+            if (done)
+                break;
+            buffer += decoder.decode(value, { stream: true });
+            const lines = buffer.split('\n');
+            buffer = lines.pop() || '';
+            for (const line of lines) {
+                if (!line.startsWith('data: '))
+                    continue;
+                const data = line.slice(6).trim();
+                if (data === '[DONE]')
+                    continue;
+                try {
+                    const event = JSON.parse(data);
+                    const delta = event.choices?.[0]?.delta?.content;
+                    if (delta) {
+                        content += delta;
+                        onChunk(delta);
+                    }
+                }
+                catch { /* skip */ }
+            }
+        }
+        return { content, model: config.model };
+    }
+    else {
+        // Non-streaming
+        const res = await fetch(`${baseUrl}/v1/chat/completions`, {
+            method: 'POST',
+            headers,
+            body: JSON.stringify({
+                model: config.model,
+                max_tokens: maxTokens,
+                messages: [
+                    { role: 'system', content: systemPrompt },
+                    { role: 'user', content: userMessage },
+                ],
+            }),
+        });
+        if (!res.ok) {
+            const err = await res.text();
+            throw new Error(`${config.provider} API error ${res.status}: ${err}`);
+        }
+        const data = await res.json();
+        return {
+            content: data.choices?.[0]?.message?.content || '',
+            model: data.model || config.model,
+            inputTokens: data.usage?.prompt_tokens,
+            outputTokens: data.usage?.completion_tokens,
+        };
+    }
+}
+//# sourceMappingURL=llm.js.map

