hackmyagent 0.11.13 → 0.11.15

package/dist/nanomind-core/scanner-bridge.js

@@ -0,0 +1,317 @@
+"use strict";
+/**
+ * NanoMind Scanner Bridge
+ *
+ * Integrates AST-based analyzers into the existing HMA scan flow.
+ * Defense-in-depth: both static and AST checks run. NanoMind can
+ * UPGRADE findings (add new, increase severity) but NEVER suppress
+ * static findings.
+ *
+ * Flow:
+ *   1. verifyAll() integrity check
+ *   2. Discover security-relevant files in target directory
+ *   3. Compile each file into a SecurityAST via SemanticCompiler
+ *   4. Run ALL AST analyzers (capability, credential, governance, scope)
+ *   5. Merge AST findings with static findings using defense-in-depth rules
+ *   6. Return merged findings + integrity status
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runNanoMindScan = runNanoMindScan;
+exports.mergeFindings = mergeFindings;
+const promises_1 = require("node:fs/promises");
+const node_path_1 = require("node:path");
+const semantic_compiler_js_1 = require("./compiler/semantic-compiler.js");
+const capability_analyzer_js_1 = require("./analyzers/capability-analyzer.js");
+const credential_analyzer_js_1 = require("./analyzers/credential-analyzer.js");
+const governance_analyzer_js_1 = require("./analyzers/governance-analyzer.js");
+const scope_analyzer_js_1 = require("./analyzers/scope-analyzer.js");
+const defense_in_depth_js_1 = require("./security/defense-in-depth.js");
+const integrity_verifier_js_1 = require("./security/integrity-verifier.js");
+// ============================================================================
+// Constants
+// ============================================================================
+/**
+ * File extensions and names that are security-relevant and should be compiled
+ * into SecurityASTs. Kept intentionally broad -- the compiler's artifact
+ * classifier will set type to 'unknown' for non-matching content, and
+ * analyzers simply produce no findings for unknowns.
+ */
+const SECURITY_RELEVANT_EXTENSIONS = new Set([
+    '.md', '.json', '.yaml', '.yml', '.toml',
+    '.ts', '.js', '.py', '.go', '.rs',
+    '.env', '.cfg', '.ini', '.conf',
+]);
+const SECURITY_RELEVANT_NAMES = new Set([
+    '.env', '.cursorrules', '.clinerules', '.windsurfrules',
+    'mcp.json', 'agent.json', 'SOUL.md', 'SKILL.md', 'CLAUDE.md',
+]);
+/** Maximum file size to compile (1 MB). Larger files are skipped. */
+const MAX_FILE_SIZE = 1048576;
+/** Maximum number of files to compile per scan to bound runtime. */
+const MAX_FILES_PER_SCAN = 200;
+/**
+ * Run the NanoMind AST-based scan and merge results with existing static
+ * findings. This is the main entry point called from the scanner flow.
+ *
+ * Defense-in-depth rules:
+ *   - AST findings ADD to the list (never remove static findings)
+ *   - If AST and static both flag the same issue, use the higher severity
+ *   - If AST says benign but static flags it, static wins (suppression blocked)
+ */
+async function runNanoMindScan(targetDir, existingFindings) {
+    // Step 1: Integrity check before anything else
+    const integrity = (0, integrity_verifier_js_1.verifyAll)();
+    // If quarantined, return existing findings untouched with status
+    if (integrity.status === 'QUARANTINE') {
+        return {
+            mergedFindings: [...existingFindings],
+            astFindings: [],
+            integrityStatus: 'QUARANTINE',
+            compiledArtifacts: 0,
+            nanomindAvailable: false,
+        };
+    }
+    // Step 2: Initialize compiler (heuristic-only if degraded)
+    const useNanoMind = integrity.status === 'CLEAN';
+    const compiler = new semantic_compiler_js_1.SemanticCompiler({ useNanoMind });
+    // Step 3: Discover security-relevant files
+    const files = await discoverFiles(targetDir);
+    // Step 4: Compile each file and run analyzers
+    const allASTFindings = [];
+    let compiledCount = 0;
+    let nanomindUsedAtLeastOnce = false;
+    for (const filePath of files) {
+        try {
+            const content = await (0, promises_1.readFile)(filePath, 'utf-8');
+            const relativePath = (0, node_path_1.relative)(targetDir, filePath);
+            const result = await compiler.compile(content, relativePath);
+            compiledCount++;
+            if (result.nanomindUsed) {
+                nanomindUsedAtLeastOnce = true;
+            }
+            // Run ALL four analyzers against this AST
+            const verifier = (ast) => compiler.verifyAST(ast);
+            const findings = runAllAnalyzers(result.ast, verifier);
+            allASTFindings.push(...findings);
+        }
+        catch {
+            // Skip files that fail to read or compile -- do not block the scan
+            continue;
+        }
+    }
+    // Step 5: Merge using defense-in-depth rules
+    const mergedFindings = mergeFindings(existingFindings, allASTFindings);
+    return {
+        mergedFindings,
+        astFindings: allASTFindings,
+        integrityStatus: integrity.status,
+        compiledArtifacts: compiledCount,
+        nanomindAvailable: nanomindUsedAtLeastOnce || useNanoMind,
+    };
+}
+// ============================================================================
+// File Discovery
+// ============================================================================
+/**
+ * Recursively discover security-relevant files in the target directory.
+ * Skips node_modules, .git, dist, and other non-security directories.
