verification-layer 0.20.0 → 0.22.0

package/dist/scanners/revocation/patterns.js

@@ -0,0 +1,109 @@
+/**
+ * Token Revocation Security Detection Patterns
+ * Detects JWT usage without revocation mechanisms and excessive token expiration
+ */
+/**
+ * REVOKE-001: JWT Without Server-Side Revocation Mechanism
+ * Detects JWT usage without revocation support
+ */
+export const JWT_WITHOUT_REVOCATION = {
+    id: 'REVOKE-001',
+    name: 'JWT Without Server-Side Revocation Mechanism',
+    description: 'JWT token generation (jwt.sign, jsonwebtoken, jose) without server-side revocation mechanism (revoke, blacklist, allowlist, tokenStore, invalidate, denylist). HIPAA NPRM requires ability to revoke access within 1 hour.',
+    severity: 'high',
+    hipaaReference: 'NPRM §164.308(a)(3)(ii)(C) - Access Revocation',
+    patterns: [
+        // jwt.sign() calls
+        /jwt\.sign\s*\(/i,
+        // jsonwebtoken.sign() calls
+        /jsonwebtoken\.sign\s*\(/i,
+        // jose sign methods
+        /new\s+(?:SignJWT|CompactSign)\s*\(/i,
+        /jose\.(?:SignJWT|sign)/i,
+        // JWT token generation
+        /(?:create|generate)(?:Access)?Token\s*\([^)]*\)/i,
+        // Sign JWT patterns
+        /\.sign\s*\([^)]*jwt/i,
+    ],
+    negativePatterns: [
+        // Revocation mechanisms
+        /revoke/i,
+        /blacklist/i,
+        /allowlist/i,
+        /whitelist/i,
+        /denylist/i,
+        /tokenStore/i,
+        /invalidate/i,
+        /revokedTokens/i,
+        /tokenBlacklist/i,
+        /redis/i, // Common for token storage
+        /session/i, // Session-based auth has built-in revocation
+        // Database token storage
+        /tokenRepository/i,
+        /saveToken/i,
+        /storeToken/i,
+        // Revocation libraries
+        /express-jwt-blacklist/i,
+        /jwt-redis/i,
+        // Comments indicating revocation is handled elsewhere
+        /revocation.*handled/i,
+        /revoke.*separate/i,
+    ],
+    recommendation: 'Implement server-side token revocation mechanism. Store active tokens in Redis/database with TTL, or maintain a blacklist of revoked tokens. Example: await redis.set(`token:${userId}`, token, "EX", 3600); await redis.del(`token:${userId}`) to revoke. HIPAA requires ability to revoke access within 1 hour.',
+    category: 'access-control',
+};
+/**
+ * REVOKE-002: Excessive Token Expiration Time
+ * Detects tokens with expirations longer than recommended
+ */
+export const EXCESSIVE_TOKEN_EXPIRATION = {
+    id: 'REVOKE-002',
+    name: 'Excessive Token Expiration Time',
+    description: 'JWT token with excessive expiration time. Access tokens should expire within 24 hours (expiresIn: "24h" or less). Refresh tokens should not exceed 7 days for sensitive data.',
+    severity: 'medium',
+    hipaaReference: 'NPRM §164.308(a)(3)(ii)(C) - Access Revocation',
+    patterns: [
+        // expiresIn with excessive time
+        // Days: 2d, 3d, 7d, 30d, 90d, etc. (more than 1 day)
+        /expiresIn\s*:\s*['"`](?:[2-9]|[1-9]\d+)d['"`]/i,
+        // Hours: 25h, 48h, 72h, etc. (more than 24 hours)
+        /expiresIn\s*:\s*['"`](?:2[5-9]|[3-9]\d|\d{3,})h['"`]/i,
+        // Weeks, years (w, y - note: m in JWT means minutes, not months)
+        /expiresIn\s*:\s*['"`]\d+[wy]['"`]/i,
+        // Months (spelled out)
+        /expiresIn\s*:\s*['"`]\d+\s*(?:month|months|mo)['"`]/i,
+        // Numeric seconds: more than 86400 (24 hours)
+        /expiresIn\s*:\s*(?:8[7-9]\d{3}|\d{6,})\b/i,
+        // maxAge with excessive time (more than 7 days = 604800000 ms)
+        /maxAge\s*:\s*(?:6[1-9]\d{7}|[7-9]\d{8}|\d{9,})\b/i,
+        // exp claim with far future timestamps (common mistake)
+        /exp\s*:\s*Math\.floor\s*\([^)]*\+\s*(?:2[5-9]|[3-9]\d|\d{3,})\s*\*\s*(?:60\s*\*\s*60|3600)/i,
+    ],
+    negativePatterns: [
+        // Acceptable expirations for access tokens (1h - 24h)
+        /expiresIn\s*:\s*['"`](?:1?\d|2[0-4])h['"`]/i,
+        /expiresIn\s*:\s*['"`]1d['"`]/i,
+        // Minutes (m in JWT means minutes, not months)
+        /expiresIn\s*:\s*['"`]\d+m['"`]/i,
+        // Seconds (s)
+        /expiresIn\s*:\s*['"`]\d+s['"`]/i,
+        // Acceptable numeric values (up to 24 hours = 86400 seconds)
+        /expiresIn\s*:\s*(?:[1-7]\d{3}|[1-8][0-5]\d{3}|86[0-3]\d{2}|8640{1,2})\b/i,
+        // Refresh tokens (explicitly marked as such)