package/dist/analyze/llm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"llm.js","sourceRoot":"","sources":["../../src/analyze/llm.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAmBH,MAAM,cAAc,GAAgC;IAClD,SAAS,EAAE,4BAA4B;IACvC,MAAM,EAAE,QAAQ;IAChB,UAAU,EAAE,sCAAsC;IAClD,QAAQ,EAAE,eAAe;CAC1B,CAAC;AAEF,MAAM,SAAS,GAAgC;IAC7C,SAAS,EAAE,2BAA2B;IACtC,MAAM,EAAE,wBAAwB;IAChC,UAAU,EAAE,2BAA2B;IACvC,QAAQ,EAAE,0BAA0B;CACrC,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,uDAAuD;IACvD,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC;QAClC,OAAO;YACL,QAAQ,EAAE,WAAW;YACrB,KAAK,EAAE,cAAc,CAAC,SAAS;YAC/B,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB;SACtC,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC;QAC/B,OAAO;YACL,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,cAAc,CAAC,MAAM;YAC5B,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc;SACnC,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC;QACnC,OAAO;YACL,QAAQ,EAAE,YAAY;YACtB,KAAK,EAAE,cAAc,CAAC,UAAU;YAChC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB;SACvC,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QACjC,OAAO;YACL,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,cAAc,CAAC,QAAQ;YAC9B,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB;SACrC,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,IAI3B;IACC,gCAAgC;IAChC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAuB,CAAC;QAC9C,MAAM,SAAS,GAA2B;YACxC,SAAS,EAAE,mBAAmB;YAC9B,MAAM,EAAE,gBAAgB;YACxB,UAAU,EAAE,oBAAoB;YAChC,QAAQ,EAAE,kBAAkB;SAC7B,CAAC;QACF,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QACrE,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,OAAO;YACL,QAAQ;YACR,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,cAAc,CAAC,QAAQ,CAAC,IAAI,QAAQ;YACzD,MAAM;SACP,CAAC;IACJ,CAAC;IAED,cAAc;IACd,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;IAClC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,8BAA8B;IAC9B,IAAI,IAAI,CAAC,KAAK;QAAE,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IAC1C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,MAAiB,EACjB,YAAoB,EACpB,WAAmB,EACnB,OAAgC;IAEhC,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;QACpC,OAAO,aAAa,CAAC,MAAM,EAAE,YAAY,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;IACnE,CAAC;SAAM,CAAC;QACN,OAAO,oBAAoB,CAAC,MAAM,EAAE,YAAY,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;IAC1E,CAAC;AACH,CAAC;AAED,wEAAwE;AAExE,KAAK,UAAU,aAAa,CAC1B,MAAiB,EACjB,YAAoB,EACpB,WAAmB,EACnB,OAAgC;IAEhC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,SAAS,CAAC,SAAS,CAAC;IACtD,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC;IAE3C,IAAI,OAAO,EAAE,CAAC;QACZ,YAAY;QACZ,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,cAAc,EAAE;YAChD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,WAAW,EAAE,MAAM,CAAC,MAAM;gBAC1B,mBAAmB,EAAE,YAAY;aAClC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,UAAU,EAAE,SAAS;gBACrB,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE,IAAI;gBACZ,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;aACnD,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC,CAAC;QAC/D,CAAC;QAED,IAAI,OAAO,GAAG,EAAE,CAAC;QACjB,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,IAAI,YAAY,GAAG,CAAC,CAAC;QACrB,MAAM,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC;QACrC,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAEjD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,IAAI,MAAM,GAAG,EAAE,CAAC;QAEhB,OAAO,IAAI,EAAE,CAAC;YACZ,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;YAC5C,IAAI,IAAI;gBAAE,MAAM;YAChB,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;YAElD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;YAE3B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBACzC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAClC,IAAI,IAAI,KAAK,QAAQ;oBAAE,SAAS;gBAChC,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBAC/B,IAAI,KAAK,CAAC,IAAI,KAAK,qBAAqB,IAAI,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC;wBAC9D,OAAO,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC;wBAC5B,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBAC5B,CAAC;oBACD,IAAI,KAAK,CAAC,IAAI,KAAK,eAAe,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;wBAClD,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,aAAa,IAAI,CAAC,CAAC;oBAChD,CAAC;oBACD,IAAI,KAAK,CAAC,IAAI,KAAK,eAAe,IAAI,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;wBAC3D,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,YAAY,IAAI,CAAC,CAAC;oBACtD,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC,CAAC,yBAAyB,CAAC,CAAC;YACvC,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC;IACrE,CAAC;SAAM,CAAC;QACN,gBAAgB;QAChB,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,cAAc,EAAE;YAChD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,WAAW,EAAE,MAAM,CAAC,MAAM;gBAC1B,mBAAmB,EAAE,YAAY;aAClC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,UAAU,EAAE,SAAS;gBACrB,MAAM,EAAE,YAAY;gBACpB,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;aACnD,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC,CAAC;QAC/D,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAS,CAAC;QACrC,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,IAAI,EAAE;YACtC,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,MAAM,CAAC,KAAK;YACjC,WAAW,EAAE,IAAI,CAAC,KAAK,EAAE,YAAY;YACrC,YAAY,EAAE,IAAI,CAAC,KAAK,EAAE,aAAa;SACxC,CAAC;IACJ,CAAC;AACH,CAAC;AAED,wEAAwE;AAExE,KAAK,UAAU,oBAAoB,CACjC,MAAiB,EACjB,YAAoB,EACpB,WAAmB,EACnB,OAAgC;IAEhC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,MAAM,CAAC;IACjF,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC;IAE3C,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;QAClC,eAAe,EAAE,UAAU,MAAM,CAAC,MAAM,EAAE;KAC3C,CAAC;IAEF,oCAAoC;IACpC,IAAI,MAAM,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QACrC,OAAO,CAAC,cAAc,CAAC,GAAG,2BAA2B,CAAC;QACtD,OAAO,CAAC,SAAS,CAAC,GAAG,eAAe,CAAC;IACvC,CAAC;IAED,IAAI,OAAO,EAAE,CAAC;QACZ,YAAY;QACZ,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,sBAAsB,EAAE;YACxD,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,UAAU,EAAE,SAAS;gBACrB,MAAM,EAAE,IAAI;gBACZ,QAAQ,EAAE;oBACR,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAE;oBACzC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE;iBACvC;aACF,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,CAAC,QAAQ,cAAc,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC,CAAC;QACxE,CAAC;QAED,IAAI,OAAO,GAAG,EAAE,CAAC;QACjB,MAAM,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC;QACrC,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAEjD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,IAAI,MAAM,GAAG,EAAE,CAAC;QAEhB,OAAO,IAAI,EAAE,CAAC;YACZ,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;YAC5C,IAAI,IAAI;gBAAE,MAAM;YAChB,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;YAElD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;YAE3B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBACzC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAClC,IAAI,IAAI,KAAK,QAAQ;oBAAE,SAAS;gBAChC,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBAC/B,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC;oBACjD,IAAI,KAAK,EAAE,CAAC;wBACV,OAAO,IAAI,KAAK,CAAC;wBACjB,OAAO,CAAC,KAAK,CAAC,CAAC;oBACjB,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC,CAAC,UAAU,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC;IAC1C,CAAC;SAAM,CAAC;QACN,gBAAgB;QAChB,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,sBAAsB,EAAE;YACxD,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,UAAU,EAAE,SAAS;gBACrB,QAAQ,EAAE;oBACR,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAE;oBACzC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE;iBACvC;aACF,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,CAAC,QAAQ,cAAc,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC,CAAC;QACxE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAS,CAAC;QACrC,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,IAAI,EAAE;YAClD,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,MAAM,CAAC,KAAK;YACjC,WAAW,EAAE,IAAI,CAAC,KAAK,EAAE,aAAa;YACtC,YAAY,EAAE,IAAI,CAAC,KAAK,EAAE,iBAAiB;SAC5C,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/analyze/prompts.d.ts