+ */
+async function discoverFiles(dir) {
+    const results = [];
+    await walkDir(dir, results, 0);
+    return results.slice(0, MAX_FILES_PER_SCAN);
+}
+const SKIP_DIRS = new Set([
+    'node_modules', '.git', 'dist', 'build', 'coverage',
+    '.next', '.nuxt', '__pycache__', '.venv', 'venv',
+    '.tox', '.mypy_cache', 'target', '.cache',
+]);
+async function walkDir(dir, results, depth) {
+    if (depth > 10 || results.length >= MAX_FILES_PER_SCAN)
+        return;
+    let entries;
+    try {
+        entries = await (0, promises_1.readdir)(dir, { withFileTypes: true });
+    }
+    catch {
+        return; // Permission denied or similar
+    }
+    for (const entry of entries) {
+        if (results.length >= MAX_FILES_PER_SCAN)
+            break;
+        const fullPath = (0, node_path_1.join)(dir, entry.name);
+        if (entry.isDirectory()) {
+            if (!SKIP_DIRS.has(entry.name) && !entry.name.startsWith('.')) {
+                await walkDir(fullPath, results, depth + 1);
+            }
+            // Also check dotfiles that are security-relevant (e.g., .cursorrules)
+            if (entry.name === '.claude') {
+                await walkDir(fullPath, results, depth + 1);
+            }
+            continue;
+        }
+        if (!entry.isFile())
+            continue;
+        // Check by exact name first
+        if (SECURITY_RELEVANT_NAMES.has(entry.name)) {
+            if (await isWithinSizeLimit(fullPath)) {
+                results.push(fullPath);
+            }
+            continue;
+        }
+        // Check by extension
+        const ext = (0, node_path_1.extname)(entry.name).toLowerCase();
+        if (SECURITY_RELEVANT_EXTENSIONS.has(ext)) {
+            if (await isWithinSizeLimit(fullPath)) {
+                results.push(fullPath);
+            }
+        }
+        // Dotfiles without extension (e.g., .env.local)
+        if (entry.name.startsWith('.env')) {
+            if (await isWithinSizeLimit(fullPath)) {
+                results.push(fullPath);
+            }
+        }
+    }
+}
+async function isWithinSizeLimit(filePath) {
+    try {
+        const s = await (0, promises_1.stat)(filePath);
+        return s.size <= MAX_FILE_SIZE && s.size > 0;
+    }
+    catch {
+        return false;
+    }
+}
+// ============================================================================
+// Analyzer Orchestration
+// ============================================================================
+/**
+ * Run all four AST analyzers against a compiled SecurityAST.
+ * Each analyzer independently queries the AST structure.
+ */
+function runAllAnalyzers(ast, verifier) {
+    const findings = [];
+    // Capability analyzer does not require verifier (checks internally)
+    findings.push(...(0, capability_analyzer_js_1.analyzeCapabilities)(ast));
+    // Credential, governance, and scope analyzers require AST integrity verification
+    findings.push(...(0, credential_analyzer_js_1.analyzeCredentials)(ast, verifier));
+    findings.push(...(0, governance_analyzer_js_1.analyzeGovernance)(ast, verifier));
+    findings.push(...(0, scope_analyzer_js_1.analyzeScope)(ast, verifier));
+    return findings;
+}
+// ============================================================================
+// Finding Merge (Defense-in-Depth)
+// ============================================================================
+/**
+ * Severity rank for comparison. Higher number = more severe.
+ */
+const SEVERITY_RANK = {
+    critical: 4,
+    high: 3,
+    medium: 2,
+    low: 1,
+};
+/**
+ * Build a dedup key for matching AST findings to static findings.
+ * Two findings are considered "the same issue" if they share the same
+ * file path and a matching attack class or check ID prefix.
+ */
+function findingMatchKey(file, attackClass, checkId) {
+    const f = file ?? '__global__';
+    const a = attackClass ?? checkId.split('-').slice(0, 2).join('-');
+    return `${f}::${a}`;
+}
+/**
+ * Merge AST findings into the static findings list following defense-in-depth:
+ *
+ *   1. Start with ALL static findings (never remove any)
+ *   2. For each AST finding:
+ *      a. If it matches a static finding (same file + attack class), upgrade
+ *         severity if AST severity is higher. Never downgrade.
+ *      b. If AST says passed but static says failed for the same issue,
+ *         the static finding wins (suppression blocked via validateEnhancement).
+ *      c. If no matching static finding, add the AST finding as a new finding.
+ */
+function mergeFindings(staticFindings, astFindings) {
+    // Clone static findings so we don't mutate the originals
+    const merged = staticFindings.map(f => ({ ...f }));
+    // Index static findings by match key for O(1) lookup
+    const staticIndex = new Map();
+    for (let i = 0; i < merged.length; i++) {
+        const key = findingMatchKey(merged[i].file, merged[i].attackClass, merged[i].checkId);
+        const indices = staticIndex.get(key) ?? [];
+        indices.push(i);
+        staticIndex.set(key, indices);
+    }
+    for (const astFinding of astFindings) {
+        // Skip passed AST findings -- they don't add value in defense-in-depth
+        // (they can't suppress static findings and don't represent new issues)
+        if (astFinding.passed)
+            continue;
+        const key = findingMatchKey(astFinding.file, astFinding.attackClass, astFinding.checkId);
+        const matchIndices = staticIndex.get(key);
+        if (matchIndices && matchIndices.length > 0) {
+            // Matching static finding(s) exist -- apply defense-in-depth rules
+            for (const idx of matchIndices) {
+                const staticFinding = merged[idx];
+                // Rule: If AST says passed but static says failed, static wins
+                if (!(0, defense_in_depth_js_1.validateEnhancement)(staticFinding.passed, astFinding.passed)) {
+                    // Suppression blocked -- keep static finding as-is
+                    continue;
+                }
+                // Rule: Use the higher severity (AST can only upgrade)
+                const astSeverity = normalizeSeverity(astFinding.severity);
+                const resolvedSeverity = (0, defense_in_depth_js_1.enforceSeverityFloor)(staticFinding.severity, astSeverity);
+                merged[idx] = {
+                    ...staticFinding,
+                    severity: resolvedSeverity,
+                };
+            }
+        }
+        else {
+            // No matching static finding -- add as a new finding
+            merged.push(astFindingToSecurityFinding(astFinding));
+        }
+    }
+    return merged;
+}
+// ============================================================================
+// Conversion Helpers
+// ============================================================================
+/**
+ * Convert an ASTFinding to a SecurityFinding for the merged output.
