npm - proof-pr - Versions diffs - 0.1.5 → 0.1.6 - Mend

proof-pr 0.1.5 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -9,7 +9,7 @@ ProofPR 帮助维护者在投入深入 review 之前，先检查 PR 的证据、
 作为 GitHub Action 使用时，ProofPR 默认在 PR 打开、PR 分支更新、PR 重新打开时运行。普通分支 push 不会单独生成报告。
 报告会出现在 PR 评论区、GitHub Actions job summary 和 PR checks 状态里。
-`v0.1.5` 起还可以输出 GitHub annotations，并通过 `sarif-output` 写出 SARIF 文件。
+`v0.1.5` 起还可以输出 GitHub annotations，并通过 `sarif-output` 写出 SARIF 文件。当前版本还会识别依赖大版本升级、包生命周期脚本和 `pull_request_target` workflow 触发器。
 ## 使用

package/dist/index.js CHANGED Viewed

@@ -23234,9 +23234,10 @@ const configSchema = object({
     secrets: object({ enabled: schemas_boolean().default(true) }).default({ enabled: true }),
     dependencies: object({
         flagNewPackages: schemas_boolean().default(true),
-        flagMajorUpgrades: schemas_boolean().default(true)
+        flagMajorUpgrades: schemas_boolean().default(true),
+        flagLifecycleScripts: schemas_boolean().default(true)
     })
-        .default({ flagNewPackages: true, flagMajorUpgrades: true }),
+        .default({ flagNewPackages: true, flagMajorUpgrades: true, flagLifecycleScripts: true }),
     comment: object({ enabled: schemas_boolean().default(true) }).default({ enabled: true })
 });
 function parseConfig(input) {
@@ -23543,6 +23544,21 @@ function maintainerFocus(findings, locale) {
                 ? "要求拆分 PR，或提供逐文件 review 指南。"
                 : "Request a smaller PR or a file-by-file review guide.");
         }
+        else if (finding.ruleId === "dependency-major-upgrade") {
+            focus.add(locale === "zh-CN"
+                ? "重点核查依赖大版本升级的迁移说明、兼容性和测试覆盖。"
+                : "Review dependency major upgrade migration notes, compatibility, and test coverage.");
+        }
+        else if (finding.ruleId === "dependency-lifecycle-script") {
+            focus.add(locale === "zh-CN"
+                ? "合并前审查包生命周期脚本是否会在安装或发布时执行非预期代码。"
+                : "Review package lifecycle scripts for unexpected install or publish-time execution.");
+        }
+        else if (finding.ruleId === "workflow-dangerous-trigger") {
+            focus.add(locale === "zh-CN"
+                ? "重点审查 pull_request_target 是否会用高权限 token 执行不可信 PR 代码。"
+                : "Review whether pull_request_target can execute untrusted PR code with privileged tokens.");
+        }
         else if (finding.ruleId === "mcp-credential-risk") {
             focus.add(locale === "zh-CN"
                 ? "重点审查 MCP command、args 和凭证处理方式。"
@@ -23604,6 +23620,20 @@ function translateFinding(finding) {
             recommendation: "请确认包名、许可证、来源可信度，以及 lockfile 是否匹配预期依赖变化。"
         };
     }
+    if (finding.ruleId === "dependency-major-upgrade") {
+        return {
+            title: "依赖发生大版本升级",
+            message: finding.path ? `${finding.path} 中有依赖跨越了大版本边界。` : finding.message,
+            recommendation: "请核查 changelog、迁移说明、peer dependencies 影响，以及测试是否覆盖升级后的关键路径。"
+        };
+    }
+    if (finding.ruleId === "dependency-lifecycle-script") {
+        return {
+            title: "包生命周期脚本发生变更",
+            message: finding.path ? `${finding.path} 新增或修改了安装/发布阶段可能自动执行的脚本。` : finding.message,
+            recommendation: "请确认该脚本是否必要，是否下载或执行远程代码，以及是否会影响安装该包的用户。"
+        };
+    }
     if (finding.ruleId === "workflow-permission-change") {
         return {
             title: "Workflow 权限发生变更",
@@ -23611,6 +23641,13 @@ function translateFinding(finding) {
             recommendation: "请确认 workflow 是否真的需要写权限或 token 权限，并检查不可信 PR 是否能触达该 workflow。"
         };
     }
+    if (finding.ruleId === "workflow-dangerous-trigger") {
