npm - shieldcortex - Versions diffs - 2.6.4 → 2.7.0 - Mend

shieldcortex 2.6.4 → 2.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (63) hide show

package/dist/defence/__tests__/credential-leak.test.js ADDED Viewed

@@ -0,0 +1,403 @@
+/**
+ * Credential Leak Detection Tests
+ *
+ * Tests each credential type, entropy calculation, redaction,
+ * false positive handling, and pipeline integration.
+ */
+import { describe, it, expect, beforeAll, afterAll } from '@jest/globals';
+import { scanForCredentials, redactCredentials, shannonEntropy } from '../credential-leak/index.js';
+import { initDatabase, closeDatabase } from '../../database/init.js';
+// ── API Key Detection ──
+describe('Credential Leak Detection', () => {
+    describe('OpenAI API Keys', () => {
+        it('should detect OpenAI sk- keys', () => {
+            const result = scanForCredentials('My key is sk-abcdefghijklmnopqrstuvwxyz1234');
+            expect(result.leaked).toBe(true);
+            expect(result.findings).toHaveLength(1);
+            expect(result.findings[0].type).toBe('api_key');
+            expect(result.findings[0].provider).toBe('openai');
+            expect(result.findings[0].severity).toBe('critical');
+            expect(result.findings[0].action).toBe('blocked');
+        });
+        it('should not trigger on short sk- prefixes like "sk-etch"', () => {
+            const result = scanForCredentials('I like to sk-etch drawings');
+            expect(result.leaked).toBe(false);
+            expect(result.findings).toHaveLength(0);
+        });
+        it('should not trigger on "sk-ip" or similar short words', () => {
+            const result = scanForCredentials('Let me sk-ip that part');
+            expect(result.leaked).toBe(false);
+        });
+    });
+    describe('Anthropic API Keys', () => {
+        it('should detect Anthropic sk-ant- keys', () => {
+            const result = scanForCredentials('export ANTHROPIC_API_KEY=sk-ant-api03-abcdefghijklmnopqrstuvwxyz');
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.provider === 'anthropic')).toBe(true);
+            expect(result.findings.find(f => f.provider === 'anthropic')?.severity).toBe('critical');
+        });
+    });
+    describe('AWS Keys', () => {
+        it('should detect AWS Access Key IDs', () => {
+            const result = scanForCredentials('AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE');
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.provider === 'aws')).toBe(true);
+            expect(result.findings.find(f => f.provider === 'aws')?.severity).toBe('critical');
+        });
+        it('should detect AWS Secret Access Keys', () => {
+            const result = scanForCredentials('aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY');
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.provider === 'aws')).toBe(true);
+        });
+    });
+    describe('GitHub Tokens', () => {
+        it('should detect GitHub personal access tokens (ghp_)', () => {
+            const result = scanForCredentials('token: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij');
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.provider === 'github')).toBe(true);
+            expect(result.findings.find(f => f.provider === 'github')?.severity).toBe('critical');
+        });
+        it('should detect GitHub OAuth tokens (gho_)', () => {
+            const result = scanForCredentials('gho_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij');
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.provider === 'github')).toBe(true);
+        });
+        it('should detect GitHub fine-grained PATs', () => {
+            const result = scanForCredentials('github_pat_11ABCDEFG0abcdefghijklmn');
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.provider === 'github')).toBe(true);
+        });
+    });
+    describe('Stripe Keys', () => {
+        it('should detect Stripe live keys as critical', () => {
+            // Split to avoid GitHub push protection false positive
+            const key = 'sk_live_' + '51ABCDEFGHIJKLMNOPQRSTUVwx';
+            const result = scanForCredentials(key);
+            expect(result.leaked).toBe(true);
+            expect(result.findings.find(f => f.provider === 'stripe')?.severity).toBe('critical');
+        });
+        it('should detect Stripe test keys as medium', () => {
+            const key = 'sk_test_' + '51ABCDEFGHIJKLMNOPQRSTUVwx';
+            const result = scanForCredentials(key);
+            expect(result.leaked).toBe(true);
+            expect(result.findings.find(f => f.provider === 'stripe')?.severity).toBe('medium');
+        });
+    });
+    describe('Other API Keys', () => {
+        it('should detect SendGrid keys', () => {
+            const result = scanForCredentials('SG.abcdefghijklmnopqrstuv.wxyzABCDEFGHIJKLMNOPQRS');
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.provider === 'sendgrid')).toBe(true);
+        });
+        it('should detect Google API keys', () => {
+            const result = scanForCredentials('key=AIzaSyDabcdefghijklmnopqrstuvwxyz123456');
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.provider === 'google')).toBe(true);
+        });
+        it('should detect npm tokens', () => {
+            const result = scanForCredentials('//registry.npmjs.org/:_authToken=npm_abcdefghijklmnopqrstuvwxyz1234567890');
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.provider === 'npm')).toBe(true);
+        });
+        it('should detect Slack bot tokens', () => {
+            // Split to avoid GitHub push protection false positive
+            const token = 'xoxb-' + '1234567890-abcdefghijklmnopqrstuvwx';
