supasec 1.0.0

package/dist/scanners/secrets/detector.js

@@ -0,0 +1,251 @@
+"use strict";
+/**
+ * Secrets Detector
+ * Main scanner module for detecting exposed secrets in frontend bundles
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanForSecrets = scanForSecrets;
+exports.scanJavaScriptBundle = scanJavaScriptBundle;
+exports.scanHTML = scanHTML;
+exports.scanSourceMap = scanSourceMap;
+const finding_js_1 = require("../../models/finding.js");
+const patterns_js_1 = require("./patterns.js");
+/**
+ * Scan content for exposed secrets
+ */
+async function scanForSecrets(options) {
+    const startTime = Date.now();
+    const findings = [];
+    let findingCounter = 1;
+    // Detect all secrets
+    const detected = (0, patterns_js_1.detectSecrets)(options.content, patterns_js_1.allPatterns);
+    for (const secret of detected) {
+        const finding = createFindingFromSecret(secret, options, findingCounter++);
+        if (finding) {
+            findings.push(finding);
+        }
+    }
+    const scanDurationMs = Date.now() - startTime;
+    return {
+        findings,
+        scannedBytes: options.content.length,
+        scanDurationMs
+    };
+}
+/**
+ * Create a Finding from a detected secret
+ */
+function createFindingFromSecret(secret, options, counter) {
+    const severity = mapSeverity(secret.pattern.severity);
+    const category = 'secrets';
+    // Skip INFO level findings for secrets
+    if (severity === 'INFO') {
+        return null;
+    }
+    const findingId = (0, finding_js_1.generateFindingId)(category, counter);
+    return {
+        finding_id: findingId,
+        timestamp: new Date().toISOString(),
+        severity,
+        category,
+        subcategory: secret.pattern.category,
+        title: `${secret.pattern.name} Exposed`,
+        description: `Found ${secret.pattern.name.toLowerCase()} in ${options.sourceType} content. ${secret.pattern.description}`,
+        location: {
+            file: options.sourceUrl,
+            line: secret.line,
+            column: secret.column
+        },
+        evidence: {
+            code_snippet: secret.match,
+            matched_pattern: secret.pattern.name,
+            sample_data: {
+                masked: secret.masked
+            }
+        },
+        impact: {
+            severity_score: severity === 'CRITICAL' ? 10.0 : severity === 'HIGH' ? 8.0 : 5.0,
+            description: getImpactDescription(secret.pattern.category),
+            affected_resources: ['application', 'database', 'api'],
+            compliance_violations: getComplianceViolations(secret.pattern.category)
+        },
+        remediation: {
+            summary: `Remove ${secret.pattern.name.toLowerCase()} from client-side code`,
+            priority: severity === 'CRITICAL' ? 'IMMEDIATE' : 'HIGH',
+            effort: 'LOW',
+            steps: getRemediationSteps(secret.pattern.category),
+            auto_fixable: false
+        },
+        references: getReferences(secret.pattern.category),
+        false_positive_likelihood: 'LOW',
+        confidence: 0.95
+    };
+}
+/**
+ * Map pattern severity to Finding severity
+ */
+function mapSeverity(patternSeverity) {
+    switch (patternSeverity) {
+        case 'CRITICAL':
+            return 'CRITICAL';
+        case 'HIGH':
+            return 'HIGH';
+        case 'MEDIUM':
+            return 'MEDIUM';
+        default:
+            return 'INFO';
+    }
+}
+/**
+ * Get impact description based on category
+ */
+function getImpactDescription(category) {
+    const descriptions = {
+        supabase: 'Complete database access - attacker can read, write, and delete all data',
+        payment: 'Financial data exposure - potential fraud and unauthorized transactions',
+        ai: 'API abuse and quota exhaustion - potential for unauthorized AI usage',
+        vcs: 'Source code access - potential for supply chain attacks',
+        cloud: 'Cloud infrastructure access - potential for data breaches and resource abuse',
+        email: 'Email service abuse - potential for spam and phishing',
+        sms: 'SMS service abuse - potential for fraud and high costs',
