verification-layer 0.20.0 → 0.22.0

package/dist/scanners/credentials/index.test.js

@@ -0,0 +1,395 @@
+/**
+ * Tests for Credential Security Scanner
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { credentialsScanner } from './index.js';
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as os from 'os';
+describe('Credentials Scanner', () => {
+    let tempDir = '';
+    let testFiles = [];
+    beforeEach(async () => {
+        tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'cred-test-'));
+    });
+    afterEach(async () => {
+        // Cleanup
+        for (const file of testFiles) {
+            try {
+                await fs.unlink(file);
+            }
+            catch {
+                // Ignore
+            }
+        }
+        try {
+            await fs.rm(tempDir, { recursive: true, force: true });
+        }
+        catch {
+            // Ignore
+        }
+        testFiles = [];
+    });
+    async function createTestFile(filename, content) {
+        const filePath = path.join(tempDir, filename);
+        await fs.writeFile(filePath, content, 'utf-8');
+        testFiles.push(filePath);
+        return filePath;
+    }
+    const scanOptions = {
+        path: tempDir,
+    };
+    describe('CRED-001: Weak Password Hashing', () => {
+        it('should detect MD5 for password hashing', async () => {
+            const file = await createTestFile('auth.ts', `
+import crypto from 'crypto';
+
+function hashPassword(password: string) {
+  const hash = crypto.createHash('md5');
+  hash.update(password);
+  return hash.digest('hex');
+}
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-001');
+            expect(credFindings.length).toBeGreaterThan(0);
+            expect(credFindings[0].severity).toBe('critical');
+            expect(credFindings[0].hipaaReference).toContain('164.312(d)');
+        });
+        it('should detect SHA1 for password hashing', async () => {
+            const file = await createTestFile('password.ts', `
+const passwordHash = crypto.createHash('sha1').update(userPassword).digest('hex');
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-001');
+            expect(credFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect SHA256 for password hashing', async () => {
+            const file = await createTestFile('user-auth.ts', `
+async function verifyPassword(password: string, hash: string) {
+  const computed = crypto.createHash('sha256').update(password).digest('hex');
+  return computed === hash;
+}
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-001');
+            expect(credFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect Python hashlib.md5 for passwords', async () => {
+            const file = await createTestFile('auth.py', `
+import hashlib
+
+def hash_password(password):
+    return hashlib.md5(password.encode()).hexdigest()
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-001');
+            expect(credFindings.length).toBeGreaterThan(0);
+        });
+        it('should not flag bcrypt for password hashing', async () => {
+            const file = await createTestFile('secure-auth.ts', `
+import bcrypt from 'bcrypt';
+
+async function hashPassword(password: string) {
+  const hash = await bcrypt.hash(password, 10);
+  return hash;
+}
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-001');
+            expect(credFindings.length).toBe(0);
+        });
+        it('should not flag argon2 for password hashing', async () => {
+            const file = await createTestFile('argon-auth.ts', `
+import argon2 from 'argon2';
+
+async function hashPassword(password: string) {
+  return await argon2.hash(password);
+}
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-001');
+            expect(credFindings.length).toBe(0);
+        });
+        it('should not flag MD5 for file checksum', async () => {
+            const file = await createTestFile('checksum.ts', `
+function calculateChecksum(fileBuffer: Buffer) {
+  return crypto.createHash('md5').update(fileBuffer).digest('hex');
+}
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-001');
+            expect(credFindings.length).toBe(0);
+        });
+        it('should not flag MD5 for integrity check', async () => {
+            const file = await createTestFile('integrity.ts', `
+const hash = crypto.createHash('md5');
+hash.update(fileContent);
+const integrity = hash.digest('hex');
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-001');
+            expect(credFindings.length).toBe(0);
+        });
+    });
+    describe('CRED-002: Hardcoded Credentials', () => {
+        it('should detect hardcoded password', async () => {
+            const file = await createTestFile('config.ts', `
+const config = {
+  username: 'admin',
+  password: 'SuperSecret123!'
