kuzushi 0.2.0 → 0.9.2

package/dist/prompts/languages/php.js

@@ -0,0 +1,277 @@
+// NOTE: This file contains DETECTION PATTERNS for a security scanner.
+// References to shell functions, SQL queries, etc. are DETECTION TARGETS
+// describing what the scanner looks for, not code this file runs.
+export const phpProfile = {
+    languageId: "PHP",
+    aliases: ["php"],
+    generalHints: {
+        grepPatterns: [
+            "\\$_GET",
+            "\\$_POST",
+            "\\$_REQUEST",
+            "\\$_SERVER",
+            "\\$_COOKIE",
+            "include\\s*\\(",
+            "require\\s*\\(",
+        ],
+        fileHints: [
+            "php.ini / .user.ini for security settings",
+            "composer.json for dependencies",
+            ".env for configuration secrets",
+            "routes/ or web.php for Laravel route definitions",
+            "config/ for framework configuration",
+        ],
+        instructions: [
+            "Check php.ini settings: display_errors, allow_url_include, register_globals",
+            "Look for direct superglobal usage ($_GET, $_POST) vs. framework request objects",
+            "Check for disabled functions in php.ini — are dangerous functions still enabled?",
+            "Review composer.json for outdated packages with known CVEs",
+        ],
+    },
+    generalAntiHallucination: [
+        "Laravel Eloquent with parameter binding is SAFE against SQL injection — do NOT flag Model::where('field', $val)",
+        "Laravel Blade templates auto-escape with {{ }} — only flag {!! !!} (raw output)",
+        "PDO prepared statements with parameter binding are SAFE against SQL injection",
+    ],
+    vulnClasses: {
+        "type-juggling": {
+            sinks: [
+                { api: "== loose comparison", risk: "PHP loose comparison: '0e123' == '0e456' evaluates true (scientific notation to 0)", cwes: ["CWE-697"] },
+                { api: "strcmp() with non-string input", risk: "strcmp(array, string) returns NULL which == 0 in loose comparison", cwes: ["CWE-697"] },
+                { api: "switch/case (loose comparison)", risk: "PHP switch uses loose comparison by default", cwes: ["CWE-697"] },
+                { api: "in_array without strict flag", risk: "in_array('0', ['password']) is true due to loose comparison", cwes: ["CWE-697"] },
+            ],
+            safePatterns: [
+                { api: "=== strict comparison", why: "Compares type AND value — no type juggling" },
+                { api: "hash_equals() for timing-safe comparison", why: "Constant-time and strict" },
+                { api: "in_array($val, $arr, true)", why: "Third arg true enables strict comparison" },
+            ],
+            investigationHints: {
+                grepPatterns: [
+                    "\\s==\\s",
+                    "strcmp\\(",
+                    "in_array\\(",
+                    "array_search\\(",
+                    "switch\\s*\\(",
+                    "hash_equals\\(",
+                ],
+                fileHints: [
+                    "Authentication/login handlers",
+                    "Token verification code",
+                    "API key validation",
+                    "Password reset handlers",
+                ],
+                instructions: [
+                    "Check authentication code for == instead of === in password/token comparisons",
+                    "Look for hash comparisons: md5($input) == $stored with == can be bypassed with magic hashes (0e...)",
+                    "Check in_array and array_search calls — missing strict flag enables type juggling",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "Magic hash authentication bypass",
+                    vulnerableCode: '$hash = md5($user_password);\nif ($hash == $stored_hash) {\n    authenticate($user);\n}',
+                    explanation: "If $stored_hash is '0e123...' (starts with 0e, rest is digits), PHP interprets it as 0 in scientific notation. Attacker finds a password whose MD5 also starts with '0e' followed by digits — both equal 0.",
+                },
+            ],
+            antiHallucinationExtra: [
+                "=== strict comparison is SAFE against type juggling — do NOT flag it",
+                "Loose == comparison with hardcoded integer literals (not user input) is low risk",
+            ],
+        },
+        deserialization: {
+            sinks: [
+                { api: "unserialize($user_input)", risk: "Triggers magic methods (__wakeup, __destruct) enabling RCE via POP chains", cwes: ["CWE-502"] },
+                { api: "unserialize with allowed_classes=true (default)", risk: "All classes allowed — POP gadgets available", cwes: ["CWE-502"] },
+            ],
+            safePatterns: [
+                { api: "json_decode($data)", why: "JSON parsing does not trigger code" },
+                { api: "unserialize($data, ['allowed_classes' => false])", why: "Blocks POP chains — converts objects to __PHP_Incomplete_Class" },
+            ],
+            investigationHints: {
+                grepPatterns: [
+                    "unserialize\\(",
+                    "allowed_classes",
+                    "serialize\\(",
+                    "__wakeup",
+                    "__destruct",
+                ],
+                fileHints: [
+                    "Session handling code",
+                    "Cache implementations",
+                    "Cookie processing",
+                ],
+                instructions: [
+                    "Check if unserialize processes data from cookies, database, or HTTP input",
