{"version":3,"file":"index.cjs","sources":["../src/flags/flags.helpers.ts","../src/config/config-operands.ts","../src/config/detect-config-action.ts","../src/config/analyse-config.ts","../src/tokens/flag-specs.ts","../src/tokens/token-expander.ts","../src/flags/parse-global-flags.ts","../src/flags/parse-task-flags.ts","../src/vulnerabilities/detect-vulnerable-config-writes.ts","../src/vulnerabilities/detect-vulnerable-flags.ts","../src/vulnerabilities/vulnerability-analysis.ts","../src/args/parse-argv.ts","../src/env/parse-env.ts","../src/vulnerabilities/vulnerability-check.ts"],"sourcesContent":["export interface Flag {\n   name: string;\n   value?: string;\n   /** Value came from the next token rather than being embedded after `=`. */\n   absorbedNext: boolean;\n   /** Switch appeared before the git sub-command. */\n   isGlobal: boolean;\n}\n\nexport function* scopedFlags(flags: Flag[], scope: 'global' | 'task') {\n   const findGlobal = scope === 'global';\n   for (const flag of flags) {\n      if (flag.isGlobal === findGlobal) {\n         yield flag;\n      }\n   }\n}\n","// Flags that unambiguously signal a write operation on git config.\nexport const CONFIG_WRITE_FLAGS = new Set([\n   '--add',\n   '--edit',\n   '--remove-section',\n   '--rename-section',\n   '--replace-all',\n   '--unset',\n   '--unset-all',\n   '-e',\n]);\n\n// Flags that unambiguously signal a read operation.\nexport const CONFIG_READ_FLAGS = new Set([\n   '--get',\n   '--get-all',\n   '--get-color',\n   '--get-colorbool',\n   '--get-regexp',\n   '--get-urlmatch',\n   '--list',\n   '-l',\n]);\n\n// Sub-command verbs accepted as the first positional by newer git versions.\nexport const CONFIG_WRITE_VERBS = new Set([\n   'edit',\n   'remove-section',\n   'rename-section',\n   'set',\n   'unset',\n]);\nexport const CONFIG_READ_VERBS = new Set(['get', 'get-color', 'get-colorbool', 'list']);\n","import type { ConfigScope } from '../args/parse-argv.types';\nimport { type Flag, scopedFlags } from '../flags/flags.helpers';\nimport type { ConfigOperation } from './config.types';\nimport {\n   CONFIG_READ_FLAGS,\n   CONFIG_READ_VERBS,\n   CONFIG_WRITE_FLAGS,\n   CONFIG_WRITE_VERBS,\n} from './config-operands';\n\nexport function detectConfigAction(flags: Flag[], positionals: string[]): ConfigOperation | null {\n   for (const { name } of scopedFlags(flags, 'task')) {\n      if (CONFIG_WRITE_FLAGS.has(name)) {\n         return configOperation(true, positionals);\n      }\n      if (CONFIG_READ_FLAGS.has(name)) {\n         return configOperation(false, positionals);\n      }\n   }\n\n   const verb = positionals.at(0)?.toLowerCase();\n\n   if (verb === undefined) {\n      return null;\n   }\n\n   if (CONFIG_WRITE_VERBS.has(verb)) {\n      return configOperation(true, positionals.slice(1));\n   }\n\n   if (CONFIG_READ_VERBS.has(verb)) {\n      return configOperation(false, positionals.slice(1));\n   }\n\n   if (positionals.length === 1) {\n      return configOperation(false, positionals);\n   }\n\n   return configOperation(true, positionals);\n}\n\nfunction configOperation(isWrite = false, positionals: string[] = []): ConfigOperation | null {\n   const key = positionals.at(0)?.toLowerCase();\n\n   if (key === undefined) {\n      return null;\n   }\n\n   return {\n      isWrite,\n      isRead: !isWrite,\n      key,\n      value: positionals.at(1),\n   };\n}\n\nexport function toOperation(scope: ConfigScope, operation: ConfigOperation) {\n   if (operation.isWrite && operation.value !== undefined) {\n      return { key: operation.key, value: operation.value, scope };\n   }\n   return { key: operation.key, scope };\n}\n","import type { ConfigScope, ConfigWrite, ParsedConfigActivity } from '../args/parse-argv.types';\nimport { type Flag, scopedFlags } from '../flags/flags.helpers';\nimport type { ConfigOperation } from './config.types';\nimport { detectConfigAction, toOperation } from './detect-config-action';\n\nfunction parseAssignment(raw: string | undefined): { key: string; value: string } | null {\n   const eq = raw?.indexOf('=') || -1;\n\n   if (!raw || eq < 0) {\n      return null;\n   }\n\n   return {\n      key: raw.slice(0, eq).trim().toLowerCase(),\n      value: raw.slice(eq + 1),\n   };\n}\n\nfunction detectConfigScope(flags: Flag[]): ConfigScope {\n   for (const { name } of scopedFlags(flags, 'task')) {\n      switch (name) {\n         case '--global':\n            return 'global';\n         case '--system':\n            return 'system';\n         case '--worktree':\n            return 'worktree';\n         case '--local':\n            return 'local';\n         case '--file':\n         case '-f':\n            return 'file';\n      }\n   }\n   return 'local';\n}\n\nfunction detectConfigOverrideScope({ name }: Flag): ConfigScope | void {\n   if (name === '-c' || name === '--config') {\n      return 'inline';\n   }\n   if (name === '--config-env') {\n      return 'env';\n   }\n}\n\n/**\n * Generates the stream of ConfigWrite settings found in the supplied flags,\n * triggered by `-c` and `--config` for inline configuration and `--config-env`\n * to set a config setting based on environment variable.