+ * The `file` property must be truthy for findings to pass the scanner filter.
+ */
+function astFindingToSecurityFinding(ast) {
+    return {
+        checkId: ast.checkId,
+        name: ast.name,
+        description: ast.description,
+        category: ast.category,
+        severity: normalizeSeverity(ast.severity),
+        passed: ast.passed,
+        message: ast.message,
+        fixable: ast.fixable,
+        file: ast.file ?? 'ast-analysis',
+        line: ast.line,
+        fix: ast.fix,
+        guidance: ast.guidance,
+        attackClass: ast.attackClass,
+        details: {
+            source: 'nanomind-ast',
+            confidence: ast.confidence,
+            evidence: ast.evidence,
+        },
+    };
+}
+/**
+ * Normalize the 'info' severity level (used by AST analyzers) to 'low'
+ * (used by SecurityFinding). The SecurityFinding type does not include 'info'.
+ */
+function normalizeSeverity(severity) {
+    if (severity === 'info')
+        return 'low';
+    return severity;
+}
+//# sourceMappingURL=scanner-bridge.js.map

package/dist/nanomind-core/scanner-bridge.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner-bridge.js","sourceRoot":"","sources":["../../src/nanomind-core/scanner-bridge.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;AAmEH,0CA8DC;AAiJD,sCAqDC;AArUD,+CAA2D;AAC3D,yCAAoD;AAOpD,0EAAmE;AACnE,+EAAyE;AACzE,+EAAwE;AACxE,+EAAuE;AACvE,qEAA6D;AAC7D,wEAA2F;AAE3F,4EAA6D;AAE7D,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E;;;;;GAKG;AACH,MAAM,4BAA4B,GAAG,IAAI,GAAG,CAAC;IAC3C,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO;IACxC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK;IACjC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO;CAChC,CAAC,CAAC;AAEH,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,MAAM,EAAE,cAAc,EAAE,aAAa,EAAE,gBAAgB;IACvD,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW;CAC7D,CAAC,CAAC;AAEH,qEAAqE;AACrE,MAAM,aAAa,GAAG,OAAS,CAAC;AAEhC,oEAAoE;AACpE,MAAM,kBAAkB,GAAG,GAAG,CAAC;AAc/B;;;;;;;;GAQG;AACI,KAAK,UAAU,eAAe,CACnC,SAAiB,EACjB,gBAAmC;IAEnC,+CAA+C;IAC/C,MAAM,SAAS,GAAG,IAAA,iCAAS,GAAE,CAAC;IAE9B,iEAAiE;IACjE,IAAI,SAAS,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;QACtC,OAAO;YACL,cAAc,EAAE,CAAC,GAAG,gBAAgB,CAAC;YACrC,WAAW,EAAE,EAAE;YACf,eAAe,EAAE,YAAY;YAC7B,iBAAiB,EAAE,CAAC;YACpB,iBAAiB,EAAE,KAAK;SACzB,CAAC;IACJ,CAAC;IAED,2DAA2D;IAC3D,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,KAAK,OAAO,CAAC;IACjD,MAAM,QAAQ,GAAG,IAAI,uCAAgB,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC;IAEvD,2CAA2C;IAC3C,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,SAAS,CAAC,CAAC;IAE7C,8CAA8C;IAC9C,MAAM,cAAc,GAAiB,EAAE,CAAC;IACxC,IAAI,aAAa,GAAG,CAAC,CAAC;IACtB,IAAI,uBAAuB,GAAG,KAAK,CAAC;IAEpC,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,IAAA,mBAAQ,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAClD,MAAM,YAAY,GAAG,IAAA,oBAAQ,EAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YAEnD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;YAC7D,aAAa,EAAE,CAAC;YAEhB,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;gBACxB,uBAAuB,GAAG,IAAI,CAAC;YACjC,CAAC;YAED,0CAA0C;YAC1C,MAAM,QAAQ,GAAG,CAAC,GAAgB,EAAE,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YAC/D,MAAM,QAAQ,GAAG,eAAe,CAAC,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YACvD,cAAc,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,mEAAmE;YACnE,SAAS;QACX,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,MAAM,cAAc,GAAG,aAAa,CAAC,gBAAgB,EAAE,cAAc,CAAC,CAAC;IAEvE,OAAO;QACL,cAAc;QACd,WAAW,EAAE,cAAc;QAC3B,eAAe,EAAE,SAAS,CAAC,MAAM;QACjC,iBAAiB,EAAE,aAAa;QAChC,iBAAiB,EAAE,uBAAuB,IAAI,WAAW;KAC1D,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E;;;GAGG;AACH,KAAK,UAAU,aAAa,CAAC,GAAW;IACtC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,OAAO,CAAC,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;IAC/B,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,kBAAkB,CAAC,CAAC;AAC9C,CAAC;AAED,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC;IACxB,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU;IACnD,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM;IAChD,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAQ;CAC1C,CAAC,CAAC;AAEH,KAAK,UAAU,OAAO,CAAC,GAAW,EAAE,OAAiB,EAAE,KAAa;IAClE,IAAI,KAAK,GAAG,EAAE,IAAI,OAAO,CAAC,MAAM,IAAI,kBAAkB;QAAE,OAAO;IAE/D,IAAI,OAAO,CAAC;IACZ,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,IAAA,kBAAO,EAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,+BAA+B;IACzC,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,OAAO,CAAC,MAAM,IAAI,kBAAkB;YAAE,MAAM;QAEhD,MAAM,QAAQ,GAAG,IAAA,gBAAI,EAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAEvC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC9D,MAAM,OAAO,CAAC,QAAQ,EAAE,OAAO,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