+};
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-002');
+            expect(credFindings.length).toBeGreaterThan(0);
+            expect(credFindings[0].severity).toBe('critical');
+        });
+        it('should detect hardcoded API key', async () => {
+            const file = await createTestFile('api.ts', `
+const apiKey = 'fake_key_ABCDEFGH1234567890XXXXXX';
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-002');
+            expect(credFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect hardcoded secret', async () => {
+            const file = await createTestFile('secrets.ts', `
+export const JWT_SECRET = 'my-super-secret-jwt-key-12345';
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-002');
+            expect(credFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect hardcoded token', async () => {
+            const file = await createTestFile('auth-token.ts', `
+const accessToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0';
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-002');
+            expect(credFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect hardcoded connection string', async () => {
+            const file = await createTestFile('database.ts', `
+const connectionString = 'postgresql://user:password@localhost:5432/mydb';
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-002');
+            expect(credFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect Bearer token', async () => {
+            const file = await createTestFile('bearer.ts', `
+const token = 'Bearer fake_test_1234567890abcdefghijklmnop';
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-002');
+            expect(credFindings.length).toBeGreaterThan(0);
+        });
+        it('should not flag environment variables', async () => {
+            const file = await createTestFile('env-config.ts', `
+const password = process.env.DATABASE_PASSWORD;
+const apiKey = process.env.API_KEY;
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-002');
+            expect(credFindings.length).toBe(0);
+        });
+        it('should not flag import.meta.env', async () => {
+            const file = await createTestFile('vite-config.ts', `
+const secret = import.meta.env.VITE_API_KEY;
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-002');
+            expect(credFindings.length).toBe(0);
+        });
+        it('should not flag placeholders', async () => {
+            const file = await createTestFile('example.ts', `
+const apiKey = 'your-api-key-here';
+const password = 'changeme';
+const secret = 'replace-this-value';
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-002');
+            expect(credFindings.length).toBe(0);
+        });
+        it('should not flag template literals', async () => {
+            const file = await createTestFile('template.ts', `
+const connectionString = \`postgresql://\${user}:\${password}@localhost/db\`;
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-002');
+            expect(credFindings.length).toBe(0);
+        });
+        it('should not flag short or generic passwords', async () => {
+            const file = await createTestFile('generic.ts', `
+const password = 'test';
+const pwd = '12345';
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-002');
+            expect(credFindings.length).toBe(0);
+        });
+    });
+    describe('CRED-003: NEXT_PUBLIC_ Secrets', () => {
+        it('should detect NEXT_PUBLIC_SECRET', async () => {
+            const file = await createTestFile('.env.local', `
+NEXT_PUBLIC_SECRET=my-secret-key-12345
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-003');
+            expect(credFindings.length).toBeGreaterThan(0);
+            expect(credFindings[0].severity).toBe('critical');
+        });
+        it('should detect NEXT_PUBLIC_API_KEY', async () => {
+            const file = await createTestFile('config.ts', `
+const apiKey = process.env.NEXT_PUBLIC_API_KEY;
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-003');
+            expect(credFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect NEXT_PUBLIC_PASSWORD', async () => {
+            const file = await createTestFile('auth.ts', `
+const password = process.env.NEXT_PUBLIC_PASSWORD;
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-003');
+            expect(credFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect NEXT_PUBLIC_SERVICE_ROLE', async () => {
+            const file = await createTestFile('supabase.ts', `
+const serviceRole = process.env.NEXT_PUBLIC_SERVICE_ROLE;
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-003');