+                    "Look for classes with __wakeup or __destruct methods — POP gadget candidates",
+                    "Check if allowed_classes option is set in unserialize calls (PHP 7.0+)",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "Cookie-based deserialization attack",
+                    vulnerableCode: '$prefs = unserialize(base64_decode($_COOKIE["user_prefs"]));',
+                    explanation: "User controls cookie value. unserialize instantiates arbitrary classes and triggers __wakeup/__destruct. If a gadget chain exists, attacker achieves RCE.",
+                },
+            ],
+            antiHallucinationExtra: [
+                "json_decode() is SAFE — it does not instantiate objects or trigger magic methods",
+            ],
+        },
+        "command-injection": {
+            sinks: [
+                { api: "system($cmd)", risk: "Shell interpretation of command string", shellInvoking: true, cwes: ["CWE-78"] },
+                { api: "passthru($cmd)", risk: "Shell interpretation with raw output", shellInvoking: true, cwes: ["CWE-78"] },
+                { api: "shell_exec($cmd) / backtick operator", risk: "Shell interpretation", shellInvoking: true, cwes: ["CWE-78"] },
+                { api: "popen($cmd, $mode)", risk: "Shell interpretation", shellInvoking: true, cwes: ["CWE-78"] },
+                { api: "proc_open($cmd, ...)", risk: "Shell interpretation if cmd is string", shellInvoking: true, cwes: ["CWE-78"] },
+            ],
+            safePatterns: [
+                { api: "escapeshellarg() wrapping each argument", why: "Escapes shell metacharacters in arguments" },
+                { api: "proc_open with array command (PHP 7.4+)", why: "Array form bypasses shell interpretation" },
+            ],
+            investigationHints: {
+                grepPatterns: [
+                    "\\bsystem\\(",
+                    "passthru\\(",
+                    "shell_exec\\(",
+                    "popen\\(",
+                    "proc_open\\(",
+                    "escapeshellarg",
+                ],
+                fileHints: [
+                    "Image/file processing handlers",
+                    "Admin/utility scripts",
+                    "Cron job handlers",
+                ],
+                instructions: [
+                    "PHP has many shell functions — check all of them (system, passthru, shell_exec, popen, proc_open, backticks)",
+                    "Look for string concatenation with $_GET/$_POST values into command strings",
+                    "Check if escapeshellarg is applied to EVERY user-controlled part of the command",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "Image conversion with user-controlled filename",
+                    vulnerableCode: '$file = $_POST["filename"];\nsystem("convert " . $file . " output.png");',
+                    explanation: "$_POST['filename'] is user-controlled. Attacker sends 'img.png; cat /etc/passwd' — shell interprets semicolon.",
+                },
+            ],
+            antiHallucinationExtra: [
+                "escapeshellarg() properly applied to all user inputs in a command is sufficient protection",
+                "Do NOT flag shell functions with fully hardcoded command strings and no user input",
+            ],
+        },
+        ssrf: {
+            sinks: [
+                { api: "file_get_contents($url)", risk: "Fetches URL — can reach internal services and use file:// protocol", cwes: ["CWE-918"] },
+                { api: "curl with user-controlled CURLOPT_URL", risk: "User-controlled URL in cURL request", cwes: ["CWE-918"] },
+                { api: "fopen($url)", risk: "PHP fopen supports URL wrappers when allow_url_fopen is enabled", cwes: ["CWE-918"] },
+            ],
+            safePatterns: [
+                { api: "URL validated against domain allowlist", why: "Restricts reachable hosts" },
+                { api: "CURLOPT_PROTOCOLS set to CURLPROTO_HTTPS only", why: "Blocks file:// and other dangerous protocols" },
+            ],
+            investigationHints: {
+                grepPatterns: [
+                    "file_get_contents\\(",
+                    "curl_setopt.*CURLOPT_URL",
+                    "curl_exec\\(",
+                    "fopen\\(",
+                    "CURLOPT_FOLLOWLOCATION",
+                ],
+                fileHints: ["Webhook handlers", "URL preview features", "File import features"],
+                instructions: [
+                    "Check php.ini allow_url_fopen — when enabled, fopen/file_get_contents accept URLs",
+                    "file_get_contents supports php:// and other wrappers — check if user controls the scheme",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "URL preview with SSRF",
+                    vulnerableCode: '$url = $_GET["url"];\n$content = file_get_contents($url);\necho extractTitle($content);',
+                    explanation: "User-controlled URL to file_get_contents. Attacker sends url=file:///etc/passwd for local file read or url=http://169.254.169.254/ for cloud metadata.",
+                },
+            ],
+            antiHallucinationExtra: [
+                "file_get_contents with a hardcoded file path (not user-controlled) is NOT SSRF",
+            ],
+        },
+        "include-injection": {
+            sinks: [
+                { api: "include($user_path)", risk: "Runs PHP code from attacker-controlled file path", cwes: ["CWE-98"] },