\n */\nfunction* collectWriteFlags(flags: Flag[]): Generator<ConfigWrite> {\n   for (const flag of flags) {\n      const scope = detectConfigOverrideScope(flag);\n      const assignment = scope && parseAssignment(flag.value);\n\n      if (assignment) {\n         yield {\n            ...assignment,\n            scope,\n         };\n      }\n   }\n}\n\nexport function collectConfigAccess(\n   task: string | null,\n   flags: Flag[],\n   positionals: string[]\n): ParsedConfigActivity {\n   const parsedConfig: ParsedConfigActivity = {\n      read: [],\n      write: [...collectWriteFlags(flags)],\n   };\n\n   if (task === 'config') {\n      appendParsedConfigAction(\n         parsedConfig,\n         detectConfigScope(flags),\n         detectConfigAction(flags, positionals)\n      );\n   }\n\n   return parsedConfig;\n}\n\nfunction appendParsedConfigAction(\n   parsedConfig: ParsedConfigActivity,\n   scope: ConfigScope,\n   action: ConfigOperation | null\n) {\n   if (action === null) {\n      return;\n   }\n\n   const config = toOperation(scope, action);\n   if (action.isWrite) {\n      parsedConfig.write.push(config);\n   } else {\n      parsedConfig.read.push(config);\n   }\n}\n","// ── Option tables ─────────────────────────────────────────────────────────────\n//\n// Each scope has:\n//   short  – Map<char, consumesNext>  (known single-letter switches; true = takes next token)\n//   long   – Set<stem>                (long switch stems, without --, that take the next token)\n//\n// Only switches listed here are \"known\". An unknown char anywhere in a combined\n// cluster causes the entire cluster to be kept as one opaque token.\n\nexport interface FlagSpec {\n   readonly short: ReadonlyMap<string, boolean>;\n   readonly long: ReadonlySet<string>;\n}\n\nconst UNIVERSAL: FlagSpec = {\n   short: new Map([\n      ['c', true], //  -c <k=v>    set config key for this invocation\n   ]),\n   long: new Set(),\n};\n\nexport const GLOBAL: FlagSpec = {\n   short: new Map([\n      ['C', true], //  -C <path>   change working directory\n      ['P', false], // -P          no pager (alias for --no-pager)\n      ['h', false], // -h          help\n      ['p', false], // -p          paginate\n      ['v', false], // -v          version\n      ...UNIVERSAL.short.entries(),\n   ]),\n   long: new Set([\n      'attr-source',\n      'config-env',\n      'exec-path',\n      'git-dir',\n      'list-cmds',\n      'namespace',\n      'super-prefix',\n      'work-tree',\n   ]),\n};\n\nconst COMMANDS: Record<string, FlagSpec> = {\n   clone: {\n      short: new Map([\n         ['b', true], // -b <branch>\n         ['j', true], // -j <n>          parallel jobs\n         ['l', false], // -l local\n         ['n', false], // -n no-checkout\n         ['o', true], // -o <name>       remote name\n         ['q', false], // -q quiet\n         ['s', false], // -s shared\n         ['u', true], // -u <upload-pack>\n      ]),\n      long: new Set(['branch', 'config', 'jobs', 'origin', 'upload-pack', 'u', 'template']),\n   },\n   commit: {\n      short: new Map([\n         ['C', true], // -C <commit>  reuse message\n         ['F', true], // -F <file>    read message from file\n         ['c', true], // -c <commit>  reedit message\n         ['m', true], // -m <msg>\n         ['t', true], // -t <template>\n      ]),\n      long: new Set(['file', 'message', 'reedit-message', 'reuse-message', 'template']),\n   },\n   config: {\n      short: new Map([\n         ['e', false], // -e  open editor\n         ['f', true], //  -f <file>\n         ['l', false], // -l  list\n      ]),\n      long: new Set(['blob', 'comment', 'default', 'file', 'type', 'value']),\n   },\n   fetch: {\n      short: new Map(),\n      long: new Set(['upload-pack']),\n   },\n   init: {\n      short: new Map(),\n      long: new Set(['template']),\n   },\n   pull: {\n      short: new Map(),\n      long: new Set(['upload-pack']),\n   },\n   push: {\n      short: new Map(),\n      long: new Set(['exec', 'receive-pack']),\n   },\n};\n\nconst EMPTY: FlagSpec = { short: new Map(), long: new Set() };\n\nexport function getFlagSpecForTask(task?: string | null) {\n   const spec = COMMANDS[task ?? ''] ?? EMPTY;\n\n   return {\n      short: new Map([...UNIVERSAL.short.entries(), ...spec.short.entries()]),\n      long: spec.long,\n   };\n}\n","import { GLOBAL } from './flag-specs';\n\n/** Parse a single raw token (e.g. `'-m'`, `'--amend'`, `'-uc'`) into one or\n *  more switch descriptors.  