+            expect(credFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect NEXT_PUBLIC_PRIVATE_KEY', async () => {
+            const file = await createTestFile('crypto.ts', `
+const privateKey = process.env.NEXT_PUBLIC_PRIVATE_KEY;
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-003');
+            expect(credFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect NEXT_PUBLIC_DATABASE_URL', async () => {
+            const file = await createTestFile('db.ts', `
+const dbUrl = process.env.NEXT_PUBLIC_DATABASE_URL;
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-003');
+            expect(credFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect NEXT_PUBLIC_ADMIN_TOKEN', async () => {
+            const file = await createTestFile('admin.ts', `
+const adminToken = process.env.NEXT_PUBLIC_ADMIN_TOKEN;
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-003');
+            expect(credFindings.length).toBeGreaterThan(0);
+        });
+        it('should not flag NEXT_PUBLIC_SUPABASE_ANON_KEY', async () => {
+            const file = await createTestFile('supabase-config.ts', `
+const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
+const supabaseKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-003');
+            expect(credFindings.length).toBe(0);
+        });
+        it('should not flag NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY', async () => {
+            const file = await createTestFile('clerk.ts', `
+const clerkKey = process.env.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY;
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-003');
+            expect(credFindings.length).toBe(0);
+        });
+        it('should not flag NEXT_PUBLIC_GA_ID (Analytics)', async () => {
+            const file = await createTestFile('analytics.ts', `
+const gaId = process.env.NEXT_PUBLIC_GA_ID;
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-003');
+            expect(credFindings.length).toBe(0);
+        });
+        it('should not flag NEXT_PUBLIC_APP_URL', async () => {
+            const file = await createTestFile('app-config.ts', `
+const appUrl = process.env.NEXT_PUBLIC_APP_URL;
+const siteName = process.env.NEXT_PUBLIC_SITE_NAME;
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-003');
+            expect(credFindings.length).toBe(0);
+        });
+        it('should not flag NEXT_PUBLIC_FEATURE_FLAG', async () => {
+            const file = await createTestFile('features.ts', `
+const newFeature = process.env.NEXT_PUBLIC_FEATURE_NEW_UI;
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-003');
+            expect(credFindings.length).toBe(0);
+        });
+    });
+    describe('General Scanner Behavior', () => {
+        it('should only scan code and config files', async () => {
+            await createTestFile('README.md', 'password = "secret123456"');
+            await createTestFile('image.png', 'binary data');
+            await createTestFile('code.ts', 'const password = "secret123456";');
+            const findings = await credentialsScanner.scan(testFiles, scanOptions);
+            const mdFindings = findings.filter((f) => f.file.endsWith('.md'));
+            const pngFindings = findings.filter((f) => f.file.endsWith('.png'));
+            expect(mdFindings.length).toBe(0);
+            expect(pngFindings.length).toBe(0);
+        });
+        it('should skip comment lines', async () => {
+            const file = await createTestFile('commented.ts', `
+// const password = "hardcoded-secret";
+/*
+ * const apiKey = "fake_key_1234567890";
+ */
+const validCode = true;
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const credFindings = findings.filter((f) => f.id === 'CRED-002');
+            expect(credFindings.length).toBe(0);
+        });
+        it('should include confidence scores', async () => {
+            const file = await createTestFile('test.ts', `
+const password = "SecretPassword123!";
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            for (const finding of findings) {
+                expect(finding.confidence).toBeDefined();
+                expect(['high', 'medium', 'low']).toContain(finding.confidence);
+            }
+        });
+        it('should detect multiple violations in same file', async () => {
+            const file = await createTestFile('bad-security.ts', `
+import crypto from 'crypto';
+
+// CRED-001: Weak password hashing
+function hashPassword(password: string) {
+  return crypto.createHash('md5').update(password).digest('hex');
+}
+
+// CRED-002: Hardcoded credentials
+const config = {
+  apiKey: 'fake_key_ABCDEFGHIJKLMNOP1234567890',
+  password: 'AdminPassword123!'