+        messaging: 'Messaging platform abuse - potential for data leaks',
+        generic: 'Unauthorized API access - potential for data breaches',
+        crypto: 'Cryptographic key exposure - complete security compromise',
+        auth: 'Authentication token exposure - unauthorized access to user accounts',
+        config: 'Configuration secret exposure - potential for system compromise'
+    };
+    return descriptions[category] || 'Potential unauthorized access to sensitive resources';
+}
+/**
+ * Get compliance violations based on category
+ */
+function getComplianceViolations(category) {
+    const violations = {
+        supabase: ['SOC2-CC6.1', 'GDPR-Article-32'],
+        payment: ['PCI-DSS-3.2', 'SOC2-CC6.1'],
+        ai: ['SOC2-CC6.1'],
+        vcs: ['SOC2-CC6.1'],
+        cloud: ['SOC2-CC6.1', 'GDPR-Article-32'],
+        email: ['SOC2-CC6.1'],
+        sms: ['SOC2-CC6.1'],
+        messaging: ['SOC2-CC6.1'],
+        generic: ['SOC2-CC6.1'],
+        crypto: ['SOC2-CC6.1', 'GDPR-Article-32', 'FIPS-140-2'],
+        auth: ['SOC2-CC6.1', 'OWASP-A02-2021'],
+        config: ['SOC2-CC6.1']
+    };
+    return violations[category] || ['SOC2-CC6.1'];
+}
+/**
+ * Get remediation steps based on category
+ */
+function getRemediationSteps(category) {
+    const commonSteps = [
+        {
+            order: 1,
+            action: 'Remove the exposed secret from client-side code immediately',
+            code: '// Remove hardcoded key\nconst supabaseKey = process.env.SUPABASE_KEY;'
+        },
+        {
+            order: 2,
+            action: 'Move the secret to environment variables on the server',
+            command: 'export API_KEY=your_key_here'
+        },
+        {
+            order: 3,
+            action: 'Regenerate the exposed secret to invalidate the compromised key',
+            command: 'Regenerate in service dashboard'
+        },
+        {
+            order: 4,
+            action: 'Use only the anon/public key in frontend code',
+            code: 'const supabase = createClient(url, process.env.SUPABASE_ANON_KEY)'
+        }
+    ];
+    if (category === 'supabase') {
+        return [
+            {
+                order: 1,
+                action: 'Regenerate the service_role key in Supabase dashboard',
+                command: 'Dashboard > Settings > API > Regenerate service_role key'
+            },
+            {
+                order: 2,
+                action: 'Move service_role key to backend environment variables only',
+                code: '// Server-side only\nconst supabase = createClient(url, process.env.SUPABASE_SERVICE_ROLE_KEY)'
+            },
+            {
+                order: 3,
+                action: 'Use anon key for client-side operations',
+                code: '// Client-side\nconst supabase = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY)'
+            },
+            {
+                order: 4,
+                action: 'Review database access logs for unauthorized access'
+            }
+        ];
+    }
+    return commonSteps;
+}
+/**
+ * Get reference links based on category
+ */
+function getReferences(category) {
+    const references = {
+        supabase: [
+            { title: 'Supabase API Keys Documentation', url: 'https://supabase.com/docs/guides/api#api-keys' },
+            { title: 'CWE-798: Use of Hard-coded Credentials', url: 'https://cwe.mitre.org/data/definitions/798.html' }
+        ],
+        payment: [
+            { title: 'Stripe Security Best Practices', url: 'https://stripe.com/docs/security' },
+            { title: 'PCI DSS Requirements', url: 'https://www.pcisecuritystandards.org/' }
+        ],
+        ai: [
+            { title: 'OpenAI API Security', url: 'https://platform.openai.com/docs/guides/safety-best-practices' }
+        ],
+        cloud: [
+            { title: 'AWS Security Best Practices', url: 'https://docs.aws.amazon.com/security/' }
+        ],
+        crypto: [
+            { title: 'OWASP Cryptographic Storage Cheat Sheet', url: 'https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html' }
+        ],
+        auth: [
+            { title: 'OWASP Authentication Cheat Sheet', url: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html' }