+        return {
+            title: "Workflow 使用了 pull_request_target",
+            message: finding.path ? `${finding.path} 新增了 pull_request_target 触发器。` : finding.message,
+            recommendation: "请确认该 workflow 不会用高权限 token、secret 或写权限执行不可信 PR 代码。"
+        };
+    }
     if (finding.ruleId === "mcp-credential-risk") {
         return {
             title: "MCP 配置需要重点审查",
@@ -23687,9 +23724,12 @@ function translateReviewActionTitle(actionId, fallback) {
         "add-reproduction-context": "要求补充复现或 before/after 上下文",
         "rotate-secret": "轮换并移除暴露的凭证",
         "justify-workflow-permissions": "要求说明 workflow 权限最小化理由",
+        "review-privileged-pr-trigger": "审查 pull_request_target 高权限触发器",
+        "review-package-lifecycle-script": "审查包生命周期脚本",
         "review-mcp-execution-surface": "审查 MCP 命令、参数和凭证处理",
         "request-review-map-or-split": "要求拆分 PR 或提供逐文件 review map",
         "verify-dependency-change": "核查依赖来源和 lockfile 影响",
+        "review-major-dependency-upgrade": "核查依赖大版本升级影响",
         "assign-sensitive-file-review": "安排敏感文件重点 review"
     }[actionId] ?? fallback;
 }
@@ -23704,9 +23744,12 @@ function translateReviewActionDetail(actionId, fallback) {
         "add-reproduction-context": "PR 应包含复现步骤、预期/实际行为，或相关 before/after 截图。",
         "rotate-secret": "在 secret 从 PR 中移除并完成轮换前，不要合并。",
         "justify-workflow-permissions": "确认写权限或 OIDC 是否必要，并检查不可信 PR 是否能触发该 workflow。",
+        "review-privileged-pr-trigger": "确认 workflow 不会用写权限 token、secret 或仓库权限执行不可信 PR 代码。",
+        "review-package-lifecycle-script": "检查 install、postinstall、prepare 或 publish 脚本是否会执行非预期代码。",
         "review-mcp-execution-surface": "检查 MCP 配置是否提交凭证，或意外扩大本地执行面。",
         "request-review-map-or-split": "要求贡献者拆分无关改动，或标出最需要重点 review 的文件。",
         "verify-dependency-change": "检查包名、维护者、许可证、安装脚本，以及 lockfile 是否符合预期依赖变化。",
+        "review-major-dependency-upgrade": "检查 changelog、迁移说明、peer dependencies，以及测试是否覆盖升级后的关键路径。",
         "assign-sensitive-file-review": "合并前由维护者有意识地检查敏感文件改动。"
     }[actionId] ?? fallback;
 }
@@ -23715,7 +23758,10 @@ function translateFocusReason(reasonId, fallback) {
         "change-size": "review 面积相关 finding",
         "sensitive-path": "敏感路径发生变更",
         "dependency-added": "依赖清单发生变更",
+        "dependency-major-upgrade": "依赖发生大版本升级",
+        "dependency-lifecycle-script": "包生命周期脚本发生变更",
         "workflow-permission-change": "workflow 权限发生变更",
+        "workflow-dangerous-trigger": "workflow 使用了高风险触发器",
         "mcp-credential-risk": "MCP 配置存在执行面或凭证风险",
         "missing-tests": "代码改动缺少测试或验证证据"
     }[reasonId] ?? fallback;
@@ -23744,6 +23790,9 @@ function translateDeduction(reasonId, fallback) {
         "sensitive-path-high": "高敏感文件发生变更，需要重点 review。",
         "sensitive-path-medium": "敏感文件发生变更，需要重点 review。",
         "dependency-change": "依赖清单发生变更。",
+        "dependency-major-upgrade": "依赖发生大版本升级。",
+        "dependency-lifecycle-script": "包生命周期脚本可能在安装或发布阶段执行代码。",
+        "workflow-dangerous-trigger": "pull_request_target workflow 需要重点审查高权限触发路径。",
         "missing-tests": "代码发生变更，但缺少测试变更或验证说明。"
     }[reasonId] ?? fallback;
 }
@@ -24055,6 +24104,7 @@ function analyzeDiffFiles(files, config, pullRequest) {
     findings.push(...analyzePullRequestEvidence(activeFiles, pullRequest));
     findings.push(...analyzeDependencyChanges(activeFiles, config));
     findings.push(...analyzeWorkflowPermissions(activeFiles));
+    findings.push(...analyzeWorkflowDangerousTriggers(activeFiles));
     findings.push(...analyzeMcpConfigs(activeFiles));
     if (config.secrets.enabled) {
         for (const file of activeFiles) {