Values are not yet resolved for needsNext=true. */\nexport function expandToken(\n   raw: string,\n   spec = GLOBAL\n): Array<{\n   name: string;\n   value?: string;\n   needsNext: boolean;\n}> {\n   if (raw.startsWith('--')) {\n      const eq = raw.indexOf('=');\n      if (eq > 2) {\n         return [{ name: raw.slice(0, eq), value: raw.slice(eq + 1), needsNext: false }];\n      }\n      const stem = raw.slice(2);\n      return [{ name: raw, needsNext: spec.long.has(stem) }];\n   }\n\n   // Single short switch\n   if (raw.length === 2) {\n      const char = raw.charAt(1);\n      const consumes = spec.short.get(char);\n      return [{ name: raw, needsNext: consumes === true }];\n   }\n\n   // Combined short cluster: try to expand char-by-char\n   return expandCluster(raw, spec.short);\n}\n\nfunction expandCluster(\n   raw: string,\n   shortSpec: ReadonlyMap<string, boolean>\n): Array<{ name: string; value?: string; needsNext: boolean }> {\n   const chars = raw.slice(1).split('');\n   const result: Array<{ name: string; value?: string; needsNext: boolean }> = [];\n\n   for (let i = 0; i < chars.length; i++) {\n      const char = chars[i];\n      const consumes = shortSpec.get(char);\n\n      if (consumes === undefined) {\n         // Unknown char: keep the whole raw token as opaque\n         return [{ name: raw, needsNext: false }];\n      }\n\n      if (consumes) {\n         const remainder = chars.slice(i + 1).join('');\n         if (remainder) {\n            const remainderAllKnown = [...remainder].every((c) => shortSpec.has(c));\n            if (!remainderAllKnown) {\n               // Remaining chars are the embedded value, not separate flags\n               result.push({ name: `-${char}`, value: remainder, needsNext: false });\n               return result;\n            }\n         }\n      }\n\n      result.push({ name: `-${char}`, needsNext: consumes });\n   }\n\n   return result;\n}\n","import { expandToken } from '../tokens/token-expander';\nimport type { Flag } from './flags.helpers';\n\nexport interface GlobalFlags {\n   flags: Flag[];\n   taskIndex: number;\n}\n\nexport function parseGlobalFlags(tokens: readonly unknown[], flags: Flag[] = []): GlobalFlags {\n   let i = 0;\n\n   while (i < tokens.length) {\n      const raw = String(tokens[i]);\n      if (!raw.startsWith('-') || raw.length < 2) break;\n\n      const parsed = expandToken(raw);\n      let next = i + 1;\n\n      for (const token of parsed) {\n         const flag: Flag = {\n            name: token.name,\n            value: token.value,\n            absorbedNext: false,\n            isGlobal: true,\n         };\n         if (token.needsNext && flag.value === undefined && next < tokens.length) {\n            flag.value = String(tokens[next]);\n            flag.absorbedNext = true;\n            next++;\n         }\n         flags.push(flag);\n      }\n\n      i = next;\n   }\n\n   return { flags, taskIndex: i };\n}\n","import { isPathSpec, toPaths } from '@simple-git/args-pathspec';\n\nimport { getFlagSpecForTask } from '../tokens/flag-specs';\nimport { expandToken } from '../tokens/token-expander';\nimport type { Flag } from './flags.helpers';\n\ntype TaskFlags = {\n   flags: Flag[];\n   positionals: string[];\n   pathspecs: string[];\n};\n\nexport function parseTaskFlags(\n   tokens: readonly unknown[],\n   task: string | null,\n   flags: Flag[] = []\n): TaskFlags {\n   const spec = getFlagSpecForTask(task);\n   const positionals: string[] = [];\n   const pathspecs: string[] = [];\n\n   let i = 0;\n   while (i < tokens.length) {\n      const current = tokens[i];\n\n      if (isPathSpec(current)) {\n         pathspecs.push(...toPaths(current as string));\n         i++;\n         continue;\n      }\n\n      const raw = String(current);\n\n      if (raw === '--') {\n         for (let j = i + 1; j < tokens.length; j++) {\n            const t = tokens[j];\n            