verification-layer 0.20.0 → 0.22.0

package/dist/scanners/operational/index.test.js

@@ -0,0 +1,406 @@
+/**
+ * Operational Security Scanner Tests
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { operationalScanner } from './index.js';
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as os from 'os';
+describe('Operational Security Scanner', () => {
+    let tempDir = '';
+    let testFiles = [];
+    beforeEach(async () => {
+        tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'operational-test-'));
+    });
+    afterEach(async () => {
+        // Cleanup
+        for (const file of testFiles) {
+            try {
+                await fs.unlink(file);
+            }
+            catch {
+                // Ignore
+            }
+        }
+        try {
+            await fs.rm(tempDir, { recursive: true, force: true });
+        }
+        catch {
+            // Ignore
+        }
+        testFiles = [];
+    });
+    async function createTestFile(filename, content) {
+        const filePath = path.join(tempDir, filename);
+        await fs.writeFile(filePath, content, 'utf-8');
+        testFiles.push(filePath);
+        return filePath;
+    }
+    const scanOptions = {
+        path: tempDir,
+    };
+    describe('BACKUP-001: Database Without Backup Configuration', () => {
+        it('should detect Prisma usage without backup configuration', async () => {
+            await createTestFile('db.ts', `
+import { PrismaClient } from '@prisma/client';
+
+const prisma = new PrismaClient();
+`);
+            const findings = await operationalScanner.scan(testFiles, scanOptions);
+            const backupFindings = findings.filter((f) => f.id === 'BACKUP-001');
+            expect(backupFindings.length).toBeGreaterThan(0);
+            expect(backupFindings[0].severity).toBe('medium');
+            expect(backupFindings[0].confidence).toBe('low'); // Advisory
+        });
+        it('should detect Mongoose usage without backup configuration', async () => {
+            await createTestFile('mongoose.ts', `
+import mongoose from 'mongoose';
+
+mongoose.connect(process.env.MONGODB_URI);
+`);
+            const findings = await operationalScanner.scan(testFiles, scanOptions);
+            expect(findings.some((f) => f.id === 'BACKUP-001')).toBe(true);
+        });
+        it('should detect Supabase usage without backup configuration', async () => {
+            await createTestFile('supabase.ts', `
+import { createClient } from '@supabase/supabase-js';
+
+const supabase = createClient(url, key);
+`);
+            const findings = await operationalScanner.scan(testFiles, scanOptions);
+            expect(findings.some((f) => f.id === 'BACKUP-001')).toBe(true);
+        });
+        it('should detect Drizzle usage without backup configuration', async () => {
+            await createTestFile('drizzle.ts', `
+import { drizzle } from 'drizzle-orm';
+`);
+            const findings = await operationalScanner.scan(testFiles, scanOptions);
+            expect(findings.some((f) => f.id === 'BACKUP-001')).toBe(true);
+        });
+        it('should detect TypeORM usage without backup configuration', async () => {
+            await createTestFile('typeorm.ts', `
+import { createConnection } from 'typeorm';
+
+await createConnection();
+`);
+            const findings = await operationalScanner.scan(testFiles, scanOptions);
+            expect(findings.some((f) => f.id === 'BACKUP-001')).toBe(true);
+        });
+        it('should NOT flag database with backup configuration', async () => {
+            await createTestFile('db.ts', `
+import { PrismaClient } from '@prisma/client';
+
+const prisma = new PrismaClient();
+`);
+            await createTestFile('backup.ts', `
+// Automated backup configuration
+const backupSchedule = '0 2 * * *'; // Daily at 2 AM
+const backupCommand = 'pg_dump -U postgres mydb > backup.sql';
+`);
+            const findings = await operationalScanner.scan(testFiles, scanOptions);
+            const backupFindings = findings.filter((f) => f.id === 'BACKUP-001');
+            expect(backupFindings.length).toBe(0);
+        });
+        it('should NOT flag database with pg_dump reference', async () => {
+            await createTestFile('db.ts', `
+import mongoose from 'mongoose';
+mongoose.connect(uri);
+`);
+            await createTestFile('backup-script.ts', `
+// Backup script