+                { api: "require($user_path)", risk: "Same as include — runs PHP from controlled path", cwes: ["CWE-98"] },
+                { api: "include_once/require_once($user_path)", risk: "Same risk — path is still attacker-controlled", cwes: ["CWE-98"] },
+            ],
+            safePatterns: [
+                { api: "include with hardcoded path", why: "Path is constant — no user control" },
+                { api: "Allowlist mapping user input to fixed paths", why: "User selects from safe options" },
+                { api: "basename() + directory prefix", why: "Strips directory traversal" },
+            ],
+            investigationHints: {
+                grepPatterns: [
+                    "include\\s*\\(",
+                    "require\\s*\\(",
+                    "include_once",
+                    "require_once",
+                ],
+                fileHints: ["Routing/dispatcher code", "Template loaders", "Plugin systems"],
+                instructions: [
+                    "Check if include/require paths contain user input",
+                    "Look for directory traversal: can user input contain ../ ?",
+                    "With allow_url_include=On, include can fetch remote URLs",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "Local file inclusion via page parameter",
+                    vulnerableCode: '$page = $_GET["page"];\ninclude("templates/" . $page . ".php");',
+                    explanation: "Attacker sends page=../../config to read sensitive files. With allow_url_include, attacker can include remote PHP code.",
+                },
+            ],
+            antiHallucinationExtra: [
+                "include/require with fully hardcoded paths and no user input are SAFE",
+            ],
+        },
+        sqli: {
+            sinks: [
+                { api: "mysql_query with string concat", risk: "Direct SQL concatenation — classic injection", cwes: ["CWE-89"] },
+                { api: "mysqli_query with string interpolation", risk: "User input in SQL string", cwes: ["CWE-89"] },
+                { api: "PDO::query with concat", risk: "PDO query without prepared statements", cwes: ["CWE-89"] },
+                { api: "DB::raw($user_input) in Laravel", risk: "Raw SQL expression with user input", cwes: ["CWE-89"] },
+            ],
+            safePatterns: [
+                { api: "PDO prepared statements with placeholders", why: "Parameterized query — safe" },
+                { api: "mysqli_prepare + bind_param", why: "Parameterized query" },
+                { api: "Laravel Eloquent parameter binding", why: "Model::where('field', $val) is parameterized" },
+            ],
+            investigationHints: {
+                grepPatterns: [
+                    "mysql_query\\(",
+                    "mysqli_query\\(",
+                    "->query\\(",
+                    "DB::raw\\(",
+                    "->whereRaw\\(",
+                    "prepare\\(",
+                ],
+                fileHints: ["Database access layer", "Search implementations", "Report queries"],
+                instructions: [
+                    "Check for string concatenation or interpolation in SQL queries",
+                    "In Laravel: look for DB::raw(), whereRaw(), selectRaw() with user input",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "Search with SQL injection",
+                    vulnerableCode: '$search = $_GET["q"];\n$result = $db->query("SELECT * FROM products WHERE name LIKE \'%" . $search . "%\'");',
+                    explanation: "User-controlled $search concatenated into SQL. Attacker sends q=' UNION SELECT password FROM users -- to extract data.",
+                },
+            ],
+            antiHallucinationExtra: [
+                "PDO prepared statements with placeholders are SAFE",
+                "Laravel Eloquent Model::where('field', $val) is SAFE — only flag raw SQL methods",
+            ],
+        },
+    },
+};
+//# sourceMappingURL=php.js.map

package/dist/prompts/languages/php.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"php.js","sourceRoot":"","sources":["../../../src/prompts/languages/php.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,yEAAyE;AACzE,kEAAkE;AAIlE,MAAM,CAAC,MAAM,UAAU,GAAoB;IACzC,UAAU,EAAE,KAAK;IACjB,OAAO,EAAE,CAAC,KAAK,CAAC;IAChB,YAAY,EAAE;QACZ,YAAY,EAAE;YACZ,SAAS;YACT,UAAU;YACV,aAAa;YACb,YAAY;YACZ,YAAY;YACZ,gBAAgB;YAChB,gBAAgB;SACjB;QACD,SAAS,EAAE;YACT,2CAA2C;YAC3C,gCAAgC;YAChC,gCAAgC;YAChC,kDAAkD;YAClD,qCAAqC;SACtC;QACD,YAAY,EAAE;YACZ,6EAA6E;YAC7E,iFAAiF;YACjF,kFAAkF;YAClF,4DAA4D;SAC7D;KACF;IACD,wBAAwB,EAAE;QACxB,iHAAiH;QACjH,iFAAiF;QACjF,+EAA+E;KAChF;IACD,WAAW,EAAE;QACX,eAAe,EAAE;YACf,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,qBAAqB,EAAE,IAAI,EAAE,oFAAoF,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBAC7I,EAAE,GAAG,EAAE,gCAAgC,EAAE,IAAI,EAAE,mEAAmE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACvI,EAAE,GAAG,EAAE,gCAAgC,EAAE,IAAI,EAAE,6CAA6C,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACjH,EAAE,GAAG,EAAE,8BAA8B,EAAE,IAAI,EAAE,6DAA6D,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;aAChI;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,uBAAuB,EAAE,GAAG,EAAE,4CAA4C,EAAE;gBACnF,EAAE,GAAG,EAAE,0CAA0C,EAAE,GAAG,EAAE,0BAA0B,EAAE;gBACpF,EAAE,GAAG,EAAE,4BAA4B,EAAE,GAAG,EAAE,0CAA0C,EAAE;aACvF;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,UAAU;oBACV,WAAW;oBACX,aAAa;oBACb,iBAAiB;oBACjB,eAAe;oBACf,gBAAgB;iBACjB;gBACD,SAAS,EAAE;oBACT,+BAA+B;oBAC/B,yBAAyB;oBACzB,oBAAoB;oBACpB,yBAAyB;iBAC1B;gBACD,YAAY,EAAE;oBACZ,+EAA+E;oBAC/E,qGAAqG;oBACrG,mFAAmF;iBACpF;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,kCAAkC;oBAC5C,cAAc,EAAE,yFAAyF;oBACzG,WAAW,EAAE,6MAA6M;iBAC3N;aACF;YACD,sBAAsB,EAAE;gBACtB,sEAAsE;gBACtE,kFAAkF;aACnF;SACF;QACD,eAAe,EAAE;YACf,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,0BAA0B,EAAE,IAAI,EAAE,2EAA2E,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACzI,EAAE,GAAG,EAAE,iDAAiD,EAAE,IAAI,EAAE,6CAA6C,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;aACnI;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,oBAAoB,EAAE,GAAG,EAAE,oCAAoC,EAAE;gBACxE,EAAE,GAAG,EAAE,kDAAkD,EAAE,GAAG,EAAE,gEAAgE,EAAE;aACnI;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,gBAAgB;oBAChB,iBAAiB;oBACjB,cAAc;oBACd,UAAU;oBACV,YAAY;iBACb;gBACD,SAAS,EAAE;oBACT,uBAAuB;oBACvB,uBAAuB;oBACvB,mBAAmB;iBACpB;gBACD,YAAY,EAAE;oBACZ,2EAA2E;oBAC3E,8EAA8E;oBAC9E,wEAAwE;iBACzE;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,qCAAqC;oBAC/C,cAAc,EAAE,8DAA8D;oBAC9E,WAAW,EAAE,2JAA2J;iBACzK;aACF;YACD,sBAAsB,EAAE;gBACtB,kFAAkF;aACnF;SACF;QACD,mBAAmB,EAAE;YACnB,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE,wCAAwC,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBAC9G,EAAE,GAAG,EAAE,gBAAgB,EAAE,IAAI,EAAE,sCAAsC,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBAC9G,EAAE,GAAG,EAAE,sCAAsC,EAAE,IAAI,EAAE,sBAAsB,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBACpH,EAAE,GAAG,EAAE,oBAAoB,EAAE,IAAI,EAAE,sBAAsB,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBAClG,EAAE,GAAG,EAAE,sBAAsB,EAAE,IAAI,EAAE,uCAAuC,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;aACtH;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,yCAAyC,EAAE,GAAG,EAAE,2CAA2C,EAAE;gBACpG,EAAE,GAAG,EAAE,yCAAyC,EAAE,GAAG,EAAE,0CAA0C,EAAE;aACpG;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,cAAc;oBACd,aAAa;oBACb,eAAe;oBACf,UAAU;oBACV,cAAc;oBACd,gBAAgB;iBACjB;gBACD,SAAS,EAAE;oBACT,gCAAgC;oBAChC,uBAAuB;oBACvB,mBAAmB;iBACpB;gBACD,YAAY,EAAE;oBACZ,8GAA8G;oBAC9G,6EAA6E;oBAC7E,iFAAiF;iBAClF;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,gDAAgD;oBAC1D,cAAc,EAAE,0EAA0E;oBAC1F,WAAW,EAAE,gHAAgH;iBAC9H;aACF;YACD,sBAAsB,EAAE;gBACtB,4FAA4F;gBAC5F,oFAAoF;aACrF;SACF;QACD,IAAI,EAAE;YACJ,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,yBAAyB,EAAE,IAAI,EAAE,oEAAoE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACjI,EAAE,GAAG,EAAE,uCAAuC,EAAE,IAAI,EAAE,qCAAqC,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBAChH,EAAE,GAAG,EAAE,aAAa,EAAE,IAAI,EAAE,iEAAiE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;aACnH;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,wCAAwC,EAAE,GAAG,EAAE,2BAA2B,EAAE;gBACnF,EAAE,GAAG,EAAE,+CAA+C,EAAE,GAAG,EAAE,8CAA8C,EAAE;aAC9G;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,sBAAsB;oBACtB,0BAA0B;oBAC1B,cAAc;oBACd,UAAU;oBACV,wBAAwB;iBACzB;gBACD,SAAS,EAAE,CAAC,kBAAkB,EAAE,sBAAsB,EAAE,sBAAsB,CAAC;gBAC/E,YAAY,EAAE;oBACZ,mFAAmF;oBACnF,0FAA0F;iBAC3F;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,uBAAuB;oBACjC,cAAc,EAAE,yFAAyF;oBACzG,WAAW,EAAE,wJAAwJ;iBACtK;aACF;YACD,sBAAsB,EAAE;gBACtB,gFAAgF;aACjF;SACF;QACD,mBAAmB,EAAE;YACnB,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,qBAAqB,EAAE,IAAI,EAAE,kDAAkD,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBAC1G,EAAE,GAAG,EAAE,qBAAqB,EAAE,IAAI,EAAE,iDAAiD,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBACzG,EAAE,GAAG,EAAE,uCAAuC,EAAE,IAAI,EAAE,+CAA+C,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;aAC1H;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,6BAA6B,EAAE,GAAG,EAAE,oCAAoC,EAAE;gBACjF,EAAE,GAAG,EAAE,6CAA6C,EAAE,GAAG,EAAE,gCAAgC,EAAE;gBAC7F,EAAE,GAAG,EAAE,+BAA+B,EAAE,GAAG,EAAE,4BAA4B,EAAE;aAC5E;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,gBAAgB;oBAChB,gBAAgB;oBAChB,cAAc;oBACd,cAAc;iBACf;gBACD,SAAS,EAAE,CAAC,yBAAyB,EAAE,kBAAkB,EAAE,gBAAgB,CAAC;gBAC5E,YAAY,EAAE;oBACZ,mDAAmD;oBACnD,4DAA4D;oBAC5D,0DAA0D;iBAC3D;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,yCAAyC;oBACnD,cAAc,EAAE,iEAAiE;oBACjF,WAAW,EAAE,yHAAyH;iBACvI;aACF;YACD,sBAAsB,EAAE;gBACtB,uEAAuE;aACxE;SACF;QACD,IAAI,EAAE;YACJ,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,gCAAgC,EAAE,IAAI,EAAE,8CAA8C,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBACjH,EAAE,GAAG,EAAE,wCAAwC,EAAE,IAAI,EAAE,0BAA0B,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBACrG,EAAE,GAAG,EAAE,wBAAwB,EAAE,IAAI,EAAE,uCAAuC,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBAClG,EAAE,GAAG,EAAE,iCAAiC,EAAE,IAAI,EAAE,oCAAoC,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;aACzG;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,2CAA2C,EAAE,GAAG,EAAE,4BAA4B,EAAE;gBACvF,EAAE,GAAG,EAAE,6BAA6B,EAAE,GAAG,EAAE,qBAAqB,EAAE;gBAClE,EAAE,GAAG,EAAE,oCAAoC,EAAE,GAAG,EAAE,8CAA8C,EAAE;aACnG;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,gBAAgB;oBAChB,iBAAiB;oBACjB,YAAY;oBACZ,YAAY;oBACZ,eAAe;oBACf,YAAY;iBACb;gBACD,SAAS,EAAE,CAAC,uBAAuB,EAAE,wBAAwB,EAAE,gBAAgB,CAAC;gBAChF,YAAY,EAAE;oBACZ,gEAAgE;oBAChE,yEAAyE;iBAC1E;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,2BAA2B;oBACrC,cAAc,EAAE,8GAA8G;oBAC9H,WAAW,EAAE,wHAAwH;iBACtI;aACF;YACD,sBAAsB,EAAE;gBACtB,oDAAoD;gBACpD,kFAAkF;aACnF;SACF;KACF;CACF,CAAC"}

package/dist/prompts/languages/python.d.ts

@@ -0,0 +1,2 @@
+import type { LanguageProfile } from "./types.js";
+export declare const pythonProfile: LanguageProfile;

package/dist/prompts/languages/python.js

@@ -0,0 +1,283 @@
+// NOTE: This file contains DETECTION PATTERNS for a security scanner.
+// The API references (subprocess, pickle, etc.) are DETECTION TARGETS
+// describing what the scanner looks for in scanned codebases,
+// not code this file executes.