isPathSpec(t) ? pathspecs.push(...toPaths(t as string)) : pathspecs.push(String(t));\n         }\n         break;\n      }\n\n      if (!raw.startsWith('-') || raw.length < 2) {\n         positionals.push(raw);\n         i++;\n         continue;\n      }\n\n      const parsed = expandToken(raw, spec);\n      let next = i + 1;\n\n      for (const token of parsed) {\n         const flag: Flag = {\n            name: token.name,\n            value: token.value,\n            absorbedNext: false,\n            isGlobal: false,\n         };\n         if (\n            token.needsNext &&\n            flag.value === undefined &&\n            next < tokens.length &&\n            !isPathSpec(tokens[next])\n         ) {\n            flag.value = String(tokens[next]);\n            flag.absorbedNext = true;\n            next++;\n         }\n         flags.push(flag);\n      }\n\n      i = next;\n   }\n\n   return { flags, positionals, pathspecs };\n}\n","import type { ParsedConfigActivity } from '../args/parse-argv.types';\nimport type { Vulnerability, VulnerabilityCategory } from './vulnerability.types';\n\nexport function* detectVulnerableConfigWrites({\n   write,\n}: ParsedConfigActivity): Generator<Vulnerability> {\n   for (const config of write) {\n      for (const helper of preventUnsafeConfig) {\n         const vulnerability = helper(config.key);\n         if (vulnerability) {\n            yield vulnerability;\n         }\n      }\n   }\n}\n\nfunction preventConfigBuilder(\n   config: string | RegExp,\n   category: VulnerabilityCategory,\n   message = String(config)\n) {\n   const regex = typeof config === 'string' ? new RegExp(`\\\\s*${config.toLowerCase()}`) : config;\n\n   return function preventCommand(key: string): Vulnerability | void {\n      if (regex.test(key)) {\n         return {\n            category,\n            message: `Configuring ${message} is not permitted without enabling ${category}`,\n         };\n      }\n   };\n}\n\nfunction preventExpandedConfigBuilder(config: string, category: VulnerabilityCategory) {\n   const regex = new RegExp(`\\\\s*${config.toLowerCase().replace(/\\./g, '(\\..+)?.')}`);\n   return preventConfigBuilder(regex, category, config);\n}\n\nconst preventUnsafeConfig = [\n   preventConfigBuilder('alias', 'allowUnsafeAlias'),\n   preventConfigBuilder('core.askPass', 'allowUnsafeAskPass'),\n   preventConfigBuilder('core.editor', 'allowUnsafeEditor'),\n   preventConfigBuilder('core.fsmonitor', 'allowUnsafeFsMonitor'),\n   preventConfigBuilder('core.gitProxy', 'allowUnsafeGitProxy'),\n   preventConfigBuilder('core.hooksPath', 'allowUnsafeHooksPath'),\n   preventConfigBuilder('core.pager', 'allowUnsafePager'),\n   preventConfigBuilder('core.sshCommand', 'allowUnsafeSshCommand'),\n   preventExpandedConfigBuilder('credential.helper', 'allowUnsafeCredentialHelper'),\n   preventExpandedConfigBuilder('diff.command', 'allowUnsafeDiffExternal'),\n   preventConfigBuilder('diff.external', 'allowUnsafeDiffExternal'),\n   preventExpandedConfigBuilder('diff.textconv', 'allowUnsafeDiffTextConv'),\n   preventExpandedConfigBuilder('filter.clean', 'allowUnsafeFilter'),\n   preventExpandedConfigBuilder('filter.smudge', 'allowUnsafeFilter'),\n   preventExpandedConfigBuilder('gpg.program', 'allowUnsafeGpgProgram'),\n   preventConfigBuilder('init.templateDir', 'allowUnsafeTemplateDir'),\n   preventExpandedConfigBuilder('merge.driver', 'allowUnsafeMergeDriver'),\n   preventExpandedConfigBuilder('mergetool.path', 'allowUnsafeMergeDriver'),\n   preventExpandedConfigBuilder('mergetool.cmd', 'allowUnsafeMergeDriver'),\n   preventExpandedConfigBuilder('protocol.allow', 'allowUnsafeProtocolOverride'),\n   preventExpandedConfigBuilder('remote.receivepack', 'allowUnsafePack'),\n   preventExpandedConfigBuilder('remote.uploadpack', 'allowUnsafePack'),\n   preventConfigBuilder('sequence.editor', 'allowUnsafeEditor'),\n];\n","import type { Flag } from '../flags/flags.helpers';\nimport type { Vulnerability, VulnerabilityCategory } from './vulnerability.types';\n\nexport function* detectVulnerableFlags(\n   task: null | string,\n   flags: Flag[]\n): Generator<Vulnerability> {\n   for (const flag of flags) {\n      for (const helper of preventUnsafeFlags) {\n         const vulnerability = helper(task, flag.name);\n         if (vulnerability) {\n            yield vulnerability;\n         }\n      }\n   }\n}\n\nfunction preventFlagBuilder(\n   task: string | null,\n   flag: string | RegExp,\n   category: VulnerabilityCategory,\n   name = String(flag)\n) {\n   const regex = typeof flag === 'string' ? new RegExp(`\\\\s*${flag.toLowerCase()}`) : flag;\n   const message = `Use of ${task ? `${task} with option ` : ''}${name} is not permitted without enabling ${category}`;\n\n   return function preventFlag(currentTask: string | null, flagName: string): Vulnerability | void {\n      if ((!task || currentTask === task) && regex.test(flagName)) {\n         return {\n            category,\n            message,\n         };\n      }\n   };\n}\n\nconst preventUnsafeFlags = [\n   preventFlagBuilder(\n      null,\n      /--(upload|receive)-pack/,\n      'allowUnsafePack',\n      '--upload-pack or --receive-pack'\n   ),\n   preventFlagBuilder('clone', /^-\\w*u/, 'allowUnsafePack'),\n   preventFlagBuilder('clone', '--u', 'allowUnsafePack'),\n   preventFlagBuilder('push', '--exec', 'allowUnsafePack'),\n   preventFlagBuilder(null, '--template', 'allowUnsafeTemplateDir'),\n];\n","import type { ParsedConfigActivity } from '../args/parse-argv.types';\nimport type { Flag } from '../flags/flags.helpers';\nimport { detectVulnerableConfigWrites } from './detect-vulnerable-config-writes';\nimport { detectVulnerableFlags } from './detect-vulnerable-flags';\nimport type { Vulnerability } from './vulnerability.types';\n\nexport function vulnerabilityAnalysis(\n   task: null | string,\n   flags: Flag[],\n   config: ParsedConfigActivity\n): Vulnerability[] {\n   return [...detectVulnerableFlags(task, flags), ...detectVulnerableConfigWrites(config)];\n}\n","import { collectConfigAccess } from '../config/analyse-config';\nimport type { Flag } from '../flags/flags.helpers';\nimport { parseGlobalFlags } from '../flags/parse-global-flags';\nimport { parseTaskFlags } from '../flags/parse-task-flags';\nimport type { Vulnerability } from '../vulnerabilities/vulnerability.types';\nimport { vulnerabilityAnalysis } from '../vulnerabilities/vulnerability-analysis';\nimport type { ParsedArgv, ParsedFlag } from './parse-argv.types';\n\n/**\n * Parse the tokens that would be forwarded to a `git` child-process and\n * return a structured summary of what the invocation does.\n */\nexport function parseArgv(...tokens: readonly unknown[]): ParsedArgv {\n   const { flags, taskIndex } = parseGlobalFlags(tokens);\n\n   const task = taskIndex < tokens.length ? String(tokens[taskIndex]).toLowerCase() : null;\n   const taskTokens = task !== null ? tokens.slice(taskIndex + 1) : [];\n\n   const { positionals, pathspecs } = parseTaskFlags(taskTokens, task, flags);\n   const config = collectConfigAccess(task, flags, positionals);\n\n   return {\n      task,\n      flags: flags.map(toParsedFlag),\n      paths: pathspecs,\n      config,\n      vulnerabilities: vulnerabilityList(vulnerabilityAnalysis(task, flags, config)),\n   };\n}\n\nfunction vulnerabilityList(vulnerabilities: Vulnerability[]) {\n   return Object.defineProperty(vulnerabilities, 'vulnerabilities', {\n      value: vulnerabilities,\n   });\n}\n\nfunction toParsedFlag({ value, name }: Flag): ParsedFlag {\n   return value !== undefined ? { name, value } : { name };\n}\n","import type { ConfigWrite, ParsedConfigActivity } from '../args/parse-argv.types';\nimport type { Vulnerability, VulnerabilityCategory } from '../vulnerabilities/vulnerability.types';\nimport { vulnerabilityAnalysis } from '../vulnerabilities/vulnerability-analysis';\n\nconst GitEnvKeys = {\n   'editor': 'allowUnsafeEditor',\n   'git_askpass': 'allowUnsafeAskPass',\n   'git_config_global': 'allowUnsafeConfigPaths',\n   'git_config_system': 'allowUnsafeConfigPaths',\n   'git_config_count': 'allowUnsafeConfigEnvCount',\n   'git_config': 'allowUnsafeConfigPaths',\n   'git_editor': 'allowUnsafeEditor',\n   'git_exec_path': 'allowUnsafeConfigPaths',\n   'git_external_diff': 'allowUnsafeDiffExternal',\n   'git_pager': 'allowUnsafePager',\n   'git_proxy_command': 'allowUnsafeGitProxy',\n   'git_template_dir': 'allowUnsafeTemplateDir',\n   'git_sequence_editor': 'allowUnsafeEditor',\n   'git_ssh': 'allowUnsafeSshCommand',\n   'git_ssh_command': 'allowUnsafeSshCommand',\n   'pager': 'allowUnsafePager',\n   'prefix': 'allowUnsafeConfigPaths',\n   'ssh_askpass': 'allowUnsafeAskPass',\n} as const satisfies Record<string, VulnerabilityCategory>;\n\ntype GitEnv = Record<string, string> & {\n   git_config_count?: string;\n};\n\nfunction* collectConfigByCount(env: GitEnv): Generator<ConfigWrite> {\n   const count = parseInt(env.git_config_count ?? '0', 10);\n   for (let index = 0; index < count; index++) {\n      const key = env[`git_config_key_${index}`];\n      const value = env[`git_config_value_${index}`];\n\n      if (key !