+const backupCommand = 'mongodump --uri="mongodb://localhost:27017/mydb" --out=/backups';
+`);
+            const findings = await operationalScanner.scan(testFiles, scanOptions);
+            const backupFindings = findings.filter((f) => f.id === 'BACKUP-001');
+            expect(backupFindings.length).toBe(0);
+        });
+        it('should NOT flag database with snapshot reference', async () => {
+            await createTestFile('db.ts', `
+import { createClient } from '@supabase/supabase-js';
+const supabase = createClient(url, key);
+`);
+            await createTestFile('config.yml', `
+# Database Configuration
+# We use Supabase automatic snapshots configured in the dashboard
+# Snapshots are taken every 24 hours and retained for 30 days
+database:
+  snapshot_enabled: true
+  snapshot_retention: 30d
+`);
+            const findings = await operationalScanner.scan(testFiles, scanOptions);
+            const backupFindings = findings.filter((f) => f.id === 'BACKUP-001');
+            expect(backupFindings.length).toBe(0);
+        });
+        it('should NOT flag database with replicate reference', async () => {
+            await createTestFile('db.ts', `
+import { PrismaClient } from '@prisma/client';
+const prisma = new PrismaClient();
+`);
+            await createTestFile('config.yml', `
+database:
+  primary: postgres://main
+  replicate: postgres://replica
+  replication_lag_check: true
+`);
+            const findings = await operationalScanner.scan(testFiles, scanOptions);
+            const backupFindings = findings.filter((f) => f.id === 'BACKUP-001');
+            expect(backupFindings.length).toBe(0);
+        });
+    });
+    describe('RETENTION-001: PHI Records Without Retention Fields', () => {
+        it('should detect Prisma patient create without retention fields', async () => {
+            const file = await createTestFile('patient.ts', `
+const patient = await prisma.patient.create({
+  data: {
+    name: 'John Doe',
+    ssn: '123-45-6789',
+    dob: new Date('1990-01-01')
+  }
+});
+`);
+            const findings = await operationalScanner.scan([file], scanOptions);
+            const retentionFindings = findings.filter((f) => f.id === 'RETENTION-001');
+            expect(retentionFindings.length).toBeGreaterThan(0);
+            expect(retentionFindings[0].severity).toBe('medium');
+        });
+        it('should detect Mongoose Patient create without retention fields', async () => {
+            const file = await createTestFile('patient-model.ts', `
+const newPatient = await Patient.create({
+  name: 'Jane Doe',
+  medicalRecordNumber: 'MRN-123456',
+  diagnosis: 'Hypertension'
+});
+`);
+            const findings = await operationalScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'RETENTION-001')).toBe(true);
+        });
+        it('should detect health record insert without retention fields', async () => {
+            const file = await createTestFile('health.ts', `
+await prisma.healthRecord.create({
+  data: {
+    patientId: patient.id,
+    diagnosis: 'Diabetes Type 2',
+    treatment: 'Metformin 500mg'
+  }
+});
+`);
+            const findings = await operationalScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'RETENTION-001')).toBe(true);
+        });
+        it('should detect medical record upsert without retention fields', async () => {
+            const file = await createTestFile('medical.ts', `
+const record = await prisma.medicalRecord.upsert({
+  where: { id: recordId },
+  update: { notes: 'Updated notes' },
+  create: { patientId: pid, notes: 'New record' }
+});
+`);
+            const findings = await operationalScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'RETENTION-001')).toBe(true);
+        });
+        it('should detect Supabase patient insert without retention fields', async () => {
+            const file = await createTestFile('supabase-patient.ts', `
+const { data, error } = await supabase.from('patients').insert({
+  name: 'John Smith',
+  ssn: '987-65-4321',
+  email: 'john@example.com'
+});
+`);
+            const findings = await operationalScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'RETENTION-001')).toBe(true);
+        });
+        it('should detect clinical data insert without retention fields', async () => {
+            const file = await createTestFile('clinical.ts', `
+await db.insert(clinicalNotes).values({
+  patientId: '123',
+  notes: 'Patient shows improvement',
