npm - verimu - Versions diffs - 0.0.2 → 0.0.3 - Mend

verimu 0.0.2 → 0.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/generate-sbom.ts","../src/scan.ts","../src/scanners/npm/npm-scanner.ts","../src/core/errors.ts","../src/scanners/nuget/nuget-scanner.ts","../src/scanners/cargo/cargo-scanner.ts","../src/scanners/registry.ts","../src/sbom/cyclonedx.ts","../src/cve/osv.ts","../src/cve/aggregator.ts","../src/reporters/console.ts"],"sourcesContent":["import { randomUUID } from 'crypto';\nimport type {\n GenerateSbomInput,\n GenerateSbomResult,\n SbomDependency,\n Ecosystem,\n} from './core/types.js';\n\n/*\n Generates an NTIA-compliant CycloneDX 1.7 SBOM from structured dependency data.\n \n This is a pure function — no filesystem access, no network calls, no side effects.\n * It takes a project name, version, and list of dependencies, and returns a complete\n * CycloneDX 1.7 JSON SBOM that passes NTIA minimum-element validation.\n \n @example\n * ```ts\n * import { generateSbom } from 'verimu';\n \n const result = generateSbom({\n * projectName: 'my-app',\n * projectVersion: '1.0.0',\n * dependencies: [\n * { name: 'express', version: '4.18.2', ecosystem: 'npm' },\n * { name: '@types/node', version: '20.11.5', ecosystem: 'npm', direct: false },\n * ],\n * });\n \n console.log(result.componentCount); // 2\n * console.log(result.content); // formatted JSON string\n * ```\n /\nexport function generateSbom(input: GenerateSbomInput): GenerateSbomResult {\n const {\n projectName,\n projectVersion = '0.0.0',\n dependencies,\n } = input;\n\n const timestamp = new Date().toISOString();\n\n // Resolve PURLs for any deps that don't have one\n const resolvedDeps = dependencies.map((dep) => ({\n ...dep,\n direct: dep.direct ?? true,\n purl: dep.purl ?? buildPurl(dep.name, dep.version, dep.ecosystem),\n }));\n\n const rootPurl = buildPurl(projectName, projectVersion, 'npm');\n\n const sbom = {\n $schema: 'http://cyclonedx.org/schema/bom-1.7.schema.json',\n bomFormat: 'CycloneDX',\n specVersion: '1.7',\n serialNumber: `urn:uuid:${randomUUID()}`,\n version: 1,\n metadata: {\n timestamp,\n tools: {\n components: [\n {\n type: 'application',\n name: 'verimu',\n version: '0.0.1',\n description: 'Verimu CRA Compliance Scanner',\n supplier: { name: 'Verimu' },\n externalReferences: [\n { type: 'website', url: 'https://verimu.com' },\n ],\n },\n ],\n },\n supplier: { name: projectName },\n component: {\n type: 'application',\n name: projectName,\n version: projectVersion,\n 'bom-ref': rootPurl,\n supplier: { name: projectName },\n },\n },\n components: resolvedDeps.map((dep) => ({\n type: 'library',\n name: dep.name,\n version: dep.version,\n purl: dep.purl,\n 'bom-ref': dep.purl,\n scope: dep.direct ? 'required' : 'optional',\n supplier: { name: deriveSupplierName(dep.name) },\n })),\n dependencies: [\n {\n ref: rootPurl,\n dependsOn: resolvedDeps.map((d) => d.purl),\n },\n ],\n };\n\n const content = JSON.stringify(sbom, null, 2);\n\n return {\n sbom,\n content,\n componentCount: resolvedDeps.length,\n specVersion: '1.7',\n generatedAt: timestamp,\n };\n}\n\n// ─── Internal helpers ───────────────────────────────────────────\n\nconst PURL_TYPE_MAP: Record<Ecosystem, string> = {\n npm: 'npm',\n nuget: 'nuget',\n cargo: 'cargo',\n maven: 'maven',\n pip: 'pypi',\n go: 'golang',\n};\n\n/\n Builds a Package URL (purl) per the purl spec.\n \n For npm scoped packages, the @ prefix is percent-encoded as %40:\n * @types/node@20.11.5 → pkg:npm/%40types/node@20.11.5\n \n See: https://github.com/package-url/purl-spec/blob/main/types-doc/npm-definition.md\n /\nfunction buildPurl(name: string, version: string, ecosystem: Ecosystem): string {\n const type = PURL_TYPE_MAP[ecosystem] \|\| ecosystem;\n\n if (ecosystem === 'npm' && name.startsWith('@')) {\n return `pkg:${type}/%40${name.slice(1)}@${version}`;\n }\n\n return `pkg:${type}/${name}@${version}`;\n}\n\n/\n Derives supplier name from a package name.\n * Scoped packages: \"@vue/reactivity\" → \"@vue\"\n * Unscoped packages: \"express\" → \"express\"\n /\nfunction deriveSupplierName(packageName: string): string {\n if (packageName.startsWith('@')) {\n return packageName.split('/')[0];\n }\n return packageName;\n}\n","import { writeFile } from 'fs/promises';\nimport { ScannerRegistry } from './scanners/registry.js';\nimport { CycloneDxGenerator } from './sbom/cyclonedx.js';\nimport { CveAggregator } from './cve/aggregator.js';\nimport { ConsoleReporter } from './reporters/console.js';\nimport type { VerimuConfig, VerimuReport, Severity } from './core/types.js';\n\n/\n Main scan pipeline — orchestrates the full Verimu workflow:\n * 1. Detect ecosystem & parse lockfile\n * 2. Generate CycloneDX SBOM\n * 3. Check dependencies for CVEs\n * 4. Produce report\n * 5. Optionally upload snapshot to Verimu API\n /\nexport async function scan(config: VerimuConfig): Promise<VerimuReport> {\n const {\n projectPath,\n sbomOutput = './sbom.cdx.json',\n skipCveCheck = false,\n } = config;\n\n // 1. Scan dependencies\n const registry = new ScannerRegistry();\n const scanResult = await registry.detectAndScan(projectPath);\n\n // 2. Generate SBOM\n const sbomGenerator = new CycloneDxGenerator();\n const sbom = sbomGenerator.generate(scanResult);\n\n // 3. Write SBOM to disk\n await writeFile(sbomOutput, sbom.content, 'utf-8');\n\n // 4. Check CVEs (unless skipped)\n let cveCheck;\n if (skipCveCheck) {\n cveCheck = {\n vulnerabilities: [],\n sourcesQueried: [],\n sourceErrors: [],\n checkDurationMs: 0,\n };\n } else {\n const aggregator = new CveAggregator();\n cveCheck = await aggregator.check(scanResult.dependencies);\n }\n\n // 5. Build report\n const summary = {\n totalDependencies: scanResult.dependencies.length,\n totalVulnerabilities: cveCheck.vulnerabilities.length,\n critical: cveCheck.vulnerabilities.filter((v) => v.severity === 'CRITICAL').length,\n high: cveCheck.vulnerabilities.filter((v) => v.severity === 'HIGH').length,\n medium: cveCheck.vulnerabilities.filter((v) => v.severity === 'MEDIUM').length,\n low: cveCheck.vulnerabilities.filter((v) => v.severity === 'LOW').length,\n exploitedInWild: cveCheck.vulnerabilities.filter((v) => v.exploitedInWild).length,\n };\n\n const report: VerimuReport = {\n project: {\n path: projectPath,\n ecosystem: scanResult.ecosystem,\n dependencyCount: scanResult.dependencies.length,\n },\n sbom,\n cveCheck,\n summary,\n generatedAt: new Date().toISOString(),\n };\n\n return report;\n}\n\n/\n Determines if the scan should fail CI based on severity threshold.\n /\nexport function shouldFailCi(report: VerimuReport, threshold: Severity): boolean {\n const severityOrder: Record<Severity, number> = {\n CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, UNKNOWN: 4,\n };\n const thresholdLevel = severityOrder[threshold] ?? 4;\n\n return report.cveCheck.vulnerabilities.some(\n (v) => severityOrder[v.severity] <= thresholdLevel\n );\n}\n\n/\n Prints a console report to stdout.\n /\nexport function printReport(report: VerimuReport): void {\n const reporter = new ConsoleReporter();\n console.log(reporter.report(report));\n}\n","import { readFile } from 'fs/promises';\nimport { existsSync } from 'fs';\nimport path from 'path';\nimport type { DependencyScanner } from '../scanner.interface.js';\nimport type { Dependency, Ecosystem, ScanResult } from '../../core/types.js';\nimport { LockfileParseError } from '../../core/errors.js';\n\n/\n npm / Node.js dependency scanner.\n \n Parses package-lock.json (v2/v3 format) to extract the full\n * resolved dependency tree. Also reads package.json to determine\n * which dependencies are direct vs transitive.\n /\nexport class NpmScanner implements DependencyScanner {\n readonly ecosystem: Ecosystem = 'npm';\n readonly lockfileNames = ['package-lock.json'];\n\n async detect(projectPath: string): Promise<string \| null> {\n const lockfilePath = path.join(projectPath, 'package-lock.json');\n return existsSync(lockfilePath) ? lockfilePath : null;\n }\n\n async scan(projectPath: string, lockfilePath: string): Promise<ScanResult> {\n const [lockfileRaw, packageJsonRaw] = await Promise.all([\n readFile(lockfilePath, 'utf-8'),\n readFile(path.join(projectPath, 'package.json'), 'utf-8').catch(() => null),\n ]);\n\n let lockfile: NpmLockfile;\n try {\n lockfile = JSON.parse(lockfileRaw);\n } catch {\n throw new LockfileParseError(lockfilePath, 'Invalid JSON');\n }\n\n // Determine direct dependency names from package.json\n const directNames = new Set<string>();\n if (packageJsonRaw) {\n try {\n const pkg = JSON.parse(packageJsonRaw);\n for (const name of Object.keys(pkg.dependencies ?? {})) {\n directNames.add(name);\n }\n for (const name of Object.keys(pkg.devDependencies ?? {})) {\n directNames.add(name);\n }\n } catch {\n // If package.json can't be parsed, all deps are \"unknown\" direct status\n }\n }\n\n const dependencies = this.parseLockfile(lockfile, directNames);\n\n return {\n projectPath,\n ecosystem: 'npm',\n dependencies,\n lockfilePath,\n scannedAt: new Date().toISOString(),\n };\n }\n\n /\n Parses package-lock.json and extracts dependencies.\n * Supports lockfile v2 and v3 (uses the `packages` field).\n * Falls back to `dependencies` field for lockfile v1.\n /\n private parseLockfile(lockfile: NpmLockfile, directNames: Set<string>): Dependency[] {\n const deps: Dependency[] = [];\n\n if (lockfile.packages) {\n // Lockfile v2/v3: `packages` is a flat map of \"node_modules/name\" → info\n for (const [pkgPath, pkgInfo] of Object.entries(lockfile.packages)) {\n // Skip the root package (empty string key)\n if (pkgPath === '') continue;\n\n // Extract package name from the path\n // e.g., \"node_modules/express\" → \"express\"\n // e.g., \"node_modules/@types/node\" → \"@types/node\"\n const name = this.extractPackageName(pkgPath);\n if (!name \|\| !pkgInfo.version) continue;\n\n // Skip link: true entries (workspace references)\n if (pkgInfo.link) continue;\n\n deps.push({\n name,\n version: pkgInfo.version,\n direct: directNames.has(name),\n ecosystem: 'npm',\n purl: this.buildPurl(name, pkgInfo.version),\n });\n }\n } else if (lockfile.dependencies) {\n // Lockfile v1 fallback: `dependencies` is a nested tree\n this.parseDependenciesV1(lockfile.dependencies, directNames, deps);\n }\n\n return deps;\n }\n\n /\n Builds a purl (Package URL) for an npm package.\n \n Per the purl spec (https://github.com/package-url/purl-spec/blob/main/types-doc/npm-definition.md):\n * \"The npm scope @ sign prefix is always percent encoded.\"\n \n So @types/node@20.11.5 → pkg:npm/%40types/node@20.11.5\n * And express@4.18.2 → pkg:npm/express@4.18.2\n /\n private buildPurl(name: string, version: string): string {\n if (name.startsWith('@')) {\n // Scoped: encode the @ as %40 per purl spec\n return `pkg:npm/%40${name.slice(1)}@${version}`;\n }\n return `pkg:npm/${name}@${version}`;\n }\n\n /* Extracts the package name from a node_modules path /\n private extractPackageName(pkgPath: string): string \| null {\n // \"node_modules/@scope/name\" → \"@scope/name\"\n // \"node_modules/name\" → \"name\"\n // \"node_modules/a/node_modules/b\" → \"b\" (nested)\n const parts = pkgPath.split('node_modules/');\n const last = parts[parts.length - 1];\n return last \|\| null;\n }\n\n /* Recursively parses lockfile v1 `dependencies` tree /\n private parseDependenciesV1(\n depsObj: Record<string, NpmLockfileV1Dep>,\n directNames: Set<string>,\n result: Dependency[]\n ): void {\n for (const [name, info] of Object.entries(depsObj)) {\n if (info.version) {\n result.push({\n name,\n version: info.version,\n direct: directNames.has(name),\n ecosystem: 'npm',\n purl: this.buildPurl(name, info.version),\n });\n }\n // Recurse into nested dependencies\n if (info.dependencies) {\n this.parseDependenciesV1(info.dependencies, directNames, result);\n }\n }\n }\n}\n\n// ─── Types for package-lock.json parsing ─────────────────────────\n\ninterface NpmLockfile {\n name?: string;\n version?: string;\n lockfileVersion?: number;\n packages?: Record<string, NpmLockfilePackage>;\n dependencies?: Record<string, NpmLockfileV1Dep>;\n}\n\ninterface NpmLockfilePackage {\n version?: string;\n resolved?: string;\n integrity?: string;\n dev?: boolean;\n optional?: boolean;\n link?: boolean;\n dependencies?: Record<string, string>;\n devDependencies?: Record<string, string>;\n}\n\ninterface NpmLockfileV1Dep {\n version?: string;\n resolved?: string;\n integrity?: string;\n requires?: Record<string, string>;\n dependencies?: Record<string, NpmLockfileV1Dep>;\n}\n","/* Base error for all Verimu errors /\nexport class VerimuError extends Error {\n constructor(message: string, public readonly code: string) {\n super(message);\n this.name = 'VerimuError';\n }\n}\n\n/* Thrown when no supported lockfile is found /\nexport class NoLockfileError extends VerimuError {\n constructor(projectPath: string) {\n super(\n `No supported lockfile found in ${projectPath}. ` +\n `Supported: package-lock.json (npm), packages.lock.json (NuGet), Cargo.lock (Rust)`,\n 'NO_LOCKFILE'\n );\n this.name = 'NoLockfileError';\n }\n}\n\n/* Thrown when lockfile parsing fails /\nexport class LockfileParseError extends VerimuError {\n constructor(lockfilePath: string, reason: string) {\n super(`Failed to parse ${lockfilePath}: ${reason}`, 'LOCKFILE_PARSE_ERROR');\n this.name = 'LockfileParseError';\n }\n}\n\n/* Thrown when a CVE source query fails /\nexport class CveSourceError extends VerimuError {\n constructor(source: string, reason: string) {\n super(`CVE source \"${source}\" failed: ${reason}`, 'CVE_SOURCE_ERROR');\n this.name = 'CveSourceError';\n }\n}\n\n/* Thrown when API key is required but missing /\nexport class ApiKeyRequiredError extends VerimuError {\n constructor(feature: string) {\n super(\n `API key required for \"${feature}\". Get one at https://verimu.com/dashboard`,\n 'API_KEY_REQUIRED'\n );\n this.name = 'ApiKeyRequiredError';\n }\n}\n","import type { DependencyScanner } from '../scanner.interface.js';\nimport type { Ecosystem, ScanResult } from '../../core/types.js';\n\n/\n C# / NuGet dependency scanner (STUB).\n \n TODO: Implement parsing of:\n * - packages.lock.json (NuGet lock file)\n * - .csproj files (for direct dependency list)\n /\nexport class NugetScanner implements DependencyScanner {\n readonly ecosystem: Ecosystem = 'nuget';\n readonly lockfileNames = ['packages.lock.json'];\n\n async detect(_projectPath: string): Promise<string \| null> {\n // TODO: Check for packages.lock.json\n return null;\n }\n\n async scan(_projectPath: string, _lockfilePath: string): Promise<ScanResult> {\n throw new Error('NuGet scanner not yet implemented. Coming soon.');\n }\n}\n","import type { DependencyScanner } from '../scanner.interface.js';\nimport type { Ecosystem, ScanResult } from '../../core/types.js';\n\n/*\n Rust / Cargo dependency scanner (STUB).\n \n TODO: Implement parsing of:\n * - Cargo.lock (resolved dependency tree)\n * - Cargo.toml (for direct dependency list)\n /\nexport class CargoScanner implements DependencyScanner {\n readonly ecosystem: Ecosystem = 'cargo';\n readonly lockfileNames = ['Cargo.lock'];\n\n async detect(_projectPath: string): Promise<string \| null> {\n // TODO: Check for Cargo.lock\n return null;\n }\n\n async scan(_projectPath: string, _lockfilePath: string): Promise<ScanResult> {\n throw new Error('Cargo scanner not yet implemented. Coming soon.');\n }\n}\n","import type { DependencyScanner } from './scanner.interface.js';\nimport type { ScanResult } from '../core/types.js';\nimport { NpmScanner } from './npm/npm-scanner.js';\nimport { NugetScanner } from './nuget/nuget-scanner.js';\nimport { CargoScanner } from './cargo/cargo-scanner.js';\nimport { NoLockfileError } from '../core/errors.js';\n\n/\n Registry of all available dependency scanners.\n * Auto-detects the correct scanner for a given project.\n /\nexport class ScannerRegistry {\n private scanners: DependencyScanner[];\n\n constructor() {\n this.scanners = [\n new NpmScanner(),\n new NugetScanner(),\n new CargoScanner(),\n // Add new scanners here as they're implemented\n ];\n }\n\n /\n Auto-detects the project's ecosystem and scans dependencies.\n * Tries each registered scanner in order until one matches.\n /\n async detectAndScan(projectPath: string): Promise<ScanResult> {\n for (const scanner of this.scanners) {\n const lockfilePath = await scanner.detect(projectPath);\n if (lockfilePath) {\n return scanner.scan(projectPath, lockfilePath);\n }\n }\n throw new NoLockfileError(projectPath);\n }\n\n /* Returns a specific scanner by ecosystem name /\n getScanner(ecosystem: string): DependencyScanner \| undefined {\n return this.scanners.find((s) => s.ecosystem === ecosystem);\n }\n\n /* Lists all registered ecosystems /\n listEcosystems(): string[] {\n return this.scanners.map((s) => s.ecosystem);\n }\n}\n","import { randomUUID } from 'crypto';\nimport type { SbomGenerator } from './generator.interface.js';\nimport type { ScanResult, Sbom, SbomFormat, Dependency } from '../core/types.js';\n\n/\n Generates CycloneDX 1.7 JSON SBOMs.\n \n CycloneDX is the preferred SBOM format for CRA compliance.\n * Spec: https://cyclonedx.org/docs/1.7/json/\n \n NTIA minimum elements are satisfied:\n * - metadata.supplier (supplier of the root software)\n * - components[].supplier (supplier of each dependency)\n * - components[].name, version, purl, bom-ref\n * - dependencies[] graph\n /\nexport class CycloneDxGenerator implements SbomGenerator {\n readonly format: SbomFormat = 'cyclonedx-json';\n\n generate(scanResult: ScanResult, toolVersion: string = '0.1.0'): Sbom {\n const bom = this.buildBom(scanResult, toolVersion);\n const content = JSON.stringify(bom, null, 2);\n\n return {\n format: 'cyclonedx-json',\n specVersion: '1.7',\n content,\n componentCount: scanResult.dependencies.length,\n generatedAt: new Date().toISOString(),\n };\n }\n\n private buildBom(scanResult: ScanResult, toolVersion: string): CycloneDxBom {\n const projectName = this.extractProjectName(scanResult.projectPath);\n\n return {\n $schema: 'http://cyclonedx.org/schema/bom-1.7.schema.json',\n bomFormat: 'CycloneDX',\n specVersion: '1.7',\n serialNumber: `urn:uuid:${randomUUID()}`,\n version: 1,\n metadata: {\n timestamp: new Date().toISOString(),\n tools: {\n components: [\n {\n type: 'application',\n name: 'verimu',\n version: toolVersion,\n description: 'Verimu CRA Compliance Scanner',\n supplier: { name: 'Verimu' },\n externalReferences: [\n {\n type: 'website',\n url: 'https://verimu.com',\n },\n ],\n },\n ],\n },\n // NTIA: metadata.supplier — the org supplying the root software\n supplier: {\n name: projectName,\n },\n component: {\n type: 'application',\n name: projectName,\n 'bom-ref': 'root-component',\n supplier: { name: projectName },\n },\n },\n components: scanResult.dependencies.map((dep) => this.toComponent(dep)),\n dependencies: this.buildDependencyGraph(scanResult),\n };\n }\n\n /* Converts a Verimu Dependency to a CycloneDX component /\n private toComponent(dep: Dependency): CycloneDxComponent {\n return {\n type: 'library',\n name: dep.name,\n version: dep.version,\n purl: dep.purl,\n 'bom-ref': dep.purl,\n scope: dep.direct ? 