+        ]
+    };
+    return references[category] || [
+        { title: 'OWASP Secrets Management Cheat Sheet', url: 'https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html' },
+        { title: 'CWE-798: Use of Hard-coded Credentials', url: 'https://cwe.mitre.org/data/definitions/798.html' }
+    ];
+}
+/**
+ * Scan JavaScript bundle for secrets
+ */
+async function scanJavaScriptBundle(jsContent, url) {
+    return scanForSecrets({
+        content: jsContent,
+        sourceUrl: url,
+        sourceType: 'javascript'
+    });
+}
+/**
+ * Scan HTML content for secrets
+ */
+async function scanHTML(htmlContent, url) {
+    return scanForSecrets({
+        content: htmlContent,
+        sourceUrl: url,
+        sourceType: 'html'
+    });
+}
+/**
+ * Scan source map for secrets
+ */
+async function scanSourceMap(sourceMapContent, url) {
+    return scanForSecrets({
+        content: sourceMapContent,
+        sourceUrl: url,
+        sourceType: 'sourcemap'
+    });
+}
+//# sourceMappingURL=detector.js.map

package/dist/scanners/secrets/detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"detector.js","sourceRoot":"","sources":["../../../src/scanners/secrets/detector.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAoBH,wCAsBC;AAiND,oDAMC;AAKD,4BAMC;AAKD,sCAMC;AArRD,wDAAyF;AACzF,+CAA2E;AAc3E;;GAEG;AACI,KAAK,UAAU,cAAc,CAAC,OAA2B;IAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,cAAc,GAAG,CAAC,CAAC;IAEvB,qBAAqB;IACrB,MAAM,QAAQ,GAAG,IAAA,2BAAa,EAAC,OAAO,CAAC,OAAO,EAAE,yBAAW,CAAC,CAAC;IAE7D,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,MAAM,OAAO,GAAG,uBAAuB,CAAC,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,CAAC,CAAC;QAC3E,IAAI,OAAO,EAAE,CAAC;YACZ,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAED,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;IAE9C,OAAO;QACL,QAAQ;QACR,YAAY,EAAE,OAAO,CAAC,OAAO,CAAC,MAAM;QACpC,cAAc;KACf,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAC9B,MAAsB,EACtB,OAA2B,EAC3B,OAAe;IAEf,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAa,SAAS,CAAC;IAErC,uCAAuC;IACvC,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,SAAS,GAAG,IAAA,8BAAiB,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAEvD,OAAO;QACL,UAAU,EAAE,SAAS;QACrB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ;QACR,QAAQ;QACR,WAAW,EAAE,MAAM,CAAC,OAAO,CAAC,QAAQ;QACpC,KAAK,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,UAAU;QACvC,WAAW,EAAE,SAAS,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,OAAO,CAAC,UAAU,aAAa,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE;QACzH,QAAQ,EAAE;YACR,IAAI,EAAE,OAAO,CAAC,SAAS;YACvB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,MAAM,EAAE,MAAM,CAAC,MAAM;SACtB;QACD,QAAQ,EAAE;YACR,YAAY,EAAE,MAAM,CAAC,KAAK;YAC1B,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI;YACpC,WAAW,EAAE;gBACX,MAAM,EAAE,MAAM,CAAC,MAAM;aACtB;SACF;QACD,MAAM,EAAE;YACN,cAAc,EAAE,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG;YAChF,WAAW,EAAE,oBAAoB,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC;YAC1D,kBAAkB,EAAE,CAAC,aAAa,EAAE,UAAU,EAAE,KAAK,CAAC;YACtD,qBAAqB,EAAE,uBAAuB,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC;SACxE;QACD,WAAW,EAAE;YACX,OAAO,EAAE,UAAU,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,wBAAwB;YAC5E,QAAQ,EAAE,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM;YACxD,MAAM,EAAE,KAAK;YACb,KAAK,EAAE,mBAAmB,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC;YACnD,YAAY,EAAE,KAAK;SACpB;QACD,UAAU,EAAE,aAAa,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC;QAClD,yBAAyB,EAAE,KAAK;QAChC,UAAU,EAAE,IAAI;KACjB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,eAAuB;IAC1C,QAAQ,eAAe,EAAE,CAAC;QACxB,KAAK,UAAU;YACb,OAAO,UAAU,CAAC;QACpB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB;YACE,OAAO,MAAM,CAAC;IAClB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,QAAgB;IAC5C,MAAM,YAAY,GAA2B;QAC3C,QAAQ,EAAE,0EAA0E;QACpF,OAAO,EAAE,yEAAyE;QAClF,EAAE,EAAE,sEAAsE;QAC1E,GAAG,EAAE,yDAAyD;QAC9D,KAAK,EAAE,8EAA8E;QACrF,KAAK,EAAE,uDAAuD;QAC9D,GAAG,EAAE,wDAAwD;QAC7D,SAAS,EAAE,qDAAqD;QAChE,OAAO,EAAE,uDAAuD;QAChE,MAAM,EAAE,2DAA2D;QACnE,IAAI,EAAE,sEAAsE;QAC