+            const result = scanForCredentials(`SLACK_BOT_TOKEN=${token}`);
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.provider === 'slack')).toBe(true);
+        });
+    });
+    // ── JWT Tokens ──
+    describe('JWT Tokens', () => {
+        it('should detect JWT tokens', () => {
+            const jwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U';
+            const result = scanForCredentials(`Authorization: Bearer ${jwt}`);
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.type === 'jwt')).toBe(true);
+        });
+    });
+    // ── Bearer/Basic Auth ──
+    describe('Auth Headers', () => {
+        it('should detect Bearer token headers', () => {
+            const result = scanForCredentials('Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.dG9rZW4.sig');
+            expect(result.leaked).toBe(true);
+        });
+        it('should detect Basic auth headers', () => {
+            const result = scanForCredentials('Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=');
+            expect(result.leaked).toBe(true);
+        });
+    });
+    // ── Private Keys ──
+    describe('Private Keys', () => {
+        it('should detect RSA private keys', () => {
+            const pem = '-----BEGIN RSA PRIVATE KEY-----\nMIIBogIBAAJBALRiMLAHudeSA...\n-----END RSA PRIVATE KEY-----';
+            const result = scanForCredentials(pem);
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.type === 'private_key')).toBe(true);
+            expect(result.findings.find(f => f.type === 'private_key')?.severity).toBe('critical');
+        });
+        it('should detect EC private keys', () => {
+            const pem = '-----BEGIN EC PRIVATE KEY-----\nMHQCAQEEIBLtbW...\n-----END EC PRIVATE KEY-----';
+            const result = scanForCredentials(pem);
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.type === 'private_key')).toBe(true);
+        });
+        it('should detect SSH private keys', () => {
+            const pem = '-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1r...\n-----END OPENSSH PRIVATE KEY-----';
+            const result = scanForCredentials(pem);
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.type === 'private_key')).toBe(true);
+        });
+        it('should detect generic private keys', () => {
+            const pem = '-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBg...\n-----END PRIVATE KEY-----';
+            const result = scanForCredentials(pem);
+            expect(result.leaked).toBe(true);
+        });
+    });
+    // ── Connection Strings ──
+    describe('Connection Strings', () => {
+        it('should detect PostgreSQL connection strings with passwords', () => {
+            const result = scanForCredentials('DATABASE_URL=postgres://admin:s3cretP4ss@db.example.com:5432/mydb');
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.type === 'connection_string')).toBe(true);
+            expect(result.findings.find(f => f.type === 'connection_string')?.provider).toBe('postgres');
+        });
+        it('should detect MySQL connection strings', () => {
+            const result = scanForCredentials('mysql://root:password123@localhost:3306/app');
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.provider === 'mysql')).toBe(true);
+        });
+        it('should detect MongoDB connection strings', () => {
+            const result = scanForCredentials('mongodb+srv://user:pass123@cluster0.example.mongodb.net/db');
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.provider === 'mongodb')).toBe(true);
+        });
+        it('should detect Redis connection strings', () => {
+            const result = scanForCredentials('redis://default:mypassword@redis.example.com:6379');
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.provider === 'redis')).toBe(true);
+        });
+    });
+    // ── Environment Variable Patterns ──
+    describe('Environment Variable Secrets', () => {
+        it('should detect PASSWORD= assignments', () => {
+            const result = scanForCredentials('DB_PASSWORD=super_secret_password_123');
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.type === 'env_secret')).toBe(true);
+        });
+        it('should detect SECRET= assignments', () => {
+            const result = scanForCredentials('JWT_SECRET="my-super-secret-jwt-key-12345"');
+            expect(result.leaked).toBe(true);
+        });
+        it('should detect TOKEN= assignments', () => {
+            const result = scanForCredentials('API_TOKEN=abcdef1234567890ghijklmn');
+            expect(result.leaked).toBe(true);
+        });
+        it('should detect API_KEY= assignments', () => {
+            const result = scanForCredentials('API_KEY=some-long-api-key-value-here');
+            expect(result.leaked).toBe(true);
+        });
+        it('should not trigger on short values', () => {
+            const result = scanForCredentials('PASSWORD=short');
+            // Value "short" is < 8 chars, should not trigger env_secret
+            const envFindings = result.findings.filter(f => f.type === 'env_secret');
+            expect(envFindings).toHaveLength(0);
+        });
+    });
+    // ── Entropy Calculation ──
+    describe('Shannon Entropy', () => {
+        it('should calculate entropy of uniform distribution', () => {
+            // All unique chars in "abcdefgh" → log2(8) = 3.0
+            const e = shannonEntropy('abcdefgh');
+            expect(e).toBeCloseTo(3.0, 1);
+        });
+        it('should return 0 for empty string', () => {
+            expect(shannonEntropy('')).toBe(0);
+        });
+        it('should return 0 for single repeated char', () => {