'required' : 'optional',\n // NTIA: component.supplier — derived from npm scope or package name\n supplier: {\n name: this.deriveSupplierName(dep.name),\n },\n };\n }\n\n /\n Derives a supplier name from a package name.\n \n For scoped packages like \"@vue/reactivity\" → \"@vue\"\n * For unscoped packages like \"express\" → \"express\"\n \n This is the same heuristic used by Syft, Trivy, and other SBOM tools\n * when registry metadata (author/publisher) isn't available from the lockfile.\n /\n private deriveSupplierName(packageName: string): string {\n if (packageName.startsWith('@')) {\n // Scoped package: \"@scope/name\" → \"@scope\"\n const scope = packageName.split('/')[0];\n return scope;\n }\n return packageName;\n }\n\n /\n Builds the dependency graph section of the SBOM.\n \n The root component depends on all dependencies (direct + transitive).\n * This ensures a single root node in the graph, which NTIA validators expect.\n \n We include ALL deps under root (not just direct) because from a flat lockfile\n * we can't reliably reconstruct which transitive dep belongs to which direct dep.\n * This is still valid per the CycloneDX spec — it represents a complete but flat\n * dependency relationship.\n /\n private buildDependencyGraph(scanResult: ScanResult): CycloneDxDependencyEntry[] {\n const allDepPurls = scanResult.dependencies.map((d) => d.purl);\n\n return [\n {\n ref: 'root-component',\n dependsOn: allDepPurls,\n },\n ];\n }\n\n /* Extracts project name from path /\n private extractProjectName(projectPath: string): string {\n const parts = projectPath.replace(/\\\\/g, '/').split('/');\n return parts[parts.length - 1] \|\| 'unknown-project';\n }\n}\n\n// ─── CycloneDX 1.7 JSON Types ──────────────────────────────────\n\ninterface OrganizationalEntity {\n name: string;\n url?: string[];\n contact?: Array<{ name?: string; email?: string; phone?: string }>;\n}\n\ninterface CycloneDxBom {\n $schema: string;\n bomFormat: string;\n specVersion: string;\n serialNumber: string;\n version: number;\n metadata: {\n timestamp: string;\n tools: {\n components: Array<{\n type: string;\n name: string;\n version: string;\n description?: string;\n supplier?: OrganizationalEntity;\n externalReferences?: Array<{ type: string; url: string }>;\n }>;\n };\n supplier: OrganizationalEntity;\n component: {\n type: string;\n name: string;\n 'bom-ref': string;\n supplier: OrganizationalEntity;\n };\n };\n components: CycloneDxComponent[];\n dependencies: CycloneDxDependencyEntry[];\n}\n\ninterface CycloneDxComponent {\n type: string;\n name: string;\n version: string;\n purl: string;\n 'bom-ref': string;\n scope?: string;\n supplier: OrganizationalEntity;\n}\n\ninterface CycloneDxDependencyEntry {\n ref: string;\n dependsOn: string[];\n}\n","import type { CveSource } from './source.interface.js';\nimport type { Dependency, Vulnerability, VulnerabilitySource, Severity } from '../core/types.js';\n\nconst OSV_API_BASE = 'https://api.osv.dev/v1';\nconst BATCH_SIZE = 1000; // OSV querybatch supports up to 1000\n\n/\n OSV.dev (Google Open Source Vulnerabilities) CVE source.\n \n Primary CVE source for Verimu because:\n * - Supports direct package name + ecosystem + version queries\n * - Has batch query endpoint for efficiency\n * - No authentication required\n * - Covers npm, PyPI, Go, Rust, Maven, NuGet, etc.\n * - Aggregates data from GitHub Advisory, NVD, and others\n \n API docs: https://google.github.io/osv.dev/api/\n /\nexport class OsvSource implements CveSource {\n readonly sourceId: VulnerabilitySource = 'osv';\n readonly name = 'OSV.dev (Google Open Source Vulnerabilities)';\n\n private fetchFn: typeof fetch;\n\n constructor(fetchImpl?: typeof fetch) {\n // Allow injecting fetch for testing\n this.fetchFn = fetchImpl ?? globalThis.fetch;\n }\n\n async checkDependencies(dependencies: Dependency[]): Promise<Vulnerability[]> {\n if (dependencies.length === 0) return [];\n\n const allVulns: Vulnerability[] = [];\n\n // Process in batches of BATCH_SIZE\n for (let i = 0; i < dependencies.length; i += BATCH_SIZE) {\n const batch = dependencies.slice(i, i + BATCH_SIZE);\n const batchVulns = await this.queryBatch(batch);\n allVulns.push(...batchVulns);\n }\n\n return allVulns;\n }\n\n /* Uses OSV's /querybatch endpoint for efficient bulk lookups /\n private async queryBatch(dependencies: Dependency[]): Promise<Vulnerability[]> {\n const queries = dependencies.map((dep) => ({\n version: dep.version,\n package: {\n name: dep.name,\n ecosystem: this.mapEcosystem(dep.ecosystem),\n },\n }));\n\n const response = await this.fetchFn(`${OSV_API_BASE}/querybatch`, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ queries }),\n });\n\n if (!response.ok) {\n throw new Error(`OSV API error: ${response.status} ${response.statusText}`);\n }\n\n const data = (await response.json()) as OsvBatchResponse;\n const vulnerabilities: Vulnerability[] = [];\n\n // Each result in `results` corresponds to the query at the same index\n for (let i = 0; i < data.results.length; i++) {\n const result = data.results[i];\n const dep = dependencies[i];\n\n if (result.vulns && result.vulns.length > 0) {\n for (const vuln of result.vulns) {\n vulnerabilities.push(this.mapVulnerability(vuln, dep));\n }\n }\n }\n\n return vulnerabilities;\n }\n\n /* Maps an OSV vulnerability record to our Vulnerability type /\n private mapVulnerability(osvVuln: OsvVulnerability, dep: Dependency): Vulnerability {\n const cveId = this.extractCveId(osvVuln);\n const severity = this.extractSeverity(osvVuln);\n\n return {\n id: cveId \|\| osvVuln.id,\n aliases: Array.from(new Set([osvVuln.id, ...(osvVuln.aliases ?? [])])),\n summary: osvVuln.summary ?? osvVuln.details?.slice(0, 200) ?? 'No description available',\n severity: severity.level,\n cvssScore: severity.score,\n packageName: dep.name,\n ecosystem: dep.ecosystem,\n affectedVersionRange: this.extractAffectedRange(osvVuln, dep.name),\n fixedVersion: this.extractFixedVersion(osvVuln, dep.name),\n exploitedInWild: false, // OSV doesn't track this — CISA KEV does\n source: 'osv',\n referenceUrl: `https://osv.dev/vulnerability/${osvVuln.id}`,\n publishedAt: osvVuln.published,\n };\n }\n\n /* Extracts CVE ID from aliases (prefers CVE-xxxx over GHSA-xxxx) /\n private extractCveId(vuln: OsvVulnerability): string \| null {\n // Check the main ID first\n if (vuln.id.startsWith('CVE-')) return vuln.id;\n\n // Check aliases\n if (vuln.aliases) {\n const cve = vuln.aliases.find((a) => a.startsWith('CVE-'));\n if (cve) return cve;\n }\n\n return null;\n }\n\n /* Extracts severity from CVSS scores in the OSV record /\n private extractSeverity(vuln: OsvVulnerability): { level: Severity; score?: number } {\n // Try database_specific first (often has CVSS)\n if (vuln.severity && vuln.severity.length > 0) {\n for (const sev of vuln.severity) {\n if (sev.type === 'CVSS_V3') {\n const score = this.parseCvssScore(sev.score);\n if (score !== null) {\n return { level: this.scoreToSeverity(score), score };\n }\n }\n }\n }\n\n // Try to extract from database_specific\n if (vuln.database_specific?.severity) {\n const s = vuln.database_specific.severity.toUpperCase();\n if (['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'].includes(s)) {\n return { level: s as Severity };\n }\n }\n\n return { level: 'UNKNOWN' };\n }\n\n /* Parses CVSS v3 vector string to extract the base score /\n private parseCvssScore(vectorOrScore: string): number \| null {\n // Could be a raw score like \"7.5\" or a vector like \"CVSS:3.1/AV:N/AC:L/...\"\n const num = parseFloat(vectorOrScore);\n if (!isNaN(num) && num >= 0 && num <= 10) return num;\n\n // If it's a vector string, we'd need to calculate — for now return null\n // and rely on severity text\n return null;\n }\n\n /* Converts a CVSS score (0-10) to a severity level /\n private scoreToSeverity(score: number): Severity {\n if (score >= 9.0) return 'CRITICAL';\n if (score >= 7.0) return 'HIGH';\n if (score >= 4.0) return 'MEDIUM';\n if (score > 0.0) return 'LOW';\n return 'UNKNOWN';\n }\n\n /* Extracts affected version range for a specific package /\n private extractAffectedRange(vuln: OsvVulnerability, packageName: string): string \| undefined {\n if (!vuln.affected) return undefined;\n\n for (const affected of vuln.affected) {\n if (affected.package?.name === packageName && affected.ranges) {\n for (const range of affected.ranges) {\n if (range.events) {\n const introduced = range.events.find((e) => e.introduced)?.introduced;\n const fixed = range.events.find((e) => e.fixed)?.fixed;\n if (introduced && fixed) return `>=${introduced}, <${fixed}`;\n if (introduced) return `>=${introduced}`;\n }\n }\n }\n }\n return undefined;\n }\n\n /* Extracts the fixed version for a specific package /\n private extractFixedVersion(vuln: OsvVulnerability, packageName: string): string \| undefined {\n if (!vuln.affected) return undefined;\n\n for (const affected of vuln.affected) {\n if (affected.package?.name === packageName && affected.ranges) {\n for (const range of affected.ranges) {\n if (range.events) {\n const fixed = range.events.find((e) => e.fixed)?.fixed;\n if (fixed) return fixed;\n }\n }\n }\n }\n return undefined;\n }\n\n /* Maps our ecosystem names to OSV ecosystem names /\n private mapEcosystem(ecosystem: string): string {\n const map: Record<string, string> = {\n npm: 'npm',\n nuget: 'NuGet',\n cargo: 'crates.io',\n maven: 'Maven',\n pip: 'PyPI',\n go: 'Go',\n };\n return map[ecosystem] ?? ecosystem;\n }\n}\n\n// ─── OSV API Response Types ─────────────────────────────────────\n\ninterface OsvBatchResponse {\n results: Array<{\n vulns?: OsvVulnerability[];\n }>;\n}\n\ninterface OsvVulnerability {\n id: string;\n summary?: string;\n details?: string;\n aliases?: string[];\n published?: string;\n modified?: string;\n severity?: Array<{\n type: string;\n score: string;\n }>;\n affected?: Array<{\n package?: {\n name: string;\n ecosystem: string;\n };\n ranges?: Array<{\n type: string;\n events: Array<{\n introduced?: string;\n fixed?: string;\n last_affected?: string;\n }>;\n }>;\n versions?: string[];\n }>;\n database_specific?: {\n severity?: string;\n [key: string]: unknown;\n };\n references?: Array<{\n type: string;\n url: string;\n }>;\n}\n","import type { CveSource } from './source.interface.js';\nimport type { Dependency, CveCheckResult, Vulnerability, VulnerabilitySource } from '../core/types.js';\nimport { OsvSource } from './osv.js';\n\n/\n Aggregates vulnerability data from multiple CVE sources.\n * Deduplicates results by CVE ID across sources.\n /\nexport class CveAggregator {\n private sources: CveSource[];\n\n constructor(sources?: CveSource[]) {\n this.sources = sources ?? [\n new OsvSource(),\n // Future: new NvdSource(), new EuvdSource(), new CisaKevSource()\n ];\n }\n\n /\n Checks dependencies against all registered CVE sources.\n * Runs sources in parallel and merges/deduplicates results.\n /\n async check(dependencies: Dependency[]): Promise<CveCheckResult> {\n const startTime = Date.now();\n const sourcesQueried: VulnerabilitySource[] = [];\n const sourceErrors: { source: VulnerabilitySource; error: string }[] = [];\n const allVulns: Vulnerability[] = [];\n\n // Run all sources in parallel\n const results = await Promise.allSettled(\n this.sources.map(async (source) => {\n const vulns = await source.checkDependencies(dependencies);\n return { sourceId: source.sourceId, vulns };\n })\n );\n\n for (const result of results) {\n if (result.status === 'fulfilled') {\n sourcesQueried.push(result.value.sourceId);\n allVulns.push(...result.value.vulns);\n } else {\n // Extract the source ID from the error context\n const sourceIndex = results.indexOf(result);\n const sourceId = this.sources[sourceIndex].sourceId;\n sourceErrors.push({\n source: sourceId,\n error: result.reason instanceof Error ? result.reason.message : String(result.reason),\n });\n }\n }\n\n // Deduplicate by CVE ID (prefer the entry with more data)\n const deduplicated = this.deduplicateVulnerabilities(allVulns);\n\n return {\n vulnerabilities: deduplicated,\n sourcesQueried,\n sourceErrors,\n checkDurationMs: Date.now() - startTime,\n };\n }\n\n /\n Deduplicates vulnerabilities by ID.\n * When the same CVE appears from multiple sources,\n * keeps the one with more complete data (has CVSS score, has fix version, etc.)\n /\n private deduplicateVulnerabilities(vulns: Vulnerability[]): Vulnerability[] {\n const byKey = new Map<string, Vulnerability>();\n\n for (const vuln of vulns) {\n // Key by (vulnerability ID + package name) to handle the same CVE\n // affecting multiple packages\n const key = `${vuln.id}::${vuln.packageName}`;\n const existing = byKey.get(key);\n\n if (!existing) {\n byKey.set(key, vuln);\n } else {\n // Keep the one with more data\n byKey.set(key, this.pickBetterEntry(existing, vuln));\n }\n }\n\n return Array.from(byKey.values());\n }\n\n /* Picks the vulnerability entry with more complete data /\n private pickBetterEntry(a: Vulnerability, b: Vulnerability): Vulnerability {\n let scoreA = 0;\n let scoreB = 0;\n\n if (a.cvssScore !== undefined) scoreA++;\n if (b.cvssScore !== undefined) scoreB++;\n if (a.fixedVersion) scoreA++;\n if (b.fixedVersion) scoreB++;\n if (a.affectedVersionRange) scoreA++;\n if (b.affectedVersionRange) scoreB++;\n if (a.severity !== 'UNKNOWN') scoreA++;\n if (b.severity !== 'UNKNOWN') scoreB++;\n\n // Merge: start with the lesser entry, overlay with the better one.\n // Strip undefined/null values so they don't overwrite real data.\n const strip = (obj: Record<string, unknown>) =>\n Object.fromEntries(Object.entries(obj).filter(([, v]) => v !== undefined && v !== null));\n\n const winner = scoreB > scoreA\n ? { ...strip(a as unknown as Record<string, unknown>), ...strip(b as unknown as Record<string, unknown>) } as unknown as Vulnerability\n : { ...strip(b as unknown as Record<string, unknown>), ...strip(a as unknown as Record<string, unknown>) } as unknown as Vulnerability;\n\n // Merge aliases\n const allAliases = new Set([...a.aliases, ...b.aliases]);\n winner.aliases = Array.from(allAliases);\n\n // If either says exploited, it's exploited\n winner.exploitedInWild = a.exploitedInWild \|\| b.exploitedInWild;\n\n return winner;\n }\n}\n","import type { Reporter } from './reporter.interface.js';\nimport type { VerimuReport, Vulnerability, Severity } from '../core/types.js';\n\n/* Outputs a human-readable console report */\nexport class ConsoleReporter implements Reporter {\n readonly name = 'console';\n\n report(result: VerimuReport): string {\n const lines: string[] = [];\n\n lines.push('');\n lines.push('┌─────────────────────────────────────────────┐');\n lines.push('│ VERIMU CRA COMPLIANCE SCAN │');\n lines.push('└─────────────────────────────────────────────┘');\n lines.push('');\n\n // Project info\n lines.push(` Project: ${result.project.path}`);\n lines.push(` Ecosystem: ${result.project.ecosystem}`);\n lines.push(` Dependencies: ${result.project.dependencyCount}`);\n lines.push(` Scanned at: ${result.generatedAt}`);\n lines.push('');\n\n // SBOM info\n lines.push(` ✓ SBOM generated (${result.sbom.format}, ${result.sbom.specVersion})`);\n lines.push(` Components: ${result.sbom.componentCount}`);\n lines.push('');\n\n // CVE results\n const vulns = result.cveCheck.vulnerabilities;\n if (vulns.length === 0) {\n lines.push(' ✓ No known vulnerabilities found');\n } else {\n lines.push(` ⚠ ${vulns.length} vulnerabilit${vulns.length === 1 ? 'y' : 'ies'} found:`);\n lines.push('');\n\n // Sort by severity: CRITICAL → HIGH → MEDIUM → LOW → UNKNOWN\n const sorted = [...vulns].sort((a, b) => severityOrder(a.severity) - severityOrder(b.severity));\n\n for (const vuln of sorted) {\n const badge = severityBadge(vuln.severity);\n const fix = vuln.fixedVersion ? ` → fix: ${vuln.fixedVersion}` : '';\n lines.push(` ${badge} ${vuln.id}`);\n lines.push(` ${vuln.packageName}@${vuln.affectedVersionRange ?? '?'}${fix}`);\n lines.push(` ${vuln.summary.slice(0, 100)}`);\n if (vuln.exploitedInWild) {\n lines.push(` 🔴 ACTIVELY EXPLOITED — 24h CRA reporting required`);\n }\n lines.push('');\n }\n }\n\n // Sources\n const sources = result.cveCheck.sourcesQueried.join(', ');\n lines.push(` Sources queried: ${sources} (${result.cveCheck.checkDurationMs}ms)`);\n\n if (result.cveCheck.sourceErrors.length > 0) {\n for (const err of result.cveCheck.sourceErrors) {\n lines.push(` ⚠ ${err.source}: ${err.error}`);\n }\n }\n\n // Summary\n lines.push('');\n lines.push(' ─── Summary ───');\n lines.push(` Total: ${result.summary.totalVulnerabilities} \| ` +\n `Critical: ${result.summary.critical} \| ` +\n `High: ${result.summary.high} \| ` +\n `Medium: ${result.summary.medium} \| ` +\n `Low: ${result.summary.low}`);\n\n if (result.summary.exploitedInWild > 0) {\n lines.push(` 🔴 ${result.summary.exploitedInWild} actively exploited — immediate action required`);\n }\n\n lines.push('');\n return lines.join('\\n');\n }\n}\n\nfunction severityOrder(s: Severity): number {\n const order: Record<Severity, number> = {\n CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, UNKNOWN: 4,\n };\n return order[s] ?? 