@@ -0,0 +1,14 @@
+/**
+ * GuardLink Threat Reports — Framework-specific analysis prompts.
+ *
+ * Each framework produces a structured security analysis from the
+ * serialized threat model. The LLM acts as a senior security architect.
+ */
+export type AnalysisFramework = 'stride' | 'dread' | 'pasta' | 'attacker' | 'rapid' | 'general';
+export declare const FRAMEWORK_LABELS: Record<AnalysisFramework, string>;
+export declare const FRAMEWORK_PROMPTS: Record<AnalysisFramework, string>;
+/**
+ * Build the user message containing the serialized threat model.
+ */
+export declare function buildUserMessage(modelJson: string, framework: AnalysisFramework, customPrompt?: string): string;
+//# sourceMappingURL=prompts.d.ts.map

package/dist/analyze/prompts.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompts.d.ts","sourceRoot":"","sources":["../../src/analyze/prompts.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,MAAM,iBAAiB,GAAG,QAAQ,GAAG,OAAO,GAAG,OAAO,GAAG,UAAU,GAAG,OAAO,GAAG,SAAS,CAAC;AAEhG,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,iBAAiB,EAAE,MAAM,CAO9D,CAAC;AAkBF,eAAO,MAAM,iBAAiB,EAAE,MAAM,CAAC,iBAAiB,EAAE,MAAM,CAsK/D,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,iBAAiB,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,MAAM,CAU/G"}

