opensecurity 0.1.0 → 0.2.0

package/README.md

@@ -1,56 +1,74 @@
 # OpenSecurity
 
-OpenSecurity is an open-source CLI for scanning codebases for security risks, with first-class static analysis for JavaScript/TypeScript and optional AI scanning for broader files.
-It combines:
+OpenSecurity is an open-source CLI that scans entire repositories for security risks across application code, infrastructure/config files, and dependencies. It combines fast local analysis with optional AI scanning to keep coverage broad but practical.
 
-- Static analysis with AST-based taint rules (OWASP-focused).
-- Dependency scanning with CVE lookup (local cache or API).
-- Optional AI-assisted scanning for deeper findings.
+At a high level, it uses multiple engines:
 
-## Project Status
-
-Active. This repo is maintained and intended for open-source use. Contributions are welcome.
+- **JS/TS native AST + taint + patterns**
+- **Tree‑sitter native taint** for Python/Go/Java/C#/Ruby/PHP/Rust/Kotlin/Swift/C/C++
+- **External adapters** (Bandit, gosec, Brakeman, Semgrep) when installed
+- **Infra/config patterns** (Dockerfile, Kubernetes/Helm, Terraform, YAML)
+- **Dependency CVE scanning** for npm/PyPI
+- **Optional AI scan** across text files (`--no-ai` to disable)
 
+Universal patterns are heuristic (fast but shallow). Native AST/taint is a baseline multi‑lang engine and does not replace deep, language‑specific SAST.
 ## Scope
 
-- Target languages for static analysis: JavaScript and TypeScript.
-- Dependency scanning: npm and PyPI manifests.
-- AI scanning is optional and requires an API key (defaults to scanning all text files).
+- JS/TS native AST + taint + patterns
+- Tree‑sitter native taint for Python/Go/Java/C#/Ruby/PHP/Rust/Kotlin/Swift/C/C++
+- Optional adapters: Bandit, gosec, Brakeman, Semgrep
+- Infra/config patterns: Dockerfile, Kubernetes/Helm YAML, Terraform, generic YAML
+- Dependency scanning: npm and PyPI manifests
+- AI scanning is optional but **recommended** for deeper coverage; it requires an API key and is skipped when none is configured
 
 ## Non-Goals
 
 - This tool is not a full SAST replacement or compliance scanner.
 - It does not execute or sandbox code.
 - It does not guarantee complete coverage of all vulnerabilities.
+- It does not replace specialized commercial scanners (e.g., Codex Security, Claude Security).
+- For compliance-grade coverage, use dedicated SAST/compliance tooling.
+- Use it as a complementary signal, not a single source of truth.
 
-## Quick Start
+## Install(recommended)
+Node.js 20+ is required.
 
 ```bash
-npm install
-npm run dev -- scan --dry-run
+npm i opensecurity
 ```
 
-Build the CLI:
+Package: `https://www.npmjs.com/package/opensecurity`
+
+No build step is required when installing from npm.
+
+## Quick Start
+
+1) Configure API key (optional, only if you want AI scanning):
 
 ```bash
-npm run build
-./dist/cli.js scan --dry-run
+opensecurity login --mode api_key --provider openai
 ```
 
-## Install
+2) Run a scan:
+
+```bash
+opensecurity scan
+```
 
-From source:
+3) Common options:
 
 ```bash
-npm install
-npm run build
-npm link
-opensecurity scan --dry-run
+opensecurity scan --diff-only
+opensecurity scan --no-ai
+opensecurity scan --provider anthropic --model claude-sonnet-4-20250514
 ```
 
+If no API key is configured, AI scanning is skipped automatically.
+If you only want local scanning, you can skip login and run `opensecurity scan --no-ai`.
+
 ## Supported Platforms
 
-- Node.js 20+
+- Node.js 20+ is required.
 - macOS, Linux, Windows
 
 ## Features
@@ -58,11 +76,98 @@ opensecurity scan --dry-run
 - AST taint engine with configurable sources/sinks/sanitizers.
 - OWASP-aligned default rules (injection, SSRF, path traversal, XSS templates, SQLi).
 - Pattern-based detectors (hardcoded secrets, insecure crypto, unsafe deserialization).
+- Optional external adapters for top languages (Bandit, gosec, Brakeman, Semgrep).
 - Dependency scanning for npm and PyPI (`package.json`, `package-lock.json`, `requirements.txt`).
 - Text, JSON, and SARIF output.
 - Optional AI scan (API key or OAuth flow) with multiple providers.
 - Configurable include/exclude filters and scan scope.
 