+  provider: 'Dr. Smith'
+});
+`);
+            const findings = await operationalScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'RETENTION-001')).toBe(true);
+        });
+        it('should NOT flag patient create with expiresAt field', async () => {
+            const file = await createTestFile('safe-patient.ts', `
+const patient = await prisma.patient.create({
+  data: {
+    name: 'John Doe',
+    ssn: '123-45-6789',
+    expiresAt: new Date(Date.now() + 7 * 365 * 24 * 60 * 60 * 1000) // 7 years
+  }
+});
+`);
+            const findings = await operationalScanner.scan([file], scanOptions);
+            const retentionFindings = findings.filter((f) => f.id === 'RETENTION-001');
+            expect(retentionFindings.length).toBe(0);
+        });
+        it('should NOT flag health record with retentionPeriod field', async () => {
+            const file = await createTestFile('safe-health.ts', `
+await prisma.healthRecord.create({
+  data: {
+    patientId: patient.id,
+    diagnosis: 'Diabetes',
+    retentionPeriod: '7years',
+    deleteAfter: calculateDeleteDate()
+  }
+});
+`);
+            const findings = await operationalScanner.scan([file], scanOptions);
+            const retentionFindings = findings.filter((f) => f.id === 'RETENTION-001');
+            expect(retentionFindings.length).toBe(0);
+        });
+        it('should NOT flag patient create with ttl field', async () => {
+            const file = await createTestFile('ttl-patient.ts', `
+const patient = await Patient.create({
+  name: 'Jane Doe',
+  mrn: 'MRN-789',
+  ttl: 60 * 60 * 24 * 365 * 7 // 7 years in seconds
+});
+`);
+            const findings = await operationalScanner.scan([file], scanOptions);
+            const retentionFindings = findings.filter((f) => f.id === 'RETENTION-001');
+            expect(retentionFindings.length).toBe(0);
+        });
+        it('should NOT flag patient create in test files', async () => {
+            const file = await createTestFile('patient.test.ts', `
+describe('Patient creation', () => {
+  it('should create patient', async () => {
+    const patient = await prisma.patient.create({
+      data: { name: 'Test Patient', ssn: '000-00-0000' }
+    });
+  });
+});
+`);
+            const findings = await operationalScanner.scan([file], scanOptions);
+            const retentionFindings = findings.filter((f) => f.id === 'RETENTION-001');
+            expect(retentionFindings.length).toBe(0);
+        });
+    });
+    describe('API-002: JSON Body Parser Without Size Limit', () => {
+        it('should detect express.json() without limit', async () => {
+            const file = await createTestFile('server.ts', `
+import express from 'express';
+
+const app = express();
+app.use(express.json());
+`);
+            const findings = await operationalScanner.scan([file], scanOptions);
+            const apiFindings = findings.filter((f) => f.id === 'API-002');
+            expect(apiFindings.length).toBeGreaterThan(0);
+            expect(apiFindings[0].severity).toBe('low');
+        });
+        it('should detect bodyParser.json() without limit', async () => {
+            const file = await createTestFile('body-parser.ts', `
+import bodyParser from 'body-parser';
+
+app.use(bodyParser.json());
+`);
+            const findings = await operationalScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'API-002')).toBe(true);
+        });
+        it('should detect express.json() with empty options', async () => {
+            const file = await createTestFile('empty-options.ts', `
+app.use(express.json({}));
+`);
+            const findings = await operationalScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'API-002')).toBe(true);
+        });
+        it('should detect bodyParser.json() with empty options', async () => {
+            const file = await createTestFile('empty-body-parser.ts', `
+const app = express();
+app.use(bodyParser.json({}));
+`);
+            const findings = await operationalScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'API-002')).toBe(true);
+        });
+        it('should NOT flag express.json() with limit configured', async () => {
+            const file = await createTestFile('safe-express.ts', `
+import express from 'express';
+
+const app = express();
+app.use(express.json({ limit: '10mb' }));
+`);
+            const findings = await operationalScanner.scan([file], scanOptions);