5;\n}\n\nfunction severityBadge(s: Severity): string {\n const badges: Record<Severity, string> = {\n CRITICAL: '[CRIT]',\n HIGH: '[HIGH]',\n MEDIUM: '[MED] ',\n LOW: '[LOW] ',\n UNKNOWN: '[???] ',\n };\n return badges[s] ?? '[???] ';\n}\n"],"mappings":";AAAA,SAAS,kBAAkB;AAgCpB,SAAS,aAAa,OAA8C;AACzE,QAAM;AAAA,IACJ;AAAA,IACA,iBAAiB;AAAA,IACjB;AAAA,EACF,IAAI;AAEJ,QAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AAGzC,QAAM,eAAe,aAAa,IAAI,CAAC,SAAS;AAAA,IAC9C,GAAG;AAAA,IACH,QAAQ,IAAI,UAAU;AAAA,IACtB,MAAM,IAAI,QAAQ,UAAU,IAAI,MAAM,IAAI,SAAS,IAAI,SAAS;AAAA,EAClE,EAAE;AAEF,QAAM,WAAW,UAAU,aAAa,gBAAgB,KAAK;AAE7D,QAAM,OAAO;AAAA,IACX,SAAS;AAAA,IACT,WAAW;AAAA,IACX,aAAa;AAAA,IACb,cAAc,YAAY,WAAW,CAAC;AAAA,IACtC,SAAS;AAAA,IACT,UAAU;AAAA,MACR;AAAA,MACA,OAAO;AAAA,QACL,YAAY;AAAA,UACV;AAAA,YACE,MAAM;AAAA,YACN,MAAM;AAAA,YACN,SAAS;AAAA,YACT,aAAa;AAAA,YACb,UAAU,EAAE,MAAM,SAAS;AAAA,YAC3B,oBAAoB;AAAA,cAClB,EAAE,MAAM,WAAW,KAAK,qBAAqB;AAAA,YAC/C;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,MACA,UAAU,EAAE,MAAM,YAAY;AAAA,MAC9B,WAAW;AAAA,QACT,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS;AAAA,QACT,WAAW;AAAA,QACX,UAAU,EAAE,MAAM,YAAY;AAAA,MAChC;AAAA,IACF;AAAA,IACA,YAAY,aAAa,IAAI,CAAC,SAAS;AAAA,MACrC,MAAM;AAAA,MACN,MAAM,IAAI;AAAA,MACV,SAAS,IAAI;AAAA,MACb,MAAM,IAAI;AAAA,MACV,WAAW,IAAI;AAAA,MACf,OAAO,IAAI,SAAS,aAAa;AAAA,MACjC,UAAU,EAAE,MAAM,mBAAmB,IAAI,IAAI,EAAE;AAAA,IACjD,EAAE;AAAA,IACF,cAAc;AAAA,MACZ;AAAA,QACE,KAAK;AAAA,QACL,WAAW,aAAa,IAAI,CAAC,MAAM,EAAE,IAAI;AAAA,MAC3C;AAAA,IACF;AAAA,EACF;AAEA,QAAM,UAAU,KAAK,UAAU,MAAM,MAAM,CAAC;AAE5C,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,gBAAgB,aAAa;AAAA,IAC7B,aAAa;AAAA,IACb,aAAa;AAAA,EACf;AACF;AAIA,IAAM,gBAA2C;AAAA,EAC/C,KAAK;AAAA,EACL,OAAO;AAAA,EACP,OAAO;AAAA,EACP,OAAO;AAAA,EACP,KAAK;AAAA,EACL,IAAI;AACN;AAUA,SAAS,UAAU,MAAc,SAAiB,WAA8B;AAC9E,QAAM,OAAO,cAAc,SAAS,KAAK;AAEzC,MAAI,cAAc,SAAS,KAAK,WAAW,GAAG,GAAG;AAC/C,WAAO,OAAO,IAAI,OAAO,KAAK,MAAM,CAAC,CAAC,IAAI,OAAO;AAAA,EACnD;AAEA,SAAO,OAAO,IAAI,IAAI,IAAI,IAAI,OAAO;AACvC;AAOA,SAAS,mBAAmB,aAA6B;AACvD,MAAI,YAAY,WAAW,GAAG,GAAG;AAC/B,WAAO,YAAY,MAAM,GAAG,EAAE,CAAC;AAAA,EACjC;AACA,SAAO;AACT;;;ACpJA,SAAS,iBAAiB;;;ACA1B,SAAS,gBAAgB;AACzB,SAAS,kBAAkB;AAC3B,OAAO,UAAU;;;ACDV,IAAM,cAAN,cAA0B,MAAM;AAAA,EACrC,YAAY,SAAiC,MAAc;AACzD,UAAM,OAAO;AAD8B;AAE3C,SAAK,OAAO;AAAA,EACd;AACF;AAGO,IAAM,kBAAN,cAA8B,YAAY;AAAA,EAC/C,YAAY,aAAqB;AAC/B;AAAA,MACE,kCAAkC,WAAW;AAAA,MAE7C;AAAA,IACF;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAGO,IAAM,qBAAN,cAAiC,YAAY;AAAA,EAClD,YAAY,cAAsB,QAAgB;AAChD,UAAM,mBAAmB,YAAY,KAAK,MAAM,IAAI,sBAAsB;AAC1E,SAAK,OAAO;AAAA,EACd;AACF;AAGO,IAAM,iBAAN,cAA6B,YAAY;AAAA,EAC9C,YAAY,QAAgB,QAAgB;AAC1C,UAAM,eAAe,MAAM,aAAa,MAAM,IAAI,kBAAkB;AACpE,SAAK,OAAO;AAAA,EACd;AACF;AAGO,IAAM,sBAAN,cAAkC,YAAY;AAAA,EACnD,YAAY,SAAiB;AAC3B;AAAA,MACE,yBAAyB,OAAO;AAAA,MAChC;AAAA,IACF;AACA,SAAK,OAAO;AAAA,EACd;AACF;;;AD/BO,IAAM,aAAN,MAA8C;AAAA,EAC1C,YAAuB;AAAA,EACvB,gBAAgB,CAAC,mBAAmB;AAAA,EAE7C,MAAM,OAAO,aAA6C;AACxD,UAAM,eAAe,KAAK,KAAK,aAAa,mBAAmB;AAC/D,WAAO,WAAW,YAAY,IAAI,eAAe;AAAA,EACnD;AAAA,EAEA,MAAM,KAAK,aAAqB,cAA2C;AACzE,UAAM,CAAC,aAAa,cAAc,IAAI,MAAM,QAAQ,IAAI;AAAA,MACtD,SAAS,cAAc,OAAO;AAAA,MAC9B,SAAS,KAAK,KAAK,aAAa,cAAc,GAAG,OAAO,EAAE,MAAM,MAAM,IAAI;AAAA,IAC5E,CAAC;AAED,QAAI;AACJ,QAAI;AACF,iBAAW,KAAK,MAAM,WAAW;AAAA,IACnC,QAAQ;AACN,YAAM,IAAI,mBAAmB,cAAc,cAAc;AAAA,IAC3D;AAGA,UAAM,cAAc,oBAAI,IAAY;AACpC,QAAI,gBAAgB;AAClB,UAAI;AACF,cAAM,MAAM,KAAK,MAAM,cAAc;AACrC,mBAAW,QAAQ,OAAO,KAAK,IAAI,gBAAgB,CAAC,CAAC,GAAG;AACtD,sBAAY,IAAI,IAAI;AAAA,QACtB;AACA,mBAAW,QAAQ,OAAO,KAAK,IAAI,mBAAmB,CAAC,CAAC,GAAG;AACzD,sBAAY,IAAI,IAAI;AAAA,QACtB;AAAA,MACF,QAAQ;AAAA,MAER;AAAA,IACF;AAEA,UAAM,eAAe,KAAK,cAAc,UAAU,WAAW;AAE7D,WAAO;AAAA,MACL;AAAA,MACA,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IACpC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,cAAc,UAAuB,aAAwC;AACnF,UAAM,OAAqB,CAAC;AAE5B,QAAI,SAAS,UAAU;AAErB,iBAAW,CAAC,SAAS,OAAO,KAAK,OAAO,QAAQ,SAAS,QAAQ,GAAG;AAElE,YAAI,YAAY,GAAI;AAKpB,cAAM,OAAO,KAAK,mBAAmB,OAAO;AAC5C,YAAI,CAAC,QAAQ,CAAC,QAAQ,QAAS;AAG/B,YAAI,QAAQ,KAAM;AAElB,aAAK,KAAK;AAAA,UACR;AAAA,UACA,SAAS,QAAQ;AAAA,UACjB,QAAQ,YAAY,IAAI,IAAI;AAAA,UAC5B,WAAW;AAAA,UACX,MAAM,KAAK,UAAU,MAAM,QAAQ,OAAO;AAAA,QAC5C,CAAC;AAAA,MACH;AAAA,IACF,WAAW,SAAS,cAAc;AAEhC,WAAK,oBAAoB,SAAS,cAAc,aAAa,IAAI;AAAA,IACnE;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWQ,UAAU,MAAc,SAAyB;AACvD,QAAI,KAAK,WAAW,GAAG,GAAG;AAExB,aAAO,cAAc,KAAK,MAAM,CAAC,CAAC,IAAI,OAAO;AAAA,IAC/C;AACA,WAAO,WAAW,IAAI,IAAI,OAAO;AAAA,EACnC;AAAA;AAAA,EAGQ,mBAAmB,SAAgC;AAIzD,UAAM,QAAQ,QAAQ,MAAM,eAAe;AAC3C,UAAM,OAAO,MAAM,MAAM,SAAS,CAAC;AACnC,WAAO,QAAQ;AAAA,EACjB;AAAA;AAAA,EAGQ,oBACN,SACA,aACA,QACM;AACN,eAAW,CAAC,MAAM,IAAI,KAAK,OAAO,QAAQ,OAAO,GAAG;AAClD,UAAI,KAAK,SAAS;AAChB,eAAO,KAAK;AAAA,UACV;AAAA,UACA,SAAS,KAAK;AAAA,UACd,QAAQ,YAAY,IAAI,IAAI;AAAA,UAC5B,WAAW;AAAA,UACX,MAAM,KAAK,UAAU,MAAM,KAAK,OAAO;AAAA,QACzC,CAAC;AAAA,MACH;AAEA,UAAI,KAAK,cAAc;AACrB,aAAK,oBAAoB,KAAK,cAAc,aAAa,MAAM;AAAA,MACjE;AAAA,IACF;AAAA,EACF;AACF;;;AE7IO,IAAM,eAAN,MAAgD;AAAA,EAC5C,YAAuB;AAAA,EACvB,gBAAgB,CAAC,oBAAoB;AAAA,EAE9C,MAAM,OAAO,cAA8C;AAEzD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,KAAK,cAAsB,eAA4C;AAC3E,UAAM,IAAI,MAAM,iDAAiD;AAAA,EACnE;AACF;;;ACZO,IAAM,eAAN,MAAgD;AAAA,EAC5C,YAAuB;AAAA,EACvB,gBAAgB,CAAC,YAAY;AAAA,EAEtC,MAAM,OAAO,cAA8C;AAEzD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,KAAK,cAAsB,eAA4C;AAC3E,UAAM,IAAI,MAAM,iDAAiD;AAAA,EACnE;AACF;;;ACXO,IAAM,kBAAN,MAAsB;AAAA,EACnB;AAAA,EAER,cAAc;AACZ,SAAK,WAAW;AAAA,MACd,IAAI,WAAW;AAAA,MACf,IAAI,aAAa;AAAA,MACjB,IAAI,aAAa;AAAA;AAAA,IAEnB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,cAAc,aAA0C;AAC5D,eAAW,WAAW,KAAK,UAAU;AACnC,YAAM,eAAe,MAAM,QAAQ,OAAO,WAAW;AACrD,UAAI,cAAc;AAChB,eAAO,QAAQ,KAAK,aAAa,YAAY;AAAA,MAC/C;AAAA,IACF;AACA,UAAM,IAAI,gBAAgB,WAAW;AAAA,EACvC;AAAA;AAAA,EAGA,WAAW,WAAkD;AAC3D,WAAO,KAAK,SAAS,KAAK,CAAC,MAAM,EAAE,cAAc,SAAS;AAAA,EAC5D;AAAA;AAAA,EAGA,iBAA2B;AACzB,WAAO,KAAK,SAAS,IAAI,CAAC,MAAM,EAAE,SAAS;AAAA,EAC7C;AACF;;;AC9CA,SAAS,cAAAA,mBAAkB;AAgBpB,IAAM,qBAAN,MAAkD;AAAA,EAC9C,SAAqB;AAAA,EAE9B,SAAS,YAAwB,cAAsB,SAAe;AACpE,UAAM,MAAM,KAAK,SAAS,YAAY,WAAW;AACjD,UAAM,UAAU,KAAK,UAAU,KAAK,MAAM,CAAC;AAE3C,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,aAAa;AAAA,MACb;AAAA,MACA,gBAAgB,WAAW,aAAa;AAAA,MACxC,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,IACtC;AAAA,EACF;AAAA,EAEQ,SAAS,YAAwB,aAAmC;AAC1E,UAAM,cAAc,KAAK,mBAAmB,WAAW,WAAW;AAElE,WAAO;AAAA,MACL,SAAS;AAAA,MACT,WAAW;AAAA,MACX,aAAa;AAAA,MACb,cAAc,YAAYA,YAAW,CAAC;AAAA,MACtC,SAAS;AAAA,MACT,UAAU;AAAA,QACR,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,QAClC,OAAO;AAAA,UACL,YAAY;AAAA,YACV;AAAA,cACE,MAAM;AAAA,cACN,MAAM;AAAA,cACN,SAAS;AAAA,cACT,aAAa;AAAA,cACb,UAAU,EAAE,MAAM,SAAS;AAAA,cAC3B,oBAAoB;AAAA,gBAClB;AAAA,kBACE,MAAM;AAAA,kBACN,KAAK;AAAA,gBACP;AAAA,cACF;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAAA;AAAA,QAEA,UAAU;AAAA,UACR,MAAM;AAAA,QACR;AAAA,QACA,WAAW;AAAA,UACT,MAAM;AAAA,UACN,MAAM;AAAA,UACN,WAAW;AAAA,UACX,UAAU,EAAE,MAAM,YAAY;AAAA,QAChC;AAAA,MACF;AAAA,MACA,YAAY,WAAW,aAAa,IAAI,CAAC,QAAQ,KAAK,YAAY,GAAG,CAAC;AAAA,MACtE,cAAc,KAAK,qBAAqB,UAAU;AAAA,IACpD;AAAA,EACF;AAAA;AAAA,EAGQ,YAAY,KAAqC;AACvD,WAAO;AAAA,MACL,MAAM;AAAA,MACN,MAAM,IAAI;AAAA,MACV,SAAS,IAAI;AAAA,MACb,MAAM,IAAI;AAAA,MACV,WAAW,IAAI;AAAA,MACf,OAAO,IAAI,SAAS,aAAa;AAAA;AAAA,MAEjC,UAAU;AAAA,QACR,MAAM,KAAK,mBAAmB,IAAI,IAAI;AAAA,MACxC;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWQ,mBAAmB,aAA6B;AACtD,QAAI,YAAY,WAAW,GAAG,GAAG;AAE/B,YAAM,QAAQ,YAAY,MAAM,GAAG,EAAE,CAAC;AACtC,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaQ,qBAAqB,YAAoD;AAC/E,UAAM,cAAc,WAAW,aAAa,IAAI,CAAC,MAAM,EAAE,IAAI;AAE7D,WAAO;AAAA,MACL;AAAA,QACE,KAAK;AAAA,QACL,WAAW;AAAA,MACb;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGQ,mBAAmB,aAA6B;AACtD,UAAM,QAAQ,YAAY,QAAQ,OAAO,GAAG,EAAE,MAAM,GAAG;AACvD,WAAO,MAAM,MAAM,SAAS,CAAC,KAAK;AAAA,EACpC;AACF;;;ACtIA,IAAM,eAAe;AACrB,IAAM,aAAa;AAcZ,IAAM,YAAN,MAAqC;AAAA,EACjC,WAAgC;AAAA,EAChC,OAAO;AAAA,EAER;AAAA,EAER,YAAY,WAA0B;AAEpC,SAAK,UAAU,aAAa,WAAW;AAAA,EACzC;AAAA,EAEA,MAAM,kBAAkB,cAAsD;AAC5E,QAAI,aAAa,WAAW,EAAG,QAAO,CAAC;AAEvC,UAAM,WAA4B,CAAC;AAGnC,aAAS,IAAI,GAAG,IAAI,aAAa,QAAQ,KAAK,YAAY;AACxD,YAAM,QAAQ,aAAa,MAAM,GAAG,IAAI,UAAU;AAClD,YAAM,aAAa,MAAM,KAAK,WAAW,KAAK;AAC9C,eAAS,KAAK,GAAG,UAAU;AAAA,IAC7B;AAEA,WAAO;AAAA,EACT;AAAA;AAAA,EAGA,MAAc,WAAW,cAAsD;AAC7E,UAAM,UAAU,aAAa,IAAI,CAAC,SAAS;AAAA,MACzC,SAAS,IAAI;AAAA,MACb,SAAS;AAAA,QACP,MAAM,IAAI;AAAA,QACV,WAAW,KAAK,aAAa,IAAI,SAAS;AAAA,MAC5C;AAAA,IACF,EAAE;AAEF,UAAM,WAAW,MAAM,KAAK,QAAQ,GAAG,YAAY,eAAe;AAAA,MAChE,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,EAAE,QAAQ,CAAC;AAAA,IAClC,CAAC;AAED,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,IAAI,MAAM,kBAAkB,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,IAC5E;AAEA,UAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,UAAM,kBAAmC,CAAC;AAG1C,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,QAAQ,KAAK;AAC5C,YAAM,SAAS,KAAK,QAAQ,CAAC;AAC7B,YAAM,MAAM,aAAa,CAAC;AAE1B,UAAI,OAAO,SAAS,OAAO,MAAM,SAAS,GAAG;AAC3C,mBAAW,QAAQ,OAAO,OAAO;AAC/B,0BAAgB,KAAK,KAAK,iBAAiB,MAAM,GAAG,CAAC;AAAA,QACvD;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,iBAAiB,SAA2B,KAAgC;AAClF,UAAM,QAAQ,KAAK,aAAa,OAAO;AACvC,UAAM,WAAW,KAAK,gBAAgB,OAAO;AAE7C,WAAO;AAAA,MACL,IAAI,SAAS,QAAQ;AAAA,MACrB,SAAS,MAAM,KAAK,oBAAI,IAAI,CAAC,QAAQ,IAAI,GAAI,QAAQ,WAAW,CAAC,CAAE,CAAC,CAAC;AAAA,MACrE,SAAS,QAAQ,WAAW,QAAQ,SAAS,MAAM,GAAG,GAAG,KAAK;AAAA,MAC9D,UAAU,SAAS;AAAA,MACnB,WAAW,SAAS;AAAA,MACpB,aAAa,IAAI;AAAA,MACjB,WAAW,IAAI;AAAA,MACf,sBAAsB,KAAK,qBAAqB,SAAS,IAAI,IAAI;AAAA,MACjE,cAAc,KAAK,oBAAoB,SAAS,IAAI,IAAI;AAAA,MACxD,iBAAiB;AAAA;AAAA,MACjB,QAAQ;AAAA,MACR,cAAc,iCAAiC,QAAQ,EAAE;AAAA,MACzD,aAAa,QAAQ;AAAA,IACvB;AAAA,EACF;AAAA;AAAA,EAGQ,aAAa,MAAuC;AAE1D,QAAI,KAAK,GAAG,WAAW,MAAM,EAAG,QAAO,KAAK;AAG5C,QAAI,KAAK,SAAS;AAChB,YAAM,MAAM,KAAK,QAAQ,KAAK,CAAC,MAAM,EAAE,WAAW,MAAM,CAAC;AACzD,UAAI,IAAK,QAAO;AAAA,IAClB;AAEA,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,gBAAgB,MAA6D;AAEnF,QAAI,KAAK,YAAY,KAAK,SAAS,SAAS,GAAG;AAC7C,iBAAW,OAAO,KAAK,UAAU;AAC/B,YAAI,IAAI,SAAS,WAAW;AAC1B,gBAAM,QAAQ,KAAK,eAAe,IAAI,KAAK;AAC3C,cAAI,UAAU,MAAM;AAClB,mBAAO,EAAE,OAAO,KAAK,gBAAgB,KAAK,GAAG,MAAM;AAAA,UACrD;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,KAAK,mBAAmB,UAAU;AACpC,YAAM,IAAI,KAAK,kBAAkB,SAAS,YAAY;AACtD,UAAI,CAAC,YAAY,QAAQ,UAAU,KAAK,EAAE,SAAS,CAAC,GAAG;AACrD,eAAO,EAAE,OAAO,EAAc;AAAA,MAChC;AAAA,IACF;AAEA,WAAO,EAAE,OAAO,UAAU;AAAA,EAC5B;AAAA;AAAA,EAGQ,eAAe,eAAsC;AAE3D,UAAM,MAAM,WAAW,aAAa;AACpC,QAAI,CAAC,MAAM,GAAG,KAAK,OAAO,KAAK,OAAO,GAAI,QAAO;AAIjD,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,gBAAgB,OAAyB;AAC/C,QAAI,SAAS,EAAK,QAAO;AACzB,QAAI,SAAS,EAAK,QAAO;AACzB,QAAI,SAAS,EAAK,QAAO;AACzB,QAAI,QAAQ,EAAK,QAAO;AACxB,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,qBAAqB,MAAwB,aAAyC;AAC5F,QAAI,CAAC,KAAK,SAAU,QAAO;AAE3B,eAAW,YAAY,KAAK,UAAU;AACpC,UAAI,SAAS,SAAS,SAAS,eAAe,SAAS,QAAQ;AAC7D,mBAAW,SAAS,SAAS,QAAQ;AACnC,cAAI,MAAM,QAAQ;AAChB,kBAAM,aAAa,MAAM,OAAO,KAAK,CAAC,MAAM,EAAE,UAAU,GAAG;AAC3D,kBAAM,QAAQ,MAAM,OAAO,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG;AACjD,gBAAI,cAAc,MAAO,QAAO,KAAK,UAAU,MAAM,KAAK;AAC1D,gBAAI,WAAY,QAAO,KAAK,UAAU;AAAA,UACxC;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,oBAAoB,MAAwB,aAAyC;AAC3F,QAAI,CAAC,KAAK,SAAU,QAAO;AAE3B,eAAW,YAAY,KAAK,UAAU;AACpC,UAAI,SAAS,SAAS,SAAS,eAAe,SAAS,QAAQ;AAC7D,mBAAW,SAAS,SAAS,QAAQ;AACnC,cAAI,MAAM,QAAQ;AAChB,kBAAM,QAAQ,MAAM,OAAO,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG;AACjD,gBAAI,MAAO,QAAO;AAAA,UACpB;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,aAAa,WAA2B;AAC9C,UAAM,MAA8B;AAAA,MAClC,KAAK;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,KAAK;AAAA,MACL,IAAI;AAAA,IACN;AACA,WAAO,IAAI,SAAS,KAAK;AAAA,EAC3B;AACF;;;AC3MO,IAAM,gBAAN,MAAoB;AAAA,EACjB;AAAA,EAER,YAAY,SAAuB;AACjC,SAAK,UAAU,WAAW;AAAA,MACxB,IAAI,UAAU;AAAA;AAAA,IAEhB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,MAAM,cAAqD;AAC/D,UAAM,YAAY,KAAK,IAAI;AAC3B,UAAM,iBAAwC,CAAC;AAC/C,UAAM,eAAiE,CAAC;AACxE,UAAM,WAA4B,CAAC;AAGnC,UAAM,UAAU,MAAM,QAAQ;AAAA,MAC5B,KAAK,QAAQ,IAAI,OAAO,WAAW;AACjC,cAAM,QAAQ,MAAM,OAAO,kBAAkB,YAAY;AACzD,eAAO,EAAE,UAAU,OAAO,UAAU,MAAM;AAAA,MAC5C,CAAC;AAAA,IACH;AAEA,eAAW,UAAU,SAAS;AAC5B,UAAI,OAAO,WAAW,aAAa;AACjC,uBAAe,KAAK,OAAO,MAAM,QAAQ;AACzC,iBAAS,KAAK,GAAG,OAAO,MAAM,KAAK;AAAA,MACrC,OAAO;AAEL,cAAM,cAAc,QAAQ,QAAQ,MAAM;AAC1C,cAAM,WAAW,KAAK,QAAQ,WAAW,EAAE;AAC3C,qBAAa,KAAK;AAAA,UAChB,QAAQ;AAAA,UACR,OAAO,OAAO,kBAAkB,QAAQ,OAAO,OAAO,UAAU,OAAO,OAAO,MAAM;AAAA,QACtF,CAAC;AAAA,MACH;AAAA,IACF;AAGA,UAAM,eAAe,KAAK,2BAA2B,QAAQ;AAE7D,WAAO;AAAA,MACL,iBAAiB;AAAA,MACjB;AAAA,MACA;AAAA,MACA,iBAAiB,KAAK,IAAI,IAAI;AAAA,IAChC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,2BAA2B,OAAyC;AAC1E,UAAM,QAAQ,oBAAI,IAA2B;AAE7C,eAAW,QAAQ,OAAO;AAGxB,YAAM,MAAM,GAAG,KAAK,EAAE,KAAK,KAAK,WAAW;AAC3C,YAAM,WAAW,MAAM,IAAI,GAAG;AAE9B,UAAI,CAAC,UAAU;AACb,cAAM,IAAI,KAAK,IAAI;AAAA,MACrB,OAAO;AAEL,cAAM,IAAI,KAAK,KAAK,gBAAgB,UAAU,IAAI,CAAC;AAAA,MACrD;AAAA,IACF;AAEA,WAAO,MAAM,KAAK,MAAM,OAAO,CAAC;AAAA,EAClC;AAAA;AAAA,EAGQ,gBAAgB,GAAkB,GAAiC;AACzE,QAAI,SAAS;AACb,QAAI,SAAS;AAEb,QAAI,EAAE,cAAc,OAAW;AAC/B,QAAI,EAAE,cAAc,OAAW;AAC/B,QAAI,EAAE,aAAc;AACpB,QAAI,EAAE,aAAc;AACpB,QAAI,EAAE,qBAAsB;AAC5B,QAAI,EAAE,qBAAsB;AAC5B,QAAI,EAAE,aAAa,UAAW;AAC9B,QAAI,EAAE,aAAa,UAAW;AAI9B,UAAM,QAAQ,CAAC,QACb,OAAO,YAAY,OAAO,QAAQ,GAAG,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC,MAAM,MAAM,UAAa,MAAM,IAAI,CAAC;AAEzF,UAAM,SAAS,SAAS,SACpB,EAAE,GAAG,MAAM,CAAuC,GAAG,GAAG,MAAM,CAAuC,EAAE,IACvG,EAAE,GAAG,MAAM,CAAuC,GAAG,GAAG,MAAM,CAAuC,EAAE;AAG3G,UAAM,aAAa,oBAAI,IAAI,CAAC,GAAG,EAAE,SAAS,GAAG,EAAE,OAAO,CAAC;AACvD,WAAO,UAAU,MAAM,KAAK,UAAU;AAGtC,WAAO,kBAAkB,EAAE,mBAAmB,EAAE;AAEhD,WAAO;AAAA,EACT;AACF;;;ACnHO,IAAM,kBAAN,MAA0C;AAAA,EACtC,OAAO;AAAA,EAEhB,OAAO,QAA8B;AACnC,UAAM,QAAkB,CAAC;AAEzB,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,4RAAiD;AAC5D,UAAM,KAAK,2DAAiD;AAC5D,UAAM,KAAK,4RAAiD;AAC5D,UAAM,KAAK,EAAE;AAGb,UAAM,KAAK,mBAAmB,OAAO,QAAQ,IAAI,EAAE;AACnD,UAAM,KAAK,mBAAmB,OAAO,QAAQ,SAAS,EAAE;AACxD,UAAM,KAAK,mBAAmB,OAAO,QAAQ,eAAe,EAAE;AAC9D,UAAM,KAAK,mBAAmB,OAAO,WAAW,EAAE;AAClD,UAAM,KAAK,EAAE;AAGb,UAAM,KAAK,4BAAuB,OAAO,KAAK,MAAM,KAAK,OAAO,KAAK,WAAW,GAAG;AACnF,UAAM,KAAK,mBAAmB,OAAO,KAAK,cAAc,EAAE;AAC1D,UAAM,KAAK,EAAE;AAGb,UAAM,QAAQ,OAAO,SAAS;AAC9B,QAAI,MAAM,WAAW,GAAG;AACtB,YAAM,KAAK,yCAAoC;AAAA,IACjD,OAAO;AACL,YAAM,KAAK,YAAO,MAAM,MAAM,gBAAgB,MAAM,WAAW,IAAI,MAAM,KAAK,SAAS;AACvF,YAAM,KAAK,EAAE;AAGb,YAAM,SAAS,CAAC,GAAG,KAAK,EAAE,KAAK,CAAC,GAAG,MAAM,cAAc,EAAE,QAAQ,IAAI,cAAc,EAAE,QAAQ,CAAC;AAE9F,iBAAW,QAAQ,QAAQ;AACzB,cAAM,QAAQ,cAAc,KAAK,QAAQ;AACzC,cAAM,MAAM,KAAK,eAAe,gBAAW,KAAK,YAAY,KAAK;AACjE,cAAM,KAAK,OAAO,KAAK,KAAK,KAAK,EAAE,EAAE;AACrC,cAAM,KAAK,cAAc,KAAK,WAAW,IAAI,KAAK,wBAAwB,GAAG,GAAG,GAAG,EAAE;AACrF,cAAM,KAAK,cAAc,KAAK,QAAQ,MAAM,GAAG,GAAG,CAAC,EAAE;AACrD,YAAI,KAAK,iBAAiB;AACxB,gBAAM,KAAK,2EAA+D;AAAA,QAC5E;AACA,cAAM,KAAK,EAAE;AAAA,MACf;AAAA,IACF;AAGA,UAAM,UAAU,OAAO,SAAS,eAAe,KAAK,IAAI;AACxD,UAAM,KAAK,sBAAsB,OAAO,KAAK,OAAO,SAAS,eAAe,KAAK;AAEjF,QAAI,OAAO,SAAS,aAAa,SAAS,GAAG;AAC3C,iBAAW,OAAO,OAAO,SAAS,cAAc;AAC9C,cAAM,KAAK,YAAO,IAAI,MAAM,KAAK,IAAI,KAAK,EAAE;AAAA,MAC9C;AAAA,IACF;AAGA,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,iDAAmB;AAC9B,UAAM,KAAK,YAAY,OAAO,QAAQ,oBAAoB,kBAC3C,OAAO,QAAQ,QAAQ,cAC3B,OAAO,QAAQ,IAAI,gBACjB,OAAO,QAAQ,MAAM,aACxB,OAAO,QAAQ,GAAG,EAAE;AAE9B,QAAI,OAAO,QAAQ,kBAAkB,GAAG;AACtC,YAAM,KAAK,eAAQ,OAAO,QAAQ,eAAe,sDAAiD;AAAA,IACpG;AAEA,UAAM,KAAK,EAAE;AACb,WAAO,MAAM,KAAK,IAAI;AAAA,EACxB;AACF;AAEA,SAAS,cAAc,GAAqB;AAC1C,QAAM,QAAkC;AAAA,IACtC,UAAU;AAAA,IAAG,MAAM;AAAA,IAAG,QAAQ;AAAA,IAAG,KAAK;AAAA,IAAG,SAAS;AAAA,EACpD;AACA,SAAO,MAAM,CAAC,KAAK;AACrB;AAEA,SAAS,cAAc,GAAqB;AAC1C,QAAM,SAAmC;AAAA,IACvC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,KAAK;AAAA,IACL,SAAS;AAAA,EACX;AACA,SAAO,OAAO,CAAC,KAAK;AACtB;;;ATjFA,eAAsB,KAAK,QAA6C;AACtE,QAAM;AAAA,IACJ;AAAA,IACA,aAAa;AAAA,IACb,eAAe;AAAA,EACjB,IAAI;AAGJ,QAAM,WAAW,IAAI,gBAAgB;AACrC,QAAM,aAAa,MAAM,SAAS,cAAc,WAAW;AAG3D,QAAM,gBAAgB,IAAI,mBAAmB;AAC7C,QAAM,OAAO,cAAc,SAAS,UAAU;AAG9C,QAAM,UAAU,YAAY,KAAK,SAAS,OAAO;AAGjD,MAAI;AACJ,MAAI,cAAc;AAChB,eAAW;AAAA,MACT,iBAAiB,CAAC;AAAA,MAClB,gBAAgB,CAAC;AAAA,MACjB,cAAc,CAAC;AAAA,MACf,iBAAiB;AAAA,IACnB;AAAA,EACF,OAAO;AACL,UAAM,aAAa,IAAI,cAAc;AACrC,eAAW,MAAM,WAAW,MAAM,WAAW,YAAY;AAAA,EAC3D;AAGA,QAAM,UAAU;AAAA,IACd,mBAAmB,WAAW,aAAa;AAAA,IAC3C,sBAAsB,SAAS,gBAAgB;AAAA,IAC/C,UAAU,SAAS,gBAAgB,OAAO,CAAC,MAAM,EAAE,aAAa,UAAU,EAAE;AAAA,IAC5E,MAAM,SAAS,gBAAgB,OAAO,CAAC,MAAM,EAAE,aAAa,MAAM,EAAE;AAAA,IACpE,QAAQ,SAAS,gBAAgB,OAAO,CAAC,MAAM,EAAE,aAAa,QAAQ,EAAE;AAAA,IACxE,KAAK,SAAS,gBAAgB,OAAO,CAAC,MAAM,EAAE,aAAa,KAAK,EAAE;AAAA,IAClE,iBAAiB,SAAS,gBAAgB,OAAO,CAAC,MAAM,EAAE,eAAe,EAAE;AAAA,EAC7E;AAEA,QAAM,SAAuB;AAAA,IAC3B,SAAS;AAAA,MACP,MAAM;AAAA,MACN,WAAW,WAAW;AAAA,MACtB,iBAAiB,WAAW,aAAa;AAAA,IAC3C;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,EACtC;AAEA,SAAO;AACT;AAKO,SAAS,aAAa,QAAsB,WAA8B;AAC/E,QAAMC,iBAA0C;AAAA,IAC9C,UAAU;AAAA,IAAG,MAAM;AAAA,IAAG,QAAQ;AAAA,IAAG,KAAK;AAAA,IAAG,SAAS;AAAA,EACpD;AACA,QAAM,iBAAiBA,eAAc,SAAS,KAAK;AAEnD,SAAO,OAAO,SAAS,gBAAgB;AAAA,IACrC,CAAC,MAAMA,eAAc,EAAE,QAAQ,KAAK;AAAA,EACtC;AACF;AAKO,SAAS,YAAY,QAA4B;AACtD,QAAM,WAAW,IAAI,gBAAgB;AACrC,UAAQ,IAAI,SAAS,OAAO,MAAM,CAAC;AACrC;","names":["randomUUID","severityOrder"]}