+export const pythonProfile = {
+    languageId: "Python",
+    aliases: ["python", "py", "python3"],
+    generalHints: {
+        grepPatterns: [
+            "import\\s+subprocess",
+            "import\\s+os",
+            "from\\s+flask",
+            "from\\s+django",
+            "from\\s+fastapi",
+            "@app\\.route",
+            "def\\s+\\w+.*request",
+        ],
+        fileHints: [
+            "settings.py / config.py for Django/Flask configuration",
+            "requirements.txt / pyproject.toml for dependency versions",
+            "urls.py for Django route definitions",
+            "views.py / routes.py for request handlers",
+            "manage.py and management/commands/ for Django management commands",
+            "celery tasks (tasks.py) for background job handlers",
+        ],
+        instructions: [
+            "Check Django settings for DEBUG, ALLOWED_HOSTS, SECRET_KEY, SECURE_* flags",
+            "Look for Flask routes with methods=['POST'] and raw request.data access",
+            "Check FastAPI Depends() chains for missing auth dependencies",
+            "Inspect Celery task arguments — are they user-controlled?",
+        ],
+    },
+    generalAntiHallucination: [
+        "Django ORM parameterized queries are SAFE against SQL injection — do NOT flag Model.objects.filter(field=value)",
+        "Flask/Django built-in template rendering auto-escapes by default — only flag |safe or Markup() usage",
+        "Python json.loads() is SAFE — it does not run code during deserialization",
+    ],
+    vulnClasses: {
+        "command-injection": {
+            sinks: [
+                { api: "os.system(cmd)", risk: "Full shell interpretation of cmd string", shellInvoking: true, cwes: ["CWE-78"] },
+                { api: "os.popen(cmd)", risk: "Shell interpretation, returns pipe", shellInvoking: true, cwes: ["CWE-78"] },
+                { api: "subprocess with shell=True", risk: "Shell interpretation when shell=True", shellInvoking: true, cwes: ["CWE-78"] },
+                { api: "subprocess with list args, shell=False", risk: "SAFE against metachar injection when passed as list", shellInvoking: false, cwes: ["CWE-78"] },
+            ],
+            safePatterns: [
+                { api: "subprocess.run([cmd, arg1, arg2])", why: "List args with shell=False (default) prevents metachar injection" },
+                { api: "shlex.quote() wrapping user input", why: "Proper shell escaping before insertion into command string" },
+                { api: "subprocess with all hardcoded arguments", why: "No attacker-controlled data in arguments" },
+            ],
+            investigationHints: {
+                grepPatterns: [
+                    "os\\.system\\(",
+                    "os\\.popen\\(",
+                    "subprocess\\.",
+                    "shell=True",
+                    "shlex\\.quote",
+                ],
+                fileHints: [
+                    "Django management commands (management/commands/)",
+                    "Celery tasks (tasks.py)",
+                    "Scripts that invoke external tools (ffmpeg, imagemagick, git)",
+                ],
+                instructions: [
+                    "Check if subprocess calls use shell=True — this is the critical distinction in Python",
+                    "Look for f-strings or .format() constructing shell command strings with user data",
+                    "Check Django management commands for subprocess calls with user-influenced arguments",
+                    "Inspect Celery task definitions — their arguments may come from untrusted web requests",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "Django management command with shell injection",
+                    vulnerableCode: 'def handle(self, *args, **options):\n    db_name = options["database"]\n    subprocess.call(f"pg_dump {db_name}", shell=True)',
+                    explanation: "db_name from command options flows to shell via f-string with shell=True. If db_name is user-influenced, attacker injects shell commands.",
+                },
+            ],
+            frameworkGuidance: [
+                {
+                    framework: "Django",
+                    defaults: ["Django ORM avoids most need for shell commands"],
+                    pitfalls: ["Management commands often use subprocess for database/migration tools", "Settings values (DB name, paths) may flow to subprocess calls"],
+                    configChecks: ["Check DATABASES config for names flowing to shell commands"],
+                },
+            ],
+            antiHallucinationExtra: [
+                "subprocess.run() with a list argument and shell=False (the default) is SAFE against metachar injection — do NOT flag it",
+                "Do NOT flag subprocess calls where all arguments are hardcoded strings with no user data",
+            ],
+        },
+        deserialization: {
+            sinks: [
+                { api: "pickle.loads/load", risk: "Runs arbitrary Python code during deserialization via __reduce__", cwes: ["CWE-502"] },
+                { api: "yaml.load() without SafeLoader", risk: "YAML !!python/object tags run arbitrary code", cwes: ["CWE-502"] },
+                { api: "shelve.open()", risk: "Uses pickle internally — same code-exec risk", cwes: ["CWE-502"] },
+                { api: "marshal.loads()", risk: "Can run code via crafted bytecode objects", cwes: ["CWE-502"] },
+                { api: "dill.loads()", risk: "Extended pickle — same arbitrary code execution", cwes: ["CWE-502"] },
+                { api: "jsonpickle.decode()", risk: "Deserializes Python objects from JSON — code-exec via crafted payloads", cwes: ["CWE-502"] },
+            ],
+            safePatterns: [
+                { api: "json.loads(data)", why: "JSON parsing does NOT run code — safe for untrusted input" },
+                { api: "yaml.safe_load(data)", why: "SafeLoader rejects dangerous YAML tags" },
