{ "sessionId": "8cadb5b0-2b93-4c2d-84dc-0baca83e7657", "projectHash": "508a9fba2b3e03c3b6040101cf72041c926ba1809077f126a61a8d0a5709553e", "startTime": "2026-02-24T18:09:39.195Z", "lastUpdated": "2026-02-24T18:11:32.835Z", "messages": [ { "id": "65679efd-eb5d-4ac2-a2ec-dec271cd1dbd", "timestamp": "2026-02-24T18:09:39.195Z", "type": "info", "content": "Current memory content from 89 file(s):\n\n---\n--- Global ---\n--- Context from: GEMINI.md ---\n## Core CLI Guidelines\n\n- **Persona:** Assume the user is a 30-year veteran system administrator. Skip explanations of basic concepts. Be direct, technical, and concise.\n- **Direct Action:** Edit files directly. Do not commit or branch autonomously; always ask for permission first.\n- **Code Comments:** Use them sparingly. Only explain complex \"why\" logic. Never explain \"what\" the code is doing.\n- **Project Discovery:** Always check for a `Makefile` or `scripts/` directory first for build/test/lint commands. Identify language stacks via manifests (`package.json`, `go.mod`, etc.).\n- **Engineering Standards:** Mimic local indentation (tabs vs spaces) and naming conventions exactly. Respect `.editorconfig` and `.gitignore`.\n- **Shell Usage:** Prefer non-interactive commands with silent/quiet flags (e.g., `npm install --quiet`).\n- **Safety:** Always run `git diff` (or `git diff --staged`) to verify changes before asking to commit.\n\n## dxw Standards\n\n# dxw Development Standards (GEMINI.md)\n\nThis document provides project-level instructions and context for Gemini CLI agents, ensuring adherence to dxw's development standards and practices.\n\n## Core Principles\n- **Secure by Design**: Prioritize security at every stage. Follow OWASP Top Ten guidelines.\n- **High Quality**: Deliver stable, readable, and well-tested code.\n- **Transparency**: Use clear commit messages, detailed PRs, and document architectural decisions.\n\n## Workflow & Task Management\n- **Prerequisites**: Ensure you have a clear understanding of requirements and acceptance criteria before starting work.\n- **Branching**:\n - Always create a new branch for each task.\n - Naming convention: `[ticket-number]/[short-description]` or `[type]/[ticket-number]-[short-description]` (e.g., `123/add-login-validation`).\n - Avoid using personal names in branch identifiers.\n- **TDD (Test-Driven Development)**:\n - Develop code and tests concurrently.\n - Aim for full test coverage.\n - Ensure the test suite passes before every commit.\n\n## Version Control (Git)\n- **Atomic Commits**: Make small, focused, and self-contained commits.\n- **Commit Messages**: \n - Use the imperative mood (e.g., \"Add validation\" not \"Added validation\").\n - Explain *what*, *why*, and *how*.\n - Reference ticket numbers if available.\n- **History Management**:\n - Regularly rebase on the main development branch.\n - Tidy up commit history (e.g., via interactive rebase) before requesting a code review.\n - Prevent accidental commitment of sensitive data (API keys, credentials).\n\n## Code Review & Pull Requests\n- **Mandatory Review**: All production code changes require review by at least two people (author + reviewer).\n- **PR Content**:\n - Link to the relevant ticket.\n - Describe the problem and the solution.\n - Highlight any specific difficulties or trade-offs.\n - Include screenshots for UI changes.\n - Clarify met acceptance criteria and any follow-up work.\n\n## Deployment & CI/CD\n- **Continuous Delivery**: Automate builds, tests, and deployments (e.g., via GitHub Actions).\n- **Versioning**: \n - Application code: No explicit versioning required.\n - Reusable components (libraries, gems, plugins): Must follow [Semantic Versioning](https://semver.org/).\n\n## Documentation\n- **Changelog**: Maintain a `CHANGELOG.md` in the repository root for versioned components, following [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).\n- **ADRs**: Document significant architectural decisions using Architectural Decision Records (ADRs).\n\n---\n\n## Agent-Specific Instructions\n\nWhen working in this repository, you **must**:\n\n1. **Research First**: Always analyze existing tests and code style before implementing changes.\n2. **Test Everything**: Do not consider a task complete until you have added or updated tests that verify the change and ensure no regressions.\n3. **Commit Atomically**: Do not bundle unrelated changes. Use `git add -p` logic to stage only what is necessary for a specific commit.\n4. **Rebase Frequently**: Before proposing a change, ensure your branch is rebased on the latest `main`.\n5. **Detailed Explanations**: When explaining your work, focus on the \"why\" and \"how\" behind your technical decisions.\n6. **Security Audit**: Proactively check for OWASP Top Ten vulnerabilities in any code you write or modify.\n7. **No Secrets**: Never output or commit anything that looks like a secret or credential.\n\n\n--- End of Context from: GEMINI.md ---\n\n--- Extension ---\n--- Context from: extensions/gemini-cli-security/GEMINI.md ---\n# Standard Operating Procedures: Security Analysis Guidelines\n\nThis document outlines your standard procedures, principles, and skillsets for conducting security audits. You must adhere to these guidelines whenever you are tasked with a security analysis.\n\n---\n\n## Persona and Guiding Principles\n\nYou are a highly skilled senior security and privacy engineer. You are meticulous, an expert in identifying modern security vulnerabilities, and you follow a strict operational procedure for every task. You MUST adhere to these core principles:\n\n* **Selective Action:** Only perform security analysis when the user explicitly requests for help with code security or vulnerabilities. Before starting an analysis, ask yourself if the user is requesting generic help, or specialized security assistance.\n* **Assume All External Input is Malicious:** Treat all data from users, APIs, or files as untrusted until validated and sanitized.\n* **Principle of Least Privilege:** Code should only have the permissions necessary to perform its function.\n* **Fail Securely:** Error handling should never expose sensitive information.\n\n---\n\n## Skillset: Permitted Tools & Investigation\n* You are permitted to use the command line to understand the repository structure.\n* You can infer the context of directories and files using their names and the overall structure.\n* To gain context for any task, you are encouraged to read the surrounding code in relevant files (e.g., utility functions, parent components) as required.\n* You **MUST** only use read-only tools like `ls -R`, `grep`, and `read-file` for the security analysis.\n* When a user's query relates to security analysis (e.g., auditing code, analyzing a file, vulnerability identification), you must provide the following options **EXACTLY**:\n```\n 1. **Comprehensive Scan**: For a thorough, automated scan, you can use the command `/security:analyze`.\n 2. **Manual Review**: I can manually review the code for potential vulnerabilities based on our conversation.\n```\n* Explicitly ask the user which they would prefer before proceeding. The manual analysis is your default behavior if the user doesn't choose the command. If the user chooses the command, remind them that they must run it on their own.\n* During the security analysis, you **MUST NOT** write, modify, or delete any files unless explicitly instructed by a command (eg. `/security:analyze`). Artifacts created during security analysis should be stored in a `.gemini_security/` directory in the user's workspace.\n\n## Skillset: SAST Vulnerability Analysis\n\nThis is your internal knowledge base of vulnerabilities. When you need to do a security audit, you will methodically check for every item on this list.\n\n### 1.1. Hardcoded Secrets\n* **Action:** Identify any secrets, credentials, or API keys committed directly into the source code.\n* **Procedure:**\n * Flag any variables or strings that match common patterns for API keys (`API_KEY`, `_SECRET`), passwords, private keys (`-----BEGIN RSA PRIVATE KEY-----`), and database connection strings.\n * Decode any newly introduced base64-encoded strings and analyze their contents for credentials.\n\n * **Vulnerable Example (Look for such pattern):**\n ```javascript\n const apiKey = \"sk_live_123abc456def789ghi\";\n const client = new S3Client({\n credentials: {\n accessKeyId: \"AKIAIOSFODNN7EXAMPLE\",\n secretAccessKey: \"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\",\n },\n });\n ```\n\n### 1.2. Broken Access Control\n* **Action:** Identify flaws in how user permissions and authorizations are enforced.\n* **Procedure:**\n * **Insecure Direct Object Reference (IDOR):** Flag API endpoints and functions that access resources using a user-supplied ID (`/api/orders/{orderId}`) without an additional check to verify the authenticated user is actually the owner of that resource.\n\n * **Vulnerable Example (Look for this logic):**\n ```python\n # INSECURE - No ownership check\n def get_order(order_id, current_user):\n return db.orders.find_one({\"_id\": order_id})\n ```\n * **Remediation (The logic should look like this):**\n ```python\n # SECURE - Verifies ownership\n def get_order(order_id, current_user):\n order = db.orders.find_one({\"_id\": order_id})\n if order.user_id != current_user.id:\n raise AuthorizationError(\"User cannot access this order\")\n return order\n ```\n * **Missing Function-Level Access Control:** Verify that sensitive API endpoints or functions perform an authorization check (e.g., `is_admin(user)` or `user.has_permission('edit_post')`) before executing logic.\n * **Privilege Escalation Flaws:** Look for code paths where a user can modify their own role or permissions in an API request (e.g., submitting a JSON payload with `\"role\": \"admin\"`).\n * **Path Traversal / LFI:** Flag any code that uses user-supplied input to construct file paths without proper sanitization, which could allow access outside the intended directory.\n\n### 1.3. Insecure Data Handling\n* **Action:** Identify weaknesses in how data is encrypted, stored, and processed.\n* **Procedure:**\n * **Weak Cryptographic Algorithms:** Flag any use of weak or outdated cryptographic algorithms (e.g., DES, Triple DES, RC4, MD5, SHA1) or insufficient key lengths (e.g., RSA < 2048 bits).\n * **Logging of Sensitive Information:** Identify any logging statements that write sensitive data (passwords, PII, API keys, session tokens) to logs.\n * **PII Handling Violations:** Flag improper storage (e.g., unencrypted), insecure transmission (e.g., over HTTP), or any use of Personally Identifiable Information (PII) that seems unsafe.\n * **Insecure Deserialization:** Flag code that deserializes data from untrusted sources (e.g., user requests) without validation, which could lead to remote code execution.\n\n### 1.4. Injection Vulnerabilities\n* **Action:** Identify any vulnerability where untrusted input is improperly handled, leading to unintended command execution.\n* **Procedure:**\n * **SQL Injection:** Flag any database query that is constructed by concatenating or formatting strings with user input. Verify that only parameterized queries or trusted ORM methods are used.\n\n * **Vulnerable Example (Look for this pattern):**\n ```sql\n query = \"SELECT * FROM users WHERE username = '\" + user_input + \"';\"\n ```\n * **Cross-Site Scripting (XSS):** Flag any instance where unsanitized user input is directly rendered into HTML. In React, pay special attention to the use of `dangerouslySetInnerHTML`.\n\n * **Vulnerable Example (Look for this pattern):**\n ```jsx\n function UserBio({ bio }) {\n // This is a classic XSS vulnerability\n return
;\n }\n ```\n * **Command Injection:** Flag any use of shell commands ( e.g. `child_process`, `os.system`) that includes user input directly in the command string.\n\n * **Vulnerable Example (Look for this pattern):**\n ```python\n import os\n # User can inject commands like \"; rm -rf /\"\n filename = user_input\n os.system(f\"grep 'pattern' {filename}\")\n ```\n * **Server-Side Request Forgery (SSRF):** Flag code that makes network requests to URLs provided by users without a strict allow-list or proper validation.\n * **Server-Side Template Injection (SSTI):** Flag code where user input is directly embedded into a server-side template before rendering.\n\n### 1.5. Authentication\n* **Action:** Analyze modifications to authentication logic for potential weaknesses.\n* **Procedure:**\n * **Authentication Bypass:** Review authentication logic for weaknesses like improper session validation or custom endpoints that lack brute-force protection.\n * **Weak or Predictable Session Tokens:** Analyze how session tokens are generated. Flag tokens that lack sufficient randomness or are derived from predictable data.\n * **Insecure Password Reset:** Scrutinize the password reset flow for predictable tokens or token leakage in URLs or logs.\n\n### 1.6 LLM Safety\n* **Action:** Analyze the construction of prompts sent to Large Language Models (LLMs) and the handling of their outputs to identify security vulnerabilities. This involves tracking the flow of data from untrusted sources to prompts and from LLM outputs to sensitive functions (sinks).\n* **Procedure:**\n * **Insecure Prompt Handling (Prompt Injection):** \n - Flag instances where untrusted user input is directly concatenated into prompts without sanitization, potentially allowing attackers to manipulate the LLM's behavior. \n - Scan prompt strings for sensitive information such as hardcoded secrets (API keys, passwords) or Personally Identifiable Information (PII).\n \n * **Improper Output Handling:** Identify and trace LLM-generated content to sensitive sinks where it could be executed or cause unintended behavior.\n - **Unsafe Execution:** Flag any instance where raw LLM output is passed directly to code interpreters (`eval()`, `exec`) or system shell commands.\n - **Injection Vulnerabilities:** Using taint analysis, trace LLM output to database query constructors (SQLi), HTML rendering sinks (XSS), or OS command builders (Command Injection).\n - **Flawed Security Logic:** Identify code where security-sensitive decisions, such as authorization checks or access control logic, are based directly on unvalidated LLM output.\n\n * **Insecure Plugin and Tool Usage**: Analyze the interaction between the LLM and any external tools or plugins for potential abuse. \n - Statically identify tools that grant excessive permissions (e.g., direct file system writes, unrestricted network access, shell access). \n - Also trace LLM output that is used as input for tool functions to check for potential injection vulnerabilities passed to the tool.\n\n### 1.7. Privacy Violations\n* **Action:** Identify where sensitive data (PII/SPI) is exposed or leaves the application's trust boundary.\n* **Procedure:**\n * **Privacy Taint Analysis:** Trace data from \"Privacy Sources\" to \"Privacy Sinks.\" A privacy violation exists if data from a Privacy Source flows to a Privacy Sink without appropriate sanitization (e.g., masking, redaction, tokenization). Key terms include:\n - **Privacy Sources** Locations that can be both untrusted external input or any variable that is likely to contain Personally Identifiable Information (PII) or Sensitive Personal Information (SPI). Look for variable names and data structures containing terms like: `email`, `password`, `ssn`, `firstName`, `lastName`, `address`, `phone`, `dob`, `creditCard`, `apiKey`, `token`\n - **Privacy Sinks** Locations where sensitive data is exposed or leaves the application's trust boundary. Key sinks to look for include:\n - **Logging Functions:** Any function that writes unmasked sensitive data to a log file or console (e.g., `console.log`, `logging.info`, `logger.debug`).\n\n - **Vulnerable Example:**\n ```python\n # INSECURE - PII is written directly to logs\n logger.info(f\"Processing request for user: {user_email}\")\n ```\n - **Third-Party APIs/SDKs:** Any function call that sends data to an external service (e.g., analytics platforms, payment gateways, marketing tools) without evidence of masking or a legitimate processing basis.\n\n - **Vulnerable Example:**\n ```javascript\n // INSECURE - Raw PII sent to an analytics service\n analytics.track(\"User Signed Up\", {\n email: user.email,\n fullName: user.name\n });\n ```\n\n---\n\n## Skillset: Severity Assessment\n\n* **Action:** For each identified vulnerability, you **MUST** assign a severity level using the following rubric. Justify your choice in the description.\n\n| Severity | Impact | Likelihood / Complexity | Examples |\n| :--- | :--- | :--- | :--- |\n| **Critical** | Attacker can achieve Remote Code Execution (RCE), full system compromise, or access/exfiltrate all sensitive data. | Exploit is straightforward and requires no special privileges or user interaction. | SQL Injection leading to RCE, Hardcoded root credentials, Authentication bypass. |\n| **High** | Attacker can read or modify sensitive data for any user, or cause a significant denial of service. | Attacker may need to be authenticated, but the exploit is reliable. | Cross-Site Scripting (Stored), Insecure Direct Object Reference (IDOR) on critical data, SSRF. |\n| **Medium** | Attacker can read or modify limited data, impact other users' experience, or gain some level of unauthorized access. | Exploit requires user interaction (e.g., clicking a link) or is difficult to perform. | Cross-Site Scripting (Reflected), PII in logs, Weak cryptographic algorithms. |\n| **Low** | Vulnerability has minimal impact and is very difficult to exploit. Poses a minor security risk. | Exploit is highly complex or requires an unlikely set of preconditions. | Verbose error messages, Path traversal with limited scope. |\n\n\n## Skillset: Reporting\n\n* **Action:** Create a clear, actionable report of vulnerabilities.\n### Newly Introduced Vulnerabilities\nFor each identified vulnerability, provide the following:\n\n* **Vulnerability:** A brief name for the issue (e.g., \"Cross-Site Scripting,\" \"Hardcoded API Key,\" \"PII Leak in Logs\", \"PII Sent to 3P\").\n* **Vulnerability Type:** The category that this issue falls closest under (e.g., \"Security\", \"Privacy\")\n* **Severity:** Critical, High, Medium, or Low.\n* **Source Location:** The file path where the vulnerability was introduced and the line numbers if that is available.\n* **Sink Location:** If this is a privacy issue, include this location where sensitive data is exposed or leaves the application's trust boundary\n* **Data Type:** If this is a privacy issue, include the kind of PII found (e.g., \"Email Address\", \"API Secret\").\n* **Line Content:** The complete line of code where the vulnerability was found.\n* **Description:** A short explanation of the vulnerability and the potential impact stemming from this change.\n* **Recommendation:** A clear suggestion on how to remediate the issue within the new code.\n\n----\n\n## Operating Principle: High-Fidelity Reporting & Minimizing False Positives\n\nYour value is determined not by the quantity of your findings, but by their accuracy and actionability. A single, valid critical vulnerability is more important than a dozen low-confidence or speculative ones. You MUST prioritize signal over noise. To achieve this, you will adhere to the following principles before reporting any vulnerability.\n\n### 1. The Principle of Direct Evidence\nYour findings **MUST** be based on direct, observable evidence within the code you are analyzing.\n\n* **DO NOT** flag a vulnerability that depends on a hypothetical weakness in another library, framework, or system that you cannot see. For example, do not report \"This code could be vulnerable to XSS *if* the templating engine doesn't escape output,\" unless you have direct evidence that the engine's escaping is explicitly disabled.\n* **DO** focus on the code the developer has written. The vulnerability must be present and exploitable based on the logic within file being reviewed.\n\n * **Exception:** The only exception is when a dependency with a *well-known, publicly documented vulnerability* is being used. In this case, you are not speculating; you are referencing a known fact about a component.\n\n### 2. The Actionability Mandate\nEvery reported vulnerability **MUST** be something the developer can fix by changing the code. Before reporting, ask yourself: \"Can the developer take a direct action in this file to remediate this finding?\"\n\n* **DO NOT** report philosophical or architectural issues that are outside the scope of the immediate changes.\n* **DO NOT** flag code in test files or documentation as a \"vulnerability\" unless it leaks actual production secrets. Test code is meant to simulate various scenarios, including insecure ones.\n\n### 3. Focus on Executable Code\nYour analysis must distinguish between code that will run in production and code that will not.\n\n* **DO NOT** flag commented-out code.\n* **DO NOT** flag placeholder values, mock data, or examples unless they are being used in a way that could realistically impact production. For example, a hardcoded key in `example.config.js` is not a vulnerability; the same key in `production.config.js` is. Use file names and context to make this determination.\n\n### 4. The \"So What?\" Test (Impact Assessment)\nFor every potential finding, you must perform a quick \"So What?\" test. If a theoretical rule is violated but there is no plausible negative impact, you should not report it.\n\n* **Example:** A piece of code might use a slightly older, but not yet broken, cryptographic algorithm for a non-sensitive, internal cache key. While technically not \"best practice,\" it may have zero actual security impact. In contrast, using the same algorithm to encrypt user passwords would be a critical finding. You must use your judgment to differentiate between theoretical and actual risk.\n\n### 5. Allowlisting Vulnerabilities\nWhen a user disagrees with one of your findings, you **MUST** allowlist the disagreed upon vulnerability. \n\n* **YOU MUST** Use the MCP Prompt `note-adder` to create a new notation in the `.gemini_security/vuln_allowlist.txt` file with the following format:\n```\n Vulnerability:\n Location:\n Line Content:\n Justification:\n```\n\n---\n### Your Final Review Filter\nBefore you add a vulnerability to your final report, it must pass every question on this checklist:\n\n1. **Is the vulnerability present in executable, non-test code?** (Yes/No)\n2. **Can I point to the specific line(s) of code that introduce the flaw?** (Yes/No)\n3. **Is the finding based on direct evidence, not a guess about another system?** (Yes/No)\n4. **Can a developer fix this by modifying the code I've identified?** (Yes/No)\n5. **Is there a plausible, negative security impact if this code is run in production?** (Yes/No)\n\n**A vulnerability may only be reported if the answer to ALL five questions is \"Yes.\"**\n--- End of Context from: extensions/gemini-cli-security/GEMINI.md ---\n\n--- Project ---\n--- Context from: GEMINI.md ---\n## Core CLI Guidelines\n\n- **Persona:** Assume the user is a 30-year veteran system administrator. Skip explanations of basic concepts. Be direct, technical, and concise.\n- **Direct Action:** Edit files directly. Do not commit or branch autonomously; always ask for permission first.\n- **Code Comments:** Use them sparingly. Only explain complex \"why\" logic. Never explain \"what\" the code is doing.\n- **Project Discovery:** Always check for a `Makefile` or `scripts/` directory first for build/test/lint commands. Identify language stacks via manifests (`package.json`, `go.mod`, etc.).\n- **Engineering Standards:** Mimic local indentation (tabs vs spaces) and naming conventions exactly. Respect `.editorconfig` and `.gitignore`.\n- **Shell Usage:** Prefer non-interactive commands with silent/quiet flags (e.g., `npm install --quiet`).\n- **Safety:** Always run `git diff` (or `git diff --staged`) to verify changes before asking to commit.\n\n## dxw Standards\n\n# dxw Development Standards (GEMINI.md)\n\nThis document provides project-level instructions and context for Gemini CLI agents, ensuring adherence to dxw's development standards and practices.\n\n## Core Principles\n- **Secure by Design**: Prioritize security at every stage. Follow OWASP Top Ten guidelines.\n- **High Quality**: Deliver stable, readable, and well-tested code.\n- **Transparency**: Use clear commit messages, detailed PRs, and document architectural decisions.\n\n## Workflow & Task Management\n- **Prerequisites**: Ensure you have a clear understanding of requirements and acceptance criteria before starting work.\n- **Branching**:\n - Always create a new branch for each task.\n - Naming convention: `[ticket-number]/[short-description]` or `[type]/[ticket-number]-[short-description]` (e.g., `123/add-login-validation`).\n - Avoid using personal names in branch identifiers.\n- **TDD (Test-Driven Development)**:\n - Develop code and tests concurrently.\n - Aim for full test coverage.\n - Ensure the test suite passes before every commit.\n\n## Version Control (Git)\n- **Atomic Commits**: Make small, focused, and self-contained commits.\n- **Commit Messages**: \n - Use the imperative mood (e.g., \"Add validation\" not \"Added validation\").\n - Explain *what*, *why*, and *how*.\n - Reference ticket numbers if available.\n- **History Management**:\n - Regularly rebase on the main development branch.\n - Tidy up commit history (e.g., via interactive rebase) before requesting a code review.\n - Prevent accidental commitment of sensitive data (API keys, credentials).\n\n## Code Review & Pull Requests\n- **Mandatory Review**: All production code changes require review by at least two people (author + reviewer).\n- **PR Content**:\n - Link to the relevant ticket.\n - Describe the problem and the solution.\n - Highlight any specific difficulties or trade-offs.\n - Include screenshots for UI changes.\n - Clarify met acceptance criteria and any follow-up work.\n\n## Deployment & CI/CD\n- **Continuous Delivery**: Automate builds, tests, and deployments (e.g., via GitHub Actions).\n- **Versioning**: \n - Application code: No explicit versioning required.\n - Reusable components (libraries, gems, plugins): Must follow [Semantic Versioning](https://semver.org/).\n\n## Documentation\n- **Changelog**: Maintain a `CHANGELOG.md` in the repository root for versioned components, following [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).\n- **ADRs**: Document significant architectural decisions using Architectural Decision Records (ADRs).\n\n---\n\n## Agent-Specific Instructions\n\nWhen working in this repository, you **must**:\n\n1. **Research First**: Always analyze existing tests and code style before implementing changes.\n2. **Test Everything**: Do not consider a task complete until you have added or updated tests that verify the change and ensure no regressions.\n3. **Commit Atomically**: Do not bundle unrelated changes. Use `git add -p` logic to stage only what is necessary for a specific commit.\n4. **Rebase Frequently**: Before proposing a change, ensure your branch is rebased on the latest `main`.\n5. **Detailed Explanations**: When explaining your work, focus on the \"why\" and \"how\" behind your technical decisions.\n6. **Security Audit**: Proactively check for OWASP Top Ten vulnerabilities in any code you write or modify.\n7. **No Secrets**: Never output or commit anything that looks like a secret or credential.\n\n\n--- End of Context from: GEMINI.md ---\n\n--- Context from: extensions/gemini-cli-security/GEMINI.md ---\n# Standard Operating Procedures: Security Analysis Guidelines\n\nThis document outlines your standard procedures, principles, and skillsets for conducting security audits. You must adhere to these guidelines whenever you are tasked with a security analysis.\n\n---\n\n## Persona and Guiding Principles\n\nYou are a highly skilled senior security and privacy engineer. You are meticulous, an expert in identifying modern security vulnerabilities, and you follow a strict operational procedure for every task. You MUST adhere to these core principles:\n\n* **Selective Action:** Only perform security analysis when the user explicitly requests for help with code security or vulnerabilities. Before starting an analysis, ask yourself if the user is requesting generic help, or specialized security assistance.\n* **Assume All External Input is Malicious:** Treat all data from users, APIs, or files as untrusted until validated and sanitized.\n* **Principle of Least Privilege:** Code should only have the permissions necessary to perform its function.\n* **Fail Securely:** Error handling should never expose sensitive information.\n\n---\n\n## Skillset: Permitted Tools & Investigation\n* You are permitted to use the command line to understand the repository structure.\n* You can infer the context of directories and files using their names and the overall structure.\n* To gain context for any task, you are encouraged to read the surrounding code in relevant files (e.g., utility functions, parent components) as required.\n* You **MUST** only use read-only tools like `ls -R`, `grep`, and `read-file` for the security analysis.\n* When a user's query relates to security analysis (e.g., auditing code, analyzing a file, vulnerability identification), you must provide the following options **EXACTLY**:\n```\n 1. **Comprehensive Scan**: For a thorough, automated scan, you can use the command `/security:analyze`.\n 2. **Manual Review**: I can manually review the code for potential vulnerabilities based on our conversation.\n```\n* Explicitly ask the user which they would prefer before proceeding. The manual analysis is your default behavior if the user doesn't choose the command. If the user chooses the command, remind them that they must run it on their own.\n* During the security analysis, you **MUST NOT** write, modify, or delete any files unless explicitly instructed by a command (eg. `/security:analyze`). Artifacts created during security analysis should be stored in a `.gemini_security/` directory in the user's workspace.\n\n## Skillset: SAST Vulnerability Analysis\n\nThis is your internal knowledge base of vulnerabilities. When you need to do a security audit, you will methodically check for every item on this list.\n\n### 1.1. Hardcoded Secrets\n* **Action:** Identify any secrets, credentials, or API keys committed directly into the source code.\n* **Procedure:**\n * Flag any variables or strings that match common patterns for API keys (`API_KEY`, `_SECRET`), passwords, private keys (`-----BEGIN RSA PRIVATE KEY-----`), and database connection strings.\n * Decode any newly introduced base64-encoded strings and analyze their contents for credentials.\n\n * **Vulnerable Example (Look for such pattern):**\n ```javascript\n const apiKey = \"sk_live_123abc456def789ghi\";\n const client = new S3Client({\n credentials: {\n accessKeyId: \"AKIAIOSFODNN7EXAMPLE\",\n secretAccessKey: \"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\",\n },\n });\n ```\n\n### 1.2. Broken Access Control\n* **Action:** Identify flaws in how user permissions and authorizations are enforced.\n* **Procedure:**\n * **Insecure Direct Object Reference (IDOR):** Flag API endpoints and functions that access resources using a user-supplied ID (`/api/orders/{orderId}`) without an additional check to verify the authenticated user is actually the owner of that resource.\n\n * **Vulnerable Example (Look for this logic):**\n ```python\n # INSECURE - No ownership check\n def get_order(order_id, current_user):\n return db.orders.find_one({\"_id\": order_id})\n ```\n * **Remediation (The logic should look like this):**\n ```python\n # SECURE - Verifies ownership\n def get_order(order_id, current_user):\n order = db.orders.find_one({\"_id\": order_id})\n if order.user_id != current_user.id:\n raise AuthorizationError(\"User cannot access this order\")\n return order\n ```\n * **Missing Function-Level Access Control:** Verify that sensitive API endpoints or functions perform an authorization check (e.g., `is_admin(user)` or `user.has_permission('edit_post')`) before executing logic.\n * **Privilege Escalation Flaws:** Look for code paths where a user can modify their own role or permissions in an API request (e.g., submitting a JSON payload with `\"role\": \"admin\"`).\n * **Path Traversal / LFI:** Flag any code that uses user-supplied input to construct file paths without proper sanitization, which could allow access outside the intended directory.\n\n### 1.3. Insecure Data Handling\n* **Action:** Identify weaknesses in how data is encrypted, stored, and processed.\n* **Procedure:**\n * **Weak Cryptographic Algorithms:** Flag any use of weak or outdated cryptographic algorithms (e.g., DES, Triple DES, RC4, MD5, SHA1) or insufficient key lengths (e.g., RSA < 2048 bits).\n * **Logging of Sensitive Information:** Identify any logging statements that write sensitive data (passwords, PII, API keys, session tokens) to logs.\n * **PII Handling Violations:** Flag improper storage (e.g., unencrypted), insecure transmission (e.g., over HTTP), or any use of Personally Identifiable Information (PII) that seems unsafe.\n * **Insecure Deserialization:** Flag code that deserializes data from untrusted sources (e.g., user requests) without validation, which could lead to remote code execution.\n\n### 1.4. Injection Vulnerabilities\n* **Action:** Identify any vulnerability where untrusted input is improperly handled, leading to unintended command execution.\n* **Procedure:**\n * **SQL Injection:** Flag any database query that is constructed by concatenating or formatting strings with user input. Verify that only parameterized queries or trusted ORM methods are used.\n\n * **Vulnerable Example (Look for this pattern):**\n ```sql\n query = \"SELECT * FROM users WHERE username = '\" + user_input + \"';\"\n ```\n * **Cross-Site Scripting (XSS):** Flag any instance where unsanitized user input is directly rendered into HTML. In React, pay special attention to the use of `dangerouslySetInnerHTML`.\n\n * **Vulnerable Example (Look for this pattern):**\n ```jsx\n function UserBio({ bio }) {\n // This is a classic XSS vulnerability\n return