package/dist/analyze/prompts.js

@@ -0,0 +1,205 @@
+/**
+ * GuardLink Threat Reports — Framework-specific analysis prompts.
+ *
+ * Each framework produces a structured security analysis from the
+ * serialized threat model. The LLM acts as a senior security architect.
+ */
+export const FRAMEWORK_LABELS = {
+    stride: 'STRIDE Threat Analysis',
+    dread: 'DREAD Risk Assessment',
+    pasta: 'PASTA Attack Simulation',
+    attacker: 'Attacker Persona Analysis',
+    rapid: 'Rapid Risk Assessment',
+    general: 'General Threat Analysis',
+};
+const SYSTEM_BASE = `You are an expert Security Architect and Threat Modeler with 15+ years of experience.
+You are analyzing a codebase that uses GuardLink annotations — structured security metadata embedded in source code comments.
+
+The threat model you receive contains:
+- **Assets**: Components declared by developers
+- **Threats**: Known threat vectors with severity and CWE references
+- **Controls**: Security mechanisms in place
+- **Mitigations**: Where controls defend assets against threats
+- **Exposures**: Known vulnerabilities (asset exposed to threat)
+- **Flows**: Data movement between components
+- **Boundaries**: Trust boundaries between security zones
+- **Comments**: Developer security notes
+
+Your analysis must be actionable, specific to THIS codebase, and reference the actual assets/threats/controls by name.
+Never give generic advice — always tie recommendations to concrete annotations in the model.`;
+export const FRAMEWORK_PROMPTS = {
+    stride: `${SYSTEM_BASE}
+
+Perform a **STRIDE** analysis of this threat model.
+
+For each STRIDE category, evaluate the codebase:
+
+## S — Spoofing
+Identify where authentication can be bypassed. Check: are all assets with @exposes to auth-related threats properly mitigated?
+
+## T — Tampering
+Identify where data integrity is at risk. Check: @flows without integrity controls, @handles with sensitive data lacking validation.
+
+## R — Repudiation
+Identify where actions cannot be traced. Check: are there @audit annotations? Are critical operations logged?
+
+## I — Information Disclosure
+Identify where sensitive data leaks. Check: @exposes to info-disclosure/data-exposure threats, @handles pii/phi/secrets without encryption.
+
+## D — Denial of Service
+Identify resource exhaustion risks. Check: @exposes to dos threats, rate limiting controls, boundary protections.
+
+## E — Elevation of Privilege
+Identify privilege escalation paths. Check: @exposes to bac/idor threats, @boundary gaps, missing authorization controls.
+
+For each category:
+1. List specific findings referencing actual assets and threats from the model
+2. Rate severity (Critical/High/Medium/Low)
+3. Recommend specific mitigations referencing existing controls or suggesting new ones
+4. Identify gaps — what SHOULD be annotated but isn't?
+
+End with an Executive Summary and Priority Action Items.`,
+    dread: `${SYSTEM_BASE}
+
+Perform a **DREAD** risk scoring analysis of this threat model.
+
+For each unmitigated exposure and significant threat, calculate a DREAD score:
+
+- **D — Damage Potential** (0-10): How bad if exploited?
+- **R — Reproducibility** (0-10): How easy to reproduce?
+- **E — Exploitability** (0-10): How easy to launch the attack?
+- **A — Affected Users** (0-10): How many users impacted?
+- **D — Discoverability** (0-10): How easy to find the vulnerability?
+
+Present results as a ranked table:
+
+| Threat | Asset | D | R | E | A | D | Total | Risk Level |
+|--------|-------|---|---|---|---|---|-------|------------|
+
+Then provide:
+1. Top 5 risks by DREAD score with detailed justification
+2. Quick wins — high-score items with easy mitigations
+3. Systemic risks — patterns across multiple exposures
+4. Recommended priority order for remediation`,
+    pasta: `${SYSTEM_BASE}
+
+Perform a **PASTA** (Process for Attack Simulation and Threat Analysis) assessment.
+
+Work through all 7 PASTA stages:
+
+### Stage 1: Define Objectives
+What are the business-critical assets? Which @asset declarations represent the crown jewels?
+
+### Stage 2: Define Technical Scope
+Map the attack surface from @flows, @boundary, and @handles annotations. What are the entry points?