+                { api: "yaml.load(data, Loader=SafeLoader)", why: "Explicitly safe loader" },
+            ],
+            investigationHints: {
+                grepPatterns: [
+                    "pickle\\.",
+                    "yaml\\.load\\(",
+                    "yaml\\.unsafe_load",
+                    "shelve\\.",
+                    "marshal\\.",
+                    "dill\\.",
+                    "jsonpickle\\.",
+                    "SafeLoader",
+                ],
+                fileHints: [
+                    "Cache backends (Redis/Memcached serialization)",
+                    "Celery result backends and message serializers",
+                    "Session storage implementations",
+                    "ML model loading code (joblib, torch.load)",
+                ],
+                instructions: [
+                    "Check if pickle/yaml.load processes data from HTTP requests, message queues, or uploaded files",
+                    "Look at Celery configuration — CELERY_ACCEPT_CONTENT and CELERY_RESULT_SERIALIZER settings control serialization format",
+                    "Check ML model loading — torch.load and joblib.load use pickle internally",
+                    "Inspect cache get/set operations — some cache backends serialize with pickle by default",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "Flask endpoint deserializing uploaded data unsafely",
+                    vulnerableCode: '@app.route("/import", methods=["POST"])\ndef import_data():\n    data = pickle.loads(request.data)\n    return process(data)',
+                    explanation: "request.data is attacker-controlled. Unsafe deserialization runs arbitrary code via __reduce__ method in crafted payloads.",
+                },
+            ],
+            frameworkGuidance: [
+                {
+                    framework: "Django",
+                    defaults: ["Django sessions use JSON serializer by default since 1.6"],
+                    pitfalls: ["SESSION_SERIALIZER can be changed to PickleSerializer", "Cache backends may use pickle"],
+                    configChecks: ["Check SESSION_SERIALIZER in settings.py", "Check CACHES backend configuration"],
+                },
+                {
+                    framework: "Flask",
+                    defaults: ["Flask session cookies are signed and use JSON by default"],
+                    pitfalls: ["Flask-Caching with certain backends may use pickle", "Custom session stores may use pickle"],
+                    configChecks: ["Check CACHE_TYPE configuration"],
+                },
+            ],
+            antiHallucinationExtra: [
+                "json.loads() is SAFE — it does NOT run code. Never flag JSON deserialization as unsafe",
+                "yaml.safe_load() is SAFE — only flag yaml.load() without SafeLoader or yaml.unsafe_load()",
+                "torch.load with weights_only=True is safe (PyTorch 2.6+)",
+            ],
+        },
+        "template-injection": {
+            sinks: [
+                { api: "jinja2.Template(user_str).render()", risk: "User-controlled Jinja2 template — SSTI enables RCE via __class__.__mro__ chain", cwes: ["CWE-1336"] },
+                { api: "render_template_string(user_str)", risk: "Flask helper that compiles user string as Jinja2 template", cwes: ["CWE-1336"] },
+                { api: "mako.template.Template(user_str)", risk: "Mako templates allow Python code execution", cwes: ["CWE-1336"] },
+            ],
+            safePatterns: [
+                { api: "render_template('file.html', var=user_data)", why: "User data passed as variable, not as template source — Jinja2 auto-escapes" },
+                { api: "Jinja2 SandboxedEnvironment", why: "Restricts template capabilities (but can be bypassed — verify version)" },
+            ],
+            investigationHints: {
+                grepPatterns: [
+                    "render_template_string",
+                    "Template\\(",
+                    "from_string\\(",
+                    "Environment\\(",
+                ],
+                fileHints: [
+                    "View functions that render templates",
+                    "Email template generation code",
+                    "Report/PDF generation code",
+                ],
+                instructions: [
+                    "Check if user input is passed as the template string (first arg) vs. as a template variable",
+                    "render_template('file.html', name=user_input) is SAFE — render_template_string(user_input) is DANGEROUS",
+                    "Look for custom template rendering in email/notification systems",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "Flask SSTI via render_template_string",
+                    vulnerableCode: '@app.route("/greet")\ndef greet():\n    name = request.args.get("name")\n    return render_template_string(f"Hello {name}!")',
+                    explanation: "User-controlled name is interpolated into the template string before Jinja2 compiles it. Attacker sends {{config.items()}} to extract secrets or chain to RCE.",
+                },
+            ],
+            antiHallucinationExtra: [
+                "render_template('template.html', var=user_input) is SAFE — user data is a variable, not the template",
+                "Jinja2 auto-escapes HTML by default — this prevents XSS but NOT SSTI (different vulnerability class)",
+            ],
+        },
+        ssrf: {
+            sinks: [
+                { api: "requests.get/post(url)", risk: "URL from user input can target internal services", cwes: ["CWE-918"] },
+                { api: "urllib.request.urlopen(url)", risk: "No URL validation — can reach internal endpoints", cwes: ["CWE-918"] },
+                { api: "httpx.get/post(url)", risk: "Same risk as requests — user-controlled URL", cwes: ["CWE-918"] },