+## How It Works
+
+1. **File discovery**
+   - Walks the repository based on `include`/`exclude`.
+   - Optional `--diff-only` or `--path` to narrow scope.
+
+2. **Static analysis (JS/TS)**
+   - Parses JS/TS with Babel and runs taint rules (sources → sinks → sanitizers).
+   - Emits OWASP-aligned findings.
+
+3. **Pattern detectors (JS/TS)**
+   - Finds hardcoded secrets, insecure crypto, and unsafe deserialization.
+
+4. **AI scan (all text files by default)**
+   - Splits files into chunks and sends to the configured model.
+   - Optional multi‑agent batching with shared leader context.
+   - Optional per‑file cache to skip unchanged files.
+
+5. **Native AST/taint (Tree‑sitter)**
+   - Loads Tree‑sitter parsers (WASM default, native optional).
+   - Runs taint rules per language for core injection/path/SSRF/deserialization/XSS.
+
+6. **External language adapters**
+   - Runs optional tool adapters when installed (Bandit, gosec, Brakeman, Semgrep).
+   - Each adapter only runs if matching files exist and the tool is on PATH.
+
+7. **Infra/config patterns**
+   - Scans Dockerfile, Terraform, and Kubernetes/Helm YAML for risky defaults.
+
+8. **Dependency scan**
+   - Reads `package.json`, `package-lock.json`, and `requirements.txt`.
+   - Matches against CVE cache or API and adds recommendations.
+
+9. **Reporting**
+   - Outputs text, JSON, or SARIF.
+   - Optional `--fail-on`/`--fail-on-high` for CI gating.
+
+## External Adapters
+
+OpenSecurity can run optional external tools when they are installed and found on `PATH`.
+
+- `bandit` → Python
+- `gosec` → Go
+- `brakeman` → Ruby
+- `semgrep` → Java, C#, PHP, Rust, Kotlin, Swift, C/C++
+
+Adapters only run when matching files exist. Use `--disable-adapters` to skip or `--adapters` to whitelist.
+
+## Tree-sitter Grammars
+
+Native AST/taint uses Tree‑sitter grammars. WASM grammars live in `assets/grammars`.
+
+Build them locally:
+
+```bash
+npm run build-grammars
+```
+
+This repo ships prebuilt WASM grammars for the 10 native languages. If they are missing, OpenSecurity will try native Tree‑sitter bindings (if installed) and otherwise skip native taint for that language with a warning.
+
+## Native AST/Taint Matrix
+
+| Language | AST/Taint (Tree‑sitter) | Rules |
+| --- | --- | --- |
+| Python | ✅ | SQLi, Command Injection, Path Traversal, SSRF, Deserialization, Template XSS, Weak Crypto, Hardcoded Secret |
+| Go | ✅ | SQLi, Command Injection, Path Traversal, SSRF, Template XSS, Weak Crypto, Hardcoded Secret |
+| Java | ✅ | SQLi, Command Injection, Path Traversal, SSRF, Deserialization, Template XSS, Weak Crypto, Hardcoded Secret |
+| C# | ✅ | SQLi, Command Injection, Path Traversal, SSRF, Deserialization, Template XSS, Weak Crypto, Hardcoded Secret |
+| Ruby | ✅ | SQLi, Command Injection, Path Traversal, SSRF, Deserialization, Template XSS, Weak Crypto, Hardcoded Secret |
+| PHP | ✅ | SQLi, Command Injection, Path Traversal, SSRF, Deserialization, Template XSS, Weak Crypto, Hardcoded Secret |
+| Rust | ✅ | SQLi, Command Injection, Path Traversal, SSRF, Template XSS, Weak Crypto, Hardcoded Secret |
+| Kotlin | ✅ | SQLi, Command Injection, Path Traversal, SSRF, Template XSS, Weak Crypto, Hardcoded Secret |
+| Swift | ✅ | SQLi, Command Injection, Path Traversal, SSRF, Template XSS, Weak Crypto, Hardcoded Secret |
+| C/C++ | ✅ | Command Injection, Path Traversal, Weak Crypto, Hardcoded Secret |
+
+Rule coverage is heuristic and may miss context; validate findings in your environment.
+
+## Infra/Config Coverage
+
+Built-in infra checks include:
+
+- Dockerfile: `USER root`, privileged flags/capabilities.
+- Kubernetes/Helm YAML: `privileged`, `allowPrivilegeEscalation`, `readOnlyRootFilesystem:false`, `runAsNonRoot:false`, `runAsUser:0`, `seccompProfile: Unconfined`, `hostNetwork/hostPID/hostIPC`, `hostPath`.
+- Terraform: public security group ingress, public ACLs, public S3 ACLs, disabled S3 public access block, public RDS instances.
+- YAML: insecure TLS (`insecureSkipVerify`, `verify_ssl: false`).
+
 ## CLI
 