5E,MAAM,EAAE,iEAAiE;KAC1E,CAAC;IAEF,OAAO,YAAY,CAAC,QAAQ,CAAC,IAAI,sDAAsD,CAAC;AAC1F,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,QAAgB;IAC/C,MAAM,UAAU,GAA6B;QAC3C,QAAQ,EAAE,CAAC,YAAY,EAAE,iBAAiB,CAAC;QAC3C,OAAO,EAAE,CAAC,aAAa,EAAE,YAAY,CAAC;QACtC,EAAE,EAAE,CAAC,YAAY,CAAC;QAClB,GAAG,EAAE,CAAC,YAAY,CAAC;QACnB,KAAK,EAAE,CAAC,YAAY,EAAE,iBAAiB,CAAC;QACxC,KAAK,EAAE,CAAC,YAAY,CAAC;QACrB,GAAG,EAAE,CAAC,YAAY,CAAC;QACnB,SAAS,EAAE,CAAC,YAAY,CAAC;QACzB,OAAO,EAAE,CAAC,YAAY,CAAC;QACvB,MAAM,EAAE,CAAC,YAAY,EAAE,iBAAiB,EAAE,YAAY,CAAC;QACvD,IAAI,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;QACtC,MAAM,EAAE,CAAC,YAAY,CAAC;KACvB,CAAC;IAEF,OAAO,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,QAAgB;IAC3C,MAAM,WAAW,GAAG;QAClB;YACE,KAAK,EAAE,CAAC;YACR,MAAM,EAAE,6DAA6D;YACrE,IAAI,EAAE,wEAAwE;SAC/E;QACD;YACE,KAAK,EAAE,CAAC;YACR,MAAM,EAAE,wDAAwD;YAChE,OAAO,EAAE,8BAA8B;SACxC;QACD;YACE,KAAK,EAAE,CAAC;YACR,MAAM,EAAE,iEAAiE;YACzE,OAAO,EAAE,iCAAiC;SAC3C;QACD;YACE,KAAK,EAAE,CAAC;YACR,MAAM,EAAE,+CAA+C;YACvD,IAAI,EAAE,mEAAmE;SAC1E;KACF,CAAC;IAEF,IAAI,QAAQ,KAAK,UAAU,EAAE,CAAC;QAC5B,OAAO;YACL;gBACE,KAAK,EAAE,CAAC;gBACR,MAAM,EAAE,uDAAuD;gBAC/D,OAAO,EAAE,0DAA0D;aACpE;YACD;gBACE,KAAK,EAAE,CAAC;gBACR,MAAM,EAAE,6DAA6D;gBACrE,IAAI,EAAE,gGAAgG;aACvG;YACD;gBACE,KAAK,EAAE,CAAC;gBACR,MAAM,EAAE,yCAAyC;gBACjD,IAAI,EAAE,+FAA+F;aACtG;YACD;gBACE,KAAK,EAAE,CAAC;gBACR,MAAM,EAAE,qDAAqD;aAC9D;SACF,CAAC;IACJ,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,QAAgB;IACrC,MAAM,UAAU,GAA0D;QACxE,QAAQ,EAAE;YACR,EAAE,KAAK,EAAE,iCAAiC,EAAE,GAAG,EAAE,+CAA+C,EAAE;YAClG,EAAE,KAAK,EAAE,wCAAwC,EAAE,GAAG,EAAE,iDAAiD,EAAE;SAC5G;QACD,OAAO,EAAE;YACP,EAAE,KAAK,EAAE,gCAAgC,EAAE,GAAG,EAAE,kCAAkC,EAAE;YACpF,EAAE,KAAK,EAAE,sBAAsB,EAAE,GAAG,EAAE,uCAAuC,EAAE;SAChF;QACD,EAAE,EAAE;YACF,EAAE,KAAK,EAAE,qBAAqB,EAAE,GAAG,EAAE,+DAA+D,EAAE;SACvG;QACD,KAAK,EAAE;YACL,EAAE,KAAK,EAAE,6BAA6B,EAAE,GAAG,EAAE,uCAAuC,EAAE;SACvF;QACD,MAAM,EAAE;YACN,EAAE,KAAK,EAAE,yCAAyC,EAAE,GAAG,EAAE,uFAAuF,EAAE;SACnJ;QACD,IAAI,EAAE;YACJ,EAAE,KAAK,EAAE,kCAAkC,EAAE,GAAG,EAAE,gFAAgF,EAAE;SACrI;KACF,CAAC;IAEF,OAAO,UAAU,CAAC,QAAQ,CAAC,IAAI;QAC7B,EAAE,KAAK,EAAE,sCAAsC,EAAE,GAAG,EAAE,oFAAoF,EAAE;QAC5I,EAAE,KAAK,EAAE,wCAAwC,EAAE,GAAG,EAAE,iDAAiD,EAAE;KAC5G,CAAC;AACJ,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,oBAAoB,CAAC,SAAiB,EAAE,GAAW;IACvE,OAAO,cAAc,CAAC;QACpB,OAAO,EAAE,SAAS;QAClB,SAAS,EAAE,GAAG;QACd,UAAU,EAAE,YAAY;KACzB,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,QAAQ,CAAC,WAAmB,EAAE,GAAW;IAC7D,OAAO,cAAc,CAAC;QACpB,OAAO,EAAE,WAAW;QACpB,SAAS,EAAE,GAAG;QACd,UAAU,EAAE,MAAM;KACnB,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,aAAa,CAAC,gBAAwB,EAAE,GAAW;IACvE,OAAO,cAAc,CAAC;QACpB,OAAO,EAAE,gBAAgB;QACzB,SAAS,EAAE,GAAG;QACd,UAAU,EAAE,WAAW;KACxB,CAAC,CAAC;AACL,CAAC"}

package/dist/scanners/secrets/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Secrets Scanner Module
+ * Export all secrets detection functionality
+ */
+export * from './patterns.js';
+export * from './detector.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/secrets/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/secrets/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,eAAe,CAAC;AAC9B,cAAc,eAAe,CAAC"}

package/dist/scanners/secrets/index.js

@@ -0,0 +1,23 @@
+"use strict";
+/**
+ * Secrets Scanner Module
+ * Export all secrets detection functionality
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./patterns.js"), exports);
+__exportStar(require("./detector.js"), exports);
+//# sourceMappingURL=index.js.map

package/dist/scanners/secrets/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/scanners/secrets/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;AAEH,gDAA8B;AAC9B,gDAA8B"}

package/dist/scanners/secrets/patterns.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Secret Detection Patterns
+ * Regex patterns and detection logic for various secrets
+ */
+export interface SecretPattern {
+    name: string;
+    pattern: RegExp;
+    severity: 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'INFO';
+    category: string;
+    description: string;
+    validator?: (match: string) => boolean;
+}
+/**
+ * Supabase-specific patterns
+ */
+export declare const supabasePatterns: SecretPattern[];