+            expect(shannonEntropy('aaaaaaa')).toBe(0);
+        });
+        it('should have higher entropy for random-looking strings', () => {
+            const lowEntropy = shannonEntropy('aaabbbccc');
+            const highEntropy = shannonEntropy('Kx9$mQ2!pL7@nR4^');
+            expect(highEntropy).toBeGreaterThan(lowEntropy);
+        });
+    });
+    // ── High Entropy Detection ──
+    describe('High Entropy Detection', () => {
+        it('should flag high-entropy strings 20+ chars as potential secrets', () => {
+            // This is a high-entropy random string
+            const result = scanForCredentials('token: aB3xK9mQ2pL7nR4cT8vY1wZ5fH6jD0s');
+            // Should detect either via pattern or entropy
+            expect(result.leaked).toBe(true);
+        });
+        it('should not flag normal English text', () => {
+            const result = scanForCredentials('The quick brown fox jumps over the lazy dog');
+            // No API key patterns, low entropy for English
+            const highEntropyFindings = result.findings.filter(f => f.type === 'high_entropy');
+            expect(highEntropyFindings).toHaveLength(0);
+        });
+    });
+    // ── Redaction ──
+    describe('Redaction', () => {
+        it('should redact detected secrets in content', () => {
+            const content = 'My key is sk-abcdefghijklmnopqrstuvwxyz1234';
+            const redacted = redactCredentials(content);
+            expect(redacted).not.toContain('sk-abcdefghijklmnopqrstuvwxyz1234');
+            expect(redacted).toContain('[REDACTED-');
+        });
+        it('should redact multiple secrets', () => {
+            const content = 'OpenAI: sk-abcdefghijklmnopqrstuvwxyz1234\nGitHub: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij';
+            const redacted = redactCredentials(content);
+            expect(redacted).not.toContain('sk-abcdefghijklmnopqrstuvwx');
+            expect(redacted).not.toContain('ghp_ABCDEFGHIJKLMNOPQR');
+            expect(redacted).toContain('[REDACTED-');
+        });
+        it('should return original content if no secrets found', () => {
+            const content = 'Just some normal text with no secrets';
+            const redacted = redactCredentials(content);
+            expect(redacted).toBe(content);
+        });
+        it('should show first/last 4 chars in match field for long secrets', () => {
+            const result = scanForCredentials('key is sk-abcdefghijklmnopqrstuvwxyz1234');
+            expect(result.findings.length).toBeGreaterThan(0);
+            const match = result.findings[0].match;
+            // Should look like "sk-a...1234" (first 4 + ... + last 4)
+            expect(match).toContain('...');
+        });
+        it('should redact private keys', () => {
+            const content = 'Here is my key:\n-----BEGIN RSA PRIVATE KEY-----\nMIIBogIBAAJBALRiMLAH\n-----END RSA PRIVATE KEY-----\nDone';
+            const redacted = redactCredentials(content);
+            expect(redacted).toContain('[REDACTED-private_key');
+            expect(redacted).not.toContain('MIIBogIBAAJBALRiMLAH');
+        });
+    });
+    // ── False Positive Handling ──
+    describe('False Positive Handling', () => {
+        it('should not trigger on common words starting with "sk-"', () => {
+            const texts = [
+                'I want to sk-ip this',
+                'Let me sk-etch it out',
+                'The sk-ill level is high',
+            ];
+            for (const text of texts) {
+                const result = scanForCredentials(text);
+                const apiKeyFindings = result.findings.filter(f => f.type === 'api_key' && f.provider === 'openai');
+                expect(apiKeyFindings).toHaveLength(0);
+            }
+        });
+        it('should not trigger on example/placeholder API keys in documentation', () => {
+            // Allow "sk-..." only when actually long enough to be a real key
+            const result = scanForCredentials('Example: sk-your-key-here');
+            // "sk-your-key-here" is only 16 chars; the minLength is 24
+            const openaiFindings = result.findings.filter(f => f.provider === 'openai');
+            expect(openaiFindings).toHaveLength(0);
+        });
+        it('should not flag CSS class names as high-entropy', () => {
+            const result = scanForCredentials('class="flex-items-center-justify-between-px-4"');
+            const entropyFindings = result.findings.filter(f => f.type === 'high_entropy');
+            expect(entropyFindings).toHaveLength(0);
+        });
+        it('should respect allowlist', () => {
+            const result = scanForCredentials('sk-abcdefghijklmnopqrstuvwxyz1234', { allowlist: ['sk-abcdefg'] });
+            expect(result.findings.filter(f => f.provider === 'openai')).toHaveLength(0);
+        });
+    });
+    // ── Config Options ──
+    describe('Configuration', () => {
+        it('should not scan when disabled', () => {
+            const result = scanForCredentials('sk-abcdefghijklmnopqrstuvwxyz1234', { enabled: false });
+            expect(result.leaked).toBe(false);
+            expect(result.findings).toHaveLength(0);
+        });
+        it('should warn instead of block when blockOnCritical is false', () => {
+            const result = scanForCredentials('sk-abcdefghijklmnopqrstuvwxyz1234', {
+                blockOnCritical: false,
+                blockOnHigh: false,
+            });
+            expect(result.leaked).toBe(true);
+            expect(result.findings[0].action).not.toBe('blocked');
+        });
+        it('should support custom patterns', () => {
+            const result = scanForCredentials('my-custom-secret-XYZ123ABC', {