 ### `scan`
@@ -91,6 +196,14 @@ Common options:
 - `--ai-cache`: enable AI per-file cache (default)
 - `--no-ai-cache`: disable AI per-file cache
 - `--ai-cache-path <path>`: path to AI cache file
+- `--native-taint`: enable native multi-language taint engine (default)
+- `--no-native-taint`: disable native multi-language taint engine
+- `--native-langs <list>`: comma-separated native languages (python,go,java,csharp,ruby,php,rust,kotlin,swift,c,cpp)
+- `--native-cache`: enable native taint cache (default)
+- `--no-native-cache`: disable native taint cache
+- `--native-cache-path <path>`: path to native taint cache file
+- `--adapters <list>`: comma-separated adapter ids (bandit,gosec,brakeman,semgrep)
+- `--disable-adapters`: disable external static adapters
 - `--dependency-only`: only run dependency scan
 - `--no-ai`: disable AI scanning
 - `--dry-run`: list matched files without scanning
@@ -107,6 +220,12 @@ opensecurity scan --no-ai
 opensecurity scan --format sarif --sarif-output reports/opensecurity.sarif
 opensecurity scan --provider anthropic --model claude-sonnet-4-20250514
 opensecurity scan --dependency-only --simulate
+opensecurity scan --ai-multi-agent --ai-batch-size 25 --ai-batch-depth 2
+opensecurity scan --diff-only --diff-base main
+opensecurity scan --path src/
+opensecurity scan --adapters bandit,gosec
+opensecurity scan --disable-adapters
+opensecurity scan --native-langs python,go,java
 ```
 
 ### `login`
@@ -154,7 +273,15 @@ Project config: `.opensecurity.json`
   "cveApiUrl": "https://example.com/osv",
   "dataSensitivity": "medium",
   "maxChars": 4000,
-  "concurrency": 2
+  "concurrency": 2,
+  "aiCache": true,
+  "aiCachePath": ".opensecurity/ai-cache.json",
+  "nativeTaint": true,
+  "nativeTaintLanguages": ["python", "go", "java", "csharp", "ruby", "php", "rust", "kotlin", "swift", "c", "cpp"],
+  "nativeTaintCache": true,
+  "nativeTaintCachePath": ".opensecurity/native-taint-cache.json",
+  "adapters": ["bandit", "gosec", "brakeman", "semgrep"],
+  "noAdapters": false
 }
 ```
 
@@ -201,10 +328,6 @@ Rule schema (simplified):
 - **JSON**: machine-readable, includes `schemaVersion`
 - **SARIF**: for CI and code scanning tools
 
-## Language Support
-
-- Static analysis: JavaScript and TypeScript
-- Dependency scanning: npm and PyPI manifests
 
 ## Security Notes
 
@@ -255,11 +378,14 @@ If you discover a vulnerability:
 
 For questions or help, open a GitHub issue with clear reproduction steps.
 