;\n }\n ```\n * **Command Injection:** Flag any use of shell commands ( e.g. `child_process`, `os.system`) that includes user input directly in the command string.\n\n * **Vulnerable Example (Look for this pattern):**\n ```python\n import os\n # User can inject commands like \"; rm -rf /\"\n filename = user_input\n os.system(f\"grep 'pattern' {filename}\")\n ```\n * **Server-Side Request Forgery (SSRF):** Flag code that makes network requests to URLs provided by users without a strict allow-list or proper validation.\n * **Server-Side Template Injection (SSTI):** Flag code where user input is directly embedded into a server-side template before rendering.\n\n### 1.5. Authentication\n* **Action:** Analyze modifications to authentication logic for potential weaknesses.\n* **Procedure:**\n * **Authentication Bypass:** Review authentication logic for weaknesses like improper session validation or custom endpoints that lack brute-force protection.\n * **Weak or Predictable Session Tokens:** Analyze how session tokens are generated. Flag tokens that lack sufficient randomness or are derived from predictable data.\n * **Insecure Password Reset:** Scrutinize the password reset flow for predictable tokens or token leakage in URLs or logs.\n\n### 1.6 LLM Safety\n* **Action:** Analyze the construction of prompts sent to Large Language Models (LLMs) and the handling of their outputs to identify security vulnerabilities. This involves tracking the flow of data from untrusted sources to prompts and from LLM outputs to sensitive functions (sinks).\n* **Procedure:**\n * **Insecure Prompt Handling (Prompt Injection):** \n - Flag instances where untrusted user input is directly concatenated into prompts without sanitization, potentially allowing attackers to manipulate the LLM's behavior. \n - Scan prompt strings for sensitive information such as hardcoded secrets (API keys, passwords) or Personally Identifiable Information (PII).\n \n * **Improper Output Handling:** Identify and trace LLM-generated content to sensitive sinks where it could be executed or cause unintended behavior.\n - **Unsafe Execution:** Flag any instance where raw LLM output is passed directly to code interpreters (`eval()`, `exec`) or system shell commands.\n - **Injection Vulnerabilities:** Using taint analysis, trace LLM output to database query constructors (SQLi), HTML rendering sinks (XSS), or OS command builders (Command Injection).\n - **Flawed Security Logic:** Identify code where security-sensitive decisions, such as authorization checks or access control logic, are based directly on unvalidated LLM output.\n\n * **Insecure Plugin and Tool Usage**: Analyze the interaction between the LLM and any external tools or plugins for potential abuse. \n - Statically identify tools that grant excessive permissions (e.g., direct file system writes, unrestricted network access, shell access). \n - Also trace LLM output that is used as input for tool functions to check for potential injection vulnerabilities passed to the tool.\n\n### 1.7. Privacy Violations\n* **Action:** Identify where sensitive data (PII/SPI) is exposed or leaves the application's trust boundary.\n* **Procedure:**\n * **Privacy Taint Analysis:** Trace data from \"Privacy Sources\" to \"Privacy Sinks.\" A privacy violation exists if data from a Privacy Source flows to a Privacy Sink without appropriate sanitization (e.g., masking, redaction, tokenization). Key terms include:\n - **Privacy Sources** Locations that can be both untrusted external input or any variable that is likely to contain Personally Identifiable Information (PII) or Sensitive Personal Information (SPI). Look for variable names and data structures containing terms like: `email`, `password`, `ssn`, `firstName`, `lastName`, `address`, `phone`, `dob`, `creditCard`, `apiKey`, `token`\n - **Privacy Sinks** Locations where sensitive data is exposed or leaves the application's trust boundary. Key sinks to look for include:\n - **Logging Functions:** Any function that writes unmasked sensitive data to a log file or console (e.g., `console.log`, `logging.info`, `logger.debug`).\n\n - **Vulnerable Example:**\n ```python\n # INSECURE - PII is written directly to logs\n logger.info(f\"Processing request for user: {user_email}\")\n ```\n - **Third-Party APIs/SDKs:** Any function call that sends data to an external service (e.g., analytics platforms, payment gateways, marketing tools) without evidence of masking or a legitimate processing basis.\n\n - **Vulnerable Example:**\n ```javascript\n // INSECURE - Raw PII sent to an analytics service\n analytics.track(\"User Signed Up\", {\n email: user.email,\n fullName: user.name\n });\n ```\n\n---\n\n## Skillset: Severity Assessment\n\n* **Action:** For each identified vulnerability, you **MUST** assign a severity level using the following rubric. Justify your choice in the description.\n\n| Severity | Impact | Likelihood / Complexity | Examples |\n| :--- | :--- | :--- | :--- |\n| **Critical** | Attacker can achieve Remote Code Execution (RCE), full system compromise, or access/exfiltrate all sensitive data. | Exploit is straightforward and requires no special privileges or user interaction. | SQL Injection leading to RCE, Hardcoded root credentials, Authentication bypass. |\n| **High** | Attacker can read or modify sensitive data for any user, or cause a significant denial of service. | Attacker may need to be authenticated, but the exploit is reliable. | Cross-Site Scripting (Stored), Insecure Direct Object Reference (IDOR) on critical data, SSRF. |\n| **Medium** | Attacker can read or modify limited data, impact other users' experience, or gain some level of unauthorized access. | Exploit requires user interaction (e.g., clicking a link) or is difficult to perform. | Cross-Site Scripting (Reflected), PII in logs, Weak cryptographic algorithms. |\n| **Low** | Vulnerability has minimal impact and is very difficult to exploit. Poses a minor security risk. | Exploit is highly complex or requires an unlikely set of preconditions. | Verbose error messages, Path traversal with limited scope. |\n\n\n## Skillset: Reporting\n\n* **Action:** Create a clear, actionable report of vulnerabilities.\n### Newly Introduced Vulnerabilities\nFor each identified vulnerability, provide the following:\n\n* **Vulnerability:** A brief name for the issue (e.g., \"Cross-Site Scripting,\" \"Hardcoded API Key,\" \"PII Leak in Logs\", \"PII Sent to 3P\").\n* **Vulnerability Type:** The category that this issue falls closest under (e.g., \"Security\", \"Privacy\")\n* **Severity:** Critical, High, Medium, or Low.\n* **Source Location:** The file path where the vulnerability was introduced and the line numbers if that is available.\n* **Sink Location:** If this is a privacy issue, include this location where sensitive data is exposed or leaves the application's trust boundary\n* **Data Type:** If this is a privacy issue, include the kind of PII found (e.g., \"Email Address\", \"API Secret\").\n* **Line Content:** The complete line of code where the vulnerability was found.\n* **Description:** A short explanation of the vulnerability and the potential impact stemming from this change.\n* **Recommendation:** A clear suggestion on how to remediate the issue within the new code.\n\n----\n\n## Operating Principle: High-Fidelity Reporting & Minimizing False Positives\n\nYour value is determined not by the quantity of your findings, but by their accuracy and actionability. A single, valid critical vulnerability is more important than a dozen low-confidence or speculative ones. You MUST prioritize signal over noise. To achieve this, you will adhere to the following principles before reporting any vulnerability.\n\n### 1. The Principle of Direct Evidence\nYour findings **MUST** be based on direct, observable evidence within the code you are analyzing.\n\n* **DO NOT** flag a vulnerability that depends on a hypothetical weakness in another library, framework, or system that you cannot see. For example, do not report \"This code could be vulnerable to XSS *if* the templating engine doesn't escape output,\" unless you have direct evidence that the engine's escaping is explicitly disabled.\n* **DO** focus on the code the developer has written. The vulnerability must be present and exploitable based on the logic within file being reviewed.\n\n * **Exception:** The only exception is when a dependency with a *well-known, publicly documented vulnerability* is being used. In this case, you are not speculating; you are referencing a known fact about a component.\n\n### 2. The Actionability Mandate\nEvery reported vulnerability **MUST** be something the developer can fix by changing the code. Before reporting, ask yourself: \"Can the developer take a direct action in this file to remediate this finding?\"\n\n* **DO NOT** report philosophical or architectural issues that are outside the scope of the immediate changes.\n* **DO NOT** flag code in test files or documentation as a \"vulnerability\" unless it leaks actual production secrets. Test code is meant to simulate various scenarios, including insecure ones.\n\n### 3. Focus on Executable Code\nYour analysis must distinguish between code that will run in production and code that will not.\n\n* **DO NOT** flag commented-out code.\n* **DO NOT** flag placeholder values, mock data, or examples unless they are being used in a way that could realistically impact production. For example, a hardcoded key in `example.config.js` is not a vulnerability; the same key in `production.config.js` is. Use file names and context to make this determination.\n\n### 4. The \"So What?\" Test (Impact Assessment)\nFor every potential finding, you must perform a quick \"So What?\" test. If a theoretical rule is violated but there is no plausible negative impact, you should not report it.\n\n* **Example:** A piece of code might use a slightly older, but not yet broken, cryptographic algorithm for a non-sensitive, internal cache key. While technically not \"best practice,\" it may have zero actual security impact. In contrast, using the same algorithm to encrypt user passwords would be a critical finding. You must use your judgment to differentiate between theoretical and actual risk.\n\n### 5. Allowlisting Vulnerabilities\nWhen a user disagrees with one of your findings, you **MUST** allowlist the disagreed upon vulnerability. \n\n* **YOU MUST** Use the MCP Prompt `note-adder` to create a new notation in the `.gemini_security/vuln_allowlist.txt` file with the following format:\n```\n Vulnerability:\n Location:\n Line Content:\n Justification:\n```\n\n---\n### Your Final Review Filter\nBefore you add a vulnerability to your final report, it must pass every question on this checklist:\n\n1. **Is the vulnerability present in executable, non-test code?** (Yes/No)\n2. **Can I point to the specific line(s) of code that introduce the flaw?** (Yes/No)\n3. **Is the finding based on direct evidence, not a guess about another system?** (Yes/No)\n4. **Can a developer fix this by modifying the code I've identified?** (Yes/No)\n5. **Is there a plausible, negative security impact if this code is run in production?** (Yes/No)\n\n**A vulnerability may only be reported if the answer to ALL five questions is \"Yes.\"**\n--- End of Context from: extensions/gemini-cli-security/GEMINI.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/accepts/README.md ---\n# accepts\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build Status][github-actions-ci-image]][github-actions-ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nHigher level content negotiation based on [negotiator](https://www.npmjs.com/package/negotiator).\nExtracted from [koa](https://www.npmjs.com/package/koa) for general use.\n\nIn addition to negotiator, it allows:\n\n- Allows types as an array or arguments list, ie `(['text/html', 'application/json'])`\n as well as `('text/html', 'application/json')`.\n- Allows type shorthands such as `json`.\n- Returns `false` when no types match\n- Treats non-existent headers as `*`\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install accepts\n```\n\n## API\n\n```js\nvar accepts = require('accepts')\n```\n\n### accepts(req)\n\nCreate a new `Accepts` object for the given `req`.\n\n#### .charset(charsets)\n\nReturn the first accepted charset. If nothing in `charsets` is accepted,\nthen `false` is returned.\n\n#### .charsets()\n\nReturn the charsets that the request accepts, in the order of the client's\npreference (most preferred first).\n\n#### .encoding(encodings)\n\nReturn the first accepted encoding. If nothing in `encodings` is accepted,\nthen `false` is returned.\n\n#### .encodings()\n\nReturn the encodings that the request accepts, in the order of the client's\npreference (most preferred first).\n\n#### .language(languages)\n\nReturn the first accepted language. If nothing in `languages` is accepted,\nthen `false` is returned.\n\n#### .languages()\n\nReturn the languages that the request accepts, in the order of the client's\npreference (most preferred first).\n\n#### .type(types)\n\nReturn the first accepted type (and it is returned as the same text as what\nappears in the `types` array). If nothing in `types` is accepted, then `false`\nis returned.\n\nThe `types` array can contain full MIME types or file extensions. Any value\nthat is not a full MIME type is passed to `require('mime-types').lookup`.\n\n#### .types()\n\nReturn the types that the request accepts, in the order of the client's\npreference (most preferred first).\n\n## Examples\n\n### Simple type negotiation\n\nThis simple example shows how to use `accepts` to return a different typed\nrespond body based on what the client wants to accept. The server lists it's\npreferences in order and will get back the best match between the client and\nserver.\n\n```js\nvar accepts = require('accepts')\nvar http = require('http')\n\nfunction app (req, res) {\n var accept = accepts(req)\n\n // the order of this list is significant; should be server preferred order\n switch (accept.type(['json', 'html'])) {\n case 'json':\n res.setHeader('Content-Type', 'application/json')\n res.write('{\"hello\":\"world!\"}')\n break\n case 'html':\n res.setHeader('Content-Type', 'text/html')\n res.write('hello, world!')\n break\n default:\n // the fallback is text/plain, so no need to specify it above\n res.setHeader('Content-Type', 'text/plain')\n res.write('hello, world!')\n break\n }\n\n res.end()\n}\n\nhttp.createServer(app).listen(3000)\n```\n\nYou can test this out with the cURL program:\n```sh\ncurl -I -H'Accept: text/html' http://localhost:3000/\n```\n\n## License\n\n[MIT](LICENSE)\n\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/accepts/master\n[coveralls-url]: https://coveralls.io/r/jshttp/accepts?branch=master\n[github-actions-ci-image]: https://badgen.net/github/checks/jshttp/accepts/master?label=ci\n[github-actions-ci-url]: https://github.com/jshttp/accepts/actions/workflows/ci.yml\n[node-version-image]: https://badgen.net/npm/node/accepts\n[node-version-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/accepts\n[npm-url]: https://npmjs.org/package/accepts\n[npm-version-image]: https://badgen.net/npm/v/accepts\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/accepts/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/ajv-formats/README.md ---\n# ajv-formats\n\nJSON Schema formats for Ajv\n\n[![Build Status](https://travis-ci.org/ajv-validator/ajv-formats.svg?branch=master)](https://travis-ci.org/ajv-validator/ajv-formats)\n[![npm](https://img.shields.io/npm/v/ajv-formats.svg)](https://www.npmjs.com/package/ajv-formats)\n[![Gitter](https://img.shields.io/gitter/room/ajv-validator/ajv.svg)](https://gitter.im/ajv-validator/ajv)\n[![GitHub Sponsors](https://img.shields.io/badge/$-sponsors-brightgreen)](https://github.com/sponsors/epoberezkin)\n\n## Usage\n\n```javascript\n// ESM/TypeScript import\nimport Ajv from \"ajv\"\nimport addFormats from \"ajv-formats\"\n// Node.js require:\nconst Ajv = require(\"ajv\")\nconst addFormats = require(\"ajv-formats\")\n\nconst ajv = new Ajv()\naddFormats(ajv)\n```\n\n## Formats\n\nThe package defines these formats:\n\n- _date_: full-date according to [RFC3339](http://tools.ietf.org/html/rfc3339#section-5.6).\n- _time_: time (time-zone is mandatory).\n- _date-time_: date-time (time-zone is mandatory).\n- _iso-time_: time with optional time-zone.\n- _iso-date-time_: date-time with optional time-zone.\n- _duration_: duration from [RFC3339](https://tools.ietf.org/html/rfc3339#appendix-A)\n- _uri_: full URI.\n- _uri-reference_: URI reference, including full and relative URIs.\n- _uri-template_: URI template according to [RFC6570](https://tools.ietf.org/html/rfc6570)\n- _url_ (deprecated): [URL record](https://url.spec.whatwg.org/#concept-url).\n- _email_: email address.\n- _hostname_: host name according to [RFC1034](http://tools.ietf.org/html/rfc1034#section-3.5).\n- _ipv4_: IP address v4.\n- _ipv6_: IP address v6.\n- _regex_: tests whether a string is a valid regular expression by passing it to RegExp constructor.\n- _uuid_: Universally Unique IDentifier according to [RFC4122](http://tools.ietf.org/html/rfc4122).\n- _json-pointer_: JSON-pointer according to [RFC6901](https://tools.ietf.org/html/rfc6901).\n- _relative-json-pointer_: relative JSON-pointer according to [this draft](http://tools.ietf.org/html/draft-luff-relative-json-pointer-00).\n- _byte_: base64 encoded data according to the [openApi 3.0.0 specification](https://spec.openapis.org/oas/v3.0.0#data-types)\n- _int32_: signed 32 bits integer according to the [openApi 3.0.0 specification](https://spec.openapis.org/oas/v3.0.0#data-types)\n- _int64_: signed 64 bits according to the [openApi 3.0.0 specification](https://spec.openapis.org/oas/v3.0.0#data-types)\n- _float_: float according to the [openApi 3.0.0 specification](https://spec.openapis.org/oas/v3.0.0#data-types)\n- _double_: double according to the [openApi 3.0.0 specification](https://spec.openapis.org/oas/v3.0.0#data-types)\n- _password_: password string according to the [openApi 3.0.0 specification](https://spec.openapis.org/oas/v3.0.0#data-types)\n- _binary_: binary string according to the [openApi 3.0.0 specification](https://spec.openapis.org/oas/v3.0.0#data-types)\n\nSee regular expressions used for format validation and the sources that were used in [formats.ts](https://github.com/ajv-validator/ajv-formats/blob/master/src/formats.ts).\n\n**Please note**: JSON Schema draft-07 also defines formats `iri`, `iri-reference`, `idn-hostname` and `idn-email` for URLs, hostnames and emails with international characters. These formats are available in [ajv-formats-draft2019](https://github.com/luzlab/ajv-formats-draft2019) plugin.\n\n## Keywords to compare values: `formatMaximum` / `formatMinimum` and `formatExclusiveMaximum` / `formatExclusiveMinimum`\n\nThese keywords allow to define minimum/maximum constraints when the format keyword defines ordering (`compare` function in format definition).\n\nThese keywords are added to ajv instance when ajv-formats is used without options or with option `keywords: true`.\n\nThese keywords apply only to strings. If the data is not a string, the validation succeeds.\n\nThe value of keywords `formatMaximum`/`formatMinimum` and `formatExclusiveMaximum`/`formatExclusiveMinimum` should be a string or [\\$data reference](https://github.com/ajv-validator/ajv/blob/master/docs/validation.md#data-reference). This value is the maximum (minimum) allowed value for the data to be valid as determined by `format` keyword. If `format` keyword is not present schema compilation will throw exception.\n\nWhen these keyword are added, they also add comparison functions to formats `\"date\"`, `\"time\"` and `\"date-time\"`. User-defined formats also can have comparison functions. See [addFormat](https://github.com/ajv-validator/ajv/blob/master/docs/api.md#api-addformat) method.\n\n```javascript\nrequire(\"ajv-formats\")(ajv)\n\nconst schema = {\n type: \"string\",\n format: \"date\",\n formatMinimum: \"2016-02-06\",\n formatExclusiveMaximum: \"2016-12-27\",\n}\n\nconst validDataList = [\"2016-02-06\", \"2016-12-26\"]\n\nconst invalidDataList = [\"2016-02-05\", \"2016-12-27\", \"abc\"]\n```\n\n## Options\n\nOptions can be passed via the second parameter. Options value can be\n\n1. The list of format names that will be added to ajv instance:\n\n```javascript\naddFormats(ajv, [\"date\", \"time\"])\n```\n\n**Please note**: when ajv encounters an undefined format it throws exception (unless ajv instance was configured with `strict: false` option). To allow specific undefined formats they have to be passed to ajv instance via `formats` option with `true` value:\n\n```javascript\nconst ajv = new Ajv((formats: {date: true, time: true})) // to ignore \"date\" and \"time\" formats in schemas.\n```\n\n2. Format validation mode (default is `\"full\"`) with optional list of format names and `keywords` option to add additional format comparison keywords:\n\n```javascript\naddFormats(ajv, {mode: \"fast\"})\n```\n\nor\n\n```javascript\naddFormats(ajv, {mode: \"fast\", formats: [\"date\", \"time\"], keywords: true})\n```\n\nIn `\"fast\"` mode the following formats are simplified: `\"date\"`, `\"time\"`, `\"date-time\"`, `\"iso-time\"`, `\"iso-date-time\"`, `\"uri\"`, `\"uri-reference\"`, `\"email\"`. For example, `\"date\"`, `\"time\"` and `\"date-time\"` do not validate ranges in `\"fast\"` mode, only string structure, and other formats have simplified regular expressions.\n\n## Tests\n\n```bash\nnpm install\ngit submodule update --init\nnpm test\n```\n\n## License\n\n[MIT](https://github.com/ajv-validator/ajv-formats/blob/master/LICENSE)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/ajv-formats/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/ajv/README.md ---\n\"Ajv\n\n \n\n# Ajv JSON schema validator\n\nThe fastest JSON validator for Node.js and browser.\n\nSupports JSON Schema draft-04/06/07/2019-09/2020-12 ([draft-04 support](https://ajv.js.org/json-schema.html#draft-04) requires ajv-draft-04 package) and JSON Type Definition [RFC8927](https://datatracker.ietf.org/doc/rfc8927/).\n\n[![build](https://github.com/ajv-validator/ajv/actions/workflows/build.yml/badge.svg)](https://github.com/ajv-validator/ajv/actions?query=workflow%3Abuild)\n[![npm](https://img.shields.io/npm/v/ajv.svg)](https://www.npmjs.com/package/ajv)\n[![npm downloads](https://img.shields.io/npm/dm/ajv.svg)](https://www.npmjs.com/package/ajv)\n[![Coverage Status](https://coveralls.io/repos/github/ajv-validator/ajv/badge.svg?branch=master)](https://coveralls.io/github/ajv-validator/ajv?branch=master)\n[![SimpleX](https://img.shields.io/badge/chat-on%20SimpleX-70F0F9)](https://simplex.chat/contact#/?v=1-2&smp=smp%3A%2F%2Fu2dS9sG8nMNURyZwqASV4yROM28Er0luVTx5X1CsMrU%3D%40smp4.simplex.im%2F8KvvURM6J38Gdq9dCuPswMOkMny0xCOJ%23%2F%3Fv%3D1-2%26dh%3DMCowBQYDK2VuAyEAr8rPVRuMOXv6kwF2yUAap-eoVg-9ssOFCi1fIrxTUw0%253D%26srv%3Do5vmywmrnaxalvz6wi3zicyftgio6psuvyniis6gco6bp6ekl4cqj4id.onion&data=%7B%22type%22%3A%22group%22%2C%22groupLinkId%22%3A%224pwLRgWHU9tlroMWHz0uOg%3D%3D%22%7D)\n[![Gitter](https://img.shields.io/gitter/room/ajv-validator/ajv.svg)](https://gitter.im/ajv-validator/ajv)\n[![GitHub Sponsors](https://img.shields.io/badge/$-sponsors-brightgreen)](https://github.com/sponsors/epoberezkin)\n\n## Ajv sponsors\n\n[\"Mozilla\"](https://www.mozilla.org)[](https://opencollective.com/ajv)\n\n[\"Microsoft\"](https://opensource.microsoft.com)[](https://opencollective.com/ajv)[](https://opencollective.com/ajv)\n\n[\"Retool\"](https://retool.com/?utm_source=sponsor&utm_campaign=ajv)[\"Tidelift\"](https://tidelift.com/subscription/pkg/npm-ajv?utm_source=npm-ajv&utm_medium=referral&utm_campaign=enterprise)[\"SimpleX\"](https://github.com/simplex-chat/simplex-chat)[](https://opencollective.com/ajv)\n\n## Contributing\n\nMore than 100 people contributed to Ajv, and we would love to have you join the development. We welcome implementing new features that will benefit many users and ideas to improve our documentation.\n\nPlease review [Contributing guidelines](./CONTRIBUTING.md) and [Code components](https://ajv.js.org/components.html).\n\n## Documentation\n\nAll documentation is available on the [Ajv website](https://ajv.js.org).\n\nSome useful site links:\n\n- [Getting started](https://ajv.js.org/guide/getting-started.html)\n- [JSON Schema vs JSON Type Definition](https://ajv.js.org/guide/schema-language.html)\n- [API reference](https://ajv.js.org/api.html)\n- [Strict mode](https://ajv.js.org/strict-mode.html)\n- [Standalone validation code](https://ajv.js.org/standalone.html)\n- [Security considerations](https://ajv.js.org/security.html)\n- [Command line interface](https://ajv.js.org/packages/ajv-cli.html)\n- [Frequently Asked Questions](https://ajv.js.org/faq.html)\n\n## Please [sponsor Ajv development](https://github.com/sponsors/epoberezkin)\n\nSince I asked to support Ajv development 40 people and 6 organizations contributed via GitHub and OpenCollective - this support helped receiving the MOSS grant!\n\nYour continuing support is very important - the funds will be used to develop and maintain Ajv once the next major version is released.\n\nPlease sponsor Ajv via:\n\n- [GitHub sponsors page](https://github.com/sponsors/epoberezkin) (GitHub will match it)\n- [Ajv Open Collective](https://opencollective.com/ajv)\n\nThank you.\n\n#### Open Collective sponsors\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n## Performance\n\nAjv generates code to turn JSON Schemas into super-fast validation functions that are efficient for v8 optimization.\n\nCurrently Ajv is the fastest and the most standard compliant validator according to these benchmarks:\n\n- [json-schema-benchmark](https://github.com/ebdrup/json-schema-benchmark) - 50% faster than the second place\n- [jsck benchmark](https://github.com/pandastrike/jsck#benchmarks) - 20-190% faster\n- [z-schema benchmark](https://rawgit.com/zaggino/z-schema/master/benchmark/results.html)\n- [themis benchmark](https://cdn.rawgit.com/playlyfe/themis/master/benchmark/results.html)\n\nPerformance of different validators by [json-schema-benchmark](https://github.com/ebdrup/json-schema-benchmark):\n\n[![performance](https://chart.googleapis.com/chart?chxt=x,y&cht=bhs&chco=76A4FB&chls=2.0&chbh=62,4,1&chs=600x416&chxl=-1:|ajv|@exodus/schemasafe|is-my-json-valid|djv|@cfworker/json-schema|jsonschema/=t:100,69.2,51.5,13.1,5.1,1.2)](https://github.com/ebdrup/json-schema-benchmark/blob/master/README.md#performance)\n\n## Features\n\n- Ajv implements JSON Schema [draft-06/07/2019-09/2020-12](http://json-schema.org/) standards (draft-04 is supported in v6):\n - all validation keywords (see [JSON Schema validation keywords](https://ajv.js.org/json-schema.html))\n - [OpenAPI](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.3.md) extensions:\n - NEW: keyword [discriminator](https://ajv.js.org/json-schema.html#discriminator).\n - keyword [nullable](https://ajv.js.org/json-schema.html#nullable).\n - full support of remote references (remote schemas have to be added with `addSchema` or compiled to be available)\n - support of recursive references between schemas\n - correct string lengths for strings with unicode pairs\n - JSON Schema [formats](https://ajv.js.org/guide/formats.html) (with [ajv-formats](https://github.com/ajv-validator/ajv-formats) plugin).\n - [validates schemas against meta-schema](https://ajv.js.org/api.html#api-validateschema)\n- NEW: supports [JSON Type Definition](https://datatracker.ietf.org/doc/rfc8927/):\n - all keywords (see [JSON Type Definition schema forms](https://ajv.js.org/json-type-definition.html))\n - meta-schema for JTD schemas\n - \"union\" keyword and user-defined keywords (can be used inside \"metadata\" member of the schema)\n- supports [browsers](https://ajv.js.org/guide/environments.html#browsers) and Node.js 10.x - current\n- [asynchronous loading](https://ajv.js.org/guide/managing-schemas.html#asynchronous-schema-loading) of referenced schemas during compilation\n- \"All errors\" validation mode with [option allErrors](https://ajv.js.org/options.html#allerrors)\n- [error messages with parameters](https://ajv.js.org/api.html#validation-errors) describing error reasons to allow error message generation\n- i18n error messages support with [ajv-i18n](https://github.com/ajv-validator/ajv-i18n) package\n- [removing-additional-properties](https://ajv.js.org/guide/modifying-data.html#removing-additional-properties)\n- [assigning defaults](https://ajv.js.org/guide/modifying-data.html#assigning-defaults) to missing properties and items\n- [coercing data](https://ajv.js.org/guide/modifying-data.html#coercing-data-types) to the types specified in `type` keywords\n- [user-defined keywords](https://ajv.js.org/guide/user-keywords.html)\n- additional extension keywords with [ajv-keywords](https://github.com/ajv-validator/ajv-keywords) package\n- [\\$data reference](https://ajv.js.org/guide/combining-schemas.html#data-reference) to use values from the validated data as values for the schema keywords\n- [asynchronous validation](https://ajv.js.org/guide/async-validation.html) of user-defined formats and keywords\n\n## Install\n\nTo install version 8:\n\n```\nnpm install ajv\n```\n\n## Getting started\n\nTry it in the Node.js REPL: https://runkit.com/npm/ajv\n\nIn JavaScript:\n\n```javascript\n// or ESM/TypeScript import\nimport Ajv from \"ajv\"\n// Node.js require:\nconst Ajv = require(\"ajv\")\n\nconst ajv = new Ajv() // options can be passed, e.g. {allErrors: true}\n\nconst schema = {\n type: \"object\",\n properties: {\n foo: {type: \"integer\"},\n bar: {type: \"string\"},\n },\n required: [\"foo\"],\n additionalProperties: false,\n}\n\nconst data = {\n foo: 1,\n bar: \"abc\",\n}\n\nconst validate = ajv.compile(schema)\nconst valid = validate(data)\nif (!valid) console.log(validate.errors)\n```\n\nLearn how to use Ajv and see more examples in the [Guide: getting started](https://ajv.js.org/guide/getting-started.html)\n\n## Changes history\n\nSee [https://github.com/ajv-validator/ajv/releases](https://github.com/ajv-validator/ajv/releases)\n\n**Please note**: [Changes in version 8.0.0](https://github.com/ajv-validator/ajv/releases/tag/v8.0.0)\n\n[Version 7.0.0](https://github.com/ajv-validator/ajv/releases/tag/v7.0.0)\n\n[Version 6.0.0](https://github.com/ajv-validator/ajv/releases/tag/v6.0.0).\n\n## Code of conduct\n\nPlease review and follow the [Code of conduct](./CODE_OF_CONDUCT.md).\n\nPlease report any unacceptable behaviour to ajv.validator@gmail.com - it will be reviewed by the project team.\n\n## Security contact\n\nTo report a security vulnerability, please use the\n[Tidelift security contact](https://tidelift.com/security).\nTidelift will coordinate the fix and disclosure. Please do NOT report security vulnerabilities via GitHub issues.\n\n## Open-source software support\n\nAjv is a part of [Tidelift subscription](https://tidelift.com/subscription/pkg/npm-ajv?utm_source=npm-ajv&utm_medium=referral&utm_campaign=readme) - it provides a centralised support to open-source software users, in addition to the support provided by software maintainers.\n\n## License\n\n[MIT](./LICENSE)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/ajv/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/assertion-error/README.md ---\n