+            const apiFindings = findings.filter((f) => f.id === 'API-002');
+            expect(apiFindings.length).toBe(0);
+        });
+        it('should NOT flag bodyParser.json() with limit configured', async () => {
+            const file = await createTestFile('safe-body-parser.ts', `
+app.use(bodyParser.json({
+  limit: '1mb',
+  strict: true
+}));
+`);
+            const findings = await operationalScanner.scan([file], scanOptions);
+            const apiFindings = findings.filter((f) => f.id === 'API-002');
+            expect(apiFindings.length).toBe(0);
+        });
+        it('should NOT flag express.json() with limit on separate line', async () => {
+            const file = await createTestFile('multiline-config.ts', `
+app.use(express.json({
+  limit: '5mb',
+  type: 'application/json'
+}));
+`);
+            const findings = await operationalScanner.scan([file], scanOptions);
+            const apiFindings = findings.filter((f) => f.id === 'API-002');
+            expect(apiFindings.length).toBe(0);
+        });
+    });
+    describe('Combined violations', () => {
+        it('should detect multiple operational violations in same project', async () => {
+            await createTestFile('db.ts', `
+import { PrismaClient } from '@prisma/client';
+const prisma = new PrismaClient();
+`);
+            await createTestFile('patient.ts', `
+const patient = await prisma.patient.create({
+  data: { name: 'John', ssn: '123-45-6789' }
+});
+`);
+            await createTestFile('server.ts', `
+import express from 'express';
+const app = express();
+app.use(express.json());
+`);
+            const findings = await operationalScanner.scan(testFiles, scanOptions);
+            expect(findings.some((f) => f.id === 'BACKUP-001')).toBe(true);
+            expect(findings.some((f) => f.id === 'RETENTION-001')).toBe(true);
+            expect(findings.some((f) => f.id === 'API-002')).toBe(true);
+        });
+    });
+    it('should provide correct HIPAA references', async () => {
+        await createTestFile('db.ts', `import { PrismaClient } from '@prisma/client';`);
+        await createTestFile('patient.ts', `await prisma.patient.create({ data: {} });`);
+        await createTestFile('server.ts', `app.use(express.json());`);
+        const findings = await operationalScanner.scan(testFiles, scanOptions);
+        const backup = findings.find((f) => f.id === 'BACKUP-001');
+        const retention = findings.find((f) => f.id === 'RETENTION-001');
+        const api = findings.find((f) => f.id === 'API-002');
+        expect(backup?.hipaaReference).toContain('164.308(a)(7)(ii)(A)');
+        expect(retention?.hipaaReference).toContain('164.316(b)(2)(i)');
+        expect(api?.hipaaReference).toContain('164.308(a)(1)(ii)(D)');
+    });
+    it('should have correct severity levels', async () => {
+        await createTestFile('db.ts', `import mongoose from 'mongoose';`);
+        await createTestFile('patient.ts', `await Patient.create({});`);
+        await createTestFile('server.ts', `app.use(express.json());`);
+        const findings = await operationalScanner.scan(testFiles, scanOptions);
+        const backup = findings.find((f) => f.id === 'BACKUP-001');
+        const retention = findings.find((f) => f.id === 'RETENTION-001');
+        const api = findings.find((f) => f.id === 'API-002');
+        expect(backup?.severity).toBe('medium');
+        expect(retention?.severity).toBe('medium');
+        expect(api?.severity).toBe('low');
+    });
+    it('should have correct confidence levels', async () => {
+        await createTestFile('db.ts', `import { PrismaClient } from '@prisma/client';`);
+        await createTestFile('patient.ts', `await prisma.patient.create({ data: {} });`);
+        const findings = await operationalScanner.scan(testFiles, scanOptions);
+        const backup = findings.find((f) => f.id === 'BACKUP-001');
+        const retention = findings.find((f) => f.id === 'RETENTION-001');
+        expect(backup?.confidence).toBe('low'); // Advisory finding
+        expect(retention?.confidence).toBe('medium');
+    });
+});
+//# sourceMappingURL=index.test.js.map