1	+ {"version":3,"sources":["../src/generate-sbom.ts","../src/scan.ts","../src/scanners/npm/npm-scanner.ts","../src/core/errors.ts","../src/scanners/nuget/nuget-scanner.ts","../src/scanners/cargo/cargo-scanner.ts","../src/scanners/pip/pip-scanner.ts","../src/scanners/maven/maven-scanner.ts","../src/scanners/go/go-scanner.ts","../src/scanners/ruby/ruby-scanner.ts","../src/scanners/registry.ts","../src/sbom/cyclonedx.ts","../src/cve/osv.ts","../src/cve/aggregator.ts","../src/reporters/console.ts"],"sourcesContent":["import { randomUUID } from 'crypto';\nimport type {\n GenerateSbomInput,\n GenerateSbomResult,\n SbomDependency,\n Ecosystem,\n} from './core/types.js';\n\n/*\n Generates an NTIA-compliant CycloneDX 1.7 SBOM from structured dependency data.\n \n This is a pure function — no filesystem access, no network calls, no side effects.\n * It takes a project name, version, and list of dependencies, and returns a complete\n * CycloneDX 1.7 JSON SBOM that passes NTIA minimum-element validation.\n \n @example\n * ```ts\n * import { generateSbom } from 'verimu';\n \n const result = generateSbom({\n * projectName: 'my-app',\n * projectVersion: '1.0.0',\n * dependencies: [\n * { name: 'express', version: '4.18.2', ecosystem: 'npm' },\n * { name: '@types/node', version: '20.11.5', ecosystem: 'npm', direct: false },\n * ],\n * });\n \n console.log(result.componentCount); // 2\n * console.log(result.content); // formatted JSON string\n * ```\n /\nexport function generateSbom(input: GenerateSbomInput): GenerateSbomResult {\n const {\n projectName,\n projectVersion = '0.0.0',\n dependencies,\n } = input;\n\n const timestamp = new Date().toISOString();\n\n // Resolve PURLs for any deps that don't have one\n const resolvedDeps = dependencies.map((dep) => ({\n ...dep,\n direct: dep.direct ?? true,\n purl: dep.purl ?? buildPurl(dep.name, dep.version, dep.ecosystem),\n }));\n\n const rootPurl = buildPurl(projectName, projectVersion, 'npm');\n\n const sbom = {\n $schema: 'http://cyclonedx.org/schema/bom-1.7.schema.json',\n bomFormat: 'CycloneDX',\n specVersion: '1.7',\n serialNumber: `urn:uuid:${randomUUID()}`,\n version: 1,\n metadata: {\n timestamp,\n tools: {\n components: [\n {\n type: 'application',\n name: 'verimu',\n version: '0.0.1',\n description: 'Verimu CRA Compliance Scanner',\n supplier: { name: 'Verimu' },\n externalReferences: [\n { type: 'website', url: 'https://verimu.com' },\n ],\n },\n ],\n },\n supplier: { name: projectName },\n component: {\n type: 'application',\n name: projectName,\n version: projectVersion,\n 'bom-ref': rootPurl,\n supplier: { name: projectName },\n },\n },\n components: resolvedDeps.map((dep) => ({\n type: 'library',\n name: dep.name,\n version: dep.version,\n purl: dep.purl,\n 'bom-ref': dep.purl,\n scope: dep.direct ? 'required' : 'optional',\n supplier: { name: deriveSupplierName(dep.name) },\n })),\n dependencies: [\n {\n ref: rootPurl,\n dependsOn: resolvedDeps.map((d) => d.purl),\n },\n ],\n };\n\n const content = JSON.stringify(sbom, null, 2);\n\n return {\n sbom,\n content,\n componentCount: resolvedDeps.length,\n specVersion: '1.7',\n generatedAt: timestamp,\n };\n}\n\n// ─── Internal helpers ───────────────────────────────────────────\n\nconst PURL_TYPE_MAP: Record<Ecosystem, string> = {\n npm: 'npm',\n nuget: 'nuget',\n cargo: 'cargo',\n maven: 'maven',\n pip: 'pypi',\n go: 'golang',\n ruby: 'gem',\n};\n\n/\n Builds a Package URL (purl) per the purl spec.\n \n For npm scoped packages, the @ prefix is percent-encoded as %40:\n * @types/node@20.11.5 → pkg:npm/%40types/node@20.11.5\n \n See: https://github.com/package-url/purl-spec/blob/main/types-doc/npm-definition.md\n /\nfunction buildPurl(name: string, version: string, ecosystem: Ecosystem): string {\n const type = PURL_TYPE_MAP[ecosystem] \|\| ecosystem;\n\n if (ecosystem === 'npm' && name.startsWith('@')) {\n return `pkg:${type}/%40${name.slice(1)}@${version}`;\n }\n\n return `pkg:${type}/${name}@${version}`;\n}\n\n/\n Derives supplier name from a package name.\n * Scoped packages: \"@vue/reactivity\" → \"@vue\"\n * Unscoped packages: \"express\" → \"express\"\n /\nfunction deriveSupplierName(packageName: string): string {\n if (packageName.startsWith('@')) {\n return packageName.split('/')[0];\n }\n return packageName;\n}\n","import { writeFile } from 'fs/promises';\nimport { ScannerRegistry } from './scanners/registry.js';\nimport { CycloneDxGenerator } from './sbom/cyclonedx.js';\nimport { CveAggregator } from './cve/aggregator.js';\nimport { ConsoleReporter } from './reporters/console.js';\nimport type { VerimuConfig, VerimuReport, Severity } from './core/types.js';\n\n/\n Main scan pipeline — orchestrates the full Verimu workflow:\n * 1. Detect ecosystem & parse lockfile\n * 2. Generate CycloneDX SBOM\n * 3. Check dependencies for CVEs\n * 4. Produce report\n * 5. Optionally upload snapshot to Verimu API\n /\nexport async function scan(config: VerimuConfig): Promise<VerimuReport> {\n const {\n projectPath,\n sbomOutput = './sbom.cdx.json',\n skipCveCheck = false,\n } = config;\n\n // 1. Scan dependencies\n const registry = new ScannerRegistry();\n const scanResult = await registry.detectAndScan(projectPath);\n\n // 2. Generate SBOM\n const sbomGenerator = new CycloneDxGenerator();\n const sbom = sbomGenerator.generate(scanResult);\n\n // 3. Write SBOM to disk\n await writeFile(sbomOutput, sbom.content, 'utf-8');\n\n // 4. Check CVEs (unless skipped)\n let cveCheck;\n if (skipCveCheck) {\n cveCheck = {\n vulnerabilities: [],\n sourcesQueried: [],\n sourceErrors: [],\n checkDurationMs: 0,\n };\n } else {\n const aggregator = new CveAggregator();\n cveCheck = await aggregator.check(scanResult.dependencies);\n }\n\n // 5. Build report\n const summary = {\n totalDependencies: scanResult.dependencies.length,\n totalVulnerabilities: cveCheck.vulnerabilities.length,\n critical: cveCheck.vulnerabilities.filter((v) => v.severity === 'CRITICAL').length,\n high: cveCheck.vulnerabilities.filter((v) => v.severity === 'HIGH').length,\n medium: cveCheck.vulnerabilities.filter((v) => v.severity === 'MEDIUM').length,\n low: cveCheck.vulnerabilities.filter((v) => v.severity === 'LOW').length,\n exploitedInWild: cveCheck.vulnerabilities.filter((v) => v.exploitedInWild).length,\n };\n\n const report: VerimuReport = {\n project: {\n path: projectPath,\n ecosystem: scanResult.ecosystem,\n dependencyCount: scanResult.dependencies.length,\n },\n sbom,\n cveCheck,\n summary,\n generatedAt: new Date().toISOString(),\n };\n\n return report;\n}\n\n/\n Determines if the scan should fail CI based on severity threshold.\n /\nexport function shouldFailCi(report: VerimuReport, threshold: Severity): boolean {\n const severityOrder: Record<Severity, number> = {\n CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, UNKNOWN: 4,\n };\n const thresholdLevel = severityOrder[threshold] ?? 4;\n\n return report.cveCheck.vulnerabilities.some(\n (v) => severityOrder[v.severity] <= thresholdLevel\n );\n}\n\n/\n Prints a console report to stdout.\n /\nexport function printReport(report: VerimuReport): void {\n const reporter = new ConsoleReporter();\n console.log(reporter.report(report));\n}\n","import { readFile } from 'fs/promises';\nimport { existsSync } from 'fs';\nimport path from 'path';\nimport type { DependencyScanner } from '../scanner.interface.js';\nimport type { Dependency, Ecosystem, ScanResult } from '../../core/types.js';\nimport { LockfileParseError } from '../../core/errors.js';\n\n/\n npm / Node.js dependency scanner.\n \n Parses package-lock.json (v2/v3 format) to extract the full\n * resolved dependency tree. Also reads package.json to determine\n * which dependencies are direct vs transitive.\n /\nexport class NpmScanner implements DependencyScanner {\n readonly ecosystem: Ecosystem = 'npm';\n readonly lockfileNames = ['package-lock.json'];\n\n async detect(projectPath: string): Promise<string \| null> {\n const lockfilePath = path.join(projectPath, 'package-lock.json');\n return existsSync(lockfilePath) ? lockfilePath : null;\n }\n\n async scan(projectPath: string, lockfilePath: string): Promise<ScanResult> {\n const [lockfileRaw, packageJsonRaw] = await Promise.all([\n readFile(lockfilePath, 'utf-8'),\n readFile(path.join(projectPath, 'package.json'), 'utf-8').catch(() => null),\n ]);\n\n let lockfile: NpmLockfile;\n try {\n lockfile = JSON.parse(lockfileRaw);\n } catch {\n throw new LockfileParseError(lockfilePath, 'Invalid JSON');\n }\n\n // Determine direct dependency names from package.json\n const directNames = new Set<string>();\n if (packageJsonRaw) {\n try {\n const pkg = JSON.parse(packageJsonRaw);\n for (const name of Object.keys(pkg.dependencies ?? {})) {\n directNames.add(name);\n }\n for (const name of Object.keys(pkg.devDependencies ?? {})) {\n directNames.add(name);\n }\n } catch {\n // If package.json can't be parsed, all deps are \"unknown\" direct status\n }\n }\n\n const dependencies = this.parseLockfile(lockfile, directNames);\n\n return {\n projectPath,\n ecosystem: 'npm',\n dependencies,\n lockfilePath,\n scannedAt: new Date().toISOString(),\n };\n }\n\n /\n Parses package-lock.json and extracts dependencies.\n * Supports lockfile v2 and v3 (uses the `packages` field).\n * Falls back to `dependencies` field for lockfile v1.\n /\n private parseLockfile(lockfile: NpmLockfile, directNames: Set<string>): Dependency[] {\n const deps: Dependency[] = [];\n\n if (lockfile.packages) {\n // Lockfile v2/v3: `packages` is a flat map of \"node_modules/name\" → info\n for (const [pkgPath, pkgInfo] of Object.entries(lockfile.packages)) {\n // Skip the root package (empty string key)\n if (pkgPath === '') continue;\n\n // Extract package name from the path\n // e.g., \"node_modules/express\" → \"express\"\n // e.g., \"node_modules/@types/node\" → \"@types/node\"\n const name = this.extractPackageName(pkgPath);\n if (!name \|\| !pkgInfo.version) continue;\n\n // Skip link: true entries (workspace references)\n if (pkgInfo.link) continue;\n\n deps.push({\n name,\n version: pkgInfo.version,\n direct: directNames.has(name),\n ecosystem: 'npm',\n purl: this.buildPurl(name, pkgInfo.version),\n });\n }\n } else if (lockfile.dependencies) {\n // Lockfile v1 fallback: `dependencies` is a nested tree\n this.parseDependenciesV1(lockfile.dependencies, directNames, deps);\n }\n\n return deps;\n }\n\n /\n Builds a purl (Package URL) for an npm package.\n \n Per the purl spec (https://github.com/package-url/purl-spec/blob/main/types-doc/npm-definition.md):\n * \"The npm scope @ sign prefix is always percent encoded.\"\n \n So @types/node@20.11.5 → pkg:npm/%40types/node@20.11.5\n * And express@4.18.2 → pkg:npm/express@4.18.2\n /\n private buildPurl(name: string, version: string): string {\n if (name.startsWith('@')) {\n // Scoped: encode the @ as %40 per purl spec\n return `pkg:npm/%40${name.slice(1)}@${version}`;\n }\n return `pkg:npm/${name}@${version}`;\n }\n\n /* Extracts the package name from a node_modules path /\n private extractPackageName(pkgPath: string): string \| null {\n // \"node_modules/@scope/name\" → \"@scope/name\"\n // \"node_modules/name\" → \"name\"\n // \"node_modules/a/node_modules/b\" → \"b\" (nested)\n const parts = pkgPath.split('node_modules/');\n const last = parts[parts.length - 1];\n return last \|\| null;\n }\n\n /* Recursively parses lockfile v1 `dependencies` tree /\n private parseDependenciesV1(\n depsObj: Record<string, NpmLockfileV1Dep>,\n directNames: Set<string>,\n result: Dependency[]\n ): void {\n for (const [name, info] of Object.entries(depsObj)) {\n if (info.version) {\n result.push({\n name,\n version: info.version,\n direct: directNames.has(name),\n ecosystem: 'npm',\n purl: this.buildPurl(name, info.version),\n });\n }\n // Recurse into nested dependencies\n if (info.dependencies) {\n this.parseDependenciesV1(info.dependencies, directNames, result);\n }\n }\n }\n}\n\n// ─── Types for package-lock.json parsing ─────────────────────────\n\ninterface NpmLockfile {\n name?: string;\n version?: string;\n lockfileVersion?: number;\n packages?: Record<string, NpmLockfilePackage>;\n dependencies?: Record<string, NpmLockfileV1Dep>;\n}\n\ninterface NpmLockfilePackage {\n version?: string;\n resolved?: string;\n integrity?: string;\n dev?: boolean;\n optional?: boolean;\n link?: boolean;\n dependencies?: Record<string, string>;\n devDependencies?: Record<string, string>;\n}\n\ninterface NpmLockfileV1Dep {\n version?: string;\n resolved?: string;\n integrity?: string;\n requires?: Record<string, string>;\n dependencies?: Record<string, NpmLockfileV1Dep>;\n}\n","/* Base error for all Verimu errors /\nexport class VerimuError extends Error {\n constructor(message: string, public readonly code: string) {\n super(message);\n this.name = 'VerimuError';\n }\n}\n\n/* Thrown when no supported lockfile is found /\nexport class NoLockfileError extends VerimuError {\n constructor(projectPath: string) {\n super(\n `No supported lockfile found in ${projectPath}. ` +\n `Supported: package-lock.json (npm), packages.lock.json (NuGet), ` +\n `Cargo.lock (Rust), requirements.txt / Pipfile.lock (Python), pom.xml (Maven), go.sum (Go), Gemfile.lock (Ruby)`,\n 'NO_LOCKFILE'\n );\n this.name = 'NoLockfileError';\n }\n}\n\n/* Thrown when lockfile parsing fails /\nexport class LockfileParseError extends VerimuError {\n constructor(lockfilePath: string, reason: string) {\n super(`Failed to parse ${lockfilePath}: ${reason}`, 'LOCKFILE_PARSE_ERROR');\n this.name = 'LockfileParseError';\n }\n}\n\n/* Thrown when a CVE source query fails /\nexport class CveSourceError extends VerimuError {\n constructor(source: string, reason: string) {\n super(`CVE source \"${source}\" failed: ${reason}`, 'CVE_SOURCE_ERROR');\n this.name = 'CveSourceError';\n }\n}\n\n/* Thrown when API key is required but missing /\nexport class ApiKeyRequiredError extends VerimuError {\n constructor(feature: string) {\n super(\n `API key required for \"${feature}\". Get one at https://verimu.com/dashboard`,\n 'API_KEY_REQUIRED'\n );\n this.name = 'ApiKeyRequiredError';\n }\n}\n","import { readFile } from 'fs/promises';\nimport { existsSync } from 'fs';\nimport path from 'path';\nimport type { DependencyScanner } from '../scanner.interface.js';\nimport type { Dependency, Ecosystem, ScanResult } from '../../core/types.js';\nimport { LockfileParseError } from '../../core/errors.js';\n\n/\n C# / NuGet dependency scanner.\n \n Parses `packages.lock.json` (NuGet lock file, generated by\n * `dotnet restore --use-lock-file`) to extract the full resolved\n * dependency tree. The lock file itself tracks Direct vs Transitive.\n \n Lock file format (NuGet v1):\n * ```json\n * {\n * \"version\": 1,\n * \"dependencies\": {\n * \"net8.0\": {\n * \"PackageName\": {\n * \"type\": \"Direct\" \| \"Transitive\",\n * \"resolved\": \"13.0.3\",\n * \"contentHash\": \"...\"\n * }\n * }\n * }\n * }\n * ```\n /\nexport class NugetScanner implements DependencyScanner {\n readonly ecosystem: Ecosystem = 'nuget';\n readonly lockfileNames = ['packages.lock.json'];\n\n async detect(projectPath: string): Promise<string \| null> {\n const lockfilePath = path.join(projectPath, 'packages.lock.json');\n return existsSync(lockfilePath) ? lockfilePath : null;\n }\n\n async scan(projectPath: string, lockfilePath: string): Promise<ScanResult> {\n const lockfileRaw = await readFile(lockfilePath, 'utf-8');\n\n let lockfile: NugetLockfile;\n try {\n lockfile = JSON.parse(lockfileRaw);\n } catch {\n throw new LockfileParseError(lockfilePath, 'Invalid JSON');\n }\n\n if (!lockfile.dependencies) {\n throw new LockfileParseError(lockfilePath, 'Missing \"dependencies\" field');\n }\n\n const dependencies = this.parseLockfile(lockfile);\n\n return {\n projectPath,\n ecosystem: 'nuget',\n dependencies,\n lockfilePath,\n scannedAt: new Date().toISOString(),\n };\n }\n\n /\n Parses packages.lock.json and extracts dependencies across all\n * target frameworks. Deduplicates by package name (keeps highest version\n * if the same package appears under multiple frameworks).\n /\n private parseLockfile(lockfile: NugetLockfile): Dependency[] {\n const depMap = new Map<string, Dependency>();\n\n for (const [_framework, packages] of Object.entries(lockfile.dependencies)) {\n for (const [name, info] of Object.entries(packages)) {\n if (!info.resolved) continue;\n\n // \"Direct\" in the lock file means it's a PackageReference in .csproj\n const isDirect = info.type === 'Direct';\n\n const existing = depMap.get(name);\n if (!existing) {\n depMap.set(name, {\n name,\n version: info.resolved,\n direct: isDirect,\n ecosystem: 'nuget',\n purl: this.buildPurl(name, info.resolved),\n });\n }\n // If already seen, keep the direct flag if either occurrence is direct\n else if (isDirect && !existing.direct) {\n existing.direct = true;\n }\n }\n }\n\n return Array.from(depMap.values());\n }\n\n /\n Builds a purl for a NuGet package.\n * NuGet purls are straightforward: pkg:nuget/Name@Version\n /\n private buildPurl(name: string, version: string): string {\n return `pkg:nuget/${name}@${version}`;\n }\n}\n\n// ─── Types for packages.lock.json parsing ────────────────────────\n\ninterface NugetLockfile {\n version?: number;\n dependencies: Record<string, Record<string, NugetLockfileEntry>>;\n}\n\ninterface NugetLockfileEntry {\n type?: 'Direct' \| 'Transitive';\n resolved?: string;\n contentHash?: string;\n dependencies?: Record<string, string>;\n}\n","import { readFile } from 'fs/promises';\nimport { existsSync } from 'fs';\nimport path from 'path';\nimport type { DependencyScanner } from '../scanner.interface.js';\nimport type { Dependency, Ecosystem, ScanResult } from '../../core/types.js';\nimport { LockfileParseError } from '../../core/errors.js';\n\n/\n Rust / Cargo dependency scanner.\n \n Parses `Cargo.lock` (TOML format) to extract the full resolved\n * dependency tree. Reads `Cargo.toml` to determine which packages\n * are direct dependencies vs transitive.\n \n Cargo.lock format (v3):\n * ```toml\n * [[package]]\n * name = \"serde\"\n * version = \"1.0.195\"\n * source = \"registry+https://github.com/rust-lang/crates.io-index\"\n * checksum = \"abc123...\"\n * dependencies = [\n * \"serde_derive\",\n * ]\n * ```\n \n Note: We use a simple TOML parser since Cargo.lock has a very\n * regular structure (just [[package]] entries). No need for a full\n * TOML library.\n /\nexport class CargoScanner implements DependencyScanner {\n readonly ecosystem: Ecosystem = 'cargo';\n readonly lockfileNames = ['Cargo.lock'];\n\n async detect(projectPath: string): Promise<string \| null> {\n const lockfilePath = path.join(projectPath, 'Cargo.lock');\n return existsSync(lockfilePath) ? lockfilePath : null;\n }\n\n async scan(projectPath: string, lockfilePath: string): Promise<ScanResult> {\n const [lockfileRaw, cargoTomlRaw] = await Promise.all([\n readFile(lockfilePath, 'utf-8'),\n readFile(path.join(projectPath, 'Cargo.toml'), 'utf-8').catch(() => null),\n ]);\n\n const packages = this.parseLockfile(lockfileRaw, lockfilePath);\n const directNames = cargoTomlRaw ? this.parseCargoToml(cargoTomlRaw) : new Set<string>();\n\n // The first [[package]] is typically the root project — skip it\n const rootName = packages.length > 0 ? packages[0].name : null;\n\n const dependencies: Dependency[] = [];\n for (const pkg of packages) {\n // Skip the root project itself\n if (pkg.name === rootName && pkg.source === undefined) continue;\n\n dependencies.push({\n name: pkg.name,\n version: pkg.version,\n direct: directNames.has(pkg.name),\n ecosystem: 'cargo',\n purl: this.buildPurl(pkg.name, pkg.version),\n });\n }\n\n return {\n projectPath,\n ecosystem: 'cargo',\n dependencies,\n lockfilePath,\n scannedAt: new Date().toISOString(),\n };\n }\n\n /\n Parses Cargo.lock by splitting on [[package]] blocks.\n * This is a lightweight parser that handles the regular structure\n * of Cargo.lock without needing a full TOML parser.\n /\n private parseLockfile(content: string, lockfilePath: string): CargoPackage[] {\n const packages: CargoPackage[] = [];\n const blocks = content.split(/^\\[\\[package\\]\\]$/m);\n\n for (const block of blocks) {\n if (!block.trim()) continue;\n\n const name = this.extractField(block, 'name');\n const version = this.extractField(block, 'version');\n const source = this.extractField(block, 'source');\n\n if (name && version) {\n packages.push({ name, version, source: source \|\| undefined });\n }\n }\n\n if (packages.length === 0 && content.includes('[[package]]')) {\n throw new LockfileParseError(lockfilePath, 'Failed to parse any packages from Cargo.lock');\n }\n\n return packages;\n }\n\n /\n Extracts a string field value from a TOML block.