== undefined) {\n         yield { key: key.toLowerCase().trim(), value, scope: 'env' };\n      }\n   }\n}\n\nfunction* collectConfigVulnerabilities(env: GitEnv): Generator<Vulnerability> {\n   for (const key of Object.keys(env)) {\n      if (isGitEnvKey(key)) {\n         const category = GitEnvKeys[key];\n         yield {\n            category,\n            message: `Use of \"${key.toUpperCase()}\" is not permitted without enabling ${category}`,\n         };\n      }\n   }\n}\n\nfunction isGitEnvKey(key: string): key is keyof typeof GitEnvKeys {\n   return Object.hasOwn(GitEnvKeys, key);\n}\n\nfunction prepareEnv(env: Record<string, unknown>): GitEnv {\n   const gitEnv: GitEnv = {};\n   for (const [key, value] of Object.entries(env)) {\n      const envKey = key.toLowerCase().trim();\n      if (isGitEnvKey(envKey) || envKey.startsWith('git')) {\n         gitEnv[envKey] = String(value);\n      }\n   }\n   return gitEnv;\n}\n\nexport function parseEnv(raw: Record<string, unknown>) {\n   const env = prepareEnv(raw);\n   const config: ParsedConfigActivity = {\n      read: [],\n      write: [...collectConfigByCount(env)],\n   };\n   const vulnerabilities = [\n      ...collectConfigVulnerabilities(env),\n      ...vulnerabilityAnalysis(null, [], config),\n   ];\n\n   return {\n      config,\n      vulnerabilities,\n   };\n}\n","import { parseArgv } from '../args/parse-argv';\nimport { parseEnv } from '../env/parse-env';\n\n/**\n * Retrieves just the vulnerabilities identified in the supplied varargs tokens\n * and environment variables.\n */\nexport function vulnerabilityCheck(tokens: readonly string[], env: Record<string, unknown>) {\n   return [...parseArgv(...tokens).vulnerabilities, ...parseEnv(env).vulnerabilities];\n}\n"],"names":["scopedFlags","flags","scope","findGlobal","flag","CONFIG_WRITE_FLAGS","CONFIG_READ_FLAGS","CONFIG_WRITE_VERBS","CONFIG_READ_VERBS","detectConfigAction","positionals","name","configOperation","verb","isWrite","key","toOperation","operation","parseAssignment","raw","eq","detectConfigScope","detectConfigOverrideScope","collectWriteFlags","assignment","collectConfigAccess","task","parsedConfig","appendParsedConfigAction","action","config","UNIVERSAL","GLOBAL","COMMANDS","EMPTY","getFlagSpecForTask","spec","expandToken","stem","char","consumes","expandCluster","shortSpec","chars","result","i","remainder","c","parseGlobalFlags","tokens","parsed","next","token","parseTaskFlags","pathspecs","current","isPathSpec","toPaths","j","t","detectVulnerableConfigWrites","write","helper","preventUnsafeConfig","vulnerability","preventConfigBuilder","category","message","regex","preventExpandedConfigBuilder","detectVulnerableFlags","preventUnsafeFlags","preventFlagBuilder","currentTask","flagName","vulnerabilityAnalysis","parseArgv","taskIndex","taskTokens","toParsedFlag","vulnerabilityList","vulnerabilities","value","GitEnvKeys","collectConfigByCount","env","count","index","collectConfigVulnerabilities","isGitEnvKey","prepareEnv","gitEnv","envKey","parseEnv","vulnerabilityCheck"],"mappings":"6HASO,SAAUA,EAAYC,EAAeC,EAA0B,CACnE,MAAMC,EAAaD,IAAU,SAC7B,UAAWE,KAAQH,EACZG,EAAK,WAAaD,IACnB,MAAMC,EAGf,CCfO,MAAMC,MAAyB,IAAI,CACvC,QACA,SACA,mBACA,mBACA,gBACA,UACA,cACA,IACH,CAAC,EAGYC,MAAwB,IAAI,CACtC,QACA,YACA,cACA,kBACA,eACA,iBACA,SACA,IACH,CAAC,EAGYC,MAAyB,IAAI,CACvC,OACA,iBACA,iBACA,MACA,OACH,CAAC,EACYC,MAAwB,IAAI,CAAC,MAAO,YAAa,gBAAiB,MAAM,CAAC,ECtB/E,SAASC,EAAmBR,EAAeS,EAA+C,CAC9F,SAAW,CAAE,KAAAC,CAAA,IAAUX,EAAYC,EAAO,MAAM,EAAG,CAChD,GAAII,EAAmB,IAAIM,CAAI,EAC5B,OAAOC,EAAgB,GAAMF,CAAW,EAE3C,GAAIJ,EAAkB,IAAIK,CAAI,EAC3B,OAAOC,EAAgB,GAAOF,CAAW,CAE/C,CAEA,MAAMG,EAAOH,EAAY,GAAG,CAAC,GAAG,YAAA,EAEhC,OAAIG,IAAS,OACH,KAGNN,EAAmB,IAAIM,CAAI,EACrBD,EAAgB,GAAMF,EAAY,MAAM,CAAC,CAAC,EAGhDF,EAAkB,IAAIK,CAAI,EACpBD,EAAgB,GAAOF,EAAY,MAAM,CAAC,CAAC,EAGjDA,EAAY,SAAW,EACjBE,EAAgB,GAAOF,CAAW,EAGrCE,EAAgB,GAAMF,CAAW,CAC3C,CAEA,SAASE,EAAgBE,EAAU,GAAOJ,EAAwB,CAAA,EAA4B,CAC3F,MAAMK,EAAML,EAAY,GAAG,CAAC,GAAG,YAAA,EAE/B,OAAIK,IAAQ,OACF,KAGH,CACJ,QAAAD,EACA,OAAQ,CAACA,EACT,IAAAC,EACA,MAAOL,EAAY,GAAG,CAAC,CAAA,CAE7B,CAEO,SAASM,EAAYd,EAAoBe,EAA4B,CACzE,OAAIA,EAAU,SAAWA,EAAU,QAAU,OACnC,CAAE,IAAKA,EAAU,IAAK,MAAOA,EAAU,MAAO,MAAAf,CAAA,EAEjD,CAAE,IAAKe,EAAU,IAAK,MAAAf,CAAA,CAChC,CCxDA,SAASgB,EAAgBC,EAAgE,CACtF,MAAMC,EAAKD,GAAK,QAAQ,GAAG,GAAK,GAEhC,MAAI,CAACA,GAAOC,EAAK,EACP,KAGH,CACJ,IAAKD,EAAI,MAAM,EAAGC,CAAE,EAAE,KAAA,EAAO,YAAA,EAC7B,MAAOD,EAAI,MAAMC