-## Development
+## Development (contributors)
 
 ```bash
 npm install
 npm run dev -- scan --dry-run
+npm run build
+npm link
+opensecurity scan --dry-run
 npm test
 ```
 

package/assets/grammars/README.md

@@ -0,0 +1,9 @@
+# Tree-sitter WASM Grammars
+
+This directory holds prebuilt Tree-sitter WASM grammar files used by the native multi-language taint engine.
+
+Generate or refresh them with:
+
+```bash
+npm run build-grammars
+```

package/dist/adapters/bandit.js

@@ -0,0 +1,41 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import { PYTHON_EXTS, matchesExtension } from "./languages.js";
+import { commandExists, extractJsonFromOutput, normalizePath } from "./utils.js";
+const execFileAsync = promisify(execFile);
+function mapSeverity(level) {
+    const norm = (level ?? "").toLowerCase();
+    if (norm === "high")
+        return "high";
+    if (norm === "medium")
+        return "medium";
+    return "low";
+}
+export const banditAdapter = {
+    id: "bandit",
+    name: "Bandit",
+    languages: ["Python"],
+    matchFile: (filePath) => matchesExtension(filePath, PYTHON_EXTS),
+    isAvailable: () => commandExists("bandit"),
+    async run(context) {
+        const { cwd, relPaths } = context;
+        if (!relPaths.length)
+            return [];
+        const args = ["-f", "json", ...relPaths];
+        const { stdout, stderr } = await execFileAsync("bandit", args, {
+            cwd,
+            maxBuffer: 10 * 1024 * 1024
+        });
+        const json = extractJsonFromOutput(stdout, stderr);
+        const results = Array.isArray(json?.results) ? json.results : [];
+        return results.map((item) => ({
+            id: item.test_id ?? "bandit",
+            severity: mapSeverity(item.issue_severity),
+            title: item.test_name ?? item.issue_text ?? "Bandit issue",
+            description: item.issue_text ?? "Bandit issue detected.",
+            file: normalizePath(item.filename ?? "", cwd),
+            line: item.line_number ? Number(item.line_number) : undefined,
+            category: "code"
+        }));
+    }
+};

package/dist/adapters/brakeman.js

@@ -0,0 +1,41 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import { RUBY_EXTS, matchesExtension } from "./languages.js";
+import { commandExists, extractJsonFromOutput, normalizePath } from "./utils.js";
+const execFileAsync = promisify(execFile);
+function mapSeverity(confidence) {
+    const norm = (confidence ?? "").toLowerCase();
+    if (norm === "high")
+        return "high";
+    if (norm === "medium")
+        return "medium";
+    if (norm === "low")
+        return "low";
+    return "medium";
+}
+export const brakemanAdapter = {
+    id: "brakeman",
+    name: "Brakeman",
+    languages: ["Ruby"],
+    matchFile: (filePath) => matchesExtension(filePath, RUBY_EXTS),
+    isAvailable: () => commandExists("brakeman"),
+    async run(context) {
+        const { cwd } = context;
+        const args = ["-f", "json", "-q"];
+        const { stdout, stderr } = await execFileAsync("brakeman", args, {
+            cwd,
+            maxBuffer: 10 * 1024 * 1024
+        });
+        const json = extractJsonFromOutput(stdout, stderr);
+        const warnings = Array.isArray(json?.warnings) ? json.warnings : [];
+        return warnings.map((item) => ({
+            id: item.warning_code ?? item.warning_type ?? "brakeman",
+            severity: mapSeverity(item.confidence),
+            title: item.warning_type ?? item.message ?? "Brakeman warning",
+            description: item.message ?? "Brakeman warning detected.",
+            file: normalizePath(item.file ?? "", cwd),
+            line: item.line ? Number(item.line) : undefined,
+            category: "code"
+        }));
+    }
+};