+
+### Stage 3: Application Decomposition
+Analyze component relationships from flows and boundaries. Identify trust zones and data paths.
+
+### Stage 4: Threat Analysis
+Map declared @threat annotations to real-world attack techniques. Reference CWE/CAPEC where available.
+
+### Stage 5: Vulnerability Analysis
+Evaluate each @exposes annotation. Which are most exploitable given the technical context?
+
+### Stage 6: Attack Simulation
+For the top 3 most critical exposures, describe a realistic attack scenario step-by-step.
+
+### Stage 7: Risk & Impact Analysis
+Prioritized risk matrix with business impact assessment.
+
+End with concrete remediation recommendations tied to specific annotations.`,
+    attacker: `${SYSTEM_BASE}
+
+Perform an **Attacker Persona** analysis of this threat model.
+
+Adopt the mindset of different attacker types and evaluate the codebase:
+
+### 1. Script Kiddie (Low Skill)
+What can be exploited with publicly available tools? Which @exposes have known CVEs (check cwe: refs)?
+
+### 2. Opportunistic Attacker (Medium Skill)
+What attack chains are possible? Can multiple exposures be combined? Check @flows for lateral movement paths.
+
+### 3. Targeted Attacker (High Skill)
+What are the high-value targets (@handles pii/phi/financial/secrets)? What's the path from @boundary entry points to crown jewel assets?
+
+### 4. Insider Threat
+Which @assumes annotations represent blind spots? Where does the model trust internal components without verification?
+
+For each persona:
+1. Most likely attack vector (reference specific annotations)
+2. Attack path (chain of assets/flows/boundaries)
+3. Impact if successful
+4. Current defenses (existing @mitigates)
+5. Gaps in defense
+
+End with a prioritized defense improvement plan.`,
+    rapid: `${SYSTEM_BASE}
+
+Perform a **Rapid Risk Assessment** — concise, actionable, focused on the highest-impact items.
+
+### Critical Findings (Stop Everything)
+List any P0/critical @exposes without @mitigates. These are active vulnerabilities.
+
+### High-Priority Gaps
+- Unmitigated exposures by severity
+- @assumes that could be violated
+- @boundary without proper controls on crossing flows
+
+### Coverage Assessment
+- What percentage of assets have threat coverage?
+- Which components have @flows but no security annotations?
+- Are there @handles (sensitive data) without corresponding @mitigates?
+
+### Top 5 Recommendations
+Numbered, actionable, with specific annotation suggestions (exact @mitigates lines to add).
+
+### Risk Score
+Rate overall security posture: A (excellent) through F (critical risk). Justify with data from the model.
+
+Keep the entire analysis under 500 lines. Be direct — no filler.`,
+    general: `${SYSTEM_BASE}
+
+Perform a comprehensive threat analysis of this codebase.
+
+### Executive Summary
+2-3 sentence overall assessment.
+
+### Threat Landscape
+What threats does this application face? Map @threat declarations to real-world attack patterns.
+
+### Security Posture
+- Strengths: well-mitigated areas, good control coverage
+- Weaknesses: unmitigated exposures, missing controls
+- Blind spots: areas with no annotations at all
+
+### Data Flow Analysis
+Trace sensitive data through @flows and @boundary annotations. Where does data cross trust boundaries without protection?
+
+### Missing Annotations
+Based on the architecture visible in @flows and @boundary, what security annotations are likely missing?
+
+### Recommendations
+Prioritized list with:
+1. What to fix (specific exposure)
+2. How to fix it (specific control/mitigation)
+3. What annotation to add (exact syntax)
+
+### Compliance Considerations
+Based on @handles classifications (pii, phi, financial), note relevant compliance requirements (GDPR, HIPAA, PCI-DSS).`,
+};
+/**
+ * Build the user message containing the serialized threat model.
+ */
+export function buildUserMessage(modelJson, framework, customPrompt) {
+    const header = customPrompt
+        ? `Analyze this threat model. ${customPrompt}`
+        : `Produce a ${FRAMEWORK_LABELS[framework]} for this threat model.`;
+    return `${header}
+
+<threat_model>
+${modelJson}
+</threat_model>`;
+}
+//# sourceMappingURL=prompts.js.map