+                customPatterns: [{
+                        name: 'Custom Secret',
+                        type: 'api_key',
+                        provider: 'custom',
+                        regex: /my-custom-secret-[A-Z0-9]+/g,
+                        severity: 'high',
+                        confidence: 0.90,
+                    }],
+            });
+            expect(result.leaked).toBe(true);
+            expect(result.findings.some(f => f.provider === 'custom')).toBe(true);
+        });
+    });
+    // ── Multiple Credentials in Single Content ──
+    describe('Multiple Credentials', () => {
+        it('should detect multiple different credential types', () => {
+            const content = `
+        OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz1234
+        DATABASE_URL=postgres://admin:password@db.example.com:5432/mydb
+        -----BEGIN RSA PRIVATE KEY-----
+        MIIBogIBAAJBALRiMLAHudeSA
+        -----END RSA PRIVATE KEY-----
+      `;
+            const result = scanForCredentials(content);
+            expect(result.leaked).toBe(true);
+            expect(result.findings.length).toBeGreaterThanOrEqual(3);
+            const types = result.findings.map(f => f.type);
+            expect(types).toContain('api_key');
+            expect(types).toContain('connection_string');
+            expect(types).toContain('private_key');
+        });
+    });
+    // ── Position Tracking ──
+    describe('Position Tracking', () => {
+        it('should report correct character offset positions', () => {
+            const prefix = 'prefix text ';
+            const content = `${prefix}sk-abcdefghijklmnopqrstuvwxyz1234`;
+            const result = scanForCredentials(content);
+            expect(result.findings.length).toBeGreaterThan(0);
+            expect(result.findings[0].position).toBe(prefix.length);
+        });
+    });
+});
+// ── Pipeline Integration ──
+describe('Pipeline Integration', () => {
+    beforeAll(() => {
+        initDatabase(':memory:');
+    });
+    afterAll(() => {
+        closeDatabase();
+    });
+    const testConfig = {
+        mode: 'balanced',
+        enableFragmentationDetection: false,
+        fragmentationWindowHours: 24,
+        trustThresholdForActions: 0.7,
+        autoQuarantineThreshold: 0.3,
+        flagThreshold: 0.5,
+        strictSourceMode: false,
+    };
+    it('should block content with critical credentials via pipeline', async () => {
+        const { runDefencePipeline } = await import('../pipeline.js');
+        const result = runDefencePipeline('Save this: my API key is sk-abcdefghijklmnopqrstuvwxyz1234', 'API key note', { type: 'agent', identifier: 'test-agent' }, testConfig);
+        expect(result.allowed).toBe(false);
+        expect(result.firewall.result).toBe('BLOCK');
+        expect(result.firewall.threatIndicators).toContain('credential_leak');
+    });
+    it('should include credentialScan in pipeline result when leaked', async () => {
+        const { runDefencePipeline } = await import('../pipeline.js');
+        const result = runDefencePipeline('postgres://admin:secret@db.host.com:5432/mydb', 'Database config', { type: 'cli', identifier: 'test' }, testConfig);
+        expect(result.credentialScan).toBeDefined();
+        expect(result.credentialScan.leaked).toBe(true);
+        expect(result.credentialScan.findings.length).toBeGreaterThan(0);
+    });
+    it('should not include credentialScan when no leaks found', async () => {
+        const { runDefencePipeline } = await import('../pipeline.js');
+        const result = runDefencePipeline('Just a normal note about architecture decisions', 'Meeting notes', { type: 'user', identifier: 'direct' }, testConfig);
+        expect(result.credentialScan).toBeUndefined();
+    });
+});
+//# sourceMappingURL=credential-leak.test.js.map

package/dist/defence/__tests__/credential-leak.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"credential-leak.test.js","sourceRoot":"","sources":["../../../src/defence/__tests__/credential-leak.test.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAEpG,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAGrE,0BAA0B;AAE1B,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IAEzC,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;QAC/B,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;YACvC,MAAM,MAAM,GAAG,kBAAkB,CAAC,6CAA6C,CAAC,CAAC;YACjF,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACxC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAChD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACnD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACrD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;YACjE,MAAM,MAAM,GAAG,kBAAkB,CAAC,4BAA4B,CAAC,CAAC;YAChE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sDAAsD,EAAE,GAAG,EAAE;YAC9D,MAAM,MAAM,GAAG,kBAAkB,CAAC,wBAAwB,CAAC,CAAC;YAC5D,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAClC,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;YAC9C,MAAM,MAAM,GAAG,kBAAkB,CAAC,kEAAkE,CAAC,CAAC;YACtG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACzE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,WAAW,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC3F,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,UAAU,EAAE,GAAG,EAAE;QACxB,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;YAC1C,MAAM,MAAM,GAAG,kBAAkB,CAAC,wCAAwC,CAAC,CAAC;YAC5E,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACrF,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;YAC9C,MAAM,MAAM,GAAG,kBAAkB,CAAC,gEAAgE,CAAC,CAAC;YACpG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;QAC7B,