+        /refresh.*token/i,
+        /refreshToken/i,
+        // Remember me tokens (longer expiration is acceptable)
+        /remember.*me/i,
+        /rememberMe/i,
+        // API keys (different from access tokens)
+        /api.*key/i,
+        /apiKey/i,
+    ],
+    recommendation: 'Use short-lived access tokens (≤ 24 hours): expiresIn: "1h" or expiresIn: "15m". For longer sessions, implement refresh token rotation. Example: accessToken with expiresIn: "1h", refreshToken with expiresIn: "7d". Reduce attack window if token is compromised.',
+    category: 'access-control',
+};
+export const ALL_REVOCATION_PATTERNS = [
+    JWT_WITHOUT_REVOCATION,
+    EXCESSIVE_TOKEN_EXPIRATION,
+];
+//# sourceMappingURL=patterns.js.map

package/dist/scanners/revocation/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/scanners/revocation/patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAcH;;;GAGG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAsB;IACvD,EAAE,EAAE,YAAY;IAChB,IAAI,EAAE,8CAA8C;IACpD,WAAW,EACT,4NAA4N;IAC9N,QAAQ,EAAE,MAAM;IAChB,cAAc,EAAE,gDAAgD;IAChE,QAAQ,EAAE;QACR,mBAAmB;QACnB,iBAAiB;QAEjB,4BAA4B;QAC5B,0BAA0B;QAE1B,oBAAoB;QACpB,qCAAqC;QACrC,yBAAyB;QAEzB,uBAAuB;QACvB,kDAAkD;QAElD,oBAAoB;QACpB,sBAAsB;KACvB;IACD,gBAAgB,EAAE;QAChB,wBAAwB;QACxB,SAAS;QACT,YAAY;QACZ,YAAY;QACZ,YAAY;QACZ,WAAW;QACX,aAAa;QACb,aAAa;QACb,gBAAgB;QAChB,iBAAiB;QACjB,QAAQ,EAAE,2BAA2B;QACrC,UAAU,EAAE,6CAA6C;QAEzD,yBAAyB;QACzB,kBAAkB;QAClB,YAAY;QACZ,aAAa;QAEb,uBAAuB;QACvB,wBAAwB;QACxB,YAAY;QAEZ,sDAAsD;QACtD,sBAAsB;QACtB,mBAAmB;KACpB;IACD,cAAc,EACZ,mTAAmT;IACrT,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAsB;IAC3D,EAAE,EAAE,YAAY;IAChB,IAAI,EAAE,iCAAiC;IACvC,WAAW,EACT,+KAA+K;IACjL,QAAQ,EAAE,QAAQ;IAClB,cAAc,EAAE,gDAAgD;IAChE,QAAQ,EAAE;QACR,gCAAgC;QAChC,qDAAqD;QACrD,gDAAgD;QAEhD,kDAAkD;QAClD,uDAAuD;QAEvD,iEAAiE;QACjE,oCAAoC;QAEpC,uBAAuB;QACvB,sDAAsD;QAEtD,8CAA8C;QAC9C,2CAA2C;QAE3C,+DAA+D;QAC/D,mDAAmD;QAEnD,wDAAwD;QACxD,6FAA6F;KAC9F;IACD,gBAAgB,EAAE;QAChB,sDAAsD;QACtD,6CAA6C;QAC7C,+BAA+B;QAE/B,+CAA+C;QAC/C,iCAAiC;QAEjC,cAAc;QACd,iCAAiC;QAEjC,6DAA6D;QAC7D,0EAA0E;QAE1E,6CAA6C;QAC7C,iBAAiB;QACjB,eAAe;QAEf,uDAAuD;QACvD,eAAe;QACf,aAAa;QAEb,0CAA0C;QAC1C,WAAW;QACX,SAAS;KACV;IACD,cAAc,EACZ,qQAAqQ;IACvQ,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF,MAAM,CAAC,MAAM,uBAAuB,GAAwB;IAC1D,sBAAsB;IACtB,0BAA0B;CAC3B,CAAC"}

package/dist/scanners/sanitization/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Input Sanitization Security Scanner
+ * Detects unsafe user input handling and file upload configurations
+ */
+import type { Scanner } from '../../types.js';
+export declare const sanitizationScanner: Scanner;
+export default sanitizationScanner;
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/sanitization/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/sanitization/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAwB,MAAM,gBAAgB,CAAC;AAGpE,eAAO,MAAM,mBAAmB,EAAE,OA8GjC,CAAC;AAEF,eAAe,mBAAmB,CAAC"}

package/dist/scanners/sanitization/index.js

@@ -0,0 +1,98 @@
+/**
+ * Input Sanitization Security Scanner
+ * Detects unsafe user input handling and file upload configurations
+ */
+import * as fs from 'fs/promises';
+import { ALL_SANITIZATION_PATTERNS } from './patterns.js';
+export const sanitizationScanner = {
+    name: 'Input Sanitization Security Scanner',
+    category: 'access-control',
+    async scan(files, options) {
+        const findings = [];
+        // Filter to code files
+        const codeFiles = files.filter((f) => /\.(ts|tsx|js|jsx)$/.test(f));
+        for (const file of codeFiles) {
+            try {
+                const content = await fs.readFile(file, 'utf-8');
+                const lines = content.split('\n');
+                for (let i = 0; i < lines.length; i++) {
+                    const line = lines[i];
+                    const lineNumber = i + 1;
+                    // Skip empty lines and comments
+                    if (/^\s*$/.test(line) || /^\s*\/\//.test(line))
+                        continue;
+                    // Scan each pattern
+                    for (const pattern of ALL_SANITIZATION_PATTERNS) {
+                        // Check if line matches violation pattern
+                        const matched = pattern.patterns.some((regex) => regex.test(line));
+                        if (!matched)