;YAC9C,CAAC;YACD,sEAAsE;YACtE,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBAC7B,MAAM,OAAO,CAAC,QAAQ,EAAE,OAAO,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;YAC9C,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE;YAAE,SAAS;QAE9B,4BAA4B;QAC5B,IAAI,uBAAuB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5C,IAAI,MAAM,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACtC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;YACD,SAAS;QACX,CAAC;QAED,qBAAqB;QACrB,MAAM,GAAG,GAAG,IAAA,mBAAO,EAAC,KAAK,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAC9C,IAAI,4BAA4B,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1C,IAAI,MAAM,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACtC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QAED,gDAAgD;QAChD,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAClC,IAAI,MAAM,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACtC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,QAAgB;IAC/C,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,IAAA,eAAI,EAAC,QAAQ,CAAC,CAAC;QAC/B,OAAO,CAAC,CAAC,IAAI,IAAI,aAAa,IAAI,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;;GAGG;AACH,SAAS,eAAe,CACtB,GAAgB,EAChB,QAAuC;IAEvC,MAAM,QAAQ,GAAiB,EAAE,CAAC;IAElC,oEAAoE;IACpE,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAA,4CAAmB,EAAC,GAAG,CAAC,CAAC,CAAC;IAE3C,iFAAiF;IACjF,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAA,2CAAkB,EAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;IACpD,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAA,0CAAiB,EAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;IACnD,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAA,gCAAY,EAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;IAE9C,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAC/E,mCAAmC;AACnC,+EAA+E;AAE/E;;GAEG;AACH,MAAM,aAAa,GAA6B;IAC9C,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;CACP,CAAC;AAEF;;;;GAIG;AACH,SAAS,eAAe,CAAC,IAAwB,EAAE,WAA+B,EAAE,OAAe;IACjG,MAAM,CAAC,GAAG,IAAI,IAAI,YAAY,CAAC;IAC/B,MAAM,CAAC,GAAG,WAAW,IAAI,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAClE,OAAO,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;AACtB,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAgB,aAAa,CAC3B,cAAiC,EACjC,WAAyB;IAEzB,yDAAyD;IACzD,MAAM,MAAM,GAAsB,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;IAEtE,qDAAqD;IACrD,MAAM,WAAW,GAAG,IAAI,GAAG,EAAoB,CAAC;IAChD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,GAAG,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QACtF,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAC3C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAChB,WAAW,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAChC,CAAC;IAED,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,uEAAuE;QACvE,uEAAuE;QACvE,IAAI,UAAU,CAAC,MAAM;YAAE,SAAS;QAEhC,MAAM,GAAG,GAAG,eAAe,CAAC,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,WAAW,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC;QACzF,MAAM,YAAY,GAAG,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAE1C,IAAI,YAAY,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5C,mEAAmE;YACnE,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;gBAC/B,MAAM,aAAa,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;gBAElC,+DAA+D;gBAC/D,IAAI,CAAC,IAAA,yCAAmB,EAAC,aAAa,CAAC,MAAM,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;oBAClE,mDAAmD;oBACnD,SAAS;gBACX,CAAC;gBAED,uDAAuD;gBACvD,MAAM,WAAW,GAAG,iBAAiB,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;gBAC3D,MAAM,gBAAgB,GAAG,IAAA,0CAAoB,EAC3C,aAAa,CAAC,QAAyB,EACvC,WAA4B,CAC7B,CAAC;gBACF,MAAM,CAAC,GAAG,CAAC,GAAG;oBACZ,GAAG,aAAa;oBAChB,QAAQ,EAAE,gBAA4B;iBACvC,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,qDAAqD;YACrD,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,UAAU,CAAC,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E;;;GAGG;AACH,SAAS,2BAA2B,CAAC,GAAe;IAClD,OAAO;QACL,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,QAAQ,EAAE,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC;QACzC,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,cAAc;QAChC,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,GAAG,EAAE,GAAG,CAAC,GAAG;QACZ,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,OAAO,EAAE;YACP,MAAM,EAAE,cAAc;YACtB,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,QAAQ,EAAE,GAAG,CAAC,QAAQ;SACvB;KACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,iBAAiB,CAAC,QAAgC;IACzD,IAAI,QAAQ,KAAK,MAAM;QAAE,OAAO,KAAK,CAAC;IACtC,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/nanomind-core/security/defense-in-depth.d.ts

@@ -0,0 +1,99 @@
+/**
+ * NanoMind Defense-in-Depth
+ *
+ * Core security principle: NanoMind is ADVISORY, never AUTHORITATIVE.
+ * Even a fully compromised NanoMind gains the attacker nothing.