+};
+
+// CRED-003: Exposed secret
+const secret = process.env.NEXT_PUBLIC_SECRET_KEY;
+        `);
+            const findings = await credentialsScanner.scan([file], scanOptions);
+            const cred001 = findings.filter((f) => f.id === 'CRED-001');
+            const cred002 = findings.filter((f) => f.id === 'CRED-002');
+            const cred003 = findings.filter((f) => f.id === 'CRED-003');
+            expect(cred001.length).toBeGreaterThan(0);
+            expect(cred002.length).toBeGreaterThan(0);
+            expect(cred003.length).toBeGreaterThan(0);
+        });
+    });
+});
+//# sourceMappingURL=index.test.js.map

package/dist/scanners/credentials/index.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.test.js","sourceRoot":"","sources":["../../../src/scanners/credentials/index.test.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAEhD,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAClC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AAEzB,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,IAAI,OAAO,GAAW,EAAE,CAAC;IACzB,IAAI,SAAS,GAAa,EAAE,CAAC;IAE7B,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,YAAY,CAAC,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,UAAU;QACV,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,SAAS,GAAG,EAAE,CAAC;IACjB,CAAC,CAAC,CAAC;IAEH,KAAK,UAAU,cAAc,CAC3B,QAAgB,EAChB,OAAe;QAEf,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC9C,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC/C,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,WAAW,GAAgB;QAC/B,IAAI,EAAE,OAAO;KACd,CAAC;IAEF,QAAQ,CAAC,iCAAiC,EAAE,GAAG,EAAE;QAC/C,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,SAAS,EACT;;;;;;;;SAQC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC/C,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAClD,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;YACvD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;YACzD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;;;;SAKC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;YAC9D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,SAAS,EACT;;;;;SAKC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;;;;;;SAOC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;;;;SAMC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;YACrD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;;;SAIC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;YACvD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;;;SAIC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,iCAAiC,EAAE,GAAG,EAAE;QAC/C,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YAChD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,WAAW,EACX;;;;;SAKC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC/C,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;YAC/C,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,QAAQ,EACR;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;YAC9C,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,YAAY,EACZ;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;YAC7C,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;YACzD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;YAC1C,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,WAAW,EACX;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;YACrD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;SAGC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;YAC/C,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC5C,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,YAAY,EACZ;;;;SAIC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;YACjD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;YAC1D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,YAAY,EACZ;;;SAGC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gCAAgC,EAAE,GAAG,EAAE;QAC9C,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YAChD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,YAAY,EACZ;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC/C,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;YACjD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,WAAW,EACX;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