+                            continue;
+                        // Get surrounding context (10 lines before and 5 after), excluding comments
+                        const contextStart = Math.max(0, i - 10);
+                        const contextEnd = Math.min(lines.length, i + 6);
+                        const contextLines = lines.slice(contextStart, contextEnd);
+                        // Filter out comment lines from context
+                        const codeOnlyContext = contextLines
+                            .filter(l => !/^\s*\/\//.test(l) && !/^\s*\/\*/.test(l) && !/^\s*\*/.test(l))
+                            .join('\n');
+                        // Check negative patterns (safe usage indicators)
+                        // For SANITIZE-001, check context for validation
+                        // For SANITIZE-002, check if config object has required fields
+                        const isSafe = pattern.negativePatterns?.some((regex) => {
+                            const patternStr = regex.source;
+                            // For file upload patterns, check the entire config block
+                            if (pattern.id === 'SANITIZE-002') {
+                                // Check if the line has the required validation fields
+                                // or if they appear in the surrounding context
+                                return regex.test(codeOnlyContext);
+                            }
+                            // For SANITIZE-001, check surrounding context for validation
+                            if (pattern.id === 'SANITIZE-001') {
+                                // Check if validation happens in surrounding code (excluding comments)
+                                return regex.test(codeOnlyContext);
+                            }
+                            return regex.test(line);
+                        });
+                        if (isSafe)
+                            continue;
+                        // Additional check for SANITIZE-002: ensure it's an actual configuration
+                        if (pattern.id === 'SANITIZE-002') {
+                            // Skip if it's just a variable reference or import
+                            if (/^import\s/i.test(line) ||
+                                /^const\s+\w+\s*=\s*require/i.test(line)) {
+                                continue;
+                            }
+                            // Only flag if it looks like actual middleware configuration
+                            if (!/\bmulter\s*\(/i.test(line) &&
+                                !/\bformidable\s*\(/i.test(line) &&
+                                !/\bBusboy\s*\(/i.test(line) &&
+                                !/IncomingForm\s*\(/i.test(line)) {
+                                continue;
+                            }
+                        }
+                        // Create finding
+                        const finding = {
+                            id: pattern.id,
+                            category: pattern.category,
+                            severity: pattern.severity,
+                            title: pattern.name,
+                            description: `${pattern.description}\n\nCode: ${line.trim()}`,
+                            file: file,
+                            line: lineNumber,
+                            recommendation: pattern.recommendation,
+                            hipaaReference: pattern.hipaaReference,
+                            confidence: 'high',
+                        };
+                        findings.push(finding);
+                    }
+                }
+            }
+            catch (error) {
+                // Skip files that can't be read
+            }
+        }
+        return findings;
+    },
+};
+export default sanitizationScanner;
+//# sourceMappingURL=index.js.map