package/dist/adapters/gosec.js

@@ -0,0 +1,49 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import path from "node:path";
+import { GO_EXTS, matchesExtension } from "./languages.js";
+import { commandExists, extractJsonFromOutput, normalizePath, unique } from "./utils.js";
+const execFileAsync = promisify(execFile);
+function mapSeverity(level) {
+    const norm = (level ?? "").toLowerCase();
+    if (norm === "high")
+        return "high";
+    if (norm === "medium")
+        return "medium";
+    return "low";
+}
+function uniqueDirs(relPaths) {
+    return unique(relPaths.map((relPath) => {
+        const dir = path.dirname(relPath);
+        return dir === "." ? "." : dir;
+    }));
+}
+export const gosecAdapter = {
+    id: "gosec",
+    name: "gosec",
+    languages: ["Go"],
+    matchFile: (filePath) => matchesExtension(filePath, GO_EXTS),
+    isAvailable: () => commandExists("gosec"),
+    async run(context) {
+        const { cwd, relPaths } = context;
+        if (!relPaths.length)
+            return [];
+        const dirs = uniqueDirs(relPaths);
+        const args = ["-fmt", "json", ...dirs];
+        const { stdout, stderr } = await execFileAsync("gosec", args, {
+            cwd,
+            maxBuffer: 10 * 1024 * 1024
+        });
+        const json = extractJsonFromOutput(stdout, stderr);
+        const issues = Array.isArray(json?.Issues) ? json.Issues : Array.isArray(json?.issues) ? json.issues : [];
+        return issues.map((item) => ({
+            id: item.rule_id ?? item.rule ?? "gosec",
+            severity: mapSeverity(item.severity),
+            title: item.details ?? item.what ?? "gosec issue",
+            description: item.details ?? item.what ?? "gosec issue detected.",
+            file: normalizePath(item.file ?? item.filename ?? "", cwd),
+            line: item.line ? Number(item.line) : undefined,
+            category: "code"
+        }));
+    }
+};

package/dist/adapters/languages.js

@@ -0,0 +1,29 @@
+const normalizeExt = (ext) => ext.toLowerCase();
+export const PYTHON_EXTS = new Set([".py", ".pyw"].map(normalizeExt));
+export const GO_EXTS = new Set([".go"].map(normalizeExt));
+export const RUBY_EXTS = new Set([".rb"].map(normalizeExt));
+export const PHP_EXTS = new Set([".php", ".phtml", ".php5", ".php7", ".phps"].map(normalizeExt));
+export const RUST_EXTS = new Set([".rs"].map(normalizeExt));
+export const JAVA_EXTS = new Set([".java"].map(normalizeExt));
+export const CSHARP_EXTS = new Set([".cs"].map(normalizeExt));
+export const KOTLIN_EXTS = new Set([".kt", ".kts"].map(normalizeExt));
+export const SWIFT_EXTS = new Set([".swift", ".m", ".mm"].map(normalizeExt));
+export const C_EXTS = new Set([".c", ".h"].map(normalizeExt));
+export const CPP_EXTS = new Set([".cpp", ".hpp", ".cc", ".cxx", ".hh", ".hxx"].map(normalizeExt));
+export const SEMGREP_EXTS = new Set([
+    ...JAVA_EXTS,
+    ...CSHARP_EXTS,
+    ...PHP_EXTS,
+    ...RUST_EXTS,
+    ...KOTLIN_EXTS,
+    ...SWIFT_EXTS,
+    ...C_EXTS,
+    ...CPP_EXTS
+].map(normalizeExt));
+export function matchesExtension(filePath, extensions) {
+    const idx = filePath.lastIndexOf(".");
+    if (idx === -1)
+        return false;
+    const ext = filePath.slice(idx).toLowerCase();
+    return extensions.has(ext);
+}

package/dist/adapters/runner.js

@@ -0,0 +1,46 @@
+import path from "node:path";
+import { banditAdapter } from "./bandit.js";
+import { brakemanAdapter } from "./brakeman.js";
+import { gosecAdapter } from "./gosec.js";
+import { semgrepAdapter } from "./semgrep.js";
+export const ALL_ADAPTERS = [
+    banditAdapter,
+    gosecAdapter,
+    brakemanAdapter,
+    semgrepAdapter
+];
+export function filterAdapters(allowList) {
+    if (!allowList || allowList.length === 0)
+        return [...ALL_ADAPTERS];
+    const normalized = new Set(allowList.map((item) => item.trim().toLowerCase()).filter(Boolean));
+    return ALL_ADAPTERS.filter((adapter) => normalized.has(adapter.id));
+}
+export async function runExternalAdapters(options) {
+    const selected = filterAdapters(options.allowList);
+    const warnings = [];
+    const findings = [];
+    for (const adapter of selected) {
+        const matching = options.files.filter((filePath) => adapter.matchFile(filePath));
+        if (!matching.length)
+            continue;
+        const available = await adapter.isAvailable();
+        if (!available) {
+            warnings.push(`Adapter "${adapter.id}" skipped: ${adapter.name} not found in PATH.`);
+            continue;
+        }
+        const relPaths = matching.map((filePath) => path.relative(options.cwd, filePath).split(path.sep).join("/"));
+        try {
+            const adapterFindings = await adapter.run({
+                cwd: options.cwd,
+                targetPaths: matching,
+                relPaths,
+                onWarning: (message) => warnings.push(message)
+            });
+            findings.push(...adapterFindings);
+        }
+        catch (err) {
+            warnings.push(`Adapter "${adapter.id}" failed: ${err?.message ?? err}`);
+        }
+    }
+    return { findings, warnings };
+}