+ *
+ * Rules:
+ * 1. NanoMind can UPGRADE findings (add, increase severity) but NEVER SUPPRESS
+ * 2. Static checks always run regardless of NanoMind's opinion
+ * 3. Simulation validates independently -- two systems must agree
+ * 4. NanoMind has zero access to credentials, secrets, or sensitive data
+ * 5. NanoMind daemon is sandboxed: localhost only, no filesystem beyond model
+ * 6. AST signatures verified at every consumer
+ * 7. Training data provenance tracked and Claude-reviewed
+ * 8. A finding from static analysis can never be removed by NanoMind
+ */
+import type { SecurityAST, IntentClass } from '../types.js';
+export type SeverityLevel = 'critical' | 'high' | 'medium' | 'low' | 'info';
+/**
+ * Enforce that NanoMind can only upgrade severity, never downgrade.
+ * If static analysis says HIGH, NanoMind can upgrade to CRITICAL
+ * but can NEVER downgrade to LOW or suppress the finding.
+ *
+ * This means even if NanoMind is compromised and always returns "benign",
+ * static findings are never suppressed.
+ */
+export declare function enforceSeverityFloor(staticSeverity: SeverityLevel, nanomindSeverity: SeverityLevel): SeverityLevel;
+/**
+ * Validate that a NanoMind enhancement never suppresses a static finding.
+ * Returns true if the enhancement is valid (doesn't suppress).
+ */
+export declare function validateEnhancement(staticFindingPassed: boolean, nanomindSaysPassed: boolean): boolean;
+/**
+ * Require agreement between NanoMind and at least one other system
+ * before classifying an artifact as definitively benign.
+ *
+ * NanoMind alone saying "benign" is not sufficient.
+ * Static checks must also show zero findings.
+ */
+export declare function requireBenignConsensus(nanomindIntent: IntentClass, staticFindingCount: number, simulationVerdict?: 'CLEAN' | 'SUSPICIOUS' | 'MALICIOUS'): {
+    finalClassification: IntentClass;
+    consensusReached: boolean;
+    reason: string;
+};
+/**
+ * Strip ALL credential-like content before sending to NanoMind.
+ * This goes beyond the input sanitizer (which strips meta-instructions).
+ * This strips actual secrets so NanoMind never sees real credentials.
+ *
+ * Even if the daemon is compromised, it cannot exfiltrate credentials
+ * because it never received them.
+ */
+export declare function redactSecretsForNanoMind(content: string): string;
+/**
+ * Verify AST hasn't been tampered with before any analyzer consumes it.
+ * Every analyzer MUST call this before processing.
+ */
+export declare function assertASTIntegrity(ast: SecurityAST, verifier: (ast: SecurityAST) => boolean): void;
+export declare class SecurityError extends Error {
+    constructor(message: string);
+}
+export interface TrainingDataProvenance {
+    /** SHA-256 hash of the training sample */
+    contentHash: string;
+    /** Where this sample came from */
+    source: 'registry_scan' | 'simulation' | 'attack_session' | 'hma_payload' | 'dvaa' | 'manual';
+    /** Who/what labeled it */
+    labeledBy: 'heuristic' | 'nanomind' | 'claude_review' | 'human';
+    /** Confidence in the label */
+    confidence: number;
+    /** When it was created */
+    createdAt: string;
+    /** Has this been reviewed by Claude? */
+    claudeReviewed: boolean;
+    /** Signature of the provenance record */
+    signature: string;
+}
+/**
+ * Verify that a training sample has valid provenance.
+ * Samples without provenance are rejected from training.
+ */
+export declare function verifyTrainingProvenance(provenance: TrainingDataProvenance): boolean;
+export interface NanoMindAuditEvent {
+    timestamp: string;
+    event: 'classification' | 'suppression_blocked' | 'ast_tamper_detected' | 'secret_redacted' | 'manipulation_detected' | 'consensus_override';
+    details: string;
+    artifactHash?: string;
+    severity: 'info' | 'warning' | 'critical';
+}
+/**
+ * Log a NanoMind security event. These events are immutable and
+ * should be forwarded to the transparency log.
+ */
+export declare function logSecurityEvent(event: Omit<NanoMindAuditEvent, 'timestamp'>): void;
+/**
+ * Get all audit events since a given timestamp.
+ */
+export declare function getAuditEvents(since?: string): NanoMindAuditEvent[];
+//# sourceMappingURL=defense-in-depth.d.ts.map

package/dist/nanomind-core/security/defense-in-depth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"defense-in-depth.d.ts","sourceRoot":"","sources":["../../../src/nanomind-core/security/defense-in-depth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAM5D,MAAM,MAAM,aAAa,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAU5E;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,cAAc,EAAE,aAAa,EAC7B,gBAAgB,EAAE,aAAa,GAC9B,aAAa,CAMf;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CACjC,mBAAmB,EAAE,OAAO,EAC5B,kBAAkB,EAAE,OAAO,GAC1B,OAAO,CAMT;AAMD;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,cAAc,EAAE,WAAW,EAC3B,kBAAkB,EAAE,MAAM,EAC1B,iBAAiB,CAAC,EAAE,OAAO,GAAG,YAAY,GAAG,WAAW,GACvD;IACD,mBAAmB,EAAE,WAAW,CAAC;IACjC,gBAAgB,EAAE,OAAO,CAAC;IAC1B,MAAM,EAAE,MAAM,CAAC;CAChB,CA8CA;AAMD;;;;;;;GAOG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAqBhE;AAMD;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,GAAG,EAAE,WAAW,EAChB,QAAQ,EAAE,CAAC,GAAG,EAAE,WAAW,KAAK,OAAO,GACtC,IAAI,CAaN;AAED,qBAAa,aAAc,SAAQ,KAAK;gBAC1B,OAAO,EAAE,MAAM;CAI5B;AAMD,MAAM,WAAW,sBAAsB;IACrC,0CAA0C;IAC1C,WAAW,EAAE,MAAM,CAAC;IACpB,kCAAkC;IAClC,MAAM,EAAE,eAAe,GAAG,YAAY,GAAG,gBAAgB,GAAG,aAAa,GAAG,MAAM,GAAG,QAAQ,CAAC;IAC9F,0BAA0B;IAC1B,SAAS,EAAE,WAAW,GAAG,UAAU,GAAG,eAAe,GAAG,OAAO,CAAC;IAChE,8BAA8B;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,0BAA0B;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,wCAAwC;IACxC,cAAc,EAAE,OAAO,CAAC;IACxB,yCAAyC;IACzC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,UAAU,EAAE,sBAAsB,GAAG,OAAO,CAYpF;AAMD,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,gBAAgB,GAAG,qBAAqB,GAAG,qBAAqB,GAAG,iBAAiB,GAAG,uBAAuB,GAAG,oBAAoB,CAAC;IAC7I,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,UAAU,CAAC;CAC3C;AAID;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,IAAI,CAAC,kBAAkB,EAAE,WAAW,CAAC,GAAG,IAAI,CAKnF;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,kBAAkB,EAAE,CAGnE"}

package/dist/nanomind-core/security/defense-in-depth.js

@@ -0,0 +1,206 @@
+"use strict";
+/**
+ * NanoMind Defense-in-Depth
+ *
+ * Core security principle: NanoMind is ADVISORY, never AUTHORITATIVE.