+/**
+ * Third-party API key patterns
+ */
+export declare const apiKeyPatterns: SecretPattern[];
+/**
+ * Generic secret patterns
+ */
+export declare const genericPatterns: SecretPattern[];
+/**
+ * Environment variable patterns (for .env files)
+ */
+export declare const envPatterns: SecretPattern[];
+/**
+ * All patterns combined
+ */
+export declare const allPatterns: SecretPattern[];
+/**
+ * Calculate Shannon entropy of a string
+ * Used to detect high-entropy strings that might be secrets
+ */
+export declare function calculateEntropy(str: string): number;
+/**
+ * Check if a string has high entropy (likely a secret)
+ */
+export declare function hasHighEntropy(str: string, threshold?: number): boolean;
+/**
+ * Mask a secret for display
+ */
+export declare function maskSecret(secret: string, visibleChars?: number): string;
+/**
+ * Detect secrets in text content
+ */
+export interface DetectedSecret {
+    pattern: SecretPattern;
+    match: string;
+    line: number;
+    column: number;
+    masked: string;
+}
+export declare function detectSecrets(content: string, patterns?: SecretPattern[]): DetectedSecret[];
+//# sourceMappingURL=patterns.d.ts.map

package/dist/scanners/secrets/patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/scanners/secrets/patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,MAAM,CAAC;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;CACxC;AAED;;GAEG;AACH,eAAO,MAAM,gBAAgB,EAAE,aAAa,EAwD3C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,cAAc,EAAE,aAAa,EAuEzC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EAoC1C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,WAAW,EAAE,aAAa,EAQtC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,WAAW,EAAE,aAAa,EAKtC,CAAC;AAEF;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAgBpD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,GAAE,MAAY,GAAG,OAAO,CAE5E;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,GAAE,MAAU,GAAG,MAAM,CAU3E;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,aAAa,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,GAAE,aAAa,EAAgB,GAAG,cAAc,EAAE,CA4CxG"}

package/dist/scanners/secrets/patterns.js

@@ -0,0 +1,285 @@
+"use strict";
+/**
+ * Secret Detection Patterns
+ * Regex patterns and detection logic for various secrets
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.allPatterns = exports.envPatterns = exports.genericPatterns = exports.apiKeyPatterns = exports.supabasePatterns = void 0;
+exports.calculateEntropy = calculateEntropy;
+exports.hasHighEntropy = hasHighEntropy;
+exports.maskSecret = maskSecret;
+exports.detectSecrets = detectSecrets;
+/**
+ * Supabase-specific patterns
+ */
+exports.supabasePatterns = [
+    {
+        name: 'Supabase Service Role Key',
+        pattern: /eyJ[A-Za-z0-9-_]*\.eyJ[A-Za-z0-9-_]*\.[A-Za-z0-9-_]*/g,
+        severity: 'CRITICAL',
+        category: 'supabase',
+        description: 'Potential Supabase JWT token - needs role verification',
+        validator: (match) => {
+            // Check if it's a valid JWT format
+            const parts = match.split('.');
+            if (parts.length !== 3)
+                return false;
+            try {
+                // Decode payload
+                const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+                // Check for service_role claim
+                return payload.role === 'service_role' ||
+                    (payload.app_metadata && payload.app_metadata.role === 'service_role');
+            }
+            catch {
+                return false;
+            }
+        }
+    },
+    {
+        name: 'Supabase Anon Key',
+        pattern: /eyJ[A-Za-z0-9-_]*\.eyJ[A-Za-z0-9-_]*\.[A-Za-z0-9-_]*/g,
+        severity: 'MEDIUM',
+        category: 'supabase',
+        description: 'Potential Supabase anon key - verify if properly scoped',
+        validator: (match) => {
+            const parts = match.split('.');
+            if (parts.length !== 3)
+                return false;
+            try {
+                const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+                return payload.role === 'anon' ||