@@ -24180,49 +24230,132 @@ function analyzePullRequestEvidence(files, pullRequest) {
     return findings;
 }
 function analyzeDependencyChanges(files, config) {
-    if (!config.dependencies.flagNewPackages) {
-        return [];
-    }
     const findings = [];
     for (const file of files.filter((candidate) => isDependencyManifest(candidate.path))) {
-        const addedDependencyLines = file.addedLines.filter((line) => isDependencyLikeAddition(file.path, line.value.trim()));
-        if (addedDependencyLines.length === 0) {
-            continue;
+        if (config.dependencies.flagNewPackages) {
+            const addedDependencyLines = file.addedLines.filter((line) => isDependencyLikeAddition(file.path, line.value.trim()));
+            if (addedDependencyLines.length > 0) {
+                findings.push({
+                    ruleId: "dependency-added",
+                    title: "Dependency manifest changed",
+                    message: `${file.path} adds or changes dependency-like entries.`,
+                    severity: "medium",
+                    path: file.path,
+                    evidence: addedDependencyLines.slice(0, 5).map(formatEvidenceLine),
+                    recommendation: "Verify package names, licenses, provenance, and whether the lockfile matches the intended dependency change."
+                });
+            }
+        }
+        if (config.dependencies.flagMajorUpgrades) {
+            findings.push(...analyzeMajorDependencyUpgrades(file));
+        }
+        if (config.dependencies.flagLifecycleScripts) {
+            findings.push(...analyzeLifecycleScripts(file));
         }
-        findings.push({
-            ruleId: "dependency-added",
-            title: "Dependency manifest changed",
-            message: `${file.path} adds or changes dependency-like entries.`,
-            severity: "medium",
-            path: file.path,
-            evidence: addedDependencyLines.slice(0, 5).map(formatEvidenceLine),
-            recommendation: "Verify package names, licenses, provenance, and whether the lockfile matches the intended dependency change."
-        });
     }
     return findings;
 }
 function isDependencyLikeAddition(path, line) {
+    return parseDependencyLine(path, { value: line }) !== undefined;
+}
+function analyzeMajorDependencyUpgrades(file) {
+    const removedDependencies = new Map();
+    for (const line of file.removedLines) {
+        const parsed = parseDependencyLine(file.path, line);
+        if (parsed) {
+            removedDependencies.set(parsed.name, parsed);
+        }
+    }
+    const upgrades = file.addedLines
+        .map((line) => parseDependencyLine(file.path, line))
+        .filter((line) => Boolean(line))
+        .map((added) => ({ added, removed: removedDependencies.get(added.name) }))
+        .filter((change) => change.removed !== undefined && isMajorUpgrade(change.removed.version, change.added.version));
+    if (upgrades.length === 0) {
+        return [];
+    }
+    return [
+        {
+            ruleId: "dependency-major-upgrade",
+            title: "Dependency major version upgrade",
+            message: `${file.path} upgrades one or more dependencies across a major version boundary.`,
+            severity: "medium",
+            path: file.path,
+            evidence: upgrades.slice(0, 5).map(({ added, removed }) => `${added.line.lineNumber ? `line ${added.line.lineNumber}: ` : ""}${added.name} ${removed.version} -> ${added.version}`),
+            recommendation: "Check changelogs, migration notes, peer dependency impact, and whether tests cover the upgraded package surface."
