kuzushi 0.2.0 → 0.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (87) hide show
  1. package/README.md +2 -0
  2. package/dist/agent-runtime/claude.js +15 -3
  3. package/dist/agent-runtime/claude.js.map +1 -1
  4. package/dist/agents/tasks/code-config-detect.js +3 -0
  5. package/dist/agents/tasks/code-config-detect.js.map +1 -1
  6. package/dist/agents/tasks/command-injection.js +10 -8
  7. package/dist/agents/tasks/command-injection.js.map +1 -1
  8. package/dist/agents/tasks/context-enricher.js +2 -0
  9. package/dist/agents/tasks/context-enricher.js.map +1 -1
  10. package/dist/agents/tasks/deserialization-detection.js +4 -1
  11. package/dist/agents/tasks/deserialization-detection.js.map +1 -1
  12. package/dist/agents/tasks/graphql-security.js +4 -1
  13. package/dist/agents/tasks/graphql-security.js.map +1 -1
  14. package/dist/agents/tasks/nosql-injection.js +6 -3
  15. package/dist/agents/tasks/nosql-injection.js.map +1 -1
  16. package/dist/agents/tasks/prototype-pollution.js +4 -1
  17. package/dist/agents/tasks/prototype-pollution.js.map +1 -1
  18. package/dist/agents/tasks/race-condition.js +4 -1
  19. package/dist/agents/tasks/race-condition.js.map +1 -1
  20. package/dist/agents/tasks/secrets-crypto-detect.js +3 -0
  21. package/dist/agents/tasks/secrets-crypto-detect.js.map +1 -1
  22. package/dist/agents/tasks/sharp-edges-detect.js +5 -0
  23. package/dist/agents/tasks/sharp-edges-detect.js.map +1 -1
  24. package/dist/agents/tasks/ssrf-detection.js +6 -1
  25. package/dist/agents/tasks/ssrf-detection.js.map +1 -1
  26. package/dist/agents/tasks/supply-chain.js +4 -1
  27. package/dist/agents/tasks/supply-chain.js.map +1 -1
  28. package/dist/agents/tasks/template-injection.js +6 -3
  29. package/dist/agents/tasks/template-injection.js.map +1 -1
  30. package/dist/agents/tasks/threat-modeling/randori-adapter.js +19 -2
  31. package/dist/agents/tasks/threat-modeling/randori-adapter.js.map +1 -1
  32. package/dist/agents/tasks/threat-modeling/randori-artifacts.js +69 -13
  33. package/dist/agents/tasks/threat-modeling/randori-artifacts.js.map +1 -1
  34. package/dist/agents/tasks/threat-modeling/randori.js +70 -30
  35. package/dist/agents/tasks/threat-modeling/randori.js.map +1 -1
  36. package/dist/agents/tasks/xxe-detection.js +4 -1
  37. package/dist/agents/tasks/xxe-detection.js.map +1 -1
  38. package/dist/cli/commands/scan.js +35 -5
  39. package/dist/cli/commands/scan.js.map +1 -1
  40. package/dist/cli.js +2 -1
  41. package/dist/cli.js.map +1 -1
  42. package/dist/migrations/024_rename_scanner_to_task_id.d.ts +13 -0
  43. package/dist/migrations/024_rename_scanner_to_task_id.js +25 -0
  44. package/dist/migrations/024_rename_scanner_to_task_id.js.map +1 -0
  45. package/dist/migrations/index.js +2 -0
  46. package/dist/migrations/index.js.map +1 -1
  47. package/dist/migrations/runner.js +7 -0
  48. package/dist/migrations/runner.js.map +1 -1
  49. package/dist/prompts/language-tuning.d.ts +38 -0
  50. package/dist/prompts/language-tuning.js +225 -0
  51. package/dist/prompts/language-tuning.js.map +1 -0
  52. package/dist/prompts/languages/c-cpp.d.ts +2 -0
  53. package/dist/prompts/languages/c-cpp.js +276 -0
  54. package/dist/prompts/languages/c-cpp.js.map +1 -0
  55. package/dist/prompts/languages/go.d.ts +2 -0
  56. package/dist/prompts/languages/go.js +252 -0
  57. package/dist/prompts/languages/go.js.map +1 -0
  58. package/dist/prompts/languages/index.d.ts +6 -0
  59. package/dist/prompts/languages/index.js +44 -0
  60. package/dist/prompts/languages/index.js.map +1 -0
  61. package/dist/prompts/languages/java-kotlin.d.ts +2 -0
  62. package/dist/prompts/languages/java-kotlin.js +495 -0
  63. package/dist/prompts/languages/java-kotlin.js.map +1 -0
  64. package/dist/prompts/languages/javascript-typescript.d.ts +2 -0
  65. package/dist/prompts/languages/javascript-typescript.js +421 -0
  66. package/dist/prompts/languages/javascript-typescript.js.map +1 -0
  67. package/dist/prompts/languages/php.d.ts +2 -0
  68. package/dist/prompts/languages/php.js +277 -0
  69. package/dist/prompts/languages/php.js.map +1 -0
  70. package/dist/prompts/languages/python.d.ts +2 -0
  71. package/dist/prompts/languages/python.js +283 -0
  72. package/dist/prompts/languages/python.js.map +1 -0
  73. package/dist/prompts/languages/ruby.d.ts +2 -0
  74. package/dist/prompts/languages/ruby.js +219 -0
  75. package/dist/prompts/languages/ruby.js.map +1 -0
  76. package/dist/prompts/languages/rust.d.ts +2 -0
  77. package/dist/prompts/languages/rust.js +149 -0
  78. package/dist/prompts/languages/rust.js.map +1 -0
  79. package/dist/prompts/languages/types.d.ts +79 -0
  80. package/dist/prompts/languages/types.js +9 -0
  81. package/dist/prompts/languages/types.js.map +1 -0
  82. package/dist/scanners/run-agentic.d.ts +2 -2
  83. package/dist/scanners/run-agentic.js +11 -3
  84. package/dist/scanners/run-agentic.js.map +1 -1
  85. package/dist/store.js +4 -0
  86. package/dist/store.js.map +1 -1
  87. package/package.json +1 -1
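--- /dev/null
+++ b/package/dist/prompts/languages/java-kotlin.js
@@ -0,0 +1,495 @@
+// NOTE: This file contains DETECTION PATTERNS for a security scanner.
+// The API references are DETECTION TARGETS describing what the scanner
+// looks for in scanned codebases, not code this file executes.
+export const javaKotlinProfile = {
+languageId: "Java/Kotlin",
+aliases: ["java", "kotlin", "jvm", "kt"],
+generalHints: {
+grepPatterns: [
+"@RestController",
+"@Controller",
+"@RequestMapping",
+"@GetMapping",
+"@PostMapping",
+"@Service",
+"@Component",
+"HttpServlet",
+"doGet\\(",
+"doPost\\(",
+],
+fileHints: [
+"pom.xml for Maven dependency versions and plugin configuration",
+"build.gradle / build.gradle.kts for Gradle dependency versions",
+"application.properties / application.yml for Spring Boot configuration",
+"web.xml for servlet mappings and filter chains",
+"SecurityConfig.java for Spring Security filter chain and auth rules",
+"persistence.xml / hibernate.cfg.xml for JPA/Hibernate settings",
+],
+instructions: [
+"Check Spring Security configuration for permitAll on sensitive endpoints and CSRF settings",
+"Look for JNDI lookup calls — especially with user-controlled names (Log4Shell pattern)",
+"Inspect Jackson ObjectMapper configuration for enableDefaultTyping or polymorphic type handling",
+"Check for @CrossOrigin annotations with overly permissive origins",
+],
+},
+generalAntiHallucination: [
+"Spring Data JPA repository methods with derived queries (findByName, etc.) use parameterized queries — they are SAFE against SQL injection",
+"Spring Security enables CSRF protection by default — do NOT flag CSRF unless it is explicitly disabled",
+"Hibernate parameter binding via :paramName or ?1 prevents SQL injection — do NOT flag parameterized HQL/JPQL",
+],
+vulnClasses: {
+deserialization: {
+sinks: [
+{ api: "ObjectInputStream.readObject()", risk: "Deserializes arbitrary Java objects — gadget chains enable RCE via crafted byte streams", cwes: ["CWE-502"] },
+{ api: "XMLDecoder.readObject()", risk: "Deserializes Java objects from XML — allows arbitrary method invocation", cwes: ["CWE-502"] },
+{ api: "XStream without security framework", risk: "Converts XML/JSON to Java objects — exploitable without allowlist via crafted type references", cwes: ["CWE-502"] },
+{ api: "ObjectMapper.enableDefaultTyping()", risk: "Jackson polymorphic deserialization allows instantiation of arbitrary classes from JSON type hints", cwes: ["CWE-502"] },
+{ api: "Kryo without class registration", risk: "Kryo deserializes arbitrary classes when setRegistrationRequired(false)", cwes: ["CWE-502"] },
+],
+safePatterns: [
+{ api: "Jackson ObjectMapper without polymorphic type handling", why: "Default Jackson only deserializes to the declared target type — no arbitrary class instantiation" },
+{ api: "JSON-only processing (Gson, Jackson default)", why: "Plain JSON parsing to concrete types does not invoke gadget chains" },
+{ api: "XStream with setupDefaultSecurity() and allowTypes()", why: "Allowlist restricts deserializable classes" },
+{ api: "ObjectInputFilter (JEP 290)", why: "Java 9+ deserialization filter restricts classes during readObject()" },
+],
+investigationHints: {
+grepPatterns: [
+"ObjectInputStream",
+"readObject\\(",
+"XMLDecoder",
+"enableDefaultTyping",
+"XStream",
+"Kryo",
+"setRegistrationRequired",
+],
+fileHints: [
+"RMI service implementations and remote interfaces",
+"JMS message consumers and message-driven beans",
+"Custom HTTP message converters or servlet filters that read request body",
+"Cache serialization configuration (Redis, Hazelcast, EhCache)",
+"Session persistence / clustering configuration",
+],
+instructions: [
+"Check if ObjectInputStream reads data from HTTP requests, message queues, or network sockets",
+"Look for RMI endpoints — Java RMI uses ObjectInputStream by default",
+"Inspect Jackson ObjectMapper configuration for activateDefaultTyping or enableDefaultTyping calls",
+"Check XStream instances — are they configured with allowTypes or setupDefaultSecurity?",
+"Look for Kryo instances — is setRegistrationRequired(true) called?",
+],
+},
+fewShots: [
+{
+scenario: "RMI endpoint accepting serialized objects",
+vulnerableCode: 'public class RemoteServiceImpl extends UnicastRemoteObject implements RemoteService {\n public Object processData(byte[] data) throws RemoteException {\n ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));\n return ois.readObject();\n }\n}',
+explanation: "data is attacker-controlled byte array deserialized via ObjectInputStream. Attacker sends crafted serialized object with gadget chain (e.g., Commons Collections) to achieve RCE.",
+},
+],
+frameworkGuidance: [
+{
+framework: "Spring Boot",
+defaults: ["Spring Boot uses Jackson with safe defaults (no polymorphic typing) for REST endpoints"],
+pitfalls: [
+"Custom ObjectMapper beans may enable defaultTyping globally",
+"Spring Session with Redis may use Java serialization by default",
+"Spring Remoting (HttpInvoker, RMI) uses ObjectInputStream",
+],
+configChecks: [
+"Check for ObjectMapper bean configuration in @Configuration classes",
+"Check spring.session.store-type and serializer settings",
+"Check for spring.remoting or HttpInvokerServiceExporter beans",
+],
+},
+{
+framework: "Jakarta EE",
+defaults: ["JSON-B / JSON-P are safe for plain JSON processing"],
+pitfalls: [
+"JMS ObjectMessage uses Java serialization",
+"EJB remote interfaces use Java serialization over RMI/IIOP",
+"Custom JAX-RS MessageBodyReaders may use ObjectInputStream",
+],
+configChecks: [
+"Check JMS consumer code for ObjectMessage usage",
+"Check remote EJB interfaces and their transport",
+],
+},
+],
+antiHallucinationExtra: [
+"Jackson ObjectMapper without enableDefaultTyping/activateDefaultTyping is SAFE — do NOT flag standard JSON deserialization to concrete types",
+"Gson.fromJson() to a concrete class is SAFE — Gson does not support polymorphic instantiation by default",
+"JSON parsing (Jackson, Gson, JSON-B) to concrete POJOs is NOT unsafe deserialization",
+],
+},
+xxe: {
+sinks: [
+{ api: "DocumentBuilderFactory without FEATURE_SECURE_PROCESSING", risk: "Parses XML with external entity resolution enabled — allows file read and SSRF", cwes: ["CWE-611"] },
+{ api: "SAXParserFactory without secure features", risk: "SAX parsing with external entities enabled — same XXE risk as DocumentBuilder", cwes: ["CWE-611"] },
+{ api: "XMLInputFactory without IS_SUPPORTING_EXTERNAL_ENTITIES=false", risk: "StAX parser resolves external entities by default on some implementations", cwes: ["CWE-611"] },
+{ api: "TransformerFactory without secure processing", risk: "XSLT processing can resolve external entities and run code via xsl:script", cwes: ["CWE-611"] },
+{ api: "SchemaFactory without secure processing", risk: "XML Schema validation can trigger external entity resolution", cwes: ["CWE-611"] },
+],
+safePatterns: [
+{ api: "DocumentBuilderFactory with FEATURE_SECURE_PROCESSING and disallowDoctype", why: "Secure processing feature disables external entities and DTD processing" },
+{ api: "SAXParserFactory with external-general-entities and external-parameter-entities set to false", why: "Explicitly disables both types of external entity resolution" },
+{ api: "XMLInputFactory with IS_SUPPORTING_EXTERNAL_ENTITIES=false and SUPPORT_DTD=false", why: "StAX parser will not resolve external entities or process DTDs" },
+],
+investigationHints: {
+grepPatterns: [
+"DocumentBuilderFactory",
+"SAXParser",
+"XMLInputFactory",
+"FEATURE_SECURE",
+"TransformerFactory",
+"SchemaFactory",
+"external-general-entities",
+"IS_SUPPORTING_EXTERNAL_ENTITIES",
+],
+fileHints: [
+"SOAP endpoint implementations and WS-* handlers",
+"XML import/upload features",
+"Configuration file parsers",
+"RSS/Atom feed parsers",
+"SAML authentication handlers",
+],
+instructions: [
+"Check every DocumentBuilderFactory/SAXParserFactory instantiation — is FEATURE_SECURE_PROCESSING set?",
+"Look for factory.setFeature() calls — are external-general-entities and external-parameter-entities disabled?",
+"Check XMLInputFactory instances for IS_SUPPORTING_EXTERNAL_ENTITIES and SUPPORT_DTD settings",
+"SOAP endpoints are high-risk — the SOAP envelope is XML and often processed without XXE protection",
+"SAML XML parsing is a common XXE vector — check SAML library version and configuration",
+],
+},
+fewShots: [
+{
+scenario: "SOAP endpoint parsing XML without XXE protection",
+vulnerableCode: '@WebServlet("/api/import")\npublic class ImportServlet extends HttpServlet {\n protected void doPost(HttpServletRequest req, HttpServletResponse resp) {\n DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();\n DocumentBuilder db = dbf.newDocumentBuilder();\n Document doc = db.parse(req.getInputStream());\n // process doc...\n }\n}',
+explanation: "DocumentBuilderFactory is created with default settings — external entity resolution is enabled. Attacker sends XML with a DOCTYPE declaring an external entity to read local files or perform SSRF.",
+},
+],
+frameworkGuidance: [
+{
+framework: "Spring Boot",
+defaults: ["Spring RestTemplate and WebClient do not parse XML by default"],
+pitfalls: [
+"Spring WS (spring-ws) endpoints parse SOAP XML — check XXE protection in Wss4jSecurityInterceptor",
+"Custom XML message converters may use unprotected parsers",
+"@RequestBody with XML content type uses JAXB which may be vulnerable depending on implementation",
+],
+configChecks: [
+"Check for custom HttpMessageConverter beans that handle XML",
+"Check Spring WS configuration for secure XML parser settings",
+],
+},
+{
+framework: "Jakarta EE",
+defaults: ["JAX-RS implementations vary in XML parser defaults"],
+pitfalls: [
+"JAX-WS SOAP endpoints use XML parsing internally",
+"JAXB unmarshalling may resolve external entities depending on the XML parser",
+"Servlet-based XML processing with manual DocumentBuilder creation",
+],
+configChecks: [
+"Check web.xml for servlet-based XML endpoints",
+"Check JAX-WS handler chain configuration",
+],
+},
+],
+antiHallucinationExtra: [
+"DocumentBuilderFactory with setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) and setFeature for disallow-doctype-decl is SAFE",
+"JAXB with a properly configured SAXSource is SAFE if the underlying parser disables external entities",
+"Do NOT flag XML generation (writing XML) — XXE is a parsing vulnerability only",
+],
+},
+"command-injection": {
+sinks: [
+{ api: "Runtime.getRuntime().exec(cmd) with single String", risk: "Single string form may invoke shell interpretation — metacharacter injection possible", shellInvoking: true, cwes: ["CWE-78"] },
+{ api: "ProcessBuilder with shell wrapper", risk: "ProcessBuilder wrapping /bin/sh -c or cmd /c enables shell interpretation of user input", shellInvoking: true, cwes: ["CWE-78"] },
+{ api: "Runtime.exec with cmd /c and user input", risk: "Windows cmd.exe shell interpretation of user-controlled arguments", shellInvoking: true, cwes: ["CWE-78"] },
+],
+safePatterns: [
+{ api: "ProcessBuilder with argument list", why: "ProcessBuilder(List<String>) passes arguments directly to the process — no shell interpretation" },
+{ api: "Runtime.exec(String[]) array form", why: "Array form bypasses shell — arguments are passed directly to the target process" },
+{ api: "ProcessBuilder with hardcoded commands only", why: "No attacker-controlled data in process arguments" },
+],
+investigationHints: {
+grepPatterns: [
+"Runtime\\.getRuntime\\(\\)",
+"ProcessBuilder",
+"\\.exec\\(",
+"/bin/sh",
+"cmd\\.exe",
+],
+fileHints: [
+"Utility classes that wrap system command invocation",
+"File processing services (PDF generation, image conversion)",
+"Build/deployment automation code",
+"Monitoring or health check endpoints that invoke system commands",
+],
+instructions: [
+"Check if Runtime.exec() uses single String form (shell interpretation) vs String[] array form (safe)",
+"Look for ProcessBuilder calls that wrap commands in /bin/sh -c or cmd /c — this reintroduces shell interpretation",
+"Trace user input from @RequestParam, @PathVariable, or request body to process invocation arguments",
+"Check for string concatenation building command strings with user-controlled data",
+],
+},
+fewShots: [
+{
+scenario: "File conversion endpoint with user-controlled filename in exec call",
+vulnerableCode: '@PostMapping("/convert")\npublic ResponseEntity<byte[]> convert(@RequestParam String filename) {\n Process p = Runtime.getRuntime().exec("convert " + filename + " output.png");\n // read process output...\n}',
+explanation: "filename is user-controlled and concatenated into a single command string passed to exec(String). Attacker injects shell metacharacters to run arbitrary commands.",
+},
+],
+frameworkGuidance: [
+{
+framework: "Spring Boot",
+defaults: ["Spring does not provide command invocation utilities"],
+pitfalls: [
+"Controller methods that invoke system commands for file processing",
+"Scheduled tasks (@Scheduled) that run system commands with dynamic parameters",
+"Actuator custom endpoints that expose command invocation",
+],
+configChecks: [
+"Check for custom ProcessBuilder or Runtime usage in service classes",
+"Review @Scheduled methods for command invocation with variable input",
+],
+},
+],
+antiHallucinationExtra: [
+"ProcessBuilder with a List<String> of separate arguments (no shell wrapper) is SAFE against metacharacter injection — do NOT flag it",
+"Runtime.exec(new String[]{\"program\", \"arg1\", \"arg2\"}) array form does NOT invoke shell — it is SAFE",
+"Do NOT flag Runtime.exec or ProcessBuilder calls where all arguments are hardcoded constants",
+],
+},
+ssrf: {
+sinks: [
+{ api: "HttpURLConnection with user-controlled URL", risk: "Direct HTTP connection to attacker-specified URL enables access to internal services", cwes: ["CWE-918"] },
+{ api: "OkHttpClient with user-controlled URL", risk: "HTTP client follows redirects by default — can reach internal endpoints", cwes: ["CWE-918"] },
+{ api: "RestTemplate with user-controlled URL", risk: "Spring RestTemplate makes HTTP request to attacker-specified URL", cwes: ["CWE-918"] },
+{ api: "WebClient with user-controlled URL", risk: "Spring WebFlux reactive HTTP client with user-controlled target", cwes: ["CWE-918"] },
+{ api: "URL(userInput).openConnection()", risk: "Supports file://, jar://, and other protocol handlers beyond HTTP", cwes: ["CWE-918"] },
+],
+safePatterns: [
+{ api: "URL validated against allowlist of domains/IPs", why: "Only permitted destinations are reachable" },
+{ api: "Requests to hardcoded URLs with user data in body/params only", why: "URL is fixed — user controls only the payload, not the destination" },
+{ api: "URL parsed and validated against scheme + host allowlist before request", why: "Proper validation prevents reaching internal endpoints" },
+],
+investigationHints: {
+grepPatterns: [
+"new URL\\(",
+"HttpURLConnection",
+"RestTemplate",
+"WebClient",
+"OkHttpClient",
+"\\.openConnection\\(",
+"URI\\.create\\(",
+],
+fileHints: [
+"Webhook registration and callback endpoints",
+"URL preview/unfurl features",
+"Proxy or redirect endpoints",
+"File download/import-from-URL features",
+"OAuth callback and token exchange handlers",
+],
+instructions: [
+"Check if the URL parameter originates from user input (@RequestParam, @PathVariable, request body, database record)",
+"Look for URL validation that can be bypassed — checking startsWith(\"http\") does NOT prevent http://169.254.169.254",
+"Check for redirect following — OkHttpClient and HttpURLConnection follow redirects by default, which can bypass URL checks",
+"Cloud metadata: can the URL reach 169.254.169.254 (AWS), metadata.google.internal (GCP), or 169.254.169.254 (Azure)?",
+"Check for DNS rebinding — URL validated against allowlist but DNS resolves to internal IP at request time",
+],
+},
+fewShots: [
+{
+scenario: "Spring controller fetching user-provided URL",
+vulnerableCode: '@GetMapping("/preview")\npublic ResponseEntity<String> preview(@RequestParam String url) {\n RestTemplate restTemplate = new RestTemplate();\n String body = restTemplate.getForObject(url, String.class);\n return ResponseEntity.ok(body);\n}',
+explanation: "url is directly from @RequestParam with no validation. Attacker sends http://169.254.169.254/latest/meta-data/ to read AWS instance metadata or http://internal-service:8080/admin to access internal APIs.",
+},
+],
+frameworkGuidance: [
+{
+framework: "Spring Boot",
+defaults: ["RestTemplate and WebClient do not validate destination URLs"],
+pitfalls: [
+"Feign clients with dynamic URL construction from user input",
+"Spring Cloud Gateway routes with user-controlled forwarding targets",
+"Actuator endpoints that proxy requests",
+],
+configChecks: [
+"Check RestTemplate and WebClient bean configurations for interceptors that validate URLs",
+"Review Feign client interfaces for dynamic @Url parameters",
+],
+},
+],
+antiHallucinationExtra: [
+"RestTemplate/WebClient requests to hardcoded URLs with only user-controlled query parameters or request body are NOT SSRF",
+"Internal service-to-service calls with no user-controlled URL component are NOT SSRF",
+"Feign client calls to service-discovery-resolved names (Eureka, Consul) without user-controlled URL are NOT SSRF",
+],
+},
+"template-injection": {
+sinks: [
+{ api: "SpelExpressionParser with user input", risk: "Spring Expression Language (SpEL) enables method invocation and class instantiation — RCE via type references", cwes: ["CWE-917"] },
+{ api: "Velocity.evaluate() with user template string", risk: "Apache Velocity templates allow arbitrary Java method calls via reflection", cwes: ["CWE-1336"] },
+{ api: "Freemarker Template with user-controlled source", risk: "FreeMarker new() builtin allows arbitrary class instantiation", cwes: ["CWE-1336"] },
+{ api: "OGNL with user input", risk: "Object-Graph Navigation Language enables arbitrary method invocation — Struts2 RCE vector", cwes: ["CWE-917"] },
+],
+safePatterns: [
+{ api: "SpEL with SimpleEvaluationContext", why: "SimpleEvaluationContext restricts type references and method invocation — safe for user expressions" },
+{ api: "Velocity/Freemarker with user data as template variables only", why: "User data passed as variables, not as template source — no code invocation" },
+{ api: "Thymeleaf with th:text (escaped output)", why: "th:text escapes output — only th:utext or preprocessing expressions are dangerous" },
+],
+investigationHints: {
+grepPatterns: [
+"SpelExpressionParser",
+"parseExpression\\(",
+"Velocity",
+"Freemarker",
+"FreeMarker",
+"OGNL",
+"OgnlUtil",
+"StandardEvaluationContext",
+"SimpleEvaluationContext",
+],
+fileHints: [
+"Spring controllers that evaluate user-provided expressions",
+"Email template generation services",
+"Report generation with dynamic templates",
+"Rule engine or formula evaluation features",
+"Struts2 action classes (for OGNL)",
+],
+instructions: [
+"Check if SpelExpressionParser evaluates user-supplied strings — is StandardEvaluationContext or SimpleEvaluationContext used?",
+"StandardEvaluationContext allows type references for RCE — SimpleEvaluationContext does NOT",
+"Look for Velocity.evaluate() where the template string comes from user input or database",
+"Check Freemarker configuration — is new_builtin_class_resolver set to restrict class instantiation?",
+"Inspect Struts2 action configurations for OGNL evaluation of user parameters",
+],
+},
+fewShots: [
+{
+scenario: "Spring endpoint using SpEL with user input",
+vulnerableCode: '@GetMapping("/calc")\npublic String calculate(@RequestParam String expression) {\n SpelExpressionParser parser = new SpelExpressionParser();\n StandardEvaluationContext ctx = new StandardEvaluationContext();\n Object result = parser.parseExpression(expression).getValue(ctx);\n return result.toString();\n}',
+explanation: "expression is directly from @RequestParam and evaluated with StandardEvaluationContext. Attacker sends a SpEL expression using type references to invoke runtime methods for RCE.",
+},
+],
+frameworkGuidance: [
+{
+framework: "Spring Boot",
+defaults: ["Thymeleaf auto-escapes with th:text by default"],
+pitfalls: [
+"SpEL in @Value annotations is safe (compile-time), but dynamic SpEL evaluation of user input is dangerous",
+"Spring Security expressions (@PreAuthorize) use SpEL but are not user-controlled",
+"Thymeleaf preprocessing expressions __${...}__ can evaluate user input as SpEL",
+],
+configChecks: [
+"Check for SpelExpressionParser usage in controller/service code",
+"Check Thymeleaf templates for __${...}__ preprocessing expressions",
+],
+},
+{
+framework: "Jakarta EE",
+defaults: ["JSP EL (Expression Language) has limited functionality compared to SpEL"],
+pitfalls: [
+"Unified EL in JSF can evaluate user-controlled expressions",
+"Struts2 OGNL injection has been a recurring critical vulnerability",
+"Custom tag libraries may evaluate expressions unsafely",
+],
+configChecks: [
+"Check Struts2 version — many OGNL injection CVEs exist in older versions",
+"Check JSF managed bean properties for expression evaluation",
+],
+},
+],
+antiHallucinationExtra: [
+"SpEL in @Value(\"${property}\") annotations reads config properties at startup — this is NOT user-controlled and is SAFE",
+"@PreAuthorize(\"hasRole('ADMIN')\") uses SpEL but the expression is hardcoded — NOT injectable",
+"Thymeleaf th:text=\"${variable}\" is SAFE — it escapes output and does not evaluate variable as an expression",
+],
+},
+"auth-bypass": {
+sinks: [
+{ api: "Controller methods missing @PreAuthorize/@Secured", risk: "Endpoint accessible without authorization check — may expose sensitive operations", cwes: ["CWE-862"] },
+{ api: "permitAll() on sensitive endpoints", risk: "Spring Security explicitly allows unauthenticated access to endpoints that should be protected", cwes: ["CWE-862"] },
+{ api: "IDOR via @PathVariable without ownership check", risk: "User can access or modify other users' resources by changing the ID in the path", cwes: ["CWE-639"] },
+{ api: "CSRF disabled globally via csrf().disable()", risk: "State-changing endpoints vulnerable to cross-site request forgery", cwes: ["CWE-352"] },
+],
+safePatterns: [
+{ api: "Method-level @PreAuthorize with proper role/ownership checks", why: "Authorization verified before business logic runs" },
+{ api: "@Secured with role-based access control", why: "Spring Security enforces role requirement at method level" },
+{ api: "Ownership check comparing resource owner to authenticated principal", why: "Prevents IDOR by verifying the current user owns the resource" },
+],
+investigationHints: {
+grepPatterns: [
+"@PreAuthorize",
+"@Secured",
+"antMatchers",
+"requestMatchers",
+"permitAll",
+"csrf\\(\\)\\.disable",
+"@PathVariable",
+"SecurityFilterChain",
+],
+fileHints: [
+"Spring Security configuration classes (@EnableWebSecurity)",
+"REST controller classes with @RestController or @Controller",
+"Custom authentication filters and providers",
+"Method-level security configuration (@EnableMethodSecurity)",
+],
+instructions: [
+"Map all controller endpoints and check each for authorization annotations or SecurityFilterChain rules",
+"Look for permitAll() in SecurityFilterChain — are sensitive endpoints (admin, user data, payment) accidentally unprotected?",
+"Check for IDOR: endpoints with @PathVariable id — is there a check that the authenticated user owns the resource?",
+"Verify that @EnableMethodSecurity or @EnableGlobalMethodSecurity is present when using @PreAuthorize",
+"Check for csrf().disable() — is it a REST-only API with token auth (acceptable) or a web app with session cookies (dangerous)?",
+],
+},
+fewShots: [
+{
+scenario: "REST endpoint without authorization annotation",
+vulnerableCode: '@RestController\n@RequestMapping("/api/admin")\npublic class AdminController {\n @DeleteMapping("/users/{id}")\n public ResponseEntity<Void> deleteUser(@PathVariable Long id) {\n userService.deleteUser(id);\n return ResponseEntity.noContent().build();\n }\n}',
+explanation: "Admin endpoint has no @PreAuthorize or @Secured annotation and no SecurityFilterChain rule restricting /api/admin/**. Any authenticated user (or unauthenticated if permitAll) can delete users.",
+},
+],
+frameworkGuidance: [
+{
+framework: "Spring Boot",
+defaults: [
+"Spring Security requires authentication for all endpoints by default when on classpath",
+"CSRF protection is enabled by default for session-based auth",
+],
+pitfalls: [
+"Overly broad permitAll() rules that match sensitive paths",
+"@EnableMethodSecurity must be present for @PreAuthorize to work — missing it silently disables method security",
+"Custom AuthenticationProvider may accept unexpected credentials",
+"JWT validation without signature verification or expiry check",
+],
+configChecks: [
+"Check SecurityFilterChain bean for permitAll() rules and their URL patterns",
+"Verify @EnableMethodSecurity is present in a @Configuration class",
+"Check JWT token validation — is the signature verified? Is expiry checked?",
+"Review CORS configuration for overly permissive origins",
+],
+},
+{
+framework: "Jakarta EE",
+defaults: ["Java EE/Jakarta security constraints in web.xml restrict URL patterns by role"],
+pitfalls: [
+"Missing <security-constraint> for new endpoints added after initial deployment descriptor",
+"Programmatic security (HttpServletRequest.isUserInRole) may be inconsistently applied",
+"@RolesAllowed annotation requires container-managed security to be active",
+],
+configChecks: [
+"Check web.xml for <security-constraint> coverage of all sensitive URL patterns",
+"Verify <login-config> is properly configured",
+"Check @RolesAllowed annotations on EJB and JAX-RS endpoints",
+],
+},
+],
+antiHallucinationExtra: [
+"Public endpoints like /login, /register, /health, /actuator/health are EXPECTED to have permitAll() — do NOT flag them",
+"REST APIs using stateless JWT authentication legitimately disable CSRF — do NOT flag csrf().disable() for stateless APIs",
+"Spring Security secures all endpoints by default when spring-boot-starter-security is on the classpath — only flag if explicit permitAll() opens sensitive paths",
+],
+},
+},
+};
+//# sourceMappingURL=java-kotlin.js.map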
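Review bot: The command-injection sink `{ api: "Runtime.getRuntime().exec(cmd) with single String", risk: "Single string form may invoke shell interpretation — metacharacter injection possible", ... }` and the matching fewShot explanation ("Attacker injects shell metacharacters") describe the JDK incorrectly: `Runtime.exec(String)` only splits the string on whitespace with a StringTokenizer and passes the tokens to ProcessBuilder, so no shell is involved unless the command itself starts with `sh -c` / `cmd /c`, and the real exposure in the `"convert " + filename` example is argument/option injection (CWE-88) rather than metacharacters. The same overstatement runs the other way in `antiHallucinationExtra`, where `Runtime.exec(new String[]{...})` is declared SAFE outright even though the array form still reaches a shell when its first elements are a shell and `-c`, which could push the scanner into a false negative. I would reword the risk to `"Single string form is tokenised on whitespace (no shell) — user input can still add arguments/options, and becomes shell injection only when the command itself is sh -c or cmd /c"`, add `"CWE-88"` to that entry's `cwes`, and qualify the SAFE claim with "unless the array starts with a shell wrapper"; whether `shellInvoking: true` on that entry should also change depends on how the consumer reads that flag, which is not visible in this diff. Separately, the ssrf instruction on cloud metadata lists `169.254.169.254` twice (AWS and Azure), which reads as a copy-paste slip — `169.254.169.254 (AWS, Azure)` says the same thing once.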
@@ -0,0 +1 @@
1
+ {"version":3,"file":"java-kotlin.js","sourceRoot":"","sources":["../../../src/prompts/languages/java-kotlin.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,uEAAuE;AACvE,+DAA+D;AAI/D,MAAM,CAAC,MAAM,iBAAiB,GAAoB;IAChD,UAAU,EAAE,aAAa;IACzB,OAAO,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC;IACxC,YAAY,EAAE;QACZ,YAAY,EAAE;YACZ,iBAAiB;YACjB,aAAa;YACb,iBAAiB;YACjB,aAAa;YACb,cAAc;YACd,UAAU;YACV,YAAY;YACZ,aAAa;YACb,UAAU;YACV,WAAW;SACZ;QACD,SAAS,EAAE;YACT,gEAAgE;YAChE,gEAAgE;YAChE,wEAAwE;YACxE,gDAAgD;YAChD,qEAAqE;YACrE,gEAAgE;SACjE;QACD,YAAY,EAAE;YACZ,4FAA4F;YAC5F,wFAAwF;YACxF,iGAAiG;YACjG,mEAAmE;SACpE;KACF;IACD,wBAAwB,EAAE;QACxB,4IAA4I;QAC5I,wGAAwG;QACxG,8GAA8G;KAC/G;IACD,WAAW,EAAE;QACX,eAAe,EAAE;YACf,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,gCAAgC,EAAE,IAAI,EAAE,yFAAyF,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBAC7J,EAAE,GAAG,EAAE,yBAAyB,EAAE,IAAI,EAAE,yEAAyE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACtI,EAAE,GAAG,EAAE,oCAAoC,EAAE,IAAI,EAAE,+FAA+F,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACvK,EAAE,GAAG,EAAE,oCAAoC,EAAE,IAAI,EAAE,oGAAoG,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBAC5K,EAAE,GAAG,EAAE,iCAAiC,EAAE,IAAI,EAAE,yEAAyE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;aAC/I;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,wDAAwD,EAAE,GAAG,EAAE,kGAAkG,EAAE;gBAC1K,EAAE,GAAG,EAAE,8CAA8C,EAAE,GAAG,EAAE,oEAAoE,EAAE;gBAClI,EAAE,GAAG,EAAE,sDAAsD,EAAE,GAAG,EAAE,4CAA4C,EAAE;gBAClH,EAAE,GAAG,EAAE,6BAA6B,EAAE,GAAG,EAAE,sEAAsE,EAAE;aACpH;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,mBAAmB;oBACnB,eAAe;oBACf,YAAY;oBACZ,qBAAqB;oBACrB,SAAS;oBACT,MAAM;oBACN,yBAAyB;iBAC1B;gBACD,SAAS,EAAE;oBACT,mDAAmD;oBACnD,gDAAgD;oBAChD,0EAA0E;oBAC1E,+DAA+D;oBAC/D,gDAAgD;iBACjD;gBACD,YAAY,EAAE;oBACZ,8FAA8F;oBAC9F,qEAAqE;oBACrE,mGAAmG;oBACnG,wFAAwF;oBACxF,oEAAoE;iBACrE;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,2CAA2C;oBACrD,cAAc,EAAE,gSAAgS;oBAChT,WAAW,EAAE,mLAAmL;iBACjM;aACF;YACD,iBAAiB,EAAE;gBACjB;oBACE,SAAS,EAAE,aAAa;oBACxB,QAAQ,EAAE,CAAC,wFAAwF,CAAC;oBACpG,QAAQ,EAAE;wBACR,6DAA6D;wBAC7D,iEAAiE;wBACjE,2DAA2D;qBAC5D;oBACD,YAAY,EAAE;wBACZ,qEAAqE;wBACrE,yDAAyD
;wBACzD,+DAA+D;qBAChE;iBACF;gBACD;oBACE,SAAS,EAAE,YAAY;oBACvB,QAAQ,EAAE,CAAC,oDAAoD,CAAC;oBAChE,QAAQ,EAAE;wBACR,2CAA2C;wBAC3C,4DAA4D;wBAC5D,4DAA4D;qBAC7D;oBACD,YAAY,EAAE;wBACZ,iDAAiD;wBACjD,iDAAiD;qBAClD;iBACF;aACF;YACD,sBAAsB,EAAE;gBACtB,8IAA8I;gBAC9I,0GAA0G;gBAC1G,sFAAsF;aACvF;SACF;QACD,GAAG,EAAE;YACH,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,0DAA0D,EAAE,IAAI,EAAE,gFAAgF,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBAC9K,EAAE,GAAG,EAAE,0CAA0C,EAAE,IAAI,EAAE,+EAA+E,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBAC7J,EAAE,GAAG,EAAE,+DAA+D,EAAE,IAAI,EAAE,2EAA2E,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBAC9K,EAAE,GAAG,EAAE,8CAA8C,EAAE,IAAI,EAAE,2EAA2E,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBAC7J,EAAE,GAAG,EAAE,yCAAyC,EAAE,IAAI,EAAE,8DAA8D,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;aAC5I;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,2EAA2E,EAAE,GAAG,EAAE,yEAAyE,EAAE;gBACpK,EAAE,GAAG,EAAE,8FAA8F,EAAE,GAAG,EAAE,8DAA8D,EAAE;gBAC5K,EAAE,GAAG,EAAE,kFAAkF,EAAE,GAAG,EAAE,gEAAgE,EAAE;aACnK;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,wBAAwB;oBACxB,WAAW;oBACX,iBAAiB;oBACjB,gBAAgB;oBAChB,oBAAoB;oBACpB,eAAe;oBACf,2BAA2B;oBAC3B,iCAAiC;iBAClC;gBACD,SAAS,EAAE;oBACT,iDAAiD;oBACjD,4BAA4B;oBAC5B,4BAA4B;oBAC5B,uBAAuB;oBACvB,8BAA8B;iBAC/B;gBACD,YAAY,EAAE;oBACZ,uGAAuG;oBACvG,+GAA+G;oBAC/G,8FAA8F;oBAC9F,oGAAoG;oBACpG,wFAAwF;iBACzF;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,kDAAkD;oBAC5D,cAAc,EAAE,8XAA8X;oBAC9Y,WAAW,EAAE,sMAAsM;iBACpN;aACF;YACD,iBAAiB,EAAE;gBACjB;oBACE,SAAS,EAAE,aAAa;oBACxB,QAAQ,EAAE,CAAC,+DAA+D,CAAC;oBAC3E,QAAQ,EAAE;wBACR,mGAAmG;wBACnG,2DAA2D;wBAC3D,kGAAkG;qBACnG;oBACD,YAAY,EAAE;wBACZ,6DAA6D;wBAC7D,8DAA8D;qBAC/D;iBACF;gBACD;oBACE,SAAS,EAAE,YAAY;oBACvB,QAAQ,EAAE,CAAC,oDAAoD,CAAC;oBAChE,QAAQ,EAAE;wBACR,kDAAkD;wBAClD,8EAA8E;wBAC9E,mEAAmE;qBACpE;oBACD,YAAY,EAAE;wBACZ,+CAA+C;wBAC/C,0CAA0C;qBAC3C;iBACF;aACF;YACD,sBAAsB,EAAE;gBACtB,uIAAuI;gBACvI,uGAAuG;gBACvG,gFAAgF;aACjF;SACF;QACD,mBAAmB,EAAE;YACnB,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,mDAAmD,EAAE,IAAI,EAAE,uFAAuF,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBAClM,EAAE,GAAG,EAAE,mCAAmC
,EAAE,IAAI,EAAE,yFAAyF,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBACpL,EAAE,GAAG,EAAE,yCAAyC,EAAE,IAAI,EAAE,mEAAmE,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;aACrK;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,mCAAmC,EAAE,GAAG,EAAE,iGAAiG,EAAE;gBACpJ,EAAE,GAAG,EAAE,mCAAmC,EAAE,GAAG,EAAE,iFAAiF,EAAE;gBACpI,EAAE,GAAG,EAAE,6CAA6C,EAAE,GAAG,EAAE,kDAAkD,EAAE;aAChH;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,4BAA4B;oBAC5B,gBAAgB;oBAChB,YAAY;oBACZ,SAAS;oBACT,WAAW;iBACZ;gBACD,SAAS,EAAE;oBACT,qDAAqD;oBACrD,6DAA6D;oBAC7D,kCAAkC;oBAClC,kEAAkE;iBACnE;gBACD,YAAY,EAAE;oBACZ,sGAAsG;oBACtG,mHAAmH;oBACnH,qGAAqG;oBACrG,mFAAmF;iBACpF;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,qEAAqE;oBAC/E,cAAc,EAAE,uNAAuN;oBACvO,WAAW,EAAE,oKAAoK;iBAClL;aACF;YACD,iBAAiB,EAAE;gBACjB;oBACE,SAAS,EAAE,aAAa;oBACxB,QAAQ,EAAE,CAAC,sDAAsD,CAAC;oBAClE,QAAQ,EAAE;wBACR,oEAAoE;wBACpE,+EAA+E;wBAC/E,0DAA0D;qBAC3D;oBACD,YAAY,EAAE;wBACZ,qEAAqE;wBACrE,sEAAsE;qBACvE;iBACF;aACF;YACD,sBAAsB,EAAE;gBACtB,sIAAsI;gBACtI,2GAA2G;gBAC3G,8FAA8F;aAC/F;SACF;QACD,IAAI,EAAE;YACJ,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,4CAA4C,EAAE,IAAI,EAAE,sFAAsF,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACtK,EAAE,GAAG,EAAE,uCAAuC,EAAE,IAAI,EAAE,yEAAyE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACpJ,EAAE,GAAG,EAAE,uCAAuC,EAAE,IAAI,EAAE,kEAAkE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBAC7I,EAAE,GAAG,EAAE,oCAAoC,EAAE,IAAI,EAAE,iEAAiE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACzI,EAAE,GAAG,EAAE,iCAAiC,EAAE,IAAI,EAAE,mEAAmE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;aACzI;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,gDAAgD,EAAE,GAAG,EAAE,2CAA2C,EAAE;gBAC3G,EAAE,GAAG,EAAE,+DAA+D,EAAE,GAAG,EAAE,oEAAoE,EAAE;gBACnJ,EAAE,GAAG,EAAE,yEAAyE,EAAE,GAAG,EAAE,wDAAwD,EAAE;aAClJ;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,YAAY;oBACZ,mBAAmB;oBACnB,cAAc;oBACd,WAAW;oBACX,cAAc;oBACd,sBAAsB;oBACtB,iBAAiB;iBAClB;gBACD,SAAS,EAAE;oBACT,6CAA6C;oBAC7C,6BAA6B;oBAC7B,6BAA6B;oBAC7B,wCAAwC;oBACxC,4CAA4C;iBAC7C;gBACD,YAAY,EAAE;oBACZ,qHAAqH;oBACrH,sHAAsH;oBACtH,4HAA4H;oBAC5H,sHAAsH;oBACtH,2GAA2G;iBAC5G;aACF;YACD,QAAQ,EAA
E;gBACR;oBACE,QAAQ,EAAE,8CAA8C;oBACxD,cAAc,EAAE,0PAA0P;oBAC1Q,WAAW,EAAE,6MAA6M;iBAC3N;aACF;YACD,iBAAiB,EAAE;gBACjB;oBACE,SAAS,EAAE,aAAa;oBACxB,QAAQ,EAAE,CAAC,6DAA6D,CAAC;oBACzE,QAAQ,EAAE;wBACR,6DAA6D;wBAC7D,qEAAqE;wBACrE,wCAAwC;qBACzC;oBACD,YAAY,EAAE;wBACZ,0FAA0F;wBAC1F,4DAA4D;qBAC7D;iBACF;aACF;YACD,sBAAsB,EAAE;gBACtB,2HAA2H;gBAC3H,sFAAsF;gBACtF,kHAAkH;aACnH;SACF;QACD,oBAAoB,EAAE;YACpB,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,sCAAsC,EAAE,IAAI,EAAE,+GAA+G,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACzL,EAAE,GAAG,EAAE,+CAA+C,EAAE,IAAI,EAAE,4EAA4E,EAAE,IAAI,EAAE,CAAC,UAAU,CAAC,EAAE;gBAChK,EAAE,GAAG,EAAE,iDAAiD,EAAE,IAAI,EAAE,+DAA+D,EAAE,IAAI,EAAE,CAAC,UAAU,CAAC,EAAE;gBACrJ,EAAE,GAAG,EAAE,sBAAsB,EAAE,IAAI,EAAE,2FAA2F,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;aACtJ;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,mCAAmC,EAAE,GAAG,EAAE,qGAAqG,EAAE;gBACxJ,EAAE,GAAG,EAAE,+DAA+D,EAAE,GAAG,EAAE,4EAA4E,EAAE;gBAC3J,EAAE,GAAG,EAAE,yCAAyC,EAAE,GAAG,EAAE,mFAAmF,EAAE;aAC7I;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,sBAAsB;oBACtB,oBAAoB;oBACpB,UAAU;oBACV,YAAY;oBACZ,YAAY;oBACZ,MAAM;oBACN,UAAU;oBACV,2BAA2B;oBAC3B,yBAAyB;iBAC1B;gBACD,SAAS,EAAE;oBACT,4DAA4D;oBAC5D,oCAAoC;oBACpC,0CAA0C;oBAC1C,4CAA4C;oBAC5C,mCAAmC;iBACpC;gBACD,YAAY,EAAE;oBACZ,+HAA+H;oBAC/H,6FAA6F;oBAC7F,0FAA0F;oBAC1F,qGAAqG;oBACrG,8EAA8E;iBAC/E;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,4CAA4C;oBACtD,cAAc,EAAE,gUAAgU;oBAChV,WAAW,EAAE,mLAAmL;iBACjM;aACF;YACD,iBAAiB,EAAE;gBACjB;oBACE,SAAS,EAAE,aAAa;oBACxB,QAAQ,EAAE,CAAC,gDAAgD,CAAC;oBAC5D,QAAQ,EAAE;wBACR,2GAA2G;wBAC3G,kFAAkF;wBAClF,gFAAgF;qBACjF;oBACD,YAAY,EAAE;wBACZ,iEAAiE;wBACjE,oEAAoE;qBACrE;iBACF;gBACD;oBACE,SAAS,EAAE,YAAY;oBACvB,QAAQ,EAAE,CAAC,yEAAyE,CAAC;oBACrF,QAAQ,EAAE;wBACR,4DAA4D;wBAC5D,oEAAoE;wBACpE,wDAAwD;qBACzD;oBACD,YAAY,EAAE;wBACZ,0EAA0E;wBAC1E,6DAA6D;qBAC9D;iBACF;aACF;YACD,sBAAsB,EAAE;gBACtB,0HAA0H;gBAC1H,gGAAgG;gBAChG,+GAA+G;aAChH;SACF;QACD,aAAa,EAAE;YACb,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,mDAAmD,EAAE,IAAI,EAAE,mFAAmF,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBAC1K,EAAE,GAAG,EAAE,oCAAoC,EAAE,IAAI,EAAE,gGAA
gG,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACxK,EAAE,GAAG,EAAE,gDAAgD,EAAE,IAAI,EAAE,iFAAiF,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACrK,EAAE,GAAG,EAAE,6CAA6C,EAAE,IAAI,EAAE,mEAAmE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;aACrJ;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,8DAA8D,EAAE,GAAG,EAAE,mDAAmD,EAAE;gBACjI,EAAE,GAAG,EAAE,yCAAyC,EAAE,GAAG,EAAE,2DAA2D,EAAE;gBACpH,EAAE,GAAG,EAAE,qEAAqE,EAAE,GAAG,EAAE,+DAA+D,EAAE;aACrJ;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,eAAe;oBACf,UAAU;oBACV,aAAa;oBACb,iBAAiB;oBACjB,WAAW;oBACX,sBAAsB;oBACtB,eAAe;oBACf,qBAAqB;iBACtB;gBACD,SAAS,EAAE;oBACT,4DAA4D;oBAC5D,6DAA6D;oBAC7D,6CAA6C;oBAC7C,6DAA6D;iBAC9D;gBACD,YAAY,EAAE;oBACZ,wGAAwG;oBACxG,6HAA6H;oBAC7H,mHAAmH;oBACnH,sGAAsG;oBACtG,gIAAgI;iBACjI;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,gDAAgD;oBAC1D,cAAc,EAAE,2RAA2R;oBAC3S,WAAW,EAAE,kMAAkM;iBAChN;aACF;YACD,iBAAiB,EAAE;gBACjB;oBACE,SAAS,EAAE,aAAa;oBACxB,QAAQ,EAAE;wBACR,wFAAwF;wBACxF,8DAA8D;qBAC/D;oBACD,QAAQ,EAAE;wBACR,2DAA2D;wBAC3D,gHAAgH;wBAChH,iEAAiE;wBACjE,+DAA+D;qBAChE;oBACD,YAAY,EAAE;wBACZ,6EAA6E;wBAC7E,mEAAmE;wBACnE,4EAA4E;wBAC5E,yDAAyD;qBAC1D;iBACF;gBACD;oBACE,SAAS,EAAE,YAAY;oBACvB,QAAQ,EAAE,CAAC,+EAA+E,CAAC;oBAC3F,QAAQ,EAAE;wBACR,2FAA2F;wBAC3F,uFAAuF;wBACvF,2EAA2E;qBAC5E;oBACD,YAAY,EAAE;wBACZ,gFAAgF;wBAChF,8CAA8C;wBAC9C,6DAA6D;qBAC9D;iBACF;aACF;YACD,sBAAsB,EAAE;gBACtB,wHAAwH;gBACxH,0HAA0H;gBAC1H,kKAAkK;aACnK;SACF;KACF;CACF,CAAC"}
@@ -0,0 +1,2 @@
1
+ import type { LanguageProfile } from "./types.js";
2
+ export declare const jstsProfile: LanguageProfile;