package/dist/scanners/sanitization/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/scanners/sanitization/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAElC,OAAO,EAAE,yBAAyB,EAAE,MAAM,eAAe,CAAC;AAE1D,MAAM,CAAC,MAAM,mBAAmB,GAAY;IAC1C,IAAI,EAAE,qCAAqC;IAC3C,QAAQ,EAAE,gBAAgB;IAE1B,KAAK,CAAC,IAAI,CAAC,KAAe,EAAE,OAAoB;QAC9C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,uBAAuB;QACvB,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACnC,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,CAC7B,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;gBACjD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACtB,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,CAAC;oBAEzB,gCAAgC;oBAChC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;wBAAE,SAAS;oBAE1D,oBAAoB;oBACpB,KAAK,MAAM,OAAO,IAAI,yBAAyB,EAAE,CAAC;wBAChD,0CAA0C;wBAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;wBAEnE,IAAI,CAAC,OAAO;4BAAE,SAAS;wBAEvB,4EAA4E;wBAC5E,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;wBACzC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;wBACjD,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;wBAE3D,wCAAwC;wBACxC,MAAM,eAAe,GAAG,YAAY;6BACjC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;6BAC5E,IAAI,CAAC,IAAI,CAAC,CAAC;wBAEd,kDAAkD;wBAClD,iDAAiD;wBACjD,+DAA+D;wBAC/D,MAAM,MAAM,GAAG,OAAO,CAAC,gBAAgB,EAAE,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;4BACtD,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC;4BAEhC,0DAA0D;4BAC1D,IAAI,OAAO,CAAC,EAAE,KAAK,cAAc,EAAE,CAAC;gCAClC,uDAAuD;gCACvD,+CAA+C;gCAC/C,OAAO,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;4BACrC,CAAC;4BAED,6DAA6D;4BAC7D,IAAI,OAAO,CAAC,EAAE,KAAK,cAAc,EAAE,CAAC;gCAClC,uEAAuE;gCACvE,OAAO,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;4BACrC,CAAC;4BAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;wBAC1B,CAAC,CAAC,CAAC;wBAEH,IAAI,MAAM;4BAAE,SAAS;wBAErB,yEAAyE;wBACzE,IAAI,OAAO,CAAC,EAAE,KAAK,cAAc,EAAE,CAAC;4BAClC,mDAAmD;4BACnD,IACE,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC;gCACvB,6BAA6B,CAAC,IAAI,CAAC,IAAI,CAAC,EACxC,CAAC;gCACD,SAAS;4BACX,CAAC;4BAED,6DAA6D;4BAC7D,IACE,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC;gCAC5B,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC;gCAChC,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC;gCAC5B,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAChC,CAAC;gCACD,SAAS;4BACX,CAAC;wBACH,CAAC;wBAED,iBAAiB;wBACjB,MAAM,OAAO,GAAY;4BACvB,EAAE,EAAE,OAAO,CAAC,EAAE;4BACd,QAAQ,EAAE,OAAO,CAAC,QAAe;4BACjC,QAAQ,EAAE,OAAO,CAAC,QAAQ;4BAC1B,KAAK,EAAE,OAAO,CAAC,IAAI;4BACnB,WAAW,EAAE,GAAG,OAAO,CAAC,WAAW,aAAa,IAAI,CAAC,IAAI,EAAE,EAAE;4BAC7D,IAAI,EAAE,IAAI;4BACV,IAAI,EAAE,UAAU;4BAChB,cAAc,EAAE,OAAO,CAAC,cAAc;4BACtC,cAAc,EAAE,OAAO,CAAC,cAAc;4BACtC,UAAU,EAAE,MAAM;yBACnB,CAAC;wBAEF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;oBACzB,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,gCAAgC;YAClC,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF,eAAe,mBAAmB,CAAC"}

package/dist/scanners/sanitization/index.test.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Input Sanitization Security Scanner Tests
+ */
+export {};
+//# sourceMappingURL=index.test.d.ts.map

package/dist/scanners/sanitization/index.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.test.d.ts","sourceRoot":"","sources":["../../../src/scanners/sanitization/index.test.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/scanners/sanitization/index.test.js

@@ -0,0 +1,370 @@
+/**
+ * Input Sanitization Security Scanner Tests
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { sanitizationScanner } from './index.js';
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as os from 'os';
+describe('Input Sanitization Security Scanner', () => {
+    let tempDir = '';
+    let testFiles = [];
+    beforeEach(async () => {
+        tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'sanitize-test-'));
+    });
+    afterEach(async () => {
+        // Cleanup
+        for (const file of testFiles) {
+            try {
+                await fs.unlink(file);
+            }
+            catch {
+                // Ignore
+            }
+        }
+        try {
+            await fs.rm(tempDir, { recursive: true, force: true });
+        }
+        catch {
+            // Ignore
+        }
+        testFiles = [];
+    });
+    async function createTestFile(filename, content) {
+        const filePath = path.join(tempDir, filename);
+        await fs.writeFile(filePath, content, 'utf-8');
+        testFiles.push(filePath);
+        return filePath;
+    }
+    const scanOptions = {
+        path: tempDir,
+    };
+    describe('SANITIZE-001: Unsanitized User Input in Database Operations', () => {
+        it('should detect req.body in insert operation', async () => {
+            const file = await createTestFile('db-insert.ts', `