package/dist/analyze/prompts.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompts.js","sourceRoot":"","sources":["../../src/analyze/prompts.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,CAAC,MAAM,gBAAgB,GAAsC;IACjE,MAAM,EAAE,wBAAwB;IAChC,KAAK,EAAE,uBAAuB;IAC9B,KAAK,EAAE,yBAAyB;IAChC,QAAQ,EAAE,2BAA2B;IACrC,KAAK,EAAE,uBAAuB;IAC9B,OAAO,EAAE,yBAAyB;CACnC,CAAC;AAEF,MAAM,WAAW,GAAG;;;;;;;;;;;;;;6FAcyE,CAAC;AAE9F,MAAM,CAAC,MAAM,iBAAiB,GAAsC;IAClE,MAAM,EAAE,GAAG,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yDA8BiC;IAEvD,KAAK,EAAE,GAAG,WAAW;;;;;;;;;;;;;;;;;;;;;8CAqBuB;IAE5C,KAAK,EAAE,GAAG,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;4EA2BqD;IAE1E,QAAQ,EAAE,GAAG,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;iDAyBuB;IAE/C,KAAK,EAAE,GAAG,WAAW;;;;;;;;;;;;;;;;;;;;;;;iEAuB0C;IAE/D,OAAO,EAAE,GAAG,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;uHA4B8F;CACtH,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAAiB,EAAE,SAA4B,EAAE,YAAqB;IACrG,MAAM,MAAM,GAAG,YAAY;QACzB,CAAC,CAAC,8BAA8B,YAAY,EAAE;QAC9C,CAAC,CAAC,aAAa,gBAAgB,CAAC,SAAS,CAAC,yBAAyB,CAAC;IAEtE,OAAO,GAAG,MAAM;;;EAGhB,SAAS;gBACK,CAAC;AACjB,CAAC"}

