postquant 0.2.0 → 0.4.0

package/dist/scanner/code/risk-assessor.js

@@ -0,0 +1,412 @@
+/**
+ * Risk Assessment Layer for PostQuant v0.3.0
+ *
+ * Analyzes the CONTEXT of each cryptographic finding to determine
+ * whether the algorithm usage is security-critical or benign.
+ * MD5 in password hashing is critical; MD5 in UUID v3 is informational.
+ */
+// ── Context priority map ────────────────────────────────────────
+const CONTEXT_PRIORITY = {
+    'authentication': 10,
+    'encryption': 9,
+    'key-exchange': 9,
+    'digital-signature': 8,
+    'legacy-support': 5,
+    'integrity-check': 4,
+    'protocol-compliance': 3,
+    'test-fixture': 2,
+    'documentation': 1,
+    'unknown': 0,
+};
+// ── Signal-to-context mapping ───────────────────────────────────
+// Maps signal value keywords to their UsageContext.
+function inferContextFromSignalValue(value) {
+    const v = value.toLowerCase();
+    // increases-risk contexts
+    if (/password|passwd|pwd|hmac|token|jwt|bearer|oauth/.test(v))
+        return 'authentication';
+    if (/encrypt|decrypt|cipher/.test(v))
+        return 'encryption';
+    if (/key_exchange|kex|handshake/.test(v))
+        return 'key-exchange';
+    if (/(?<![a-zA-Z])sign(?![a-zA-Z])|(?<![a-zA-Z])verify(?![a-zA-Z])|(?<![a-zA-Z])signature(?![a-zA-Z])/.test(v))
+        return 'digital-signature';
+    // decreases-risk contexts
+    if (/uuid|rfc4122|rfc-4122|content-md5|content_md5/.test(v))
+        return 'protocol-compliance';
+    if (/checksum|digest|fingerprint|etag|cache|dedup|lookup|index|md5sum|md5_checksum|file_hash|compute_hash|content_hash|cache_key|compute_etag/.test(v))
+        return 'integrity-check';
+    if (/legacy|compat|fallback|deprecated|vendor|node_modules|third_party|migrations/.test(v))
+        return 'legacy-support';
+    if (/test|mock|stub|fixture|assert|spec|__tests__/.test(v))
+        return 'test-fixture';
+    if (/docs|examples|readme/.test(v))
+        return 'documentation';
+    // Import-based contexts
+    if (/boto3|botocore|aws-sdk|@aws-sdk/.test(v))
+        return 'protocol-compliance';
+    if (/\bpg\b|postgres|psycopg|node-postgres|mysql|mysqlclient/.test(v))
+        return 'legacy-support';
+    if (/\bgit\b/.test(v))
+        return 'protocol-compliance';
+    if (/passlib|bcrypt|argon2|pyjwt|jsonwebtoken|jose|paramiko|ssh2|libssh/.test(v))
+        return 'authentication';
+    // Function-name increases-risk
+    if (/hash_password|check_password|verify_password/.test(v))
+        return 'authentication';
+    if (/generate_key|create_key|new_key/.test(v))
+        return 'encryption';
+    if (/sign_/.test(v))
+        return 'digital-signature';
+    if (/verify_/.test(v))
+        return 'digital-signature';
+    // File path contexts
+    if (/auth|authentication|session|login|password/.test(v))
+        return 'authentication';
+    if (/security|crypto|certs/.test(v))
+        return 'encryption';
+    return 'unknown';
+}
+const FILE_PATH_RULES = [
+    // increases-risk
+    { pattern: /(?:^|\/)(auth|authentication)\//, influence: 'increases-risk', label: 'auth/' },
+    { pattern: /(?:^|\/)(security|crypto|certs)\//, influence: 'increases-risk', label: 'security/' },
+    { pattern: /(?:^|\/)(session|login|password)\//, influence: 'increases-risk', label: 'session/' },
+    // decreases-risk: directories
+    { pattern: /(?:^|\/)(test|tests|__tests__|spec)\//, influence: 'decreases-risk', label: 'test/' },
+    { pattern: /(?:^|\/)(vendor|node_modules|third_party)\//, influence: 'decreases-risk', label: 'vendor/' },
+    { pattern: /(?:^|\/)(docs|examples)\//, influence: 'decreases-risk', label: 'docs/' },
+    { pattern: /README/, influence: 'decreases-risk', label: 'README' },
+    { pattern: /(?:^|\/)(migrations|compat|legacy)\//, influence: 'decreases-risk', label: 'legacy/' },
+    // decreases-risk: file suffixes
+    { pattern: /_test\.go$/, influence: 'decreases-risk', label: '_test.go' },
+    { pattern: /\.test\.[tj]s$/, influence: 'decreases-risk', label: '.test.ts/js' },
+    { pattern: /\.spec\.[tj]s$/, influence: 'decreases-risk', label: '.spec.ts/js' },
+];
+export function detectFilePathSignals(filePath) {
+    const signals = [];
+    for (const rule of FILE_PATH_RULES) {
+        if (rule.pattern.test(filePath)) {
+            signals.push({
+                type: 'file-path',
+                value: rule.label,
+                influence: rule.influence,
+            });
+        }
+    }
+    return signals;
+}
+const NEARBY_CODE_RULES = [
+    // increases-risk
+    { pattern: /password|passwd|pwd/i, influence: 'increases-risk', label: 'password' },
+    { pattern: /(?<![a-zA-Z])sign(?![a-zA-Z])|(?<![a-zA-Z])verify(?![a-zA-Z])|(?<![a-zA-Z])signature(?![a-zA-Z])/i, influence: 'increases-risk', label: 'sign/verify' },
+    { pattern: /encrypt|decrypt|cipher/i, influence: 'increases-risk', label: 'encrypt' },
+    { pattern: /key_exchange|kex|handshake/i, influence: 'increases-risk', label: 'key_exchange' },