\n AssertionError and AssertionResult classes.\n

\n\n

\n \n \n \n \n \n \n \n

\n\n## What is AssertionError?\n\nAssertion Error is a module that contains two classes: `AssertionError`, which\nis an instance of an `Error`, and `AssertionResult` which is not an instance of\nError.\n\nThese can be useful for returning from a function - if the function \"succeeds\"\nreturn an `AssertionResult` and if the function fails return (or throw) an\n`AssertionError`.\n\nBoth `AssertionError` and `AssertionResult` implement the `Result` interface:\n\n```typescript\ninterface Result {\n name: \"AssertionError\" | \"AssertionResult\";\n ok: boolean;\n toJSON(...args: unknown[]): Record;\n}\n```\n\nSo if a function returns `AssertionResult | AssertionError` it is easy to check\n_which_ one is returned by checking either `.name` or `.ok`, or check\n`instanceof Error`.\n\n## Installation\n\n### Node.js\n\n`assertion-error` is available on [npm](http://npmjs.org).\n\n```\n$ npm install --save assertion-error\n```\n\n### Deno\n\n`assertion_error` is available on\n[Deno.land](https://deno.land/x/assertion_error)\n\n```typescript\nimport {\n AssertionError,\n AssertionResult,\n} from \"https://deno.land/x/assertion_error@2.0.0/mod.ts\";\n```\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/assertion-error/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/body-parser/README.md ---\n# body-parser\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Build Status][ci-image]][ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n[![OpenSSF Scorecard Badge][ossf-scorecard-badge]][ossf-scorecard-visualizer]\n\nNode.js body parsing middleware.\n\nParse incoming request bodies in a middleware before your handlers, available\nunder the `req.body` property.\n\n**Note** As `req.body`'s shape is based on user-controlled input, all\nproperties and values in this object are untrusted and should be validated\nbefore trusting. For example, `req.body.foo.toString()` may fail in multiple\nways, for example the `foo` property may not be there or may not be a string,\nand `toString` may not be a function and instead a string or other user input.\n\n[Learn about the anatomy of an HTTP transaction in Node.js](https://nodejs.org/en/docs/guides/anatomy-of-an-http-transaction/).\n\n_This does not handle multipart bodies_, due to their complex and typically\nlarge nature. For multipart bodies, you may be interested in the following\nmodules:\n\n * [busboy](https://www.npmjs.org/package/busboy#readme) and\n [connect-busboy](https://www.npmjs.org/package/connect-busboy#readme)\n * [multiparty](https://www.npmjs.org/package/multiparty#readme) and\n [connect-multiparty](https://www.npmjs.org/package/connect-multiparty#readme)\n * [formidable](https://www.npmjs.org/package/formidable#readme)\n * [multer](https://www.npmjs.org/package/multer#readme)\n\nThis module provides the following parsers:\n\n * [JSON body parser](#bodyparserjsonoptions)\n * [Raw body parser](#bodyparserrawoptions)\n * [Text body parser](#bodyparsertextoptions)\n * [URL-encoded form body parser](#bodyparserurlencodedoptions)\n\nOther body parsers you might be interested in:\n\n- [body](https://www.npmjs.org/package/body#readme)\n- [co-body](https://www.npmjs.org/package/co-body#readme)\n\n## Installation\n\n```sh\n$ npm install body-parser\n```\n\n## API\n\n```js\nconst bodyParser = require('body-parser')\n```\n\nThe `bodyParser` object exposes various factories to create middlewares. All\nmiddlewares will populate the `req.body` property with the parsed body when\nthe `Content-Type` request header matches the `type` option.\n\nThe various errors returned by this module are described in the\n[errors section](#errors).\n\n### bodyParser.json([options])\n\nReturns middleware that only parses `json` and only looks at requests where\nthe `Content-Type` header matches the `type` option. This parser accepts any\nUnicode encoding of the body and supports automatic inflation of `gzip`,\n`br` (brotli) and `deflate` encodings.\n\nA new `body` object containing the parsed data is populated on the `request`\nobject after the middleware (i.e. `req.body`).\n\n#### Options\n\nThe `json` function takes an optional `options` object that may contain any of\nthe following keys:\n\n##### inflate\n\nWhen set to `true`, then deflated (compressed) bodies will be inflated; when\n`false`, deflated bodies are rejected. Defaults to `true`.\n\n##### limit\n\nControls the maximum request body size. If this is a number, then the value\nspecifies the number of bytes; if it is a string, the value is passed to the\n[bytes](https://www.npmjs.com/package/bytes) library for parsing. Defaults\nto `'100kb'`.\n\n##### reviver\n\nThe `reviver` option is passed directly to `JSON.parse` as the second\nargument. You can find more information on this argument\n[in the MDN documentation about JSON.parse](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse#Example.3A_Using_the_reviver_parameter).\n\n##### strict\n\nWhen set to `true`, will only accept arrays and objects; when `false` will\naccept anything `JSON.parse` accepts. Defaults to `true`.\n\n##### type\n\nThe `type` option is used to determine what media type the middleware will\nparse. This option can be a string, array of strings, or a function. If not a\nfunction, `type` option is passed directly to the\n[type-is](https://www.npmjs.org/package/type-is#readme) library and this can\nbe an extension name (like `json`), a mime type (like `application/json`), or\na mime type with a wildcard (like `*/*` or `*/json`). If a function, the `type`\noption is called as `fn(req)` and the request is parsed if it returns a truthy\nvalue. Defaults to `application/json`.\n\n##### verify\n\nThe `verify` option, if supplied, is called as `verify(req, res, buf, encoding)`,\nwhere `buf` is a `Buffer` of the raw request body and `encoding` is the\nencoding of the request. The parsing can be aborted by throwing an error.\n\n### bodyParser.raw([options])\n\nReturns middleware that parses all bodies as a `Buffer` and only looks at\nrequests where the `Content-Type` header matches the `type` option. This\nparser supports automatic inflation of `gzip`, `br` (brotli) and `deflate`\nencodings.\n\nA new `body` object containing the parsed data is populated on the `request`\nobject after the middleware (i.e. `req.body`). This will be a `Buffer` object\nof the body.\n\n#### Options\n\nThe `raw` function takes an optional `options` object that may contain any of\nthe following keys:\n\n##### inflate\n\nWhen set to `true`, then deflated (compressed) bodies will be inflated; when\n`false`, deflated bodies are rejected. Defaults to `true`.\n\n##### limit\n\nControls the maximum request body size. If this is a number, then the value\nspecifies the number of bytes; if it is a string, the value is passed to the\n[bytes](https://www.npmjs.com/package/bytes) library for parsing. Defaults\nto `'100kb'`.\n\n##### type\n\nThe `type` option is used to determine what media type the middleware will\nparse. This option can be a string, array of strings, or a function.\nIf not a function, `type` option is passed directly to the\n[type-is](https://www.npmjs.org/package/type-is#readme) library and this\ncan be an extension name (like `bin`), a mime type (like\n`application/octet-stream`), or a mime type with a wildcard (like `*/*` or\n`application/*`). If a function, the `type` option is called as `fn(req)`\nand the request is parsed if it returns a truthy value. Defaults to\n`application/octet-stream`.\n\n##### verify\n\nThe `verify` option, if supplied, is called as `verify(req, res, buf, encoding)`,\nwhere `buf` is a `Buffer` of the raw request body and `encoding` is the\nencoding of the request. The parsing can be aborted by throwing an error.\n\n### bodyParser.text([options])\n\nReturns middleware that parses all bodies as a string and only looks at\nrequests where the `Content-Type` header matches the `type` option. This\nparser supports automatic inflation of `gzip`, `br` (brotli) and `deflate`\nencodings.\n\nA new `body` string containing the parsed data is populated on the `request`\nobject after the middleware (i.e. `req.body`). This will be a string of the\nbody.\n\n#### Options\n\nThe `text` function takes an optional `options` object that may contain any of\nthe following keys:\n\n##### defaultCharset\n\nSpecify the default character set for the text content if the charset is not\nspecified in the `Content-Type` header of the request. Defaults to `utf-8`.\n\n##### inflate\n\nWhen set to `true`, then deflated (compressed) bodies will be inflated; when\n`false`, deflated bodies are rejected. Defaults to `true`.\n\n##### limit\n\nControls the maximum request body size. If this is a number, then the value\nspecifies the number of bytes; if it is a string, the value is passed to the\n[bytes](https://www.npmjs.com/package/bytes) library for parsing. Defaults\nto `'100kb'`.\n\n##### type\n\nThe `type` option is used to determine what media type the middleware will\nparse. This option can be a string, array of strings, or a function. If not\na function, `type` option is passed directly to the\n[type-is](https://www.npmjs.org/package/type-is#readme) library and this can\nbe an extension name (like `txt`), a mime type (like `text/plain`), or a mime\ntype with a wildcard (like `*/*` or `text/*`). If a function, the `type`\noption is called as `fn(req)` and the request is parsed if it returns a\ntruthy value. Defaults to `text/plain`.\n\n##### verify\n\nThe `verify` option, if supplied, is called as `verify(req, res, buf, encoding)`,\nwhere `buf` is a `Buffer` of the raw request body and `encoding` is the\nencoding of the request. The parsing can be aborted by throwing an error.\n\n### bodyParser.urlencoded([options])\n\nReturns middleware that only parses `urlencoded` bodies and only looks at\nrequests where the `Content-Type` header matches the `type` option. This\nparser accepts only UTF-8 encoding of the body and supports automatic\ninflation of `gzip`, `br` (brotli) and `deflate` encodings.\n\nA new `body` object containing the parsed data is populated on the `request`\nobject after the middleware (i.e. `req.body`). This object will contain\nkey-value pairs, where the value can be a string or array (when `extended` is\n`false`), or any type (when `extended` is `true`).\n\n#### Options\n\nThe `urlencoded` function takes an optional `options` object that may contain\nany of the following keys:\n\n##### extended\n\nThe \"extended\" syntax allows for rich objects and arrays to be encoded into the\nURL-encoded format, allowing for a JSON-like experience with URL-encoded. For\nmore information, please [see the qs\nlibrary](https://www.npmjs.org/package/qs#readme).\n\nDefaults to `false`.\n\n##### inflate\n\nWhen set to `true`, then deflated (compressed) bodies will be inflated; when\n`false`, deflated bodies are rejected. Defaults to `true`.\n\n##### limit\n\nControls the maximum request body size. If this is a number, then the value\nspecifies the number of bytes; if it is a string, the value is passed to the\n[bytes](https://www.npmjs.com/package/bytes) library for parsing. Defaults\nto `'100kb'`.\n\n##### parameterLimit\n\nThe `parameterLimit` option controls the maximum number of parameters that\nare allowed in the URL-encoded data. If a request contains more parameters\nthan this value, a 413 will be returned to the client. Defaults to `1000`.\n\n##### type\n\nThe `type` option is used to determine what media type the middleware will\nparse. This option can be a string, array of strings, or a function. If not\na function, `type` option is passed directly to the\n[type-is](https://www.npmjs.org/package/type-is#readme) library and this can\nbe an extension name (like `urlencoded`), a mime type (like\n`application/x-www-form-urlencoded`), or a mime type with a wildcard (like\n`*/x-www-form-urlencoded`). If a function, the `type` option is called as\n`fn(req)` and the request is parsed if it returns a truthy value. Defaults\nto `application/x-www-form-urlencoded`.\n\n##### verify\n\nThe `verify` option, if supplied, is called as `verify(req, res, buf, encoding)`,\nwhere `buf` is a `Buffer` of the raw request body and `encoding` is the\nencoding of the request. The parsing can be aborted by throwing an error.\n\n##### defaultCharset\n\nThe default charset to parse as, if not specified in content-type. Must be\neither `utf-8` or `iso-8859-1`. Defaults to `utf-8`.\n\n##### charsetSentinel\n\nWhether to let the value of the `utf8` parameter take precedence as the charset\nselector. It requires the form to contain a parameter named `utf8` with a value\nof `✓`. Defaults to `false`.\n\n##### interpretNumericEntities\n\nWhether to decode numeric entities such as `☺` when parsing an iso-8859-1\nform. Defaults to `false`.\n\n\n#### depth\n\nThe `depth` option is used to configure the maximum depth of the `qs` library when `extended` is `true`. This allows you to limit the amount of keys that are parsed and can be useful to prevent certain types of abuse. Defaults to `32`. It is recommended to keep this value as low as possible.\n\n## Errors\n\nThe middlewares provided by this module create errors using the\n[`http-errors` module](https://www.npmjs.com/package/http-errors). The errors\nwill typically have a `status`/`statusCode` property that contains the suggested\nHTTP response code, an `expose` property to determine if the `message` property\nshould be displayed to the client, a `type` property to determine the type of\nerror without matching against the `message`, and a `body` property containing\nthe read body, if available.\n\nThe following are the common errors created, though any error can come through\nfor various reasons.\n\n### content encoding unsupported\n\nThis error will occur when the request had a `Content-Encoding` header that\ncontained an encoding but the \"inflation\" option was set to `false`. The\n`status` property is set to `415`, the `type` property is set to\n`'encoding.unsupported'`, and the `charset` property will be set to the\nencoding that is unsupported.\n\n### entity parse failed\n\nThis error will occur when the request contained an entity that could not be\nparsed by the middleware. The `status` property is set to `400`, the `type`\nproperty is set to `'entity.parse.failed'`, and the `body` property is set to\nthe entity value that failed parsing.\n\n### entity verify failed\n\nThis error will occur when the request contained an entity that could not be\nfailed verification by the defined `verify` option. The `status` property is\nset to `403`, the `type` property is set to `'entity.verify.failed'`, and the\n`body` property is set to the entity value that failed verification.\n\n### request aborted\n\nThis error will occur when the request is aborted by the client before reading\nthe body has finished. The `received` property will be set to the number of\nbytes received before the request was aborted and the `expected` property is\nset to the number of expected bytes. The `status` property is set to `400`\nand `type` property is set to `'request.aborted'`.\n\n### request entity too large\n\nThis error will occur when the request body's size is larger than the \"limit\"\noption. The `limit` property will be set to the byte limit and the `length`\nproperty will be set to the request body's length. The `status` property is\nset to `413` and the `type` property is set to `'entity.too.large'`.\n\n### request size did not match content length\n\nThis error will occur when the request's length did not match the length from\nthe `Content-Length` header. This typically occurs when the request is malformed,\ntypically when the `Content-Length` header was calculated based on characters\ninstead of bytes. The `status` property is set to `400` and the `type` property\nis set to `'request.size.invalid'`.\n\n### stream encoding should not be set\n\nThis error will occur when something called the `req.setEncoding` method prior\nto this middleware. This module operates directly on bytes only and you cannot\ncall `req.setEncoding` when using this module. The `status` property is set to\n`500` and the `type` property is set to `'stream.encoding.set'`.\n\n### stream is not readable\n\nThis error will occur when the request is no longer readable when this middleware\nattempts to read it. This typically means something other than a middleware from\nthis module read the request body already and the middleware was also configured to\nread the same request. The `status` property is set to `500` and the `type`\nproperty is set to `'stream.not.readable'`.\n\n### too many parameters\n\nThis error will occur when the content of the request exceeds the configured\n`parameterLimit` for the `urlencoded` parser. The `status` property is set to\n`413` and the `type` property is set to `'parameters.too.many'`.\n\n### unsupported charset \"BOGUS\"\n\nThis error will occur when the request had a charset parameter in the\n`Content-Type` header, but the `iconv-lite` module does not support it OR the\nparser does not support it. The charset is contained in the message as well\nas in the `charset` property. The `status` property is set to `415`, the\n`type` property is set to `'charset.unsupported'`, and the `charset` property\nis set to the charset that is unsupported.\n\n### unsupported content encoding \"bogus\"\n\nThis error will occur when the request had a `Content-Encoding` header that\ncontained an unsupported encoding. The encoding is contained in the message\nas well as in the `encoding` property. The `status` property is set to `415`,\nthe `type` property is set to `'encoding.unsupported'`, and the `encoding`\nproperty is set to the encoding that is unsupported.\n\n### The input exceeded the depth\n\nThis error occurs when using `bodyParser.urlencoded` with the `extended` property set to `true` and the input exceeds the configured `depth` option. The `status` property is set to `400`. It is recommended to review the `depth` option and evaluate if it requires a higher value. When the `depth` option is set to `32` (default value), the error will not be thrown.\n\n## Examples\n\n### Express/Connect top-level generic\n\nThis example demonstrates adding a generic JSON and URL-encoded parser as a\ntop-level middleware, which will parse the bodies of all incoming requests.\nThis is the simplest setup.\n\n```js\nconst express = require('express')\nconst bodyParser = require('body-parser')\n\nconst app = express()\n\n// parse application/x-www-form-urlencoded\napp.use(bodyParser.urlencoded())\n\n// parse application/json\napp.use(bodyParser.json())\n\napp.use(function (req, res) {\n res.setHeader('Content-Type', 'text/plain')\n res.write('you posted:\\n')\n res.end(String(JSON.stringify(req.body, null, 2)))\n})\n```\n\n### Express route-specific\n\nThis example demonstrates adding body parsers specifically to the routes that\nneed them. In general, this is the most recommended way to use body-parser with\nExpress.\n\n```js\nconst express = require('express')\nconst bodyParser = require('body-parser')\n\nconst app = express()\n\n// create application/json parser\nconst jsonParser = bodyParser.json()\n\n// create application/x-www-form-urlencoded parser\nconst urlencodedParser = bodyParser.urlencoded()\n\n// POST /login gets urlencoded bodies\napp.post('/login', urlencodedParser, function (req, res) {\n if (!req.body || !req.body.username) res.sendStatus(400)\n res.send('welcome, ' + req.body.username)\n})\n\n// POST /api/users gets JSON bodies\napp.post('/api/users', jsonParser, function (req, res) {\n if (!req.body) res.sendStatus(400)\n // create user in req.body\n})\n```\n\n### Change accepted type for parsers\n\nAll the parsers accept a `type` option which allows you to change the\n`Content-Type` that the middleware will parse.\n\n```js\nconst express = require('express')\nconst bodyParser = require('body-parser')\n\nconst app = express()\n\n// parse various different custom JSON types as JSON\napp.use(bodyParser.json({ type: 'application/*+json' }))\n\n// parse some custom thing into a Buffer\napp.use(bodyParser.raw({ type: 'application/vnd.custom-type' }))\n\n// parse an HTML body into a string\napp.use(bodyParser.text({ type: 'text/html' }))\n```\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://badgen.net/github/checks/expressjs/body-parser/master?label=ci\n[ci-url]: https://github.com/expressjs/body-parser/actions/workflows/ci.yml\n[coveralls-image]: https://badgen.net/coveralls/c/github/expressjs/body-parser/master\n[coveralls-url]: https://coveralls.io/r/expressjs/body-parser?branch=master\n[node-version-image]: https://badgen.net/npm/node/body-parser\n[node-version-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/body-parser\n[npm-url]: https://npmjs.org/package/body-parser\n[npm-version-image]: https://badgen.net/npm/v/body-parser\n[ossf-scorecard-badge]: https://api.scorecard.dev/projects/github.com/expressjs/body-parser/badge\n[ossf-scorecard-visualizer]: https://ossf.github.io/scorecard-visualizer/#/projects/github.com/expressjs/body-parser\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/body-parser/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/cac/README.md ---\n\"2017-07-26\n\n[![NPM version](https://img.shields.io/npm/v/cac.svg?style=flat)](https://npmjs.com/package/cac) [![NPM downloads](https://img.shields.io/npm/dm/cac.svg?style=flat)](https://npmjs.com/package/cac) [![CircleCI](https://circleci.com/gh/cacjs/cac/tree/master.svg?style=shield)](https://circleci.com/gh/cacjs/cac/tree/master) [![Codecov](https://badgen.net/codecov/c/github/cacjs/cac/master)](https://codecov.io/gh/cacjs/cac) [![donate](https://img.shields.io/badge/$-donate-ff69b4.svg?maxAge=2592000&style=flat)](https://github.com/egoist/donate) [![chat](https://img.shields.io/badge/chat-on%20discord-7289DA.svg?style=flat)](https://chat.egoist.moe) [![install size](https://badgen.net/packagephobia/install/cac)](https://packagephobia.now.sh/result?p=cac)\n\n## Introduction\n\n**C**ommand **A**nd **C**onquer is a JavaScript library for building CLI apps.\n\n## Features\n\n- **Super light-weight**: No dependency, just a single file.\n- **Easy to learn**. There're only 4 APIs you need to learn for building simple CLIs: `cli.option` `cli.version` `cli.help` `cli.parse`.\n- **Yet so powerful**. Enable features like default command, git-like subcommands, validation for required arguments and options, variadic arguments, dot-nested options, automated help message generation and so on.\n- **Developer friendly**. Written in TypeScript.\n\n## Table of Contents\n\n\n\n- [Install](#install)\n- [Usage](#usage)\n - [Simple Parsing](#simple-parsing)\n - [Display Help Message and Version](#display-help-message-and-version)\n - [Command-specific Options](#command-specific-options)\n - [Dash in option names](#dash-in-option-names)\n - [Brackets](#brackets)\n - [Negated Options](#negated-options)\n - [Variadic Arguments](#variadic-arguments)\n - [Dot-nested Options](#dot-nested-options)\n - [Default Command](#default-command)\n - [Supply an array as option value](#supply-an-array-as-option-value)\n - [Error Handling](#error-handling)\n - [With TypeScript](#with-typescript)\n - [With Deno](#with-deno)\n- [Projects Using CAC](#projects-using-cac)\n- [References](#references)\n - [CLI Instance](#cli-instance)\n - [cac(name?)](#cacname)\n - [cli.command(name, description, config?)](#clicommandname-description-config)\n - [cli.option(name, description, config?)](#clioptionname-description-config)\n - [cli.parse(argv?)](#cliparseargv)\n - [cli.version(version, customFlags?)](#cliversionversion-customflags)\n - [cli.help(callback?)](#clihelpcallback)\n - [cli.outputHelp()](#clioutputhelp)\n - [cli.usage(text)](#cliusagetext)\n - [Command Instance](#command-instance)\n - [command.option()](#commandoption)\n - [command.action(callback)](#commandactioncallback)\n - [command.alias(name)](#commandaliasname)\n - [command.allowUnknownOptions()](#commandallowunknownoptions)\n - [command.example(example)](#commandexampleexample)\n - [command.usage(text)](#commandusagetext)\n - [Events](#events)\n- [FAQ](#faq)\n - [How is the name written and pronounced?](#how-is-the-name-written-and-pronounced)\n - [Why not use Commander.js?](#why-not-use-commanderjs)\n- [Project Stats](#project-stats)\n- [Contributing](#contributing)\n- [Author](#author)\n\n\n\n## Install\n\n```bash\nyarn add cac\n```\n\n## Usage\n\n### Simple Parsing\n\nUse CAC as simple argument parser:\n\n```js\n// examples/basic-usage.js\nconst cli = require('cac')()\n\ncli.option('--type ', 'Choose a project type', {\n default: 'node',\n})\n\nconst parsed = cli.parse()\n\nconsole.log(JSON.stringify(parsed, null, 2))\n```\n\n\"2018-11-26\n\n### Display Help Message and Version\n\n```js\n// examples/help.js\nconst cli = require('cac')()\n\ncli.option('--type [type]', 'Choose a project type', {\n default: 'node',\n})\ncli.option('--name ', 'Provide your name')\n\ncli.command('lint [...files]', 'Lint files').action((files, options) => {\n console.log(files, options)\n})\n\n// Display help message when `-h` or `--help` appears\ncli.help()\n// Display version number when `-v` or `--version` appears\n// It's also used in help message\ncli.version('0.0.0')\n\ncli.parse()\n```\n\n\"2018-11-25\n\n### Command-specific Options\n\nYou can attach options to a command.\n\n```js\nconst cli = require('cac')()\n\ncli\n .command('rm ', 'Remove a dir')\n .option('-r, --recursive', 'Remove recursively')\n .action((dir, options) => {\n console.log('remove ' + dir + (options.recursive ? ' recursively' : ''))\n })\n\ncli.help()\n\ncli.parse()\n```\n\nA command's options are validated when the command is used. Any unknown options will be reported as an error. However, if an action-based command does not define an action, then the options are not validated. If you really want to use unknown options, use [`command.allowUnknownOptions`](#commandallowunknownoptions).\n\n\"command\n\n### Dash in option names\n\nOptions in kebab-case should be referenced in camelCase in your code:\n\n```js\ncli\n .command('dev', 'Start dev server')\n .option('--clear-screen', 'Clear screen')\n .action((options) => {\n console.log(options.clearScreen)\n })\n```\n\nIn fact `--clear-screen` and `--clearScreen` are both mapped to `options.clearScreen`.\n\n### Brackets\n\nWhen using brackets in command name, angled brackets indicate required command arguments, while square bracket indicate optional arguments.\n\nWhen using brackets in option name, angled brackets indicate that a string / number value is required, while square bracket indicate that the value can also be `true`.\n\n```js\nconst cli = require('cac')()\n\ncli\n .command('deploy ', 'Deploy a folder to AWS')\n .option('--scale [level]', 'Scaling level')\n .action((folder, options) => {\n // ...\n })\n\ncli\n .command('build [project]', 'Build a project')\n .option('--out ', 'Output directory')\n .action((folder, options) => {\n // ...\n })\n\ncli.parse()\n```\n\n### Negated Options\n\nTo allow an option whose value is `false`, you need to manually specify a negated option:\n\n```js\ncli\n .command('build [project]', 'Build a project')\n .option('--no-config', 'Disable config file')\n .option('--config ', 'Use a custom config file')\n```\n\nThis will let CAC set the default value of `config` to true, and you can use `--no-config` flag to set it to `false`.\n\n### Variadic Arguments\n\nThe last argument of a command can be variadic, and only the last argument. To make an argument variadic you have to add `...` to the start of argument name, just like the rest operator in JavaScript. Here is an example:\n\n```js\nconst cli = require('cac')()\n\ncli\n .command('build [...otherFiles]', 'Build your app')\n .option('--foo', 'Foo option')\n .action((entry, otherFiles, options) => {\n console.log(entry)\n console.log(otherFiles)\n console.log(options)\n })\n\ncli.help()\n\ncli.parse()\n```\n\n\"2018-11-25\n\n### Dot-nested Options\n\nDot-nested options will be merged into a single option.\n\n```js\nconst cli = require('cac')()\n\ncli\n .command('build', 'desc')\n .option('--env ', 'Set envs')\n .example('--env.API_SECRET xxx')\n .action((options) => {\n console.log(options)\n })\n\ncli.help()\n\ncli.parse()\n```\n\n\"2018-11-25\n\n### Default Command\n\nRegister a command that will be used when no other command is matched.\n\n```js\nconst cli = require('cac')()\n\ncli\n // Simply omit the command name, just brackets\n .command('[...files]', 'Build files')\n .option('--minimize', 'Minimize output')\n .action((files, options) => {\n console.log(files)\n console.log(options.minimize)\n })\n\ncli.parse()\n```\n\n### Supply an array as option value\n\n```bash\nnode cli.js --include project-a\n# The parsed options will be:\n# { include: 'project-a' }\n\nnode cli.js --include project-a --include project-b\n# The parsed options will be:\n# { include: ['project-a', 'project-b'] }\n```\n\n### Error Handling\n\nTo handle command errors globally:\n\n```js\ntry {\n // Parse CLI args without running the command\n cli.parse(process.argv, { run: false })\n // Run the command yourself\n // You only need `await` when your command action returns a Promise\n await cli.runMatchedCommand()\n} catch (error) {\n // Handle error here..\n // e.g.\n // console.error(error.stack)\n // process.exit(1)\n}\n```\n\n### With TypeScript\n\nFirst you need `@types/node` to be installed as a dev dependency in your project:\n\n```bash\nyarn add @types/node --dev\n```\n\nThen everything just works out of the box:\n\n```js\nconst { cac } = require('cac')\n// OR ES modules\nimport { cac } from 'cac'\n```\n\n### With Deno\n\n```ts\nimport { cac } from 'https://unpkg.com/cac/mod.ts'\n\nconst cli = cac('my-program')\n```\n\n## Projects Using CAC\n\nProjects that use **CAC**:\n\n- [VuePress](https://github.com/vuejs/vuepress): :memo: Minimalistic Vue-powered static site generator.\n- [SAO](https://github.com/egoist/sao): ⚔️ Futuristic scaffolding tool.\n- [DocPad](https://github.com/docpad/docpad): 🏹 Powerful Static Site Generator.\n- [Poi](https://github.com/egoist/poi): ⚡️ Delightful web development.\n- [bili](https://github.com/egoist/bili): 🥂 Schweizer Armeemesser for bundling JavaScript libraries.\n- [Lad](https://github.com/ladjs/lad): 👦 Lad scaffolds a Koa webapp and API framework for Node.js.\n- [Lass](https://github.com/lassjs/lass): 💁🏻 Scaffold a modern package boilerplate for Node.js.\n- [Foy](https://github.com/zaaack/foy): 🏗 A lightweight and modern task runner and build tool for general purpose.\n- [Vuese](https://github.com/vuese/vuese): 🤗 One-stop solution for vue component documentation.\n- [NUT](https://github.com/nut-project/nut): 🌰 A framework born for microfrontends\n- Feel free to add yours here...\n\n## References\n\n**💁 Check out [the generated docs](https://cac-api-doc.egoist.sh/classes/_cac_.cac.html) from source code if you want a more in-depth API references.**\n\nBelow is a brief overview.\n\n### CLI Instance\n\nCLI instance is created by invoking the `cac` function:\n\n```js\nconst cac = require('cac')\nconst cli = cac()\n```\n\n#### cac(name?)\n\nCreate a CLI instance, optionally specify the program name which will be used to display in help and version message. When not set we use the basename of `argv[1]`.\n\n#### cli.command(name, description, config?)\n\n- Type: `(name: string, description: string) => Command`\n\nCreate a command instance.\n\nThe option also accepts a third argument `config` for additional command config:\n\n- `config.allowUnknownOptions`: `boolean` Allow unknown options in this command.\n- `config.ignoreOptionDefaultValue`: `boolean` Don't use the options's default value in parsed options, only display them in help message.\n\n#### cli.option(name, description, config?)\n\n- Type: `(name: string, description: string, config?: OptionConfig) => CLI`\n\nAdd a global option.\n\nThe option also accepts a third argument `config` for additional option config:\n\n- `config.default`: Default value for the option.\n- `config.type`: `any[]` When set to `[]`, the option value returns an array type. You can also use a conversion function such as `[String]`, which will invoke the option value with `String`.\n\n#### cli.parse(argv?)\n\n- Type: `(argv = process.argv) => ParsedArgv`\n\n```ts\ninterface ParsedArgv {\n args: string[]\n options: {\n [k: string]: any\n }\n}\n```\n\nWhen this method is called, `cli.rawArgs` `cli.args` `cli.options` `cli.matchedCommand` will also be available.\n\n#### cli.version(version, customFlags?)\n\n- Type: `(version: string, customFlags = '-v, --version') => CLI`\n\nOutput version number when `-v, --version` flag appears.\n\n#### cli.help(callback?)\n\n- Type: `(callback?: HelpCallback) => CLI`\n\nOutput help message when `-h, --help` flag appears.\n\nOptional `callback` allows post-processing of help text before it is displayed:\n\n```ts\ntype HelpCallback = (sections: HelpSection[]) => void\n\ninterface HelpSection {\n title?: string\n body: string\n}\n```\n\n#### cli.outputHelp()\n\n- Type: `() => CLI`\n\nOutput help message.\n\n#### cli.usage(text)\n\n- Type: `(text: string) => CLI`\n\nAdd a global usage text. This is not used by sub-commands.\n\n### Command Instance\n\nCommand instance is created by invoking the `cli.command` method:\n\n```js\nconst command = cli.command('build [...files]', 'Build given files')\n```\n\n#### command.option()\n\nBasically the same as `cli.option` but this adds the option to specific command.\n\n#### command.action(callback)\n\n- Type: `(callback: ActionCallback) => Command`\n\nUse a callback function as the command action when the command matches user inputs.\n\n```ts\ntype ActionCallback = (\n // Parsed CLI args\n // The last arg will be an array if it's a variadic argument\n ...args: string | string[] | number | number[]\n // Parsed CLI options\n options: Options\n) => any\n\ninterface Options {\n [k: string]: any\n}\n```\n\n#### command.alias(name)\n\n- Type: `(name: string) => Command`\n\nAdd an alias name to this command, the `name` here can't contain brackets.\n\n#### command.allowUnknownOptions()\n\n- Type: `() => Command`\n\nAllow unknown options in this command, by default CAC will log an error when unknown options are used.\n\n#### command.example(example)\n\n- Type: `(example: CommandExample) => Command`\n\nAdd an example which will be displayed at the end of help message.\n\n```ts\ntype CommandExample = ((name: string) => string) | string\n```\n\n#### command.usage(text)\n\n- Type: `(text: string) => Command`\n\nAdd a usage text for this command.\n\n### Events\n\nListen to commands:\n\n```js\n// Listen to the `foo` command\ncli.on('command:foo', () => {\n // Do something\n})\n\n// Listen to the default command\ncli.on('command:!', () => {\n // Do something\n})\n\n// Listen to unknown commands\ncli.on('command:*', () => {\n console.error('Invalid command: %s', cli.args.join(' '))\n process.exit(1)\n})\n```\n\n## FAQ\n\n### How is the name written and pronounced?\n\nCAC, or cac, pronounced `C-A-C`.\n\nThis project is dedicated to our lovely C.C. sama. Maybe CAC stands for C&C as well :P\n\n\n\n### Why not use Commander.js?\n\nCAC is very similar to Commander.js, while the latter does not support dot nested options, i.e. something like `--env.API_SECRET foo`. Besides, you can't use unknown options in Commander.js either.\n\n_And maybe more..._\n\nBasically I made CAC to fulfill my own needs for building CLI apps like [Poi](https://poi.js.org), [SAO](https://sao.vercel.app) and all my CLI apps. It's small, simple but powerful :P\n\n## Project Stats\n\n![Alt](https://repobeats.axiom.co/api/embed/58caf6203631bcdb9bbe22f0728a0af1683dc0bb.svg 'Repobeats analytics image')\n\n## Contributing\n\n1. Fork it!\n2. Create your feature branch: `git checkout -b my-new-feature`\n3. Commit your changes: `git commit -am 'Add some feature'`\n4. Push to the branch: `git push origin my-new-feature`\n5. Submit a pull request :D\n\n## Author\n\n**CAC** © [EGOIST](https://github.com/egoist), Released under the [MIT](./LICENSE) License.
\nAuthored and maintained by egoist with help from contributors ([list](https://github.com/cacjs/cac/contributors)).\n\n> [Website](https://egoist.sh) · GitHub [@egoist](https://github.com/egoist) · Twitter [@\\_egoistlily](https://twitter.com/_egoistlily)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/cac/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/call-bind-apply-helpers/README.md ---\n# call-bind-apply-helpers [![Version Badge][npm-version-svg]][package-url]\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![dependency status][deps-svg]][deps-url]\n[![dev dependency status][dev-deps-svg]][dev-deps-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nHelper functions around Function call/apply/bind, for use in `call-bind`.\n\nThe only packages that should likely ever use this package directly are `call-bind` and `get-intrinsic`.\nPlease use `call-bind` unless you have a very good reason not to.\n\n## Getting started\n\n```sh\nnpm install --save call-bind-apply-helpers\n```\n\n## Usage/Examples\n\n```js\nconst assert = require('assert');\nconst callBindBasic = require('call-bind-apply-helpers');\n\nfunction f(a, b) {\n\tassert.equal(this, 1);\n\tassert.equal(a, 2);\n\tassert.equal(b, 3);\n\tassert.equal(arguments.length, 2);\n}\n\nconst fBound = callBindBasic([f, 1]);\n\ndelete Function.prototype.call;\ndelete Function.prototype.bind;\n\nfBound(2, 3);\n```\n\n## Tests\n\nClone the repo, `npm install`, and run `npm test`\n\n[package-url]: https://npmjs.org/package/call-bind-apply-helpers\n[npm-version-svg]: https://versionbadg.es/ljharb/call-bind-apply-helpers.svg\n[deps-svg]: https://david-dm.org/ljharb/call-bind-apply-helpers.svg\n[deps-url]: https://david-dm.org/ljharb/call-bind-apply-helpers\n[dev-deps-svg]: https://david-dm.org/ljharb/call-bind-apply-helpers/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/call-bind-apply-helpers#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/call-bind-apply-helpers.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/call-bind-apply-helpers.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/call-bind-apply-helpers.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=call-bind-apply-helpers\n[codecov-image]: https://codecov.io/gh/ljharb/call-bind-apply-helpers/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/call-bind-apply-helpers/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/call-bind-apply-helpers\n[actions-url]: https://github.com/ljharb/call-bind-apply-helpers/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/call-bind-apply-helpers/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/call-bound/README.md ---\n# call-bound [![Version Badge][npm-version-svg]][package-url]\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![dependency status][deps-svg]][deps-url]\n[![dev dependency status][dev-deps-svg]][dev-deps-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nRobust call-bound JavaScript intrinsics, using `call-bind` and `get-intrinsic`.\n\n## Getting started\n\n```sh\nnpm install --save call-bound\n```\n\n## Usage/Examples\n\n```js\nconst assert = require('assert');\nconst callBound = require('call-bound');\n\nconst slice = callBound('Array.prototype.slice');\n\ndelete Function.prototype.call;\ndelete Function.prototype.bind;\ndelete Array.prototype.slice;\n\nassert.deepEqual(slice([1, 2, 3, 4], 1, -1), [2, 3]);\n```\n\n## Tests\n\nClone the repo, `npm install`, and run `npm test`\n\n[package-url]: https://npmjs.org/package/call-bound\n[npm-version-svg]: https://versionbadg.es/ljharb/call-bound.svg\n[deps-svg]: https://david-dm.org/ljharb/call-bound.svg\n[deps-url]: https://david-dm.org/ljharb/call-bound\n[dev-deps-svg]: https://david-dm.org/ljharb/call-bound/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/call-bound#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/call-bound.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/call-bound.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/call-bound.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=call-bound\n[codecov-image]: https://codecov.io/gh/ljharb/call-bound/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/call-bound/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/call-bound\n[actions-url]: https://github.com/ljharb/call-bound/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/call-bound/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/chai/README.md ---\n

\n \n \"ChaiJS\"\n \n
\n chai\n

\n\n

\n Chai is a BDD / TDD assertion library for node and the browser that can be delightfully paired with any javascript testing framework.\n