package/dist/adapters/semgrep.js

@@ -0,0 +1,59 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import { SEMGREP_EXTS, matchesExtension } from "./languages.js";
+import { commandExists, extractJsonFromOutput, normalizePath, unique } from "./utils.js";
+const execFileAsync = promisify(execFile);
+function mapSeverity(level) {
+    const norm = (level ?? "").toLowerCase();
+    if (norm === "critical")
+        return "critical";
+    if (norm === "error" || norm === "high")
+        return "high";
+    if (norm === "warning" || norm === "medium")
+        return "medium";
+    return "low";
+}
+function uniqueDirs(relPaths) {
+    return unique(relPaths.map((relPath) => {
+        const dir = relPath.includes("/") ? relPath.slice(0, relPath.lastIndexOf("/")) : ".";
+        return dir === "" ? "." : dir;
+    }));
+}
+export const semgrepAdapter = {
+    id: "semgrep",
+    name: "Semgrep",
+    languages: [
+        "Java",
+        "C#",
+        "PHP",
+        "Rust",
+        "Kotlin",
+        "Swift",
+        "C/C++"
+    ],
+    matchFile: (filePath) => matchesExtension(filePath, SEMGREP_EXTS),
+    isAvailable: () => commandExists("semgrep"),
+    async run(context) {
+        const { cwd, relPaths } = context;
+        if (!relPaths.length)
+            return [];
+        const targets = relPaths.length > 200 ? uniqueDirs(relPaths) : unique(relPaths);
+        const args = ["--config", "auto", "--json", "--quiet", ...targets];
+        const { stdout, stderr } = await execFileAsync("semgrep", args, {
+            cwd,
+            maxBuffer: 20 * 1024 * 1024
+        });
+        const json = extractJsonFromOutput(stdout, stderr);
+        const results = Array.isArray(json?.results) ? json.results : [];
+        return results.map((item) => ({
+            id: item.check_id ?? "semgrep",
+            severity: mapSeverity(item.extra?.severity),
+            title: item.extra?.message ?? item.check_id ?? "Semgrep issue",
+            description: item.extra?.message ?? "Semgrep issue detected.",
+            file: normalizePath(item.path ?? "", cwd),
+            line: item.start?.line ? Number(item.start.line) : undefined,
+            column: item.start?.col ? Number(item.start.col) : undefined,
+            category: "code"
+        }));
+    }
+};

package/dist/adapters/types.js

@@ -0,0 +1 @@
+export {};

package/dist/adapters/utils.js

@@ -0,0 +1,52 @@
+import path from "node:path";
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+const execFileAsync = promisify(execFile);
+export async function commandExists(command) {
+    const isWin = process.platform === "win32";
+    const lookup = isWin ? "where" : "which";
+    try {
+        await execFileAsync(lookup, [command]);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export function normalizePath(filePath, cwd) {
+    const rel = path.isAbsolute(filePath) ? path.relative(cwd, filePath) : filePath;
+    return rel.split(path.sep).join("/");
+}
+export function tryParseJson(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed)
+        return null;
+    try {
+        return JSON.parse(trimmed);
+    }
+    catch {
+        return null;
+    }
+}
+export function extractJsonFromOutput(stdout, stderr) {
+    const parsed = tryParseJson(stdout);
+    if (parsed)
+        return parsed;
+    const parsedErr = tryParseJson(stderr);
+    if (parsedErr)
+        return parsedErr;
+    const combined = `${stdout}\n${stderr}`.trim();
+    if (!combined)
+        return null;
+    const start = combined.search(/[\[{]/);
+    if (start === -1)
+        return null;
+    const end = Math.max(combined.lastIndexOf("}"), combined.lastIndexOf("]"));
+    if (end <= start)
+        return null;
+    const slice = combined.slice(start, end + 1);
+    return tryParseJson(slice);
+}
+export function unique(items) {
+    return Array.from(new Set(items));
+}