+    { pattern: /\bhmac\b|\bHMAC\b/, influence: 'increases-risk', label: 'hmac' },
+    { pattern: /\btoken\b|jwt|bearer|oauth/i, influence: 'increases-risk', label: 'token/jwt' },
+    // decreases-risk
+    { pattern: /checksum|digest|fingerprint|etag/i, influence: 'decreases-risk', label: 'checksum' },
+    { pattern: /\bcache\b|\bdedup\b|\blookup\b|\bindex\b/i, influence: 'decreases-risk', label: 'cache' },
+    { pattern: /\buuid\b|\bUUID\b|rfc4122|rfc-4122/, influence: 'decreases-risk', label: 'uuid' },
+    { pattern: /Content-MD5|content_md5/i, influence: 'decreases-risk', label: 'Content-MD5' },
+    { pattern: /legacy|compat|fallback|deprecated/i, influence: 'decreases-risk', label: 'legacy' },
+    { pattern: /\btest\b|\bmock\b|\bstub\b|\bfixture\b|\bassert\b/i, influence: 'decreases-risk', label: 'test' },
+];
+export function detectNearbyCodeSignals(lines, lineNumber, windowSize = 5) {
+    // lineNumber is 1-indexed
+    const idx = lineNumber - 1;
+    const start = Math.max(0, idx - windowSize);
+    const end = Math.min(lines.length - 1, idx + windowSize);
+    const window = lines.slice(start, end + 1).join('\n');
+    const seen = new Set();
+    const signals = [];
+    for (const rule of NEARBY_CODE_RULES) {
+        if (rule.pattern.test(window) && !seen.has(rule.label)) {
+            seen.add(rule.label);
+            signals.push({
+                type: 'nearby-code',
+                value: rule.label,
+                influence: rule.influence,
+            });
+        }
+    }
+    return signals;
+}
+const IMPORT_RULES = [
+    // decreases-risk
+    { libraryPattern: /\buuid\b/i, influence: 'decreases-risk', label: 'uuid' },
+    { libraryPattern: /boto3|botocore|aws-sdk|@aws-sdk/, influence: 'decreases-risk', label: 'boto3/aws-sdk' },
+    { libraryPattern: /\bpg\b|postgres|psycopg|node-postgres/, influence: 'decreases-risk', label: 'pg/psycopg/postgres' },
+    { libraryPattern: /mysql2|mysql|mysqlclient/, influence: 'decreases-risk', label: 'mysql' },
+    { libraryPattern: /\bgit\b/, influence: 'decreases-risk', label: 'git' },
+    // increases-risk
+    { libraryPattern: /passlib|bcrypt|argon2/, influence: 'increases-risk', label: 'passlib/bcrypt/argon2' },
+    { libraryPattern: /pyjwt|jsonwebtoken|jose|\bjwt\b/, influence: 'increases-risk', label: 'pyjwt/jsonwebtoken/jose' },
+    { libraryPattern: /paramiko|ssh2|libssh/, influence: 'increases-risk', label: 'paramiko/ssh2/libssh' },
+];
+// Language-specific import statement patterns
+const IMPORT_LINE_PATTERNS = {
+    python: [
+        /^\s*import\s+(.+)/,
+        /^\s*from\s+(\S+)\s+import/,
+    ],
+    javascript: [
+        /^\s*import\s+.+\s+from\s+['"]([^'"]+)['"]/,
+        /^\s*import\s+['"]([^'"]+)['"]/,
+        /^\s*import\s*\{[^}]+\}\s*from\s*['"]([^'"]+)['"]/,
+        /(?:require|import)\s*\(\s*['"]([^'"]+)['"]\s*\)/,
+    ],
+    go: [
+        /^\s*"([^"]+)"/,
+        /^\s*\w+\s+"([^"]+)"/,
+    ],
+    java: [
+        /^\s*import\s+([\w.]+)/,
+    ],
+};
+export function detectImportSignals(content, language) {
+    const lines = content.split('\n').slice(0, 50);
+    const signals = [];
+    const seen = new Set();
+    const patterns = IMPORT_LINE_PATTERNS[language] || [];
+    for (const line of lines) {
+        for (const importPattern of patterns) {
+            const match = importPattern.exec(line);
+            if (!match)
+                continue;
+            const importedModule = match[1] || line;
+            for (const rule of IMPORT_RULES) {
+                if (rule.libraryPattern.test(importedModule) && !seen.has(rule.label)) {
+                    seen.add(rule.label);
+                    signals.push({
+                        type: 'import-context',
+                        value: rule.label,
+                        influence: rule.influence,
+                    });
+                }
+            }
+        }
+    }
+    return signals;
+}
+const FUNCTION_NAME_RULES = [
+    // increases-risk
+    { pattern: /hash_password|check_password|verify_password/, influence: 'increases-risk', label: 'hash_password' },
+    { pattern: /generate_key|create_key|new_key/, influence: 'increases-risk', label: 'generate_key' },
+    { pattern: /\bsign_\w+/, influence: 'increases-risk', label: 'sign_*' },
+    { pattern: /\bverify_\w+/, influence: 'increases-risk', label: 'verify_*' },
+    // decreases-risk
+    { pattern: /md5sum|md5_checksum|file_hash|compute_hash/, influence: 'decreases-risk', label: 'md5sum/file_hash' },
+    { pattern: /cache_key|compute_etag|content_hash/, influence: 'decreases-risk', label: 'cache_key/etag' },
+    { pattern: /\betag\b/, influence: 'decreases-risk', label: 'etag' },
+];
+export function detectFunctionNameSignals(matchedLine) {
+    const signals = [];
+    const seen = new Set();
+    for (const rule of FUNCTION_NAME_RULES) {
+        if (rule.pattern.test(matchedLine) && !seen.has(rule.label)) {
+            seen.add(rule.label);
+            signals.push({
+                type: 'function-name',