+// VIOLATION SANITIZE-001: Direct req.body in insert
+app.post('/users', async (req, res) => {
+  await db.insert('users').values(req.body);
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            const sanitizeFindings = findings.filter((f) => f.id === 'SANITIZE-001');
+            expect(sanitizeFindings.length).toBeGreaterThan(0);
+            expect(sanitizeFindings[0].severity).toBe('critical');
+        });
+        it('should detect req.params in query operation', async () => {
+            const file = await createTestFile('db-query.ts', `
+// VIOLATION SANITIZE-001: Direct req.params in query
+app.get('/users/:id', async (req, res) => {
+  const user = await db.query('SELECT * FROM users WHERE id = ' + req.params.id);
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'SANITIZE-001')).toBe(true);
+        });
+        it('should detect req.query in where clause', async () => {
+            const file = await createTestFile('db-where.ts', `
+// VIOLATION SANITIZE-001: Direct req.query in where
+app.get('/search', async (req, res) => {
+  const results = await db.select().from('users').where('name', req.query.name);
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'SANITIZE-001')).toBe(true);
+        });
+        it('should detect req.body in update operation', async () => {
+            const file = await createTestFile('db-update.ts', `
+// VIOLATION SANITIZE-001: Direct req.body in update
+app.put('/users/:id', async (req, res) => {
+  await db.update('users').set(req.body).where({ id: req.params.id });
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            const sanitizeFindings = findings.filter((f) => f.id === 'SANITIZE-001');
+            expect(sanitizeFindings.length).toBeGreaterThan(0);
+        });
+        it('should detect req.body in Prisma create', async () => {
+            const file = await createTestFile('prisma-create.ts', `
+// VIOLATION SANITIZE-001: Direct req.body in Prisma
+app.post('/users', async (req, res) => {
+  const user = await prisma.user.create({ data: req.body });
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'SANITIZE-001')).toBe(true);
+        });
+        it('should detect req.body in Mongoose create', async () => {
+            const file = await createTestFile('mongoose-create.ts', `
+// VIOLATION SANITIZE-001: Direct req.body in Mongoose
+app.post('/users', async (req, res) => {
+  await User.create(req.body);
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'SANITIZE-001')).toBe(true);
+        });
+        it('should detect SQL template literals with req.query', async () => {
+            const file = await createTestFile('sql-template.ts', `
+// VIOLATION SANITIZE-001: SQL injection via template literal
+app.get('/users', async (req, res) => {
+  const results = await db.query(\`SELECT * FROM users WHERE email = '\${req.query.email}'\`);
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'SANITIZE-001')).toBe(true);
+        });
+        it('should detect raw SQL concatenation', async () => {
+            const file = await createTestFile('sql-concat.ts', `
+// VIOLATION SANITIZE-001: SQL injection via concatenation
+app.get('/search', async (req, res) => {
+  const sql = 'SELECT * FROM products WHERE name = ' + req.query.name;
+  await db.execute(sql);
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'SANITIZE-001')).toBe(true);
+        });
+        it('should NOT flag when Zod validation is used', async () => {
+            const file = await createTestFile('zod-validation.ts', `
+// SECURE: Zod validation before DB operation
+import { z } from 'zod';
+
+const userSchema = z.object({
+  name: z.string(),
+  email: z.string().email(),
+});
+
+app.post('/users', async (req, res) => {
+  const validated = userSchema.parse(req.body);
+  await db.insert('users').values(validated);
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            const sanitizeFindings = findings.filter((f) => f.id === 'SANITIZE-001');
+            expect(sanitizeFindings.length).toBe(0);
+        });
+        it('should NOT flag when Joi validation is used', async () => {
+            const file = await createTestFile('joi-validation.ts', `
+// SECURE: Joi validation
+const Joi = require('joi');
+const schema = Joi.object({ name: Joi.string() });
+
+app.post('/users', async (req, res) => {