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;YAC5D,MAAM,MAAM,GAAG,kBAAkB,CAAC,iDAAiD,CAAC,CAAC;YACrF,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACxF,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;YAClD,MAAM,MAAM,GAAG,kBAAkB,CAAC,0CAA0C,CAAC,CAAC;YAC9E,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;YAChD,MAAM,MAAM,GAAG,kBAAkB,CAAC,qCAAqC,CAAC,CAAC;YACzE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;YACpD,uDAAuD;YACvD,MAAM,GAAG,GAAG,UAAU,GAAG,4BAA4B,CAAC;YACtD,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;YACvC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACxF,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;YAClD,MAAM,GAAG,GAAG,UAAU,GAAG,4BAA4B,CAAC;YACtD,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;YACvC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACtF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;YACrC,MAAM,MAAM,GAAG,kBAAkB,CAAC,mDAAmD,CAAC,CAAC;YACvF,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1E,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;YACvC,MAAM,MAAM,GAAG,kBAAkB,CAAC,6CAA6C,CAAC,CAAC;YACjF,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;YAClC,MAAM,MAAM,GAAG,kBAAkB,CAAC,2EAA2E,CAAC,CAAC;YAC/G,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;YACxC,uDAAuD;YACvD,MAAM,KAAK,GAAG,OAAO,GAAG,qCAAqC,CAAC;YAC9D,MAAM,MAAM,GAAG,kBAAkB,CAAC,mBAAmB,KAAK,EAAE,CAAC,CAAC;YAC9D,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,mBAAmB;IAEnB,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE;QAC1B,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;YAClC,MAAM,GAAG,GAAG,8GAA8G,CAAC;YAC3H,MAAM,MAAM,GAAG,kBAAkB,CAAC,yBAAyB,GAAG,EAAE,CAAC,CAAC;YAClE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,0BAA0B;IAE1B,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;QAC5B,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;YAC5C,MAAM,MAAM,GAAG,kBAAkB,CAAC,wDAAwD,CAAC,CAAC;YAC5F,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;YAC1C,MAAM,MAAM,GAAG,kBAAkB,CAAC,+CAA+C,CAAC,CAAC;YACnF,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,qBAAqB;IAErB,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;QAC5B,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;YACxC,MAAM,GAAG,GAAG,8FAA8F,CAAC;YAC3G,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;YACvC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACvE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACzF,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;YACvC,MAAM,GAAG,GAAG,iFAAiF,CAAC;YAC9F,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;YACvC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;YACxC,MAAM,GAAG,GAAG,yFAAyF,CAAC;YACtG,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;YACvC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;YAC5C,MAAM,GAAG,GAAG,2EAA2E,CAAC;YACxF,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;YACvC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,2BAA2B;IAE3B,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAClC,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;YACpE,MAAM,MAAM,GAAG,kBAAkB,CAAC,mEAAmE,CAAC,CAAC;YACvG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,mBAAmB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC7E,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,mBAAmB,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC/F,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;YAChD,MAAM,MAAM,GAAG,kBAAkB,CAAC,6CAA6C,CAAC,CAAC;YACjF,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;YAClD,MAAM,MAAM,GAAG,kBAAkB,CAAC,4DAA4D,CAAC,CAAC;YAChG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;YAChD,MAAM,MAAM,GAAG,kBAAkB,CAAC,mDAAmD,CAAC,CAAC;YACvF,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,sCAAsC;IAEtC,QAAQ,CAAC,8BAA8B,EAAE,GAAG,EAAE;QAC5C,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;YAC7C,MAAM,MAAM,GAAG,kBAAkB,CAAC,uCAAuC,CAAC,CAAC;YAC3E,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;YAC3C,MAAM,MAAM,GAAG,kBAAkB,CAAC,4CAA4C,CAAC,CAAC;YAChF,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;YAC1C,MAAM,MAAM,GAAG,kBAAkB,CAAC,oCAAoC,CAAC,CAAC;YACxE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;YAC5C,MAAM,MAAM,GAAG,kBAAkB,CAAC,sCAAsC,CAAC,CAAC;YAC1E,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;YAC5C,MAAM,MAAM,GAAG,kBAAkB,CAAC,gBAAgB,CAAC,CAAC;YACpD,4DAA4D;YAC5D,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC;YACzE,MAAM,CAAC,WAAW,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,4BAA4B;IAE5B,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;QAC/B,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;YAC1D,iDAAiD;YACjD,MAAM,CAAC,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC;YACrC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QAChC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;YAC1C,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;YAClD,MAAM,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;YAC/D,MAAM,UAAU,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;YAC/C,MAAM,WAAW,GAAG,cAAc,CAAC,kBAAkB,CAAC,CAAC;YACvD,MAAM,CAAC,WAAW,CAAC,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,+BAA+B;IAE/B,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;QACtC,EAAE,CAAC,iEAAiE,EAAE,GAAG,EAAE;YACzE,uCAAuC;YACvC,MAAM,MAAM,GAAG,kBAAkB,CAAC,wCAAwC,CAAC,CAAC;YAC5E,8CAA8C;YAC9C,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;YAC7C,MAAM,MAAM,GAAG,kBAAkB,CAAC,6CAA6C,CAAC,CAAC;YACjF,+CAA+C;YAC/C,MAAM,mBAAmB,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,cAAc,CAAC,CAAC;YACnF,MAAM,CAAC,mBAAmB,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,kBAAkB;IAElB,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE;QACzB,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