+                    (payload.app_metadata && payload.app_metadata.role === 'anon');
+            }
+            catch {
+                return false;
+            }
+        }
+    },
+    {
+        name: 'Supabase URL',
+        pattern: /https:\/\/[a-z0-9-]+\.supabase\.co/gi,
+        severity: 'INFO',
+        category: 'supabase',
+        description: 'Supabase project URL detected'
+    },
+    {
+        name: 'Service Role Key Variable',
+        pattern: /(?:supabase|service)[._-]?role[._-]?key\s*[:=]\s*["\']([^"\']+)["\']/gi,
+        severity: 'CRITICAL',
+        category: 'supabase',
+        description: 'Service role key assignment detected'
+    }
+];
+/**
+ * Third-party API key patterns
+ */
+exports.apiKeyPatterns = [
+    {
+        name: 'Stripe Live Key',
+        pattern: /sk_live_[0-9a-zA-Z]{24,}/g,
+        severity: 'CRITICAL',
+        category: 'payment',
+        description: 'Stripe live secret key - full account access'
+    },
+    {
+        name: 'Stripe Test Key',
+        pattern: /sk_test_[0-9a-zA-Z]{24,}/g,
+        severity: 'MEDIUM',
+        category: 'payment',
+        description: 'Stripe test secret key'
+    },
+    {
+        name: 'OpenAI API Key',
+        pattern: /sk-[a-zA-Z0-9]{48}/g,
+        severity: 'CRITICAL',
+        category: 'ai',
+        description: 'OpenAI API key'
+    },
+    {
+        name: 'GitHub Personal Access Token',
+        pattern: /ghp_[0-9a-zA-Z]{36}/g,
+        severity: 'HIGH',
+        category: 'vcs',
+        description: 'GitHub personal access token'
+    },
+    {
+        name: 'GitHub OAuth Token',
+        pattern: /gho_[0-9a-zA-Z]{36}/g,
+        severity: 'HIGH',
+        category: 'vcs',
+        description: 'GitHub OAuth token'
+    },
+    {
+        name: 'AWS Access Key ID',
+        pattern: /AKIA[0-9A-Z]{16}/g,
+        severity: 'CRITICAL',
+        category: 'cloud',
+        description: 'AWS Access Key ID'
+    },
+    {
+        name: 'AWS Secret Key',
+        pattern: /["\']?(?:aws[_-]?secret[_-]?access[_-]?key|aws_secret)["\']?\s*[:=]\s*["\']([a-zA-Z0-9/+=]{40})["\']/gi,
+        severity: 'CRITICAL',
+        category: 'cloud',
+        description: 'AWS Secret Access Key'
+    },
+    {
+        name: 'SendGrid API Key',
+        pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/g,
+        severity: 'CRITICAL',
+        category: 'email',
+        description: 'SendGrid API key'
+    },
+    {
+        name: 'Twilio API Key',
+        pattern: /SK[0-9a-f]{32}/g,
+        severity: 'CRITICAL',
+        category: 'sms',
+        description: 'Twilio API key'
+    },
+    {
+        name: 'Slack Token',
+        pattern: /xox[baprs]-[0-9a-zA-Z-]+/g,
+        severity: 'HIGH',
+        category: 'messaging',
+        description: 'Slack bot/user token'
+    }
+];
+/**
+ * Generic secret patterns
+ */
+exports.genericPatterns = [
+    {
+        name: 'Generic API Key',
+        pattern: /(?:api[_-]?key|apikey|api[_-]?secret)["\']?\s*[:=]\s*["\']([a-zA-Z0-9_\-]{16,})["\']/gi,
+        severity: 'HIGH',
+        category: 'generic',
+        description: 'Generic API key pattern'
+    },
+    {
+        name: 'Generic Secret',
+        pattern: /(?:secret|password|passwd|pwd)["\']?\s*[:=]\s*["\']([^"\']{8,})["\']/gi,
+        severity: 'MEDIUM',
+        category: 'generic',
+        description: 'Generic secret/password pattern'
+    },
+    {
+        name: 'Private Key',
+        pattern: /-----BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----/g,
+        severity: 'CRITICAL',
+        category: 'crypto',
+        description: 'Private key detected'
+    },
+    {
+        name: 'JWT Token',
+        pattern: /eyJ[A-Za-z0-9-_]*\.eyJ[A-Za-z0-9-_]*\.[A-Za-z0-9-_]*/g,
+        severity: 'HIGH',
+        category: 'auth',
+        description: 'JWT token detected'
+    },
+    {
+        name: 'Bearer Token',
+        pattern: /Bearer\s+[a-zA-Z0-9_\-\.=]+/g,
+        severity: 'HIGH',
+        category: 'auth',
+        description: 'Bearer token detected'
+    }
+];
+/**
+ * Environment variable patterns (for .env files)
+ */
+exports.envPatterns = [
+    {
+        name: 'Env File Secret',