+  const { value } = schema.validate(req.body);
+  await db.insert('users').values(value);
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            const sanitizeFindings = findings.filter((f) => f.id === 'SANITIZE-001');
+            expect(sanitizeFindings.length).toBe(0);
+        });
+        it('should NOT flag when Yup validation is used', async () => {
+            const file = await createTestFile('yup-validation.ts', `
+// SECURE: Yup validation
+import * as yup from 'yup';
+
+const schema = yup.object({ email: yup.string().email() });
+
+app.post('/users', async (req, res) => {
+  const validated = await schema.validate(req.body);
+  await db.insert('users').values(validated);
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            const sanitizeFindings = findings.filter((f) => f.id === 'SANITIZE-001');
+            expect(sanitizeFindings.length).toBe(0);
+        });
+        it('should NOT flag when custom validation function is used', async () => {
+            const file = await createTestFile('custom-validation.ts', `
+// SECURE: Custom validation
+app.post('/users', async (req, res) => {
+  const sanitized = sanitizeUserInput(req.body);
+  await db.insert('users').values(sanitized);
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            const sanitizeFindings = findings.filter((f) => f.id === 'SANITIZE-001');
+            expect(sanitizeFindings.length).toBe(0);
+        });
+        it('should NOT flag when safeParse is used', async () => {
+            const file = await createTestFile('safe-parse.ts', `
+// SECURE: safeParse validation
+const result = schema.safeParse(req.body);
+if (result.success) {
+  await db.insert('users').values(result.data);
+}
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            const sanitizeFindings = findings.filter((f) => f.id === 'SANITIZE-001');
+            expect(sanitizeFindings.length).toBe(0);
+        });
+    });
+    describe('SANITIZE-002: Insecure File Upload Configuration', () => {
+        it('should detect multer without fileFilter', async () => {
+            const file = await createTestFile('multer-basic.ts', `
+// VIOLATION SANITIZE-002: Multer without validation
+const upload = multer({ dest: 'uploads/' });
+app.post('/upload', upload.single('file'), (req, res) => {
+  res.send('File uploaded');
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            const sanitizeFindings = findings.filter((f) => f.id === 'SANITIZE-002');
+            expect(sanitizeFindings.length).toBeGreaterThan(0);
+            expect(sanitizeFindings[0].severity).toBe('high');
+        });
+        it('should detect multer without limits', async () => {
+            const file = await createTestFile('multer-no-limits.ts', `
+// VIOLATION SANITIZE-002: Multer without file size limits
+const upload = multer({
+  storage: multer.diskStorage({
+    destination: 'uploads/',
+    filename: (req, file, cb) => cb(null, file.originalname)
+  })
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'SANITIZE-002')).toBe(true);
+        });
+        it('should detect formidable without validation', async () => {
+            const file = await createTestFile('formidable-basic.ts', `
+// VIOLATION SANITIZE-002: Formidable without validation
+app.post('/upload', (req, res) => {
+  const form = new formidable.IncomingForm({ uploadDir: './uploads' });
+  form.parse(req);
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'SANITIZE-002')).toBe(true);
+        });
+        it('should detect Busboy without limits', async () => {
+            const file = await createTestFile('busboy-basic.ts', `
+// VIOLATION SANITIZE-002: Busboy without limits
+const busboy = new Busboy({ headers: req.headers });
+busboy.on('file', (fieldname, file, filename) => {
+  file.pipe(fs.createWriteStream('./uploads/' + filename));
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'SANITIZE-002')).toBe(true);
+        });
+        it('should NOT flag multer with fileFilter', async () => {
+            const file = await createTestFile('multer-secure.ts', `
+// SECURE: Multer with fileFilter and limits
+const upload = multer({
+  dest: 'uploads/',
+  fileFilter: (req, file, cb) => {
+    const allowedMimes = ['image/jpeg', 'image/png'];
+    if (allowedMimes.includes(file.mimetype)) {
+      cb(null, true);
+    } else {