+        }
+    ];
+}
+function analyzeLifecycleScripts(file) {
+    if (!file.path.endsWith("package.json")) {
+        return [];
+    }
+    const lifecycleLines = file.addedLines.filter((line) => /^"(?:preinstall|install|postinstall|prepare|prepublish|prepublishOnly)"\s*:/.test(line.value.trim()));
+    if (lifecycleLines.length === 0) {
+        return [];
+    }
+    return [
+        {
+            ruleId: "dependency-lifecycle-script",
+            title: "Package lifecycle script changed",
+            message: `${file.path} adds or changes npm lifecycle scripts that may run during install or publish.`,
+            severity: "high",
+            path: file.path,
+            evidence: lifecycleLines.slice(0, 5).map(formatEvidenceLine),
+            recommendation: "Review whether the lifecycle script is necessary, whether it downloads or executes remote code, and whether it can affect consumers during install."
+        }
+    ];
+}
+function parseDependencyLine(path, line) {
+    const value = line.value.trim();
     if (path.endsWith("package.json")) {
-        const match = /^"(?<key>[@A-Za-z0-9_.-]+)"\s*:\s*"(?<value>[^"]*)"/.exec(line);
+        const match = /^"(?<key>[@A-Za-z0-9_.-]+)"\s*:\s*"(?<version>[^"]*)"/.exec(value);
         if (!match?.groups) {
-            return false;
+            return undefined;
         }
-        const { key, value } = match.groups;
-        if (!key || !value || PACKAGE_JSON_NON_DEPENDENCY_KEYS.has(key)) {
-            return false;
+        const { key, version } = match.groups;
+        if (!key || !version || PACKAGE_JSON_NON_DEPENDENCY_KEYS.has(key)) {
+            return undefined;
+        }
+        if (!/^(?:\^|~|>=?|<=?|\d|workspace:|npm:|file:|link:|portal:|git\+|https?:|github:)/.test(version)) {
+            return undefined;
         }
-        return /^(?:\^|~|>=?|<=?|\d|workspace:|npm:|file:|link:|portal:|git\+|https?:|github:)/.test(value);
+        return { name: key, version, line };
     }
     if (path.endsWith("requirements.txt")) {
-        return /^[A-Za-z0-9_.-]+(?:\[.*\])?\s*(?:==|>=|<=|~=|>|<)\s*[^#\s]+/.test(line);
+        const match = /^(?<name>[A-Za-z0-9_.-]+)(?:\[.*\])?\s*(?:==|>=|<=|~=|>|<)\s*(?<version>[^#\s]+)/.exec(value);
+        return match?.groups?.name && match.groups.version
+            ? { name: match.groups.name, version: match.groups.version, line }
+            : undefined;
     }
     if (path.endsWith("pyproject.toml") || path.endsWith("Cargo.toml")) {
-        return /^[A-Za-z0-9_.-]+\s*=\s*"(?:\^|~|>=?|<=?|\d|workspace:|path\s*=|git\s*=)[^"]*"/.test(line);
+        const match = /^(?<name>[A-Za-z0-9_.-]+)\s*=\s*"(?<version>(?:\^|~|>=?|<=?|\d|workspace:|path\s*=|git\s*=)[^"]*)"/.exec(value);
+        return match?.groups?.name && match.groups.version
+            ? { name: match.groups.name, version: match.groups.version, line }
+            : undefined;
     }
     if (path.endsWith("go.mod")) {
-        return /^(?:require\s+)?[A-Za-z0-9_.\-/]+\s+v\d+\.\d+\.\d+/.test(line);
+        const match = /^(?:require\s+)?(?<name>[A-Za-z0-9_.\-/]+)\s+(?<version>v\d+\.\d+\.\d+)/.exec(value);
+        return match?.groups?.name && match.groups.version
+            ? { name: match.groups.name, version: match.groups.version, line }
+            : undefined;
     }
-    return false;
+    return undefined;
+}
+function isMajorUpgrade(previousVersion, nextVersion) {
+    const previousMajor = extractMajorVersion(previousVersion);
+    const nextMajor = extractMajorVersion(nextVersion);
+    return previousMajor !== undefined && nextMajor !== undefined && nextMajor > previousMajor;
+}
+function extractMajorVersion(version) {
+    const normalized = version
+        .replace(/^workspace:/, "")
+        .replace(/^npm:[^@]+@/, "")
+        .replace(/^[~^<>=\s]+/, "")
+        .replace(/^v/, "");