package/dist/scanners/operational/index.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.test.js","sourceRoot":"","sources":["../../../src/scanners/operational/index.test.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAEhD,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAClC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AAEzB,QAAQ,CAAC,8BAA8B,EAAE,GAAG,EAAE;IAC5C,IAAI,OAAO,GAAW,EAAE,CAAC;IACzB,IAAI,SAAS,GAAa,EAAE,CAAC;IAE7B,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,mBAAmB,CAAC,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,UAAU;QACV,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,SAAS,GAAG,EAAE,CAAC;IACjB,CAAC,CAAC,CAAC;IAEH,KAAK,UAAU,cAAc,CAC3B,QAAgB,EAChB,OAAe;QAEf,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC9C,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC/C,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,WAAW,GAAgB;QAC/B,IAAI,EAAE,OAAO;KACd,CAAC;IAEF,QAAQ,CAAC,mDAAmD,EAAE,GAAG,EAAE;QACjE,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;YACvE,MAAM,cAAc,CAClB,OAAO,EACP;;;;CAIP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACjD,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAClD,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,WAAW;QAC/D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;YACzE,MAAM,cAAc,CAClB,aAAa,EACb;;;;CAIP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;YACzE,MAAM,cAAc,CAClB,aAAa,EACb;;;;CAIP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;YACxE,MAAM,cAAc,CAClB,YAAY,EACZ;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;YACxE,MAAM,cAAc,CAClB,YAAY,EACZ;;;;CAIP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;YAClE,MAAM,cAAc,CAClB,OAAO,EACP;;;;CAIP,CACM,CAAC;YAEF,MAAM,cAAc,CAClB,WAAW,EACX;;;;CAIP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;YAC/D,MAAM,cAAc,CAClB,OAAO,EACP;;;CAGP,CACM,CAAC;YAEF,MAAM,cAAc,CAClB,kBAAkB,EAClB;;;CAGP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;YAChE,MAAM,cAAc,CAClB,OAAO,EACP;;;CAGP,CACM,CAAC;YAEF,MAAM,cAAc,CAClB,YAAY,EACZ;;;;;;;CAOP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;YACjE,MAAM,cAAc,CAClB,OAAO,EACP;;;CAGP,CACM,CAAC;YAEF,MAAM,cAAc,CAClB,YAAY,EACZ;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,qDAAqD,EAAE,GAAG,EAAE;QACnE,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;YAC5E,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,YAAY,EACZ;;;;;;;;CAQP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,iBAAiB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC;YAC3E,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACpD,MAAM,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gEAAgE,EAAE,KAAK,IAAI,EAAE;YAC9E,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,kBAAkB,EAClB;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6DAA6D,EAAE,KAAK,IAAI,EAAE;YAC3E,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,WAAW,EACX;;;;;;;;CAQP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;YAC5E,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,YAAY,EACZ;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gEAAgE,EAAE,KAAK,IAAI,EAAE;YAC9E,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,qBAAqB,EACrB;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6DAA6D,EAAE,KAAK,IAAI,EAAE;YAC3E,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;YACnE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;;;;;;;CAQP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,iBAAiB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC;YAC3E,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;YACxE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;;;;;;;;CASP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,iBAAiB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC;YAC3E,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,iBAAiB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC;YAC3E,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;;;;;;;CAQP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,iBAAiB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC;YAC3E,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,8CAA8C,EAAE,GAAG,EAAE;QAC5D,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;YAC1D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,WAAW,EACX;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAC/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC9C,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;;;CAIP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;YAC/D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,kBAAkB,EAClB;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;YAClE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,sBAAsB,EACtB;;;CAGP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