;YACnD,MAAM,OAAO,GAAG,6CAA6C,CAAC;YAC9D,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;YAC5C,MAAM,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,mCAAmC,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;YACxC,MAAM,OAAO,GAAG,6FAA6F,CAAC;YAC9G,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;YAC5C,MAAM,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,6BAA6B,CAAC,CAAC;YAC9D,MAAM,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,wBAAwB,CAAC,CAAC;YACzD,MAAM,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;YAC5D,MAAM,OAAO,GAAG,uCAAuC,CAAC;YACxD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;YAC5C,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gEAAgE,EAAE,GAAG,EAAE;YACxE,MAAM,MAAM,GAAG,kBAAkB,CAAC,0CAA0C,CAAC,CAAC;YAC9E,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAClD,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;YACvC,0DAA0D;YAC1D,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;YACpC,MAAM,OAAO,GAAG,6GAA6G,CAAC;YAC9H,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;YAC5C,MAAM,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,uBAAuB,CAAC,CAAC;YACpD,MAAM,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,gCAAgC;IAEhC,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACvC,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;YAChE,MAAM,KAAK,GAAG;gBACZ,sBAAsB;gBACtB,uBAAuB;gBACvB,0BAA0B;aAC3B,CAAC;YACF,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,MAAM,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;gBACxC,MAAM,cAAc,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;gBACpG,MAAM,CAAC,cAAc,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACzC,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qEAAqE,EAAE,GAAG,EAAE;YAC7E,iEAAiE;YACjE,MAAM,MAAM,GAAG,kBAAkB,CAAC,2BAA2B,CAAC,CAAC;YAC/D,2DAA2D;YAC3D,MAAM,cAAc,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;YAC5E,MAAM,CAAC,cAAc,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;YACzD,MAAM,MAAM,GAAG,kBAAkB,CAAC,gDAAgD,CAAC,CAAC;YACpF,MAAM,eAAe,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,cAAc,CAAC,CAAC;YAC/E,MAAM,CAAC,eAAe,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;YAClC,MAAM,MAAM,GAAG,kBAAkB,CAC/B,mCAAmC,EACnC,EAAE,SAAS,EAAE,CAAC,YAAY,CAAC,EAAE,CAC9B,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC/E,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,uBAAuB;IAEvB,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;QAC7B,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;YACvC,MAAM,MAAM,GAAG,kBAAkB,CAAC,mCAAmC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;YAC3F,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;YACpE,MAAM,MAAM,GAAG,kBAAkB,CAAC,mCAAmC,EAAE;gBACrE,eAAe,EAAE,KAAK;gBACtB,WAAW,EAAE,KAAK;aACnB,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;YACxC,MAAM,MAAM,GAAG,kBAAkB,CAAC,4BAA4B,EAAE;gBAC9D,cAAc,EAAE,CAAC;wBACf,IAAI,EAAE,eAAe;wBACrB,IAAI,EAAE,SAAS;wBACf,QAAQ,EAAE,QAAQ;wBAClB,KAAK,EAAE,6BAA6B;wBACpC,QAAQ,EAAE,MAAM;wBAChB,UAAU,EAAE,IAAI;qBACjB,CAAC;aACH,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,+CAA+C;IAE/C,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;QACpC,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;YAC3D,MAAM,OAAO,GAAG;;;;;;OAMf,CAAC;YACF,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;YAEzD,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAC/C,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YACnC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;YAC7C,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QACzC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,0BAA0B;IAE1B,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;QACjC,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;YAC1D,MAAM,MAAM,GAAG,cAAc,CAAC;YAC9B,MAAM,OAAO,GAAG,GAAG,MAAM,mCAAmC,CAAC;YAC7D,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAClD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC1D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,6BAA6B;AAE7B,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,SAAS,CAAC,GAAG,EAAE;QACb,YAAY,CAAC,UAAU,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,GAAG,EAAE;QACZ,aAAa,EAAE,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,MAAM,UAAU,GAAkB;QAChC,IAAI,EAAE,UAAU;QAChB,4BAA4B,EAAE,KAAK;QACnC,wBAAwB,EAAE,EAAE;QAC5B,wBAAwB,EAAE,GAAG;QAC7B,uBAAuB,EAAE,GAAG;QAC5B,aAAa,EAAE,GAAG;QAClB,gBAAgB,EAAE,KAAK;KACxB,CAAC;IAEF,EAAE,CAAC,6DAA6D,EAAE,KAAK,IAAI,EAAE;QAC3E,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,kBAAkB,CAC/B,4DAA4D,EAC5D,cAAc,EACd,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,EAC3C,UAAU,CACX,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC7C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;QAC5E,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,kBAAkB,CAC/B,+CAA+C,EAC/C,iBAAiB,EACjB,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,EACnC,UAAU,CACX,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,WAAW,EAAE,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,cAAe,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjD,MAAM,CAAC,MAAM,CAAC,cAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACrE,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,kBAAkB,CAC/B,iDAAiD,EACjD,eAAe,EACf,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,EACtC,UAAU,CACX,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,aAAa,EAAE,CAAC;IAChD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/defence/credential-leak/entropy.d.ts ADDED Viewed

@@ -0,0 +1,42 @@
+/**
+ * Credential Leak Detection — Entropy Analysis
+ *
+ * Shannon entropy calculation for detecting high-entropy strings
+ * that look like secrets (random tokens, keys, passwords).