+    const match = /(?<major>\d+)\.\d+\.\d+/.exec(normalized);
+    const major = match?.groups?.major ? Number(match.groups.major) : undefined;
+    return major !== undefined && Number.isInteger(major) ? major : undefined;
 }
 function analyzeWorkflowPermissions(files) {
     const findings = [];
@@ -24243,6 +24376,25 @@ function analyzeWorkflowPermissions(files) {
     }
     return findings;
 }
+function analyzeWorkflowDangerousTriggers(files) {
+    const findings = [];
+    for (const file of files.filter((candidate) => isWorkflowPath(candidate.path))) {
+        const triggerLines = file.addedLines.filter((line) => /\bpull_request_target\b/.test(line.value.trim()));
+        if (triggerLines.length === 0) {
+            continue;
+        }
+        findings.push({
+            ruleId: "workflow-dangerous-trigger",
+            title: "Workflow uses pull_request_target",
+            message: `${file.path} adds pull_request_target, which runs with base repository context and can be risky for untrusted PRs.`,
+            severity: "high",
+            path: file.path,
+            evidence: triggerLines.slice(0, 5).map(formatEvidenceLine),
+            recommendation: "Confirm the workflow does not check out or execute untrusted PR code with privileged tokens or write permissions."
+        });
+    }
+    return findings;
+}
 function analyzeMcpConfigs(files) {
     const findings = [];
     for (const file of files.filter((candidate) => isMcpConfigPath(candidate.path))) {
@@ -24336,7 +24488,10 @@ function calculateEvidenceScore(summary, findings) {
         "sensitive-path",
         "missing-tests",
         "dependency-added",
+        "dependency-major-upgrade",
+        "dependency-lifecycle-script",
         "workflow-permission-change",
+        "workflow-dangerous-trigger",
         "mcp-credential-risk"
     ].includes(finding.ruleId));
     if (needsVerificationEvidence && !summary.verificationEvidence) {
@@ -24352,6 +24507,9 @@ function calculateEvidenceScore(summary, findings) {
         else if (finding.ruleId === "workflow-permission-change") {
             addDeduction("workflow-permission-change", 25, "Workflow permission changes need deliberate review.");
         }
+        else if (finding.ruleId === "workflow-dangerous-trigger") {
+            addDeduction("workflow-dangerous-trigger", 30, "pull_request_target workflows need privileged trigger review.");
+        }
         else if (finding.ruleId === "mcp-credential-risk") {
             addDeduction("mcp-credential-risk", 25, "MCP configuration expands local execution or credential risk.");
         }
@@ -24366,6 +24524,12 @@ function calculateEvidenceScore(summary, findings) {
         else if (finding.ruleId === "dependency-added") {
             addDeduction("dependency-change", 10, "Dependency manifest changed.");
         }
+        else if (finding.ruleId === "dependency-major-upgrade") {
+            addDeduction("dependency-major-upgrade", 15, "Dependency major version changed.");
+        }
+        else if (finding.ruleId === "dependency-lifecycle-script") {
+            addDeduction("dependency-lifecycle-script", 25, "Package lifecycle scripts can run during install or publish.");
+        }
         else if (finding.ruleId === "missing-tests") {
             addDeduction("missing-tests", finding.severity === "medium" ? 20 : 12, "Code changed without test changes or verification notes.");
         }
@@ -24417,11 +24581,14 @@ function gradeEvidenceScore(value) {
 function calculateReviewDecision(risk, evidenceScore, findings) {
     const hasBlockingSecurityFinding = findings.some((finding) => finding.ruleId.startsWith("secret-detected") ||
         finding.ruleId === "workflow-permission-change" ||
+        finding.ruleId === "workflow-dangerous-trigger" ||