+        pattern: /^[A-Z_]*(?:SECRET|KEY|TOKEN|PASSWORD|PWD|API_KEY)[A-Z_]*\s*=\s*(.+)$/gm,
+        severity: 'HIGH',
+        category: 'config',
+        description: 'Secret in environment file'
+    }
+];
+/**
+ * All patterns combined
+ */
+exports.allPatterns = [
+    ...exports.supabasePatterns,
+    ...exports.apiKeyPatterns,
+    ...exports.genericPatterns,
+    ...exports.envPatterns
+];
+/**
+ * Calculate Shannon entropy of a string
+ * Used to detect high-entropy strings that might be secrets
+ */
+function calculateEntropy(str) {
+    const len = str.length;
+    if (len === 0)
+        return 0;
+    const freq = {};
+    for (const char of str) {
+        freq[char] = (freq[char] || 0) + 1;
+    }
+    let entropy = 0;
+    for (const char in freq) {
+        const p = freq[char] / len;
+        entropy -= p * Math.log2(p);
+    }
+    return entropy;
+}
+/**
+ * Check if a string has high entropy (likely a secret)
+ */
+function hasHighEntropy(str, threshold = 4.5) {
+    return calculateEntropy(str) > threshold;
+}
+/**
+ * Mask a secret for display
+ */
+function maskSecret(secret, visibleChars = 4) {
+    if (secret.length <= visibleChars * 2) {
+        return '*'.repeat(secret.length);
+    }
+    const start = secret.slice(0, visibleChars);
+    const end = secret.slice(-visibleChars);
+    const middle = '*'.repeat(secret.length - visibleChars * 2);
+    return `${start}${middle}${end}`;
+}
+function detectSecrets(content, patterns = exports.allPatterns) {
+    const findings = [];
+    const lines = content.split('\n');
+    for (const pattern of patterns) {
+        // Reset regex lastIndex
+        pattern.pattern.lastIndex = 0;
+        let match;
+        while ((match = pattern.pattern.exec(content)) !== null) {
+            const matchedText = match[0];
+            const matchIndex = match.index;
+            // Validate if validator exists
+            if (pattern.validator && !pattern.validator(matchedText)) {
+                continue;
+            }
+            // Find line and column
+            let line = 1;
+            let column = 1;
+            let currentIndex = 0;
+            for (let i = 0; i < lines.length; i++) {
+                const lineLength = lines[i].length + 1; // +1 for newline
+                if (currentIndex + lineLength > matchIndex) {
+                    line = i + 1;
+                    column = matchIndex - currentIndex + 1;
+                    break;
+                }
+                currentIndex += lineLength;
+            }
+            findings.push({
+                pattern,
+                match: matchedText,
+                line,
+                column,
+                masked: maskSecret(matchedText)
+            });
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=patterns.js.map

package/dist/scanners/secrets/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/scanners/secrets/patterns.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAwNH,4CAgBC;AAKD,wCAEC;AAKD,gCAUC;AAaD,sCA4CC;AA5SD;;GAEG;AACU,QAAA,gBAAgB,GAAoB;IAC/C;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,uDAAuD;QAChE,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,wDAAwD;QACrE,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,mCAAmC;YACnC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YAErC,IAAI,CAAC;gBACH,iBAAiB;gBACjB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;gBAC1E,+BAA+B;gBAC/B,OAAO,OAAO,CAAC,IAAI,KAAK,cAAc;oBAC/B,CAAC,OAAO,CAAC,YAAY,IAAI,OAAO,CAAC,YAAY,CAAC,IAAI,KAAK,cAAc,CAAC,CAAC;YAChF,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;KACF;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,uDAAuD;QAChE,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,yDAAyD;QACtE,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YAErC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;gBAC1E,OAAO,OAAO,CAAC,IAAI,KAAK,MAAM;oBACvB,CAAC,OAAO,CAAC,YAAY,IAAI,OAAO,CAAC,YAAY,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC;YACxE,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;KACF;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,sCAAsC;QAC/C,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+BAA+B;KAC7C;IACD