;YACpE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAC/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;YACvE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,qBAAqB,EACrB;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAC/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4DAA4D,EAAE,KAAK,IAAI,EAAE;YAC1E,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,qBAAqB,EACrB;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAC/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACnC,EAAE,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;YAC7E,MAAM,cAAc,CAClB,OAAO,EACP;;;CAGP,CACM,CAAC;YAEF,MAAM,cAAc,CAClB,YAAY,EACZ;;;;CAIP,CACM,CAAC;YAEF,MAAM,cAAc,CAClB,WAAW,EACX;;;;CAIP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;YACvE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/D,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,cAAc,CAClB,OAAO,EACP,gDAAgD,CACjD,CAAC;QAEF,MAAM,cAAc,CAClB,YAAY,EACZ,4CAA4C,CAC7C,CAAC;QAEF,MAAM,cAAc,CAClB,WAAW,EACX,0BAA0B,CAC3B,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QAEvE,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;QAC3D,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC;QACjE,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;QAErD,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC;QACjE,MAAM,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;QAChE,MAAM,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,cAAc,CAClB,OAAO,EACP,kCAAkC,CACnC,CAAC;QAEF,MAAM,cAAc,CAClB,YAAY,EACZ,2BAA2B,CAC5B,CAAC;QAEF,MAAM,cAAc,CAClB,WAAW,EACX,0BAA0B,CAC3B,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QAEvE,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;QAC3D,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC;QACjE,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;QAErD,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACxC,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,cAAc,CAClB,OAAO,EACP,gDAAgD,CACjD,CAAC;QAEF,MAAM,cAAc,CAClB,YAAY,EACZ,4CAA4C,CAC7C,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QAEvE,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;QAC3D,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC;QAEjE,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,mBAAmB;QAC3D,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/scanners/operational/patterns.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Operational Security Detection Patterns
+ * Detects backup configuration, data retention, and API security issues
+ */
+export interface OperationalPattern {
+    id: string;
+    name: string;
+    description: string;
+    severity: 'medium' | 'low';
+    hipaaReference: string;
+    patterns: RegExp[];
+    negativePatterns?: RegExp[];
+    recommendation: string;
+    category: string;
+    requiresProjectScan?: boolean;
+}
+/**
+ * BACKUP-001: Database Without Backup Configuration
+ * Detects database usage without backup/snapshot references in project
+ */
+export declare const DATABASE_WITHOUT_BACKUP: OperationalPattern;
+/**
+ * RETENTION-001: PHI Records Without Retention Fields
+ * Detects creation of PHI records without retention/expiration fields
+ */
+export declare const PHI_RECORDS_WITHOUT_RETENTION: OperationalPattern;
+/**
+ * API-002: JSON Body Parser Without Size Limit
+ * Detects express.json() or bodyParser.json() without limit configuration
+ */
+export declare const BODY_PARSER_WITHOUT_LIMIT: OperationalPattern;
+export declare const ALL_OPERATIONAL_PATTERNS: OperationalPattern[];
+//# sourceMappingURL=patterns.d.ts.map

package/dist/scanners/operational/patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/scanners/operational/patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,QAAQ,GAAG,KAAK,CAAC;IAC3B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,mBAAmB,CAAC,EAAE,OAAO,CAAC;CAC/B;AAED;;;GAGG;AACH,eAAO,MAAM,uBAAuB,EAAE,kBAyCrC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,6BAA6B,EAAE,kBAmE3C,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,yBAAyB,EAAE,kBAkCvC,CAAC;AAEF,eAAO,MAAM,wBAAwB,EAAE,kBAAkB,EAIxD,CAAC"}

package/dist/scanners/operational/patterns.js

@@ -0,0 +1,151 @@
+/**
+ * Operational Security Detection Patterns
+ * Detects backup configuration, data retention, and API security issues
+ */
+/**
+ * BACKUP-001: Database Without Backup Configuration
+ * Detects database usage without backup/snapshot references in project
+ */