+        finding.ruleId === "dependency-lifecycle-script" ||
         finding.ruleId === "mcp-credential-risk");
     if (hasBlockingSecurityFinding || evidenceScore.value < 50 || risk === "high") {
         return "block-merge";
     }
-    if (evidenceScore.value < 70 || findings.some((finding) => finding.ruleId === "missing-tests" || finding.ruleId === "thin-pr-description")) {
+    if (evidenceScore.value < 70 ||
+        findings.some((finding) => finding.ruleId === "missing-tests" || finding.ruleId === "thin-pr-description")) {
         return "needs-evidence";
     }
     if (risk === "medium") {
@@ -24558,6 +24725,28 @@ function reviewActionsForFinding(finding) {
             }
         ];
     }
+    if (finding.ruleId === "workflow-dangerous-trigger") {
+        return [
+            {
+                actionId: "review-privileged-pr-trigger",
+                title: "Review privileged pull_request_target usage.",
+                detail: "Confirm the workflow does not execute untrusted PR code with write tokens, secrets, or repository permissions.",
+                priority: "high",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
+    if (finding.ruleId === "dependency-lifecycle-script") {
+        return [
+            {
+                actionId: "review-package-lifecycle-script",
+                title: "Review package lifecycle scripts before merge.",
+                detail: "Check whether install, postinstall, prepare, or publish scripts can execute unexpected code for contributors or consumers.",
+                priority: "high",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
     if (finding.ruleId === "mcp-credential-risk") {
         return [
             {
@@ -24591,6 +24780,17 @@ function reviewActionsForFinding(finding) {
             }
         ];
     }
+    if (finding.ruleId === "dependency-major-upgrade") {
+        return [
+            {
+                actionId: "review-major-dependency-upgrade",
+                title: "Review major dependency upgrade impact.",
+                detail: "Check changelogs, migration notes, peer dependencies, and whether tests cover the upgraded surface.",
+                priority: "medium",
+                relatedRuleIds: [finding.ruleId]
+            }
+        ];
+    }
     if (finding.ruleId === "sensitive-path") {
         return [
             {
@@ -24664,7 +24864,7 @@ const build_program = new Command();
 build_program
     .name("proof-pr")
     .description("Review pull request evidence, scope, and safety before maintainers spend time on it.")
-    .version("0.1.5");
+    .version("0.1.6");
 build_program
     .command("scan", { isDefault: true })
     .description("Scan a git diff and print a ProofPR report.")
@@ -24792,6 +24992,7 @@ comment:
 # dependencies:
 #   flagNewPackages: true
 #   flagMajorUpgrades: true
+#   flagLifecycleScripts: true
 `;
 }
 function renderWorkflowTemplate(failOn) {
@@ -24810,7 +25011,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: linsk27/proof-pr@v0.1.5
+      - uses: linsk27/proof-pr@v0.1.6
         with:
           fail-on: ${failOn}
           comment: "true"

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "proof-pr",
-  "version": "0.1.5",
+  "version": "0.1.6",
   "description": "CLI for ProofPR, a maintainer-focused pull request evidence scanner.",
   "license": "MIT",
   "type": "module",

package/dist/index.d.ts DELETED Viewed

	@@ -1,2 +0,0 @@
1	- #!/usr/bin/env node
2	- export {};