;YAClD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,SAAS,EACT;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;YACrD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,WAAW,EACX;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,OAAO,EACP;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;YACrD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,UAAU,EACV;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,oBAAoB,EACpB;;;SAGC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;YACjE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,UAAU,EACV;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACnD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;SAGC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;QACxC,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,cAAc,CAAC,WAAW,EAAE,2BAA2B,CAAC,CAAC;YAC/D,MAAM,cAAc,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;YACjD,MAAM,cAAc,CAAC,SAAS,EAAE,kCAAkC,CAAC,CAAC;YAEpE,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YAEvE,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;YAClE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;YAEpE,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClC,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2BAA2B,EAAE,KAAK,IAAI,EAAE;YACzC,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;;;;;SAMC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAEjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YAChD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,SAAS,EACT;;SAEC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAEpE,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;gBAC/B,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;gBACzC,MAAM,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;YAClE,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;YAC9D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;;;;;;;;;;;;;;;SAgBC,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YAEpE,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAC5D,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAC5D,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YAE5D,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC1C,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC1C,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAC5C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/scanners/credentials/patterns.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Credential Security Detection Patterns
+ * Detects weak password hashing, hardcoded credentials, and exposed secrets
+ */
+export interface CredentialPattern {
+    id: string;
+    name: string;
+    description: string;
+    severity: 'critical' | 'high' | 'medium';
+    hipaaReference: string;
+    patterns: RegExp[];
+    negativePatterns?: RegExp[];
+    recommendation: string;
+    category: string;
+}
+/**
+ * CRED-001: Weak Password Hashing Algorithm
+ * Detects MD5, SHA1, SHA256 for password hashing instead of bcrypt/argon2/scrypt
+ */
+export declare const WEAK_PASSWORD_HASH: CredentialPattern;
+/**
+ * CRED-002: Hardcoded Credentials in Code
+ * Detects credentials assigned to string literals
+ */
+export declare const HARDCODED_CREDENTIALS: CredentialPattern;
+/**
+ * CRED-003: Secrets Exposed via NEXT_PUBLIC_ Prefix
+ * Detects sensitive values exposed to client-side via Next.js public env vars
+ */
+export declare const NEXT_PUBLIC_SECRETS: CredentialPattern;
+export declare const ALL_CREDENTIAL_PATTERNS: CredentialPattern[];
+//# sourceMappingURL=patterns.d.ts.map

package/dist/scanners/credentials/patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/scanners/credentials/patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,CAAC;IACzC,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,eAAO,MAAM,kBAAkB,EAAE,iBAqChC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,iBAuDnC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,mBAAmB,EAAE,iBAqDjC,CAAC;AAEF,eAAO,MAAM,uBAAuB,EAAE,iBAAiB,EAItD,CAAC"}

package/dist/scanners/credentials/patterns.js

@@ -0,0 +1,140 @@
+/**
+ * Credential Security Detection Patterns
+ * Detects weak password hashing, hardcoded credentials, and exposed secrets