+ * Even a fully compromised NanoMind gains the attacker nothing.
+ *
+ * Rules:
+ * 1. NanoMind can UPGRADE findings (add, increase severity) but NEVER SUPPRESS
+ * 2. Static checks always run regardless of NanoMind's opinion
+ * 3. Simulation validates independently -- two systems must agree
+ * 4. NanoMind has zero access to credentials, secrets, or sensitive data
+ * 5. NanoMind daemon is sandboxed: localhost only, no filesystem beyond model
+ * 6. AST signatures verified at every consumer
+ * 7. Training data provenance tracked and Claude-reviewed
+ * 8. A finding from static analysis can never be removed by NanoMind
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecurityError = void 0;
+exports.enforceSeverityFloor = enforceSeverityFloor;
+exports.validateEnhancement = validateEnhancement;
+exports.requireBenignConsensus = requireBenignConsensus;
+exports.redactSecretsForNanoMind = redactSecretsForNanoMind;
+exports.assertASTIntegrity = assertASTIntegrity;
+exports.verifyTrainingProvenance = verifyTrainingProvenance;
+exports.logSecurityEvent = logSecurityEvent;
+exports.getAuditEvents = getAuditEvents;
+const SEVERITY_ORDER = {
+    critical: 5,
+    high: 4,
+    medium: 3,
+    low: 2,
+    info: 1,
+};
+/**
+ * Enforce that NanoMind can only upgrade severity, never downgrade.
+ * If static analysis says HIGH, NanoMind can upgrade to CRITICAL
+ * but can NEVER downgrade to LOW or suppress the finding.
+ *
+ * This means even if NanoMind is compromised and always returns "benign",
+ * static findings are never suppressed.
+ */
+function enforceSeverityFloor(staticSeverity, nanomindSeverity) {
+    const staticRank = SEVERITY_ORDER[staticSeverity];
+    const nmRank = SEVERITY_ORDER[nanomindSeverity];
+    // NanoMind can only make it MORE severe, never less
+    return nmRank >= staticRank ? nanomindSeverity : staticSeverity;
+}
+/**
+ * Validate that a NanoMind enhancement never suppresses a static finding.
+ * Returns true if the enhancement is valid (doesn't suppress).
+ */
+function validateEnhancement(staticFindingPassed, nanomindSaysPassed) {
+    // Static said FAIL → NanoMind cannot change it to PASS
+    if (!staticFindingPassed && nanomindSaysPassed) {
+        return false; // BLOCKED: suppression attempt
+    }
+    return true;
+}
+// ============================================================================
+// Rule 3: Two-System Agreement for Benign Classification
+// ============================================================================
+/**
+ * Require agreement between NanoMind and at least one other system
+ * before classifying an artifact as definitively benign.
+ *
+ * NanoMind alone saying "benign" is not sufficient.
+ * Static checks must also show zero findings.
+ */
+function requireBenignConsensus(nanomindIntent, staticFindingCount, simulationVerdict) {
+    // If static found issues, NanoMind's "benign" is overruled
+    if (nanomindIntent === 'benign' && staticFindingCount > 0) {
+        return {
+            finalClassification: 'suspicious',
+            consensusReached: false,
+            reason: `NanoMind says benign but ${staticFindingCount} static finding(s) exist. Static findings cannot be suppressed.`,
+        };
+    }
+    // If NanoMind says malicious, trust it (it can only upgrade)
+    if (nanomindIntent === 'malicious') {
+        return {
+            finalClassification: 'malicious',
+            consensusReached: true,
+            reason: 'NanoMind classified as malicious. Malicious classifications are always trusted (can only upgrade).',
+        };
+    }
+    // If simulation ran and disagrees with NanoMind
+    if (simulationVerdict === 'MALICIOUS' && nanomindIntent === 'benign') {
+        return {
+            finalClassification: 'malicious',
+            consensusReached: false,
+            reason: 'Simulation observed malicious behavior. NanoMind benign classification overruled by behavioral evidence.',
+        };
+    }
+    // Consensus: NanoMind benign + zero static findings + simulation clean (or not run)
+    if (nanomindIntent === 'benign' && staticFindingCount === 0) {
+        const simClean = !simulationVerdict || simulationVerdict === 'CLEAN';
+        return {
+            finalClassification: 'benign',
+            consensusReached: simClean,
+            reason: simClean
+                ? 'Consensus: NanoMind benign + zero static findings + simulation clean.'