package/dist/index.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACtE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AAC1D,OAAO,EACL,UAAU,EACV,oBAAoB,EACpB,iBAAiB,EACjB,kBAAkB,EAClB,QAAQ,EAET,MAAM,gBAAgB,CAAC;AAExB,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAwB1C,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,UAAU,CAAC;KAChB,WAAW,CAAC,sFAAsF,CAAC;KACnG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;KACpC,WAAW,CAAC,6CAA6C,CAAC;KAC1D,MAAM,CAAC,cAAc,EAAE,yDAAyD,CAAC;KACjF,MAAM,CAAC,cAAc,EAAE,gCAAgC,EAAE,MAAM,CAAC;KAChE,MAAM,CAAC,oBAAoB,EAAE,8DAA8D,CAAC;KAC5F,MAAM,CAAC,oBAAoB,EAAE,8CAA8C,CAAC;KAC5E,MAAM,CAAC,kBAAkB,EAAE,6CAA6C,CAAC;KACzE,MAAM,CAAC,uBAAuB,EAAE,gDAAgD,CAAC;KACjF,MAAM,CAAC,iBAAiB,EAAE,uBAAuB,EAAE,cAAc,CAAC;KAClE,MAAM,CAAC,mBAAmB,EAAE,0CAA0C,EAAE,WAAW,EAAE,UAAU,CAAC;KAChG,MAAM,CAAC,mBAAmB,EAAE,8DAA8D,EAAE,cAAc,EAAE,OAAO,CAAC;KACpH,MAAM,CAAC,KAAK,EAAE,OAA2B,EAAE,EAAE;IAC5C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ;QAC/B,CAAC,CAAC,MAAM,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,CAAC;QAC1C,CAAC,CAAC,MAAM,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IAElD,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAClD,MAAM,WAAW,GACf,OAAO,CAAC,OAAO,KAAK,SAAS,IAAI,MAAM,KAAK,SAAS;QACnD,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE;QAC1C,CAAC,CAAC,SAAS,CAAC;IAChB,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAEpD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,IAAI,CAAC,CAAC;IAEpC,IAAI,kBAAkB,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACpD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;IACvB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,4DAA4D,CAAC;KACzE,MAAM,CAAC,sBAAsB,EAAE,+CAA+C,EAAE,cAAc,CAAC;KAC/F,MAAM,CACL,wBAAwB,EACxB,4CAA4C,EAC5C,+BAA+B,CAChC;KACA,MAAM,CAAC,mBAAmB,EAAE,0DAA0D,EAAE,cAAc,EAAE,MAAM,CAAC;KAC/G,MAAM,CAAC,SAAS,EAAE,2BAA2B,EAAE,KAAK,CAAC;KACrD,MAAM,CAAC,KAAK,EAAE,OAA2B,EAAE,EAAE;IAC5C,MAAM,cAAc,CAAC,OAAO,CAAC,UAAU,EAAE,oBAAoB,EAAE,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAChF,MAAM,cAAc,CAAC,OAAO,CAAC,YAAY,EAAE,sBAAsB,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAClG,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,2BAA2B,OAAO,CAAC,UAAU,OAAO,OAAO,CAAC,YAAY,IAAI,CAC7E,CAAC;AACJ,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,KAAc,EAAE,EAAE;IACxD,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,OAAO,IAAI,CAAC,CAAC;IACrD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;AACvB,CAAC,CAAC,CAAC;AAEH,KAAK,UAAU,WAAW,CAAC,IAAwB,EAAE,IAAY;IAC/D,MAAM,IAAI,GAAG,CAAC,MAAM,EAAE,eAAe,EAAE,aAAa,CAAC,CAAC;IAEtD,IAAI,IAAI,EAAE,CAAC;QACT,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,MAAM,IAAI,EAAE,CAAC,CAAC;IACjC,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC,CAAC;IACrF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,OAA2B;IAC5D,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,OAAO,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO,OAAO,CAAC,MAAM,CAAC;AACxB,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,IAAY,EAAE,QAAgB,EAAE,KAAc;IAC1E,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,UAAU,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,gDAAgD,CAAC,CAAC;IAC3E,CAAC;IAED,MAAM,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAChD,MAAM,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;AAC1C,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,IAAY;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB;IAC3B,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiCR,CAAC;AACF,CAAC;AAED,SAAS,sBAAsB,CAAC,MAAiB;IAC/C,OAAO;;;;;;;;;;;;;;;;;qBAiBY,MAAM;;CAE1B,CAAC;AACF,CAAC;AAED,SAAS,YAAY,CAAC,MAAmC,EAAE,MAAoB;IAC7E,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,oBAAoB,CAAC,MAAM,CAAC,CAAC;AACtC,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAChC,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,UAAU,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;QAClE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,IAAI,oBAAoB,CAAC,8CAA8C,CAAC,CAAC;AACjF,CAAC;AAED,SAAS,cAAc,CAAC,KAAa;IACnC,IAAI,KAAK,KAAK,KAAK,IAAI,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;QACnF,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,IAAI,oBAAoB,CAAC,kDAAkD,CAAC,CAAC;AACrF,CAAC"}