;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,wEAAwE;QACjF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,sCAAsC;KACpD;CACF,CAAC;AAEF;;GAEG;AACU,QAAA,cAAc,GAAoB;IAC7C;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,8CAA8C;KAC5D;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,wBAAwB;KACtC;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,qBAAqB;QAC9B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,IAAI;QACd,WAAW,EAAE,gBAAgB;KAC9B;IACD;QACE,IAAI,EAAE,8BAA8B;QACpC,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,8BAA8B;KAC5C;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,oBAAoB;KAClC;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,mBAAmB;QAC5B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,OAAO;QACjB,WAAW,EAAE,mBAAmB;KACjC;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,wGAAwG;QACjH,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,OAAO;QACjB,WAAW,EAAE,uBAAuB;KACrC;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,2CAA2C;QACpD,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,OAAO;QACjB,WAAW,EAAE,kBAAkB;KAChC;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,iBAAiB;QAC1B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,gBAAgB;KAC9B;IACD;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,WAAW;QACrB,WAAW,EAAE,sBAAsB;KACpC;CACF,CAAC;AAEF;;GAEG;AACU,QAAA,eAAe,GAAoB;IAC9C;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,wFAAwF;QACjG,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,yBAAyB;KACvC;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,wEAAwE;QACjF,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,iCAAiC;KAC/C;IACD;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,uDAAuD;QAChE,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,sBAAsB;KACpC;IACD;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uDAAuD;QAChE,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,oBAAoB;KAClC;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,8BAA8B;QACvC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,uBAAuB;KACrC;CACF,CAAC;AAEF;;GAEG;AACU,QAAA,WAAW,GAAoB;IAC1C;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,wEAAwE;QACjF,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,4BAA4B;KAC1C;CACF,CAAC;AAEF;;GAEG;AACU,QAAA,WAAW,GAAoB;IAC1C,GAAG,wBAAgB;IACnB,GAAG,sBAAc;IACjB,GAAG,uBAAe;IAClB,GAAG,mBAAW;CACf,CAAC;AAEF;;;GAGG;AACH,SAAgB,gBAAgB,CAAC,GAAW;IAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IACvB,IAAI,GAAG,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAExB,MAAM,IAAI,GAA2B,EAAE,CAAC;IACxC,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACrC,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,IAAI,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC;QAC3B,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAAC,GAAW,EAAE,YAAoB,GAAG;IACjE,OAAO,gBAAgB,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,SAAgB,UAAU,CAAC,MAAc,EAAE,eAAuB,CAAC;IACjE,IAAI,MAAM,CAAC,MAAM,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;QACtC,OAAO,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,YAAY,GAAG,CAAC,CAAC,CAAC;IAE5D,OAAO,GAAG,KAAK,GAAG,MAAM,GAAG,GAAG,EAAE,CAAC;AACnC,CAAC;AAaD,SAAgB,aAAa,CAAC,OAAe,EAAE,WAA4B,mBAAW;IACpF,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,wBAAwB;QACxB,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QAE9B,IAAI,KAA6B,CAAC;QAClC,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACxD,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC7B,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC;YAE/B,+BAA+B;YAC/B,IAAI,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE,CAAC;gBACzD,SAAS;YACX,CAAC;YAED,uBAAuB;YACvB,IAAI,IAAI,GAAG,CAAC,CAAC;YACb,IAAI,MAAM,GAAG,CAAC,CAAC;YACf,IAAI,YAAY,GAAG,CAAC,CAAC;YAErB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,iBAAiB;gBACzD,IAAI,YAAY,GAAG,UAAU,GAAG,UAAU,EAAE,CAAC;oBAC3C,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;oBACb,MAAM,GAAG,UAAU,GAAG,YAAY,GAAG,CAAC,CAAC;oBACvC,MAAM;gBACR,CAAC;gBACD,YAAY,IAAI,UAAU,CAAC;YAC7B,CAAC;YAED,QAAQ,CAAC,IAAI,CAAC;gBACZ,OAAO;gBACP,KAAK,EAAE,WAAW;gBAClB,IAAI;gBACJ,MAAM;gBACN,MAAM,EAAE,UAAU,CAAC,WAAW,CAAC;aAChC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}