+                value: rule.label,
+                influence: rule.influence,
+            });
+        }
+    }
+    return signals;
+}
+const PROTOCOL_RULES = [
+    {
+        algorithm: 'MD5',
+        contextPatterns: [/\buuid\b|\bUUID\b|uuid3|NAMESPACE|rfc4122/],
+        importHints: [/\buuid\b/],
+        protocolName: 'UUID v3 (RFC 4122)',
+        contextOverride: 'protocol-compliance',
+    },
+    {
+        algorithm: 'SHA-1',
+        contextPatterns: [/\buuid\b|\bUUID\b|uuid5|NAMESPACE|rfc4122/],
+        importHints: [/\buuid\b/],
+        protocolName: 'UUID v5 (RFC 4122)',
+        contextOverride: 'protocol-compliance',
+    },
+    {
+        algorithm: 'MD5',
+        contextPatterns: [/Content-MD5|content_md5|ContentMD5/],
+        importHints: [/boto3|aws|s3/],
+        protocolName: 'HTTP/S3 Content-MD5',
+        contextOverride: 'protocol-compliance',
+    },
+    {
+        algorithm: 'MD5',
+        contextPatterns: [/postgres|postgresql|pg_|md5.*password/i],
+        importHints: [/\bpg\b|postgres|psycopg/],
+        protocolName: 'PostgreSQL MD5 auth',
+        contextOverride: 'legacy-support',
+    },
+    {
+        algorithm: 'SHA-1',
+        contextPatterns: [/\bgit\b|object_hash|blob|commit|tree/],
+        importHints: [/\bgit\b/],
+        protocolName: 'Git object hashing',
+        contextOverride: 'protocol-compliance',
+    },
+];
+/** Shared helper: compute a line window around a 1-indexed lineNumber. */
+function computeWindow(lines, lineNumber, windowSize = 5) {
+    const idx = lineNumber - 1;
+    const start = Math.max(0, idx - windowSize);
+    const end = Math.min(lines.length - 1, idx + windowSize);
+    return lines.slice(start, end + 1);
+}
+export function detectProtocolPattern(finding, lines, lineNumber, imports) {
+    const nearbyLines = computeWindow(lines, lineNumber);
+    const nearbyText = nearbyLines.join('\n');
+    for (const rule of PROTOCOL_RULES) {
+        if (finding.algorithm !== rule.algorithm)
+            continue;
+        const contextMatch = rule.contextPatterns.some(p => p.test(nearbyText));
+        const importMatch = rule.importHints.some(p => p.test(imports));
+        if (contextMatch || importMatch) {
+            return {
+                signal: {
+                    type: 'api-pattern',
+                    value: `${rule.protocolName} (${rule.contextOverride})`,
+                    influence: 'decreases-risk',
+                },
+                contextOverride: rule.contextOverride,
+            };
+        }
+    }
+    return null;
+}
+// ── 6. resolveContext ───────────────────────────────────────────
+export function resolveContext(signals) {
+    if (signals.length === 0) {
+        return { context: 'unknown', influence: 'neutral' };
+    }
+    const increasesRisk = signals.filter(s => s.influence === 'increases-risk');
+    const decreasesRisk = signals.filter(s => s.influence === 'decreases-risk');
+    // increases-risk wins
+    if (increasesRisk.length > 0) {
+        const context = pickHighestPriority(increasesRisk);
+        return { context, influence: 'increases-risk' };
+    }
+    if (decreasesRisk.length > 0) {
+        const context = pickHighestPriority(decreasesRisk);
+        return { context, influence: 'decreases-risk' };
+    }
+    // All neutral
+    return { context: 'unknown', influence: 'neutral' };
+}
+function pickHighestPriority(signals) {
+    let bestContext = 'unknown';
+    let bestPriority = -1;
+    for (const signal of signals) {
+        const ctx = inferContextFromSignalValue(signal.value);
+        const priority = CONTEXT_PRIORITY[ctx];
+        if (priority > bestPriority) {
+            bestPriority = priority;
+            bestContext = ctx;
+        }
+    }
+    return bestContext;
+}
+// ── 7. computeAdjustedRisk ──────────────────────────────────────
+const RISK_MATRIX = {
+    critical: {
+        'authentication': 'critical',
+        'encryption': 'critical',
+        'key-exchange': 'critical',
+        'digital-signature': 'critical',
+        'integrity-check': 'low',
+        'protocol-compliance': 'informational',
+        'legacy-support': 'medium',
+        'test-fixture': 'informational',
+        'documentation': 'informational',
+        'unknown': 'high',
+    },
+    moderate: {
+        'authentication': 'medium',
+        'encryption': 'medium',
+        'key-exchange': 'medium',
+        'digital-signature': 'medium',
+        'integrity-check': 'low',
+        'protocol-compliance': 'informational',
+        'legacy-support': 'low',
+        'test-fixture': 'informational',
+        'documentation': 'informational',
+        'unknown': 'medium',
+    },
+    safe: {
+        'authentication': 'informational',
+        'encryption': 'informational',
+        'key-exchange': 'informational',
+        'digital-signature': 'informational',
+        'integrity-check': 'informational',
+        'protocol-compliance': 'informational',
+        'legacy-support': 'informational',