+                { api: "aiohttp.ClientSession.get(url)", risk: "Async HTTP client with user-controlled URL", cwes: ["CWE-918"] },
+            ],
+            safePatterns: [
+                { api: "URL validated against allowlist of domains", why: "Only permitted domains are reachable" },
+                { api: "Requests to hardcoded URLs with user data in body/params", why: "URL is fixed, user controls only payload" },
+            ],
+            investigationHints: {
+                grepPatterns: [
+                    "requests\\.(get|post|put|delete|head)\\(",
+                    "urlopen\\(",
+                    "httpx\\.",
+                    "aiohttp",
+                ],
+                fileHints: [
+                    "Webhook handlers",
+                    "URL preview/unfurl features",
+                    "Proxy or redirect endpoints",
+                    "File download/import from URL features",
+                ],
+                instructions: [
+                    "Check if the URL parameter comes from user input (request args, form data, database record from user)",
+                    "Look for URL parsing that can be bypassed (checking startswith('http') does not prevent http://internal)",
+                    "Check for redirect following — requests follows redirects by default, which can bypass URL checks",
+                    "Cloud metadata: can the URL reach 169.254.169.254 (AWS), metadata.google.internal, etc.?",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "Webhook URL validation bypass",
+                    vulnerableCode: '@app.route("/webhook", methods=["POST"])\ndef register_webhook():\n    url = request.json["callback_url"]\n    if not url.startswith("https://"):\n        abort(400)\n    requests.get(url)',
+                    explanation: "startswith check is insufficient — attacker sends https://169.254.169.254/latest/meta-data/ to reach AWS metadata endpoint.",
+                },
+            ],
+            antiHallucinationExtra: [
+                "Requests to hardcoded URLs with only user-controlled query params or body data are NOT SSRF",
+                "Internal service-to-service calls with no user-controlled URL component are NOT SSRF",
+            ],
+        },
+        "race-condition": {
+            sinks: [
+                { api: "Shared mutable state without locks", risk: "Concurrent access to shared dict/list/object from multiple threads or async tasks", cwes: ["CWE-362"] },
+                { api: "TOCTOU on filesystem", risk: "Check-then-act on file existence/permissions with race window", cwes: ["CWE-367"] },
+                { api: "Django get_or_create without select_for_update", risk: "Race between check and create in concurrent requests", cwes: ["CWE-362"] },
+            ],
+            safePatterns: [
+                { api: "threading.Lock / asyncio.Lock around shared state", why: "Proper synchronization" },
+                { api: "Django select_for_update()", why: "Database-level row locking prevents concurrent modification" },
+                { api: "Atomic database operations (F() expressions, update())", why: "Single SQL statement is atomic" },
+            ],
+            investigationHints: {
+                grepPatterns: [
+                    "threading\\.Thread",
+                    "asyncio\\.gather",
+                    "concurrent\\.futures",
+                    "get_or_create",
+                    "select_for_update",
+                ],
+                fileHints: [
+                    "Background task/worker code",
+                    "Payment or balance-modifying endpoints",
+                    "User registration or resource allocation code",
+                ],
+                instructions: [
+                    "Look for read-modify-write patterns on shared state without locking",
+                    "Check Django views that modify balances/counters — are they using F() expressions or select_for_update?",
+                    "In async code, check if shared state is modified across await points without asyncio.Lock",
+                ],
+            },
+            fewShots: [
+                {
+                    scenario: "Double-spend via Django balance update race",
+                    vulnerableCode: 'def withdraw(request):\n    account = Account.objects.get(user=request.user)\n    if account.balance >= amount:\n        account.balance -= amount\n        account.save()',
+                    explanation: "Two concurrent requests both read the same balance, both pass the check, both subtract — double withdrawal. Fix: use select_for_update() or F() expressions.",
+                },
+            ],
+            antiHallucinationExtra: [
+                "Single-threaded Python code (no threading/asyncio) is NOT vulnerable to race conditions via the GIL (but IO-bound async code CAN race)",
+                "Django ORM operations that use F() expressions are atomic at the database level",
+            ],
+        },
+    },
+};
+//# sourceMappingURL=python.js.map

package/dist/prompts/languages/python.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"python.js","sourceRoot":"","sources":["../../../src/prompts/languages/python.