+ */
+/**
+ * CRED-001: Weak Password Hashing Algorithm
+ * Detects MD5, SHA1, SHA256 for password hashing instead of bcrypt/argon2/scrypt
+ */
+export const WEAK_PASSWORD_HASH = {
+    id: 'CRED-001',
+    name: 'Weak Password Hashing Algorithm Detected',
+    description: 'Using MD5, SHA1, or SHA256 for password hashing instead of secure algorithms like bcrypt, argon2, or scrypt',
+    severity: 'critical',
+    hipaaReference: '45 CFR §164.312(d) - Person or Entity Authentication',
+    patterns: [
+        // crypto.createHash with weak algorithms near password
+        /createHash\s*\(\s*['"`](?:md5|sha1|sha-?1|sha256|sha-?256)['"`]\s*\)/i,
+        // hashlib with weak algorithms (Python)
+        /hashlib\.(?:md5|sha1|sha256)\s*\(/i,
+        // Direct mentions of weak hashing for passwords
+        /(?:md5|sha1|sha256).*?(?:password|pass|pwd|hash)/i,
+        /(?:password|pass|pwd).*?(?:md5|sha1|sha256)/i,
+    ],
+    negativePatterns: [
+        // Secure algorithms
+        /bcrypt/i,
+        /argon2/i,
+        /scrypt/i,
+        /pbkdf2/i,
+        // Comments explaining not to use MD5
+        /\/\/.*(?:don't|do not|avoid|never).*md5/i,
+        /\/\*.*(?:don't|do not|avoid|never).*md5/i,
+        // Non-password use cases (checksums, file hashing)
+        /checksum/i,
+        /file.*hash/i,
+        /integrity/i,
+    ],
+    recommendation: 'Use bcrypt, argon2, or scrypt for password hashing. Example: await bcrypt.hash(password, 10) or await argon2.hash(password). Never use MD5, SHA1, or simple SHA256 for passwords.',
+    category: 'encryption',
+};
+/**
+ * CRED-002: Hardcoded Credentials in Code
+ * Detects credentials assigned to string literals
+ */
+export const HARDCODED_CREDENTIALS = {
+    id: 'CRED-002',
+    name: 'Hardcoded Credentials Detected',
+    description: 'Credentials (password, apiKey, secret, token, connectionString) hardcoded as string literals instead of using environment variables',
+    severity: 'critical',
+    hipaaReference: '45 CFR §164.312(a)(2)(i) - Unique User Identification',
+    patterns: [
+        // Password assignments to string literals (8+ chars)
+        /(?:password|passwd|pwd)\s*[:=]\s*['"`][^'"`]{8,}['"`]/i,
+        // API keys
+        /(?:api[-_]?key|apikey)\s*[:=]\s*['"`][^'"`]{8,}['"`]/i,
+        // Secrets
+        /(?:secret|private[-_]?key|privatekey)\s*[:=]\s*['"`][^'"`]{8,}['"`]/i,
+        // Tokens
+        /(?:token|auth[-_]?token|access[-_]?token)\s*[:=]\s*['"`][^'"`]{16,}['"`]/i,
+        // Connection strings
+        /(?:connection[-_]?string|connectionstring|database[-_]?url)\s*[:=]\s*['"`][^'"`]{10,}['"`]/i,
+        // Bearer tokens
+        /['"`]Bearer\s+[A-Za-z0-9_\-\.]{16,}['"`]/i,
+        // AWS/Service keys
+        /(?:aws|service|client)[-_]?(?:key|secret)\s*[:=]\s*['"`][A-Za-z0-9+/]{20,}['"`]/i,
+    ],
+    negativePatterns: [
+        // Environment variables
+        /process\.env/i,
+        /import\.meta\.env/i,
+        /env\./i,
+        /ENV\[/i,
+        /getenv/i,
+        // Placeholders
+        /your[-_]?(?:key|secret|password|token)/i,
+        /(?:placeholder|example|dummy|test|sample)/i,
+        /changeme/i,
+        /replace[-_]?(?:this|me)/i,
+        /(?:xxx|yyy|zzz)/i,
+        // Empty or template strings
+        /['"]\s*['"]/i,
+        /\$\{/i, // Template literals
+        // Comments
+        /\/\//i,
+        /\/\*/i,
+    ],
+    recommendation: 'Move credentials to environment variables. Use process.env.PASSWORD or a secure secrets manager. Never commit credentials to source control. Add credentials to .gitignore.',
+    category: 'encryption',
+};
+/**
+ * CRED-003: Secrets Exposed via NEXT_PUBLIC_ Prefix
+ * Detects sensitive values exposed to client-side via Next.js public env vars
+ */
+export const NEXT_PUBLIC_SECRETS = {
+    id: 'CRED-003',
+    name: 'Secrets Exposed to Client via NEXT_PUBLIC_ Prefix',
+    description: 'Sensitive credentials exposed to client-side code using NEXT_PUBLIC_ environment variable prefix',
+    severity: 'critical',
+    hipaaReference: '45 CFR §164.312(a)(2)(i) - Unique User Identification',
+    patterns: [