+        'test-fixture': 'informational',
+        'documentation': 'informational',
+        'unknown': 'informational',
+    },
+};
+export function computeAdjustedRisk(originalRisk, context) {
+    return RISK_MATRIX[originalRisk][context];
+}
+// ── 8. assessFindings (main entry point) ────────────────────────
+export function assessFindings(findings, fileContents) {
+    return findings.map(finding => assessSingleFinding(finding, fileContents));
+}
+function assessSingleFinding(finding, fileContents) {
+    const content = fileContents.get(finding.file) ?? '';
+    const lines = content.split('\n');
+    // 1. Collect all signals
+    const filePathSignals = detectFilePathSignals(finding.file);
+    const nearbyCodeSignals = detectNearbyCodeSignals(lines, finding.line);
+    const importSignals = detectImportSignals(content, finding.language);
+    const functionNameSignals = detectFunctionNameSignals(finding.matchedLine);
+    // 2. Check protocol pattern (handles its own windowing)
+    const importText = lines.slice(0, 50).join('\n');
+    const protocolResult = detectProtocolPattern(finding, lines, finding.line, importText);
+    // 3. Merge all signals
+    const allSignals = [
+        ...filePathSignals,
+        ...nearbyCodeSignals,
+        ...importSignals,
+        ...functionNameSignals,
+    ];
+    if (protocolResult) {
+        allSignals.push(protocolResult.signal);
+    }
+    // 4. Resolve context
+    let usageContext;
+    const hasIncreasesRisk = allSignals.some(s => s.influence === 'increases-risk');
+    if (protocolResult && !hasIncreasesRisk) {
+        // Protocol pattern detected with no security-increasing signals => use protocol's context
+        usageContext = protocolResult.contextOverride;
+    }
+    else {
+        usageContext = resolveContext(allSignals).context;
+    }
+    // 5. Compute adjusted risk
+    const adjustedRisk = computeAdjustedRisk(finding.risk, usageContext);
+    // 6. Build context evidence
+    const contextEvidence = allSignals.map(signal => {
+        const arrow = signal.influence === 'increases-risk' ? '\u2191' : signal.influence === 'decreases-risk' ? '\u2193' : '\u2022';
+        return `${arrow} ${signal.type}: ${signal.value}`;
+    });
+    // 7. Build AssessedFinding
+    const riskContext = {
+        usageContext,
+        adjustedRisk,
+        contextEvidence,
+        signals: allSignals,
+    };
+    return {
+        ...finding,
+        originalRisk: finding.risk,
+        riskContext,
+    };
+}
+//# sourceMappingURL=risk-assessor.js.map

package/dist/scanner/code/risk-assessor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"risk-assessor.js","sourceRoot":"","sources":["../../../src/scanner/code/risk-assessor.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAoBH,mEAAmE;AAEnE,MAAM,gBAAgB,GAAiC;IACrD,gBAAgB,EAAE,EAAE;IACpB,YAAY,EAAE,CAAC;IACf,cAAc,EAAE,CAAC;IACjB,mBAAmB,EAAE,CAAC;IACtB,gBAAgB,EAAE,CAAC;IACnB,iBAAiB,EAAE,CAAC;IACpB,qBAAqB,EAAE,CAAC;IACxB,cAAc,EAAE,CAAC;IACjB,eAAe,EAAE,CAAC;IAClB,SAAS,EAAE,CAAC;CACb,CAAC;AAEF,mEAAmE;AACnE,oDAAoD;AAEpD,SAAS,2BAA2B,CAAC,KAAa;IAChD,MAAM,CAAC,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IAE9B,0BAA0B;IAC1B,IAAI,iDAAiD,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,gBAAgB,CAAC;IACvF,IAAI,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,YAAY,CAAC;IAC1D,IAAI,4BAA4B,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,cAAc,CAAC;IAChE,IAAI,kGAAkG,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,mBAAmB,CAAC;IAE3I,0BAA0B;IAC1B,IAAI,+CAA+C,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,qBAAqB,CAAC;IAC1F,IAAI,0IAA0I,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,iBAAiB,CAAC;IACjL,IAAI,8EAA8E,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,gBAAgB,CAAC;IACpH,IAAI,8CAA8C,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,cAAc,CAAC;IAClF,IAAI,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,eAAe,CAAC;IAE3D,wBAAwB;IACxB,IAAI,iCAAiC,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,qBAAqB,CAAC;IAC5E,IAAI,yDAAyD,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,gBAAgB,CAAC;IAC/F,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,qBAAqB,CAAC;IACpD,IAAI,oEAAoE,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,gBAAgB,CAAC;IAE1G,+BAA+B;IAC/B,IAAI,8CAA8C,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,gBAAgB,CAAC;IACpF,IAAI,iCAAiC,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,YAAY,CAAC;IACnE,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,mBAAmB,CAAC;IAChD,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,mBAAmB,CAAC;IAElD,qBAAqB;IACrB,IAAI,4CAA4C,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,gBAAgB,CAAC;IAClF,IAAI,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,YAAY,CAAC;IAEzD,OAAO,SAAS,CAAC;AACnB,CAAC;AAUD,MAAM,eAAe,GAAmB;IACtC,iBAAiB;IACjB,EAAE,OAAO,EAAE,iCAAiC,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,OAAO,EAAE;IAC3F,EAAE,OAAO,EAAE,mCAAmC,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,WAAW,EAAE;IACjG,EAAE,OAAO,