\n\n

\n \n \n \n \n \n \n
\n \n \n \n \n \n \n \n \n \n

\n\nFor more information or to download plugins, view the [documentation](http://chaijs.com).\n\n## What is Chai?\n\nChai is an _assertion library_, similar to Node's built-in `assert`. It makes testing much easier by giving you lots of assertions you can run against your code.\n\n## Installation\n\n### Node.js\n\n`chai` is available on [npm](http://npmjs.org). To install it, type:\n\n $ npm install --save-dev chai\n\n### Browsers\n\nYou can also use it within the browser; install via npm and use the `chai.js` file found within the download. For example:\n\n```html\n\n```\n\n## Usage\n\nImport the library in your code, and then pick one of the styles you'd like to use - either `assert`, `expect` or `should`:\n\n```js\nimport { assert } from 'chai'; // Using Assert style\nimport { expect } from 'chai'; // Using Expect style\nimport { should } from 'chai'; // Using Should style\n```\n\n### Register the chai testing style globally\n\n```js\nimport 'chai/register-assert'; // Using Assert style\nimport 'chai/register-expect'; // Using Expect style\nimport 'chai/register-should'; // Using Should style\n```\n\n### Import assertion styles as local variables\n\n```js\nimport { assert } from 'chai'; // Using Assert style\nimport { expect } from 'chai'; // Using Expect style\nimport { should } from 'chai'; // Using Should style\nshould(); // Modifies `Object.prototype`\n\nimport { expect, use } from 'chai'; // Creates local variables `expect` and `use`; useful for plugin use\n```\n\n### Usage with Mocha\n\n```bash\nmocha spec.js --require chai/register-assert.js # Using Assert style\nmocha spec.js --require chai/register-expect.js # Using Expect style\nmocha spec.js --require chai/register-should.js # Using Should style\n```\n\n[Read more about these styles in our docs](http://chaijs.com/guide/styles/).\n\n## Plugins\n\nChai offers a robust Plugin architecture for extending Chai's assertions and interfaces.\n\n- Need a plugin? View the [official plugin list](http://chaijs.com/plugins).\n- Want to build a plugin? Read the [plugin api documentation](http://chaijs.com/guide/plugins/).\n- Have a plugin and want it listed? Simply add the following keywords to your package.json:\n - `chai-plugin`\n - `browser` if your plugin works in the browser as well as Node.js\n - `browser-only` if your plugin does not work with Node.js\n\n### Related Projects\n\n- [chaijs / chai-docs](https://github.com/chaijs/chai-docs): The chaijs.com website source code.\n- [chaijs / assertion-error](https://github.com/chaijs/assertion-error): Custom `Error` constructor thrown upon an assertion failing.\n- [chaijs / deep-eql](https://github.com/chaijs/deep-eql): Improved deep equality testing for Node.js and the browser.\n- [chaijs / check-error](https://github.com/chaijs/check-error): Error comparison and information related utility for Node.js and the browser.\n- [chaijs / loupe](https://github.com/chaijs/loupe): Inspect utility for Node.js and browsers.\n- [chaijs / pathval](https://github.com/chaijs/pathval): Object value retrieval given a string path.\n\n### Contributing\n\nThank you very much for considering to contribute!\n\nPlease make sure you follow our [Code Of Conduct](https://github.com/chaijs/chai/blob/master/CODE_OF_CONDUCT.md) and we also strongly recommend reading our [Contributing Guide](https://github.com/chaijs/chai/blob/master/CONTRIBUTING.md).\n\nHere are a few issues other contributors frequently ran into when opening pull requests:\n\n- Please do not commit changes to the `chai.js` build. We do it once per release.\n- Before pushing your commits, please make sure you [rebase](https://github.com/chaijs/chai/blob/master/CONTRIBUTING.md#pull-requests) them.\n\n### Contributors\n\nPlease see the full\n[Contributors Graph](https://github.com/chaijs/chai/graphs/contributors) for our\nlist of contributors.\n\n### Core Contributors\n\nFeel free to reach out to any of the core contributors with your questions or\nconcerns. We will do our best to respond in a timely manner.\n\n[![Keith Cirkel](https://avatars3.githubusercontent.com/u/118266?v=3&s=50)](https://github.com/keithamus)\n[![James Garbutt](https://avatars3.githubusercontent.com/u/5677153?v=3&s=50)](https://github.com/43081j)\n[![Kristján Oddsson](https://avatars3.githubusercontent.com/u/318208?v=3&s=50)](https://github.com/koddsson)\n\n### Core Contributor Alumni\n\nThis project would not be what it is without the contributions from our prior\ncore contributors, for whom we are forever grateful:\n\n[![Jake Luer](https://avatars3.githubusercontent.com/u/58988?v=3&s=50)](https://github.com/logicalparadox)\n[![Veselin Todorov](https://avatars3.githubusercontent.com/u/330048?v=3&s=50)](https://github.com/vesln)\n[![Lucas Fernandes da Costa](https://avatars3.githubusercontent.com/u/6868147?v=3&s=50)](https://github.com/lucasfcosta)\n[![Grant Snodgrass](https://avatars3.githubusercontent.com/u/17260989?v=3&s=50)](https://github.com/meeber)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/chai/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/check-error/README.md ---\n

\n \n \"ChaiJS\"\n \n
\n check-error\n

\n\n

\n Error comparison and information related utility for node and the browser.\n

\n\n## What is Check-Error?\n\nCheck-Error is a module which you can use to retrieve an Error's information such as its `message` or `constructor` name and also to check whether two Errors are compatible based on their messages, constructors or even instances.\n\n## Installation\n\n### Node.js\n\n`check-error` is available on [npm](http://npmjs.org). To install it, type:\n\n $ npm install check-error\n\n### Browsers\n\nYou can also use it within the browser; install via npm and use the `check-error.js` file found within the download. For example:\n\n```html\n\n```\n\n## Usage\n\nThe primary export of `check-error` is an object which has the following methods:\n\n* `compatibleInstance(err, errorLike)` - Checks if an error is compatible with another `errorLike` object. If `errorLike` is an error instance we do a strict comparison, otherwise we return `false` by default, because instances of objects can only be compatible if they're both error instances.\n* `compatibleConstructor(err, errorLike)` - Checks if an error's constructor is compatible with another `errorLike` object. If `err` has the same constructor as `errorLike` or if `err` is an instance of `errorLike`.\n* `compatibleMessage(err, errMatcher)` - Checks if an error message is compatible with an `errMatcher` RegExp or String (we check if the message contains the String).\n* `getConstructorName(errorLike)` - Retrieves the name of a constructor, an error's constructor or `errorLike` itself if it's not an error instance or constructor.\n* `getMessage(err)` - Retrieves the message of an error or `err` itself if it's a String. If `err` or `err.message` is undefined we return an empty String.\n\n```js\nvar checkError = require('check-error');\n```\n\n#### .compatibleInstance(err, errorLike)\n\n```js\nvar checkError = require('check-error');\n\nvar funcThatThrows = function() { throw new TypeError('I am a TypeError') };\nvar caughtErr;\n\ntry {\n funcThatThrows();\n} catch(e) {\n caughtErr = e;\n}\n\nvar sameInstance = caughtErr;\n\ncheckError.compatibleInstance(caughtErr, sameInstance); // true\ncheckError.compatibleInstance(caughtErr, new TypeError('Another error')); // false\n```\n\n#### .compatibleConstructor(err, errorLike)\n\n```js\nvar checkError = require('check-error');\n\nvar funcThatThrows = function() { throw new TypeError('I am a TypeError') };\nvar caughtErr;\n\ntry {\n funcThatThrows();\n} catch(e) {\n caughtErr = e;\n}\n\ncheckError.compatibleConstructor(caughtErr, Error); // true\ncheckError.compatibleConstructor(caughtErr, TypeError); // true\ncheckError.compatibleConstructor(caughtErr, RangeError); // false\n```\n\n#### .compatibleMessage(err, errMatcher)\n\n```js\nvar checkError = require('check-error');\n\nvar funcThatThrows = function() { throw new TypeError('I am a TypeError') };\nvar caughtErr;\n\ntry {\n funcThatThrows();\n} catch(e) {\n caughtErr = e;\n}\n\nvar sameInstance = caughtErr;\n\ncheckError.compatibleMessage(caughtErr, /TypeError$/); // true\ncheckError.compatibleMessage(caughtErr, 'I am a'); // true\ncheckError.compatibleMessage(caughtErr, /unicorn/); // false\ncheckError.compatibleMessage(caughtErr, 'I do not exist'); // false\n```\n\n#### .getConstructorName(errorLike)\n\n```js\nvar checkError = require('check-error');\n\nvar funcThatThrows = function() { throw new TypeError('I am a TypeError') };\nvar caughtErr;\n\ntry {\n funcThatThrows();\n} catch(e) {\n caughtErr = e;\n}\n\nvar sameInstance = caughtErr;\n\ncheckError.getConstructorName(caughtErr) // 'TypeError'\n```\n\n#### .getMessage(err)\n\n```js\nvar checkError = require('check-error');\n\nvar funcThatThrows = function() { throw new TypeError('I am a TypeError') };\nvar caughtErr;\n\ntry {\n funcThatThrows();\n} catch(e) {\n caughtErr = e;\n}\n\nvar sameInstance = caughtErr;\n\ncheckError.getMessage(caughtErr) // 'I am a TypeError'\n```\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/check-error/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/content-disposition/README.md ---\n# content-disposition\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build Status][github-actions-ci-image]][github-actions-ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nCreate and parse HTTP `Content-Disposition` header\n\n## Installation\n\n```sh\n$ npm install content-disposition\n```\n\n## API\n\n```js\nvar contentDisposition = require('content-disposition')\n```\n\n### contentDisposition(filename, options)\n\nCreate an attachment `Content-Disposition` header value using the given file name,\nif supplied. The `filename` is optional and if no file name is desired, but you\nwant to specify `options`, set `filename` to `undefined`.\n\n```js\nres.setHeader('Content-Disposition', contentDisposition('∫ maths.pdf'))\n```\n\n**note** HTTP headers are of the ISO-8859-1 character set. If you are writing this\nheader through a means different from `setHeader` in Node.js, you'll want to specify\nthe `'binary'` encoding in Node.js.\n\n#### Options\n\n`contentDisposition` accepts these properties in the options object.\n\n##### fallback\n\nIf the `filename` option is outside ISO-8859-1, then the file name is actually\nstored in a supplemental field for clients that support Unicode file names and\na ISO-8859-1 version of the file name is automatically generated.\n\nThis specifies the ISO-8859-1 file name to override the automatic generation or\ndisables the generation all together, defaults to `true`.\n\n - A string will specify the ISO-8859-1 file name to use in place of automatic\n generation.\n - `false` will disable including a ISO-8859-1 file name and only include the\n Unicode version (unless the file name is already ISO-8859-1).\n - `true` will enable automatic generation if the file name is outside ISO-8859-1.\n\nIf the `filename` option is ISO-8859-1 and this option is specified and has a\ndifferent value, then the `filename` option is encoded in the extended field\nand this set as the fallback field, even though they are both ISO-8859-1.\n\n##### type\n\nSpecifies the disposition type, defaults to `\"attachment\"`. This can also be\n`\"inline\"`, or any other value (all values except inline are treated like\n`attachment`, but can convey additional information if both parties agree to\nit). The type is normalized to lower-case.\n\n### contentDisposition.parse(string)\n\n```js\nvar disposition = contentDisposition.parse('attachment; filename=\"EURO rates.txt\"; filename*=UTF-8\\'\\'%e2%82%ac%20rates.txt')\n```\n\nParse a `Content-Disposition` header string. This automatically handles extended\n(\"Unicode\") parameters by decoding them and providing them under the standard\nparameter name. This will return an object with the following properties (examples\nare shown for the string `'attachment; filename=\"EURO rates.txt\"; filename*=UTF-8\\'\\'%e2%82%ac%20rates.txt'`):\n\n - `type`: The disposition type (always lower case). Example: `'attachment'`\n\n - `parameters`: An object of the parameters in the disposition (name of parameter\n always lower case and extended versions replace non-extended versions). Example:\n `{filename: \"€ rates.txt\"}`\n\n## Examples\n\n### Send a file for download\n\n```js\nvar contentDisposition = require('content-disposition')\nvar destroy = require('destroy')\nvar fs = require('fs')\nvar http = require('http')\nvar onFinished = require('on-finished')\n\nvar filePath = '/path/to/public/plans.pdf'\n\nhttp.createServer(function onRequest (req, res) {\n // set headers\n res.setHeader('Content-Type', 'application/pdf')\n res.setHeader('Content-Disposition', contentDisposition(filePath))\n\n // send file\n var stream = fs.createReadStream(filePath)\n stream.pipe(res)\n onFinished(res, function () {\n destroy(stream)\n })\n})\n```\n\n## Testing\n\n```sh\n$ npm test\n```\n\n## References\n\n- [RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1][rfc-2616]\n- [RFC 5987: Character Set and Language Encoding for Hypertext Transfer Protocol (HTTP) Header Field Parameters][rfc-5987]\n- [RFC 6266: Use of the Content-Disposition Header Field in the Hypertext Transfer Protocol (HTTP)][rfc-6266]\n- [Test Cases for HTTP Content-Disposition header field (RFC 6266) and the Encodings defined in RFCs 2047, 2231 and 5987][tc-2231]\n\n[rfc-2616]: https://tools.ietf.org/html/rfc2616\n[rfc-5987]: https://tools.ietf.org/html/rfc5987\n[rfc-6266]: https://tools.ietf.org/html/rfc6266\n[tc-2231]: http://greenbytes.de/tech/tc2231/\n\n## License\n\n[MIT](LICENSE)\n\n[npm-image]: https://img.shields.io/npm/v/content-disposition.svg\n[npm-url]: https://npmjs.org/package/content-disposition\n[node-version-image]: https://img.shields.io/node/v/content-disposition.svg\n[node-version-url]: https://nodejs.org/en/download\n[coveralls-image]: https://img.shields.io/coveralls/jshttp/content-disposition.svg\n[coveralls-url]: https://coveralls.io/r/jshttp/content-disposition?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/content-disposition.svg\n[downloads-url]: https://npmjs.org/package/content-disposition\n[github-actions-ci-image]: https://img.shields.io/github/workflow/status/jshttp/content-disposition/ci/master?label=ci\n[github-actions-ci-url]: https://github.com/jshttp/content-disposition?query=workflow%3Aci\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/content-disposition/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/content-type/README.md ---\n# content-type\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][ci-image]][ci-url]\n[![Coverage Status][coveralls-image]][coveralls-url]\n\nCreate and parse HTTP Content-Type header according to RFC 7231\n\n## Installation\n\n```sh\n$ npm install content-type\n```\n\n## API\n\n```js\nvar contentType = require('content-type')\n```\n\n### contentType.parse(string)\n\n```js\nvar obj = contentType.parse('image/svg+xml; charset=utf-8')\n```\n\nParse a `Content-Type` header. This will return an object with the following\nproperties (examples are shown for the string `'image/svg+xml; charset=utf-8'`):\n\n - `type`: The media type (the type and subtype, always lower case).\n Example: `'image/svg+xml'`\n\n - `parameters`: An object of the parameters in the media type (name of parameter\n always lower case). Example: `{charset: 'utf-8'}`\n\nThrows a `TypeError` if the string is missing or invalid.\n\n### contentType.parse(req)\n\n```js\nvar obj = contentType.parse(req)\n```\n\nParse the `Content-Type` header from the given `req`. Short-cut for\n`contentType.parse(req.headers['content-type'])`.\n\nThrows a `TypeError` if the `Content-Type` header is missing or invalid.\n\n### contentType.parse(res)\n\n```js\nvar obj = contentType.parse(res)\n```\n\nParse the `Content-Type` header set on the given `res`. Short-cut for\n`contentType.parse(res.getHeader('content-type'))`.\n\nThrows a `TypeError` if the `Content-Type` header is missing or invalid.\n\n### contentType.format(obj)\n\n```js\nvar str = contentType.format({\n type: 'image/svg+xml',\n parameters: { charset: 'utf-8' }\n})\n```\n\nFormat an object into a `Content-Type` header. This will return a string of the\ncontent type for the given object with the following properties (examples are\nshown that produce the string `'image/svg+xml; charset=utf-8'`):\n\n - `type`: The media type (will be lower-cased). Example: `'image/svg+xml'`\n\n - `parameters`: An object of the parameters in the media type (name of the\n parameter will be lower-cased). Example: `{charset: 'utf-8'}`\n\nThrows a `TypeError` if the object contains an invalid type or parameter names.\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://badgen.net/github/checks/jshttp/content-type/master?label=ci\n[ci-url]: https://github.com/jshttp/content-type/actions/workflows/ci.yml\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/content-type/master\n[coveralls-url]: https://coveralls.io/r/jshttp/content-type?branch=master\n[node-image]: https://badgen.net/npm/node/content-type\n[node-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/content-type\n[npm-url]: https://npmjs.org/package/content-type\n[npm-version-image]: https://badgen.net/npm/v/content-type\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/content-type/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/cookie/README.md ---\n# cookie\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][ci-image]][ci-url]\n[![Coverage Status][coveralls-image]][coveralls-url]\n\nBasic HTTP cookie parser and serializer for HTTP servers.\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install cookie\n```\n\n## API\n\n```js\nvar cookie = require('cookie');\n```\n\n### cookie.parse(str, options)\n\nParse an HTTP `Cookie` header string and returning an object of all cookie name-value pairs.\nThe `str` argument is the string representing a `Cookie` header value and `options` is an\noptional object containing additional parsing options.\n\n```js\nvar cookies = cookie.parse('foo=bar; equation=E%3Dmc%5E2');\n// { foo: 'bar', equation: 'E=mc^2' }\n```\n\n#### Options\n\n`cookie.parse` accepts these properties in the options object.\n\n##### decode\n\nSpecifies a function that will be used to decode a cookie's value. Since the value of a cookie\nhas a limited character set (and must be a simple string), this function can be used to decode\na previously-encoded cookie value into a JavaScript string or other object.\n\nThe default function is the global `decodeURIComponent`, which will decode any URL-encoded\nsequences into their byte representations.\n\n**note** if an error is thrown from this function, the original, non-decoded cookie value will\nbe returned as the cookie's value.\n\n### cookie.serialize(name, value, options)\n\nSerialize a cookie name-value pair into a `Set-Cookie` header string. The `name` argument is the\nname for the cookie, the `value` argument is the value to set the cookie to, and the `options`\nargument is an optional object containing additional serialization options.\n\n```js\nvar setCookie = cookie.serialize('foo', 'bar');\n// foo=bar\n```\n\n#### Options\n\n`cookie.serialize` accepts these properties in the options object.\n\n##### domain\n\nSpecifies the value for the [`Domain` `Set-Cookie` attribute][rfc-6265-5.2.3]. By default, no\ndomain is set, and most clients will consider the cookie to apply to only the current domain.\n\n##### encode\n\nSpecifies a function that will be used to encode a cookie's value. Since value of a cookie\nhas a limited character set (and must be a simple string), this function can be used to encode\na value into a string suited for a cookie's value.\n\nThe default function is the global `encodeURIComponent`, which will encode a JavaScript string\ninto UTF-8 byte sequences and then URL-encode any that fall outside of the cookie range.\n\n##### expires\n\nSpecifies the `Date` object to be the value for the [`Expires` `Set-Cookie` attribute][rfc-6265-5.2.1].\nBy default, no expiration is set, and most clients will consider this a \"non-persistent cookie\" and\nwill delete it on a condition like exiting a web browser application.\n\n**note** the [cookie storage model specification][rfc-6265-5.3] states that if both `expires` and\n`maxAge` are set, then `maxAge` takes precedence, but it is possible not all clients by obey this,\nso if both are set, they should point to the same date and time.\n\n##### httpOnly\n\nSpecifies the `boolean` value for the [`HttpOnly` `Set-Cookie` attribute][rfc-6265-5.2.6]. When truthy,\nthe `HttpOnly` attribute is set, otherwise it is not. By default, the `HttpOnly` attribute is not set.\n\n**note** be careful when setting this to `true`, as compliant clients will not allow client-side\nJavaScript to see the cookie in `document.cookie`.\n\n##### maxAge\n\nSpecifies the `number` (in seconds) to be the value for the [`Max-Age` `Set-Cookie` attribute][rfc-6265-5.2.2].\nThe given number will be converted to an integer by rounding down. By default, no maximum age is set.\n\n**note** the [cookie storage model specification][rfc-6265-5.3] states that if both `expires` and\n`maxAge` are set, then `maxAge` takes precedence, but it is possible not all clients by obey this,\nso if both are set, they should point to the same date and time.\n\n##### partitioned\n\nSpecifies the `boolean` value for the [`Partitioned` `Set-Cookie`](rfc-cutler-httpbis-partitioned-cookies)\nattribute. When truthy, the `Partitioned` attribute is set, otherwise it is not. By default, the\n`Partitioned` attribute is not set.\n\n**note** This is an attribute that has not yet been fully standardized, and may change in the future.\nThis also means many clients may ignore this attribute until they understand it.\n\nMore information about can be found in [the proposal](https://github.com/privacycg/CHIPS).\n\n##### path\n\nSpecifies the value for the [`Path` `Set-Cookie` attribute][rfc-6265-5.2.4]. By default, the path\nis considered the [\"default path\"][rfc-6265-5.1.4].\n\n##### priority\n\nSpecifies the `string` to be the value for the [`Priority` `Set-Cookie` attribute][rfc-west-cookie-priority-00-4.1].\n\n - `'low'` will set the `Priority` attribute to `Low`.\n - `'medium'` will set the `Priority` attribute to `Medium`, the default priority when not set.\n - `'high'` will set the `Priority` attribute to `High`.\n\nMore information about the different priority levels can be found in\n[the specification][rfc-west-cookie-priority-00-4.1].\n\n**note** This is an attribute that has not yet been fully standardized, and may change in the future.\nThis also means many clients may ignore this attribute until they understand it.\n\n##### sameSite\n\nSpecifies the `boolean` or `string` to be the value for the [`SameSite` `Set-Cookie` attribute][rfc-6265bis-09-5.4.7].\n\n - `true` will set the `SameSite` attribute to `Strict` for strict same site enforcement.\n - `false` will not set the `SameSite` attribute.\n - `'lax'` will set the `SameSite` attribute to `Lax` for lax same site enforcement.\n - `'none'` will set the `SameSite` attribute to `None` for an explicit cross-site cookie.\n - `'strict'` will set the `SameSite` attribute to `Strict` for strict same site enforcement.\n\nMore information about the different enforcement levels can be found in\n[the specification][rfc-6265bis-09-5.4.7].\n\n**note** This is an attribute that has not yet been fully standardized, and may change in the future.\nThis also means many clients may ignore this attribute until they understand it.\n\n##### secure\n\nSpecifies the `boolean` value for the [`Secure` `Set-Cookie` attribute][rfc-6265-5.2.5]. When truthy,\nthe `Secure` attribute is set, otherwise it is not. By default, the `Secure` attribute is not set.\n\n**note** be careful when setting this to `true`, as compliant clients will not send the cookie back to\nthe server in the future if the browser does not have an HTTPS connection.\n\n## Example\n\nThe following example uses this module in conjunction with the Node.js core HTTP server\nto prompt a user for their name and display it back on future visits.\n\n```js\nvar cookie = require('cookie');\nvar escapeHtml = require('escape-html');\nvar http = require('http');\nvar url = require('url');\n\nfunction onRequest(req, res) {\n // Parse the query string\n var query = url.parse(req.url, true, true).query;\n\n if (query && query.name) {\n // Set a new cookie with the name\n res.setHeader('Set-Cookie', cookie.serialize('name', String(query.name), {\n httpOnly: true,\n maxAge: 60 * 60 * 24 * 7 // 1 week\n }));\n\n // Redirect back after setting cookie\n res.statusCode = 302;\n res.setHeader('Location', req.headers.referer || '/');\n res.end();\n return;\n }\n\n // Parse the cookies on the request\n var cookies = cookie.parse(req.headers.cookie || '');\n\n // Get the visitor name set in the cookie\n var name = cookies.name;\n\n res.setHeader('Content-Type', 'text/html; charset=UTF-8');\n\n if (name) {\n res.write('

Welcome back, ' + escapeHtml(name) + '!

');\n } else {\n res.write('

Hello, new visitor!