\n * Handles: `name = \"value\"` format.\n /\n private extractField(block: string, fieldName: string): string \| null {\n const regex = new RegExp(`^${fieldName}\\\\s=\\\\s\"([^\"])\"`, 'm');\n const match = block.match(regex);\n return match ? match[1] : null;\n }\n\n /*\n Parses Cargo.toml to extract direct dependency names.\n * Looks for [dependencies] and [dev-dependencies] sections.\n /\n private parseCargoToml(content: string): Set<string> {\n const directNames = new Set<string>();\n let inDepsSection = false;\n\n for (const rawLine of content.split('\\n')) {\n const line = rawLine.trim();\n\n // Detect section headers\n if (line.startsWith('[')) {\n inDepsSection =\n line === '[dependencies]' \|\|\n line === '[dev-dependencies]' \|\|\n line === '[build-dependencies]';\n continue;\n }\n\n if (inDepsSection && line && !line.startsWith('#')) {\n // Extract package name from \"name = ...\" or \"name = { version = ... }\"\n const match = line.match(/^([a-zA-Z0-9_-]+)\\s=/);\n if (match) {\n directNames.add(match[1]);\n }\n }\n }\n\n return directNames;\n }\n\n /*\n Builds a purl for a Cargo (crates.io) package.\n /\n private buildPurl(name: string, version: string): string {\n return `pkg:cargo/${name}@${version}`;\n }\n}\n\n// ─── Internal types ──────────────────────────────────────────────\n\ninterface CargoPackage {\n name: string;\n version: string;\n source?: string;\n}\n","import { readFile } from 'fs/promises';\nimport { existsSync } from 'fs';\nimport path from 'path';\nimport type { DependencyScanner } from '../scanner.interface.js';\nimport type { Dependency, Ecosystem, ScanResult } from '../../core/types.js';\nimport { LockfileParseError } from '../../core/errors.js';\n\n/\n Python / pip dependency scanner.\n \n Supports multiple Python dependency file formats (in priority order):\n * 1. `requirements.txt` — flat list of pinned dependencies\n * 2. `Pipfile.lock` — Pipenv lock file with exact versions\n \n For `requirements.txt`, all listed packages are treated as direct\n * dependencies (the file doesn't distinguish direct vs transitive).\n * For `Pipfile.lock`, `default` packages are direct and `develop`\n * packages are dev dependencies.\n \n Limitation: `requirements.txt` doesn't capture transitive deps unless\n * generated with `pip freeze`. If using `pip freeze` output, all deps\n * are listed but we can't distinguish direct vs transitive.\n /\nexport class PipScanner implements DependencyScanner {\n readonly ecosystem: Ecosystem = 'pip';\n readonly lockfileNames = ['requirements.txt', 'Pipfile.lock'];\n\n async detect(projectPath: string): Promise<string \| null> {\n // Check in priority order\n for (const lockfile of this.lockfileNames) {\n const fullPath = path.join(projectPath, lockfile);\n if (existsSync(fullPath)) return fullPath;\n }\n return null;\n }\n\n async scan(projectPath: string, lockfilePath: string): Promise<ScanResult> {\n const raw = await readFile(lockfilePath, 'utf-8');\n const filename = path.basename(lockfilePath);\n\n let dependencies: Dependency[];\n\n if (filename === 'Pipfile.lock') {\n dependencies = this.parsePipfileLock(raw, lockfilePath);\n } else {\n dependencies = this.parseRequirementsTxt(raw, lockfilePath);\n }\n\n return {\n projectPath,\n ecosystem: 'pip',\n dependencies,\n lockfilePath,\n scannedAt: new Date().toISOString(),\n };\n }\n\n /\n Parses `requirements.txt` format.\n \n Supports:\n * - `package==1.2.3` (pinned)\n * - `package>=1.2.0` (minimum — uses the specified version)\n * - `package~=1.2.0` (compatible release)\n * - Comments (`#`) and blank lines are skipped\n * - `-r other-file.txt` (include directive) — skipped for now\n * - `--index-url` and other pip flags — skipped\n /\n private parseRequirementsTxt(content: string, lockfilePath: string): Dependency[] {\n const deps: Dependency[] = [];\n\n for (const rawLine of content.split('\\n')) {\n const line = rawLine.trim();\n\n // Skip comments, blank lines, flags, and include directives\n if (!line \|\| line.startsWith('#') \|\| line.startsWith('-') \|\| line.startsWith('--')) {\n continue;\n }\n\n // Parse \"package==version\", \"package>=version\", \"package~=version\"\n const match = line.match(/^([a-zA-Z0-9_][a-zA-Z0-9._-])\\s(?:[~=!<>]=?)\\s(.+)$/);\n if (match) {\n const [, name, versionSpec] = match;\n // Extract the first version number from the spec\n const version = this.extractVersion(versionSpec);\n if (name && version) {\n deps.push({\n name: this.normalizePipName(name),\n version,\n direct: true, // requirements.txt doesn't distinguish\n ecosystem: 'pip',\n purl: this.buildPurl(name, version),\n });\n }\n }\n }\n\n return deps;\n }\n\n /*\n Parses `Pipfile.lock` (JSON format from Pipenv).\n \n Structure:\n * ```json\n * {\n * \"_meta\": { ... },\n * \"default\": {\n * \"requests\": { \"version\": \"==2.31.0\", ... }\n * },\n * \"develop\": {\n * \"pytest\": { \"version\": \"==7.4.0\", ... }\n * }\n * }\n * ```\n /\n private parsePipfileLock(content: string, lockfilePath: string): Dependency[] {\n let lockfile: PipfileLock;\n try {\n lockfile = JSON.parse(content);\n } catch {\n throw new LockfileParseError(lockfilePath, 'Invalid JSON in Pipfile.lock');\n }\n\n const deps: Dependency[] = [];\n\n // Parse \"default\" (production) dependencies\n if (lockfile.default) {\n for (const [name, info] of Object.entries(lockfile.default)) {\n const version = info.version?.replace(/^==/, '') ?? '';\n if (version) {\n deps.push({\n name: this.normalizePipName(name),\n version,\n direct: true,\n ecosystem: 'pip',\n purl: this.buildPurl(name, version),\n });\n }\n }\n }\n\n // Parse \"develop\" dependencies\n if (lockfile.develop) {\n for (const [name, info] of Object.entries(lockfile.develop)) {\n const version = info.version?.replace(/^==/, '') ?? '';\n if (version) {\n deps.push({\n name: this.normalizePipName(name),\n version,\n direct: true,\n ecosystem: 'pip',\n purl: this.buildPurl(name, version),\n });\n }\n }\n }\n\n return deps;\n }\n\n /\n Extracts the version number from a pip version specifier.\n * \"1.2.3\" → \"1.2.3\"\n * \"1.2.3,<2.0\" → \"1.2.3\"\n /\n private extractVersion(spec: string): string {\n const cleaned = spec.split(',')[0].trim();\n return cleaned;\n }\n\n /\n Normalizes a pip package name per PEP 503.\n * Converts to lowercase and replaces any run of [-_.] with a single hyphen.\n /\n private normalizePipName(name: string): string {\n return name.toLowerCase().replace(/[-_.]+/g, '-');\n }\n\n /\n Builds a purl for a PyPI package.\n * Per purl spec, the type is \"pypi\" (not \"pip\").\n /\n private buildPurl(name: string, version: string): string {\n return `pkg:pypi/${this.normalizePipName(name)}@${version}`;\n }\n}\n\n// ─── Types for Pipfile.lock parsing ──────────────────────────────\n\ninterface PipfileLock {\n _meta?: Record<string, unknown>;\n default?: Record<string, PipfileLockEntry>;\n develop?: Record<string, PipfileLockEntry>;\n}\n\ninterface PipfileLockEntry {\n version?: string;\n hashes?: string[];\n markers?: string;\n index?: string;\n}\n","import { readFile } from 'fs/promises';\nimport { existsSync } from 'fs';\nimport { execSync } from 'child_process';\nimport path from 'path';\nimport type { DependencyScanner } from '../scanner.interface.js';\nimport type { Dependency, Ecosystem, ScanResult } from '../../core/types.js';\nimport { LockfileParseError } from '../../core/errors.js';\n\n/\n Java / Maven dependency scanner.\n \n Maven doesn't have a lockfile. This scanner uses two strategies:\n \n 1. Primary (auto): If `mvn` is on `$PATH`, runs\n * `mvn dependency:list -DoutputType=text` to get the resolved\n * dependency tree including transitive dependencies.\n \n 2. Fallback (pre-generated): Looks for a `dependency-tree.txt`\n * file in the project root. Users can generate this with:\n * ```\n * mvn dependency:list -DoutputFile=dependency-tree.txt -DoutputType=text\n * ```\n \n The scanner detects a Maven project by the presence of `pom.xml`.\n \n Maven dependency:list output format (one per line):\n * ```\n * com.google.guava:guava:jar:32.1.3-jre:compile\n * org.slf4j:slf4j-api:jar:2.0.9:compile\n * junit:junit:jar:4.13.2:test\n * ```\n * Fields: groupId:artifactId:type:version:scope\n /\nexport class MavenScanner implements DependencyScanner {\n readonly ecosystem: Ecosystem = 'maven';\n readonly lockfileNames = ['pom.xml'];\n\n /* Allow injection for testing /\n private execSyncFn: typeof execSync;\n\n constructor(execSyncImpl?: typeof execSync) {\n this.execSyncFn = execSyncImpl ?? execSync;\n }\n\n async detect(projectPath: string): Promise<string \| null> {\n const pomPath = path.join(projectPath, 'pom.xml');\n return existsSync(pomPath) ? pomPath : null;\n }\n\n async scan(projectPath: string, _lockfilePath: string): Promise<ScanResult> {\n // Strategy 1: Try pre-generated dependency-tree.txt\n const depTreePath = path.join(projectPath, 'dependency-tree.txt');\n if (existsSync(depTreePath)) {\n const content = await readFile(depTreePath, 'utf-8');\n const dependencies = this.parseDependencyList(content, depTreePath);\n return this.buildResult(projectPath, depTreePath, dependencies);\n }\n\n // Strategy 2: Try running `mvn dependency:list`\n if (this.isMavenAvailable()) {\n const output = this.runMavenDependencyList(projectPath);\n const dependencies = this.parseDependencyList(output, 'mvn dependency:list');\n return this.buildResult(projectPath, path.join(projectPath, 'pom.xml'), dependencies);\n }\n\n throw new LockfileParseError(\n path.join(projectPath, 'pom.xml'),\n 'Maven project detected (pom.xml found) but could not resolve dependencies. ' +\n 'Either install Maven (`mvn` must be on $PATH) or pre-generate a dependency list:\\n' +\n ' mvn dependency:list -DoutputFile=dependency-tree.txt -DappendOutput=true'\n );\n }\n\n /\n Parses Maven `dependency:list` output.\n \n Each dependency line has the format:\n * groupId:artifactId:type:version:scope\n * groupId:artifactId:type:classifier:version:scope\n \n Lines are typically indented with leading whitespace.\n /\n private parseDependencyList(content: string, source: string): Dependency[] {\n const deps: Dependency[] = [];\n const depPattern = /^\\s([a-zA-Z0-9._-]+):([a-zA-Z0-9._-]+):([a-z]+):(?:([a-zA-Z0-9._-]+):)?([a-zA-Z0-9._-]+):([a-z]+)/;\n\n for (const rawLine of content.split('\\n')) {\n const line = rawLine.trim();\n if (!line) continue;\n\n const match = line.match(depPattern);\n if (match) {\n const groupId = match[1];\n const artifactId = match[2];\n // match[3] = type (jar, etc.)\n // match[4] = classifier (optional — may be undefined)\n const version = match[4] && match[5] ? match[5] : (match[4] ?? match[5]);\n const scope = match[4] && match[5] ? match[6] : (match[5] && match[6] ? match[6] : match[5]);\n\n // Re-parse more carefully: the regex groups shift with/without classifier\n const parts = line.split(':');\n if (parts.length >= 5) {\n const gId = parts[0].trim();\n const aId = parts[1];\n const ver = parts.length === 6 ? parts[4] : parts[3];\n const scp = parts.length === 6 ? parts[5] : parts[4];\n\n if (gId && aId && ver) {\n const name = `${gId}:${aId}`;\n deps.push({\n name,\n version: ver,\n direct: scp === 'compile' \|\| scp === 'runtime' \|\| scp === 'provided',\n ecosystem: 'maven',\n purl: this.buildPurl(gId, aId, ver),\n });\n }\n }\n }\n }\n\n return deps;\n }\n\n /** Checks if `mvn` is available on PATH /\n private isMavenAvailable(): boolean {\n try {\n this.execSyncFn('mvn --version', { stdio: 'pipe', timeout: 10_000 });\n return true;\n } catch {\n return false;\n }\n }\n\n /\n Runs `mvn dependency:list` and returns the output.\n /\n private runMavenDependencyList(projectPath: string): string {\n try {\n const output = this.execSyncFn(\n 'mvn dependency:list -DoutputType=text -DincludeScope=compile',\n {\n cwd: projectPath,\n stdio: 'pipe',\n timeout: 120_000, // 2 minute timeout\n encoding: 'utf-8',\n }\n );\n return output.toString();\n } catch (err: unknown) {\n const message = err instanceof Error ? err.message : String(err);\n throw new LockfileParseError(\n path.join(projectPath, 'pom.xml'),\n `Failed to run 'mvn dependency:list': ${message}`\n );\n }\n }\n\n /\n Builds a purl for a Maven package.\n * Format: pkg:maven/groupId/artifactId@version\n /\n private buildPurl(groupId: string, artifactId: string, version: string): string {\n return `pkg:maven/${groupId}/${artifactId}@${version}`;\n }\n\n private buildResult(\n projectPath: string,\n lockfilePath: string,\n dependencies: Dependency[]\n ): ScanResult {\n return {\n projectPath,\n ecosystem: 'maven',\n dependencies,\n lockfilePath,\n scannedAt: new Date().toISOString(),\n };\n }\n}\n","import { readFile } from 'fs/promises';\nimport { existsSync } from 'fs';\nimport path from 'path';\nimport type { DependencyScanner } from '../scanner.interface.js';\nimport type { Dependency, Ecosystem, ScanResult } from '../../core/types.js';\nimport { LockfileParseError } from '../../core/errors.js';\n\n/\n Go module dependency scanner.\n \n Parses `go.sum` to extract the full resolved dependency list, and\n * cross-references `go.mod` to distinguish direct vs indirect (transitive)\n * dependencies.\n \n go.sum format (one or two lines per module):\n * ```\n * github.com/gin-gonic/gin v1.9.1 h1:abc123...=\n * github.com/gin-gonic/gin v1.9.1/go.mod h1:def456...=\n * ```\n \n Lines ending in `/go.mod` are checksums of the module's go.mod file —\n * we skip those and only keep the `h1:` lines (source archive checksums).\n \n go.mod `require` block format:\n * ```\n * require (\n * github.com/gin-gonic/gin v1.9.1\n * golang.org/x/text v0.14.0 // indirect\n * )\n * ```\n \n Dependencies marked `// indirect` are transitive.\n /\nexport class GoScanner implements DependencyScanner {\n readonly ecosystem: Ecosystem = 'go';\n readonly lockfileNames = ['go.sum'];\n\n async detect(projectPath: string): Promise<string \| null> {\n const goSumPath = path.join(projectPath, 'go.sum');\n return existsSync(goSumPath) ? goSumPath : null;\n }\n\n async scan(projectPath: string, lockfilePath: string): Promise<ScanResult> {\n const [goSumRaw, goModRaw] = await Promise.all([\n readFile(lockfilePath, 'utf-8'),\n readFile(path.join(projectPath, 'go.mod'), 'utf-8').catch(() => null),\n ]);\n\n const { directNames, indirectNames } = goModRaw\n ? this.parseGoMod(goModRaw)\n : { directNames: new Set<string>(), indirectNames: new Set<string>() };\n\n const dependencies = this.parseGoSum(goSumRaw, lockfilePath, directNames, indirectNames);\n\n return {\n projectPath,\n ecosystem: 'go',\n dependencies,\n lockfilePath,\n scannedAt: new Date().toISOString(),\n };\n }\n\n /\n Parses go.sum and extracts unique module dependencies.\n \n Each module may appear twice in go.sum (once for the source archive,\n * once for go.mod). We deduplicate by module path + version, keeping\n * only the `h1:` entry (not the `/go.mod` entry).\n /\n private parseGoSum(\n content: string,\n lockfilePath: string,\n directNames: Set<string>,\n indirectNames: Set<string>,\n ): Dependency[] {\n const depMap = new Map<string, Dependency>();\n\n for (const rawLine of content.split('\\n')) {\n const line = rawLine.trim();\n if (!line) continue;\n\n // Format: \"module version hash\"\n const parts = line.split(/\\s+/);\n if (parts.length < 3) continue;\n\n const modulePath = parts[0];\n let version = parts[1];\n\n // Skip /go.mod checksum lines\n if (version.endsWith('/go.mod')) continue;\n\n // Strip any +incompatible suffix for cleaner versions\n version = version.replace(/\\+incompatible$/, '');\n\n const key = `${modulePath}@${version}`;\n if (depMap.has(key)) continue;\n\n // Determine direct/indirect from go.mod data\n // If go.mod is available: explicit direct or not marked indirect = direct\n // If go.mod is not available: default to direct (conservative)\n const isDirect = directNames.size > 0 \|\| indirectNames.size > 0\n ? directNames.has(modulePath) \|\| (!indirectNames.has(modulePath) && !directNames.has(modulePath) ? false : directNames.has(modulePath))\n : true;\n\n depMap.set(key, {\n name: modulePath,\n version,\n direct: isDirect,\n ecosystem: 'go',\n purl: this.buildPurl(modulePath, version),\n });\n }\n\n return Array.from(depMap.values());\n }\n\n /\n Parses go.mod to extract direct and indirect dependency names.\n \n Handles both single-line and block `require` directives:\n * ```\n * require github.com/pkg/errors v0.9.1\n \n require (\n * github.com/gin-gonic/gin v1.9.1\n * golang.org/x/text v0.14.0 // indirect\n * )\n * ```\n /\n private parseGoMod(content: string): { directNames: Set<string>; indirectNames: Set<string> } {\n const directNames = new Set<string>();\n const indirectNames = new Set<string>();\n\n let inRequireBlock = false;\n\n for (const rawLine of content.split('\\n')) {\n const line = rawLine.trim();\n\n // Single-line require: `require github.com/pkg/errors v0.9.1`\n if (line.startsWith('require ') && !line.includes('(')) {\n const match = line.match(/^require\\s+(\\S+)\\s+\\S+(.)$/);\n if (match) {\n const modulePath = match[1];\n const rest = match[2];\n if (rest.includes('// indirect')) {\n indirectNames.add(modulePath);\n } else {\n directNames.add(modulePath);\n }\n }\n continue;\n }\n\n // Start of require block\n if (line === 'require (' \|\| line.startsWith('require (')) {\n inRequireBlock = true;\n continue;\n }\n\n // End of require block\n if (inRequireBlock && line === ')') {\n inRequireBlock = false;\n continue;\n }\n\n // Inside require block\n if (inRequireBlock && line && !line.startsWith('//')) {\n const match = line.match(/^(\\S+)\\s+\\S+(.)$/);\n if (match) {\n const modulePath = match[1];\n const rest = match[2];\n if (rest.includes('// indirect')) {\n indirectNames.add(modulePath);\n } else {\n directNames.add(modulePath);\n }\n }\n }\n }\n\n return { directNames, indirectNames };\n }\n\n /\n Builds a purl for a Go module.\n \n Per purl spec, the type is \"golang\" and the module path\n * uses `/` separators (no encoding needed for path segments).