+                : 'NanoMind benign + zero static findings, but simulation not yet run.',
+        };
+    }
+    // Default: suspicious when no consensus
+    return {
+        finalClassification: 'suspicious',
+        consensusReached: false,
+        reason: 'No consensus reached. Treated as suspicious until verified.',
+    };
+}
+// ============================================================================
+// Rule 4: NanoMind Has Zero Access to Secrets
+// ============================================================================
+/**
+ * Strip ALL credential-like content before sending to NanoMind.
+ * This goes beyond the input sanitizer (which strips meta-instructions).
+ * This strips actual secrets so NanoMind never sees real credentials.
+ *
+ * Even if the daemon is compromised, it cannot exfiltrate credentials
+ * because it never received them.
+ */
+function redactSecretsForNanoMind(content) {
+    let redacted = content;
+    // API keys
+    redacted = redacted.replace(/sk-ant-api\d{2}-[a-zA-Z0-9_-]{20,}/g, '[REDACTED_ANTHROPIC_KEY]');
+    redacted = redacted.replace(/sk-proj-[a-zA-Z0-9]{20,}/g, '[REDACTED_OPENAI_KEY]');
+    redacted = redacted.replace(/AKIA[0-9A-Z]{16}/g, '[REDACTED_AWS_KEY]');
+    redacted = redacted.replace(/ghp_[a-zA-Z0-9]{36}/g, '[REDACTED_GITHUB_TOKEN]');
+    redacted = redacted.replace(/glpat-[a-zA-Z0-9_-]{20,}/g, '[REDACTED_GITLAB_TOKEN]');
+    // Generic secret patterns
+    redacted = redacted.replace(/-----BEGIN [A-Z ]+ KEY-----[\s\S]*?-----END [A-Z ]+ KEY-----/g, '[REDACTED_PRIVATE_KEY]');
+    redacted = redacted.replace(/(?:password|secret|token|key)\s*[=:]\s*['"][^'"]{8,}['"]/gi, (match) => {
+        const prefix = match.split(/[=:]/)[0];
+        return `${prefix}=[REDACTED]`;
+    });
+    // Connection strings
+    redacted = redacted.replace(/(?:postgres|mysql|mongodb|redis):\/\/[^\s'"]+/gi, '[REDACTED_CONNECTION_STRING]');
+    return redacted;
+}
+// ============================================================================
+// Rule 6: AST Integrity Verification
+// ============================================================================
+/**
+ * Verify AST hasn't been tampered with before any analyzer consumes it.
+ * Every analyzer MUST call this before processing.
+ */
+function assertASTIntegrity(ast, verifier) {
+    if (!ast.signature) {
+        throw new SecurityError('AST has no signature. Refusing to process unsigned AST.');
+    }
+    if (!ast.contentHash) {
+        throw new SecurityError('AST has no content hash. Refusing to process.');
+    }
+    if (!verifier(ast)) {
+        throw new SecurityError('AST signature verification FAILED. The AST may have been tampered with. ' +
+            'This is a critical security event that should be investigated.');
+    }
+}
+class SecurityError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'SecurityError';
+    }
+}
+exports.SecurityError = SecurityError;
+/**
+ * Verify that a training sample has valid provenance.
+ * Samples without provenance are rejected from training.
+ */
+function verifyTrainingProvenance(provenance) {
+    if (!provenance.contentHash)
+        return false;
+    if (!provenance.source)
+        return false;
+    if (!provenance.labeledBy)
+        return false;
+    if (provenance.confidence < 0 || provenance.confidence > 1)
+        return false;
+    // High-risk: samples from external sources must be Claude-reviewed
+    if (provenance.source === 'registry_scan' && !provenance.claudeReviewed) {
+        return false; // External data must be validated before training
+    }
+    return true;
+}
+const auditLog = [];
+/**
+ * Log a NanoMind security event. These events are immutable and
+ * should be forwarded to the transparency log.
+ */
+function logSecurityEvent(event) {
+    auditLog.push({
+        ...event,
+        timestamp: new Date().toISOString(),
+    });
+}
+/**
+ * Get all audit events since a given timestamp.