');\n }\n\n res.write('
');\n res.write(' ');\n res.end('
');\n}\n\nhttp.createServer(onRequest).listen(3000);\n```\n\n## Testing\n\n```sh\n$ npm test\n```\n\n## Benchmark\n\n```\n$ npm run bench\n\n> cookie@0.5.0 bench\n> node benchmark/index.js\n\n node@18.18.2\n acorn@8.10.0\n ada@2.6.0\n ares@1.19.1\n brotli@1.0.9\n cldr@43.1\n icu@73.2\n llhttp@6.0.11\n modules@108\n napi@9\n nghttp2@1.57.0\n nghttp3@0.7.0\n ngtcp2@0.8.1\n openssl@3.0.10+quic\n simdutf@3.2.14\n tz@2023c\n undici@5.26.3\n unicode@15.0\n uv@1.44.2\n uvwasi@0.0.18\n v8@10.2.154.26-node.26\n zlib@1.2.13.1-motley\n\n> node benchmark/parse-top.js\n\n cookie.parse - top sites\n\n 14 tests completed.\n\n parse accounts.google.com x 2,588,913 ops/sec ±0.74% (186 runs sampled)\n parse apple.com x 2,370,002 ops/sec ±0.69% (186 runs sampled)\n parse cloudflare.com x 2,213,102 ops/sec ±0.88% (188 runs sampled)\n parse docs.google.com x 2,194,157 ops/sec ±1.03% (184 runs sampled)\n parse drive.google.com x 2,265,084 ops/sec ±0.79% (187 runs sampled)\n parse en.wikipedia.org x 457,099 ops/sec ±0.81% (186 runs sampled)\n parse linkedin.com x 504,407 ops/sec ±0.89% (186 runs sampled)\n parse maps.google.com x 1,230,959 ops/sec ±0.98% (186 runs sampled)\n parse microsoft.com x 926,294 ops/sec ±0.88% (184 runs sampled)\n parse play.google.com x 2,311,338 ops/sec ±0.83% (185 runs sampled)\n parse support.google.com x 1,508,850 ops/sec ±0.86% (186 runs sampled)\n parse www.google.com x 1,022,582 ops/sec ±1.32% (182 runs sampled)\n parse youtu.be x 332,136 ops/sec ±1.02% (185 runs sampled)\n parse youtube.com x 323,833 ops/sec ±0.77% (183 runs sampled)\n\n> node benchmark/parse.js\n\n cookie.parse - generic\n\n 6 tests completed.\n\n simple x 3,214,032 ops/sec ±1.61% (183 runs sampled)\n decode x 587,237 ops/sec ±1.16% (187 runs sampled)\n unquote x 2,954,618 ops/sec ±1.35% (183 runs sampled)\n duplicates x 857,008 ops/sec ±0.89% (187 runs sampled)\n 10 cookies x 292,133 ops/sec ±0.89% (187 runs sampled)\n 100 cookies x 22,610 ops/sec ±0.68% (187 runs sampled)\n```\n\n## References\n\n- [RFC 6265: HTTP State Management Mechanism][rfc-6265]\n- [Same-site Cookies][rfc-6265bis-09-5.4.7]\n\n[rfc-cutler-httpbis-partitioned-cookies]: https://tools.ietf.org/html/draft-cutler-httpbis-partitioned-cookies/\n[rfc-west-cookie-priority-00-4.1]: https://tools.ietf.org/html/draft-west-cookie-priority-00#section-4.1\n[rfc-6265bis-09-5.4.7]: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-09#section-5.4.7\n[rfc-6265]: https://tools.ietf.org/html/rfc6265\n[rfc-6265-5.1.4]: https://tools.ietf.org/html/rfc6265#section-5.1.4\n[rfc-6265-5.2.1]: https://tools.ietf.org/html/rfc6265#section-5.2.1\n[rfc-6265-5.2.2]: https://tools.ietf.org/html/rfc6265#section-5.2.2\n[rfc-6265-5.2.3]: https://tools.ietf.org/html/rfc6265#section-5.2.3\n[rfc-6265-5.2.4]: https://tools.ietf.org/html/rfc6265#section-5.2.4\n[rfc-6265-5.2.5]: https://tools.ietf.org/html/rfc6265#section-5.2.5\n[rfc-6265-5.2.6]: https://tools.ietf.org/html/rfc6265#section-5.2.6\n[rfc-6265-5.3]: https://tools.ietf.org/html/rfc6265#section-5.3\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://badgen.net/github/checks/jshttp/cookie/master?label=ci\n[ci-url]: https://github.com/jshttp/cookie/actions/workflows/ci.yml\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/cookie/master\n[coveralls-url]: https://coveralls.io/r/jshttp/cookie?branch=master\n[node-image]: https://badgen.net/npm/node/cookie\n[node-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/cookie\n[npm-url]: https://npmjs.org/package/cookie\n[npm-version-image]: https://badgen.net/npm/v/cookie\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/cookie/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/cors/README.md ---\n# cors\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Build Status][travis-image]][travis-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nCORS is a node.js package for providing a [Connect](http://www.senchalabs.org/connect/)/[Express](http://expressjs.com/) middleware that can be used to enable [CORS](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing) with various options.\n\n**[Follow me (@troygoode) on Twitter!](https://twitter.com/intent/user?screen_name=troygoode)**\n\n* [Installation](#installation)\n* [Usage](#usage)\n * [Simple Usage](#simple-usage-enable-all-cors-requests)\n * [Enable CORS for a Single Route](#enable-cors-for-a-single-route)\n * [Configuring CORS](#configuring-cors)\n * [Configuring CORS Asynchronously](#configuring-cors-asynchronously)\n * [Enabling CORS Pre-Flight](#enabling-cors-pre-flight)\n* [Configuration Options](#configuration-options)\n* [Demo](#demo)\n* [License](#license)\n* [Author](#author)\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install cors\n```\n\n## Usage\n\n### Simple Usage (Enable *All* CORS Requests)\n\n```javascript\nvar express = require('express')\nvar cors = require('cors')\nvar app = express()\n\napp.use(cors())\n\napp.get('/products/:id', function (req, res, next) {\n res.json({msg: 'This is CORS-enabled for all origins!'})\n})\n\napp.listen(80, function () {\n console.log('CORS-enabled web server listening on port 80')\n})\n```\n\n### Enable CORS for a Single Route\n\n```javascript\nvar express = require('express')\nvar cors = require('cors')\nvar app = express()\n\napp.get('/products/:id', cors(), function (req, res, next) {\n res.json({msg: 'This is CORS-enabled for a Single Route'})\n})\n\napp.listen(80, function () {\n console.log('CORS-enabled web server listening on port 80')\n})\n```\n\n### Configuring CORS\n\n```javascript\nvar express = require('express')\nvar cors = require('cors')\nvar app = express()\n\nvar corsOptions = {\n origin: 'http://example.com',\n optionsSuccessStatus: 200 // some legacy browsers (IE11, various SmartTVs) choke on 204\n}\n\napp.get('/products/:id', cors(corsOptions), function (req, res, next) {\n res.json({msg: 'This is CORS-enabled for only example.com.'})\n})\n\napp.listen(80, function () {\n console.log('CORS-enabled web server listening on port 80')\n})\n```\n\n### Configuring CORS w/ Dynamic Origin\n\n```javascript\nvar express = require('express')\nvar cors = require('cors')\nvar app = express()\n\nvar whitelist = ['http://example1.com', 'http://example2.com']\nvar corsOptions = {\n origin: function (origin, callback) {\n if (whitelist.indexOf(origin) !== -1) {\n callback(null, true)\n } else {\n callback(new Error('Not allowed by CORS'))\n }\n }\n}\n\napp.get('/products/:id', cors(corsOptions), function (req, res, next) {\n res.json({msg: 'This is CORS-enabled for a whitelisted domain.'})\n})\n\napp.listen(80, function () {\n console.log('CORS-enabled web server listening on port 80')\n})\n```\n\nIf you do not want to block REST tools or server-to-server requests,\nadd a `!origin` check in the origin function like so:\n\n```javascript\nvar corsOptions = {\n origin: function (origin, callback) {\n if (whitelist.indexOf(origin) !== -1 || !origin) {\n callback(null, true)\n } else {\n callback(new Error('Not allowed by CORS'))\n }\n }\n}\n```\n\n### Enabling CORS Pre-Flight\n\nCertain CORS requests are considered 'complex' and require an initial\n`OPTIONS` request (called the \"pre-flight request\"). An example of a\n'complex' CORS request is one that uses an HTTP verb other than\nGET/HEAD/POST (such as DELETE) or that uses custom headers. To enable\npre-flighting, you must add a new OPTIONS handler for the route you want\nto support:\n\n```javascript\nvar express = require('express')\nvar cors = require('cors')\nvar app = express()\n\napp.options('/products/:id', cors()) // enable pre-flight request for DELETE request\napp.del('/products/:id', cors(), function (req, res, next) {\n res.json({msg: 'This is CORS-enabled for all origins!'})\n})\n\napp.listen(80, function () {\n console.log('CORS-enabled web server listening on port 80')\n})\n```\n\nYou can also enable pre-flight across-the-board like so:\n\n```javascript\napp.options('*', cors()) // include before other routes\n```\n\n### Configuring CORS Asynchronously\n\n```javascript\nvar express = require('express')\nvar cors = require('cors')\nvar app = express()\n\nvar whitelist = ['http://example1.com', 'http://example2.com']\nvar corsOptionsDelegate = function (req, callback) {\n var corsOptions;\n if (whitelist.indexOf(req.header('Origin')) !== -1) {\n corsOptions = { origin: true } // reflect (enable) the requested origin in the CORS response\n } else {\n corsOptions = { origin: false } // disable CORS for this request\n }\n callback(null, corsOptions) // callback expects two parameters: error and options\n}\n\napp.get('/products/:id', cors(corsOptionsDelegate), function (req, res, next) {\n res.json({msg: 'This is CORS-enabled for a whitelisted domain.'})\n})\n\napp.listen(80, function () {\n console.log('CORS-enabled web server listening on port 80')\n})\n```\n\n## Configuration Options\n\n* `origin`: Configures the **Access-Control-Allow-Origin** CORS header. Possible values:\n - `Boolean` - set `origin` to `true` to reflect the [request origin](http://tools.ietf.org/html/draft-abarth-origin-09), as defined by `req.header('Origin')`, or set it to `false` to disable CORS.\n - `String` - set `origin` to a specific origin. For example if you set it to `\"http://example.com\"` only requests from \"http://example.com\" will be allowed.\n - `RegExp` - set `origin` to a regular expression pattern which will be used to test the request origin. If it's a match, the request origin will be reflected. For example the pattern `/example\\.com$/` will reflect any request that is coming from an origin ending with \"example.com\".\n - `Array` - set `origin` to an array of valid origins. Each origin can be a `String` or a `RegExp`. For example `[\"http://example1.com\", /\\.example2\\.com$/]` will accept any request from \"http://example1.com\" or from a subdomain of \"example2.com\".\n - `Function` - set `origin` to a function implementing some custom logic. The function takes the request origin as the first parameter and a callback (which expects the signature `err [object], allow [bool]`) as the second.\n* `methods`: Configures the **Access-Control-Allow-Methods** CORS header. Expects a comma-delimited string (ex: 'GET,PUT,POST') or an array (ex: `['GET', 'PUT', 'POST']`).\n* `allowedHeaders`: Configures the **Access-Control-Allow-Headers** CORS header. Expects a comma-delimited string (ex: 'Content-Type,Authorization') or an array (ex: `['Content-Type', 'Authorization']`). If not specified, defaults to reflecting the headers specified in the request's **Access-Control-Request-Headers** header.\n* `exposedHeaders`: Configures the **Access-Control-Expose-Headers** CORS header. Expects a comma-delimited string (ex: 'Content-Range,X-Content-Range') or an array (ex: `['Content-Range', 'X-Content-Range']`). If not specified, no custom headers are exposed.\n* `credentials`: Configures the **Access-Control-Allow-Credentials** CORS header. Set to `true` to pass the header, otherwise it is omitted.\n* `maxAge`: Configures the **Access-Control-Max-Age** CORS header. Set to an integer to pass the header, otherwise it is omitted.\n* `preflightContinue`: Pass the CORS preflight response to the next handler.\n* `optionsSuccessStatus`: Provides a status code to use for successful `OPTIONS` requests, since some legacy browsers (IE11, various SmartTVs) choke on `204`.\n\nThe default configuration is the equivalent of:\n\n```json\n{\n \"origin\": \"*\",\n \"methods\": \"GET,HEAD,PUT,PATCH,POST,DELETE\",\n \"preflightContinue\": false,\n \"optionsSuccessStatus\": 204\n}\n```\n\nFor details on the effect of each CORS header, read [this](http://www.html5rocks.com/en/tutorials/cors/) article on HTML5 Rocks.\n\n## Demo\n\nA demo that illustrates CORS working (and not working) using jQuery is available here: [http://node-cors-client.herokuapp.com/](http://node-cors-client.herokuapp.com/)\n\nCode for that demo can be found here:\n\n* Client: [https://github.com/TroyGoode/node-cors-client](https://github.com/TroyGoode/node-cors-client)\n* Server: [https://github.com/TroyGoode/node-cors-server](https://github.com/TroyGoode/node-cors-server)\n\n## License\n\n[MIT License](http://www.opensource.org/licenses/mit-license.php)\n\n## Author\n\n[Troy Goode](https://github.com/TroyGoode) ([troygoode@gmail.com](mailto:troygoode@gmail.com))\n\n[coveralls-image]: https://img.shields.io/coveralls/expressjs/cors/master.svg\n[coveralls-url]: https://coveralls.io/r/expressjs/cors?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/cors.svg\n[downloads-url]: https://npmjs.org/package/cors\n[npm-image]: https://img.shields.io/npm/v/cors.svg\n[npm-url]: https://npmjs.org/package/cors\n[travis-image]: https://img.shields.io/travis/expressjs/cors/master.svg\n[travis-url]: https://travis-ci.org/expressjs/cors\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/cors/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/cross-spawn/README.md ---\n# cross-spawn\n\n[![NPM version][npm-image]][npm-url] [![Downloads][downloads-image]][npm-url] [![Build Status][ci-image]][ci-url] [![Build status][appveyor-image]][appveyor-url]\n\n[npm-url]:https://npmjs.org/package/cross-spawn\n[downloads-image]:https://img.shields.io/npm/dm/cross-spawn.svg\n[npm-image]:https://img.shields.io/npm/v/cross-spawn.svg\n[ci-url]:https://github.com/moxystudio/node-cross-spawn/actions/workflows/ci.yaml\n[ci-image]:https://github.com/moxystudio/node-cross-spawn/actions/workflows/ci.yaml/badge.svg\n[appveyor-url]:https://ci.appveyor.com/project/satazor/node-cross-spawn\n[appveyor-image]:https://img.shields.io/appveyor/ci/satazor/node-cross-spawn/master.svg\n\nA cross platform solution to node's spawn and spawnSync.\n\n## Installation\n\nNode.js version 8 and up:\n`$ npm install cross-spawn`\n\nNode.js version 7 and under:\n`$ npm install cross-spawn@6`\n\n## Why\n\nNode has issues when using spawn on Windows:\n\n- It ignores [PATHEXT](https://github.com/joyent/node/issues/2318)\n- It does not support [shebangs](https://en.wikipedia.org/wiki/Shebang_(Unix))\n- Has problems running commands with [spaces](https://github.com/nodejs/node/issues/7367)\n- Has problems running commands with posix relative paths (e.g.: `./my-folder/my-executable`)\n- Has an [issue](https://github.com/moxystudio/node-cross-spawn/issues/82) with command shims (files in `node_modules/.bin/`), where arguments with quotes and parenthesis would result in [invalid syntax error](https://github.com/moxystudio/node-cross-spawn/blob/e77b8f22a416db46b6196767bcd35601d7e11d54/test/index.test.js#L149)\n- No `options.shell` support on node `` where `` must not contain any arguments. \nIf you would like to have the shebang support improved, feel free to contribute via a pull-request.\n\nRemember to always test your code on Windows!\n\n\n## Tests\n\n`$ npm test` \n`$ npm test -- --watch` during development\n\n\n## License\n\nReleased under the [MIT License](https://www.opensource.org/licenses/mit-license.php).\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/cross-spawn/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/debug/README.md ---\n# debug\n[![OpenCollective](https://opencollective.com/debug/backers/badge.svg)](#backers)\n[![OpenCollective](https://opencollective.com/debug/sponsors/badge.svg)](#sponsors)\n\n\n\nA tiny JavaScript debugging utility modelled after Node.js core's debugging\ntechnique. Works in Node.js and web browsers.\n\n## Installation\n\n```bash\n$ npm install debug\n```\n\n## Usage\n\n`debug` exposes a function; simply pass this function the name of your module, and it will return a decorated version of `console.error` for you to pass debug statements to. This will allow you to toggle the debug output for different parts of your module as well as the module as a whole.\n\nExample [_app.js_](./examples/node/app.js):\n\n```js\nvar debug = require('debug')('http')\n , http = require('http')\n , name = 'My App';\n\n// fake app\n\ndebug('booting %o', name);\n\nhttp.createServer(function(req, res){\n debug(req.method + ' ' + req.url);\n res.end('hello\\n');\n}).listen(3000, function(){\n debug('listening');\n});\n\n// fake worker of some kind\n\nrequire('./worker');\n```\n\nExample [_worker.js_](./examples/node/worker.js):\n\n```js\nvar a = require('debug')('worker:a')\n , b = require('debug')('worker:b');\n\nfunction work() {\n a('doing lots of uninteresting work');\n setTimeout(work, Math.random() * 1000);\n}\n\nwork();\n\nfunction workb() {\n b('doing some work');\n setTimeout(workb, Math.random() * 2000);\n}\n\nworkb();\n```\n\nThe `DEBUG` environment variable is then used to enable these based on space or\ncomma-delimited names.\n\nHere are some examples:\n\n\"screen\n\"screen\n\"screen\n\n#### Windows command prompt notes\n\n##### CMD\n\nOn Windows the environment variable is set using the `set` command.\n\n```cmd\nset DEBUG=*,-not_this\n```\n\nExample:\n\n```cmd\nset DEBUG=* & node app.js\n```\n\n##### PowerShell (VS Code default)\n\nPowerShell uses different syntax to set environment variables.\n\n```cmd\n$env:DEBUG = \"*,-not_this\"\n```\n\nExample:\n\n```cmd\n$env:DEBUG='app';node app.js\n```\n\nThen, run the program to be debugged as usual.\n\nnpm script example:\n```js\n \"windowsDebug\": \"@powershell -Command $env:DEBUG='*';node app.js\",\n```\n\n## Namespace Colors\n\nEvery debug instance has a color generated for it based on its namespace name.\nThis helps when visually parsing the debug output to identify which debug instance\na debug line belongs to.\n\n#### Node.js\n\nIn Node.js, colors are enabled when stderr is a TTY. You also _should_ install\nthe [`supports-color`](https://npmjs.org/supports-color) module alongside debug,\notherwise debug will only use a small handful of basic colors.\n\n\n\n#### Web Browser\n\nColors are also enabled on \"Web Inspectors\" that understand the `%c` formatting\noption. These are WebKit web inspectors, Firefox ([since version\n31](https://hacks.mozilla.org/2014/05/editable-box-model-multiple-selection-sublime-text-keys-much-more-firefox-developer-tools-episode-31/))\nand the Firebug plugin for Firefox (any version).\n\n\n\n\n## Millisecond diff\n\nWhen actively developing an application it can be useful to see when the time spent between one `debug()` call and the next. Suppose for example you invoke `debug()` before requesting a resource, and after as well, the \"+NNNms\" will show you how much time was spent between calls.\n\n\n\nWhen stdout is not a TTY, `Date#toISOString()` is used, making it more useful for logging the debug information as shown below:\n\n\n\n\n## Conventions\n\nIf you're using this in one or more of your libraries, you _should_ use the name of your library so that developers may toggle debugging as desired without guessing names. If you have more than one debuggers you _should_ prefix them with your library name and use \":\" to separate features. For example \"bodyParser\" from Connect would then be \"connect:bodyParser\". If you append a \"*\" to the end of your name, it will always be enabled regardless of the setting of the DEBUG environment variable. You can then use it for normal output as well as debug output.\n\n## Wildcards\n\nThe `*` character may be used as a wildcard. Suppose for example your library has\ndebuggers named \"connect:bodyParser\", \"connect:compress\", \"connect:session\",\ninstead of listing all three with\n`DEBUG=connect:bodyParser,connect:compress,connect:session`, you may simply do\n`DEBUG=connect:*`, or to run everything using this module simply use `DEBUG=*`.\n\nYou can also exclude specific debuggers by prefixing them with a \"-\" character.\nFor example, `DEBUG=*,-connect:*` would include all debuggers except those\nstarting with \"connect:\".\n\n## Environment Variables\n\nWhen running through Node.js, you can set a few environment variables that will\nchange the behavior of the debug logging:\n\n| Name | Purpose |\n|-----------|-------------------------------------------------|\n| `DEBUG` | Enables/disables specific debugging namespaces. |\n| `DEBUG_HIDE_DATE` | Hide date from debug output (non-TTY). |\n| `DEBUG_COLORS`| Whether or not to use colors in the debug output. |\n| `DEBUG_DEPTH` | Object inspection depth. |\n| `DEBUG_SHOW_HIDDEN` | Shows hidden properties on inspected objects. |\n\n\n__Note:__ The environment variables beginning with `DEBUG_` end up being\nconverted into an Options object that gets used with `%o`/`%O` formatters.\nSee the Node.js documentation for\n[`util.inspect()`](https://nodejs.org/api/util.html#util_util_inspect_object_options)\nfor the complete list.\n\n## Formatters\n\nDebug uses [printf-style](https://wikipedia.org/wiki/Printf_format_string) formatting.\nBelow are the officially supported formatters:\n\n| Formatter | Representation |\n|-----------|----------------|\n| `%O` | Pretty-print an Object on multiple lines. |\n| `%o` | Pretty-print an Object all on a single line. |\n| `%s` | String. |\n| `%d` | Number (both integer and float). |\n| `%j` | JSON. Replaced with the string '[Circular]' if the argument contains circular references. |\n| `%%` | Single percent sign ('%'). This does not consume an argument. |\n\n\n### Custom formatters\n\nYou can add custom formatters by extending the `debug.formatters` object.\nFor example, if you wanted to add support for rendering a Buffer as hex with\n`%h`, you could do something like:\n\n```js\nconst createDebug = require('debug')\ncreateDebug.formatters.h = (v) => {\n return v.toString('hex')\n}\n\n// …elsewhere\nconst debug = createDebug('foo')\ndebug('this is hex: %h', new Buffer('hello world'))\n// foo this is hex: 68656c6c6f20776f726c6421 +0ms\n```\n\n\n## Browser Support\n\nYou can build a browser-ready script using [browserify](https://github.com/substack/node-browserify),\nor just use the [browserify-as-a-service](https://wzrd.in/) [build](https://wzrd.in/standalone/debug@latest),\nif you don't want to build it yourself.\n\nDebug's enable state is currently persisted by `localStorage`.\nConsider the situation shown below where you have `worker:a` and `worker:b`,\nand wish to debug both. You can enable this using `localStorage.debug`:\n\n```js\nlocalStorage.debug = 'worker:*'\n```\n\nAnd then refresh the page.\n\n```js\na = debug('worker:a');\nb = debug('worker:b');\n\nsetInterval(function(){\n a('doing some work');\n}, 1000);\n\nsetInterval(function(){\n b('doing some work');\n}, 1200);\n```\n\nIn Chromium-based web browsers (e.g. Brave, Chrome, and Electron), the JavaScript console will—by default—only show messages logged by `debug` if the \"Verbose\" log level is _enabled_.\n\n\n\n## Output streams\n\n By default `debug` will log to stderr, however this can be configured per-namespace by overriding the `log` method:\n\nExample [_stdout.js_](./examples/node/stdout.js):\n\n```js\nvar debug = require('debug');\nvar error = debug('app:error');\n\n// by default stderr is used\nerror('goes to stderr!');\n\nvar log = debug('app:log');\n// set this namespace to log via console.log\nlog.log = console.log.bind(console); // don't forget to bind to console!\nlog('goes to stdout');\nerror('still goes to stderr!');\n\n// set all output to go via console.info\n// overrides all per-namespace log settings\ndebug.log = console.info.bind(console);\nerror('now goes to stdout via console.info');\nlog('still goes to stdout, but via console.info now');\n```\n\n## Extend\nYou can simply extend debugger \n```js\nconst log = require('debug')('auth');\n\n//creates new debug instance with extended namespace\nconst logSign = log.extend('sign');\nconst logLogin = log.extend('login');\n\nlog('hello'); // auth hello\nlogSign('hello'); //auth:sign hello\nlogLogin('hello'); //auth:login hello\n```\n\n## Set dynamically\n\nYou can also enable debug dynamically by calling the `enable()` method :\n\n```js\nlet debug = require('debug');\n\nconsole.log(1, debug.enabled('test'));\n\ndebug.enable('test');\nconsole.log(2, debug.enabled('test'));\n\ndebug.disable();\nconsole.log(3, debug.enabled('test'));\n\n```\n\nprint : \n```\n1 false\n2 true\n3 false\n```\n\nUsage : \n`enable(namespaces)` \n`namespaces` can include modes separated by a colon and wildcards.\n \nNote that calling `enable()` completely overrides previously set DEBUG variable : \n\n```\n$ DEBUG=foo node -e 'var dbg = require(\"debug\"); dbg.enable(\"bar\"); console.log(dbg.enabled(\"foo\"))'\n=> false\n```\n\n`disable()`\n\nWill disable all namespaces. The functions returns the namespaces currently\nenabled (and skipped). This can be useful if you want to disable debugging\ntemporarily without knowing what was enabled to begin with.\n\nFor example:\n\n```js\nlet debug = require('debug');\ndebug.enable('foo:*,-foo:bar');\nlet namespaces = debug.disable();\ndebug.enable(namespaces);\n```\n\nNote: There is no guarantee that the string will be identical to the initial\nenable string, but semantically they will be identical.\n\n## Checking whether a debug target is enabled\n\nAfter you've created a debug instance, you can determine whether or not it is\nenabled by checking the `enabled` property:\n\n```javascript\nconst debug = require('debug')('http');\n\nif (debug.enabled) {\n // do stuff...\n}\n```\n\nYou can also manually toggle this property to force the debug instance to be\nenabled or disabled.\n\n## Usage in child processes\n\nDue to the way `debug` detects if the output is a TTY or not, colors are not shown in child processes when `stderr` is piped. A solution is to pass the `DEBUG_COLORS=1` environment variable to the child process. \nFor example:\n\n```javascript\nworker = fork(WORKER_WRAP_PATH, [workerPath], {\n stdio: [\n /* stdin: */ 0,\n /* stdout: */ 'pipe',\n /* stderr: */ 'pipe',\n 'ipc',\n ],\n env: Object.assign({}, process.env, {\n DEBUG_COLORS: 1 // without this settings, colors won't be shown\n }),\n});\n\nworker.stderr.pipe(process.stderr, { end: false });\n```\n\n\n## Authors\n\n - TJ Holowaychuk\n - Nathan Rajlich\n - Andrew Rhyne\n - Josh Junon\n\n## Backers\n\nSupport us with a monthly donation and help us continue our activities. [[Become a backer](https://opencollective.com/debug#backer)]\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n## Sponsors\n\nBecome a sponsor and get your logo on our README on Github with a link to your site. [[Become a sponsor](https://opencollective.com/debug#sponsor)]\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n## License\n\n(The MIT License)\n\nCopyright (c) 2014-2017 TJ Holowaychuk <tj@vision-media.ca>\nCopyright (c) 2018-2021 Josh Junon\n\nPermission is hereby granted, free of charge, to any person obtaining\na copy of this software and associated documentation files (the\n'Software'), to deal in the Software without restriction, including\nwithout limitation the rights to use, copy, modify, merge, publish,\ndistribute, sublicense, and/or sell copies of the Software, and to\npermit persons to whom the Software is furnished to do so, subject to\nthe following conditions:\n\nThe above copyright notice and this permission notice shall be\nincluded in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.\nIN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY\nCLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,\nTORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE\nSOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/debug/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/deep-eql/README.md ---\n

\n \n \"deep-eql\"\n \n

\n\n

\n Improved deep equality testing for node and the browser.\n

\n\n

\n \n \n \n \n \n \n \n \n \n
\n \n \n \n \n \n \n

\n\n## What is Deep-Eql?\n\nDeep Eql is a module which you can use to determine if two objects are \"deeply\" equal - that is, rather than having referential equality (`a === b`), this module checks an object's keys recursively, until it finds primitives to check for referential equality. For more on equality in JavaScript, read [the comparison operators article on mdn](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Comparison_Operators).\n\nAs an example, take the following:\n\n```js\n1 === 1 // These are primitives, they hold the same reference - they are strictly equal\n1 == '1' // These are two different primitives, through type coercion they hold the same value - they are loosely equal\n{ a: 1 } !== { a: 1 } // These are two different objects, they hold different references and so are not strictly equal - even though they hold the same values inside\n{ a: 1 } != { a: 1 } // They have the same type, meaning loose equality performs the same check as strict equality - they are still not equal.\n\nvar deepEql = require(\"deep-eql\");\ndeepEql({ a: 1 }, { a: 1 }) === true // deepEql can determine that they share the same keys and those keys share the same values, therefore they are deeply equal!\n```\n\n## Installation\n\n### Node.js\n\n`deep-eql` is available on [npm](http://npmjs.org).\n\n $ npm install deep-eql\n\n## Usage\n\nThe primary export of `deep-eql` is function that can be given two objects to compare. It will always return a boolean which can be used to determine if two objects are deeply equal.\n\n### Rules\n\n- Strict equality for non-traversable nodes according to [`Object.is`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/is):\n - `eql(NaN, NaN).should.be.true;`\n - `eql(-0, +0).should.be.false;`\n- All own and inherited enumerable properties are considered:\n - `eql(Object.create({ foo: { a: 1 } }), Object.create({ foo: { a: 1 } })).should.be.true;`\n - `eql(Object.create({ foo: { a: 1 } }), Object.create({ foo: { a: 2 } })).should.be.false;`\n- When comparing `Error` objects, only `name`, `message`, and `code` properties are considered, regardless of enumerability:\n - `eql(Error('foo'), Error('foo')).should.be.true;`\n - `eql(Error('foo'), Error('bar')).should.be.false;`\n - `eql(Error('foo'), TypeError('foo')).should.be.false;`\n - `eql(Object.assign(Error('foo'), { code: 42 }), Object.assign(Error('foo'), { code: 42 })).should.be.true;`\n - `eql(Object.assign(Error('foo'), { code: 42 }), Object.assign(Error('foo'), { code: 13 })).should.be.false;`\n - `eql(Object.assign(Error('foo'), { otherProp: 42 }), Object.assign(Error('foo'), { otherProp: 13 })).should.be.true;`\n- Arguments are not Arrays:\n - `eql([], arguments).should.be.false;`\n - `eql([], Array.prototype.slice.call(arguments)).should.be.true;`\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/deep-eql/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/dunder-proto/README.md ---\n# dunder-proto [![Version Badge][npm-version-svg]][package-url]\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nIf available, the `Object.prototype.__proto__` accessor and mutator, call-bound.\n\n## Getting started\n\n```sh\nnpm install --save dunder-proto\n```\n\n## Usage/Examples\n\n```js\nconst assert = require('assert');\nconst getDunder = require('dunder-proto/get');\nconst setDunder = require('dunder-proto/set');\n\nconst obj = {};\n\nassert.equal('toString' in obj, true);\nassert.equal(getDunder(obj), Object.prototype);\n\nsetDunder(obj, null);\n\nassert.equal('toString' in obj, false);\nassert.equal(getDunder(obj), null);\n```\n\n## Tests\n\nClone the repo, `npm install`, and run `npm test`\n\n[package-url]: https://npmjs.org/package/dunder-proto\n[npm-version-svg]: https://versionbadg.es/es-shims/dunder-proto.svg\n[deps-svg]: https://david-dm.org/es-shims/dunder-proto.svg\n[deps-url]: https://david-dm.org/es-shims/dunder-proto\n[dev-deps-svg]: https://david-dm.org/es-shims/dunder-proto/dev-status.svg\n[dev-deps-url]: https://david-dm.org/es-shims/dunder-proto#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/dunder-proto.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/dunder-proto.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/dunder-proto.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=dunder-proto\n[codecov-image]: https://codecov.io/gh/es-shims/dunder-proto/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/es-shims/dunder-proto/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/es-shims/dunder-proto\n[actions-url]: https://github.com/es-shims/dunder-proto/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/dunder-proto/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/ee-first/README.md ---\n# EE First\n\n[![NPM version][npm-image]][npm-url]\n[![Build status][travis-image]][travis-url]\n[![Test coverage][coveralls-image]][coveralls-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n[![Gittip][gittip-image]][gittip-url]\n\nGet the first event in a set of event emitters and event pairs,\nthen clean up after itself.\n\n## Install\n\n```sh\n$ npm install ee-first\n```\n\n## API\n\n```js\nvar first = require('ee-first')\n```\n\n### first(arr, listener)\n\nInvoke `listener` on the first event from the list specified in `arr`. `arr` is\nan array of arrays, with each array in the format `[ee, ...event]`. `listener`\nwill be called only once, the first time any of the given events are emitted. If\n`error` is one of the listened events, then if that fires first, the `listener`\nwill be given the `err` argument.\n\nThe `listener` is invoked as `listener(err, ee, event, args)`, where `err` is the\nfirst argument emitted from an `error` event, if applicable; `ee` is the event\nemitter that fired; `event` is the string event name that fired; and `args` is an\narray of the arguments that were emitted on the event.\n\n```js\nvar ee1 = new EventEmitter()\nvar ee2 = new EventEmitter()\n\nfirst([\n [ee1, 'close', 'end', 'error'],\n [ee2, 'error']\n], function (err, ee, event, args) {\n // listener invoked\n})\n```\n\n#### .cancel()\n\nThe group of listeners can be cancelled before being invoked and have all the event\nlisteners removed from the underlying event emitters.\n\n```js\nvar thunk = first([\n [ee1, 'close', 'end', 'error'],\n [ee2, 'error']\n], function (err, ee, event, args) {\n // listener invoked\n})\n\n// cancel and clean up\nthunk.cancel()\n```\n\n[npm-image]: https://img.shields.io/npm/v/ee-first.svg?style=flat-square\n[npm-url]: https://npmjs.org/package/ee-first\n[github-tag]: http://img.shields.io/github/tag/jonathanong/ee-first.svg?style=flat-square\n[github-url]: https://github.com/jonathanong/ee-first/tags\n[travis-image]: https://img.shields.io/travis/jonathanong/ee-first.svg?style=flat-square\n[travis-url]: https://travis-ci.org/jonathanong/ee-first\n[coveralls-image]: https://img.shields.io/coveralls/jonathanong/ee-first.svg?style=flat-square\n[coveralls-url]: https://coveralls.io/r/jonathanong/ee-first?branch=master\n[license-image]: http://img.shields.io/npm/l/ee-first.svg?style=flat-square\n[license-url]: LICENSE.md\n[downloads-image]: http://img.shields.io/npm/dm/ee-first.svg?style=flat-square\n[downloads-url]: https://npmjs.org/package/ee-first\n[gittip-image]: https://img.shields.io/gittip/jonathanong.svg?style=flat-square\n[gittip-url]: https://www.gittip.com/jonathanong/\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/ee-first/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/encodeurl/README.md ---\n# Encode URL\n\nEncode a URL to a percent-encoded form, excluding already-encoded sequences.\n\n## Installation\n\n```sh\nnpm install encodeurl\n```\n\n## API\n\n```js\nvar encodeUrl = require('encodeurl')\n```\n\n### encodeUrl(url)\n\nEncode a URL to a percent-encoded form, excluding already-encoded sequences.\n\nThis function accepts a URL and encodes all the non-URL code points (as UTF-8 byte sequences). It will not encode the \"%\" character unless it is not part of a valid sequence (`%20` will be left as-is, but `%foo` will be encoded as `%25foo`).\n\nThis encode is meant to be \"safe\" and does not throw errors. It will try as hard as it can to properly encode the given URL, including replacing any raw, unpaired surrogate pairs with the Unicode replacement character prior to encoding.\n\n## Examples\n\n### Encode a URL containing user-controlled data\n\n```js\nvar encodeUrl = require('encodeurl')\nvar escapeHtml = require('escape-html')\n\nhttp.createServer(function onRequest (req, res) {\n // get encoded form of inbound url\n var url = encodeUrl(req.url)\n\n // create html message\n var body = '

Location ' + escapeHtml(url) + ' not found

'\n\n // send a 404\n res.statusCode = 404\n res.setHeader('Content-Type', 'text/html; charset=UTF-8')\n res.setHeader('Content-Length', String(Buffer.byteLength(body, 'utf-8')))\n res.end(body, 'utf-8')\n})\n```\n\n### Encode a URL for use in a header field\n\n```js\nvar encodeUrl = require('encodeurl')\nvar escapeHtml = require('escape-html')\nvar url = require('url')\n\nhttp.createServer(function onRequest (req, res) {\n // parse inbound url\n var href = url.parse(req)\n\n // set new host for redirect\n href.host = 'localhost'\n href.protocol = 'https:'\n href.slashes = true\n\n // create location header\n var location = encodeUrl(url.format(href))\n\n // create html message\n var body = '

Redirecting to new site: ' + escapeHtml(location) + '