+        // NEXT_PUBLIC_SECRET
+        /NEXT_PUBLIC_SECRET/i,
+        // NEXT_PUBLIC_*KEY
+        /NEXT_PUBLIC_.*?KEY/i,
+        // NEXT_PUBLIC_*PASSWORD
+        /NEXT_PUBLIC_.*?PASSWORD/i,
+        // NEXT_PUBLIC_SERVICE_ROLE
+        /NEXT_PUBLIC_SERVICE_ROLE/i,
+        // NEXT_PUBLIC_*TOKEN
+        /NEXT_PUBLIC_.*?TOKEN/i,
+        // NEXT_PUBLIC_*PRIVATE*
+        /NEXT_PUBLIC_.*?PRIVATE/i,
+        // NEXT_PUBLIC_DATABASE
+        /NEXT_PUBLIC_DATABASE/i,
+        // NEXT_PUBLIC_*ADMIN*
+        /NEXT_PUBLIC_.*?ADMIN/i,
+    ],
+    negativePatterns: [
+        // Legitimate public keys
+        /NEXT_PUBLIC_(?:SUPABASE|FIREBASE|CLERK)_(?:ANON|PUBLISHABLE)_KEY/i,
+        /NEXT_PUBLIC_.*?PUBLISHABLE/i,
+        /NEXT_PUBLIC_.*?PUBLIC_KEY/i,
+        // Analytics and tracking (safe to expose)
+        /NEXT_PUBLIC_(?:GA|GTM|ANALYTICS|MIXPANEL|SEGMENT)_/i,
+        // App metadata (safe)
+        /NEXT_PUBLIC_(?:APP|SITE|BASE)_(?:URL|NAME|VERSION)/i,
+        // Feature flags
+        /NEXT_PUBLIC_FEATURE_/i,
+        // Comments explaining the issue
+        /\/\/.*(?:don't|do not|avoid|never)/i,
+    ],
+    recommendation: 'Remove NEXT_PUBLIC_ prefix from sensitive variables. Use server-side environment variables (without NEXT_PUBLIC_) and access them in API routes or getServerSideProps. Only use NEXT_PUBLIC_ for truly public values like API endpoints or publishable keys.',
+    category: 'encryption',
+};
+export const ALL_CREDENTIAL_PATTERNS = [
+    WEAK_PASSWORD_HASH,
+    HARDCODED_CREDENTIALS,
+    NEXT_PUBLIC_SECRETS,
+];
+//# sourceMappingURL=patterns.js.map

package/dist/scanners/credentials/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/scanners/credentials/patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAcH;;;GAGG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAsB;IACnD,EAAE,EAAE,UAAU;IACd,IAAI,EAAE,0CAA0C;IAChD,WAAW,EACT,6GAA6G;IAC/G,QAAQ,EAAE,UAAU;IACpB,cAAc,EAAE,sDAAsD;IACtE,QAAQ,EAAE;QACR,uDAAuD;QACvD,uEAAuE;QAEvE,wCAAwC;QACxC,oCAAoC;QAEpC,gDAAgD;QAChD,mDAAmD;QACnD,8CAA8C;KAC/C;IACD,gBAAgB,EAAE;QAChB,oBAAoB;QACpB,SAAS;QACT,SAAS;QACT,SAAS;QACT,SAAS;QAET,qCAAqC;QACrC,0CAA0C;QAC1C,0CAA0C;QAE1C,mDAAmD;QACnD,WAAW;QACX,aAAa;QACb,YAAY;KACb;IACD,cAAc,EACZ,mLAAmL;IACrL,QAAQ,EAAE,YAAY;CACvB,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAsB;IACtD,EAAE,EAAE,UAAU;IACd,IAAI,EAAE,gCAAgC;IACtC,WAAW,EACT,qIAAqI;IACvI,QAAQ,EAAE,UAAU;IACpB,cAAc,EAAE,uDAAuD;IACvE,QAAQ,EAAE;QACR,qDAAqD;QACrD,wDAAwD;QAExD,WAAW;QACX,uDAAuD;QAEvD,UAAU;QACV,sEAAsE;QAEtE,SAAS;QACT,2EAA2E;QAE3E,qBAAqB;QACrB,6FAA6F;QAE7F,gBAAgB;QAChB,2CAA2C;QAE3C,mBAAmB;QACnB,kFAAkF;KACnF;IACD,gBAAgB,EAAE;QAChB,wBAAwB;QACxB,eAAe;QACf,oBAAoB;QACpB,QAAQ;QACR,QAAQ;QACR,SAAS;QAET,eAAe;QACf,yCAAyC;QACzC,4CAA4C;QAC5C,WAAW;QACX,0BAA0B;QAC1B,kBAAkB;QAElB,4BAA4B;QAC5B,cAAc;QACd,OAAO,EAAE,oBAAoB;QAE7B,WAAW;QACX,OAAO;QACP,OAAO;KACR;IACD,cAAc,EACZ,6KAA6K;IAC/K,QAAQ,EAAE,YAAY;CACvB,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAsB;IACpD,EAAE,EAAE,UAAU;IACd,IAAI,EAAE,mDAAmD;IACzD,WAAW,EACT,kGAAkG;IACpG,QAAQ,EAAE,UAAU;IACpB,cAAc,EAAE,uDAAuD;IACvE,QAAQ,EAAE;QACR,qBAAqB;QACrB,qBAAqB;QAErB,mBAAmB;QACnB,qBAAqB;QAErB,wBAAwB;QACxB,0BAA0B;QAE1B,2BAA2B;QAC3B,2BAA2B;QAE3B,qBAAqB;QACrB,uBAAuB;QAEvB,wBAAwB;QACxB,yBAAyB;QAEzB,uBAAuB;QACvB,uBAAuB;QAEvB,sBAAsB;QACtB,uBAAuB;KACxB;IACD,gBAAgB,EAAE;QAChB,yBAAyB;QACzB,mEAAmE;QACnE,6BAA6B;QAC7B,4BAA4B;QAE5B,0CAA0C;QAC1C,qDAAqD;QAErD,sBAAsB;QACtB,qDAAqD;QAErD,gBAAgB;QAChB,uBAAuB;QAEvB,gCAAgC;QAChC,qCAAqC;KACtC;IACD,cAAc,EACZ,8PAA8P;IAChQ,QAAQ,EAAE,YAAY;CACvB,CAAC;AAEF,MAAM,CAAC,MAAM,uBAAuB,GAAwB;IAC1D,kBAAkB;IAClB,qBAAqB;IACrB,mBAAmB;CACpB,CAAC"}

package/dist/scanners/errors/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Error Handling Security Scanner
+ * Detects unsafe error responses and PHI in error logs
+ */
+import type { Scanner } from '../../types.js';
+export declare const errorsScanner: Scanner;
+export default errorsScanner;
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/errors/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/errors/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAwB,MAAM,gBAAgB,CAAC;AAGpE,eAAO,MAAM,aAAa,EAAE,OAqF3B,CAAC;AAEF,eAAe,aAAa,CAAC"}