+ */
+function getAuditEvents(since) {
+    if (!since)
+        return [...auditLog];
+    return auditLog.filter(e => e.timestamp >= since);
+}
+//# sourceMappingURL=defense-in-depth.js.map

package/dist/nanomind-core/security/defense-in-depth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"defense-in-depth.js","sourceRoot":"","sources":["../../../src/nanomind-core/security/defense-in-depth.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;;AA0BH,oDASC;AAMD,kDASC;AAaD,wDAsDC;AAcD,4DAqBC;AAUD,gDAgBC;AAkCD,4DAYC;AAoBD,4CAKC;AAKD,wCAGC;AAvPD,MAAM,cAAc,GAAkC;IACpD,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACR,CAAC;AAEF;;;;;;;GAOG;AACH,SAAgB,oBAAoB,CAClC,cAA6B,EAC7B,gBAA+B;IAE/B,MAAM,UAAU,GAAG,cAAc,CAAC,cAAc,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,cAAc,CAAC,gBAAgB,CAAC,CAAC;IAEhD,oDAAoD;IACpD,OAAO,MAAM,IAAI,UAAU,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,cAAc,CAAC;AAClE,CAAC;AAED;;;GAGG;AACH,SAAgB,mBAAmB,CACjC,mBAA4B,EAC5B,kBAA2B;IAE3B,uDAAuD;IACvD,IAAI,CAAC,mBAAmB,IAAI,kBAAkB,EAAE,CAAC;QAC/C,OAAO,KAAK,CAAC,CAAC,+BAA+B;IAC/C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,+EAA+E;AAC/E,yDAAyD;AACzD,+EAA+E;AAE/E;;;;;;GAMG;AACH,SAAgB,sBAAsB,CACpC,cAA2B,EAC3B,kBAA0B,EAC1B,iBAAwD;IAMxD,2DAA2D;IAC3D,IAAI,cAAc,KAAK,QAAQ,IAAI,kBAAkB,GAAG,CAAC,EAAE,CAAC;QAC1D,OAAO;YACL,mBAAmB,EAAE,YAAY;YACjC,gBAAgB,EAAE,KAAK;YACvB,MAAM,EAAE,4BAA4B,kBAAkB,iEAAiE;SACxH,CAAC;IACJ,CAAC;IAED,6DAA6D;IAC7D,IAAI,cAAc,KAAK,WAAW,EAAE,CAAC;QACnC,OAAO;YACL,mBAAmB,EAAE,WAAW;YAChC,gBAAgB,EAAE,IAAI;YACtB,MAAM,EAAE,oGAAoG;SAC7G,CAAC;IACJ,CAAC;IAED,gDAAgD;IAChD,IAAI,iBAAiB,KAAK,WAAW,IAAI,cAAc,KAAK,QAAQ,EAAE,CAAC;QACrE,OAAO;YACL,mBAAmB,EAAE,WAAW;YAChC,gBAAgB,EAAE,KAAK;YACvB,MAAM,EAAE,0GAA0G;SACnH,CAAC;IACJ,CAAC;IAED,oFAAoF;IACpF,IAAI,cAAc,KAAK,QAAQ,IAAI,kBAAkB,KAAK,CAAC,EAAE,CAAC;QAC5D,MAAM,QAAQ,GAAG,CAAC,iBAAiB,IAAI,iBAAiB,KAAK,OAAO,CAAC;QACrE,OAAO;YACL,mBAAmB,EAAE,QAAQ;YAC7B,gBAAgB,EAAE,QAAQ;YAC1B,MAAM,EAAE,QAAQ;gBACd,CAAC,CAAC,uEAAuE;gBACzE,CAAC,CAAC,qEAAqE;SAC1E,CAAC;IACJ,CAAC;IAED,wCAAwC;IACxC,OAAO;QACL,mBAAmB,EAAE,YAAY;QACjC,gBAAgB,EAAE,KAAK;QACvB,MAAM,EAAE,6DAA6D;KACtE,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,8CAA8C;AAC9C,+EAA+E;AAE/E;;;;;;;GAOG;AACH,SAAgB,wBAAwB,CAAC,OAAe;IACtD,IAAI,QAAQ,GAAG,OAAO,CAAC;IAEvB,WAAW;IACX,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,qCAAqC,EAAE,0BAA0B,CAAC,CAAC;IAC/F,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,2BAA2B,EAAE,uBAAuB,CAAC,CAAC;IAClF,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,mBAAmB,EAAE,oBAAoB,CAAC,CAAC;IACvE,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,sBAAsB,EAAE,yBAAyB,CAAC,CAAC;IAC/E,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,2BAA2B,EAAE,yBAAyB,CAAC,CAAC;IAEpF,0BAA0B;IAC1B,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,+DAA+D,EAAE,wBAAwB,CAAC,CAAC;IACvH,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,4DAA4D,EAAE,CAAC,KAAK,EAAE,EAAE;QAClG,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QACtC,OAAO,GAAG,MAAM,aAAa,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,qBAAqB;IACrB,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,iDAAiD,EAAE,8BAA8B,CAAC,CAAC;IAE/G,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAC/E,qCAAqC;AACrC,+EAA+E;AAE/E;;;GAGG;AACH,SAAgB,kBAAkB,CAChC,GAAgB,EAChB,QAAuC;IAEvC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;QACnB,MAAM,IAAI,aAAa,CAAC,yDAAyD,CAAC,CAAC;IACrF,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;QACrB,MAAM,IAAI,aAAa,CAAC,+CAA+C,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACnB,MAAM,IAAI,aAAa,CACrB,0EAA0E;YAC1E,gEAAgE,CACjE,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAa,aAAc,SAAQ,KAAK;IACtC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;CACF;AALD,sCAKC;AAuBD;;;GAGG;AACH,SAAgB,wBAAwB,CAAC,UAAkC;IACzE,IAAI,CAAC,UAAU,CAAC,WAAW;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,CAAC,UAAU,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACrC,IAAI,CAAC,UAAU,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,UAAU,CAAC,UAAU,GAAG,CAAC,IAAI,UAAU,CAAC,UAAU,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAEzE,mEAAmE;IACnE,IAAI,UAAU,CAAC,MAAM,KAAK,eAAe,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;QACxE,OAAO,KAAK,CAAC,CAAC,kDAAkD;IAClE,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAcD,MAAM,QAAQ,GAAyB,EAAE,CAAC;AAE1C;;;GAGG;AACH,SAAgB,gBAAgB,CAAC,KAA4C;IAC3E,QAAQ,CAAC,IAAI,CAAC;QACZ,GAAG,KAAK;QACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAAC,KAAc;IAC3C,IAAI,CAAC,KAAK;QAAE,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAC;IACjC,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,KAAK,CAAC,CAAC;AACpD,CAAC"}