+export const DATABASE_WITHOUT_BACKUP = {
+    id: 'BACKUP-001',
+    name: 'Database Without Backup Configuration',
+    description: 'Database usage detected (supabase, prisma, mongoose, drizzle, typeorm, sequelize, knex) without backup/snapshot/replicate configuration references in project. Advisory: Full verification requires infrastructure inspection.',
+    severity: 'medium',
+    hipaaReference: '45 CFR §164.308(a)(7)(ii)(A) - Data Backup Plan',
+    patterns: [
+        // Database library imports
+        /import.*from\s+['"]@supabase\/supabase-js['"]/i,
+        /import.*from\s+['"]@prisma\/client['"]/i,
+        /import.*from\s+['"]prisma['"]/i,
+        /import.*from\s+['"]mongoose['"]/i,
+        /import.*from\s+['"]drizzle-orm['"]/i,
+        /import.*from\s+['"]typeorm['"]/i,
+        /import.*from\s+['"]sequelize['"]/i,
+        /import.*from\s+['"]knex['"]/i,
+        // Database client initialization
+        /new\s+PrismaClient\s*\(/i,
+        /mongoose\.connect\s*\(/i,
+        /createClient\s*\(.*supabase/i,
+        /new\s+Sequelize\s*\(/i,
+        /createConnection\s*\(.*typeorm/i,
+    ],
+    negativePatterns: [
+        // Backup-related keywords (these are "good" - they prevent the finding)
+        /backup/i,
+        /snapshot/i,
+        /replicate/i,
+        /pg_dump/i,
+        /mongodump/i,
+        /restore/i,
+        /\.backup\(/i,
+        /backupSchedule/i,
+        /automaticBackup/i,
+    ],
+    recommendation: 'Configure automated database backups. Examples: Enable Supabase automatic backups, configure Prisma backup scripts, set up MongoDB Atlas continuous backups, or use pg_dump/mongodump in CI/CD. Document backup schedule and retention policy.',
+    category: 'data-retention',
+    requiresProjectScan: true, // This pattern needs to scan entire project
+};
+/**
+ * RETENTION-001: PHI Records Without Retention Fields
+ * Detects creation of PHI records without retention/expiration fields
+ */
+export const PHI_RECORDS_WITHOUT_RETENTION = {
+    id: 'RETENTION-001',
+    name: 'PHI Records Created Without Retention Fields',
+    description: 'PHI record creation (insert/create/save/upsert on patient/health/medical/clinical tables) without retention fields (expiresAt, ttl, retainUntil, retentionPeriod, deleteAfter). HIPAA requires minimum necessary retention periods.',
+    severity: 'medium',
+    hipaaReference: '45 CFR §164.316(b)(2)(i) - Retention Period',
+    patterns: [
+        // Prisma operations
+        /prisma\.patient\.create\s*\(/i,
+        /prisma\.health.*\.create\s*\(/i,
+        /prisma\.medical.*\.create\s*\(/i,
+        /prisma\.clinical.*\.create\s*\(/i,
+        /prisma\.patient\.upsert\s*\(/i,
+        /prisma\.health.*\.upsert\s*\(/i,
+        // Mongoose operations
+        /Patient\.create\s*\(/i,
+        /Health.*\.create\s*\(/i,
+        /Medical.*\.create\s*\(/i,
+        /Clinical.*\.create\s*\(/i,
+        /new\s+Patient\s*\(.*\)\.save\s*\(/i,
+        // Generic ORM insert/create
+        /db\.insert\s*\(\s*patient/i,
+        /db\.insert\s*\(\s*health/i,
+        /db\.insert\s*\(\s*medical/i,
+        /db\.insert\s*\(\s*clinical/i,
+        /\.insert\s*\(.*\)\s*\.into\s*\(\s*['"`]patient/i,
+        /\.insert\s*\(.*\)\s*\.into\s*\(\s*['"`]health/i,
+        // Sequelize operations
+        /Patient\.create\s*\(\s*\{/i,
+        /Health.*Model\.create\s*\(/i,
+        /Medical.*\.upsert\s*\(/i,
+        // Drizzle operations
+        /db\.insert\s*\(.*patient.*\)/i,
+        /insertInto\s*\(\s*patient/i,
+        // Supabase operations
+        /supabase\.from\s*\(\s*['"`]patient.*['"]\s*\)\.insert/i,
+        /supabase\.from\s*\(\s*['"`]health.*['"]\s*\)\.insert/i,
+        /supabase\.from\s*\(\s*['"`]medical.*['"]\s*\)\.insert/i,
+    ],
+    negativePatterns: [
+        // Retention fields
+        /expiresAt/i,
+        /ttl/i,
+        /retainUntil/i,
+        /retentionPeriod/i,
+        /deleteAfter/i,
+        /retention_date/i,
+        /expiration/i,
+        /expires_at/i,
+        /retain_until/i,
+        /delete_after/i,
+        // Test files
+        /\.test\./i,
+        /\.spec\./i,
+        /describe\(/i,
+        /it\(/i,
+    ],
+    recommendation: 'Add retention fields to PHI record creation. Example: { ...patientData, expiresAt: new Date(Date.now() + 7 * 365 * 24 * 60 * 60 * 1000) } or { ...data, retentionPeriod: "7years", deleteAfter: calculateDeleteDate() }. Define retention policy based on record type and regulatory requirements.',