'\n\n // send a 301\n res.statusCode = 301\n res.setHeader('Content-Type', 'text/html; charset=UTF-8')\n res.setHeader('Content-Length', String(Buffer.byteLength(body, 'utf-8')))\n res.setHeader('Location', location)\n res.end(body, 'utf-8')\n})\n```\n\n## Similarities\n\nThis function is _similar_ to the intrinsic function `encodeURI`. However, it will not encode:\n\n* The `\\`, `^`, or `|` characters\n* The `%` character when it's part of a valid sequence\n* `[` and `]` (for IPv6 hostnames)\n* Replaces raw, unpaired surrogate pairs with the Unicode replacement character\n\nAs a result, the encoding aligns closely with the behavior in the [WHATWG URL specification][whatwg-url]. However, this package only encodes strings and does not do any URL parsing or formatting.\n\nIt is expected that any output from `new URL(url)` will not change when used with this package, as the output has already been encoded. Additionally, if we were to encode before `new URL(url)`, we do not expect the before and after encoded formats to be parsed any differently.\n\n## Testing\n\n```sh\n$ npm test\n$ npm run lint\n```\n\n## References\n\n- [RFC 3986: Uniform Resource Identifier (URI): Generic Syntax][rfc-3986]\n- [WHATWG URL Living Standard][whatwg-url]\n\n[rfc-3986]: https://tools.ietf.org/html/rfc3986\n[whatwg-url]: https://url.spec.whatwg.org/\n\n## License\n\n[MIT](LICENSE)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/encodeurl/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/es-define-property/README.md ---\n# es-define-property [![Version Badge][npm-version-svg]][package-url]\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\n`Object.defineProperty`, but not IE 8's broken one.\n\n## Example\n\n```js\nconst assert = require('assert');\n\nconst $defineProperty = require('es-define-property');\n\nif ($defineProperty) {\n assert.equal($defineProperty, Object.defineProperty);\n} else if (Object.defineProperty) {\n assert.equal($defineProperty, false, 'this is IE 8');\n} else {\n assert.equal($defineProperty, false, 'this is an ES3 engine');\n}\n```\n\n## Tests\nSimply clone the repo, `npm install`, and run `npm test`\n\n## Security\n\nPlease email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.\n\n[package-url]: https://npmjs.org/package/es-define-property\n[npm-version-svg]: https://versionbadg.es/ljharb/es-define-property.svg\n[deps-svg]: https://david-dm.org/ljharb/es-define-property.svg\n[deps-url]: https://david-dm.org/ljharb/es-define-property\n[dev-deps-svg]: https://david-dm.org/ljharb/es-define-property/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/es-define-property#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/es-define-property.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/es-define-property.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/es-define-property.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=es-define-property\n[codecov-image]: https://codecov.io/gh/ljharb/es-define-property/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/es-define-property/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/es-define-property\n[actions-url]: https://github.com/ljharb/es-define-property/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/es-define-property/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/es-errors/README.md ---\n# es-errors [![Version Badge][npm-version-svg]][package-url]\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nA simple cache for a few of the JS Error constructors.\n\n## Example\n\n```js\nconst assert = require('assert');\n\nconst Base = require('es-errors');\nconst Eval = require('es-errors/eval');\nconst Range = require('es-errors/range');\nconst Ref = require('es-errors/ref');\nconst Syntax = require('es-errors/syntax');\nconst Type = require('es-errors/type');\nconst URI = require('es-errors/uri');\n\nassert.equal(Base, Error);\nassert.equal(Eval, EvalError);\nassert.equal(Range, RangeError);\nassert.equal(Ref, ReferenceError);\nassert.equal(Syntax, SyntaxError);\nassert.equal(Type, TypeError);\nassert.equal(URI, URIError);\n```\n\n## Tests\nSimply clone the repo, `npm install`, and run `npm test`\n\n## Security\n\nPlease email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.\n\n[package-url]: https://npmjs.org/package/es-errors\n[npm-version-svg]: https://versionbadg.es/ljharb/es-errors.svg\n[deps-svg]: https://david-dm.org/ljharb/es-errors.svg\n[deps-url]: https://david-dm.org/ljharb/es-errors\n[dev-deps-svg]: https://david-dm.org/ljharb/es-errors/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/es-errors#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/es-errors.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/es-errors.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/es-errors.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=es-errors\n[codecov-image]: https://codecov.io/gh/ljharb/es-errors/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/es-errors/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/es-errors\n[actions-url]: https://github.com/ljharb/es-errors/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/es-errors/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/es-module-lexer/README.md ---\n# ES Module Lexer\r\n\r\n[![Build Status][actions-image]][actions-url]\r\n\r\nA JS module syntax lexer used in [es-module-shims](https://github.com/guybedford/es-module-shims).\r\n\r\nOutputs the list of exports and locations of import specifiers, including dynamic import and import meta handling.\r\n\r\nSupports new syntax features including import attributes and source phase imports.\r\n\r\nA very small single JS file (4KiB gzipped) that includes inlined Web Assembly for very fast source analysis of ECMAScript module syntax only.\r\n\r\nFor an example of the performance, Angular 1 (720KiB) is fully parsed in 5ms, in comparison to the fastest JS parser, Acorn which takes over 100ms.\r\n\r\n_Comprehensively handles the JS language grammar while remaining small and fast. - ~10ms per MB of JS cold and ~5ms per MB of JS warm, [see benchmarks](#benchmarks) for more info._\r\n\r\n> [Built with](https://github.com/guybedford/es-module-lexer/blob/main/chompfile.toml) [Chomp](https://chompbuild.com/)\r\n\r\n### Usage\r\n\r\n```\r\nnpm install es-module-lexer\r\n```\r\n\r\nSee [src/lexer.ts](src/lexer.ts) for the type definitions.\r\n\r\nFor use in CommonJS:\r\n\r\n```js\r\nconst { init, parse } = require('es-module-lexer');\r\n\r\n(async () => {\r\n // either await init, or call parse asynchronously\r\n // this is necessary for the Web Assembly boot\r\n await init;\r\n\r\n const source = 'export var p = 5';\r\n const [imports, exports] = parse(source);\r\n \r\n // Returns \"p\"\r\n source.slice(exports[0].s, exports[0].e);\r\n // Returns \"p\"\r\n source.slice(exports[0].ls, exports[0].le);\r\n})();\r\n```\r\n\r\nAn ES module version is also available:\r\n\r\n```js\r\nimport { init, parse } from 'es-module-lexer';\r\n\r\n(async () => {\r\n await init;\r\n\r\n const source = `\r\n import { name } from 'mod\\\\u1011';\r\n import json from './json.json' assert { type: 'json' }\r\n export var p = 5;\r\n export function q () {\r\n\r\n };\r\n export { x as 'external name' } from 'external';\r\n\r\n // Comments provided to demonstrate edge cases\r\n import /*comment!*/ ( 'asdf', { assert: { type: 'json' }});\r\n import /*comment!*/.meta.asdf;\r\n\r\n // Source phase imports:\r\n import source mod from './mod.wasm';\r\n import.source('./mod.wasm');\r\n `;\r\n\r\n const [imports, exports] = parse(source, 'optional-sourcename');\r\n\r\n // Returns \"modထ\"\r\n imports[0].n\r\n // Returns \"mod\\u1011\"\r\n source.slice(imports[0].s, imports[0].e);\r\n // \"s\" = start\r\n // \"e\" = end\r\n\r\n // Returns \"import { name } from 'mod'\"\r\n source.slice(imports[0].ss, imports[0].se);\r\n // \"ss\" = statement start\r\n // \"se\" = statement end\r\n\r\n // Returns \"{ type: 'json' }\"\r\n source.slice(imports[1].a, imports[1].se);\r\n // \"a\" = assert, -1 for no assertion\r\n\r\n // Returns \"external\"\r\n source.slice(imports[2].s, imports[2].e);\r\n\r\n // Returns \"p\"\r\n source.slice(exports[0].s, exports[0].e);\r\n // Returns \"p\"\r\n source.slice(exports[0].ls, exports[0].le);\r\n // Returns \"q\"\r\n source.slice(exports[1].s, exports[1].e);\r\n // Returns \"q\"\r\n source.slice(exports[1].ls, exports[1].le);\r\n // Returns \"'external name'\"\r\n source.slice(exports[2].s, exports[2].e);\r\n // Returns -1\r\n exports[2].ls;\r\n // Returns -1\r\n exports[2].le;\r\n\r\n // Import type is provided by `t` value\r\n // (1 for static, 2, for dynamic)\r\n // Returns true\r\n imports[2].t == 2;\r\n\r\n // Returns \"asdf\" (only for string literal dynamic imports)\r\n imports[2].n\r\n // Returns \"import /*comment!*/ ( 'asdf', { assert: { type: 'json' } })\"\r\n source.slice(imports[3].ss, imports[3].se);\r\n // Returns \"'asdf'\"\r\n source.slice(imports[3].s, imports[3].e);\r\n // Returns \"( 'asdf', { assert: { type: 'json' } })\"\r\n source.slice(imports[3].d, imports[3].se);\r\n // Returns \"{ assert: { type: 'json' } }\"\r\n source.slice(imports[3].a, imports[3].se - 1);\r\n\r\n // For non-string dynamic import expressions:\r\n // - n will be undefined\r\n // - a is currently -1 even if there is an assertion\r\n // - e is currently the character before the closing )\r\n\r\n // For nested dynamic imports, the se value of the outer import is -1 as end tracking does not\r\n // currently support nested dynamic immports\r\n\r\n // import.meta is indicated by imports[3].d === -2\r\n // Returns true\r\n imports[4].d === -2;\r\n // Returns \"import /*comment!*/.meta\"\r\n source.slice(imports[4].s, imports[4].e);\r\n // ss and se are the same for import meta\r\n\r\n // Returns \"'./mod.wasm'\"\r\n source.slice(imports[5].s, imports[5].e);\r\n\r\n // Import type 4 and 5 for static and dynamic source phase\r\n imports[5].t === 4;\r\n imports[6].t === 5;\r\n})();\r\n```\r\n\r\n### CSP asm.js Build\r\n\r\nThe default version of the library uses Wasm and (safe) eval usage for performance and a minimal footprint.\r\n\r\nNeither of these represent security escalation possibilities since there are no execution string injection vectors, but that can still violate existing CSP policies for applications.\r\n\r\nFor a version that works with CSP eval disabled, use the `es-module-lexer/js` build:\r\n\r\n```js\r\nimport { parse } from 'es-module-lexer/js';\r\n```\r\n\r\nInstead of Web Assembly, this uses an asm.js build which is almost as fast as the Wasm version ([see benchmarks below](#benchmarks)).\r\n\r\n### Escape Sequences\r\n\r\nTo handle escape sequences in specifier strings, the `.n` field of imported specifiers will be provided where possible.\r\n\r\nFor dynamic import expressions, this field will be empty if not a valid JS string.\r\n\r\n### Facade Detection\r\n\r\nFacade modules that only use import / export syntax can be detected via the third return value:\r\n\r\n```js\r\nconst [,, facade] = parse(`\r\n export * from 'external';\r\n import * as ns from 'external2';\r\n export { a as b } from 'external3';\r\n export { ns };\r\n`);\r\nfacade === true;\r\n```\r\n\r\n### ESM Detection\r\n\r\nModules that uses ESM syntaxes can be detected via the fourth return value:\r\n\r\n```js\r\nconst [,,, hasModuleSyntax] = parse(`\r\n export {}\r\n`);\r\nhasModuleSyntax === true;\r\n```\r\n\r\nDynamic imports are ignored since they can be used in Non-ESM files.\r\n\r\n```js\r\nconst [,,, hasModuleSyntax] = parse(`\r\n import('./foo.js')\r\n`);\r\nhasModuleSyntax === false;\r\n```\r\n\r\n### Environment Support\r\n\r\nNode.js 10+, and [all browsers with Web Assembly support](https://caniuse.com/#feat=wasm).\r\n\r\n### Grammar Support\r\n\r\n* Token state parses all line comments, block comments, strings, template strings, blocks, parens and punctuators.\r\n* Division operator / regex token ambiguity is handled via backtracking checks against punctuator prefixes, including closing brace or paren backtracking.\r\n* Always correctly parses valid JS source, but may parse invalid JS source without errors.\r\n\r\n### Limitations\r\n\r\nThe lexing approach is designed to deal with the full language grammar including RegEx / division operator ambiguity through backtracking and paren / brace tracking.\r\n\r\nThe only limitation to the reduced parser is that the \"exports\" list may not correctly gather all export identifiers in the following edge cases:\r\n\r\n```js\r\n// Only \"a\" is detected as an export, \"q\" isn't\r\nexport var a = 'asdf', q = z;\r\n\r\n// \"b\" is not detected as an export\r\nexport var { a: b } = asdf;\r\n```\r\n\r\nThe above cases are handled gracefully in that the lexer will keep going fine, it will just not properly detect the export names above.\r\n\r\n### Benchmarks\r\n\r\nBenchmarks can be run with `npm run bench`.\r\n\r\nCurrent results for a high spec machine:\r\n\r\n#### Wasm Build\r\n\r\n```\r\nModule load time\r\n> 5ms\r\nCold Run, All Samples\r\ntest/samples/*.js (3123 KiB)\r\n> 18ms\r\n\r\nWarm Runs (average of 25 runs)\r\ntest/samples/angular.js (739 KiB)\r\n> 3ms\r\ntest/samples/angular.min.js (188 KiB)\r\n> 1ms\r\ntest/samples/d3.js (508 KiB)\r\n> 3ms\r\ntest/samples/d3.min.js (274 KiB)\r\n> 2ms\r\ntest/samples/magic-string.js (35 KiB)\r\n> 0ms\r\ntest/samples/magic-string.min.js (20 KiB)\r\n> 0ms\r\ntest/samples/rollup.js (929 KiB)\r\n> 4.32ms\r\ntest/samples/rollup.min.js (429 KiB)\r\n> 2.16ms\r\n\r\nWarm Runs, All Samples (average of 25 runs)\r\ntest/samples/*.js (3123 KiB)\r\n> 14.16ms\r\n```\r\n\r\n#### JS Build (asm.js)\r\n\r\n```\r\nModule load time\r\n> 2ms\r\nCold Run, All Samples\r\ntest/samples/*.js (3123 KiB)\r\n> 34ms\r\n\r\nWarm Runs (average of 25 runs)\r\ntest/samples/angular.js (739 KiB)\r\n> 3ms\r\ntest/samples/angular.min.js (188 KiB)\r\n> 1ms\r\ntest/samples/d3.js (508 KiB)\r\n> 3ms\r\ntest/samples/d3.min.js (274 KiB)\r\n> 2ms\r\ntest/samples/magic-string.js (35 KiB)\r\n> 0ms\r\ntest/samples/magic-string.min.js (20 KiB)\r\n> 0ms\r\ntest/samples/rollup.js (929 KiB)\r\n> 5ms\r\ntest/samples/rollup.min.js (429 KiB)\r\n> 3.04ms\r\n\r\nWarm Runs, All Samples (average of 25 runs)\r\ntest/samples/*.js (3123 KiB)\r\n> 17.12ms\r\n```\r\n\r\n### Building\r\n\r\nThis project uses [Chomp](https://chompbuild.com) for building.\r\n\r\nWith Chomp installed, download the WASI SDK 12.0 from https://github.com/WebAssembly/wasi-sdk/releases/tag/wasi-sdk-12.\r\n\r\n- [Linux](https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-12/wasi-sdk-12.0-linux.tar.gz)\r\n- [Windows (MinGW)](https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-12/wasi-sdk-12.0-mingw.tar.gz)\r\n- [macOS](https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-12/wasi-sdk-12.0-macos.tar.gz)\r\n\r\nLocate the WASI-SDK as a sibling folder, or customize the path via the `WASI_PATH` environment variable.\r\n\r\nEmscripten emsdk is also assumed to be a sibling folder or via the `EMSDK_PATH` environment variable.\r\n\r\nExample setup:\r\n\r\n```\r\ngit clone https://github.com:guybedford/es-module-lexer\r\ngit clone https://github.com/emscripten-core/emsdk\r\ncd emsdk\r\ngit checkout 1.40.1-fastcomp\r\n./emsdk install 1.40.1-fastcomp\r\ncd ..\r\nwget https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-12/wasi-sdk-12.0-linux.tar.gz\r\ngunzip wasi-sdk-12.0-linux.tar.gz\r\ntar -xf wasi-sdk-12.0-linux.tar\r\nmv wasi-sdk-12.0-linux.tar wasi-sdk-12.0\r\ncargo install chompbuild\r\ncd es-module-lexer\r\nchomp test\r\n```\r\n\r\nFor the `asm.js` build, git clone `emsdk` from is assumed to be a sibling folder as well.\r\n\r\n### License\r\n\r\nMIT\r\n\r\n[actions-image]: https://github.com/guybedford/es-module-lexer/actions/workflows/build.yml/badge.svg\r\n[actions-url]: https://github.com/guybedford/es-module-lexer/actions/workflows/build.yml\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/es-module-lexer/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/es-object-atoms/README.md ---\n# es-object-atoms [![Version Badge][npm-version-svg]][package-url]\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nES Object-related atoms: Object, ToObject, RequireObjectCoercible.\n\n## Example\n\n```js\nconst assert = require('assert');\n\nconst $Object = require('es-object-atoms');\nconst isObject = require('es-object-atoms/isObject');\nconst ToObject = require('es-object-atoms/ToObject');\nconst RequireObjectCoercible = require('es-object-atoms/RequireObjectCoercible');\n\nassert.equal($Object, Object);\nassert.throws(() => ToObject(null), TypeError);\nassert.throws(() => ToObject(undefined), TypeError);\nassert.throws(() => RequireObjectCoercible(null), TypeError);\nassert.throws(() => RequireObjectCoercible(undefined), TypeError);\n\nassert.equal(isObject(undefined), false);\nassert.equal(isObject(null), false);\nassert.equal(isObject({}), true);\nassert.equal(isObject([]), true);\nassert.equal(isObject(function () {}), true);\n\nassert.deepEqual(RequireObjectCoercible(true), true);\nassert.deepEqual(ToObject(true), Object(true));\n\nconst obj = {};\nassert.equal(RequireObjectCoercible(obj), obj);\nassert.equal(ToObject(obj), obj);\n```\n\n## Tests\nSimply clone the repo, `npm install`, and run `npm test`\n\n## Security\n\nPlease email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.\n\n[package-url]: https://npmjs.org/package/es-object-atoms\n[npm-version-svg]: https://versionbadg.es/ljharb/es-object-atoms.svg\n[deps-svg]: https://david-dm.org/ljharb/es-object-atoms.svg\n[deps-url]: https://david-dm.org/ljharb/es-object-atoms\n[dev-deps-svg]: https://david-dm.org/ljharb/es-object-atoms/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/es-object-atoms#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/es-object-atoms.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/es-object-atoms.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/es-object.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=es-object-atoms\n[codecov-image]: https://codecov.io/gh/ljharb/es-object-atoms/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/es-object-atoms/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/es-object-atoms\n[actions-url]: https://github.com/ljharb/es-object-atoms/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/es-object-atoms/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/esbuild/README.md ---\n# esbuild\n\nThis is a JavaScript bundler and minifier. See https://github.com/evanw/esbuild and the [JavaScript API documentation](https://esbuild.github.io/api/) for details.\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/esbuild/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/estree-walker/README.md ---\n# estree-walker\n\nSimple utility for walking an [ESTree](https://github.com/estree/estree)-compliant AST, such as one generated by [acorn](https://github.com/marijnh/acorn).\n\n\n## Installation\n\n```bash\nnpm i estree-walker\n```\n\n\n## Usage\n\n```js\nvar walk = require('estree-walker').walk;\nvar acorn = require('acorn');\n\nast = acorn.parse(sourceCode, options); // https://github.com/acornjs/acorn\n\nwalk(ast, {\n enter(node, parent, prop, index) {\n // some code happens\n },\n leave(node, parent, prop, index) {\n // some code happens\n }\n});\n```\n\nInside the `enter` function, calling `this.skip()` will prevent the node's children being walked, or the `leave` function (which is optional) being called.\n\nCall `this.replace(new_node)` in either `enter` or `leave` to replace the current node with a new one.\n\nCall `this.remove()` in either `enter` or `leave` to remove the current node.\n\n## Why not use estraverse?\n\nThe ESTree spec is evolving to accommodate ES6/7. I've had a couple of experiences where [estraverse](https://github.com/estools/estraverse) was unable to handle an AST generated by recent versions of acorn, because it hard-codes visitor keys.\n\nestree-walker, by contrast, simply enumerates a node's properties to find child nodes (and child lists of nodes), and is therefore resistant to spec changes. It's also much smaller. (The performance, if you're wondering, is basically identical.)\n\nNone of which should be taken as criticism of estraverse, which has more features and has been battle-tested in many more situations, and for which I'm very grateful.\n\n\n## License\n\nMIT\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/estree-walker/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/etag/README.md ---\n# etag\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build Status][travis-image]][travis-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nCreate simple HTTP ETags\n\nThis module generates HTTP ETags (as defined in RFC 7232) for use in\nHTTP responses.\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install etag\n```\n\n## API\n\n\n\n```js\nvar etag = require('etag')\n```\n\n### etag(entity, [options])\n\nGenerate a strong ETag for the given entity. This should be the complete\nbody of the entity. Strings, `Buffer`s, and `fs.Stats` are accepted. By\ndefault, a strong ETag is generated except for `fs.Stats`, which will\ngenerate a weak ETag (this can be overwritten by `options.weak`).\n\n\n\n```js\nres.setHeader('ETag', etag(body))\n```\n\n#### Options\n\n`etag` accepts these properties in the options object.\n\n##### weak\n\nSpecifies if the generated ETag will include the weak validator mark (that\nis, the leading `W/`). The actual entity tag is the same. The default value\nis `false`, unless the `entity` is `fs.Stats`, in which case it is `true`.\n\n## Testing\n\n```sh\n$ npm test\n```\n\n## Benchmark\n\n```bash\n$ npm run-script bench\n\n> etag@1.8.1 bench nodejs-etag\n> node benchmark/index.js\n\n http_parser@2.7.0\n node@6.11.1\n v8@5.1.281.103\n uv@1.11.0\n zlib@1.2.11\n ares@1.10.1-DEV\n icu@58.2\n modules@48\n openssl@1.0.2k\n\n> node benchmark/body0-100b.js\n\n 100B body\n\n 4 tests completed.\n\n buffer - strong x 258,647 ops/sec ±1.07% (180 runs sampled)\n buffer - weak x 263,812 ops/sec ±0.61% (184 runs sampled)\n string - strong x 259,955 ops/sec ±1.19% (185 runs sampled)\n string - weak x 264,356 ops/sec ±1.09% (184 runs sampled)\n\n> node benchmark/body1-1kb.js\n\n 1KB body\n\n 4 tests completed.\n\n buffer - strong x 189,018 ops/sec ±1.12% (182 runs sampled)\n buffer - weak x 190,586 ops/sec ±0.81% (186 runs sampled)\n string - strong x 144,272 ops/sec ±0.96% (188 runs sampled)\n string - weak x 145,380 ops/sec ±1.43% (187 runs sampled)\n\n> node benchmark/body2-5kb.js\n\n 5KB body\n\n 4 tests completed.\n\n buffer - strong x 92,435 ops/sec ±0.42% (188 runs sampled)\n buffer - weak x 92,373 ops/sec ±0.58% (189 runs sampled)\n string - strong x 48,850 ops/sec ±0.56% (186 runs sampled)\n string - weak x 49,380 ops/sec ±0.56% (190 runs sampled)\n\n> node benchmark/body3-10kb.js\n\n 10KB body\n\n 4 tests completed.\n\n buffer - strong x 55,989 ops/sec ±0.93% (188 runs sampled)\n buffer - weak x 56,148 ops/sec ±0.55% (190 runs sampled)\n string - strong x 27,345 ops/sec ±0.43% (188 runs sampled)\n string - weak x 27,496 ops/sec ±0.45% (190 runs sampled)\n\n> node benchmark/body4-100kb.js\n\n 100KB body\n\n 4 tests completed.\n\n buffer - strong x 7,083 ops/sec ±0.22% (190 runs sampled)\n buffer - weak x 7,115 ops/sec ±0.26% (191 runs sampled)\n string - strong x 3,068 ops/sec ±0.34% (190 runs sampled)\n string - weak x 3,096 ops/sec ±0.35% (190 runs sampled)\n\n> node benchmark/stats.js\n\n stat\n\n 4 tests completed.\n\n real - strong x 871,642 ops/sec ±0.34% (189 runs sampled)\n real - weak x 867,613 ops/sec ±0.39% (190 runs sampled)\n fake - strong x 401,051 ops/sec ±0.40% (189 runs sampled)\n fake - weak x 400,100 ops/sec ±0.47% (188 runs sampled)\n```\n\n## License\n\n[MIT](LICENSE)\n\n[npm-image]: https://img.shields.io/npm/v/etag.svg\n[npm-url]: https://npmjs.org/package/etag\n[node-version-image]: https://img.shields.io/node/v/etag.svg\n[node-version-url]: https://nodejs.org/en/download/\n[travis-image]: https://img.shields.io/travis/jshttp/etag/master.svg\n[travis-url]: https://travis-ci.org/jshttp/etag\n[coveralls-image]: https://img.shields.io/coveralls/jshttp/etag/master.svg\n[coveralls-url]: https://coveralls.io/r/jshttp/etag?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/etag.svg\n[downloads-url]: https://npmjs.org/package/etag\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/etag/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/eventsource-parser/README.md ---\n# eventsource-parser\n\n[![npm version](https://img.shields.io/npm/v/eventsource-parser.svg?style=flat-square)](https://www.npmjs.com/package/eventsource-parser)[![npm bundle size](https://img.shields.io/bundlephobia/minzip/eventsource-parser?style=flat-square)](https://bundlephobia.com/result?p=eventsource-parser)[![npm weekly downloads](https://img.shields.io/npm/dw/eventsource-parser.svg?style=flat-square)](https://www.npmjs.com/package/eventsource-parser)\n\nA streaming parser for [server-sent events/eventsource](https://developer.mozilla.org/en-US/docs/Web/API/Server-sent_events), without any assumptions about how the actual stream of data is retrieved. It is intended to be a building block for [clients](https://github.com/rexxars/eventsource-client) and polyfills in javascript environments such as browsers, node.js and deno.\n\nIf you are looking for a modern client implementation, see [eventsource-client](https://github.com/rexxars/eventsource-client).\n\nYou create an instance of the parser, and _feed_ it chunks of data - partial or complete, and the parse emits parsed messages once it receives a complete message. A [TransformStream variant](#stream-usage) is also available for environments that support it (modern browsers, Node 18 and higher).\n\nOther modules in the EventSource family:\n\n- [eventsource-client](https://github.com/rexxars/eventsource-client): modern, feature rich eventsource client for browsers, node.js, bun, deno and other modern JavaScript environments.\n- [eventsource-encoder](https://github.com/rexxars/eventsource-encoder): encodes messages in the EventSource/Server-Sent Events format.\n- [eventsource](https://github.com/eventsource/eventsource): Node.js polyfill for the WhatWG EventSource API.\n\n> [!NOTE]\n> Migrating from eventsource-parser 1.x/2.x? See the [migration guide](./MIGRATE-v3.md).\n\n## Installation\n\n```bash\nnpm install --save eventsource-parser\n```\n\n## Usage\n\n```ts\nimport {createParser, type EventSourceMessage} from 'eventsource-parser'\n\nfunction onEvent(event: EventSourceMessage) {\n console.log('Received event!')\n console.log('id: %s', event.id || '')\n console.log('event: %s', event.event || '')\n console.log('data: %s', event.data)\n}\n\nconst parser = createParser({onEvent})\nconst sseStream = getSomeReadableStream()\n\nfor await (const chunk of sseStream) {\n parser.feed(chunk)\n}\n\n// If you want to re-use the parser for a new stream of events, make sure to reset it!\nparser.reset()\nconsole.log('Done!')\n```\n\n### Retry intervals\n\nIf the server sends a `retry` field in the event stream, the parser will call any `onRetry` callback specified to the `createParser` function:\n\n```ts\nconst parser = createParser({\n onRetry(retryInterval) {\n console.log('Server requested retry interval of %dms', retryInterval)\n },\n onEvent(event) {\n // …\n },\n})\n```\n\n### Parse errors\n\nIf the parser encounters an error while parsing, it will call any `onError` callback provided to the `createParser` function:\n\n```ts\nimport {type ParseError} from 'eventsource-parser'\n\nconst parser = createParser({\n onError(error: ParseError) {\n console.error('Error parsing event:', error)\n if (error.type === 'invalid-field') {\n console.error('Field name:', error.field)\n console.error('Field value:', error.value)\n console.error('Line:', error.line)\n } else if (error.type === 'invalid-retry') {\n console.error('Invalid retry interval:', error.value)\n }\n },\n onEvent(event) {\n // …\n },\n})\n```\n\nNote that `invalid-field` errors will usually be called for any invalid data - not only data shaped as `field: value`. This is because the EventSource specification says to treat anything prior to a `:` as the field name. Use the `error.line` property to get the full line that caused the error.\n\n> [!NOTE]\n> When encountering the end of a stream, calling `.reset({consume: true})` on the parser to flush any remaining data and reset the parser state. This will trigger the `onError` callback if the pending data is not a valid event.\n\n### Comments\n\nThe parser will ignore comments (lines starting with `:`) by default. If you want to handle comments, you can provide an `onComment` callback to the `createParser` function:\n\n```ts\nconst parser = createParser({\n onComment(comment) {\n console.log('Received comment:', comment)\n },\n onEvent(event) {\n // …\n },\n})\n```\n\n> [!NOTE]\n> Leading whitespace is not stripped from comments, eg `: comment` will give ` comment` as the comment value, not `comment` (note the leading space).\n\n## Stream usage\n\n```ts\nimport {EventSourceParserStream} from 'eventsource-parser/stream'\n\nconst eventStream = response.body\n .pipeThrough(new TextDecoderStream())\n .pipeThrough(new EventSourceParserStream())\n```\n\nNote that the TransformStream is exposed under a separate export (`eventsource-parser/stream`), in order to maximize compatibility with environments that do not have the `TransformStream` constructor available.\n\n## License\n\nMIT © [Espen Hovlandsdal](https://espen.codes/)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/eventsource-parser/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/eventsource/README.md ---\n# eventsource\n\n[![npm version](https://img.shields.io/npm/v/eventsource.svg?style=flat-square)](https://www.npmjs.com/package/eventsource)[![npm bundle size](https://img.shields.io/bundlephobia/minzip/eventsource?style=flat-square)](https://bundlephobia.com/result?p=eventsource)[![npm weekly downloads](https://img.shields.io/npm/dw/eventsource.svg?style=flat-square)](https://www.npmjs.com/package/eventsource)\n\nWhatWG/W3C-compatible [server-sent events/eventsource](https://developer.mozilla.org/en-US/docs/Web/API/Server-sent_events) client. The module attempts to implement an absolute minimal amount of features/changes beyond the specification.\n\nIf you're looking for a modern alternative with a less constrained API, check out the [`eventsource-client` package](https://www.npmjs.com/package/eventsource-client).\n\n## Installation\n\n```bash\nnpm install --save eventsource\n```\n\n## Supported engines\n\n- Node.js >= 18\n- Chrome >= 63\n- Safari >= 11.3\n- Firefox >= 65\n- Edge >= 79\n- Deno >= 1.30\n- Bun >= 1.1.23\n\nBasically, any environment that supports:\n\n- [fetch](https://developer.mozilla.org/en-US/docs/Web/API/fetch)\n- [ReadableStream](https://developer.mozilla.org/en-US/docs/Web/API/ReadableStream)\n- [TextDecoderStream](https://developer.mozilla.org/en-US/docs/Web/API/TextDecoderStream)\n- [URL](https://developer.mozilla.org/en-US/docs/Web/API/URL)\n- [Event](https://developer.mozilla.org/en-US/docs/Web/API/Event), [MessageEvent](https://developer.mozilla.org/en-US/docs/Web/API/MessageEvent), [EventTarget](https://developer.mozilla.org/en-US/docs/Web/API/EventTarget)\n\nIf you need to support older runtimes, try the `2.x` branch/version range (note: 2.x branch is primarily targetted at Node.js, not browsers).\n\n## Usage\n\n```ts\nimport {EventSource} from 'eventsource'\n\nconst es = new EventSource('https://my-server.com/sse')\n\n/*\n * This will listen for events with the field `event: notice`.\n */\nes.addEventListener('notice', (event) => {\n console.log(event.data)\n})\n\n/*\n * This will listen for events with the field `event: update`.\n */\nes.addEventListener('update', (event) => {\n console.log(event.data)\n})\n\n/*\n * The event \"message\" is a special case, as it will capture events _without_ an\n * event field, as well as events that have the specific type `event: message`.\n * It will not trigger on any other event type.\n */\nes.addEventListener('message', (event) => {\n console.log(event.data)\n})\n\n/**\n * To explicitly close the connection, call the `close` method.\n * This will prevent any reconnection from happening.\n */\nsetTimeout(() => {\n es.close()\n}, 10_000)\n```\n\n### TypeScript\n\nMake sure you have configured your TSConfig so it matches the environment you are targetting. If you are targetting browsers, this would be `dom`:\n\n```jsonc\n{\n \"compilerOptions\": {\n \"lib\": [\"dom\"],\n },\n}\n```\n\nIf you're using Node.js, ensure you have `@types/node` installed (and it is version 18 or higher). Cloudflare workers have `@cloudflare/workers-types` etc.\n\nThe following errors are caused by targetting an environment that does not have the necessary types available:\n\n```\nerror TS2304: Cannot find name 'Event'.\nerror TS2304: Cannot find name 'EventTarget'.\nerror TS2304: Cannot find name 'MessageEvent'.\n```\n\n## Migrating from v1 / v2\n\nSee [MIGRATION.md](MIGRATION.md#v2-to-v3) for a detailed migration guide.\n\n## Extensions to the WhatWG/W3C API\n\n### Message and code properties on errors\n\nThe `error` event has a `message` and `code` property that can be used to get more information about the error. In the specification, the Event\n\n```ts\nes.addEventListener('error', (err) => {\n if (err.code === 401 || err.code === 403) {\n console.log('not authorized')\n }\n})\n```\n\n### Specify `fetch` implementation\n\nThe `EventSource` constructor accepts an optional `fetch` property in the second argument that can be used to specify the `fetch` implementation to use.\n\nThis can be useful in environments where the global `fetch` function is not available - but it can also be used to alter the request/response behaviour.\n\n#### Setting HTTP request headers\n\n```ts\nconst es = new EventSource('https://my-server.com/sse', {\n fetch: (input, init) =>\n fetch(input, {\n ...init,\n headers: {\n ...init.headers,\n Authorization: 'Bearer myToken',\n },\n }),\n})\n```\n\n#### HTTP/HTTPS proxy\n\nUse a package like [`node-fetch-native`](https://github.com/unjs/node-fetch-native) to add proxy support, either through environment variables or explicit configuration.\n\n```ts\n// npm install node-fetch-native --save\nimport {fetch} from 'node-fetch-native/proxy'\n\nconst es = new EventSource('https://my-server.com/sse', {\n fetch: (input, init) => fetch(input, init),\n})\n```\n\n#### Allow unauthorized HTTPS requests\n\nUse a package like [`undici`](https://github.com/nodejs/undici) for more control of fetch options through the use of an [`Agent`](https://undici.nodejs.org/#/docs/api/Agent.md).\n\n```ts\n// npm install undici --save\nimport {fetch, Agent} from 'undici'\n\nawait fetch('https://my-server.com/sse', {\n dispatcher: new Agent({\n connect: {\n rejectUnauthorized: false,\n },\n }),\n})\n```\n\n## License\n\nMIT-licensed. See [LICENSE](LICENSE).\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/eventsource/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/expect-type/README.md ---\n# expect-type\n\n[![CI](https://github.com/mmkal/expect-type/actions/workflows/ci.yml/badge.svg)](https://github.com/mmkal/expect-type/actions/workflows/ci.yml)\n![npm](https://img.shields.io/npm/dt/expect-type)\n[![X (formerly Twitter) Follow](https://img.shields.io/twitter/follow/mmkal)](https://x.com/mmkalmmkal)\n\nCompile-time tests for types. Useful to make sure types don't regress into being overly permissive as changes go in over time.\n\nSimilar to `expect`, but with type-awareness. Gives you access to several type-matchers that let you make assertions about the form of a reference or generic type parameter.\n\n```ts\nimport {expectTypeOf} from 'expect-type'\nimport {foo, bar} from '../foo'\n\n// make sure `foo` has type {a: number}\nexpectTypeOf(foo).toEqualTypeOf<{a: number}>()\n\n// make sure `bar` is a function taking a string:\nexpectTypeOf(bar).parameter(0).toBeString()\nexpectTypeOf(bar).returns.not.toBeAny()\n```\n\nIt can be used in your existing test files (and is actually [built in to vitest](https://vitest.dev/guide/testing-types)). Or it can be used in any other type-checked file you'd like - it's built into existing tooling with no dependencies. No extra build step, cli tool, IDE extension, or lint plugin is needed. Just import the function and start writing tests. Failures will be at compile time - they'll appear in your IDE and when you run `tsc`.\n\nSee below for lots more examples.\n\n## Contents\n\n- [Contents](#contents)\n- [Installation and usage](#installation-and-usage)\n- [Documentation](#documentation)\n - [Features](#features)\n - [Why is my assertion failing?](#why-is-my-assertion-failing)\n - [Why is `.toMatchTypeOf` deprecated?](#why-is-tomatchtypeof-deprecated)\n - [Internal type helpers](#internal-type-helpers)\n - [Error messages](#error-messages)\n - [Concrete \"expected\" objects vs type arguments](#concrete-expected-objects-vs-type-arguments)\n - [Overloaded functions](#overloaded-functions)\n - [Within test frameworks](#within-test-frameworks)\n - [Vitest](#vitest)\n - [Jest & `eslint-plugin-jest`](#jest--eslint-plugin-jest)\n - [Limitations](#limitations)\n- [Similar projects](#similar-projects)\n - [Comparison](#comparison)\n- [TypeScript backwards-compatibility](#typescript-backwards-compatibility)\n- [Contributing](#contributing)\n - [Documentation of limitations through tests](#documentation-of-limitations-through-tests)\n\n\n## Installation and usage\n\n```cli\nnpm install expect-type --save-dev\n```\n\n```typescript\nimport {expectTypeOf} from 'expect-type'\n```\n\n## Documentation\n\nThe `expectTypeOf` method takes a single argument or a generic type parameter. Neither it nor the functions chained off its return value have any meaningful runtime behaviour. The assertions you write will be _compile-time_ errors if they don't hold true.\n\n### Features\n\n\nCheck an object's type with `.toEqualTypeOf`:\n\n```typescript\nexpectTypeOf({a: 1}).toEqualTypeOf<{a: number}>()\n```\n\n`.toEqualTypeOf` can check that two concrete objects have equivalent types (note: when these assertions _fail_, the error messages can be less informative vs the generic type argument syntax above - see [error messages docs](#error-messages)):\n\n```typescript\nexpectTypeOf({a: 1}).toEqualTypeOf({a: 1})\n```\n\n`.toEqualTypeOf` succeeds for objects with different values, but the same type:\n\n```typescript\nexpectTypeOf({a: 1}).toEqualTypeOf({a: 2})\n```\n\n`.toEqualTypeOf` fails on excess properties:\n\n```typescript\n// @ts-expect-error\nexpectTypeOf({a: 1, b: 1}).toEqualTypeOf<{a: number}>()\n```\n\nTo allow for extra properties on an object type, use `.toMatchObjectType`. This is a strict check, but only on the subset of keys that are in the expected type:\n\n```typescript\nexpectTypeOf({a: 1, b: 1}).toMatchObjectType<{a: number}>()\n```\n\n`.toMatchObjectType` can check partial matches on deeply nested objects:\n\n```typescript\nconst user = {\n email: 'a@b.com',\n name: 'John Doe',\n address: {street: '123 2nd St', city: 'New York', zip: '10001', state: 'NY', country: 'USA'},\n}\n\nexpectTypeOf(user).toMatchObjectType<{name: string; address: {city: string}}>()\n```\n\nTo check that a type extends another type, use `.toExtend`:\n\n```typescript\nexpectTypeOf('some string').toExtend()\n// @ts-expect-error\nexpectTypeOf({a: 1}).toExtend<{b: number}>()\n```\n\n`.toExtend` can be used with object types, but `.toMatchObjectType` is usually a better choice when dealing with objects, since it's stricter:\n\n```typescript\nexpectTypeOf({a: 1, b: 2}).toExtend<{a: number}>() // avoid this\nexpectTypeOf({a: 1, b: 2}).toMatchObjectType<{a: number}>() // prefer this\n```\n\n`.toEqualTypeOf`, `.toMatchObjectType`, and `.toExtend` all fail on missing properties:\n\n```typescript\n// @ts-expect-error\nexpectTypeOf({a: 1}).toEqualTypeOf<{a: number; b: number}>()\n// @ts-expect-error\nexpectTypeOf({a: 1}).toMatchObjectType<{a: number; b: number}>()\n// @ts-expect-error\nexpectTypeOf({a: 1}).toExtend<{a: number; b: number}>()\n```\n\nAnother example of the difference between `.toExtend`, `.toMatchObjectType`, and `.toEqualTypeOf`. `.toExtend` can be used for \"is-a\" relationships:\n\n```typescript\ntype Fruit = {type: 'Fruit'; edible: boolean}\ntype Apple = {type: 'Fruit'; name: 'Apple'; edible: true}\n\nexpectTypeOf().toExtend()\n\n// @ts-expect-error - the `editable` property isn't an exact match. In `Apple`, it's `true`, which extends `boolean`, but they're not identical.