+      cb(new Error('Invalid file type'));
+    }
+  },
+  limits: { fileSize: 5 * 1024 * 1024 }
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            const sanitizeFindings = findings.filter((f) => f.id === 'SANITIZE-002');
+            expect(sanitizeFindings.length).toBe(0);
+        });
+        it('should NOT flag multer with mimetype validation', async () => {
+            const file = await createTestFile('multer-mimetype.ts', `
+// SECURE: Multer with mimetype validation
+const upload = multer({
+  storage: multer.diskStorage({
+    destination: 'uploads/',
+    filename: (req, file, cb) => {
+      if (!file.mimetype.startsWith('image/')) {
+        return cb(new Error('Invalid file type'));
+      }
+      cb(null, file.originalname);
+    }
+  })
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            const sanitizeFindings = findings.filter((f) => f.id === 'SANITIZE-002');
+            expect(sanitizeFindings.length).toBe(0);
+        });
+        it('should NOT flag formidable with file validation', async () => {
+            const file = await createTestFile('formidable-secure.ts', `
+// SECURE: Formidable with validation
+const form = new formidable.IncomingForm({
+  uploadDir: './uploads',
+  maxFileSize: 10 * 1024 * 1024,
+  filter: function ({ name, originalFilename, mimetype }) {
+    return mimetype && mimetype.includes('image');
+  }
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            const sanitizeFindings = findings.filter((f) => f.id === 'SANITIZE-002');
+            expect(sanitizeFindings.length).toBe(0);
+        });
+        it('should NOT flag Busboy with limits and validation', async () => {
+            const file = await createTestFile('busboy-secure.ts', `
+// SECURE: Busboy with limits
+const busboy = new Busboy({
+  headers: req.headers,
+  limits: {
+    fileSize: 10 * 1024 * 1024,
+    files: 1
+  }
+});
+
+busboy.on('file', (fieldname, file, filename, encoding, mimetype) => {
+  if (!mimetype.startsWith('image/')) {
+    file.resume();
+    return;
+  }
+  file.pipe(fs.createWriteStream('./uploads/' + filename));
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            const sanitizeFindings = findings.filter((f) => f.id === 'SANITIZE-002');
+            expect(sanitizeFindings.length).toBe(0);
+        });
+    });
+    describe('Combined violations', () => {
+        it('should detect both SANITIZE-001 and SANITIZE-002 in same file', async () => {
+            const file = await createTestFile('combined.ts', `
+const upload = multer({ dest: 'uploads/' });
+
+app.post('/upload-profile', upload.single('avatar'), async (req, res) => {
+  await db.insert('users').values(req.body);
+});
+`);
+            const findings = await sanitizationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'SANITIZE-001')).toBe(true);
+            expect(findings.some((f) => f.id === 'SANITIZE-002')).toBe(true);
+        });
+    });
+    it('should provide correct HIPAA references', async () => {
+        const file = await createTestFile('hipaa-refs.ts', `
+app.post('/test', async (req, res) => {
+  await db.insert('users').values(req.body);
+  const upload = multer({ dest: 'uploads/' });
+});
+`);
+        const findings = await sanitizationScanner.scan([file], scanOptions);
+        const sanitize001 = findings.find((f) => f.id === 'SANITIZE-001');
+        const sanitize002 = findings.find((f) => f.id === 'SANITIZE-002');
+        expect(sanitize001?.hipaaReference).toContain('NPRM Anti-malware');
+        expect(sanitize002?.hipaaReference).toContain('NPRM Anti-malware');
+    });
+    it('should have correct severity levels', async () => {
+        const file = await createTestFile('severity.ts', `
+app.post('/test', async (req, res) => {
+  await db.query(req.body);
+});
+const upload = multer({});
+`);
+        const findings = await sanitizationScanner.scan([file], scanOptions);
+        const sanitize001 = findings.find((f) => f.id === 'SANITIZE-001');
+        const sanitize002 = findings.find((f) => f.id === 'SANITIZE-002');
+        expect(sanitize001?.severity).toBe('critical');
+        expect(sanitize002?.severity).toBe('high');
+    });
+});
+//# sourceMappingURL=index.test.js.map