\n \n Example: `pkg:golang/github.com/gin-gonic/gin@v1.9.1`\n /\n private buildPurl(modulePath: string, version: string): string {\n return `pkg:golang/${modulePath}@${version}`;\n }\n}\n","import { readFile } from 'fs/promises';\nimport { existsSync } from 'fs';\nimport path from 'path';\nimport type { DependencyScanner } from '../scanner.interface.js';\nimport type { Dependency, Ecosystem, ScanResult } from '../../core/types.js';\nimport { LockfileParseError } from '../../core/errors.js';\n\n/\n Ruby dependency scanner (Bundler).\n \n Parses `Gemfile.lock` to extract the full resolved dependency list,\n * and cross-references the `DEPENDENCIES` section to distinguish\n * direct vs transitive gems.\n \n Gemfile.lock format:\n * ```\n * GEM\n * remote: https://rubygems.org/\n * specs:\n * actioncable (7.1.2)\n * actionpack (= 7.1.2)\n * activesupport (= 7.1.2)\n * rack (3.0.8)\n \n PLATFORMS\n * ruby\n \n DEPENDENCIES\n * puma (>= 5.0)\n * rails (~> 7.1.2)\n \n BUNDLED WITH\n * 2.5.3\n * ```\n \n The `GEM > specs:` section lists all resolved gems with exact versions.\n * The `DEPENDENCIES` section lists direct gems (from the Gemfile).\n /\nexport class RubyScanner implements DependencyScanner {\n readonly ecosystem: Ecosystem = 'ruby';\n readonly lockfileNames = ['Gemfile.lock'];\n\n async detect(projectPath: string): Promise<string \| null> {\n const lockfilePath = path.join(projectPath, 'Gemfile.lock');\n return existsSync(lockfilePath) ? lockfilePath : null;\n }\n\n async scan(projectPath: string, lockfilePath: string): Promise<ScanResult> {\n const content = await readFile(lockfilePath, 'utf-8');\n\n const specs = this.parseSpecs(content, lockfilePath);\n const directNames = this.parseDependencies(content);\n\n const dependencies: Dependency[] = specs.map(({ name, version }) => ({\n name,\n version,\n direct: directNames.has(name),\n ecosystem: 'ruby' as Ecosystem,\n purl: `pkg:gem/${name}@${version}`,\n }));\n\n return {\n projectPath,\n ecosystem: 'ruby',\n dependencies,\n lockfilePath,\n scannedAt: new Date().toISOString(),\n };\n }\n\n /\n Parses the GEM > specs section to extract all resolved gems.\n \n Gems at the top level of the specs section (indented 4 spaces) are\n * resolved packages. Their sub-dependencies (indented 6+ spaces) are\n * constraints, not separate entries — those sub-deps appear as their\n * own top-level spec entries elsewhere.\n \n Format: ` gem-name (1.2.3)`\n /\n private parseSpecs(\n content: string,\n lockfilePath: string,\n ): Array<{ name: string; version: string }> {\n const gems: Array<{ name: string; version: string }> = [];\n\n let inGemSection = false;\n let inSpecs = false;\n\n for (const rawLine of content.split('\\n')) {\n const line = rawLine;\n\n // Detect section boundaries (lines with no leading whitespace)\n if (line.length > 0 && line[0] !== ' ') {\n if (line.startsWith('GEM')) {\n inGemSection = true;\n inSpecs = false;\n continue;\n }\n // Any other top-level section ends GEM\n inGemSection = false;\n inSpecs = false;\n continue;\n }\n\n if (inGemSection && line.trimStart().startsWith('specs:')) {\n inSpecs = true;\n continue;\n }\n\n if (!inSpecs) continue;\n\n // Top-level gems are indented exactly 4 spaces: \" gem-name (1.2.3)\"\n // Sub-dependencies are indented 6+ spaces: \" dep-name (>= 1.0)\"\n // We only want the 4-space entries (actual resolved packages)\n const match = line.match(/^ {4}(\\S+)\\s+\$([^)]+)\$$/);\n if (match) {\n const [, name, version] = match;\n gems.push({ name, version });\n }\n }\n\n if (gems.length === 0) {\n throw new LockfileParseError(\n lockfilePath,\n 'No gems found in GEM specs section',\n );\n }\n\n return gems;\n }\n\n /\n Parses the DEPENDENCIES section to get direct dependency names.\n \n Format: ` gem-name (>= 1.0)` or ` gem-name`\n * The version constraint is optional and we only need the name.\n /\n private parseDependencies(content: string): Set<string> {\n const directNames = new Set<string>();\n let inDependencies = false;\n\n for (const rawLine of content.split('\\n')) {\n const line = rawLine;\n\n // Section header (no leading space)\n if (line.length > 0 && line[0] !== ' ') {\n if (line.startsWith('DEPENDENCIES')) {\n inDependencies = true;\n continue;\n }\n if (inDependencies) break; // Next section → stop\n continue;\n }\n\n if (!inDependencies) continue;\n\n // Dependencies are indented 2 spaces: \" gem-name\" or \" gem-name (>= 1.0)\"\n // The ! suffix indicates a gem loaded from a specific source/path\n const match = line.match(/^ {2}(\\S+?)!?\\s(?:\\(\|$)/);\n if (match) {\n directNames.add(match[1]);\n }\n }\n\n return directNames;\n }\n}\n","import type { DependencyScanner } from './scanner.interface.js';\nimport type { ScanResult } from '../core/types.js';\nimport { NpmScanner } from './npm/npm-scanner.js';\nimport { NugetScanner } from './nuget/nuget-scanner.js';\nimport { CargoScanner } from './cargo/cargo-scanner.js';\nimport { PipScanner } from './pip/pip-scanner.js';\nimport { MavenScanner } from './maven/maven-scanner.js';\nimport { GoScanner } from './go/go-scanner.js';\nimport { RubyScanner } from './ruby/ruby-scanner.js';\nimport { NoLockfileError } from '../core/errors.js';\n\n/*\n Registry of all available dependency scanners.\n * Auto-detects the correct scanner for a given project.\n /\nexport class ScannerRegistry {\n private scanners: DependencyScanner[];\n\n constructor() {\n this.scanners = [\n new NpmScanner(),\n new NugetScanner(),\n new CargoScanner(),\n new PipScanner(),\n new MavenScanner(),\n new GoScanner(),\n new RubyScanner(),\n ];\n }\n\n /\n Auto-detects the project's ecosystem and scans dependencies.\n * Tries each registered scanner in order until one matches.\n /\n async detectAndScan(projectPath: string): Promise<ScanResult> {\n for (const scanner of this.scanners) {\n const lockfilePath = await scanner.detect(projectPath);\n if (lockfilePath) {\n return scanner.scan(projectPath, lockfilePath);\n }\n }\n throw new NoLockfileError(projectPath);\n }\n\n /* Returns a specific scanner by ecosystem name /\n getScanner(ecosystem: string): DependencyScanner \| undefined {\n return this.scanners.find((s) => s.ecosystem === ecosystem);\n }\n\n /* Lists all registered ecosystems /\n listEcosystems(): string[] {\n return this.scanners.map((s) => s.ecosystem);\n }\n}\n","import { randomUUID } from 'crypto';\nimport type { SbomGenerator } from './generator.interface.js';\nimport type { ScanResult, Sbom, SbomFormat, Dependency } from '../core/types.js';\n\n/\n Generates CycloneDX 1.7 JSON SBOMs.\n \n CycloneDX is the preferred SBOM format for CRA compliance.\n * Spec: https://cyclonedx.org/docs/1.7/json/\n \n NTIA minimum elements are satisfied:\n * - metadata.supplier (supplier of the root software)\n * - components[].supplier (supplier of each dependency)\n * - components[].name, version, purl, bom-ref\n * - dependencies[] graph\n /\nexport class CycloneDxGenerator implements SbomGenerator {\n readonly format: SbomFormat = 'cyclonedx-json';\n\n generate(scanResult: ScanResult, toolVersion: string = '0.1.0'): Sbom {\n const bom = this.buildBom(scanResult, toolVersion);\n const content = JSON.stringify(bom, null, 2);\n\n return {\n format: 'cyclonedx-json',\n specVersion: '1.7',\n content,\n componentCount: scanResult.dependencies.length,\n generatedAt: new Date().toISOString(),\n };\n }\n\n private buildBom(scanResult: ScanResult, toolVersion: string): CycloneDxBom {\n const projectName = this.extractProjectName(scanResult.projectPath);\n\n return {\n $schema: 'http://cyclonedx.org/schema/bom-1.7.schema.json',\n bomFormat: 'CycloneDX',\n specVersion: '1.7',\n serialNumber: `urn:uuid:${randomUUID()}`,\n version: 1,\n metadata: {\n timestamp: new Date().toISOString(),\n tools: {\n components: [\n {\n type: 'application',\n name: 'verimu',\n version: toolVersion,\n description: 'Verimu CRA Compliance Scanner',\n supplier: { name: 'Verimu' },\n externalReferences: [\n {\n type: 'website',\n url: 'https://verimu.com',\n },\n ],\n },\n ],\n },\n // NTIA: metadata.supplier — the org supplying the root software\n supplier: {\n name: projectName,\n },\n component: {\n type: 'application',\n name: projectName,\n 'bom-ref': 'root-component',\n supplier: { name: projectName },\n },\n },\n components: scanResult.dependencies.map((dep) => this.toComponent(dep)),\n dependencies: this.buildDependencyGraph(scanResult),\n };\n }\n\n /* Converts a Verimu Dependency to a CycloneDX component /\n private toComponent(dep: Dependency): CycloneDxComponent {\n return {\n type: 'library',\n name: dep.name,\n version: dep.version,\n purl: dep.purl,\n 'bom-ref': dep.purl,\n scope: dep.direct ? 'required' : 'optional',\n // NTIA: component.supplier — derived from npm scope or package name\n supplier: {\n name: this.deriveSupplierName(dep.name),\n },\n };\n }\n\n /\n Derives a supplier name from a package name.\n \n For scoped packages like \"@vue/reactivity\" → \"@vue\"\n * For unscoped packages like \"express\" → \"express\"\n \n This is the same heuristic used by Syft, Trivy, and other SBOM tools\n * when registry metadata (author/publisher) isn't available from the lockfile.\n /\n private deriveSupplierName(packageName: string): string {\n if (packageName.startsWith('@')) {\n // Scoped package: \"@scope/name\" → \"@scope\"\n const scope = packageName.split('/')[0];\n return scope;\n }\n return packageName;\n }\n\n /\n Builds the dependency graph section of the SBOM.\n \n The root component depends on all dependencies (direct + transitive).\n * This ensures a single root node in the graph, which NTIA validators expect.\n \n We include ALL deps under root (not just direct) because from a flat lockfile\n * we can't reliably reconstruct which transitive dep belongs to which direct dep.\n * This is still valid per the CycloneDX spec — it represents a complete but flat\n * dependency relationship.\n /\n private buildDependencyGraph(scanResult: ScanResult): CycloneDxDependencyEntry[] {\n const allDepPurls = scanResult.dependencies.map((d) => d.purl);\n\n return [\n {\n ref: 'root-component',\n dependsOn: allDepPurls,\n },\n ];\n }\n\n /* Extracts project name from path /\n private extractProjectName(projectPath: string): string {\n const parts = projectPath.replace(/\\\\/g, '/').split('/');\n return parts[parts.length - 1] \|\| 'unknown-project';\n }\n}\n\n// ─── CycloneDX 1.7 JSON Types ──────────────────────────────────\n\ninterface OrganizationalEntity {\n name: string;\n url?: string[];\n contact?: Array<{ name?: string; email?: string; phone?: string }>;\n}\n\ninterface CycloneDxBom {\n $schema: string;\n bomFormat: string;\n specVersion: string;\n serialNumber: string;\n version: number;\n metadata: {\n timestamp: string;\n tools: {\n components: Array<{\n type: string;\n name: string;\n version: string;\n description?: string;\n supplier?: OrganizationalEntity;\n externalReferences?: Array<{ type: string; url: string }>;\n }>;\n };\n supplier: OrganizationalEntity;\n component: {\n type: string;\n name: string;\n 'bom-ref': string;\n supplier: OrganizationalEntity;\n };\n };\n components: CycloneDxComponent[];\n dependencies: CycloneDxDependencyEntry[];\n}\n\ninterface CycloneDxComponent {\n type: string;\n name: string;\n version: string;\n purl: string;\n 'bom-ref': string;\n scope?: string;\n supplier: OrganizationalEntity;\n}\n\ninterface CycloneDxDependencyEntry {\n ref: string;\n dependsOn: string[];\n}\n","import type { CveSource } from './source.interface.js';\nimport type { Dependency, Vulnerability, VulnerabilitySource, Severity } from '../core/types.js';\n\nconst OSV_API_BASE = 'https://api.osv.dev/v1';\nconst BATCH_SIZE = 1000; // OSV querybatch supports up to 1000\n\n/\n OSV.dev (Google Open Source Vulnerabilities) CVE source.\n \n Primary CVE source for Verimu because:\n * - Supports direct package name + ecosystem + version queries\n * - Has batch query endpoint for efficiency\n * - No authentication required\n * - Covers npm, PyPI, Go, Rust, Maven, NuGet, etc.\n * - Aggregates data from GitHub Advisory, NVD, and others\n \n API docs: https://google.github.io/osv.dev/api/\n /\nexport class OsvSource implements CveSource {\n readonly sourceId: VulnerabilitySource = 'osv';\n readonly name = 'OSV.dev (Google Open Source Vulnerabilities)';\n\n private fetchFn: typeof fetch;\n\n constructor(fetchImpl?: typeof fetch) {\n // Allow injecting fetch for testing\n this.fetchFn = fetchImpl ?? globalThis.fetch;\n }\n\n async checkDependencies(dependencies: Dependency[]): Promise<Vulnerability[]> {\n if (dependencies.length === 0) return [];\n\n const allVulns: Vulnerability[] = [];\n\n // Process in batches of BATCH_SIZE\n for (let i = 0; i < dependencies.length; i += BATCH_SIZE) {\n const batch = dependencies.slice(i, i + BATCH_SIZE);\n const batchVulns = await this.queryBatch(batch);\n allVulns.push(...batchVulns);\n }\n\n return allVulns;\n }\n\n /* Uses OSV's /querybatch endpoint for efficient bulk lookups /\n private async queryBatch(dependencies: Dependency[]): Promise<Vulnerability[]> {\n const queries = dependencies.map((dep) => ({\n version: dep.version,\n package: {\n name: dep.name,\n ecosystem: this.mapEcosystem(dep.ecosystem),\n },\n }));\n\n const response = await this.fetchFn(`${OSV_API_BASE}/querybatch`, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ queries }),\n });\n\n if (!response.ok) {\n throw new Error(`OSV API error: ${response.status} ${response.statusText}`);\n }\n\n const data = (await response.json()) as OsvBatchResponse;\n const vulnerabilities: Vulnerability[] = [];\n\n // Each result in `results` corresponds to the query at the same index\n for (let i = 0; i < data.results.length; i++) {\n const result = data.results[i];\n const dep = dependencies[i];\n\n if (result.vulns && result.vulns.length > 0) {\n for (const vuln of result.vulns) {\n vulnerabilities.push(this.mapVulnerability(vuln, dep));\n }\n }\n }\n\n return vulnerabilities;\n }\n\n /* Maps an OSV vulnerability record to our Vulnerability type /\n private mapVulnerability(osvVuln: OsvVulnerability, dep: Dependency): Vulnerability {\n const cveId = this.extractCveId(osvVuln);\n const severity = this.extractSeverity(osvVuln);\n\n return {\n id: cveId \|\| osvVuln.id,\n aliases: Array.from(new Set([osvVuln.id, ...(osvVuln.aliases ?? [])])),\n summary: osvVuln.summary ?? osvVuln.details?.slice(0, 200) ?? 'No description available',\n severity: severity.level,\n cvssScore: severity.score,\n packageName: dep.name,\n ecosystem: dep.ecosystem,\n affectedVersionRange: this.extractAffectedRange(osvVuln, dep.name),\n fixedVersion: this.extractFixedVersion(osvVuln, dep.name),\n exploitedInWild: false, // OSV doesn't track this — CISA KEV does\n source: 'osv',\n referenceUrl: `https://osv.dev/vulnerability/${osvVuln.id}`,\n publishedAt: osvVuln.published,\n };\n }\n\n /* Extracts CVE ID from aliases (prefers CVE-xxxx over GHSA-xxxx) /\n private extractCveId(vuln: OsvVulnerability): string \| null {\n // Check the main ID first\n if (vuln.id.startsWith('CVE-')) return vuln.id;\n\n // Check aliases\n if (vuln.aliases) {\n const cve = vuln.aliases.find((a) => a.startsWith('CVE-'));\n if (cve) return cve;\n }\n\n return null;\n }\n\n /* Extracts severity from CVSS scores in the OSV record /\n private extractSeverity(vuln: OsvVulnerability): { level: Severity; score?: number } {\n // Try database_specific first (often has CVSS)\n if (vuln.severity && vuln.severity.length > 0) {\n for (const sev of vuln.severity) {\n if (sev.type === 'CVSS_V3') {\n const score = this.parseCvssScore(sev.score);\n if (score !== null) {\n return { level: this.scoreToSeverity(score), score };\n }\n }\n }\n }\n\n // Try to extract from database_specific\n if (vuln.database_specific?.severity) {\n const s = vuln.database_specific.severity.toUpperCase();\n if (['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'].includes(s)) {\n return { level: s as Severity };\n }\n }\n\n return { level: 'UNKNOWN' };\n }\n\n /* Parses CVSS v3 vector string to extract the base score /\n private parseCvssScore(vectorOrScore: string): number \| null {\n // Could be a raw score like \"7.5\" or a vector like \"CVSS:3.1/AV:N/AC:L/...\"\n const num = parseFloat(vectorOrScore);\n if (!isNaN(num) && num >= 0 && num <= 10) return num;\n\n // If it's a vector string, we'd need to calculate — for now return null\n // and rely on severity text\n return null;\n }\n\n /* Converts a CVSS score (0-10) to a severity level /\n private scoreToSeverity(score: number): Severity {\n if (score >= 9.0) return 'CRITICAL';\n if (score >= 7.0) return 'HIGH';\n if (score >= 4.0) return 'MEDIUM';\n if (score > 0.0) return 'LOW';\n return 'UNKNOWN';\n }\n\n /* Extracts affected version range for a specific package /\n private extractAffectedRange(vuln: OsvVulnerability, packageName: string): string \| undefined {\n if (!vuln.affected) return undefined;\n\n for (const affected of vuln.affected) {\n if (affected.package?.name === packageName && affected.ranges) {\n for (const range of affected.ranges) {\n if (range.events) {\n const introduced = range.events.find((e) => e.introduced)?.introduced;\n const fixed = range.events.find((e) => e.fixed)?.fixed;\n if (introduced && fixed) return `>=${introduced}, <${fixed}`;\n if (introduced) return `>=${introduced}`;\n }\n }\n }\n }\n return undefined;\n }\n\n /* Extracts the fixed version for a specific package /\n private extractFixedVersion(vuln: OsvVulnerability, packageName: string): string \| undefined {\n if (!vuln.affected) return undefined;\n\n for (const affected of vuln.affected) {\n if (affected.package?.name === packageName && affected.ranges) {\n for (const range of affected.ranges) {\n if (range.events) {\n const fixed = range.events.find((e) => e.fixed)?.fixed;\n if (fixed) return fixed;\n }\n }\n }\n }\n return undefined;\n }\n\n /* Maps our ecosystem names to OSV ecosystem names /\n private mapEcosystem(ecosystem: string): string {\n const map: Record<string, string> = {\n npm: 'npm',\n nuget: 'NuGet',\n cargo: 'crates.io',\n maven: 'Maven',\n pip: 'PyPI',\n go: 'Go',\n ruby: 'RubyGems',\n };\n return map[ecosystem] ?? ecosystem;\n }\n}\n\n// ─── OSV API Response Types ─────────────────────────────────────\n\ninterface OsvBatchResponse {\n results: Array<{\n vulns?: OsvVulnerability[];\n }>;\n}\n\ninterface OsvVulnerability {\n id: string;\n summary?: string;\n details?: string;\n aliases?: string[];\n published?: string;\n modified?: string;\n severity?: Array<{\n type: string;\n score: string;\n }>;\n affected?: Array<{\n package?: {\n name: string;\n ecosystem: string;\n };\n ranges?: Array<{\n type: string;\n events: Array<{\n introduced?: string;\n fixed?: string;\n last_affected?: string;\n }>;\n }>;\n versions?: string[];\n }>;\n database_specific?: {\n severity?: string;\n [key: string]: unknown;\n };\n references?: Array<{\n type: string;\n url: string;\n }>;\n}\n","import type { CveSource } from './source.interface.js';\nimport type { Dependency, CveCheckResult, Vulnerability, VulnerabilitySource } from '../core/types.js';\nimport { OsvSource } from './osv.js';\n\n/\n Aggregates vulnerability data from multiple CVE sources.