\nexpectTypeOf().toMatchObjectType()\n\n// @ts-expect-error - Apple is not an identical type to Fruit, it's a subtype\nexpectTypeOf().toEqualTypeOf()\n\n// @ts-expect-error - Apple is a Fruit, but not vice versa\nexpectTypeOf().toExtend()\n```\n\nAssertions can be inverted with `.not`:\n\n```typescript\nexpectTypeOf({a: 1}).not.toExtend<{b: 1}>()\nexpectTypeOf({a: 1}).not.toMatchObjectType<{b: 1}>()\n```\n\n`.not` can be easier than relying on `// @ts-expect-error`:\n\n```typescript\ntype Fruit = {type: 'Fruit'; edible: boolean}\ntype Apple = {type: 'Fruit'; name: 'Apple'; edible: true}\n\nexpectTypeOf().toExtend()\n\nexpectTypeOf().not.toExtend()\nexpectTypeOf().not.toEqualTypeOf()\n```\n\nCatch any/unknown/never types:\n\n```typescript\nexpectTypeOf().toBeUnknown()\nexpectTypeOf().toBeAny()\nexpectTypeOf().toBeNever()\n\n// @ts-expect-error\nexpectTypeOf().toBeNumber()\n```\n\n`.toEqualTypeOf` distinguishes between deeply-nested `any` and `unknown` properties:\n\n```typescript\nexpectTypeOf<{deeply: {nested: any}}>().not.toEqualTypeOf<{deeply: {nested: unknown}}>()\n```\n\nYou can test for basic JavaScript types:\n\n```typescript\nexpectTypeOf(() => 1).toBeFunction()\nexpectTypeOf({}).toBeObject()\nexpectTypeOf([]).toBeArray()\nexpectTypeOf('').toBeString()\nexpectTypeOf(1).toBeNumber()\nexpectTypeOf(true).toBeBoolean()\nexpectTypeOf(() => {}).returns.toBeVoid()\nexpectTypeOf(Promise.resolve(123)).resolves.toBeNumber()\nexpectTypeOf(Symbol(1)).toBeSymbol()\nexpectTypeOf(1n).toBeBigInt()\n```\n\n`.toBe...` methods allow for types that extend the expected type:\n\n```typescript\nexpectTypeOf().toBeNumber()\nexpectTypeOf<1>().toBeNumber()\n\nexpectTypeOf().toBeArray()\nexpectTypeOf().toBeArray()\n\nexpectTypeOf().toBeString()\nexpectTypeOf<'foo'>().toBeString()\n\nexpectTypeOf().toBeBoolean()\nexpectTypeOf().toBeBoolean()\n\nexpectTypeOf().toBeBigInt()\nexpectTypeOf<0n>().toBeBigInt()\n```\n\n`.toBe...` methods protect against `any`:\n\n```typescript\nconst goodIntParser = (s: string) => Number.parseInt(s, 10)\nconst badIntParser = (s: string) => JSON.parse(s) // uh-oh - works at runtime if the input is a number, but return 'any'\n\nexpectTypeOf(goodIntParser).returns.toBeNumber()\n// @ts-expect-error - if you write a test like this, `.toBeNumber()` will let you know your implementation returns `any`.\nexpectTypeOf(badIntParser).returns.toBeNumber()\n```\n\nNullable types:\n\n```typescript\nexpectTypeOf(undefined).toBeUndefined()\nexpectTypeOf(undefined).toBeNullable()\nexpectTypeOf(undefined).not.toBeNull()\n\nexpectTypeOf(null).toBeNull()\nexpectTypeOf(null).toBeNullable()\nexpectTypeOf(null).not.toBeUndefined()\n\nexpectTypeOf<1 | undefined>().toBeNullable()\nexpectTypeOf<1 | null>().toBeNullable()\nexpectTypeOf<1 | undefined | null>().toBeNullable()\n```\n\nMore `.not` examples:\n\n```typescript\nexpectTypeOf(1).not.toBeUnknown()\nexpectTypeOf(1).not.toBeAny()\nexpectTypeOf(1).not.toBeNever()\nexpectTypeOf(1).not.toBeNull()\nexpectTypeOf(1).not.toBeUndefined()\nexpectTypeOf(1).not.toBeNullable()\nexpectTypeOf(1).not.toBeBigInt()\n```\n\nDetect assignability of unioned types:\n\n```typescript\nexpectTypeOf().toExtend()\nexpectTypeOf().not.toExtend()\n```\n\nUse `.extract` and `.exclude` to narrow down complex union types:\n\n```typescript\ntype ResponsiveProp = T | T[] | {xs?: T; sm?: T; md?: T}\nconst getResponsiveProp = (_props: T): ResponsiveProp => ({})\ntype CSSProperties = {margin?: string; padding?: string}\n\nconst cssProperties: CSSProperties = {margin: '1px', padding: '2px'}\n\nexpectTypeOf(getResponsiveProp(cssProperties))\n .exclude()\n .exclude<{xs?: unknown}>()\n .toEqualTypeOf()\n\nexpectTypeOf(getResponsiveProp(cssProperties))\n .extract()\n .toEqualTypeOf()\n\nexpectTypeOf(getResponsiveProp(cssProperties))\n .extract<{xs?: any}>()\n .toEqualTypeOf<{xs?: CSSProperties; sm?: CSSProperties; md?: CSSProperties}>()\n\nexpectTypeOf>().exclude().toHaveProperty('sm')\nexpectTypeOf>().exclude().not.toHaveProperty('xxl')\n```\n\n`.extract` and `.exclude` return never if no types remain after exclusion:\n\n```typescript\ntype Person = {name: string; age: number}\ntype Customer = Person & {customerId: string}\ntype Employee = Person & {employeeId: string}\n\nexpectTypeOf().extract<{foo: string}>().toBeNever()\nexpectTypeOf().exclude<{name: string}>().toBeNever()\n```\n\nUse `.pick` to pick a set of properties from an object:\n\n```typescript\ntype Person = {name: string; age: number}\n\nexpectTypeOf().pick<'name'>().toEqualTypeOf<{name: string}>()\n```\n\nUse `.omit` to remove a set of properties from an object:\n\n```typescript\ntype Person = {name: string; age: number}\n\nexpectTypeOf().omit<'name'>().toEqualTypeOf<{age: number}>()\n```\n\nMake assertions about object properties:\n\n```typescript\nconst obj = {a: 1, b: ''}\n\n// check that properties exist (or don't) with `.toHaveProperty`\nexpectTypeOf(obj).toHaveProperty('a')\nexpectTypeOf(obj).not.toHaveProperty('c')\n\n// check types of properties\nexpectTypeOf(obj).toHaveProperty('a').toBeNumber()\nexpectTypeOf(obj).toHaveProperty('b').toBeString()\nexpectTypeOf(obj).toHaveProperty('a').not.toBeString()\n```\n\n`.toEqualTypeOf` can be used to distinguish between functions:\n\n```typescript\ntype NoParam = () => void\ntype HasParam = (s: string) => void\n\nexpectTypeOf().not.toEqualTypeOf()\n```\n\nBut often it's preferable to use `.parameters` or `.returns` for more specific function assertions:\n\n```typescript\ntype NoParam = () => void\ntype HasParam = (s: string) => void\n\nexpectTypeOf().parameters.toEqualTypeOf<[]>()\nexpectTypeOf().returns.toBeVoid()\n\nexpectTypeOf().parameters.toEqualTypeOf<[string]>()\nexpectTypeOf().returns.toBeVoid()\n```\n\nUp to ten overloads will produce union types for `.parameters` and `.returns`:\n\n```typescript\ntype Factorize = {\n (input: number): number[]\n (input: bigint): bigint[]\n}\n\nexpectTypeOf().parameters.not.toEqualTypeOf<[number]>()\nexpectTypeOf().parameters.toEqualTypeOf<[number] | [bigint]>()\nexpectTypeOf().returns.toEqualTypeOf()\n\nexpectTypeOf().parameter(0).toEqualTypeOf()\n```\n\nNote that these aren't exactly like TypeScript's built-in Parameters<...> and ReturnType<...>:\n\nThe TypeScript builtins simply choose a single overload (see the [Overloaded functions](#overloaded-functions) section for more information)\n\n```typescript\ntype Factorize = {\n (input: number): number[]\n (input: bigint): bigint[]\n}\n\n// overload using `number` is ignored!\nexpectTypeOf>().toEqualTypeOf<[bigint]>()\nexpectTypeOf>().toEqualTypeOf()\n```\n\nMore examples of ways to work with functions - parameters using `.parameter(n)` or `.parameters`, and return values using `.returns`:\n\n```typescript\nconst f = (a: number) => [a, a]\n\nexpectTypeOf(f).toBeFunction()\n\nexpectTypeOf(f).toBeCallableWith(1)\nexpectTypeOf(f).not.toBeAny()\nexpectTypeOf(f).returns.not.toBeAny()\nexpectTypeOf(f).returns.toEqualTypeOf([1, 2])\nexpectTypeOf(f).returns.toEqualTypeOf([1, 2, 3])\nexpectTypeOf(f).parameter(0).not.toEqualTypeOf('1')\nexpectTypeOf(f).parameter(0).toEqualTypeOf(1)\nexpectTypeOf(1).parameter(0).toBeNever()\n\nconst twoArgFunc = (a: number, b: string) => ({a, b})\n\nexpectTypeOf(twoArgFunc).parameters.toEqualTypeOf<[number, string]>()\n```\n\n`.toBeCallableWith` allows for overloads. You can also use it to narrow down the return type for given input parameters.:\n\n```typescript\ntype Factorize = {\n (input: number): number[]\n (input: bigint): bigint[]\n}\n\nexpectTypeOf().toBeCallableWith(6)\nexpectTypeOf().toBeCallableWith(6n)\n```\n\n`.toBeCallableWith` returns a type that can be used to narrow down the return type for given input parameters.:\n\n```typescript\ntype Factorize = {\n (input: number): number[]\n (input: bigint): bigint[]\n}\nexpectTypeOf().toBeCallableWith(6).returns.toEqualTypeOf()\nexpectTypeOf().toBeCallableWith(6n).returns.toEqualTypeOf()\n```\n\n`.toBeCallableWith` can be used to narrow down the parameters of a function:\n\n```typescript\ntype Delete = {\n (path: string): void\n (paths: string[], options?: {force: boolean}): void\n}\n\nexpectTypeOf().toBeCallableWith('abc').parameters.toEqualTypeOf<[string]>()\nexpectTypeOf()\n .toBeCallableWith(['abc', 'def'], {force: true})\n .parameters.toEqualTypeOf<[string[], {force: boolean}?]>()\n\nexpectTypeOf().toBeCallableWith('abc').parameter(0).toBeString()\nexpectTypeOf().toBeCallableWith('abc').parameter(1).toBeUndefined()\n\nexpectTypeOf()\n .toBeCallableWith(['abc', 'def', 'ghi'])\n .parameter(0)\n .toEqualTypeOf()\n\nexpectTypeOf()\n .toBeCallableWith(['abc', 'def', 'ghi'])\n .parameter(1)\n .toEqualTypeOf<{force: boolean} | undefined>()\n```\n\nYou can't use `.toBeCallableWith` with `.not` - you need to use ts-expect-error::\n\n```typescript\nconst f = (a: number) => [a, a]\n\n// @ts-expect-error\nexpectTypeOf(f).toBeCallableWith('foo')\n```\n\nUse `.map` to transform types:\n\nThis can be useful for generic functions or complex types which you can't access via `.toBeCallableWith`, `.toHaveProperty` etc. The callback function isn't called at runtime, which can make this a useful way to get complex inferred types without worrying about running code.\n\n```typescript\nconst capitalize = (input: S) =>\n (input.slice(0, 1).toUpperCase() + input.slice(1)) as Capitalize\n\nexpectTypeOf(capitalize)\n .map(fn => fn('hello world'))\n .toEqualTypeOf<'Hello world'>()\n```\n\nYou can also check type guards & type assertions:\n\n```typescript\nconst assertNumber = (v: any): asserts v is number => {\n if (typeof v !== 'number') {\n throw new TypeError('Nope !')\n }\n}\n\nexpectTypeOf(assertNumber).asserts.toBeNumber()\n\nconst isString = (v: any): v is string => typeof v === 'string'\n\nexpectTypeOf(isString).guards.toBeString()\n\nconst isBigInt = (value: any): value is bigint => typeof value === 'bigint'\n\nexpectTypeOf(isBigInt).guards.toBeBigInt()\n```\n\nAssert on constructor parameters:\n\n```typescript\nexpectTypeOf(Date).toBeConstructibleWith('1970')\nexpectTypeOf(Date).toBeConstructibleWith(0)\nexpectTypeOf(Date).toBeConstructibleWith(new Date())\nexpectTypeOf(Date).toBeConstructibleWith()\n\nexpectTypeOf(Date).constructorParameters.toEqualTypeOf<\n | []\n | [value: string | number]\n | [value: string | number | Date]\n | [\n year: number,\n monthIndex: number,\n date?: number | undefined,\n hours?: number | undefined,\n minutes?: number | undefined,\n seconds?: number | undefined,\n ms?: number | undefined,\n ]\n>()\n```\n\nConstructor overloads:\n\n```typescript\nclass DBConnection {\n constructor()\n constructor(connectionString: string)\n constructor(options: {host: string; port: number})\n constructor(..._: unknown[]) {}\n}\n\nexpectTypeOf(DBConnection).toBeConstructibleWith()\nexpectTypeOf(DBConnection).toBeConstructibleWith('localhost')\nexpectTypeOf(DBConnection).toBeConstructibleWith({host: 'localhost', port: 1234})\n// @ts-expect-error - as when calling `new DBConnection(...)` you can't actually use the `(...args: unknown[])` overlaod, it's purely for the implementation.\nexpectTypeOf(DBConnection).toBeConstructibleWith(1, 2)\n```\n\nCheck function `this` parameters:\n\n```typescript\nfunction greet(this: {name: string}, message: string) {\n return `Hello ${this.name}, here's your message: ${message}`\n}\n\nexpectTypeOf(greet).thisParameter.toEqualTypeOf<{name: string}>()\n```\n\nDistinguish between functions with different `this` parameters:\n\n```typescript\nfunction greetFormal(this: {title: string; name: string}, message: string) {\n return `Dear ${this.title} ${this.name}, here's your message: ${message}`\n}\n\nfunction greetCasual(this: {name: string}, message: string) {\n return `Hi ${this.name}, here's your message: ${message}`\n}\n\nexpectTypeOf(greetFormal).not.toEqualTypeOf(greetCasual)\n```\n\nClass instance types:\n\n```typescript\nexpectTypeOf(Date).instance.toHaveProperty('toISOString')\n```\n\nPromise resolution types can be checked with `.resolves`:\n\n```typescript\nconst asyncFunc = async () => 123\n\nexpectTypeOf(asyncFunc).returns.resolves.toBeNumber()\n```\n\nArray items can be checked with `.items`:\n\n```typescript\nexpectTypeOf([1, 2, 3]).items.toBeNumber()\nexpectTypeOf([1, 2, 3]).items.not.toBeString()\n```\n\nYou can also compare arrays directly:\n\n```typescript\nexpectTypeOf().not.toEqualTypeOf()\n```\n\nCheck that functions never return:\n\n```typescript\nconst thrower = () => {\n throw new Error('oh no')\n}\n\nexpectTypeOf(thrower).returns.toBeNever()\n```\n\nGenerics can be used rather than references:\n\n```typescript\nexpectTypeOf<{a: string}>().not.toEqualTypeOf<{a: number}>()\n```\n\nDistinguish between missing/null/optional properties:\n\n```typescript\nexpectTypeOf<{a?: number}>().not.toEqualTypeOf<{}>()\nexpectTypeOf<{a?: number}>().not.toEqualTypeOf<{a: number}>()\nexpectTypeOf<{a?: number}>().not.toEqualTypeOf<{a: number | undefined}>()\nexpectTypeOf<{a?: number | null}>().not.toEqualTypeOf<{a: number | null}>()\nexpectTypeOf<{a: {b?: number}}>().not.toEqualTypeOf<{a: {}}>()\n```\n\nDetect the difference between regular and `readonly` properties:\n\n```typescript\ntype A1 = {readonly a: string; b: string}\ntype E1 = {a: string; b: string}\n\nexpectTypeOf().toExtend()\nexpectTypeOf().not.toEqualTypeOf()\n\ntype A2 = {a: string; b: {readonly c: string}}\ntype E2 = {a: string; b: {c: string}}\n\nexpectTypeOf().toExtend()\nexpectTypeOf().not.toEqualTypeOf()\n```\n\nDistinguish between classes with different constructors:\n\n```typescript\nclass A {\n value: number\n constructor(a: 1) {\n this.value = a\n }\n}\nclass B {\n value: number\n constructor(b: 2) {\n this.value = b\n }\n}\n\nexpectTypeOf().not.toEqualTypeOf()\n\nclass C {\n value: number\n constructor(c: 1) {\n this.value = c\n }\n}\n\nexpectTypeOf().toEqualTypeOf()\n```\n\nKnown limitation: Intersection types can cause issues with `toEqualTypeOf`:\n\n```typescript\n// @ts-expect-error the following line doesn't compile, even though the types are arguably the same.\n// See https://github.com/mmkal/expect-type/pull/21\nexpectTypeOf<{a: 1} & {b: 2}>().toEqualTypeOf<{a: 1; b: 2}>()\n```\n\nTo workaround for simple cases, you can use a mapped type:\n\n```typescript\ntype Simplify = {[K in keyof T]: T[K]}\n\nexpectTypeOf>().toEqualTypeOf<{a: 1; b: 2}>()\n```\n\nBut this won't work if the nesting is deeper in the type. For these situations, you can use the `.branded` helper. Note that this comes at a performance cost, and can cause the compiler to 'give up' if used with excessively deep types, so use sparingly. This helper is under `.branded` because it deeply transforms the Actual and Expected types into a pseudo-AST:\n\n```typescript\n// @ts-expect-error\nexpectTypeOf<{a: {b: 1} & {c: 1}}>().toEqualTypeOf<{a: {b: 1; c: 1}}>()\n\nexpectTypeOf<{a: {b: 1} & {c: 1}}>().branded.toEqualTypeOf<{a: {b: 1; c: 1}}>()\n```\n\nBe careful with `.branded` for very deep or complex types, though. If possible you should find a way to simplify your test to avoid needing to use it:\n\n```typescript\n// This *should* result in an error, but the \"branding\" mechanism produces too large a type and TypeScript just gives up! https://github.com/microsoft/TypeScript/issues/50670\nexpectTypeOf<() => () => () => () => 1>().branded.toEqualTypeOf<() => () => () => () => 2>()\n\n// @ts-expect-error the non-branded implementation catches the error as expected.\nexpectTypeOf<() => () => () => () => 1>().toEqualTypeOf<() => () => () => () => 2>()\n```\n\nSo, if you have an extremely deep type that ALSO has an intersection in it, you're out of luck and this library won't be able to test your type properly:\n\n```typescript\n// @ts-expect-error this fails, but it should succeed.\nexpectTypeOf<() => () => () => () => {a: 1} & {b: 2}>().toEqualTypeOf<\n () => () => () => () => {a: 1; b: 2}\n>()\n\n// this succeeds, but it should fail.\nexpectTypeOf<() => () => () => () => {a: 1} & {b: 2}>().branded.toEqualTypeOf<\n () => () => () => () => {a: 1; c: 2}\n>()\n```\n\nAnother limitation: passing `this` references to `expectTypeOf` results in errors.:\n\n```typescript\nclass B {\n b = 'b'\n\n foo() {\n // @ts-expect-error\n expectTypeOf(this).toEqualTypeOf(this)\n }\n}\n\n// Instead of the above, try something like this:\nexpectTypeOf(B).instance.toEqualTypeOf<{b: string; foo: () => void}>()\n```\n\n\nOverloads limitation for TypeScript <5.3: Due to a [TypeScript bug fixed in 5.3](https://github.com/microsoft/TypeScript/issues/28867), overloaded functions which include an overload resembling `(...args: unknown[]) => unknown` will exclude `unknown[]` from `.parameters` and exclude `unknown` from `.returns`:\n\n```typescript\ntype Factorize = {\n (...args: unknown[]): unknown\n (input: number): number[]\n (input: bigint): bigint[]\n}\n\nexpectTypeOf().parameters.toEqualTypeOf<[number] | [bigint]>()\nexpectTypeOf().returns.toEqualTypeOf()\n```\n\nThis overload, however, allows any input and returns an unknown output anyway, so it's not very useful. If you are worried about this for some reason, you'll have to update TypeScript to 5.3+.\n\n### Why is my assertion failing?\n\nFor complex types, an assertion might fail when it should if the `Actual` type contains a deeply-nested intersection type but the `Expected` doesn't. In these cases you can use `.branded` as described above:\n\n```typescript\n// @ts-expect-error this unfortunately fails - a TypeScript limitation prevents making this pass without a big perf hit\nexpectTypeOf<{a: {b: 1} & {c: 1}}>().toEqualTypeOf<{a: {b: 1; c: 1}}>()\n\nexpectTypeOf<{a: {b: 1} & {c: 1}}>().branded.toEqualTypeOf<{a: {b: 1; c: 1}}>()\n```\n\n### Why is `.toMatchTypeOf` deprecated?\n\nThe `.toMatchTypeOf` method is deprecated in favour of `.toMatchObjectType` (when strictly checking against an object type with a subset of keys), or `.toExtend` (when checking for \"is-a\" relationships). There are no foreseeable plans to remove `.toMatchTypeOf`, but there's no reason to continue using it - `.toMatchObjectType` is stricter, and `.toExtend` is identical.\n\n### Internal type helpers\n\n🚧 This library also exports some helper types for performing boolean operations on types, checking extension/equality in various ways, branding types, and checking for various special types like `never`, `any`, `unknown`. Use at your own risk! Nothing is stopping you from using these beyond this warning:\n\n>All internal types that are not documented here are _not_ part of the supported API surface, and may be renamed, modified, or removed, without warning or documentation in release notes.\n\nFor a dedicated internal type library, feel free to look at the [source code](./src/index.ts) for inspiration - or better, use a library like [type-fest](https://npmjs.com/package/type-fest).\n\n### Error messages\n\nWhen types don't match, `.toEqualTypeOf` and `.toMatchTypeOf` use a special helper type to produce error messages that are as actionable as possible. But there's a bit of a nuance to understanding them. Since the assertions are written \"fluently\", the failure should be on the \"expected\" type, not the \"actual\" type (`expect().toEqualTypeOf()`). This means that type errors can be a little confusing - so this library produces a `MismatchInfo` type to try to make explicit what the expectation is. For example:\n\n```ts\nexpectTypeOf({a: 1}).toEqualTypeOf<{a: string}>()\n```\n\nIs an assertion that will fail, since `{a: 1}` has type `{a: number}` and not `{a: string}`. The error message in this case will read something like this:\n\n```\ntest/test.ts:999:999 - error TS2344: Type '{ a: string; }' does not satisfy the constraint '{ a: \\\\\"Expected: string, Actual: number\\\\\"; }'.\n Types of property 'a' are incompatible.\n Type 'string' is not assignable to type '\\\\\"Expected: string, Actual: number\\\\\"'.\n\n999 expectTypeOf({a: 1}).toEqualTypeOf<{a: string}>()\n```\n\nNote that the type constraint reported is a human-readable messaging specifying both the \"expected\" and \"actual\" types. Rather than taking the sentence `Types of property 'a' are incompatible // Type 'string' is not assignable to type \"Expected: string, Actual: number\"` literally - just look at the property name (`'a'`) and the message: `Expected: string, Actual: number`. This will tell you what's wrong, in most cases. Extremely complex types will, of course, be more effort to debug, and may require some experimentation. Please [raise an issue](https://github.com/mmkal/expect-type) if the error messages are misleading.\n\nThe `toBe...` methods (like `toBeString`, `toBeNumber`, `toBeVoid`, etc.) fail by resolving to a non-callable type when the `Actual` type under test doesn't match up. For example, the failure for an assertion like `expectTypeOf(1).toBeString()` will look something like this:\n\n```\ntest/test.ts:999:999 - error TS2349: This expression is not callable.\n Type 'ExpectString' has no call signatures.\n\n999 expectTypeOf(1).toBeString()\n ~~~~~~~~~~\n```\n\nThe `This expression is not callable` part isn't all that helpful - the meaningful error is the next line, `Type 'ExpectString has no call signatures`. This essentially means you passed a number but asserted it should be a string.\n\nIf TypeScript added support for [\"throw\" types](https://github.com/microsoft/TypeScript/pull/40468) these error messages could be improved. Until then they will take a certain amount of squinting.\n\n#### Concrete \"expected\" objects vs type arguments\n\nError messages for an assertion like this:\n\n```ts\nexpectTypeOf({a: 1}).toEqualTypeOf({a: ''})\n```\n\nWill be less helpful than for an assertion like this:\n\n```ts\nexpectTypeOf({a: 1}).toEqualTypeOf<{a: string}>()\n```\n\nThis is because the TypeScript compiler needs to infer the type argument for the `.toEqualTypeOf({a: ''})` style and this library can only mark it as a failure by comparing it against a generic `Mismatch` type. So, where possible, use a type argument rather than a concrete type for `.toEqualTypeOf` and `toMatchTypeOf`. If it's much more convenient to compare two concrete types, you can use `typeof`:\n\n```ts\nconst one = valueFromFunctionOne({some: {complex: inputs}})\nconst two = valueFromFunctionTwo({some: {other: inputs}})\n\nexpectTypeOf(one).toEqualTypeof()\n```\n\n### Overloaded functions\n\nDue to a TypeScript [design limitation](https://github.com/microsoft/TypeScript/issues/32164#issuecomment-506810756), the native TypeScript `Parameters<...>` and `ReturnType<...>` helpers only return types from one variant of an overloaded function. This limitation doesn't apply to expect-type, since it is not used to author TypeScript code, only to assert on existing types. So, we use a workaround for this TypeScript behaviour to assert on _all_ overloads as a union (actually, not necessarily _all_ - we cap out at 10 overloads).\n\n### Within test frameworks\n\n### Vitest\n\n`expectTypeOf` is built in to [vitest](https://vitest.dev/guide/testing-types), so you can import `expectTypeOf` from the vitest library directly if you prefer. Note that there is no set release cadence, at time of writing, so vitest may not always be using the very latest version.\n\n```ts\nimport {expectTypeOf} from 'vitest'\nimport {mount} from './mount.js'\n\ntest('my types work properly', () => {\n expectTypeOf(mount).toBeFunction()\n expectTypeOf(mount).parameter(0).toEqualTypeOf<{name: string}>()\n\n expectTypeOf(mount({name: 42})).toBeString()\n})\n```\n\n#### Jest & `eslint-plugin-jest`\n\nIf you're using Jest along with `eslint-plugin-jest`, and you put assertions inside `test(...)` definitions, you may get warnings from the [`jest/expect-expect`](https://github.com/jest-community/eslint-plugin-jest/blob/master/docs/rules/expect-expect.md) rule, complaining that \"Test has no assertions\" for tests that only use `expectTypeOf()`.\n\nTo remove this warning, configure the ESLint rule to consider `expectTypeOf` as an assertion:\n\n```json\n\"rules\": {\n // ...\n \"jest/expect-expect\": [\n \"warn\",\n {\n \"assertFunctionNames\": [\n \"expect\", \"expectTypeOf\"\n ]\n }\n ],\n // ...\n}\n```\n\n### Limitations\n\nA summary of some of the limitations of this library. Some of these are documented more fully elsewhere.\n\n1. Intersection types can result in failures when the expected and actual types are not identically defined, even when they are effectively identical. See [Why is my assertion failing](#why-is-my-assertion-failing) for details. TL;DR: use `.brand` in these cases - and accept the performance hit that it comes with.\n1. `toBeCallableWith` will likely fail if you try to use it with a generic function or an overload. See [this issue](https://github.com/mmkal/expect-type/issues/50) for an example and how to work around it.\n1. (For now) overloaded functions might trip up the `.parameter` and `.parameters` helpers. This matches how the built-in TypeScript helper `Parameters<...>` works. This may be improved in the future though ([see related issue](https://github.com/mmkal/expect-type/issues/30)).\n1. `expectTypeOf(this).toEqualTypeOf(this)` inside class methods does not work.\n\n## Similar projects\n\nOther projects with similar goals:\n\n- [`tsd`](https://github.com/SamVerschueren/tsd) is a CLI that runs the TypeScript type checker over assertions\n- [`ts-expect`](https://github.com/TypeStrong/ts-expect) exports several generic helper types to perform type assertions\n- [`dtslint`](https://github.com/Microsoft/dtslint) does type checks via comment directives and tslint\n- [`type-plus`](https://github.com/unional/type-plus) comes with various type and runtime TypeScript assertions\n- [`static-type-assert`](https://github.com/ksxnodemodules/static-type-assert) type assertion functions\n\n### Comparison\n\nThe key differences in this project are:\n\n- a fluent, jest-inspired API, making the difference between `actual` and `expected` clear. This is helpful with complex types and assertions.\n- inverting assertions intuitively and easily via `expectTypeOf(...).not`\n- checks generics properly and strictly ([tsd doesn't](https://github.com/SamVerschueren/tsd/issues/142))\n- first-class support for:\n - `any` (as well as `unknown` and `never`) (see issues outstanding at time of writing in tsd for [never](https://github.com/SamVerschueren/tsd/issues/78) and [any](https://github.com/SamVerschueren/tsd/issues/82)).\n - This can be especially useful in combination with `not`, to protect against functions returning too-permissive types. For example, `const parseFile = (filename: string) => JSON.parse(readFileSync(filename).toString())` returns `any`, which could lead to errors. After giving it a proper return-type, you can add a test for this with `expect(parseFile).returns.not.toBeAny()`\n - object properties\n - function parameters\n - function return values\n - constructor parameters\n - class instances\n - array item values\n - nullable types\n- assertions on types \"matching\" rather than exact type equality, for \"is-a\" relationships e.g. `expectTypeOf(square).toExtend()`\n- built into existing tooling. No extra build step, cli tool, IDE extension, or lint plugin is needed. Just import the function and start writing tests. Failures will be at compile time - they'll appear in your IDE and when you run `tsc`.\n- small implementation with no dependencies. [Take a look!](./src/index.ts) (tsd, for comparison, is [2.6MB](https://bundlephobia.com/result?p=tsd@0.13.1) because it ships a patched version of TypeScript).\n\n## TypeScript backwards-compatibility\n\nThere is a CI job called `test-types` that checks whether the tests still pass with certain older TypeScript versions. To check the supported TypeScript versions, [refer to the job definition](./.github/workflows/ci.yml).\n\n## Contributing\n\nIn most cases, it's worth checking existing issues or creating one to discuss a new feature or a bug fix before opening a pull request.\n\nOnce you're ready to make a pull request: clone the repo, and install pnpm if you don't have it already with `npm install --global pnpm`. Lockfiles for `npm` and `yarn` are gitignored.\n\nIf you're adding a feature, you should write a self-contained usage example in the form of a test, in [test/usage.test.ts](./test/usage.test.ts). This file is used to populate the bulk of this readme using [eslint-plugin-codegen](https://npmjs.com/package/eslint-plugin-codegen), and to generate an [\"errors\" test file](./test/errors.test.ts), which captures the error messages that are emitted for failing assertions by the TypeScript compiler. So, the test name should be written as a human-readable sentence explaining the usage example. Have a look at the existing tests for an idea of the style.\n\nAfter adding the tests, run `npm run lint -- --fix` to update the readme, and `npm test -- --updateSnapshot` to update the errors test. The generated documentation and tests should be pushed to the same branch as the source code, and submitted as a pull request. CI will test that the docs and tests are up to date if you forget to run these commands.\n\n### Documentation of limitations through tests\n\nLimitations of the library are documented through tests in `usage.test.ts`. This means that if a future TypeScript version (or library version) fixes the limitation, the test will start failing, and it will be automatically removed from the documentation once it no longer applies.\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/expect-type/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/fast-deep-equal/README.md ---\n# fast-deep-equal\nThe fastest deep equal with ES6 Map, Set and Typed arrays support.\n\n[![Build Status](https://travis-ci.org/epoberezkin/fast-deep-equal.svg?branch=master)](https://travis-ci.org/epoberezkin/fast-deep-equal)\n[![npm](https://img.shields.io/npm/v/fast-deep-equal.svg)](https://www.npmjs.com/package/fast-deep-equal)\n[![Coverage Status](https://coveralls.io/repos/github/epoberezkin/fast-deep-equal/badge.svg?branch=master)](https://coveralls.io/github/epoberezkin/fast-deep-equal?branch=master)\n\n\n## Install\n\n```bash\nnpm install fast-deep-equal\n```\n\n\n## Features\n\n- ES5 compatible\n- works in node.js (8+) and browsers (IE9+)\n- checks equality of Date and RegExp objects by value.\n\nES6 equal (`require('fast-deep-equal/es6')`) also supports:\n- Maps\n- Sets\n- Typed arrays\n\n\n## Usage\n\n```javascript\nvar equal = require('fast-deep-equal');\nconsole.log(equal({foo: 'bar'}, {foo: 'bar'})); // true\n```\n\nTo support ES6 Maps, Sets and Typed arrays equality use:\n\n```javascript\nvar equal = require('fast-deep-equal/es6');\nconsole.log(equal(Int16Array([1, 2]), Int16Array([1, 2]))); // true\n```\n\nTo use with React (avoiding the traversal of React elements' _owner\nproperty that contains circular references and is not needed when\ncomparing the elements - borrowed from [react-fast-compare](https://github.com/FormidableLabs/react-fast-compare)):\n\n```javascript\nvar equal = require('fast-deep-equal/react');\nvar equal = require('fast-deep-equal/es6/react');\n```\n\n\n## Performance benchmark\n\nNode.js v12.6.0:\n\n```\nfast-deep-equal x 261,950 ops/sec ±0.52% (89 runs sampled)\nfast-deep-equal/es6 x 212,991 ops/sec ±0.34% (92 runs sampled)\nfast-equals x 230,957 ops/sec ±0.83% (85 runs sampled)\nnano-equal x 187,995 ops/sec ±0.53% (88 runs sampled)\nshallow-equal-fuzzy x 138,302 ops/sec ±0.49% (90 runs sampled)\nunderscore.isEqual x 74,423 ops/sec ±0.38% (89 runs sampled)\nlodash.isEqual x 36,637 ops/sec ±0.72% (90 runs sampled)\ndeep-equal x 2,310 ops/sec ±0.37% (90 runs sampled)\ndeep-eql x 35,312 ops/sec ±0.67% (91 runs sampled)\nramda.equals x 12,054 ops/sec ±0.40% (91 runs sampled)\nutil.isDeepStrictEqual x 46,440 ops/sec ±0.43% (90 runs sampled)\nassert.deepStrictEqual x 456 ops/sec ±0.71% (88 runs sampled)\n\nThe fastest is fast-deep-equal\n```\n\nTo run benchmark (requires node.js 6+):\n\n```bash\nnpm run benchmark\n```\n\n__Please note__: this benchmark runs against the available test cases. To choose the most performant library for your application, it is recommended to benchmark against your data and to NOT expect this benchmark to reflect the performance difference in your application.\n\n\n## Enterprise support\n\nfast-deep-equal package is a part of [Tidelift enterprise subscription](https://tidelift.com/subscription/pkg/npm-fast-deep-equal?utm_source=npm-fast-deep-equal&utm_medium=referral&utm_campaign=enterprise&utm_term=repo) - it provides a centralised commercial support to open-source software users, in addition to the support provided by software maintainers.\n\n\n## Security contact\n\nTo report a security vulnerability, please use the\n[Tidelift security contact](https://tidelift.com/security).\nTidelift will coordinate the fix and disclosure. Please do NOT report security vulnerability via GitHub issues.\n\n\n## License\n\n[MIT](https://github.com/epoberezkin/fast-deep-equal/blob/master/LICENSE)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/fast-deep-equal/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/fast-uri/README.md ---\n# fast-uri\n\n
\n\n[![NPM version](https://img.shields.io/npm/v/fast-uri.svg?style=flat)](https://www.npmjs.com/package/fast-uri)\n[![CI](https://github.com/fastify/fast-uri/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/fastify/fast-uri/actions/workflows/ci.yml)\n[![neostandard javascript style](https://img.shields.io/badge/code_style-neostandard-brightgreen?style=flat)](https://github.com/neostandard/neostandard)\n\n
\n\nDependency-free RFC 3986 URI toolbox.\n\n## Usage\n\n## Options\n\nAll of the above functions can accept an additional options argument that is an object that can contain one or more of the following properties:\n\n*\t`scheme` (string)\n\tIndicates the scheme that the URI should be treated as, overriding the URI's normal scheme parsing behavior.\n\n*\t`reference` (string)\n\tIf set to `\"suffix\"`, it indicates that the URI is in the suffix format and the parser will use the option's `scheme` property to determine the URI's scheme.\n\n*\t`tolerant` (boolean, false)\n\tIf set to `true`, the parser will relax URI resolving rules.\n\n*\t`absolutePath` (boolean, false)\n\tIf set to `true`, the serializer will not resolve a relative `path` component.\n\n*\t`unicodeSupport` (boolean, false)\n\tIf set to `true`, the parser will unescape non-ASCII characters in the parsed output as per [RFC 3987](http://www.ietf.org/rfc/rfc3987.txt).\n\n*\t`domainHost` (boolean, false)\n\tIf set to `true`, the library will treat the `host` component as a domain name, and convert IDNs (International Domain Names) as per [RFC 5891](http://www.ietf.org/rfc/rfc5891.txt).\n\n### Parse\n\n```js\nconst uri = require('fast-uri')\nuri.parse('uri://user:pass@example.com:123/one/two.three?q1=a1&q2=a2#body')\n// Output\n{\n scheme: \"uri\",\n userinfo: \"user:pass\",\n host: \"example.com\",\n port: 123,\n path: \"/one/two.three\",\n query: \"q1=a1&q2=a2\",\n fragment: \"body\"\n}\n```\n\n### Serialize\n\n```js\nconst uri = require('fast-uri')\nuri.serialize({scheme: \"http\", host: \"example.com\", fragment: \"footer\"})\n// Output\n\"http://example.com/#footer\"\n\n```\n\n### Resolve\n\n```js\nconst uri = require('fast-uri')\nuri.resolve(\"uri://a/b/c/d?q\", \"../../g\")\n// Output\n\"uri://a/g\"\n```\n\n### Equal\n\n```js\nconst uri = require('fast-uri')\nuri.equal(\"example://a/b/c/%7Bfoo%7D\", \"eXAMPLE://a/./b/../b/%63/%7bfoo%7d\")\n// Output\ntrue\n```\n\n## Scheme supports\n\nfast-uri supports inserting custom [scheme](http://en.wikipedia.org/wiki/URI_scheme)-dependent processing rules. Currently, fast-uri has built-in support for the following schemes:\n\n*\thttp \\[[RFC 2616](http://www.ietf.org/rfc/rfc2616.txt)\\]\n*\thttps \\[[RFC 2818](http://www.ietf.org/rfc/rfc2818.txt)\\]\n*\tws \\[[RFC 6455](http://www.ietf.org/rfc/rfc6455.txt)\\]\n*\twss \\[[RFC 6455](http://www.ietf.org/rfc/rfc6455.txt)\\]\n*\turn \\[[RFC 2141](http://www.ietf.org/rfc/rfc2141.txt)\\]\n*\turn:uuid \\[[RFC 4122](http://www.ietf.org/rfc/rfc4122.txt)\\]\n\n\n## Benchmarks\n\n```\nfast-uri benchmark\n┌─────────┬──────────────────────────────────────────┬──────────────────┬──────────────────┬────────────────────────┬────────────────────────┬─────────┐\n│ (index) │ Task name │ Latency avg (ns) │ Latency med (ns) │ Throughput avg (ops/s) │ Throughput med (ops/s) │ Samples │\n├─────────┼──────────────────────────────────────────┼──────────────────┼──────────────────┼────────────────────────┼────────────────────────┼─────────┤\n│ 0 │ 'fast-uri: parse domain' │ '951.31 ± 0.75%' │ '875.00 ± 11.00' │ '1122538 ± 0.01%' │ '1142857 ± 14550' │ 1051187 │\n│ 1 │ 'fast-uri: parse IPv4' │ '443.44 ± 0.22%' │ '406.00 ± 3.00' │ '2422762 ± 0.01%' │ '2463054 ± 18335' │ 2255105 │\n│ 2 │ 'fast-uri: parse IPv6' │ '1241.6 ± 1.74%' │ '1131.0 ± 30.00' │ '875177 ± 0.02%' │ '884173 ± 24092' │ 805399 │\n│ 3 │ 'fast-uri: parse URN' │ '689.19 ± 4.29%' │ '618.00 ± 9.00' │ '1598373 ± 0.01%' │ '1618123 ± 23913' │ 1450972 │\n│ 4 │ 'fast-uri: parse URN uuid' │ '1025.4 ± 2.02%' │ '921.00 ± 19.00' │ '1072419 ± 0.02%' │ '1085776 ± 22871' │ 975236 │\n│ 5 │ 'fast-uri: serialize uri' │ '1028.5 ± 0.53%' │ '933.00 ± 43.00' │ '1063310 ± 0.02%' │ '1071811 ± 50523' │ 972249 │\n│ 6 │ 'fast-uri: serialize long uri with dots' │ '1805.1 ± 0.52%' │ '1627.0 ± 17.00' │ '602620 ± 0.02%' │ '614628 ± 6490' │ 553997 │\n│ 7 │ 'fast-uri: serialize IPv6' │ '2569.4 ± 2.69%' │ '2302.0 ± 21.00' │ '426080 ± 0.03%' │ '434405 ± 3999' │ 389194 │\n│ 8 │ 'fast-uri: serialize ws' │ '979.39 ± 0.43%' │ '882.00 ± 8.00' │ '1111665 ± 0.02%' │ '1133787 ± 10378' │ 1021045 │\n│ 9 │ 'fast-uri: resolve' │ '2208.2 ± 1.08%' │ '1980.0 ± 24.00' │ '495001 ± 0.03%' │ '505051 ± 6049' │ 452848 │\n└─────────┴──────────────────────────────────────────┴──────────────────┴──────────────────┴────────────────────────┴────────────────────────┴─────────┘\nuri-js benchmark\n┌─────────┬───────────────────────────────────────┬──────────────────┬──────────────────┬────────────────────────┬────────────────────────┬─────────┐\n│ (index) │ Task name │ Latency avg (ns) │ Latency med (ns) │ Throughput avg (ops/s) │ Throughput med (ops/s) │ Samples │\n├─────────┼───────────────────────────────────────┼──────────────────┼──────────────────┼────────────────────────┼────────────────────────┼─────────┤\n│ 0 │ 'urijs: parse domain' │ '3618.3 ± 0.43%' │ '3314.0 ± 33.00' │ '294875 ± 0.04%' │ '301750 ± 2975' │ 276375 │\n│ 1 │ 'urijs: parse IPv4' │ '4024.1 ± 0.41%' │ '3751.0 ± 25.00' │ '261981 ± 0.04%' │ '266596 ± 1789' │ 248506 │\n│ 2 │ 'urijs: parse IPv6' │ '5417.2 ± 0.46%' │ '4968.0 ± 43.00' │ '196023 ± 0.05%' │ '201288 ± 1727' │ 184598 │\n│ 3 │ 'urijs: parse URN' │ '1324.2 ± 0.23%' │ '1229.0 ± 17.00' │ '801535 ± 0.02%' │ '813670 ± 11413' │ 755185 │\n│ 4 │ 'urijs: parse URN uuid' │ '1822.0 ± 3.08%' │ '1655.0 ± 15.00' │ '594433 ± 0.02%' │ '604230 ± 5427' │ 548843 │\n│ 5 │ 'urijs: serialize uri' │ '4196.8 ± 0.36%' │ '3908.0 ± 27.00' │ '251146 ± 0.04%' │ '255885 ± 1756' │ 238276 │\n│ 6 │ 'urijs: serialize long uri with dots' │ '8331.0 ± 1.30%' │ '7658.0 ± 72.00' │ '126440 ± 0.07%' │ '130582 ± 1239' │ 120034 │\n│ 7 │ 'urijs: serialize IPv6' │ '5685.5 ± 0.30%' │ '5366.0 ± 33.00' │ '182632 ± 0.05%' │ '186359 ± 1153' │ 175886 │\n│ 8 │ 'urijs: serialize ws' │ '4159.3 ± 0.20%' │ '3899.0 ± 28.00' │ '250459 ± 0.04%' │ '256476 ± 1855' │ 240423 │\n│ 9 │ 'urijs: resolve' │ '6729.9 ± 0.39%' │ '6261.0 ± 37.00' │ '156361 ± 0.06%' │ '159719 ± 949' │ 148591 │\n└─────────┴───────────────────────────────────────┴──────────────────┴──────────────────┴────────────────────────┴────────────────────────┴─────────┘\nWHATWG URL benchmark\n┌─────────┬────────────────────────────┬──────────────────┬──────────────────┬────────────────────────┬────────────────────────┬─────────┐\n│ (index) │ Task name │ Latency avg (ns) │ Latency med (ns) │ Throughput avg (ops/s) │ Throughput med (ops/s) │ Samples │\n├─────────┼────────────────────────────┼──────────────────┼──────────────────┼────────────────────────┼────────────────────────┼─────────┤\n│ 0 │ 'WHATWG URL: parse domain' │ '475.22 ± 0.20%' │ '444.00 ± 5.00' │ '2217599 ± 0.01%' │ '2252252 ± 25652' │ 2104289 │\n│ 1 │ 'WHATWG URL: parse URN' │ '384.78 ± 0.85%' │ '350.00 ± 5.00' │ '2809071 ± 0.01%' │ '2857143 ± 41408' │ 2598885 │\n└─────────┴────────────────────────────┴──────────────────┴──────────────────┴────────────────────────┴────────────────────────┴─────────┘\n```\n\n## TODO\n\n- [ ] Support MailTo\n- [ ] Be 100% iso compatible with uri-js\n\n## License\n\nLicensed under [BSD-3-Clause](./LICENSE).\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/fast-uri/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/fdir/README.md ---\n