+ */
+/**
+ * Calculate Shannon entropy of a string (bits per character).
+ * Higher entropy = more random/unpredictable.
+ *
+ * Reference values:
+ * - English text: ~3.5-4.0
+ * - Base64 encoded: ~5.0-5.5
+ * - Random hex: ~3.5-4.0
+ * - Random alphanumeric: ~5.5-5.9
+ * - Crypto keys: ~5.5-6.0+
+ */
+export declare function shannonEntropy(str: string): number;
+/** Minimum string length for entropy-based detection */
+export declare const MIN_ENTROPY_LENGTH = 20;
+/** Entropy threshold — strings above this are flagged */
+export declare const ENTROPY_THRESHOLD = 4.5;
+/**
+ * Check if a string looks like a high-entropy secret.
+ * Returns confidence score (0-1) or null if not suspicious.
+ */
+export declare function checkHighEntropy(str: string): {
+    entropy: number;
+    confidence: number;
+} | null;
+/**
+ * Extract candidate high-entropy tokens from content.
+ * Looks for long contiguous alphanumeric+special strings
+ * that could be secrets.
+ */
+export declare function extractHighEntropyTokens(content: string): Array<{
+    token: string;
+    position: number;
+    entropy: number;
+    confidence: number;
+}>;
+//# sourceMappingURL=entropy.d.ts.map

package/dist/defence/credential-leak/entropy.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"entropy.d.ts","sourceRoot":"","sources":["../../../src/defence/credential-leak/entropy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;;;;;;GAUG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAgBlD;AAED,wDAAwD;AACxD,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC,yDAAyD;AACzD,eAAO,MAAM,iBAAiB,MAAM,CAAC;AAErC;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAW5F;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,MAAM,GACd,KAAK,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC,CA2BjF"}

package/dist/defence/credential-leak/entropy.js ADDED Viewed

@@ -0,0 +1,105 @@
+/**
+ * Credential Leak Detection — Entropy Analysis
+ *
+ * Shannon entropy calculation for detecting high-entropy strings
+ * that look like secrets (random tokens, keys, passwords).
+ */
+/**
+ * Calculate Shannon entropy of a string (bits per character).
+ * Higher entropy = more random/unpredictable.
+ *
+ * Reference values:
+ * - English text: ~3.5-4.0
+ * - Base64 encoded: ~5.0-5.5
+ * - Random hex: ~3.5-4.0
+ * - Random alphanumeric: ~5.5-5.9
+ * - Crypto keys: ~5.5-6.0+
+ */
+export function shannonEntropy(str) {
+    if (str.length === 0)
+        return 0;
+    const freq = new Map();
+    for (const ch of str) {
+        freq.set(ch, (freq.get(ch) ?? 0) + 1);
+    }
+    let entropy = 0;
+    const len = str.length;
+    for (const count of freq.values()) {
+        const p = count / len;
+        entropy -= p * Math.log2(p);
+    }
+    return entropy;
+}
+/** Minimum string length for entropy-based detection */
+export const MIN_ENTROPY_LENGTH = 20;
+/** Entropy threshold — strings above this are flagged */
+export const ENTROPY_THRESHOLD = 4.5;
+/**
+ * Check if a string looks like a high-entropy secret.
+ * Returns confidence score (0-1) or null if not suspicious.
+ */
+export function checkHighEntropy(str) {
+    if (str.length < MIN_ENTROPY_LENGTH)
+        return null;
+    const entropy = shannonEntropy(str);
+    if (entropy < ENTROPY_THRESHOLD)
+        return null;
+    // Confidence scales with entropy above threshold
+    // 4.5 → 0.50, 5.0 → 0.65, 5.5 → 0.80, 6.0 → 0.95
+    const confidence = Math.min(0.95, 0.50 + (entropy - ENTROPY_THRESHOLD) * 0.30);
+    return { entropy, confidence };
+}
+/**
+ * Extract candidate high-entropy tokens from content.
+ * Looks for long contiguous alphanumeric+special strings
+ * that could be secrets.
+ */
+export function extractHighEntropyTokens(content) {
+    // Match long strings of alphanumeric + common secret chars
+    const tokenRegex = /[A-Za-z0-9\-_./+=]{20,}/g;
+    const results = [];
+    const seen = new Set();
+    let match;
+    while ((match = tokenRegex.exec(content)) !== null) {
+        const token = match[0];
+        if (seen.has(token))
+            continue;
+        seen.add(token);
+        // Skip common false positives
+        if (isLikelyFalsePositive(token))
+            continue;
+        const result = checkHighEntropy(token);
+        if (result) {
+            results.push({
+                token,
+                position: match.index,
+                entropy: result.entropy,
+                confidence: result.confidence,
+            });
+        }
+    }
+    return results;
+}
+/**
+ * Heuristic filter to reduce false positives from entropy detection.
+ */
+function isLikelyFalsePositive(token) {
+    // Pure lowercase with dashes — likely a slug or CSS class
+    if (/^[a-z\-]+$/.test(token))
+        return true;
+    // Looks like a file path
+    if (token.includes('/') && !token.includes('//') && /\.[a-z]{2,4}$/i.test(token))
+        return true;
+    // Repeated character sequences (aaaaaaa...)