\n * Deduplicates results by CVE ID across sources.\n /\nexport class CveAggregator {\n private sources: CveSource[];\n\n constructor(sources?: CveSource[]) {\n this.sources = sources ?? [\n new OsvSource(),\n // Future: new NvdSource(), new EuvdSource(), new CisaKevSource()\n ];\n }\n\n /\n Checks dependencies against all registered CVE sources.\n * Runs sources in parallel and merges/deduplicates results.\n /\n async check(dependencies: Dependency[]): Promise<CveCheckResult> {\n const startTime = Date.now();\n const sourcesQueried: VulnerabilitySource[] = [];\n const sourceErrors: { source: VulnerabilitySource; error: string }[] = [];\n const allVulns: Vulnerability[] = [];\n\n // Run all sources in parallel\n const results = await Promise.allSettled(\n this.sources.map(async (source) => {\n const vulns = await source.checkDependencies(dependencies);\n return { sourceId: source.sourceId, vulns };\n })\n );\n\n for (const result of results) {\n if (result.status === 'fulfilled') {\n sourcesQueried.push(result.value.sourceId);\n allVulns.push(...result.value.vulns);\n } else {\n // Extract the source ID from the error context\n const sourceIndex = results.indexOf(result);\n const sourceId = this.sources[sourceIndex].sourceId;\n sourceErrors.push({\n source: sourceId,\n error: result.reason instanceof Error ? result.reason.message : String(result.reason),\n });\n }\n }\n\n // Deduplicate by CVE ID (prefer the entry with more data)\n const deduplicated = this.deduplicateVulnerabilities(allVulns);\n\n return {\n vulnerabilities: deduplicated,\n sourcesQueried,\n sourceErrors,\n checkDurationMs: Date.now() - startTime,\n };\n }\n\n /\n Deduplicates vulnerabilities by ID.\n * When the same CVE appears from multiple sources,\n * keeps the one with more complete data (has CVSS score, has fix version, etc.)\n /\n private deduplicateVulnerabilities(vulns: Vulnerability[]): Vulnerability[] {\n const byKey = new Map<string, Vulnerability>();\n\n for (const vuln of vulns) {\n // Key by (vulnerability ID + package name) to handle the same CVE\n // affecting multiple packages\n const key = `${vuln.id}::${vuln.packageName}`;\n const existing = byKey.get(key);\n\n if (!existing) {\n byKey.set(key, vuln);\n } else {\n // Keep the one with more data\n byKey.set(key, this.pickBetterEntry(existing, vuln));\n }\n }\n\n return Array.from(byKey.values());\n }\n\n /* Picks the vulnerability entry with more complete data /\n private pickBetterEntry(a: Vulnerability, b: Vulnerability): Vulnerability {\n let scoreA = 0;\n let scoreB = 0;\n\n if (a.cvssScore !== undefined) scoreA++;\n if (b.cvssScore !== undefined) scoreB++;\n if (a.fixedVersion) scoreA++;\n if (b.fixedVersion) scoreB++;\n if (a.affectedVersionRange) scoreA++;\n if (b.affectedVersionRange) scoreB++;\n if (a.severity !== 'UNKNOWN') scoreA++;\n if (b.severity !== 'UNKNOWN') scoreB++;\n\n // Merge: start with the lesser entry, overlay with the better one.\n // Strip undefined/null values so they don't overwrite real data.\n const strip = (obj: Record<string, unknown>) =>\n Object.fromEntries(Object.entries(obj).filter(([, v]) => v !== undefined && v !== null));\n\n const winner = scoreB > scoreA\n ? { ...strip(a as unknown as Record<string, unknown>), ...strip(b as unknown as Record<string, unknown>) } as unknown as Vulnerability\n : { ...strip(b as unknown as Record<string, unknown>), ...strip(a as unknown as Record<string, unknown>) } as unknown as Vulnerability;\n\n // Merge aliases\n const allAliases = new Set([...a.aliases, ...b.aliases]);\n winner.aliases = Array.from(allAliases);\n\n // If either says exploited, it's exploited\n winner.exploitedInWild = a.exploitedInWild \|\| b.exploitedInWild;\n\n return winner;\n }\n}\n","import type { Reporter } from './reporter.interface.js';\nimport type { VerimuReport, Vulnerability, Severity } from '../core/types.js';\n\n/* Outputs a human-readable console report */\nexport class ConsoleReporter implements Reporter {\n readonly name = 'console';\n\n report(result: VerimuReport): string {\n const lines: string[] = [];\n\n lines.push('');\n lines.push('┌─────────────────────────────────────────────┐');\n lines.push('│ VERIMU CRA COMPLIANCE SCAN │');\n lines.push('└─────────────────────────────────────────────┘');\n lines.push('');\n\n // Project info\n lines.push(` Project: ${result.project.path}`);\n lines.push(` Ecosystem: ${result.project.ecosystem}`);\n lines.push(` Dependencies: ${result.project.dependencyCount}`);\n lines.push(` Scanned at: ${result.generatedAt}`);\n lines.push('');\n\n // SBOM info\n lines.push(` ✓ SBOM generated (${result.sbom.format}, ${result.sbom.specVersion})`);\n lines.push(` Components: ${result.sbom.componentCount}`);\n lines.push('');\n\n // CVE results\n const vulns = result.cveCheck.vulnerabilities;\n if (vulns.length === 0) {\n lines.push(' ✓ No known vulnerabilities found');\n } else {\n lines.push(` ⚠ ${vulns.length} vulnerabilit${vulns.length === 1 ? 'y' : 'ies'} found:`);\n lines.push('');\n\n // Sort by severity: CRITICAL → HIGH → MEDIUM → LOW → UNKNOWN\n const sorted = [...vulns].sort((a, b) => severityOrder(a.severity) - severityOrder(b.severity));\n\n for (const vuln of sorted) {\n const badge = severityBadge(vuln.severity);\n const fix = vuln.fixedVersion ? ` → fix: ${vuln.fixedVersion}` : '';\n lines.push(` ${badge} ${vuln.id}`);\n lines.push(` ${vuln.packageName}@${vuln.affectedVersionRange ?? '?'}${fix}`);\n lines.push(` ${vuln.summary.slice(0, 100)}`);\n if (vuln.exploitedInWild) {\n lines.push(` 🔴 ACTIVELY EXPLOITED — 24h CRA reporting required`);\n }\n lines.push('');\n }\n }\n\n // Sources\n const sources = result.cveCheck.sourcesQueried.join(', ');\n lines.push(` Sources queried: ${sources} (${result.cveCheck.checkDurationMs}ms)`);\n\n if (result.cveCheck.sourceErrors.length > 0) {\n for (const err of result.cveCheck.sourceErrors) {\n lines.push(` ⚠ ${err.source}: ${err.error}`);\n }\n }\n\n // Summary\n lines.push('');\n lines.push(' ─── Summary ───');\n lines.push(` Total: ${result.summary.totalVulnerabilities} \| ` +\n `Critical: ${result.summary.critical} \| ` +\n `High: ${result.summary.high} \| ` +\n `Medium: ${result.summary.medium} \| ` +\n `Low: ${result.summary.low}`);\n\n if (result.summary.exploitedInWild > 0) {\n lines.push(` 🔴 ${result.summary.exploitedInWild} actively exploited — immediate action required`);\n }\n\n lines.push('');\n return lines.join('\\n');\n }\n}\n\nfunction severityOrder(s: Severity): number {\n const order: Record<Severity, number> = {\n CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, UNKNOWN: 4,\n };\n return order[s] ?? 5;\n}\n\nfunction severityBadge(s: Severity): string {\n const badges: Record<Severity, string> = {\n CRITICAL: '[CRIT]',\n HIGH: '[HIGH]',\n MEDIUM: '[MED] ',\n LOW: '[LOW] ',\n UNKNOWN: '[???] ',\n };\n return badges[s] ?? '[???] ';\n}\n"],"mappings":";AAAA,SAAS,kBAAkB;AAgCpB,SAAS,aAAa,OAA8C;AACzE,QAAM;AAAA,IACJ;AAAA,IACA,iBAAiB;AAAA,IACjB;AAAA,EACF,IAAI;AAEJ,QAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AAGzC,QAAM,eAAe,aAAa,IAAI,CAAC,SAAS;AAAA,IAC9C,GAAG;AAAA,IACH,QAAQ,IAAI,UAAU;AAAA,IACtB,MAAM,IAAI,QAAQ,UAAU,IAAI,MAAM,IAAI,SAAS,IAAI,SAAS;AAAA,EAClE,EAAE;AAEF,QAAM,WAAW,UAAU,aAAa,gBAAgB,KAAK;AAE7D,QAAM,OAAO;AAAA,IACX,SAAS;AAAA,IACT,WAAW;AAAA,IACX,aAAa;AAAA,IACb,cAAc,YAAY,WAAW,CAAC;AAAA,IACtC,SAAS;AAAA,IACT,UAAU;AAAA,MACR;AAAA,MACA,OAAO;AAAA,QACL,YAAY;AAAA,UACV;AAAA,YACE,MAAM;AAAA,YACN,MAAM;AAAA,YACN,SAAS;AAAA,YACT,aAAa;AAAA,YACb,UAAU,EAAE,MAAM,SAAS;AAAA,YAC3B,oBAAoB;AAAA,cAClB,EAAE,MAAM,WAAW,KAAK,qBAAqB;AAAA,YAC/C;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,MACA,UAAU,EAAE,MAAM,YAAY;AAAA,MAC9B,WAAW;AAAA,QACT,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS;AAAA,QACT,WAAW;AAAA,QACX,UAAU,EAAE,MAAM,YAAY;AAAA,MAChC;AAAA,IACF;AAAA,IACA,YAAY,aAAa,IAAI,CAAC,SAAS;AAAA,MACrC,MAAM;AAAA,MACN,MAAM,IAAI;AAAA,MACV,SAAS,IAAI;AAAA,MACb,MAAM,IAAI;AAAA,MACV,WAAW,IAAI;AAAA,MACf,OAAO,IAAI,SAAS,aAAa;AAAA,MACjC,UAAU,EAAE,MAAM,mBAAmB,IAAI,IAAI,EAAE;AAAA,IACjD,EAAE;AAAA,IACF,cAAc;AAAA,MACZ;AAAA,QACE,KAAK;AAAA,QACL,WAAW,aAAa,IAAI,CAAC,MAAM,EAAE,IAAI;AAAA,MAC3C;AAAA,IACF;AAAA,EACF;AAEA,QAAM,UAAU,KAAK,UAAU,MAAM,MAAM,CAAC;AAE5C,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,gBAAgB,aAAa;AAAA,IAC7B,aAAa;AAAA,IACb,aAAa;AAAA,EACf;AACF;AAIA,IAAM,gBAA2C;AAAA,EAC/C,KAAK;AAAA,EACL,OAAO;AAAA,EACP,OAAO;AAAA,EACP,OAAO;AAAA,EACP,KAAK;AAAA,EACL,IAAI;AAAA,EACJ,MAAM;AACR;AAUA,SAAS,UAAU,MAAc,SAAiB,WAA8B;AAC9E,QAAM,OAAO,cAAc,SAAS,KAAK;AAEzC,MAAI,cAAc,SAAS,KAAK,WAAW,GAAG,GAAG;AAC/C,WAAO,OAAO,IAAI,OAAO,KAAK,MAAM,CAAC,CAAC,IAAI,OAAO;AAAA,EACnD;AAEA,SAAO,OAAO,IAAI,IAAI,IAAI,IAAI,OAAO;AACvC;AAOA,SAAS,mBAAmB,aAA6B;AACvD,MAAI,YAAY,WAAW,GAAG,GAAG;AAC/B,WAAO,YAAY,MAAM,GAAG,EAAE,CAAC;AAAA,EACjC;AACA,SAAO;AACT;;;ACrJA,SAAS,iBAAiB;;;ACA1B,SAAS,gBAAgB;AACzB,SAAS,kBAAkB;AAC3B,OAAO,UAAU;;;ACDV,IAAM,cAAN,cAA0B,MAAM;AAAA,EACrC,YAAY,SAAiC,MAAc;AACzD,UAAM,OAAO;AAD8B;AAE3C,SAAK,OAAO;AAAA,EACd;AACF;AAGO,IAAM,kBAAN,cAA8B,YAAY;AAAA,EAC/C,YAAY,aAAqB;AAC/B;AAAA,MACE,kCAAkC,WAAW;AAAA,MAG7C;AAAA,IACF;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAGO,IAAM,qBAAN,cAAiC,YAAY;AAAA,EAClD,YAAY,cAAsB,QAAgB;AAChD,UAAM,mBAAmB,YAAY,KAAK,MAAM,IAAI,sBAAsB;AAC1E,SAAK,OAAO;AAAA,EACd;AACF;AAGO,IAAM,iBAAN,cAA6B,YAAY;AAAA,EAC9C,YAAY,QAAgB,QAAgB;AAC1C,UAAM,eAAe,MAAM,aAAa,MAAM,IAAI,kBAAkB;AACpE,SAAK,OAAO;AAAA,EACd;AACF;AAGO,IAAM,sBAAN,cAAkC,YAAY;AAAA,EACnD,YAAY,SAAiB;AAC3B;AAAA,MACE,yBAAyB,OAAO;AAAA,MAChC;AAAA,IACF;AACA,SAAK,OAAO;AAAA,EACd;AACF;;;ADhCO,IAAM,aAAN,MAA8C;AAAA,EAC1C,YAAuB;AAAA,EACvB,gBAAgB,CAAC,mBAAmB;AAAA,EAE7C,MAAM,OAAO,aAA6C;AACxD,UAAM,eAAe,KAAK,KAAK,aAAa,mBAAmB;AAC/D,WAAO,WAAW,YAAY,IAAI,eAAe;AAAA,EACnD;AAAA,EAEA,MAAM,KAAK,aAAqB,cAA2C;AACzE,UAAM,CAAC,aAAa,cAAc,IAAI,MAAM,QAAQ,IAAI;AAAA,MACtD,SAAS,cAAc,OAAO;AAAA,MAC9B,SAAS,KAAK,KAAK,aAAa,cAAc,GAAG,OAAO,EAAE,MAAM,MAAM,IAAI;AAAA,IAC5E,CAAC;AAED,QAAI;AACJ,QAAI;AACF,iBAAW,KAAK,MAAM,WAAW;AAAA,IACnC,QAAQ;AACN,YAAM,IAAI,mBAAmB,cAAc,cAAc;AAAA,IAC3D;AAGA,UAAM,cAAc,oBAAI,IAAY;AACpC,QAAI,gBAAgB;AAClB,UAAI;AACF,cAAM,MAAM,KAAK,MAAM,cAAc;AACrC,mBAAW,QAAQ,OAAO,KAAK,IAAI,gBAAgB,CAAC,CAAC,GAAG;AACtD,sBAAY,IAAI,IAAI;AAAA,QACtB;AACA,mBAAW,QAAQ,OAAO,KAAK,IAAI,mBAAmB,CAAC,CAAC,GAAG;AACzD,sBAAY,IAAI,IAAI;AAAA,QACtB;AAAA,MACF,QAAQ;AAAA,MAER;AAAA,IACF;AAEA,UAAM,eAAe,KAAK,cAAc,UAAU,WAAW;AAE7D,WAAO;AAAA,MACL;AAAA,MACA,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IACpC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,cAAc,UAAuB,aAAwC;AACnF,UAAM,OAAqB,CAAC;AAE5B,QAAI,SAAS,UAAU;AAErB,iBAAW,CAAC,SAAS,OAAO,KAAK,OAAO,QAAQ,SAAS,QAAQ,GAAG;AAElE,YAAI,YAAY,GAAI;AAKpB,cAAM,OAAO,KAAK,mBAAmB,OAAO;AAC5C,YAAI,CAAC,QAAQ,CAAC,QAAQ,QAAS;AAG/B,YAAI,QAAQ,KAAM;AAElB,aAAK,KAAK;AAAA,UACR;AAAA,UACA,SAAS,QAAQ;AAAA,UACjB,QAAQ,YAAY,IAAI,IAAI;AAAA,UAC5B,WAAW;AAAA,UACX,MAAM,KAAK,UAAU,MAAM,QAAQ,OAAO;AAAA,QAC5C,CAAC;AAAA,MACH;AAAA,IACF,WAAW,SAAS,cAAc;AAEhC,WAAK,oBAAoB,SAAS,cAAc,aAAa,IAAI;AAAA,IACnE;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWQ,UAAU,MAAc,SAAyB;AACvD,QAAI,KAAK,WAAW,GAAG,GAAG;AAExB,aAAO,cAAc,KAAK,MAAM,CAAC,CAAC,IAAI,OAAO;AAAA,IAC/C;AACA,WAAO,WAAW,IAAI,IAAI,OAAO;AAAA,EACnC;AAAA;AAAA,EAGQ,mBAAmB,SAAgC;AAIzD,UAAM,QAAQ,QAAQ,MAAM,eAAe;AAC3C,UAAM,OAAO,MAAM,MAAM,SAAS,CAAC;AACnC,WAAO,QAAQ;AAAA,EACjB;AAAA;AAAA,EAGQ,oBACN,SACA,aACA,QACM;AACN,eAAW,CAAC,MAAM,IAAI,KAAK,OAAO,QAAQ,OAAO,GAAG;AAClD,UAAI,KAAK,SAAS;AAChB,eAAO,KAAK;AAAA,UACV;AAAA,UACA,SAAS,KAAK;AAAA,UACd,QAAQ,YAAY,IAAI,IAAI;AAAA,UAC5B,WAAW;AAAA,UACX,MAAM,KAAK,UAAU,MAAM,KAAK,OAAO;AAAA,QACzC,CAAC;AAAA,MACH;AAEA,UAAI,KAAK,cAAc;AACrB,aAAK,oBAAoB,KAAK,cAAc,aAAa,MAAM;AAAA,MACjE;AAAA,IACF;AAAA,EACF;AACF;;;AEvJA,SAAS,YAAAA,iBAAgB;AACzB,SAAS,cAAAC,mBAAkB;AAC3B,OAAOC,WAAU;AA4BV,IAAM,eAAN,MAAgD;AAAA,EAC5C,YAAuB;AAAA,EACvB,gBAAgB,CAAC,oBAAoB;AAAA,EAE9C,MAAM,OAAO,aAA6C;AACxD,UAAM,eAAeC,MAAK,KAAK,aAAa,oBAAoB;AAChE,WAAOC,YAAW,YAAY,IAAI,eAAe;AAAA,EACnD;AAAA,EAEA,MAAM,KAAK,aAAqB,cAA2C;AACzE,UAAM,cAAc,MAAMC,UAAS,cAAc,OAAO;AAExD,QAAI;AACJ,QAAI;AACF,iBAAW,KAAK,MAAM,WAAW;AAAA,IACnC,QAAQ;AACN,YAAM,IAAI,mBAAmB,cAAc,cAAc;AAAA,IAC3D;AAEA,QAAI,CAAC,SAAS,cAAc;AAC1B,YAAM,IAAI,mBAAmB,cAAc,8BAA8B;AAAA,IAC3E;AAEA,UAAM,eAAe,KAAK,cAAc,QAAQ;AAEhD,WAAO;AAAA,MACL;AAAA,MACA,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IACpC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,cAAc,UAAuC;AAC3D,UAAM,SAAS,oBAAI,IAAwB;AAE3C,eAAW,CAAC,YAAY,QAAQ,KAAK,OAAO,QAAQ,SAAS,YAAY,GAAG;AAC1E,iBAAW,CAAC,MAAM,IAAI,KAAK,OAAO,QAAQ,QAAQ,GAAG;AACnD,YAAI,CAAC,KAAK,SAAU;AAGpB,cAAM,WAAW,KAAK,SAAS;AAE/B,cAAM,WAAW,OAAO,IAAI,IAAI;AAChC,YAAI,CAAC,UAAU;AACb,iBAAO,IAAI,MAAM;AAAA,YACf;AAAA,YACA,SAAS,KAAK;AAAA,YACd,QAAQ;AAAA,YACR,WAAW;AAAA,YACX,MAAM,KAAK,UAAU,MAAM,KAAK,QAAQ;AAAA,UAC1C,CAAC;AAAA,QACH,WAES,YAAY,CAAC,SAAS,QAAQ;AACrC,mBAAS,SAAS;AAAA,QACpB;AAAA,MACF;AAAA,IACF;AAEA,WAAO,MAAM,KAAK,OAAO,OAAO,CAAC;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,UAAU,MAAc,SAAyB;AACvD,WAAO,aAAa,IAAI,IAAI,OAAO;AAAA,EACrC;AACF;;;AC1GA,SAAS,YAAAC,iBAAgB;AACzB,SAAS,cAAAC,mBAAkB;AAC3B,OAAOC,WAAU;AA4BV,IAAM,eAAN,MAAgD;AAAA,EAC5C,YAAuB;AAAA,EACvB,gBAAgB,CAAC,YAAY;AAAA,EAEtC,MAAM,OAAO,aAA6C;AACxD,UAAM,eAAeC,MAAK,KAAK,aAAa,YAAY;AACxD,WAAOC,YAAW,YAAY,IAAI,eAAe;AAAA,EACnD;AAAA,EAEA,MAAM,KAAK,aAAqB,cAA2C;AACzE,UAAM,CAAC,aAAa,YAAY,IAAI,MAAM,QAAQ,IAAI;AAAA,MACpDC,UAAS,cAAc,OAAO;AAAA,MAC9BA,UAASF,MAAK,KAAK,aAAa,YAAY,GAAG,OAAO,EAAE,MAAM,MAAM,IAAI;AAAA,IAC1E,CAAC;AAED,UAAM,WAAW,KAAK,cAAc,aAAa,YAAY;AAC7D,UAAM,cAAc,eAAe,KAAK,eAAe,YAAY,IAAI,oBAAI,IAAY;AAGvF,UAAM,WAAW,SAAS,SAAS,IAAI,SAAS,CAAC,EAAE,OAAO;AAE1D,UAAM,eAA6B,CAAC;AACpC,eAAW,OAAO,UAAU;AAE1B,UAAI,IAAI,SAAS,YAAY,IAAI,WAAW,OAAW;AAEvD,mBAAa,KAAK;AAAA,QAChB,MAAM,IAAI;AAAA,QACV,SAAS,IAAI;AAAA,QACb,QAAQ,YAAY,IAAI,IAAI,IAAI;AAAA,QAChC,WAAW;AAAA,QACX,MAAM,KAAK,UAAU,IAAI,MAAM,IAAI,OAAO;AAAA,MAC5C,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL;AAAA,MACA,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IACpC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,cAAc,SAAiB,cAAsC;AAC3E,UAAM,WAA2B,CAAC;AAClC,UAAM,SAAS,QAAQ,MAAM,oBAAoB;AAEjD,eAAW,SAAS,QAAQ;AAC1B,UAAI,CAAC,MAAM,KAAK,EAAG;AAEnB,YAAM,OAAO,KAAK,aAAa,OAAO,MAAM;AAC5C,YAAM,UAAU,KAAK,aAAa,OAAO,SAAS;AAClD,YAAM,SAAS,KAAK,aAAa,OAAO,QAAQ;AAEhD,UAAI,QAAQ,SAAS;AACnB,iBAAS,KAAK,EAAE,MAAM,SAAS,QAAQ,UAAU,OAAU,CAAC;AAAA,MAC9D;AAAA,IACF;AAEA,QAAI,SAAS,WAAW,KAAK,QAAQ,SAAS,aAAa,GAAG;AAC5D,YAAM,IAAI,mBAAmB,cAAc,8CAA8C;AAAA,IAC3F;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,aAAa,OAAe,WAAkC;AACpE,UAAM,QAAQ,IAAI,OAAO,IAAI,SAAS,sBAAsB,GAAG;AAC/D,UAAM,QAAQ,MAAM,MAAM,KAAK;AAC/B,WAAO,QAAQ,MAAM,CAAC,IAAI;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,eAAe,SAA8B;AACnD,UAAM,cAAc,oBAAI,IAAY;AACpC,QAAI,gBAAgB;AAEpB,eAAW,WAAW,QAAQ,MAAM,IAAI,GAAG;AACzC,YAAM,OAAO,QAAQ,KAAK;AAG1B,UAAI,KAAK,WAAW,GAAG,GAAG;AACxB,wBACE,SAAS,oBACT,SAAS,wBACT,SAAS;AACX;AAAA,MACF;AAEA,UAAI,iBAAiB,QAAQ,CAAC,KAAK,WAAW,GAAG,GAAG;AAElD,cAAM,QAAQ,KAAK,MAAM,uBAAuB;AAChD,YAAI,OAAO;AACT,sBAAY,IAAI,MAAM,CAAC,CAAC;AAAA,QAC1B;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,UAAU,MAAc,SAAyB;AACvD,WAAO,aAAa,IAAI,IAAI,OAAO;AAAA,EACrC;AACF;;;ACtJA,SAAS,YAAAG,iBAAgB;AACzB,SAAS,cAAAC,mBAAkB;AAC3B,OAAOC,WAAU;AAqBV,IAAM,aAAN,MAA8C;AAAA,EAC1C,YAAuB;AAAA,EACvB,gBAAgB,CAAC,oBAAoB,cAAc;AAAA,EAE5D,MAAM,OAAO,aAA6C;AAExD,eAAW,YAAY,KAAK,eAAe;AACzC,YAAM,WAAWC,MAAK,KAAK,aAAa,QAAQ;AAChD,UAAIC,YAAW,QAAQ,EAAG,QAAO;AAAA,IACnC;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,KAAK,aAAqB,cAA2C;AACzE,UAAM,MAAM,MAAMC,UAAS,cAAc,OAAO;AAChD,UAAM,WAAWF,MAAK,SAAS,YAAY;AAE3C,QAAI;AAEJ,QAAI,aAAa,gBAAgB;AAC/B,qBAAe,KAAK,iBAAiB,KAAK,YAAY;AAAA,IACxD,OAAO;AACL,qBAAe,KAAK,qBAAqB,KAAK,YAAY;AAAA,IAC5D;AAEA,WAAO;AAAA,MACL;AAAA,MACA,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IACpC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaQ,qBAAqB,SAAiB,cAAoC;AAChF,UAAM,OAAqB,CAAC;AAE5B,eAAW,WAAW,QAAQ,MAAM,IAAI,GAAG;AACzC,YAAM,OAAO,QAAQ,KAAK;AAG1B,UAAI,CAAC,QAAQ,KAAK,WAAW,GAAG,KAAK,KAAK,WAAW,GAAG,KAAK,KAAK,WAAW,IAAI,GAAG;AAClF;AAAA,MACF;AAGA,YAAM,QAAQ,KAAK,MAAM,wDAAwD;AACjF,UAAI,OAAO;AACT,cAAM,CAAC,EAAE,MAAM,WAAW,IAAI;AAE9B,cAAM,UAAU,KAAK,eAAe,WAAW;AAC/C,YAAI,QAAQ,SAAS;AACnB,eAAK,KAAK;AAAA,YACR,MAAM,KAAK,iBAAiB,IAAI;AAAA,YAChC;AAAA,YACA,QAAQ;AAAA;AAAA,YACR,WAAW;AAAA,YACX,MAAM,KAAK,UAAU,MAAM,OAAO;AAAA,UACpC,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBQ,iBAAiB,SAAiB,cAAoC;AAC5E,QAAI;AACJ,QAAI;AACF,iBAAW,KAAK,MAAM,OAAO;AAAA,IAC/B,QAAQ;AACN,YAAM,IAAI,mBAAmB,cAAc,8BAA8B;AAAA,IAC3E;AAEA,UAAM,OAAqB,CAAC;AAG5B,QAAI,SAAS,SAAS;AACpB,iBAAW,CAAC,MAAM,IAAI,KAAK,OAAO,QAAQ,SAAS,OAAO,GAAG;AAC3D,cAAM,UAAU,KAAK,SAAS,QAAQ,OAAO,EAAE,KAAK;AACpD,YAAI,SAAS;AACX,eAAK,KAAK;AAAA,YACR,MAAM,KAAK,iBAAiB,IAAI;AAAA,YAChC;AAAA,YACA,QAAQ;AAAA,YACR,WAAW;AAAA,YACX,MAAM,KAAK,UAAU,MAAM,OAAO;AAAA,UACpC,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAGA,QAAI,SAAS,SAAS;AACpB,iBAAW,CAAC,MAAM,IAAI,KAAK,OAAO,QAAQ,SAAS,OAAO,GAAG;AAC3D,cAAM,UAAU,KAAK,SAAS,QAAQ,OAAO,EAAE,KAAK;AACpD,YAAI,SAAS;AACX,eAAK,KAAK;AAAA,YACR,MAAM,KAAK,iBAAiB,IAAI;AAAA,YAChC;AAAA,YACA,QAAQ;AAAA,YACR,WAAW;AAAA,YACX,MAAM,KAAK,UAAU,MAAM,OAAO;AAAA,UACpC,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,eAAe,MAAsB;AAC3C,UAAM,UAAU,KAAK,MAAM,GAAG,EAAE,CAAC,EAAE,KAAK;AACxC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,iBAAiB,MAAsB;AAC7C,WAAO,KAAK,YAAY,EAAE,QAAQ,WAAW,GAAG;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,UAAU,MAAc,SAAyB;AACvD,WAAO,YAAY,KAAK,iBAAiB,IAAI,CAAC,IAAI,OAAO;AAAA,EAC3D;AACF;;;AC1LA,SAAS,YAAAG,iBAAgB;AACzB,SAAS,cAAAC,mBAAkB;AAC3B,SAAS,gBAAgB;AACzB,OAAOC,WAAU;AA8BV,IAAM,eAAN,MAAgD;AAAA,EAC5C,YAAuB;AAAA,EACvB,gBAAgB,CAAC,SAAS;AAAA;AAAA,EAG3B;AAAA,EAER,YAAY,cAAgC;AAC1C,SAAK,aAAa,gBAAgB;AAAA,EACpC;AAAA,EAEA,MAAM,OAAO,aAA6C;AACxD,UAAM,UAAUC,MAAK,KAAK,aAAa,SAAS;AAChD,WAAOC,YAAW,OAAO,IAAI,UAAU;AAAA,EACzC;AAAA,EAEA,MAAM,KAAK,aAAqB,eAA4C;AAE1E,UAAM,cAAcD,MAAK,KAAK,aAAa,qBAAqB;AAChE,QAAIC,YAAW,WAAW,GAAG;AAC3B,YAAM,UAAU,MAAMC,UAAS,aAAa,OAAO;AACnD,YAAM,eAAe,KAAK,oBAAoB,SAAS,WAAW;AAClE,aAAO,KAAK,YAAY,aAAa,aAAa,YAAY;AAAA,IAChE;AAGA,QAAI,KAAK,iBAAiB,GAAG;AAC3B,YAAM,SAAS,KAAK,uBAAuB,WAAW;AACtD,YAAM,eAAe,KAAK,oBAAoB,QAAQ,qBAAqB;AAC3E,aAAO,KAAK,YAAY,aAAaF,MAAK,KAAK,aAAa,