+    category: 'data-retention',
+};
+/**
+ * API-002: JSON Body Parser Without Size Limit
+ * Detects express.json() or bodyParser.json() without limit configuration
+ */
+export const BODY_PARSER_WITHOUT_LIMIT = {
+    id: 'API-002',
+    name: 'JSON Body Parser Without Size Limit',
+    description: 'express.json() or bodyParser.json() configured without limit option. Unlimited body size can lead to DoS attacks via large payload submissions.',
+    severity: 'low',
+    hipaaReference: '45 CFR §164.308(a)(1)(ii)(D) - System Security',
+    patterns: [
+        // express.json()
+        /express\.json\s*\(\s*\)/i,
+        /app\.use\s*\(\s*express\.json\s*\(\s*\)\s*\)/i,
+        // bodyParser.json()
+        /bodyParser\.json\s*\(\s*\)/i,
+        /app\.use\s*\(\s*bodyParser\.json\s*\(\s*\)\s*\)/i,
+        // express.json() with empty object
+        /express\.json\s*\(\s*\{\s*\}\s*\)/i,
+        /bodyParser\.json\s*\(\s*\{\s*\}\s*\)/i,
+    ],
+    negativePatterns: [
+        // Has limit configured
+        /limit\s*:/i,
+        /\{\s*limit/i,
+        /"limit"/i,
+        /'limit'/i,
+        // Has size configuration
+        /size:/i,
+        /maxBodySize/i,
+    ],
+    recommendation: 'Configure body size limits. Example: app.use(express.json({ limit: "10mb" })) or bodyParser.json({ limit: "1mb" }). Set limit based on expected payload size. Typical values: 1mb for APIs, 10mb for file uploads.',
+    category: 'access-control',
+};
+export const ALL_OPERATIONAL_PATTERNS = [
+    DATABASE_WITHOUT_BACKUP,
+    PHI_RECORDS_WITHOUT_RETENTION,
+    BODY_PARSER_WITHOUT_LIMIT,
+];
+//# sourceMappingURL=patterns.js.map

package/dist/scanners/operational/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/scanners/operational/patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAeH;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAuB;IACzD,EAAE,EAAE,YAAY;IAChB,IAAI,EAAE,uCAAuC;IAC7C,WAAW,EACT,gOAAgO;IAClO,QAAQ,EAAE,QAAQ;IAClB,cAAc,EAAE,iDAAiD;IACjE,QAAQ,EAAE;QACR,2BAA2B;QAC3B,gDAAgD;QAChD,yCAAyC;QACzC,gCAAgC;QAChC,kCAAkC;QAClC,qCAAqC;QACrC,iCAAiC;QACjC,mCAAmC;QACnC,8BAA8B;QAE9B,iCAAiC;QACjC,0BAA0B;QAC1B,yBAAyB;QACzB,8BAA8B;QAC9B,uBAAuB;QACvB,iCAAiC;KAClC;IACD,gBAAgB,EAAE;QAChB,wEAAwE;QACxE,SAAS;QACT,WAAW;QACX,YAAY;QACZ,UAAU;QACV,YAAY;QACZ,UAAU;QACV,aAAa;QACb,iBAAiB;QACjB,kBAAkB;KACnB;IACD,cAAc,EACZ,gPAAgP;IAClP,QAAQ,EAAE,gBAAgB;IAC1B,mBAAmB,EAAE,IAAI,EAAE,4CAA4C;CACxE,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAuB;IAC/D,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,8CAA8C;IACpD,WAAW,EACT,qOAAqO;IACvO,QAAQ,EAAE,QAAQ;IAClB,cAAc,EAAE,6CAA6C;IAC7D,QAAQ,EAAE;QACR,oBAAoB;QACpB,+BAA+B;QAC/B,gCAAgC;QAChC,iCAAiC;QACjC,kCAAkC;QAClC,+BAA+B;QAC/B,gCAAgC;QAEhC,sBAAsB;QACtB,uBAAuB;QACvB,wBAAwB;QACxB,yBAAyB;QACzB,0BAA0B;QAC1B,oCAAoC;QAEpC,4BAA4B;QAC5B,4BAA4B;QAC5B,2BAA2B;QAC3B,4BAA4B;QAC5B,6BAA6B;QAC7B,iDAAiD;QACjD,gDAAgD;QAEhD,uBAAuB;QACvB,4BAA4B;QAC5B,6BAA6B;QAC7B,yBAAyB;QAEzB,qBAAqB;QACrB,+BAA+B;QAC/B,4BAA4B;QAE5B,sBAAsB;QACtB,wDAAwD;QACxD,uDAAuD;QACvD,wDAAwD;KACzD;IACD,gBAAgB,EAAE;QAChB,mBAAmB;QACnB,YAAY;QACZ,MAAM;QACN,cAAc;QACd,kBAAkB;QAClB,cAAc;QACd,iBAAiB;QACjB,aAAa;QACb,aAAa;QACb,eAAe;QACf,eAAe;QAEf,aAAa;QACb,WAAW;QACX,WAAW;QACX,aAAa;QACb,OAAO;KACR;IACD,cAAc,EACZ,oSAAoS;IACtS,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAuB;IAC3D,EAAE,EAAE,SAAS;IACb,IAAI,EAAE,qCAAqC;IAC3C,WAAW,EACT,iJAAiJ;IACnJ,QAAQ,EAAE,KAAK;IACf,cAAc,EAAE,gDAAgD;IAChE,QAAQ,EAAE;QACR,iBAAiB;QACjB,0BAA0B;QAC1B,+CAA+C;QAE/C,oBAAoB;QACpB,6BAA6B;QAC7B,kDAAkD;QAElD,mCAAmC;QACnC,oCAAoC;QACpC,uCAAuC;KACxC;IACD,gBAAgB,EAAE;QAChB,uBAAuB;QACvB,YAAY;QACZ,aAAa;QACb,UAAU;QACV,UAAU;QAEV,yBAAyB;QACzB,QAAQ;QACR,cAAc;KACf;IACD,cAAc,EACZ,oNAAoN;IACtN,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF,MAAM,CAAC,MAAM,wBAAwB,GAAyB;IAC5D,uBAAuB;IACvB,6BAA6B;IAC7B,yBAAyB;CAC1B,CAAC"}

package/dist/scanners/rbac/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Role-Based Access Control (RBAC) Scanner
+ * Detects missing authorization checks and HIPAA minimum necessary violations
+ */
+import type { Scanner } from '../../types.js';
+export declare const rbacScanner: Scanner;
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/rbac/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/rbac/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAwB,MAAM,gBAAgB,CAAC;AAGpE,eAAO,MAAM,WAAW,EAAE,OAqFzB,CAAC"}