EAAE,oCAAoC,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,EAAE;IAEjG,8BAA8B;IAC9B,EAAE,OAAO,EAAE,uCAAuC,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,OAAO,EAAE;IACjG,EAAE,OAAO,EAAE,6CAA6C,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,SAAS,EAAE;IACzG,EAAE,OAAO,EAAE,2BAA2B,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,OAAO,EAAE;IACrF,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,QAAQ,EAAE;IACnE,EAAE,OAAO,EAAE,sCAAsC,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,SAAS,EAAE;IAElG,gCAAgC;IAChC,EAAE,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,EAAE;IACzE,EAAE,OAAO,EAAE,gBAAgB,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,aAAa,EAAE;IAChF,EAAE,OAAO,EAAE,gBAAgB,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,aAAa,EAAE;CACjF,CAAC;AAEF,MAAM,UAAU,qBAAqB,CAAC,QAAgB;IACpD,MAAM,OAAO,GAAoB,EAAE,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAChC,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,WAAW;gBACjB,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,SAAS,EAAE,IAAI,CAAC,SAAS;aAC1B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAUD,MAAM,iBAAiB,GAAqB;IAC1C,iBAAiB;IACjB,EAAE,OAAO,EAAE,sBAAsB,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,EAAE;IACnF,EAAE,OAAO,EAAE,mGAAmG,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,aAAa,EAAE;IACnK,EAAE,OAAO,EAAE,yBAAyB,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,SAAS,EAAE;IACrF,EAAE,OAAO,EAAE,6BAA6B,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,cAAc,EAAE;IAC9F,EAAE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE;IAC5E,EAAE,OAAO,EAAE,6BAA6B,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,WAAW,EAAE;IAE3F,iBAAiB;IACjB,EAAE,OAAO,EAAE,mCAAmC,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,EAAE;IAChG,EAAE,OAAO,EAAE,2CAA2C,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,OAAO,EAAE;IACrG,EAAE,OAAO,EAAE,oCAAoC,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE;IAC7F,EAAE,OAAO,EAAE,0BAA0B,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,aAAa,EAAE;IAC1F,EAAE,OAAO,EAAE,oCAAoC,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,QAAQ,EAAE;IAC/F,EAAE,OAAO,EAAE,oDAAoD,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE;CAC9G,CAAC;AAEF,MAAM,UAAU,uBAAuB,CACrC,KAAe,EACf,UAAkB,EAClB,aAAqB,CAAC;IAEtB,0BAA0B;IAC1B,MAAM,GAAG,GAAG,UAAU,GAAG,CAAC,CAAC;IAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,UAAU,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,GAAG,GAAG,UAAU,CAAC,CAAC;IAEzD,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,OAAO,GAAoB,EAAE,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;QACrC,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACvD,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrB,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,aAAa;gBACnB,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,SAAS,EAAE,IAAI,CAAC,SAAS;aAC1B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAUD,MAAM,YAAY,GAAiB;IACjC,iBAAiB;IACjB,EAAE,cAAc,EAAE,WAAW,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE;IAC3E,EAAE,cAAc,EAAE,iCAAiC,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,eAAe,EAAE;IAC1G,EAAE,cAAc,EAAE,uCAAuC,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,qBAAqB,EAAE;IACtH,EAAE,cAAc,EAAE,0BAA0B,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,OAAO,EAAE;IAC3F,EAAE,cAAc,EAAE,SAAS,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,KAAK,EAAE;IAExE,iBAAiB;IACjB,EAAE,cAAc,EAAE,uBAAuB,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,uBAAuB,EAAE;IACxG,EAAE,cAAc,EAAE,iCAAiC,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,yBAAyB,EAAE;IACpH,EAAE,cAAc,EAAE,sBAAsB,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,sBAAsB,EAAE;CACvG,CAAC;AAEF,8CAA8C;AAC9C,MAAM,oBAAoB,GAA+B;IACvD,MAAM,EAAE;QACN,mBAAmB;QACnB,2BAA2B;KAC5B;IACD,UAAU,EAAE;QACV,2CAA2C;QAC3C,+BAA+B;QAC/B,kDAAkD;QAClD,iDAAiD;KAClD;IACD,EAAE,EAAE;QACF,eAAe;QACf,qBAAqB;KACtB;IACD,IAAI,EAAE;QACJ,uBAAuB;KACxB;CACF,CAAC;AAEF,MAAM,UAAU,mBAAmB,CAAC,OAAe,EAAE,QAAkB;IACrE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC/C,MAAM,OAAO,GAAoB,EAAE,CAAC;IACpC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,MAAM,QAAQ,GAAG,oBAAoB,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IAEtD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,KAAK,MAAM,aAAa,IAAI,QAAQ,EAAE,CAAC;YACrC,MAAM,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACvC,IAAI,CAAC,KAAK;gBAAE,SAAS;YAErB,MAAM,cAAc,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;YAExC,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;gBAChC,IAAI,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBACtE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;oBACrB,OAAO,CAAC,IAAI,CAAC;wBACX,IAAI,EAAE,gBAAgB;wBACtB,KAAK,EAAE,IAAI,CAAC,KAAK;wBACjB,SAAS,EAAE,IAAI,CAAC,SAAS;qBAC1B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAUD,MAAM,mBAAmB,GAAuB;IAC9C,iBAAiB;IACjB,EAAE,OAAO,EAAE,8CAA8C,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,eAAe,EAAE;IAChH,EAAE,OAAO,EAAE,iCAAiC,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