+    if (/^(.)\1{10,}$/.test(token))
+        return true;
+    // Common base64 padding pattern (just padding)
+    if (/^=+$/.test(token) || /^[A-Za-z0-9+/]*={3,}$/.test(token))
+        return true;
+    // Long runs of a single character class with low variety
+    const uniqueChars = new Set(token).size;
+    if (uniqueChars < 6 && token.length > 20)
+        return true;
+    return false;
+}
+//# sourceMappingURL=entropy.js.map

package/dist/defence/credential-leak/entropy.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"entropy.js","sourceRoot":"","sources":["../../../src/defence/credential-leak/entropy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;;;;;;GAUG;AACH,MAAM,UAAU,cAAc,CAAC,GAAW;IACxC,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAE/B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACxC,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IACvB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;QACtB,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,wDAAwD;AACxD,MAAM,CAAC,MAAM,kBAAkB,GAAG,EAAE,CAAC;AAErC,yDAAyD;AACzD,MAAM,CAAC,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAErC;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,IAAI,GAAG,CAAC,MAAM,GAAG,kBAAkB;QAAE,OAAO,IAAI,CAAC;IAEjD,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,OAAO,GAAG,iBAAiB;QAAE,OAAO,IAAI,CAAC;IAE7C,iDAAiD;IACjD,iDAAiD;IACjD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,GAAG,CAAC,OAAO,GAAG,iBAAiB,CAAC,GAAG,IAAI,CAAC,CAAC;IAE/E,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC;AACjC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,wBAAwB,CACtC,OAAe;IAEf,2DAA2D;IAC3D,MAAM,UAAU,GAAG,0BAA0B,CAAC;IAC9C,MAAM,OAAO,GAAoF,EAAE,CAAC;IACpG,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,IAAI,KAA6B,CAAC;IAClC,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACnD,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACvB,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;YAAE,SAAS;QAC9B,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAEhB,8BAA8B;QAC9B,IAAI,qBAAqB,CAAC,KAAK,CAAC;YAAE,SAAS;QAE3C,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACvC,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,CAAC,IAAI,CAAC;gBACX,KAAK;gBACL,QAAQ,EAAE,KAAK,CAAC,KAAK;gBACrB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,UAAU,EAAE,MAAM,CAAC,UAAU;aAC9B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,KAAa;IAC1C,0DAA0D;IAC1D,IAAI,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAE1C,yBAAyB;IACzB,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAE9F,4CAA4C;IAC5C,IAAI,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAE5C,+CAA+C;IAC/C,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAE3E,yDAAyD;IACzD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC;IACxC,IAAI,WAAW,GAAG,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,IAAI,CAAC;IAEtD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/defence/credential-leak/index.d.ts ADDED Viewed

@@ -0,0 +1,54 @@
+/**
+ * Credential Leak Detection — Layer 6
+ *
+ * Detects credentials, secrets, and sensitive tokens accidentally
+ * persisted in AI agent memory writes. Supports known API key formats,
+ * generic secrets, private keys, connection strings, environment
+ * variable patterns, and high-entropy string heuristics.
+ */
+import { type CredentialPattern, type CredentialType, type CredentialSeverity } from './patterns.js';
+export interface CredentialFinding {
+    type: CredentialType;
+    provider?: string;
+    confidence: number;
+    severity: CredentialSeverity;
+    /** Redacted version showing first/last 4 chars */
+    match: string;
+    /** Char offset in content */
+    position: number;
+    action: 'blocked' | 'warned' | 'logged';
+}
+export interface CredentialScanResult {
+    leaked: boolean;
+    findings: CredentialFinding[];
+    redactedContent?: string;
+}
+export interface CredentialDetectionConfig {
+    enabled: boolean;
+    blockOnCritical: boolean;
+    blockOnHigh: boolean;
+    warnOnMedium: boolean;
+    customPatterns: CredentialPattern[];
+    allowlist: string[];
+}
+export declare const DEFAULT_CREDENTIAL_CONFIG: CredentialDetectionConfig;
+/**
+ * Scan content for credential leaks.
+ *
+ * Checks known API key formats, generic secrets, private keys,
+ * connection strings, env variable patterns, and high-entropy strings.
+ *
+ * @param content - The text content to scan
+ * @param config - Optional credential detection configuration
+ * @returns Scan result with findings and optional redacted content
+ */
+export declare function scanForCredentials(content: string, config?: Partial<CredentialDetectionConfig>): CredentialScanResult;
+/**
+ * Replace all detected secrets in content with [REDACTED-{type}] placeholders.
+ * Useful for agents that want to store memory but strip the secrets.
+ */
+export declare function redactCredentials(content: string, config?: Partial<CredentialDetectionConfig>): string;
+export type { CredentialPattern, CredentialType, CredentialSeverity } from './patterns.js';
+export { shannonEntropy, checkHighEntropy } from './entropy.js';
+export { ALL_CREDENTIAL_PATTERNS } from './patterns.js';
+//# sourceMappingURL=index.d.ts.map