package/dist/analyzer/index.d.ts

@@ -0,0 +1,5 @@
+/**
+ * GuardLink Analyzer — exports.
+ */
+export { generateSarif, type SarifOptions } from './sarif.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/analyzer/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/analyzer/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,aAAa,EAAE,KAAK,YAAY,EAAE,MAAM,YAAY,CAAC"}

package/dist/analyzer/index.js

@@ -0,0 +1,5 @@
+/**
+ * GuardLink Analyzer — exports.
+ */
+export { generateSarif } from './sarif.js';
+//# sourceMappingURL=index.js.map

package/dist/analyzer/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/analyzer/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,aAAa,EAAqB,MAAM,YAAY,CAAC"}

package/dist/analyzer/sarif.d.ts

@@ -0,0 +1,84 @@
+/**
+ * GuardLink SARIF — Convert threat model findings to SARIF 2.1.0.
+ *
+ * SARIF (Static Analysis Results Interchange Format) is consumed by:
+ *   - GitHub Advanced Security (code scanning alerts)
+ *   - VS Code SARIF Viewer extension
+ *   - Azure DevOps
+ *   - SonarQube, Snyk, etc.
+ *
+ * We emit results for:
+ *   1. Unmitigated exposures (the primary security findings)
+ *   2. Parse errors (annotation syntax problems)
+ *   3. Dangling references (broken #id refs)
+ *
+ * @exposes #sarif to #info-disclosure [low] cwe:CWE-200 -- "SARIF output contains detailed threat model findings"
+ * @accepts #info-disclosure on #sarif -- "SARIF export for security tools is the intended feature"
+ * @exposes #sarif to #arbitrary-write [high] cwe:CWE-73 -- "SARIF written to user-specified output path"
+ * @mitigates #sarif against #arbitrary-write using #path-validation -- "CLI resolves output path before write"
+ * @flows #parser -> #sarif via ThreatModel -- "SARIF generator receives parsed threat model"
+ * @flows #sarif -> External_Security_Tools via SARIF_JSON -- "Output consumed by GitHub, VS Code, etc."
+ */
+import type { ThreatModel, ParseDiagnostic, Severity } from '../types/index.js';
+interface SarifLog {
+    $schema: string;
+    version: '2.1.0';
+    runs: SarifRun[];
+}
+interface SarifRun {
+    tool: {
+        driver: {
+            name: string;
+            version: string;
+            informationUri: string;
+            rules: SarifRule[];
+        };
+    };
+    results: SarifResult[];
+}
+interface SarifRule {
+    id: string;
+    name: string;
+    shortDescription: {
+        text: string;
+    };
+    fullDescription?: {
+        text: string;
+    };
+    helpUri?: string;
+    defaultConfiguration: {
+        level: 'error' | 'warning' | 'note';
+    };
+    properties?: Record<string, unknown>;
+}
+interface SarifResult {
+    ruleId: string;
+    level: 'error' | 'warning' | 'note';
+    message: {
+        text: string;
+    };
+    locations: SarifLocation[];
+    properties?: Record<string, unknown>;
+}
+interface SarifLocation {
+    physicalLocation: {
+        artifactLocation: {
+            uri: string;
+        };
+        region: {
+            startLine: number;
+            startColumn?: number;
+        };
+    };
+}
+export interface SarifOptions {
+    /** Include parse diagnostics as results */
+    includeDiagnostics?: boolean;
+    /** Include dangling reference warnings */
+    includeDanglingRefs?: boolean;
+    /** Only include unmitigated exposures at or above this severity */
+    minSeverity?: Severity;
+}
+export declare function generateSarif(model: ThreatModel, diagnostics?: ParseDiagnostic[], danglingRefs?: ParseDiagnostic[], options?: SarifOptions): SarifLog;
+export {};
+//# sourceMappingURL=sarif.d.ts.map

package/dist/analyzer/sarif.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif.d.ts","sourceRoot":"","sources":["../../src/analyzer/sarif.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAuB,eAAe,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAIrG,UAAU,QAAQ;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,QAAQ,EAAE,CAAC;CAClB;AAED,UAAU,QAAQ;IAChB,IAAI,EAAE;QACJ,MAAM,EAAE;YACN,IAAI,EAAE,MAAM,CAAC;YACb,OAAO,EAAE,MAAM,CAAC;YAChB,cAAc,EAAE,MAAM,CAAC;YACvB,KAAK,EAAE,SAAS,EAAE,CAAC;SACpB,CAAC;KACH,CAAC;IACF,OAAO,EAAE,WAAW,EAAE,CAAC;CACxB;AAED,UAAU,SAAS;IACjB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,gBAAgB,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IACnC,eAAe,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IACnC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE;QACpB,KAAK,EAAE,OAAO,GAAG,SAAS,GAAG,MAAM,CAAC;KACrC,CAAC;IACF,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED,UAAU,WAAW;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,OAAO,GAAG,SAAS,GAAG,MAAM,CAAC;IACpC,OAAO,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAC1B,SAAS,EAAE,aAAa,EAAE,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED,UAAU,aAAa;IACrB,gBAAgB,EAAE;QAChB,gBAAgB,EAAE;YAAE,GAAG,EAAE,MAAM,CAAA;SAAE,CAAC;QAClC,MAAM,EAAE;YACN,SAAS,EAAE,MAAM,CAAC;YAClB,WAAW,CAAC,EAAE,MAAM,CAAC;SACtB,CAAC;KACH,CAAC;CACH;AAyCD,MAAM,WAAW,YAAY;IAC3B,2CAA2C;IAC3C,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,0CAA0C;IAC1C,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,mEAAmE;IACnE,WAAW,CAAC,EAAE,QAAQ,CAAC;CACxB;AAED,wBAAgB,aAAa,CAC3B,KAAK,EAAE,WAAW,EAClB,WAAW,GAAE,eAAe,EAAO,EACnC,YAAY,GAAE,eAAe,EAAO,EACpC,OAAO,GAAE,YAAiB,GACzB,QAAQ,CA+EV"}