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,sEAAsE;AACtE,8DAA8D;AAC9D,+BAA+B;AAI/B,MAAM,CAAC,MAAM,aAAa,GAAoB;IAC5C,UAAU,EAAE,QAAQ;IACpB,OAAO,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,SAAS,CAAC;IACpC,YAAY,EAAE;QACZ,YAAY,EAAE;YACZ,sBAAsB;YACtB,cAAc;YACd,eAAe;YACf,gBAAgB;YAChB,iBAAiB;YACjB,cAAc;YACd,sBAAsB;SACvB;QACD,SAAS,EAAE;YACT,wDAAwD;YACxD,2DAA2D;YAC3D,sCAAsC;YACtC,2CAA2C;YAC3C,mEAAmE;YACnE,qDAAqD;SACtD;QACD,YAAY,EAAE;YACZ,4EAA4E;YAC5E,yEAAyE;YACzE,8DAA8D;YAC9D,2DAA2D;SAC5D;KACF;IACD,wBAAwB,EAAE;QACxB,iHAAiH;QACjH,sGAAsG;QACtG,2EAA2E;KAC5E;IACD,WAAW,EAAE;QACX,mBAAmB,EAAE;YACnB,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,gBAAgB,EAAE,IAAI,EAAE,yCAAyC,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBACjH,EAAE,GAAG,EAAE,eAAe,EAAE,IAAI,EAAE,oCAAoC,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBAC3G,EAAE,GAAG,EAAE,4BAA4B,EAAE,IAAI,EAAE,sCAAsC,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;gBAC1H,EAAE,GAAG,EAAE,wCAAwC,EAAE,IAAI,EAAE,qDAAqD,EAAE,aAAa,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,EAAE;aACvJ;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,mCAAmC,EAAE,GAAG,EAAE,kEAAkE,EAAE;gBACrH,EAAE,GAAG,EAAE,mCAAmC,EAAE,GAAG,EAAE,4DAA4D,EAAE;gBAC/G,EAAE,GAAG,EAAE,yCAAyC,EAAE,GAAG,EAAE,0CAA0C,EAAE;aACpG;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,gBAAgB;oBAChB,eAAe;oBACf,eAAe;oBACf,YAAY;oBACZ,eAAe;iBAChB;gBACD,SAAS,EAAE;oBACT,mDAAmD;oBACnD,yBAAyB;oBACzB,+DAA+D;iBAChE;gBACD,YAAY,EAAE;oBACZ,uFAAuF;oBACvF,mFAAmF;oBACnF,sFAAsF;oBACtF,wFAAwF;iBACzF;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,gDAAgD;oBAC1D,cAAc,EAAE,+HAA+H;oBAC/I,WAAW,EAAE,2IAA2I;iBACzJ;aACF;YACD,iBAAiB,EAAE;gBACjB;oBACE,SAAS,EAAE,QAAQ;oBACnB,QAAQ,EAAE,CAAC,gDAAgD,CAAC;oBAC5D,QAAQ,EAAE,CAAC,uEAAuE,EAAE,+DAA+D,CAAC;oBACpJ,YAAY,EAAE,CAAC,4DAA4D,CAAC;iBAC7E;aACF;YACD,sBAAsB,EAAE;gBACtB,yHAAyH;gBACzH,0FAA0F;aAC3F;SACF;QACD,eAAe,EAAE;YACf,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,mBAAmB,EAAE,IAAI,EAAE,kEAAkE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACzH,EAAE,GAAG,EAAE,gCAAgC,EAAE,IAAI,EAAE,8CAA8C,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBAClH,EAAE,GAAG,EAAE,eAAe,EAAE,IAAI,EAAE,8CAA8C,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACjG,EAAE,GAAG,EAAE,iBAAiB,EAAE,IAAI,EAAE,2CAA2C,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBAChG,EAAE,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE,iDAAiD,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACnG,EAAE,GAAG,EAAE,qBAAqB,EAAE,IAAI,EAAE,wEAAwE,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;aAClI;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,kBAAkB,EAAE,GAAG,EAAE,2DAA2D,EAAE;gBAC7F,EAAE,GAAG,EAAE,sBAAsB,EAAE,GAAG,EAAE,wCAAwC,EAAE;gBAC9E,EAAE,GAAG,EAAE,oCAAoC,EAAE,GAAG,EAAE,wBAAwB,EAAE;aAC7E;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,WAAW;oBACX,gBAAgB;oBAChB,oBAAoB;oBACpB,WAAW;oBACX,YAAY;oBACZ,SAAS;oBACT,eAAe;oBACf,YAAY;iBACb;gBACD,SAAS,EAAE;oBACT,gDAAgD;oBAChD,gDAAgD;oBAChD,iCAAiC;oBACjC,4CAA4C;iBAC7C;gBACD,YAAY,EAAE;oBACZ,gGAAgG;oBAChG,yHAAyH;oBACzH,2EAA2E;oBAC3E,yFAAyF;iBAC1F;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,qDAAqD;oBAC/D,cAAc,EAAE,8HAA8H;oBAC9I,WAAW,EAAE,4HAA4H;iBAC1I;aACF;YACD,iBAAiB,EAAE;gBACjB;oBACE,SAAS,EAAE,QAAQ;oBACnB,QAAQ,EAAE,CAAC,0DAA0D,CAAC;oBACtE,QAAQ,EAAE,CAAC,uDAAuD,EAAE,+BAA+B,CAAC;oBACpG,YAAY,EAAE,CAAC,yCAAyC,EAAE,oCAAoC,CAAC;iBAChG;gBACD;oBACE,SAAS,EAAE,OAAO;oBAClB,QAAQ,EAAE,CAAC,0DAA0D,CAAC;oBACtE,QAAQ,EAAE,CAAC,oDAAoD,EAAE,sCAAsC,CAAC;oBACxG,YAAY,EAAE,CAAC,gCAAgC,CAAC;iBACjD;aACF;YACD,sBAAsB,EAAE;gBACtB,wFAAwF;gBACxF,2FAA2F;gBAC3F,0DAA0D;aAC3D;SACF;QACD,oBAAoB,EAAE;YACpB,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,oCAAoC,EAAE,IAAI,EAAE,gFAAgF,EAAE,IAAI,EAAE,CAAC,UAAU,CAAC,EAAE;gBACzJ,EAAE,GAAG,EAAE,kCAAkC,EAAE,IAAI,EAAE,2DAA2D,EAAE,IAAI,EAAE,CAAC,UAAU,CAAC,EAAE;gBAClI,EAAE,GAAG,EAAE,kCAAkC,EAAE,IAAI,EAAE,4CAA4C,EAAE,IAAI,EAAE,CAAC,UAAU,CAAC,EAAE;aACpH;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,6CAA6C,EAAE,GAAG,EAAE,4EAA4E,EAAE;gBACzI,EAAE,GAAG,EAAE,6BAA6B,EAAE,GAAG,EAAE,wEAAwE,EAAE;aACtH;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,wBAAwB;oBACxB,aAAa;oBACb,gBAAgB;oBAChB,gBAAgB;iBACjB;gBACD,SAAS,EAAE;oBACT,sCAAsC;oBACtC,gCAAgC;oBAChC,4BAA4B;iBAC7B;gBACD,YAAY,EAAE;oBACZ,6FAA6F;oBAC7F,yGAAyG;oBACzG,kEAAkE;iBACnE;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,uCAAuC;oBACjD,cAAc,EAAE,8HAA8H;oBAC9I,WAAW,EAAE,gKAAgK;iBAC9K;aACF;YACD,sBAAsB,EAAE;gBACtB,sGAAsG;gBACtG,sGAAsG;aACvG;SACF;QACD,IAAI,EAAE;YACJ,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,wBAAwB,EAAE,IAAI,EAAE,kDAAkD,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBAC9G,EAAE,GAAG,EAAE,6BAA6B,EAAE,IAAI,EAAE,kDAAkD,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACnH,EAAE,GAAG,EAAE,qBAAqB,EAAE,IAAI,EAAE,6CAA6C,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACtG,EAAE,GAAG,EAAE,gCAAgC,EAAE,IAAI,EAAE,4CAA4C,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;aACjH;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,4CAA4C,EAAE,GAAG,EAAE,sCAAsC,EAAE;gBAClG,EAAE,GAAG,EAAE,0DAA0D,EAAE,GAAG,EAAE,0CAA0C,EAAE;aACrH;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,0CAA0C;oBAC1C,YAAY;oBACZ,UAAU;oBACV,SAAS;iBACV;gBACD,SAAS,EAAE;oBACT,kBAAkB;oBAClB,6BAA6B;oBAC7B,6BAA6B;oBAC7B,wCAAwC;iBACzC;gBACD,YAAY,EAAE;oBACZ,uGAAuG;oBACvG,0GAA0G;oBAC1G,mGAAmG;oBACnG,0FAA0F;iBAC3F;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,+BAA+B;oBACzC,cAAc,EAAE,8LAA8L;oBAC9M,WAAW,EAAE,6HAA6H;iBAC3I;aACF;YACD,sBAAsB,EAAE;gBACtB,6FAA6F;gBAC7F,sFAAsF;aACvF;SACF;QACD,gBAAgB,EAAE;YAChB,KAAK,EAAE;gBACL,EAAE,GAAG,EAAE,oCAAoC,EAAE,IAAI,EAAE,mFAAmF,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBAC3J,EAAE,GAAG,EAAE,sBAAsB,EAAE,IAAI,EAAE,+DAA+D,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;gBACzH,EAAE,GAAG,EAAE,gDAAgD,EAAE,IAAI,EAAE,sDAAsD,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE;aAC3I;YACD,YAAY,EAAE;gBACZ,EAAE,GAAG,EAAE,mDAAmD,EAAE,GAAG,EAAE,wBAAwB,EAAE;gBAC3F,EAAE,GAAG,EAAE,4BAA4B,EAAE,GAAG,EAAE,6DAA6D,EAAE;gBACzG,EAAE,GAAG,EAAE,wDAAwD,EAAE,GAAG,EAAE,gCAAgC,EAAE;aACzG;YACD,kBAAkB,EAAE;gBAClB,YAAY,EAAE;oBACZ,oBAAoB;oBACpB,kBAAkB;oBAClB,sBAAsB;oBACtB,eAAe;oBACf,mBAAmB;iBACpB;gBACD,SAAS,EAAE;oBACT,6BAA6B;oBAC7B,wCAAwC;oBACxC,+CAA+C;iBAChD;gBACD,YAAY,EAAE;oBACZ,qEAAqE;oBACrE,yGAAyG;oBACzG,2FAA2F;iBAC5F;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,QAAQ,EAAE,6CAA6C;oBACvD,cAAc,EAAE,4KAA4K;oBAC5L,WAAW,EAAE,8JAA8J;iBAC5K;aACF;YACD,sBAAsB,EAAE;gBACtB,wIAAwI;gBACxI,iFAAiF;aAClF;SACF;KACF;CACF,CAAC"}

package/dist/prompts/languages/ruby.d.ts

@@ -0,0 +1,2 @@
+import type { LanguageProfile } from "./types.js";
+export declare const rubyProfile: LanguageProfile;