package/dist/scanners/sanitization/index.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.test.js","sourceRoot":"","sources":["../../../src/scanners/sanitization/index.test.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAEjD,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAClC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AAEzB,QAAQ,CAAC,qCAAqC,EAAE,GAAG,EAAE;IACnD,IAAI,OAAO,GAAW,EAAE,CAAC;IACzB,IAAI,SAAS,GAAa,EAAE,CAAC;IAE7B,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,gBAAgB,CAAC,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,UAAU;QACV,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,SAAS,GAAG,EAAE,CAAC;IACjB,CAAC,CAAC,CAAC;IAEH,KAAK,UAAU,cAAc,CAC3B,QAAgB,EAChB,OAAe;QAEf,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC9C,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC/C,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,WAAW,GAAgB;QAC/B,IAAI,EAAE,OAAO;KACd,CAAC;IAEF,QAAQ,CAAC,6DAA6D,EAAE,GAAG,EAAE;QAC3E,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;YAC1D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC;YACzE,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACnD,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;YACvD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;YAC1D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC;YACzE,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;YACvD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,kBAAkB,EAClB;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;YACzD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,oBAAoB,EACpB;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;YAClE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACnD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,mBAAmB,EACnB;;;;;;;;;;;;;CAaP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC;YACzE,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,mBAAmB,EACnB;;;;;;;;;CASP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC;YACzE,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,mBAAmB,EACnB;;;;;;;;;;CAUP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC;YACzE,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;YACvE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,sBAAsB,EACtB;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC;YACzE,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC;YACzE,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAChE,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;YACvD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC;YACzE,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACnD,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACnD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,qBAAqB,EACrB;;;;;;;;CAQP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,qBAAqB,EACrB;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACnD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,kBAAkB,EAClB;;;;;;;;;;;;;;CAcP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC;YACzE,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;YAC/D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,oBAAoB,EACpB;;;;;;;;;;;;;CAaP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC;YACzE,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;YAC/D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,sBAAsB,EACtB;;;;;;;;;CASP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC;YACzE,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;YACjE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,kBAAkB,EAClB;;;;;;;;;;;;;;;;;CAiBP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC;YACzE,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACnC,EAAE,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;YAC7E,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACrE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;;;CAKL,CACI,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;QACrE,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC;QAClE,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC;QAElE,MAAM,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACnE,MAAM,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;;;;CAKL,CACI,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;QACrE,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC;QAClE,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,CAAC,CAAC;QAElE,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC/C,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}