SAAS,GAAG,YAAY;AAAA,IACtF;AAEA,UAAM,IAAI;AAAA,MACRA,MAAK,KAAK,aAAa,SAAS;AAAA,MAChC;AAAA,IAGF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWQ,oBAAoB,SAAiB,QAA8B;AACzE,UAAM,OAAqB,CAAC;AAC5B,UAAM,aAAa;AAEnB,eAAW,WAAW,QAAQ,MAAM,IAAI,GAAG;AACzC,YAAM,OAAO,QAAQ,KAAK;AAC1B,UAAI,CAAC,KAAM;AAEX,YAAM,QAAQ,KAAK,MAAM,UAAU;AACnC,UAAI,OAAO;AACT,cAAM,UAAU,MAAM,CAAC;AACvB,cAAM,aAAa,MAAM,CAAC;AAG1B,cAAM,UAAU,MAAM,CAAC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAK,MAAM,CAAC,KAAK,MAAM,CAAC;AACtE,cAAM,QAAQ,MAAM,CAAC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAK,MAAM,CAAC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,MAAM,CAAC;AAG1F,cAAM,QAAQ,KAAK,MAAM,GAAG;AAC5B,YAAI,MAAM,UAAU,GAAG;AACrB,gBAAM,MAAM,MAAM,CAAC,EAAE,KAAK;AAC1B,gBAAM,MAAM,MAAM,CAAC;AACnB,gBAAM,MAAM,MAAM,WAAW,IAAI,MAAM,CAAC,IAAI,MAAM,CAAC;AACnD,gBAAM,MAAM,MAAM,WAAW,IAAI,MAAM,CAAC,IAAI,MAAM,CAAC;AAEnD,cAAI,OAAO,OAAO,KAAK;AACrB,kBAAM,OAAO,GAAG,GAAG,IAAI,GAAG;AAC1B,iBAAK,KAAK;AAAA,cACR;AAAA,cACA,SAAS;AAAA,cACT,QAAQ,QAAQ,aAAa,QAAQ,aAAa,QAAQ;AAAA,cAC1D,WAAW;AAAA,cACX,MAAM,KAAK,UAAU,KAAK,KAAK,GAAG;AAAA,YACpC,CAAC;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,mBAA4B;AAClC,QAAI;AACF,WAAK,WAAW,iBAAiB,EAAE,OAAO,QAAQ,SAAS,IAAO,CAAC;AACnE,aAAO;AAAA,IACT,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,uBAAuB,aAA6B;AAC1D,QAAI;AACF,YAAM,SAAS,KAAK;AAAA,QAClB;AAAA,QACA;AAAA,UACE,KAAK;AAAA,UACL,OAAO;AAAA,UACP,SAAS;AAAA;AAAA,UACT,UAAU;AAAA,QACZ;AAAA,MACF;AACA,aAAO,OAAO,SAAS;AAAA,IACzB,SAAS,KAAc;AACrB,YAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC/D,YAAM,IAAI;AAAA,QACRA,MAAK,KAAK,aAAa,SAAS;AAAA,QAChC,wCAAwC,OAAO;AAAA,MACjD;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,UAAU,SAAiB,YAAoB,SAAyB;AAC9E,WAAO,aAAa,OAAO,IAAI,UAAU,IAAI,OAAO;AAAA,EACtD;AAAA,EAEQ,YACN,aACA,cACA,cACY;AACZ,WAAO;AAAA,MACL;AAAA,MACA,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IACpC;AAAA,EACF;AACF;;;ACnLA,SAAS,YAAAG,iBAAgB;AACzB,SAAS,cAAAC,mBAAkB;AAC3B,OAAOC,WAAU;AA+BV,IAAM,YAAN,MAA6C;AAAA,EACzC,YAAuB;AAAA,EACvB,gBAAgB,CAAC,QAAQ;AAAA,EAElC,MAAM,OAAO,aAA6C;AACxD,UAAM,YAAYA,MAAK,KAAK,aAAa,QAAQ;AACjD,WAAOD,YAAW,SAAS,IAAI,YAAY;AAAA,EAC7C;AAAA,EAEA,MAAM,KAAK,aAAqB,cAA2C;AACzE,UAAM,CAAC,UAAU,QAAQ,IAAI,MAAM,QAAQ,IAAI;AAAA,MAC7CD,UAAS,cAAc,OAAO;AAAA,MAC9BA,UAASE,MAAK,KAAK,aAAa,QAAQ,GAAG,OAAO,EAAE,MAAM,MAAM,IAAI;AAAA,IACtE,CAAC;AAED,UAAM,EAAE,aAAa,cAAc,IAAI,WACnC,KAAK,WAAW,QAAQ,IACxB,EAAE,aAAa,oBAAI,IAAY,GAAG,eAAe,oBAAI,IAAY,EAAE;AAEvE,UAAM,eAAe,KAAK,WAAW,UAAU,cAAc,aAAa,aAAa;AAEvF,WAAO;AAAA,MACL;AAAA,MACA,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IACpC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASQ,WACN,SACA,cACA,aACA,eACc;AACd,UAAM,SAAS,oBAAI,IAAwB;AAE3C,eAAW,WAAW,QAAQ,MAAM,IAAI,GAAG;AACzC,YAAM,OAAO,QAAQ,KAAK;AAC1B,UAAI,CAAC,KAAM;AAGX,YAAM,QAAQ,KAAK,MAAM,KAAK;AAC9B,UAAI,MAAM,SAAS,EAAG;AAEtB,YAAM,aAAa,MAAM,CAAC;AAC1B,UAAI,UAAU,MAAM,CAAC;AAGrB,UAAI,QAAQ,SAAS,SAAS,EAAG;AAGjC,gBAAU,QAAQ,QAAQ,mBAAmB,EAAE;AAE/C,YAAM,MAAM,GAAG,UAAU,IAAI,OAAO;AACpC,UAAI,OAAO,IAAI,GAAG,EAAG;AAKrB,YAAM,WAAW,YAAY,OAAO,KAAK,cAAc,OAAO,IAC1D,YAAY,IAAI,UAAU,MAAM,CAAC,cAAc,IAAI,UAAU,KAAK,CAAC,YAAY,IAAI,UAAU,IAAI,QAAQ,YAAY,IAAI,UAAU,KACnI;AAEJ,aAAO,IAAI,KAAK;AAAA,QACd,MAAM;AAAA,QACN;AAAA,QACA,QAAQ;AAAA,QACR,WAAW;AAAA,QACX,MAAM,KAAK,UAAU,YAAY,OAAO;AAAA,MAC1C,CAAC;AAAA,IACH;AAEA,WAAO,MAAM,KAAK,OAAO,OAAO,CAAC;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeQ,WAAW,SAA2E;AAC5F,UAAM,cAAc,oBAAI,IAAY;AACpC,UAAM,gBAAgB,oBAAI,IAAY;AAEtC,QAAI,iBAAiB;AAErB,eAAW,WAAW,QAAQ,MAAM,IAAI,GAAG;AACzC,YAAM,OAAO,QAAQ,KAAK;AAG1B,UAAI,KAAK,WAAW,UAAU,KAAK,CAAC,KAAK,SAAS,GAAG,GAAG;AACtD,cAAM,QAAQ,KAAK,MAAM,6BAA6B;AACtD,YAAI,OAAO;AACT,gBAAM,aAAa,MAAM,CAAC;AAC1B,gBAAM,OAAO,MAAM,CAAC;AACpB,cAAI,KAAK,SAAS,aAAa,GAAG;AAChC,0BAAc,IAAI,UAAU;AAAA,UAC9B,OAAO;AACL,wBAAY,IAAI,UAAU;AAAA,UAC5B;AAAA,QACF;AACA;AAAA,MACF;AAGA,UAAI,SAAS,eAAe,KAAK,WAAW,WAAW,GAAG;AACxD,yBAAiB;AACjB;AAAA,MACF;AAGA,UAAI,kBAAkB,SAAS,KAAK;AAClC,yBAAiB;AACjB;AAAA,MACF;AAGA,UAAI,kBAAkB,QAAQ,CAAC,KAAK,WAAW,IAAI,GAAG;AACpD,cAAM,QAAQ,KAAK,MAAM,mBAAmB;AAC5C,YAAI,OAAO;AACT,gBAAM,aAAa,MAAM,CAAC;AAC1B,gBAAM,OAAO,MAAM,CAAC;AACpB,cAAI,KAAK,SAAS,aAAa,GAAG;AAChC,0BAAc,IAAI,UAAU;AAAA,UAC9B,OAAO;AACL,wBAAY,IAAI,UAAU;AAAA,UAC5B;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,WAAO,EAAE,aAAa,cAAc;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUQ,UAAU,YAAoB,SAAyB;AAC7D,WAAO,cAAc,UAAU,IAAI,OAAO;AAAA,EAC5C;AACF;;;ACnMA,SAAS,YAAAC,iBAAgB;AACzB,SAAS,cAAAC,mBAAkB;AAC3B,OAAOC,WAAU;AAoCV,IAAM,cAAN,MAA+C;AAAA,EAC3C,YAAuB;AAAA,EACvB,gBAAgB,CAAC,cAAc;AAAA,EAExC,MAAM,OAAO,aAA6C;AACxD,UAAM,eAAeC,MAAK,KAAK,aAAa,cAAc;AAC1D,WAAOC,YAAW,YAAY,IAAI,eAAe;AAAA,EACnD;AAAA,EAEA,MAAM,KAAK,aAAqB,cAA2C;AACzE,UAAM,UAAU,MAAMC,UAAS,cAAc,OAAO;AAEpD,UAAM,QAAQ,KAAK,WAAW,SAAS,YAAY;AACnD,UAAM,cAAc,KAAK,kBAAkB,OAAO;AAElD,UAAM,eAA6B,MAAM,IAAI,CAAC,EAAE,MAAM,QAAQ,OAAO;AAAA,MACnE;AAAA,MACA;AAAA,MACA,QAAQ,YAAY,IAAI,IAAI;AAAA,MAC5B,WAAW;AAAA,MACX,MAAM,WAAW,IAAI,IAAI,OAAO;AAAA,IAClC,EAAE;AAEF,WAAO;AAAA,MACL;AAAA,MACA,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IACpC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYQ,WACN,SACA,cAC0C;AAC1C,UAAM,OAAiD,CAAC;AAExD,QAAI,eAAe;AACnB,QAAI,UAAU;AAEd,eAAW,WAAW,QAAQ,MAAM,IAAI,GAAG;AACzC,YAAM,OAAO;AAGb,UAAI,KAAK,SAAS,KAAK,KAAK,CAAC,MAAM,KAAK;AACtC,YAAI,KAAK,WAAW,KAAK,GAAG;AAC1B,yBAAe;AACf,oBAAU;AACV;AAAA,QACF;AAEA,uBAAe;AACf,kBAAU;AACV;AAAA,MACF;AAEA,UAAI,gBAAgB,KAAK,UAAU,EAAE,WAAW,QAAQ,GAAG;AACzD,kBAAU;AACV;AAAA,MACF;AAEA,UAAI,CAAC,QAAS;AAKd,YAAM,QAAQ,KAAK,MAAM,2BAA2B;AACpD,UAAI,OAAO;AACT,cAAM,CAAC,EAAE,MAAM,OAAO,IAAI;AAC1B,aAAK,KAAK,EAAE,MAAM,QAAQ,CAAC;AAAA,MAC7B;AAAA,IACF;AAEA,QAAI,KAAK,WAAW,GAAG;AACrB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,kBAAkB,SAA8B;AACtD,UAAM,cAAc,oBAAI,IAAY;AACpC,QAAI,iBAAiB;AAErB,eAAW,WAAW,QAAQ,MAAM,IAAI,GAAG;AACzC,YAAM,OAAO;AAGb,UAAI,KAAK,SAAS,KAAK,KAAK,CAAC,MAAM,KAAK;AACtC,YAAI,KAAK,WAAW,cAAc,GAAG;AACnC,2BAAiB;AACjB;AAAA,QACF;AACA,YAAI,eAAgB;AACpB;AAAA,MACF;AAEA,UAAI,CAAC,eAAgB;AAIrB,YAAM,QAAQ,KAAK,MAAM,0BAA0B;AACnD,UAAI,OAAO;AACT,oBAAY,IAAI,MAAM,CAAC,CAAC;AAAA,MAC1B;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;;;ACxJO,IAAM,kBAAN,MAAsB;AAAA,EACnB;AAAA,EAER,cAAc;AACZ,SAAK,WAAW;AAAA,MACd,IAAI,WAAW;AAAA,MACf,IAAI,aAAa;AAAA,MACjB,IAAI,aAAa;AAAA,MACjB,IAAI,WAAW;AAAA,MACf,IAAI,aAAa;AAAA,MACjB,IAAI,UAAU;AAAA,MACd,IAAI,YAAY;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,cAAc,aAA0C;AAC5D,eAAW,WAAW,KAAK,UAAU;AACnC,YAAM,eAAe,MAAM,QAAQ,OAAO,WAAW;AACrD,UAAI,cAAc;AAChB,eAAO,QAAQ,KAAK,aAAa,YAAY;AAAA,MAC/C;AAAA,IACF;AACA,UAAM,IAAI,gBAAgB,WAAW;AAAA,EACvC;AAAA;AAAA,EAGA,WAAW,WAAkD;AAC3D,WAAO,KAAK,SAAS,KAAK,CAAC,MAAM,EAAE,cAAc,SAAS;AAAA,EAC5D;AAAA;AAAA,EAGA,iBAA2B;AACzB,WAAO,KAAK,SAAS,IAAI,CAAC,MAAM,EAAE,SAAS;AAAA,EAC7C;AACF;;;ACrDA,SAAS,cAAAC,mBAAkB;AAgBpB,IAAM,qBAAN,MAAkD;AAAA,EAC9C,SAAqB;AAAA,EAE9B,SAAS,YAAwB,cAAsB,SAAe;AACpE,UAAM,MAAM,KAAK,SAAS,YAAY,WAAW;AACjD,UAAM,UAAU,KAAK,UAAU,KAAK,MAAM,CAAC;AAE3C,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,aAAa;AAAA,MACb;AAAA,MACA,gBAAgB,WAAW,aAAa;AAAA,MACxC,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,IACtC;AAAA,EACF;AAAA,EAEQ,SAAS,YAAwB,aAAmC;AAC1E,UAAM,cAAc,KAAK,mBAAmB,WAAW,WAAW;AAElE,WAAO;AAAA,MACL,SAAS;AAAA,MACT,WAAW;AAAA,MACX,aAAa;AAAA,MACb,cAAc,YAAYA,YAAW,CAAC;AAAA,MACtC,SAAS;AAAA,MACT,UAAU;AAAA,QACR,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,QAClC,OAAO;AAAA,UACL,YAAY;AAAA,YACV;AAAA,cACE,MAAM;AAAA,cACN,MAAM;AAAA,cACN,SAAS;AAAA,cACT,aAAa;AAAA,cACb,UAAU,EAAE,MAAM,SAAS;AAAA,cAC3B,oBAAoB;AAAA,gBAClB;AAAA,kBACE,MAAM;AAAA,kBACN,KAAK;AAAA,gBACP;AAAA,cACF;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAAA;AAAA,QAEA,UAAU;AAAA,UACR,MAAM;AAAA,QACR;AAAA,QACA,WAAW;AAAA,UACT,MAAM;AAAA,UACN,MAAM;AAAA,UACN,WAAW;AAAA,UACX,UAAU,EAAE,MAAM,YAAY;AAAA,QAChC;AAAA,MACF;AAAA,MACA,YAAY,WAAW,aAAa,IAAI,CAAC,QAAQ,KAAK,YAAY,GAAG,CAAC;AAAA,MACtE,cAAc,KAAK,qBAAqB,UAAU;AAAA,IACpD;AAAA,EACF;AAAA;AAAA,EAGQ,YAAY,KAAqC;AACvD,WAAO;AAAA,MACL,MAAM;AAAA,MACN,MAAM,IAAI;AAAA,MACV,SAAS,IAAI;AAAA,MACb,MAAM,IAAI;AAAA,MACV,WAAW,IAAI;AAAA,MACf,OAAO,IAAI,SAAS,aAAa;AAAA;AAAA,MAEjC,UAAU;AAAA,QACR,MAAM,KAAK,mBAAmB,IAAI,IAAI;AAAA,MACxC;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWQ,mBAAmB,aAA6B;AACtD,QAAI,YAAY,WAAW,GAAG,GAAG;AAE/B,YAAM,QAAQ,YAAY,MAAM,GAAG,EAAE,CAAC;AACtC,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaQ,qBAAqB,YAAoD;AAC/E,UAAM,cAAc,WAAW,aAAa,IAAI,CAAC,MAAM,EAAE,IAAI;AAE7D,WAAO;AAAA,MACL;AAAA,QACE,KAAK;AAAA,QACL,WAAW;AAAA,MACb;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGQ,mBAAmB,aAA6B;AACtD,UAAM,QAAQ,YAAY,QAAQ,OAAO,GAAG,EAAE,MAAM,GAAG;AACvD,WAAO,MAAM,MAAM,SAAS,CAAC,KAAK;AAAA,EACpC;AACF;;;ACtIA,IAAM,eAAe;AACrB,IAAM,aAAa;AAcZ,IAAM,YAAN,MAAqC;AAAA,EACjC,WAAgC;AAAA,EAChC,OAAO;AAAA,EAER;AAAA,EAER,YAAY,WAA0B;AAEpC,SAAK,UAAU,aAAa,WAAW;AAAA,EACzC;AAAA,EAEA,MAAM,kBAAkB,cAAsD;AAC5E,QAAI,aAAa,WAAW,EAAG,QAAO,CAAC;AAEvC,UAAM,WAA4B,CAAC;AAGnC,aAAS,IAAI,GAAG,IAAI,aAAa,QAAQ,KAAK,YAAY;AACxD,YAAM,QAAQ,aAAa,MAAM,GAAG,IAAI,UAAU;AAClD,YAAM,aAAa,MAAM,KAAK,WAAW,KAAK;AAC9C,eAAS,KAAK,GAAG,UAAU;AAAA,IAC7B;AAEA,WAAO;AAAA,EACT;AAAA;AAAA,EAGA,MAAc,WAAW,cAAsD;AAC7E,UAAM,UAAU,aAAa,IAAI,CAAC,SAAS;AAAA,MACzC,SAAS,IAAI;AAAA,MACb,SAAS;AAAA,QACP,MAAM,IAAI;AAAA,QACV,WAAW,KAAK,aAAa,IAAI,SAAS;AAAA,MAC5C;AAAA,IACF,EAAE;AAEF,UAAM,WAAW,MAAM,KAAK,QAAQ,GAAG,YAAY,eAAe;AAAA,MAChE,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,EAAE,QAAQ,CAAC;AAAA,IAClC,CAAC;AAED,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,IAAI,MAAM,kBAAkB,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,IAC5E;AAEA,UAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,UAAM,kBAAmC,CAAC;AAG1C,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,QAAQ,KAAK;AAC5C,YAAM,SAAS,KAAK,QAAQ,CAAC;AAC7B,YAAM,MAAM,aAAa,CAAC;AAE1B,UAAI,OAAO,SAAS,OAAO,MAAM,SAAS,GAAG;AAC3C,mBAAW,QAAQ,OAAO,OAAO;AAC/B,0BAAgB,KAAK,KAAK,iBAAiB,MAAM,GAAG,CAAC;AAAA,QACvD;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,iBAAiB,SAA2B,KAAgC;AAClF,UAAM,QAAQ,KAAK,aAAa,OAAO;AACvC,UAAM,WAAW,KAAK,gBAAgB,OAAO;AAE7C,WAAO;AAAA,MACL,IAAI,SAAS,QAAQ;AAAA,MACrB,SAAS,MAAM,KAAK,oBAAI,IAAI,CAAC,QAAQ,IAAI,GAAI,QAAQ,WAAW,CAAC,CAAE,CAAC,CAAC;AAAA,MACrE,SAAS,QAAQ,WAAW,QAAQ,SAAS,MAAM,GAAG,GAAG,KAAK;AAAA,MAC9D,UAAU,SAAS;AAAA,MACnB,WAAW,SAAS;AAAA,MACpB,aAAa,IAAI;AAAA,MACjB,WAAW,IAAI;AAAA,MACf,sBAAsB,KAAK,qBAAqB,SAAS,IAAI,IAAI;AAAA,MACjE,cAAc,KAAK,oBAAoB,SAAS,IAAI,IAAI;AAAA,MACxD,iBAAiB;AAAA;AAAA,MACjB,QAAQ;AAAA,MACR,cAAc,iCAAiC,QAAQ,EAAE;AAAA,MACzD,aAAa,QAAQ;AAAA,IACvB;AAAA,EACF;AAAA;AAAA,EAGQ,aAAa,MAAuC;AAE1D,QAAI,KAAK,GAAG,WAAW,MAAM,EAAG,QAAO,KAAK;AAG5C,QAAI,KAAK,SAAS;AAChB,YAAM,MAAM,KAAK,QAAQ,KAAK,CAAC,MAAM,EAAE,WAAW,MAAM,CAAC;AACzD,UAAI,IAAK,QAAO;AAAA,IAClB;AAEA,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,gBAAgB,MAA6D;AAEnF,QAAI,KAAK,YAAY,KAAK,SAAS,SAAS,GAAG;AAC7C,iBAAW,OAAO,KAAK,UAAU;AAC/B,YAAI,IAAI,SAAS,WAAW;AAC1B,gBAAM,QAAQ,KAAK,eAAe,IAAI,KAAK;AAC3C,cAAI,UAAU,MAAM;AAClB,mBAAO,EAAE,OAAO,KAAK,gBAAgB,KAAK,GAAG,MAAM;AAAA,UACrD;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,KAAK,mBAAmB,UAAU;AACpC,YAAM,IAAI,KAAK,kBAAkB,SAAS,YAAY;AACtD,UAAI,CAAC,YAAY,QAAQ,UAAU,KAAK,EAAE,SAAS,CAAC,GAAG;AACrD,eAAO,EAAE,OAAO,EAAc;AAAA,MAChC;AAAA,IACF;AAEA,WAAO,EAAE,OAAO,UAAU;AAAA,EAC5B;AAAA;AAAA,EAGQ,eAAe,eAAsC;AAE3D,UAAM,MAAM,WAAW,aAAa;AACpC,QAAI,CAAC,MAAM,GAAG,KAAK,OAAO,KAAK,OAAO,GAAI,QAAO;AAIjD,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,gBAAgB,OAAyB;AAC/C,QAAI,SAAS,EAAK,QAAO;AACzB,QAAI,SAAS,EAAK,QAAO;AACzB,QAAI,SAAS,EAAK,QAAO;AACzB,QAAI,QAAQ,EAAK,QAAO;AACxB,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,qBAAqB,MAAwB,aAAyC;AAC5F,QAAI,CAAC,KAAK,SAAU,QAAO;AAE3B,eAAW,YAAY,KAAK,UAAU;AACpC,UAAI,SAAS,SAAS,SAAS,eAAe,SAAS,QAAQ;AAC7D,mBAAW,SAAS,SAAS,QAAQ;AACnC,cAAI,MAAM,QAAQ;AAChB,kBAAM,aAAa,MAAM,OAAO,KAAK,CAAC,MAAM,EAAE,UAAU,GAAG;AAC3D,kBAAM,QAAQ,MAAM,OAAO,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG;AACjD,gBAAI,cAAc,MAAO,QAAO,KAAK,UAAU,MAAM,KAAK;AAC1D,gBAAI,WAAY,QAAO,KAAK,UAAU;AAAA,UACxC;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,oBAAoB,MAAwB,aAAyC;AAC3F,QAAI,CAAC,KAAK,SAAU,QAAO;AAE3B,eAAW,YAAY,KAAK,UAAU;AACpC,UAAI,SAAS,SAAS,SAAS,eAAe,SAAS,QAAQ;AAC7D,mBAAW,SAAS,SAAS,QAAQ;AACnC,cAAI,MAAM,QAAQ;AAChB,kBAAM,QAAQ,MAAM,OAAO,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG;AACjD,gBAAI,MAAO,QAAO;AAAA,UACpB;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,aAAa,WAA2B;AAC9C,UAAM,MAA8B;AAAA,MAClC,KAAK;AAAA,MACL,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,KAAK;AAAA,MACL,IAAI;AAAA,MACJ,MAAM;AAAA,IACR;AACA,WAAO,IAAI,SAAS,KAAK;AAAA,EAC3B;AACF;;;AC5MO,IAAM,gBAAN,MAAoB;AAAA,EACjB;AAAA,EAER,YAAY,SAAuB;AACjC,SAAK,UAAU,WAAW;AAAA,MACxB,IAAI,UAAU;AAAA;AAAA,IAEhB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,MAAM,cAAqD;AAC/D,UAAM,YAAY,KAAK,IAAI;AAC3B,UAAM,iBAAwC,CAAC;AAC/C,UAAM,eAAiE,CAAC;AACxE,UAAM,WAA4B,CAAC;AAGnC,UAAM,UAAU,MAAM,QAAQ;AAAA,MAC5B,KAAK,QAAQ,IAAI,OAAO,WAAW;AACjC,cAAM,QAAQ,MAAM,OAAO,kBAAkB,YAAY;AACzD,eAAO,EAAE,UAAU,OAAO,UAAU,MAAM;AAAA,MAC5C,CAAC;AAAA,IACH;AAEA,eAAW,UAAU,SAAS;AAC5B,UAAI,OAAO,WAAW,aAAa;AACjC,uBAAe,KAAK,OAAO,MAAM,QAAQ;AACzC,iBAAS,KAAK,GAAG,OAAO,MAAM,KAAK;AAAA,MACrC,OAAO;AAEL,cAAM,cAAc,QAAQ,QAAQ,MAAM;AAC1C,cAAM,WAAW,KAAK,QAAQ,WAAW,EAAE;AAC3C,qBAAa,KAAK;AAAA,UAChB,QAAQ;AAAA,UACR,OAAO,OAAO,kBAAkB,QAAQ,OAAO,OAAO,UAAU,OAAO,OAAO,MAAM;AAAA,QACtF,CAAC;AAAA,MACH;AAAA,IACF;AAGA,UAAM,eAAe,KAAK,2BAA2B,QAAQ;AAE7D,WAAO;AAAA,MACL,iBAAiB;AAAA,MACjB;AAAA,MACA;AAAA,MACA,iBAAiB,KAAK,IAAI,IAAI;AAAA,IAChC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,2BAA2B,OAAyC;AAC1E,UAAM,QAAQ,oBAAI,IAA2B;AAE7C,eAAW,QAAQ,OAAO;AAGxB,YAAM,MAAM,GAAG,KAAK,EAAE,KAAK,KAAK,WAAW;AAC3C,YAAM,WAAW,MAAM,IAAI,GAAG;AAE9B,UAAI,CAAC,UAAU;AACb,cAAM,IAAI,KAAK,IAAI;AAAA,MACrB,OAAO;AAEL,cAAM,IAAI,KAAK,KAAK,gBAAgB,UAAU,IAAI,CAAC;AAAA,MACrD;AAAA,IACF;AAEA,WAAO,MAAM,KAAK,MAAM,OAAO,CAAC;AAAA,EAClC;AAAA;AAAA,EAGQ,gBAAgB,GAAkB,GAAiC;AACzE,QAAI,SAAS;AACb,QAAI,SAAS;AAEb,QAAI,EAAE,cAAc,OAAW;AAC/B,QAAI,EAAE,cAAc,OAAW;AAC/B,QAAI,EAAE,aAAc;AACpB,QAAI,EAAE,aAAc;AACpB,QAAI,EAAE,qBAAsB;AAC5B,QAAI,EAAE,qBAAsB;AAC5B,QAAI,EAAE,aAAa,UAAW;AAC9B,QAAI,EAAE,aAAa,UAAW;AAI9B,UAAM,QAAQ,CAAC,QACb,OAAO,YAAY,OAAO,QAAQ,GAAG,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC,MAAM,MAAM,UAAa,MAAM,IAAI,CAAC;AAEzF,UAAM,SAAS,SAAS,SACpB,EAAE,GAAG,MAAM,CAAuC,GAAG,GAAG,MAAM,CAAuC,EAAE,IACvG,EAAE,GAAG,MAAM,CAAuC,GAAG,GAAG,MAAM,CAAuC,EAAE;AAG3G,UAAM,aAAa,oBAAI,IAAI,CAAC,GAAG,EAAE,SAAS,GAAG,EAAE,OAAO,CAAC;AACvD,WAAO,UAAU,MAAM,KAAK,UAAU;AAGtC,WAAO,kBAAkB,EAAE,mBAAmB,EAAE;AAEhD,WAAO;AAAA,EACT;AACF;;;ACnHO,IAAM,kBAAN,MAA0C;AAAA,EACtC,OAAO;AAAA,EAEhB,OAAO,QAA8B;AACnC,UAAM,QAAkB,CAAC;AAEzB,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,4RAAiD;AAC5D,UAAM,KAAK,2DAAiD;AAC5D,UAAM,KAAK,4RAAiD;AAC5D,UAAM,KAAK,EAAE;AAGb,UAAM,KAAK,mBAAmB,OAAO,QAAQ,IAAI,EAAE;AACnD,UAAM,KAAK,mBAAmB,OAAO,QAAQ,SAAS,EAAE;AACxD,UAAM,KAAK,mBAAmB,OAAO,QAAQ,eAAe,EAAE;AAC9D,UAAM,KAAK,mBAAmB,OAAO,WAAW,EAAE;AAClD,UAAM,KAAK,EAAE;AAGb,UAAM,KAAK,4BAAuB,OAAO,KAAK,MAAM,KAAK,OAAO,KAAK,WAAW,GAAG;AACnF,UAAM,KAAK,mBAAmB,OAAO,KAAK,cAAc,EAAE;AAC1D,UAAM,KAAK,EAAE;AAGb,UAAM,QAAQ,OAAO,SAAS;AAC9B,QAAI,MAAM,WAAW,GAAG;AACtB,YAAM,KAAK,yCAAoC;AAAA,IACjD,OAAO;AACL,YAAM,KAAK,YAAO,MAAM,MAAM,gBAAgB,MAAM,WAAW,IAAI,MAAM,KAAK,SAAS;AACvF,YAAM,KAAK,EAAE;AAGb,YAAM,SAAS,CAAC,GAAG,KAAK,EAAE,KAAK,CAAC,GAAG,MAAM,cAAc,EAAE,QAAQ,IAAI,cAAc,EAAE,QAAQ,CAAC;AAE9F,iBAAW,QAAQ,QAAQ;AACzB,cAAM,QAAQ,cAAc,KAAK,QAAQ;AACzC,cAAM,MAAM,KAAK,eAAe,gBAAW,KAAK,YAAY,KAAK;AACjE,cAAM,KAAK,OAAO,KAAK,KAAK,KAAK,EAAE,EAAE;AACrC,cAAM,KAAK,cAAc,KAAK,WAAW,IAAI,KAAK,wBAAwB,GAAG,GAAG,GAAG,EAAE;AACrF,cAAM,KAAK,cAAc,KAAK,QAAQ,MAAM,GAAG,GAAG,CAAC,EAAE;AACrD,YAAI,KAAK,iBAAiB;AACxB,gBAAM,KAAK,2EAA+D;AAAA,QAC5E;AACA,cAAM,KAAK,EAAE;AAAA,MACf;AAAA,IACF;AAGA,UAAM,UAAU,OAAO,SAAS,eAAe,KAAK,IAAI;AACxD,UAAM,KAAK,sBAAsB,OAAO,KAAK,OAAO,SAAS,eAAe,KAAK;AAEjF,QAAI,OAAO,SAAS,aAAa,SAAS,GAAG;AAC3C,iBAAW,OAAO,OAAO,SAAS,cAAc;AAC9C,cAAM,KAAK,YAAO,IAAI,MAAM,KAAK,IAAI,KAAK,EAAE;AAAA,MAC9C;AAAA,IACF;AAGA,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,iDAAmB;AAC9B,UAAM,KAAK,YAAY,OAAO,QAAQ,oBAAoB,kBAC3C,OAAO,QAAQ,QAAQ,cAC3B,OAAO,QAAQ,IAAI,gBACjB,OAAO,QAAQ,MAAM,aACxB,OAAO,QAAQ,GAAG,EAAE;AAE9B,QAAI,OAAO,QAAQ,kBAAkB,GAAG;AACtC,YAAM,KAAK,eAAQ,OAAO,QAAQ,eAAe,sDAAiD;AAAA,IACpG;AAEA,UAAM,KAAK,EAAE;AACb,WAAO,MAAM,KAAK,IAAI;AAAA,EACxB;AACF;AAEA,SAAS,cAAc,GAAqB;AAC1C,QAAM,QAAkC;AAAA,IACtC,UAAU;AAAA,IAAG,MAAM;AAAA,IAAG,QAAQ;AAAA,IAAG,KAAK;AAAA,IAAG,SAAS;AAAA,EACpD;AACA,SAAO,MAAM,CAAC,KAAK;AACrB;AAEA,SAAS,cAAc,GAAqB;AAC1C,QAAM,SAAmC;AAAA,IACvC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,KAAK;AAAA,IACL,SAAS;AAAA,EACX;AACA,SAAO,OAAO,CAAC,KAAK;AACtB;;;AbjFA,eAAsB,KAAK,QAA6C;AACtE,QAAM;AAAA,IACJ;AAAA,IACA,aAAa;AAAA,IACb,eAAe;AAAA,EACjB,IAAI;AAGJ,QAAM,WAAW,IAAI,gBAAgB;AACrC,QAAM,aAAa,MAAM,SAAS,cAAc,WAAW;AAG3D,QAAM,gBAAgB,IAAI,mBAAmB;AAC7C,QAAM,OAAO,cAAc,SAAS,UAAU;AAG9C,QAAM,UAAU,YAAY,KAAK,SAAS,OAAO;AAGjD,MAAI;AACJ,MAAI,cAAc;AAChB,eAAW;AAAA,MACT,iBAAiB,CAAC;AAAA,MAClB,gBAAgB,CAAC;AAAA,MACjB,cAAc,CAAC;AAAA,MACf,iBAAiB;AAAA,IACnB;AAAA,EACF,OAAO;AACL,UAAM,aAAa,IAAI,cAAc;AACrC,eAAW,MAAM,WAAW,MAAM,WAAW,YAAY;AAAA,EAC3D;AAGA,QAAM,UAAU;AAAA,IACd,mBAAmB,WAAW,aAAa;AAAA,IAC3C,sBAAsB,SAAS,gBAAgB;AAAA,IAC/C,UAAU,SAAS,gBAAgB,OAAO,CAAC,MAAM,EAAE,aAAa,UAAU,EAAE;AAAA,IAC5E,MAAM,SAAS,gBAAgB,OAAO,CAAC,MAAM,EAAE,aAAa,MAAM,EAAE;AAAA,IACpE,QAAQ,SAAS,gBAAgB,OAAO,CAAC,MAAM,EAAE,aAAa,QAAQ,EAAE;AAAA,IACxE,KAAK,SAAS,gBAAgB,OAAO,CAAC,MAAM,EAAE,aAAa,KAAK,EAAE;AAAA,IAClE,iBAAiB,SAAS,gBAAgB,OAAO,CAAC,MAAM,EAAE,eAAe,EAAE;AAAA,EAC7E;AAEA,QAAM,SAAuB;AAAA,IAC3B,SAAS;AAAA,MACP,MAAM;AAAA,MACN,WAAW,WAAW;AAAA,MACtB,iBAAiB,WAAW,aAAa;AAAA,IAC3C;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,EACtC;AAEA,SAAO;AACT;AAKO,SAAS,aAAa,QAAsB,WAA8B;AAC/E,QAAMC,iBAA0C;AAAA,IAC9C,UAAU;AAAA,IAAG,MAAM;AAAA,IAAG,QAAQ;AAAA,IAAG,KAAK;AAAA,IAAG,SAAS;AAAA,EACpD;AACA,QAAM,iBAAiBA,eAAc,SAAS,KAAK;AAEnD,SAAO,OAAO,SAAS,gBAAgB;AAAA,IACrC,CAAC,MAAMA,eAAc,EAAE,QAAQ,KAAK;AAAA,EACtC;AACF;AAKO,SAAS,YAAY,QAA4B;AACtD,QAAM,WAAW,IAAI,gBAAgB;AACrC,UAAQ,IAAI,SAAS,OAAO,MAAM,CAAC;AACrC;","names":["readFile","existsSync","path","path","existsSync","readFile","readFile","existsSync","path","path","existsSync","readFile","readFile","existsSync","path","path","existsSync","readFile","readFile","existsSync","path","path","existsSync","readFile","readFile","existsSync","path","readFile","existsSync","path","path","existsSync","readFile","randomUUID","severityOrder"]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "verimu",
-  "version": "0.0.2",
+  "version": "0.0.3",
   "description": "CRA compliance automation - SBOM generation, CVE monitoring, and vulnerability reporting for the EU Cyber Resilience Act.",
   "type": "module",
   "exports": {