,cAAc,EAAE;IAClG,EAAE,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,QAAQ,EAAE;IACvE,EAAE,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,EAAE;IAE3E,iBAAiB;IACjB,EAAE,OAAO,EAAE,4CAA4C,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,kBAAkB,EAAE;IACjH,EAAE,OAAO,EAAE,qCAAqC,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,gBAAgB,EAAE;IACxG,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,gBAAgB,EAAE,KAAK,EAAE,MAAM,EAAE;CACpE,CAAC;AAEF,MAAM,UAAU,yBAAyB,CAAC,WAAmB;IAC3D,MAAM,OAAO,GAAoB,EAAE,CAAC;IACpC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,mBAAmB,EAAE,CAAC;QACvC,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5D,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrB,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,eAAe;gBACrB,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,SAAS,EAAE,IAAI,CAAC,SAAS;aAC1B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAYD,MAAM,cAAc,GAAmB;IACrC;QACE,SAAS,EAAE,KAAK;QAChB,eAAe,EAAE,CAAC,2CAA2C,CAAC;QAC9D,WAAW,EAAE,CAAC,UAAU,CAAC;QACzB,YAAY,EAAE,oBAAoB;QAClC,eAAe,EAAE,qBAAqB;KACvC;IACD;QACE,SAAS,EAAE,OAAO;QAClB,eAAe,EAAE,CAAC,2CAA2C,CAAC;QAC9D,WAAW,EAAE,CAAC,UAAU,CAAC;QACzB,YAAY,EAAE,oBAAoB;QAClC,eAAe,EAAE,qBAAqB;KACvC;IACD;QACE,SAAS,EAAE,KAAK;QAChB,eAAe,EAAE,CAAC,oCAAoC,CAAC;QACvD,WAAW,EAAE,CAAC,cAAc,CAAC;QAC7B,YAAY,EAAE,qBAAqB;QACnC,eAAe,EAAE,qBAAqB;KACvC;IACD;QACE,SAAS,EAAE,KAAK;QAChB,eAAe,EAAE,CAAC,wCAAwC,CAAC;QAC3D,WAAW,EAAE,CAAC,yBAAyB,CAAC;QACxC,YAAY,EAAE,qBAAqB;QACnC,eAAe,EAAE,gBAAgB;KAClC;IACD;QACE,SAAS,EAAE,OAAO;QAClB,eAAe,EAAE,CAAC,sCAAsC,CAAC;QACzD,WAAW,EAAE,CAAC,SAAS,CAAC;QACxB,YAAY,EAAE,oBAAoB;QAClC,eAAe,EAAE,qBAAqB;KACvC;CACF,CAAC;AAOF,0EAA0E;AAC1E,SAAS,aAAa,CAAC,KAAe,EAAE,UAAkB,EAAE,aAAqB,CAAC;IAChF,MAAM,GAAG,GAAG,UAAU,GAAG,CAAC,CAAC;IAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,UAAU,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,GAAG,GAAG,UAAU,CAAC,CAAC;IACzD,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,OAAoB,EACpB,KAAe,EACf,UAAkB,EAClB,OAAe;IAEf,MAAM,WAAW,GAAG,aAAa,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IACrD,MAAM,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAE1C,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;QAClC,IAAI,OAAO,CAAC,SAAS,KAAK,IAAI,CAAC,SAAS;YAAE,SAAS;QAEnD,MAAM,YAAY,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;QACxE,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QAEhE,IAAI,YAAY,IAAI,WAAW,EAAE,CAAC;YAChC,OAAO;gBACL,MAAM,EAAE;oBACN,IAAI,EAAE,aAAa;oBACnB,KAAK,EAAE,GAAG,IAAI,CAAC,YAAY,KAAK,IAAI,CAAC,eAAe,GAAG;oBACvD,SAAS,EAAE,gBAAgB;iBAC5B;gBACD,eAAe,EAAE,IAAI,CAAC,eAAe;aACtC,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,mEAAmE;AAEnE,MAAM,UAAU,cAAc,CAAC,OAAwB;IACrD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;IACtD,CAAC;IAED,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,gBAAgB,CAAC,CAAC;IAC5E,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,gBAAgB,CAAC,CAAC;IAE5E,sBAAsB;IACtB,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,mBAAmB,CAAC,aAAa,CAAC,CAAC;QACnD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,CAAC;IAClD,CAAC;IAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,mBAAmB,CAAC,aAAa,CAAC,CAAC;QACnD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,CAAC;IAClD,CAAC;IAED,cAAc;IACd,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;AACtD,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAwB;IACnD,IAAI,WAAW,GAAiB,SAAS,CAAC;IAC1C,IAAI,YAAY,GAAG,CAAC,CAAC,CAAC;IAEtB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,GAAG,GAAG,2BAA2B,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACtD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,QAAQ,GAAG,YAAY,EAAE,CAAC;YAC5B,YAAY,GAAG,QAAQ,CAAC;YACxB,WAAW,GAAG,GAAG,CAAC;QACpB,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,mEAAmE;AAEnE,MAAM,WAAW,GAA0D;IACzE,QAAQ,EAAE;QACR,gBAAgB,EAAE,UAAU;QAC5B,YAAY,EAAE,UAAU;QACxB,cAAc,EAAE,UAAU;QAC1B,mBAAmB,EAAE,UAAU;QAC/B,iBAAiB,EAAE,KAAK;QACxB,qBAAqB,EAAE,eAAe;QACtC,gBAAgB,EAAE,QAAQ;QAC1B,cAAc,EAAE,eAAe;QAC/B,eAAe,EAAE,eAAe;QAChC,SAAS,EAAE,MAAM;KAClB;IACD,QAAQ,EAAE;QACR,gBAAgB,EAAE,QAAQ;QAC1B,YAAY,EAAE,QAAQ;QACtB,cAAc,EAAE,QAAQ;QACxB,mBAAmB,EAAE,QAAQ;QAC7B,iBAAiB,EAAE,KAAK;QACxB,qBAAqB,EAAE,eAAe;QACtC,gBAAgB,EAAE,KAAK;QACvB,cAAc,EAAE,eAAe;QAC/B,eAAe,EAAE,eAAe;QAChC,SAAS,EAAE,QAAQ;KACpB;IACD,IAAI,EAAE;QACJ,gBAAgB,EAAE,eAAe;QACjC,YAAY,EAAE,eAAe;QAC7B,cAAc,EAAE,eAAe;QAC/B,mBAAmB,EAAE,eAAe;QACpC,iBAAiB,EAAE,eAAe;QAClC,qBAAqB,EAAE,eAAe;QACtC,gBAAgB,EAAE,eAAe;QACjC,cAAc,EAAE,eAAe;QAC/B,eAAe,EAAE,eAAe;QAChC,SAAS,EAAE,eAAe;KAC3B;CACF,CAAC;AAEF,MAAM,UAAU,mBAAmB,CACjC,YAAuB,EACvB,OAAqB;IAErB,OAAO,WAAW,CAAC,YAAY,CAAC,CAAC,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED,mEAAmE;AAEnE,MAAM,UAAU,cAAc,CAC5B,QAAuB,EACvB,YAAiC;IAEjC,OAAO,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,mBAAmB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,mBAAmB,CAC1B,OAAoB,EACpB,YAAiC;IAEjC,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;IACrD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,yBAAyB;IACzB,MAAM,eAAe,GAAG,qBAAqB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5D,MAAM,iBAAiB,GAAG,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IACvE,MAAM,aAAa,GAAG,mBAAmB,CAAC,OAAO,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACrE,MAAM,mBAAmB,GAAG,yBAAyB,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAE3E,wDAAwD;IACxD,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjD,MAAM,cAAc,GAAG,qBAAqB,CAAC,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IAEvF,uBAAuB;IACvB,MAAM,UAAU,GAAoB;QAClC,GAAG,eAAe;QAClB,GAAG,iBAAiB;QACpB,GAAG,aAAa;QAChB,GAAG,mBAAmB;KACvB,CAAC;IACF,IAAI,cAAc,EAAE,CAAC;QACnB,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;IAED,qBAAqB;IACrB,IAAI,YAA0B,CAAC;IAC/B,MAAM,gBAAgB,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,gBAAgB,CAAC,CAAC;IAEhF,IAAI,cAAc,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACxC,0FAA0F;QAC1F,YAAY,GAAG,cAAc,CAAC,eAAe,CAAC;IAChD,CAAC;SAAM,CAAC;QACN,YAAY,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC;IACpD,CAAC;IAED,2BAA2B;IAC3B,MAAM,YAAY,GAAG,mBAAmB,CAAC,OAAO,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;IAErE,4BAA4B;IAC5B,MAAM,eAAe,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE;QAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,KAAK,gBAAgB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,KAAK,gBAAgB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;QAC7H,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,KAAK,EAAE,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,2BAA2B;IAC3B,MAAM,WAAW,GAAgB;QAC/B,YAAY;QACZ,YAAY;QACZ,eAAe;QACf,OAAO,EAAE,UAAU;KACpB,CAAC;IAEF,OAAO;QACL,GAAG,OAAO;QACV,YAAY,EAAE,OAAO,CAAC,IAAI;QAC1B,WAAW;KACZ,CAAC;AACJ,CAAC"}

package/dist/scanner/openssl.d.ts

@@ -0,0 +1,25 @@
+export interface OpensslProbeResult {
+    /** Negotiated TLS 1.3 group (e.g., 'X25519MLKEM768') */
+    group: string | null;
+    /** Classical key exchange info from "Peer Temp Key" / "Server Temp Key" */
+    peerTempKey: {
+        type: string;
+        name: string;
+        size: number;
+    } | null;
+}
+/**
+ * Find an OpenSSL 3.x binary (not LibreSSL).
+ * Returns the path or null if none found.
+ */
+export declare function findOpenssl3(): Promise<string | null>;
+/**
+ * Probe a host via `openssl s_client` to detect the negotiated TLS group.
+ * Gracefully returns nulls on any failure.
+ */
+export declare function probeWithOpenssl(host: string, port: number): Promise<OpensslProbeResult>;
+/**
+ * Parse openssl s_client output for TLS group and key exchange info.
+ */
+export declare function parseOpensslOutput(output: string): OpensslProbeResult;
+//# sourceMappingURL=openssl.d.ts.map

package/dist/scanner/openssl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"openssl.d.ts","sourceRoot":"","sources":["../../src/scanner/openssl.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,kBAAkB;IACjC,wDAAwD;IACxD,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,2EAA2E;IAC3E,WAAW,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;CAClE;AAUD;;;GAGG;AACH,wBAAsB,YAAY,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAiB3D;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,kBAAkB,CAAC,CA0B7B;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,kBAAkB,CAyBrE"}

package/dist/scanner/openssl.js

@@ -0,0 +1,113 @@
+import { execFile } from 'node:child_process';
+import { access, constants } from 'node:fs/promises';
+const OPENSSL_CANDIDATES = [
+    'openssl',
+    '/opt/homebrew/opt/openssl@3/bin/openssl',
+    '/usr/local/opt/openssl@3/bin/openssl',
+];
+const PROBE_TIMEOUT_MS = 5000;
+/**
+ * Find an OpenSSL 3.x binary (not LibreSSL).
+ * Returns the path or null if none found.
+ */
+export async function findOpenssl3() {
+    for (const candidate of OPENSSL_CANDIDATES) {
+        try {
+            // For absolute paths, check file exists first
+            if (candidate.startsWith('/')) {
+                await access(candidate, constants.X_OK);
+            }
+            const version = await runCommand(candidate, ['version']);
+            if (version.startsWith('OpenSSL 3.')) {
+                return candidate;
+            }
+        }
+        catch {
+            // Not found or not usable — try next
+        }
+    }
+    return null;
+}
+/**
+ * Probe a host via `openssl s_client` to detect the negotiated TLS group.
+ * Gracefully returns nulls on any failure.
+ */
+export async function probeWithOpenssl(host, port) {
+    const nullResult = { group: null, peerTempKey: null };
+    let opensslBin;
+    try {
+        opensslBin = await findOpenssl3();
+    }
+    catch {
+        return nullResult;
+    }
+    if (!opensslBin) {
+        return nullResult;
+    }
+    let output;
+    try {
+        output = await runCommand(opensslBin, [
+            's_client',
+            '-connect',
+            `${host}:${port}`,
+        ]);
+    }
+    catch {
+        return nullResult;
+    }
+    return parseOpensslOutput(output);
+}
+/**
+ * Parse openssl s_client output for TLS group and key exchange info.