,EAAK,CAAC,CAAA,CAE7B,CAEA,SAASC,EAAkBpB,EAA4B,CACpD,SAAW,CAAE,KAAAU,CAAA,IAAUX,EAAYC,EAAO,MAAM,EAC7C,OAAQU,EAAA,CACL,IAAK,WACF,MAAO,SACV,IAAK,WACF,MAAO,SACV,IAAK,aACF,MAAO,WACV,IAAK,UACF,MAAO,QACV,IAAK,SACL,IAAK,KACF,MAAO,MAAA,CAGhB,MAAO,OACV,CAEA,SAASW,EAA0B,CAAE,KAAAX,GAAkC,CACpE,GAAIA,IAAS,MAAQA,IAAS,WAC3B,MAAO,SAEV,GAAIA,IAAS,eACV,MAAO,KAEb,CAOA,SAAUY,EAAkBtB,EAAuC,CAChE,UAAWG,KAAQH,EAAO,CACvB,MAAMC,EAAQoB,EAA0BlB,CAAI,EACtCoB,EAAatB,GAASgB,EAAgBd,EAAK,KAAK,EAElDoB,IACD,KAAM,CACH,GAAGA,EACH,MAAAtB,CAAA,EAGT,CACH,CAEO,SAASuB,EACbC,EACAzB,EACAS,EACqB,CACrB,MAAMiB,EAAqC,CACxC,KAAM,CAAA,EACN,MAAO,CAAC,GAAGJ,EAAkBtB,CAAK,CAAC,CAAA,EAGtC,OAAIyB,IAAS,UACVE,EACGD,EACAN,EAAkBpB,CAAK,EACvBQ,EAAmBR,EAAOS,CAAW,CAAA,EAIpCiB,CACV,CAEA,SAASC,EACND,EACAzB,EACA2B,EACD,CACC,GAAIA,IAAW,KACZ,OAGH,MAAMC,EAASd,EAAYd,EAAO2B,CAAM,EACpCA,EAAO,QACRF,EAAa,MAAM,KAAKG,CAAM,EAE9BH,EAAa,KAAK,KAAKG,CAAM,CAEnC,CCvFA,MAAMC,EAAsB,CACzB,UAAW,IAAI,CACZ,CAAC,IAAK,EAAI,CAAA,CACZ,CAEJ,EAEaC,EAAmB,CAC7B,MAAO,IAAI,IAAI,CACZ,CAAC,IAAK,EAAI,EACV,CAAC,IAAK,EAAK,EACX,CAAC,IAAK,EAAK,EACX,CAAC,IAAK,EAAK,EACX,CAAC,IAAK,EAAK,EACX,GAAGD,EAAU,MAAM,QAAA,CAAQ,CAC7B,EACD,SAAU,IAAI,CACX,cACA,aACA,YACA,UACA,YACA,YACA,eACA,WAAA,CACF,CACJ,EAEME,EAAqC,CACxC,MAAO,CACJ,UAAW,IAAI,CACZ,CAAC,IAAK,EAAI,EACV,CAAC,IAAK,EAAI,EACV,CAAC,IAAK,EAAK,EACX,CAAC,IAAK,EAAK,EACX,CAAC,IAAK,EAAI,EACV,CAAC,IAAK,EAAK,EACX,CAAC,IAAK,EAAK,EACX,CAAC,IAAK,EAAI,CAAA,CACZ,EACD,KAAM,IAAI,IAAI,CAAC,SAAU,SAAU,OAAQ,SAAU,cAAe,IAAK,UAAU,CAAC,CAAA,EAEvF,OAAQ,CACL,UAAW,IAAI,CACZ,CAAC,IAAK,EAAI,EACV,CAAC,IAAK,EAAI,EACV,CAAC,IAAK,EAAI,EACV,CAAC,IAAK,EAAI,EACV,CAAC,IAAK,EAAI,CAAA,CACZ,EACD,SAAU,IAAI,CAAC,OAAQ,UAAW,iBAAkB,gBAAiB,UAAU,CAAC,CAAA,EAEnF,OAAQ,CACL,UAAW,IAAI,CACZ,CAAC,IAAK,EAAK,EACX,CAAC,IAAK,EAAI,EACV,CAAC,IAAK,EAAK,CAAA,CACb,EACD,KAAM,IAAI,IAAI,CAAC,OAAQ,UAAW,UAAW,OAAQ,OAAQ,OAAO,CAAC,CAAA,EAExE,MAAO,CACJ,UAAW,IACX,KAAM,IAAI,IAAI,CAAC,aAAa,CAAC,CAAA,EAEhC,KAAM,CACH,UAAW,IACX,KAAM,IAAI,IAAI,CAAC,UAAU,CAAC,CAAA,EAE7B,KAAM,CACH,UAAW,IACX,KAAM,IAAI,IAAI,CAAC,aAAa,CAAC,CAAA,EAEhC,KAAM,CACH,UAAW,IACX,KAAM,IAAI,IAAI,CAAC,OAAQ,cAAc,CAAC,CAAA,CAE5C,EAEMC,EAAkB,CAAE,MAAO,IAAI,IAAO,KAAM,IAAI,GAAI,EAEnD,SAASC,EAAmBT,EAAsB,CACtD,MAAMU,EAAOH,EAASP,GAAQ,EAAE,GAAKQ,EAErC,MAAO,CACJ,MAAO,IAAI,IAAI,CAAC,GAAGH,EAAU,MAAM,QAAA,EAAW,GAAGK,EAAK,MAAM,QAAA,CAAS,CAAC,EACtE,KAAMA,EAAK,IAAA,CAEjB,CCjGO,SAASC,EACblB,EACAiB,EAAOJ,EAKP,CACA,GAAIb,EAAI,WAAW,IAAI,EAAG,CACvB,MAAMC,EAAKD,EAAI,QAAQ,GAAG,EAC1B,GAAIC,EAAK,EACN,MAAO,CAAC,CAAE,KAAMD,EAAI,MAAM,EAAGC,CAAE,EAAG,MAAOD,EAAI,MAAMC,EAAK,CAAC,EAAG,UAAW,GAAO,EAEjF,MAAMkB,EAAOnB,EAAI,MAAM,CAAC,EACxB,MAAO,CAAC,CAAE,KAAMA,EAAK,UAAWiB,EAAK,KAAK,IAAIE,CAAI,EAAG,CACxD,CAGA,GAAInB,EAAI,SAAW,EAAG,CACnB,MAAMoB,EAAOpB,EAAI,OAAO,CAAC,EACnBqB,EAAWJ,EAAK,MAAM,IAAIG,CAAI,EACpC,MAAO,CAAC,CAAE,KAAMpB,EAAK,UAAWqB,IAAa,GAAM,CACtD,CAGA,OAAOC,EAActB,EAAKiB,EAAK,KAAK,CACvC,CAEA,SAASK,EACNtB,EACAuB,EAC4D,CAC5D,MAAMC,EAAQxB,EAAI,MAAM,CAAC,EAAE,MAAM,EAAE,EAC7ByB,EAAsE,CAAA,EAE5E,QAASC,EAAI,EAAGA,EAAIF,EAAM,OAAQE,IAAK,CACpC,MAAMN,EAAOI,EAAME,CAAC,EACdL,EAAWE,EAAU,IAAIH,CAAI,EAEnC,GAAIC,IAAa,OAEd,MAAO,CAAC,CAAE,KAAMrB,EAAK,UAAW,GAAO,EAG1C,GAAIqB,EAAU,CACX,MAAMM,EAAYH,EAAM,MAAME,EAAI,CAAC,EAAE,KAAK,EAAE,EAC5C,GAAIC,GAEG,CADsB,CAAC,GAAGA,CAAS,EAAE,MAAOC,GAAML,EAAU,IAAIK,CAAC,CAAC,EAGnE,OAAAH,EAAO,KAAK,CAAE,KAAM,IAAIL,CAAI,GAAI,MAAOO,EAAW,UAAW,EAAA,CAAO,EAC7DF,CAGhB,CAEAA,EAAO,KAAK,CAAE,KAAM,IAAIL,CAAI,GAAI,UAAWC,EAAU,CACxD,CAEA,OAAOI,CACV,CCxDO,SAASI,EAAiBC,EAA4BhD,EAAgB,GAAiB,CAC3F,IAAI4C,EAAI,EAER,KAAOA,EAAII,EAAO,QAAQ,CACvB,MAAM9B,EAAM,OAAO8B,EAAOJ,CAAC,CAAC,EAC5B,GAAI,CAAC1B,EAAI,WAAW,GAAG,GAAKA,EAAI,OAAS,EAAG,MAE5C,MAAM+B,EAASb,EAAYlB,CAAG,EAC9B,IAAIgC,EAAON,EAAI,EAEf,UAAWO,KAASF,EAAQ,CACzB,MAAM9C,EAAa,CAChB,KAAMgD,EAAM,KACZ,MAAOA,EAAM,MACb,aAAc,GACd,SAAU,EAAA,EAETA,EAAM,WAAahD,EAAK,QAAU,QAAa+C,EAAOF,EAAO,SAC9D7C,EAAK,MAAQ,OAAO6C,EAAOE,CAAI,CAAC,EAChC/C,EAAK,aAAe,GACpB+C,KAEHlD,EAAM,KAAKG,CAAI,CAClB,CAEAyC,EAAIM,CACP,CAEA,MAAO,CAAE,MAAAlD,EAAO,UAAW4C,CAAA,CAC9B,CCzBO,SAASQ,EACbJ,EACAvB,EACAzB,EAAgB,CAAA,EACN,CACV,MAAMmC,EAAOD,EAAmBT,CAAI,EAC9BhB,EAAwB,CAAA,EACxB4C,EAAsB,CAAA,EAE5B,IAAIT,EAAI,EACR,KAAOA,EAAII,EAAO,QAAQ,CACvB,MAAMM,EAAUN,EAAOJ,CAAC,EAExB,GAAIW,EAAAA,WAAWD,CAAO,EAAG,CACtBD,EAAU,KAAK,GAAGG,EAAAA,QAAQF,CAAiB,CAAC,EAC5CV,IACA,QACH,CAEA,MAAM1B,EAAM,OAAOoC,CAAO,EAE1B,GAAIpC,IAAQ,KAAM,CACf,QAASuC,EAAIb,EAAI,EAAGa,EAAIT,EAAO,OAAQS,IAAK,CACzC,MAAMC,EAAIV,EAAOS,CAAC,EAClBF,EAAAA,WAAWG,CAAC,EAAIL,EAAU,KAAK,GAAGG,EAAAA,QAAQE,CAAW,CAAC,EAAIL,EAAU,KAAK,OAAOK,CAAC,CAAC,CACrF,CACA,KACH,CAEA,GAAI,CAACxC,EAAI,WAAW,GAAG,GAAKA,EAAI,OAAS,EAAG,CACzCT,EAAY,KAAKS,CAAG,EACpB0B,IACA,QACH,CAEA,MAAMK,EAASb,EAAYlB,EAAKiB,CAAI,EACpC,IAAIe,EAAON,EAAI,EAEf,UAAWO,KAASF,EAAQ,CACzB,MAAM9C,EAAa,CAChB,KAAMgD,EAAM,KACZ,MAAOA,EAAM,MACb,aAAc,GACd,SAAU,EAAA,EAGVA,EAAM,WACNhD,EAAK,QAAU,QACf+C,EAAOF,EAAO,QACd,CAACO,EAAAA,WAAWP,EAAOE,CAAI,CAAC,IAExB/C,EAAK,MAAQ,OAAO6C,EAAOE,CAAI,CAAC,EAChC/C,EAAK,aAAe,GACpB+C,KAEHlD,EAAM,KAAKG,CAAI,CAClB,CAEAyC,EAAIM,CACP,CAEA,MAAO,CAAE,MAAAlD,EAAO,YAAAS,EAAa,UAAA4C,CAAA,CAChC,CCvEO,SAAUM,EAA6B,CAC3C,MAAAC,CACH,EAAmD,CAChD,UAAW/B,KAAU+B,EAClB,UAAWC,KAAUC,EAAqB,CACvC,MAAMC,EAAgBF,EAAOhC,EAAO,GAAG,EACnCkC,IACD,MAAMA,EAEZ,CAEN,CAEA,SAASC,EACNnC,EACAoC,EACAC,EAAU,OAAOrC,CAAM,EACxB,CACC,MAAMsC,EAAQ,OAAOtC,GAAW,SAAW,IAAI,OAAO,OAAOA,EAAO,aAAa,EAAE,EAAIA,EAEvF,OAAO,SAAwBf,EAAmC,CAC/D,GAAIqD,EAAM,KAAKrD,CAAG,EACf,MAAO,CACJ,SAAAmD,EACA,QAAS,eAAeC,CAAO,sCAAsCD,CAAQ,EAAA,CAGtF,CACH,CAEA,SAASG,EAA6BvC,EAAgBoC,EAAiC,CACpF,MAAME,EAAQ,IAAI,OAAO,OAAOtC,EAAO,YAAA,EAAc,QAAQ,MAAO,SAAU,CAAC,EAAE,EACjF,OAAOmC,EAAqBG,EAAOF,EAAUpC,CAAM,CACtD,CAEA,MAAMiC,EAAsB,CACzBE,EAAqB,QAAS,kBAAkB,EAChDA,EAAqB,eAAgB,oBAAoB,EACzDA,EAAqB,cAAe,mBAAmB,EACvDA,EAAqB,iBAAkB,sBAAsB,EAC7DA,EAAqB,gBAAiB,qBAAqB,EAC3DA,EAAqB,iBAAkB,sBAAsB,EAC7DA,EAAqB,aAAc,kBAAkB,EACrDA,EAAqB,kBAAmB,uBAAuB,EAC/DI,EAA6B,oBAAqB,6BAA6B,EAC/EA,EAA6B,eAAgB,yBAAyB,EACtEJ,EAAqB,gBAAiB,yBAAyB,EAC/DI,EAA6B,gBAAiB,yBAAyB,EACvEA,EAA6B,eAAgB,mBAAmB,EAChEA,EAA6B,gBAAiB,mBAAmB,EACjEA,EAA6B,cAAe,uBAAuB,EACnEJ,EAAqB,mBAAoB,wBAAwB,EACjEI,EAA6B,eAAgB,wBAAwB,EACrEA,EAA6B,iBAAkB,wBAAwB,EACvEA,EAA6B,gBAAiB,wBAAwB,EACtEA,EAA6B,iBAAkB,6BAA6B,EAC5EA,EAA6B,qBAAsB,iBAAiB,EACpEA,EAA6B,oBAAqB,iBAAiB,EACnEJ,EAAqB,kBAAmB,mBAAmB,CAC9D,EC3DO,SAAUK,EACd5C,EACAzB,EACyB,CACzB,UAAWG,KAAQH,EAChB,UAAW6D,KAAUS,EAAoB,CACtC,MAAMP,EAAgBF,EAAOpC,EAAMtB,EAAK,IAAI,EACxC4D,IACD,MAAMA,EAEZ,CAEN,CAEA,SAASQ,EACN9C,EACAtB,EACA8D,EACAvD,EAAO,OAAOP,CAAI,EACnB,CACC,MAAMgE,EAAQ,OAAOhE,GAAS,SAAW,IAAI,OAAO,OAAOA,EAAK,aAAa,EAAE,EAAIA,EAC7E+D,EAAU,UAAUzC,EAAO,GAAGA,CAAI,gBAAkB,EAAE,GAAGf,CAAI,sCAAsCuD,CAAQ,GAEjH,OAAO,SAAqBO,EAA4BC,EAAwC,CAC7F,IAAK,CAAChD,GAAQ+C,IAAgB/C,IAAS0C,EAAM,KAAKM,CAAQ,EACvD,MAAO,CACJ,SAAAR,EACA,QAAAC,CAAA,CAGT,CACH,CAEA,MAAMI,EAAqB,CACxBC,EACG,KACA,0BACA,kBACA,iCAAA,EAEHA,EAAmB,QAAS,SAAU,iBAAiB,EACvDA,EAAmB,QAAS,MAAO,iBAAiB,EACpDA,EAAmB,OAAQ,SAAU,iBAAiB,EACtDA,EAAmB,KAAM,aAAc,wBAAwB,CAClE,ECzCO,SAASG,EACbjD,EACAzB,EACA6B,EACgB,CAChB,MAAO,CAAC,GAAGwC,EAAsB5C,EAAMzB,CAAK,EAAG,GAAG2D,EAA6B9B,CAAM,CAAC,CACzF,CCAO,SAAS8C,KAAa3B,EAAwC,CAClE,KAAM,CAAE,MAAAhD,EAAO,UAAA4E,GAAc7B,EAAiBC,CAAM,EAE9CvB,EAAOmD,EAAY5B,EAAO,OAAS,OAAOA,EAAO4B,CAAS,CAAC,EAAE,YAAA,EAAgB,KAC7EC,EAAapD,IAAS,KAAOuB,EAAO,MAAM4B,EAAY,CAAC,EAAI,CAAA,EAE3D,CAAE,YAAAnE,EAAa,UAAA4C,CAAA,EAAcD,EAAeyB,EAAYpD,EAAMzB,CAAK,EACnE6B,EAASL,EAAoBC,EAAMzB,EAAOS,CAAW,EAE3D,MAAO,CACJ,KAAAgB,EACA,MAAOzB,EAAM,IAAI8E,CAAY,EAC7B,MAAOzB,EACP,OAAAxB,EACA,gBAAiBkD,EAAkBL,EAAsBjD,EAAMzB,EAAO6B,CAAM,CAAC,CAAA,CAEnF,CAEA,SAASkD,EAAkBC,EAAkC,CAC1D,OAAO,OAAO,eAAeA,EAAiB,kBAAmB,CAC9D,MAAOA,CAAA,CACT,CACJ,CAEA,SAASF,EAAa,CAAE,MAAAG,EAAO,KAAAvE,GAA0B,CACtD,OAAOuE,IAAU,OAAY,CAAE,KAAAvE,EAAM,MAAAuE,CAAA,EAAU,CAAE,KAAAvE,CAAA,CACpD,CClCA,MAAMwE,EAAa,CAChB,OAAU,oBACV,YAAe,qBACf,kBAAqB,yBACrB,kBAAqB,yBACrB,iBAAoB,4BACpB,WAAc,yBACd,WAAc,oBACd,cAAiB,yBACjB,kBAAqB,0BACrB,UAAa,mBACb,kBAAqB,sBACrB,iBAAoB,yBACpB,oBAAuB,oBACvB,QAAW,wBACX,gBAAmB,wBACnB,MAAS,mBACT,OAAU,yBACV,YAAe,oBAClB,EAMA,SAAUC,EAAqBC,EAAqC,CACjE,MAAMC,EAAQ,SAASD,EAAI,kBAAoB,IAAK,EAAE,EACtD,QAASE,EAAQ,EAAGA,EAAQD,EAAOC,IAAS,CACzC,MAAMxE,EAAMsE,EAAI,kBAAkBE,CAAK,EAAE,EACnCL,EAAQG,EAAI,oBAAoBE,CAAK,EAAE,EAEzCxE,IAAQ,SACT,KAAM,CAAE,IAAKA,EAAI,YAAA,EAAc,OAAQ,MAAAmE,EAAO,MAAO,KAAA,EAE3D,CACH,CAEA,SAAUM,EAA6BH,EAAuC,CAC3E,UAAWtE,KAAO,OAAO,KAAKsE,CAAG,EAC9B,GAAII,EAAY1E,CAAG,EAAG,CACnB,MAAMmD,EAAWiB,EAAWpE,CAAG,EAC/B,KAAM,CACH,SAAAmD,EACA,QAAS,WAAWnD,EAAI,YAAA,CAAa,uCAAuCmD,CAAQ,EAAA,CAE1F,CAEN,CAEA,SAASuB,EAAY1E,EAA6C,CAC/D,OAAO,OAAO,OAAOoE,EAAYpE,CAAG,CACvC,CAEA,SAAS2E,EAAWL,EAAsC,CACvD,MAAMM,EAAiB,CAAA,EACvB,SAAW,CAAC5E,EAAKmE,CAAK,IAAK,OAAO,QAAQG,CAAG,EAAG,CAC7C,MAAMO,EAAS7E,EAAI,YAAA,EAAc,KAAA,GAC7B0E,EAAYG,CAAM,GAAKA,EAAO,WAAW,KAAK,KAC/CD,EAAOC,CAAM,EAAI,OAAOV,CAAK,EAEnC,CACA,OAAOS,CACV,CAEO,SAASE,EAAS1E,EAA8B,CACpD,MAAMkE,EAAMK,EAAWvE,CAAG,EACpBW,EAA+B,CAClC,KAAM,CAAA,EACN,MAAO,CAAC,GAAGsD,EAAqBC,CAAG,CAAC,CAAA,EAEjCJ,EAAkB,CACrB,GAAGO,EAA6BH,CAAG,EACnC,GAAGV,EAAsB,KAAM,CAAA,EAAI7C,CAAM,CAAA,EAG5C,MAAO,CACJ,OAAAA,EACA,gBAAAmD,CAAA,CAEN,CC5EO,SAASa,GAAmB7C,EAA2BoC,EAA8B,CACzF,MAAO,CAAC,GAAGT,EAAU,GAAG3B,CAAM,EAAE,gBAAiB,GAAG4C,EAASR,CAAG,EAAE,eAAe,CACpF"}