+ */
+export function parseOpensslOutput(output) {
+    const result = { group: null, peerTempKey: null };
+    // Match: "Negotiated TLS1.3 group: X25519MLKEM768"
+    const groupMatch = output.match(/Negotiated TLS[\d.]+ group:\s*(\S+)/i);
+    if (groupMatch) {
+        result.group = groupMatch[1];
+    }
+    // Match: "Peer Temp Key: ECDH, X25519, 253 bits"
+    // or:    "Server Temp Key: ECDH, prime256v1, 256 bits"
+    const tempKeyMatch = output.match(/(?:Peer|Server) Temp Key:\s*(\w+),\s*([^,]+),\s*(\d+)\s*bits/i);
+    if (tempKeyMatch) {
+        result.peerTempKey = {
+            type: tempKeyMatch[1],
+            name: tempKeyMatch[2].trim(),
+            size: parseInt(tempKeyMatch[3], 10),
+        };
+    }
+    return result;
+}
+function runCommand(bin, args) {
+    return new Promise((resolve, reject) => {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), PROBE_TIMEOUT_MS);
+        const child = execFile(bin, args, {
+            timeout: PROBE_TIMEOUT_MS,
+            signal: controller.signal,
+        }, (error, stdout, stderr) => {
+            clearTimeout(timer);
+            // openssl s_client writes useful info to both stdout and stderr
+            // and may exit non-zero even on success (connection closed)
+            const combined = String(stdout ?? '') + '\n' + String(stderr ?? '');
+            if (combined.trim().length > 0) {
+                resolve(combined);
+            }
+            else if (error) {
+                reject(error);
+            }
+            else {
+                resolve('');
+            }
+        });
+        // Close stdin immediately so openssl doesn't hang waiting for input
+        try {
+            child.stdin?.end();
+        }
+        catch {
+            // ignore
+        }
+    });
+}
+//# sourceMappingURL=openssl.js.map

package/dist/scanner/openssl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"openssl.js","sourceRoot":"","sources":["../../src/scanner/openssl.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AASrD,MAAM,kBAAkB,GAAG;IACzB,SAAS;IACT,yCAAyC;IACzC,sCAAsC;CACvC,CAAC;AAEF,MAAM,gBAAgB,GAAG,IAAI,CAAC;AAE9B;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,KAAK,MAAM,SAAS,IAAI,kBAAkB,EAAE,CAAC;QAC3C,IAAI,CAAC;YACH,8CAA8C;YAC9C,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC9B,MAAM,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC;YAC1C,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,SAAS,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;YACzD,IAAI,OAAO,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;gBACrC,OAAO,SAAS,CAAC;YACnB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,qCAAqC;QACvC,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,IAAY,EACZ,IAAY;IAEZ,MAAM,UAAU,GAAuB,EAAE,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IAE1E,IAAI,UAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,UAAU,GAAG,MAAM,YAAY,EAAE,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,IAAI,MAAc,CAAC;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,UAAU,CAAC,UAAU,EAAE;YACpC,UAAU;YACV,UAAU;YACV,GAAG,IAAI,IAAI,IAAI,EAAE;SAClB,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,OAAO,kBAAkB,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAc;IAC/C,MAAM,MAAM,GAAuB,EAAE,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IAEtE,mDAAmD;IACnD,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAC7B,sCAAsC,CACvC,CAAC;IACF,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC/B,CAAC;IAED,iDAAiD;IACjD,uDAAuD;IACvD,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,CAC/B,+DAA+D,CAChE,CAAC;IACF,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,CAAC,WAAW,GAAG;YACnB,IAAI,EAAE,YAAY,CAAC,CAAC,CAAC;YACrB,IAAI,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;YAC5B,IAAI,EAAE,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;SACpC,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,UAAU,CAAC,GAAW,EAAE,IAAc;IAC7C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,gBAAgB,CAAC,CAAC;QAErE,MAAM,KAAK,GAAG,QAAQ,CACpB,GAAG,EACH,IAAI,EACJ;YACE,OAAO,EAAE,gBAAgB;YACzB,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,EACD,CAAC,KAAmB,EAAE,MAAuB,EAAE,MAAuB,EAAE,EAAE;YACxE,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,gEAAgE;YAChE,4DAA4D;YAC5D,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,GAAG,IAAI,GAAG,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;YACpE,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,OAAO,CAAC,QAAQ,CAAC,CAAC;YACpB,CAAC;iBAAM,IAAI,KAAK,EAAE,CAAC;gBACjB,MAAM,CAAC,KAAK,CAAC,CAAC;YAChB,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,EAAE,CAAC,CAAC;YACd,CAAC;QACH,CAAC,CACF,CAAC;QAEF,oEAAoE;QACpE,IAAI,CAAC;YACH,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/scanner/tls.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tls.d.ts","sourceRoot":"","sources":["../../src/scanner/tls.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAEvD,wBAAgB,QAAQ,CACtB,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,aAAa,CAAC,CA+BxB"}
+{"version":3,"file":"tls.d.ts","sourceRoot":"","sources":["../../src/scanner/tls.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGvD,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,aAAa,CAAC,CA0CxB"}

package/dist/scanner/tls.js

@@ -1,5 +1,47 @@
 import tls from 'node:tls';
-export function scanHost(host, port, timeout) {
+import { probeWithOpenssl } from './openssl.js';
+export async function scanHost(host, port, timeout) {
+    const result = await connectTls(host, port, timeout);
+    // Enrich with openssl probe for PQC detection
+    // Node.js returns {} for getEphemeralKeyInfo() on TLS 1.3
+    try {
+        const probe = await probeWithOpenssl(host, port);
+        if (probe.group) {
+            const groupUpper = probe.group.toUpperCase();
+            const isPqc = groupUpper.includes('KYBER') ||
+                groupUpper.includes('MLKEM') ||
+                groupUpper.includes('ML-KEM');
+            if (isPqc) {
+                result.ephemeralKeyInfo = {
+                    type: 'KEM',
+                    name: probe.group,
+                    size: 0,
+                };
+            }
+            else if (!result.ephemeralKeyInfo) {
+                // Classical group detected by openssl, Node.js had nothing
+                result.ephemeralKeyInfo = {
+                    type: 'ECDH',
+                    name: probe.group,
+                    size: 0,
+                };
+            }
+        }
+        else if (!result.ephemeralKeyInfo && probe.peerTempKey) {
+            // No negotiated group line but we got Peer Temp Key info
+            result.ephemeralKeyInfo = {
+                type: probe.peerTempKey.type,
+                name: probe.peerTempKey.name,
+                size: probe.peerTempKey.size,
+            };
+        }
+    }
+    catch {
+        // openssl probe failed — keep Node.js data as-is
+    }
+    return result;
+}
+function connectTls(host, port, timeout) {
     return new Promise((resolve, reject) => {
         const socket = tls.connect({
             host,