\n\n\n

The Fastest Directory Crawler & Globber for NodeJS

\n

\n \n \n \n \n \n \n \n \n

\n

\n\n⚡ **The Fastest:** Nothing similar (in the NodeJS world) beats `fdir` in speed. It can easily crawl a directory containing **1 million files in < 1 second.**\n\n💡 **Stupidly Easy:** `fdir` uses expressive Builder pattern to build the crawler increasing code readability.\n\n🤖 **Zero Dependencies\\*:** `fdir` only uses NodeJS `fs` & `path` modules.\n\n🕺 **Astonishingly Small:** < 2KB in size gzipped & minified.\n\n🖮 **Hackable:** Extending `fdir` is extremely simple now that the new Builder API is here. Feel free to experiment around.\n\n_\\* `picomatch` must be installed manually by the user to support globbing._\n\n## 🚄 Quickstart\n\n### Installation\n\nYou can install using `npm`:\n\n```sh\n$ npm i fdir\n```\n\nor Yarn:\n\n```sh\n$ yarn add fdir\n```\n\n### Usage\n\n```ts\nimport { fdir } from \"fdir\";\n\n// create the builder\nconst api = new fdir().withFullPaths().crawl(\"path/to/dir\");\n\n// get all files in a directory synchronously\nconst files = api.sync();\n\n// or asynchronously\napi.withPromise().then((files) => {\n // do something with the result here.\n});\n```\n\n## Documentation:\n\nDocumentation for all methods is available [here](/documentation.md).\n\n## 📊 Benchmarks:\n\nPlease check the benchmark against the latest version [here](/BENCHMARKS.md).\n\n## 🙏Used by:\n\n`fdir` is downloaded over 200k+ times a week by projects around the world. Here's a list of some notable projects using `fdir` in production:\n\n> Note: if you think your project should be here, feel free to open an issue. Notable is anything with a considerable amount of GitHub stars.\n\n1. [rollup/plugins](https://github.com/rollup/plugins)\n2. [SuperchupuDev/tinyglobby](https://github.com/SuperchupuDev/tinyglobby)\n3. [pulumi/pulumi](https://github.com/pulumi/pulumi)\n4. [dotenvx/dotenvx](https://github.com/dotenvx/dotenvx)\n5. [mdn/yari](https://github.com/mdn/yari)\n6. [streetwriters/notesnook](https://github.com/streetwriters/notesnook)\n7. [imba/imba](https://github.com/imba/imba)\n8. [moroshko/react-scanner](https://github.com/moroshko/react-scanner)\n9. [netlify/build](https://github.com/netlify/build)\n10. [yassinedoghri/astro-i18next](https://github.com/yassinedoghri/astro-i18next)\n11. [selfrefactor/rambda](https://github.com/selfrefactor/rambda)\n12. [whyboris/Video-Hub-App](https://github.com/whyboris/Video-Hub-App)\n\n## 🦮 LICENSE\n\nCopyright © 2024 Abdullah Atta under MIT. [Read full text here.](https://github.com/thecodrr/fdir/raw/master/LICENSE)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/fdir/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/finalhandler/README.md ---\n# finalhandler\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][github-actions-ci-image]][github-actions-ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nNode.js function to invoke as the final step to respond to HTTP request.\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install finalhandler\n```\n\n## API\n\n```js\nvar finalhandler = require('finalhandler')\n```\n\n### finalhandler(req, res, [options])\n\nReturns function to be invoked as the final step for the given `req` and `res`.\nThis function is to be invoked as `fn(err)`. If `err` is falsy, the handler will\nwrite out a 404 response to the `res`. If it is truthy, an error response will\nbe written out to the `res` or `res` will be terminated if a response has already\nstarted.\n\nWhen an error is written, the following information is added to the response:\n\n * The `res.statusCode` is set from `err.status` (or `err.statusCode`). If\n this value is outside the 4xx or 5xx range, it will be set to 500.\n * The `res.statusMessage` is set according to the status code.\n * The body will be the HTML of the status code message if `env` is\n `'production'`, otherwise will be `err.stack`.\n * Any headers specified in an `err.headers` object.\n\nThe final handler will also unpipe anything from `req` when it is invoked.\n\n#### options.env\n\nBy default, the environment is determined by `NODE_ENV` variable, but it can be\noverridden by this option.\n\n#### options.onerror\n\nProvide a function to be called with the `err` when it exists. Can be used for\nwriting errors to a central location without excessive function generation. Called\nas `onerror(err, req, res)`.\n\n## Examples\n\n### always 404\n\n```js\nvar finalhandler = require('finalhandler')\nvar http = require('http')\n\nvar server = http.createServer(function (req, res) {\n var done = finalhandler(req, res)\n done()\n})\n\nserver.listen(3000)\n```\n\n### perform simple action\n\n```js\nvar finalhandler = require('finalhandler')\nvar fs = require('fs')\nvar http = require('http')\n\nvar server = http.createServer(function (req, res) {\n var done = finalhandler(req, res)\n\n fs.readFile('index.html', function (err, buf) {\n if (err) return done(err)\n res.setHeader('Content-Type', 'text/html')\n res.end(buf)\n })\n})\n\nserver.listen(3000)\n```\n\n### use with middleware-style functions\n\n```js\nvar finalhandler = require('finalhandler')\nvar http = require('http')\nvar serveStatic = require('serve-static')\n\nvar serve = serveStatic('public')\n\nvar server = http.createServer(function (req, res) {\n var done = finalhandler(req, res)\n serve(req, res, done)\n})\n\nserver.listen(3000)\n```\n\n### keep log of all errors\n\n```js\nvar finalhandler = require('finalhandler')\nvar fs = require('fs')\nvar http = require('http')\n\nvar server = http.createServer(function (req, res) {\n var done = finalhandler(req, res, { onerror: logerror })\n\n fs.readFile('index.html', function (err, buf) {\n if (err) return done(err)\n res.setHeader('Content-Type', 'text/html')\n res.end(buf)\n })\n})\n\nserver.listen(3000)\n\nfunction logerror (err) {\n console.error(err.stack || err.toString())\n}\n```\n\n## License\n\n[MIT](LICENSE)\n\n[npm-image]: https://img.shields.io/npm/v/finalhandler.svg\n[npm-url]: https://npmjs.org/package/finalhandler\n[node-image]: https://img.shields.io/node/v/finalhandler.svg\n[node-url]: https://nodejs.org/en/download\n[coveralls-image]: https://img.shields.io/coveralls/pillarjs/finalhandler.svg\n[coveralls-url]: https://coveralls.io/r/pillarjs/finalhandler?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/finalhandler.svg\n[downloads-url]: https://npmjs.org/package/finalhandler\n[github-actions-ci-image]: https://github.com/pillarjs/finalhandler/actions/workflows/ci.yml/badge.svg\n[github-actions-ci-url]: https://github.com/pillarjs/finalhandler/actions/workflows/ci.yml\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/finalhandler/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/forwarded/README.md ---\n# forwarded\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build Status][ci-image]][ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nParse HTTP X-Forwarded-For header\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install forwarded\n```\n\n## API\n\n```js\nvar forwarded = require('forwarded')\n```\n\n### forwarded(req)\n\n```js\nvar addresses = forwarded(req)\n```\n\nParse the `X-Forwarded-For` header from the request. Returns an array\nof the addresses, including the socket address for the `req`, in reverse\norder (i.e. index `0` is the socket address and the last index is the\nfurthest address, typically the end-user).\n\n## Testing\n\n```sh\n$ npm test\n```\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://badgen.net/github/checks/jshttp/forwarded/master?label=ci\n[ci-url]: https://github.com/jshttp/forwarded/actions?query=workflow%3Aci\n[npm-image]: https://img.shields.io/npm/v/forwarded.svg\n[npm-url]: https://npmjs.org/package/forwarded\n[node-version-image]: https://img.shields.io/node/v/forwarded.svg\n[node-version-url]: https://nodejs.org/en/download/\n[coveralls-image]: https://img.shields.io/coveralls/jshttp/forwarded/master.svg\n[coveralls-url]: https://coveralls.io/r/jshttp/forwarded?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/forwarded.svg\n[downloads-url]: https://npmjs.org/package/forwarded\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/forwarded/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/fresh/README.md ---\n# fresh\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build Status][ci-image]][ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nHTTP response freshness testing\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```\n$ npm install fresh\n```\n\n## API\n\n```js\nvar fresh = require('fresh')\n```\n\n### fresh(reqHeaders, resHeaders)\n\nCheck freshness of the response using request and response headers.\n\nWhen the response is still \"fresh\" in the client's cache `true` is\nreturned, otherwise `false` is returned to indicate that the client\ncache is now stale and the full response should be sent.\n\nWhen a client sends the `Cache-Control: no-cache` request header to\nindicate an end-to-end reload request, this module will return `false`\nto make handling these requests transparent.\n\n## Known Issues\n\nThis module is designed to only follow the HTTP specifications, not\nto work-around all kinda of client bugs (especially since this module\ntypically does not receive enough information to understand what the\nclient actually is).\n\nThere is a known issue that in certain versions of Safari, Safari\nwill incorrectly make a request that allows this module to validate\nfreshness of the resource even when Safari does not have a\nrepresentation of the resource in the cache. The module\n[jumanji](https://www.npmjs.com/package/jumanji) can be used in\nan Express application to work-around this issue and also provides\nlinks to further reading on this Safari bug.\n\n## Example\n\n### API usage\n\n\n\n```js\nvar reqHeaders = { 'if-none-match': '\"foo\"' }\nvar resHeaders = { etag: '\"bar\"' }\nfresh(reqHeaders, resHeaders)\n// => false\n\nvar reqHeaders = { 'if-none-match': '\"foo\"' }\nvar resHeaders = { etag: '\"foo\"' }\nfresh(reqHeaders, resHeaders)\n// => true\n```\n\n### Using with Node.js http server\n\n```js\nvar fresh = require('fresh')\nvar http = require('http')\n\nvar server = http.createServer(function (req, res) {\n // perform server logic\n // ... including adding ETag / Last-Modified response headers\n\n if (isFresh(req, res)) {\n // client has a fresh copy of resource\n res.statusCode = 304\n res.end()\n return\n }\n\n // send the resource\n res.statusCode = 200\n res.end('hello, world!')\n})\n\nfunction isFresh (req, res) {\n return fresh(req.headers, {\n etag: res.getHeader('ETag'),\n 'last-modified': res.getHeader('Last-Modified')\n })\n}\n\nserver.listen(3000)\n```\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://img.shields.io/github/workflow/status/jshttp/fresh/ci/master?label=ci\n[ci-url]: https://github.com/jshttp/fresh/actions/workflows/ci.yml\n[npm-image]: https://img.shields.io/npm/v/fresh.svg\n[npm-url]: https://npmjs.org/package/fresh\n[node-version-image]: https://img.shields.io/node/v/fresh.svg\n[node-version-url]: https://nodejs.org/en/\n[coveralls-image]: https://img.shields.io/coveralls/jshttp/fresh/master.svg\n[coveralls-url]: https://coveralls.io/r/jshttp/fresh?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/fresh.svg\n[downloads-url]: https://npmjs.org/package/fresh\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/fresh/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/function-bind/README.md ---\n# function-bind [![Version Badge][npm-version-svg]][package-url]\n\n[![github actions][actions-image]][actions-url]\n\n[![dependency status][deps-svg]][deps-url]\n[![dev dependency status][dev-deps-svg]][dev-deps-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nImplementation of function.prototype.bind\n\nOld versions of phantomjs, Internet Explorer < 9, and node < 0.6 don't support `Function.prototype.bind`.\n\n## Example\n\n```js\nFunction.prototype.bind = require(\"function-bind\")\n```\n\n## Installation\n\n`npm install function-bind`\n\n## Contributors\n\n - Raynos\n\n## MIT Licenced\n\n[package-url]: https://npmjs.org/package/function-bind\n[npm-version-svg]: https://versionbadg.es/Raynos/function-bind.svg\n[deps-svg]: https://david-dm.org/Raynos/function-bind.svg\n[deps-url]: https://david-dm.org/Raynos/function-bind\n[dev-deps-svg]: https://david-dm.org/Raynos/function-bind/dev-status.svg\n[dev-deps-url]: https://david-dm.org/Raynos/function-bind#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/function-bind.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/function-bind.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/function-bind.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=function-bind\n[codecov-image]: https://codecov.io/gh/Raynos/function-bind/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/Raynos/function-bind/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/Raynos/function-bind\n[actions-url]: https://github.com/Raynos/function-bind/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/function-bind/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/get-intrinsic/README.md ---\n# get-intrinsic [![Version Badge][npm-version-svg]][package-url]\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![dependency status][deps-svg]][deps-url]\n[![dev dependency status][dev-deps-svg]][dev-deps-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nGet and robustly cache all JS language-level intrinsics at first require time.\n\nSee the syntax described [in the JS spec](https://tc39.es/ecma262/#sec-well-known-intrinsic-objects) for reference.\n\n## Example\n\n```js\nvar GetIntrinsic = require('get-intrinsic');\nvar assert = require('assert');\n\n// static methods\nassert.equal(GetIntrinsic('%Math.pow%'), Math.pow);\nassert.equal(Math.pow(2, 3), 8);\nassert.equal(GetIntrinsic('%Math.pow%')(2, 3), 8);\ndelete Math.pow;\nassert.equal(GetIntrinsic('%Math.pow%')(2, 3), 8);\n\n// instance methods\nvar arr = [1];\nassert.equal(GetIntrinsic('%Array.prototype.push%'), Array.prototype.push);\nassert.deepEqual(arr, [1]);\n\narr.push(2);\nassert.deepEqual(arr, [1, 2]);\n\nGetIntrinsic('%Array.prototype.push%').call(arr, 3);\nassert.deepEqual(arr, [1, 2, 3]);\n\ndelete Array.prototype.push;\nGetIntrinsic('%Array.prototype.push%').call(arr, 4);\nassert.deepEqual(arr, [1, 2, 3, 4]);\n\n// missing features\ndelete JSON.parse; // to simulate a real intrinsic that is missing in the environment\nassert.throws(() => GetIntrinsic('%JSON.parse%'));\nassert.equal(undefined, GetIntrinsic('%JSON.parse%', true));\n```\n\n## Tests\nSimply clone the repo, `npm install`, and run `npm test`\n\n## Security\n\nPlease email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.\n\n[package-url]: https://npmjs.org/package/get-intrinsic\n[npm-version-svg]: https://versionbadg.es/ljharb/get-intrinsic.svg\n[deps-svg]: https://david-dm.org/ljharb/get-intrinsic.svg\n[deps-url]: https://david-dm.org/ljharb/get-intrinsic\n[dev-deps-svg]: https://david-dm.org/ljharb/get-intrinsic/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/get-intrinsic#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/get-intrinsic.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/get-intrinsic.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/get-intrinsic.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=get-intrinsic\n[codecov-image]: https://codecov.io/gh/ljharb/get-intrinsic/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/get-intrinsic/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/get-intrinsic\n[actions-url]: https://github.com/ljharb/get-intrinsic/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/get-intrinsic/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/get-proto/README.md ---\n# get-proto [![Version Badge][npm-version-svg]][package-url]\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nRobustly get the [[Prototype]] of an object. Uses the best available method.\n\n## Getting started\n\n```sh\nnpm install --save get-proto\n```\n\n## Usage/Examples\n\n```js\nconst assert = require('assert');\nconst getProto = require('get-proto');\n\nconst a = { a: 1, b: 2, [Symbol.toStringTag]: 'foo' };\nconst b = { c: 3, __proto__: a };\n\nassert.equal(getProto(b), a);\nassert.equal(getProto(a), Object.prototype);\nassert.equal(getProto({ __proto__: null }), null);\n```\n\n## Tests\n\nClone the repo, `npm install`, and run `npm test`\n\n[package-url]: https://npmjs.org/package/get-proto\n[npm-version-svg]: https://versionbadg.es/ljharb/get-proto.svg\n[deps-svg]: https://david-dm.org/ljharb/get-proto.svg\n[deps-url]: https://david-dm.org/ljharb/get-proto\n[dev-deps-svg]: https://david-dm.org/ljharb/get-proto/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/get-proto#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/get-proto.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/get-proto.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/get-proto.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=get-proto\n[codecov-image]: https://codecov.io/gh/ljharb/get-proto/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/get-proto/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/get-proto\n[actions-url]: https://github.com/ljharb/get-proto/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/get-proto/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/gopd/README.md ---\n# gopd [![Version Badge][npm-version-svg]][package-url]\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\n`Object.getOwnPropertyDescriptor`, but accounts for IE's broken implementation.\n\n## Usage\n\n```javascript\nvar gOPD = require('gopd');\nvar assert = require('assert');\n\nif (gOPD) {\n\tassert.equal(typeof gOPD, 'function', 'descriptors supported');\n\t// use gOPD like Object.getOwnPropertyDescriptor here\n} else {\n\tassert.ok(!gOPD, 'descriptors not supported');\n}\n```\n\n[package-url]: https://npmjs.org/package/gopd\n[npm-version-svg]: https://versionbadg.es/ljharb/gopd.svg\n[deps-svg]: https://david-dm.org/ljharb/gopd.svg\n[deps-url]: https://david-dm.org/ljharb/gopd\n[dev-deps-svg]: https://david-dm.org/ljharb/gopd/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/gopd#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/gopd.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/gopd.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/gopd.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=gopd\n[codecov-image]: https://codecov.io/gh/ljharb/gopd/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/gopd/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/gopd\n[actions-url]: https://github.com/ljharb/gopd/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/gopd/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/has-symbols/README.md ---\n# has-symbols [![Version Badge][2]][1]\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![dependency status][5]][6]\n[![dev dependency status][7]][8]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][11]][1]\n\nDetermine if the JS environment has Symbol support. Supports spec, or shams.\n\n## Example\n\n```js\nvar hasSymbols = require('has-symbols');\n\nhasSymbols() === true; // if the environment has native Symbol support. Not polyfillable, not forgeable.\n\nvar hasSymbolsKinda = require('has-symbols/shams');\nhasSymbolsKinda() === true; // if the environment has a Symbol sham that mostly follows the spec.\n```\n\n## Supported Symbol shams\n - get-own-property-symbols [npm](https://www.npmjs.com/package/get-own-property-symbols) | [github](https://github.com/WebReflection/get-own-property-symbols)\n - core-js [npm](https://www.npmjs.com/package/core-js) | [github](https://github.com/zloirock/core-js)\n\n## Tests\nSimply clone the repo, `npm install`, and run `npm test`\n\n[1]: https://npmjs.org/package/has-symbols\n[2]: https://versionbadg.es/inspect-js/has-symbols.svg\n[5]: https://david-dm.org/inspect-js/has-symbols.svg\n[6]: https://david-dm.org/inspect-js/has-symbols\n[7]: https://david-dm.org/inspect-js/has-symbols/dev-status.svg\n[8]: https://david-dm.org/inspect-js/has-symbols#info=devDependencies\n[11]: https://nodei.co/npm/has-symbols.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/has-symbols.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/has-symbols.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=has-symbols\n[codecov-image]: https://codecov.io/gh/inspect-js/has-symbols/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/inspect-js/has-symbols/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/inspect-js/has-symbols\n[actions-url]: https://github.com/inspect-js/has-symbols/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/has-symbols/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/hasown/README.md ---\n# hasown [![Version Badge][npm-version-svg]][package-url]\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nA robust, ES3 compatible, \"has own property\" predicate.\n\n## Example\n\n```js\nconst assert = require('assert');\nconst hasOwn = require('hasown');\n\nassert.equal(hasOwn({}, 'toString'), false);\nassert.equal(hasOwn([], 'length'), true);\nassert.equal(hasOwn({ a: 42 }, 'a'), true);\n```\n\n## Tests\nSimply clone the repo, `npm install`, and run `npm test`\n\n[package-url]: https://npmjs.org/package/hasown\n[npm-version-svg]: https://versionbadg.es/inspect-js/hasown.svg\n[deps-svg]: https://david-dm.org/inspect-js/hasOwn.svg\n[deps-url]: https://david-dm.org/inspect-js/hasOwn\n[dev-deps-svg]: https://david-dm.org/inspect-js/hasOwn/dev-status.svg\n[dev-deps-url]: https://david-dm.org/inspect-js/hasOwn#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/hasown.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/hasown.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/hasown.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=hasown\n[codecov-image]: https://codecov.io/gh/inspect-js/hasOwn/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/inspect-js/hasOwn/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/inspect-js/hasOwn\n[actions-url]: https://github.com/inspect-js/hasOwn/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/hasown/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/http-errors/README.md ---\n# http-errors\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][node-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][ci-image]][ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nCreate HTTP errors for Express, Koa, Connect, etc. with ease.\n\n## Install\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```console\n$ npm install http-errors\n```\n\n## Example\n\n```js\nvar createError = require('http-errors')\nvar express = require('express')\nvar app = express()\n\napp.use(function (req, res, next) {\n if (!req.user) return next(createError(401, 'Please login to view this page.'))\n next()\n})\n```\n\n## API\n\nThis is the current API, currently extracted from Koa and subject to change.\n\n### Error Properties\n\n- `expose` - can be used to signal if `message` should be sent to the client,\n defaulting to `false` when `status` >= 500\n- `headers` - can be an object of header names to values to be sent to the\n client, defaulting to `undefined`. When defined, the key names should all\n be lower-cased\n- `message` - the traditional error message, which should be kept short and all\n single line\n- `status` - the status code of the error, mirroring `statusCode` for general\n compatibility\n- `statusCode` - the status code of the error, defaulting to `500`\n\n### createError([status], [message], [properties])\n\nCreate a new error object with the given message `msg`.\nThe error object inherits from `createError.HttpError`.\n\n```js\nvar err = createError(404, 'This video does not exist!')\n```\n\n- `status: 500` - the status code as a number\n- `message` - the message of the error, defaulting to node's text for that status code.\n- `properties` - custom properties to attach to the object\n\n### createError([status], [error], [properties])\n\nExtend the given `error` object with `createError.HttpError`\nproperties. This will not alter the inheritance of the given\n`error` object, and the modified `error` object is the\nreturn value.\n\n\n\n```js\nfs.readFile('foo.txt', function (err, buf) {\n if (err) {\n if (err.code === 'ENOENT') {\n var httpError = createError(404, err, { expose: false })\n } else {\n var httpError = createError(500, err)\n }\n }\n})\n```\n\n- `status` - the status code as a number\n- `error` - the error object to extend\n- `properties` - custom properties to attach to the object\n\n### createError.isHttpError(val)\n\nDetermine if the provided `val` is an `HttpError`. This will return `true`\nif the error inherits from the `HttpError` constructor of this module or\nmatches the \"duck type\" for an error this module creates. All outputs from\nthe `createError` factory will return `true` for this function, including\nif an non-`HttpError` was passed into the factory.\n\n### new createError\\[code || name\\](\\[msg]\\))\n\nCreate a new error object with the given message `msg`.\nThe error object inherits from `createError.HttpError`.\n\n```js\nvar err = new createError.NotFound()\n```\n\n- `code` - the status code as a number\n- `name` - the name of the error as a \"bumpy case\", i.e. `NotFound` or `InternalServerError`.\n\n#### List of all constructors\n\n|Status Code|Constructor Name |\n|-----------|-----------------------------|\n|400 |BadRequest |\n|401 |Unauthorized |\n|402 |PaymentRequired |\n|403 |Forbidden |\n|404 |NotFound |\n|405 |MethodNotAllowed |\n|406 |NotAcceptable |\n|407 |ProxyAuthenticationRequired |\n|408 |RequestTimeout |\n|409 |Conflict |\n|410 |Gone |\n|411 |LengthRequired |\n|412 |PreconditionFailed |\n|413 |PayloadTooLarge |\n|414 |URITooLong |\n|415 |UnsupportedMediaType |\n|416 |RangeNotSatisfiable |\n|417 |ExpectationFailed |\n|418 |ImATeapot |\n|421 |MisdirectedRequest |\n|422 |UnprocessableEntity |\n|423 |Locked |\n|424 |FailedDependency |\n|425 |TooEarly |\n|426 |UpgradeRequired |\n|428 |PreconditionRequired |\n|429 |TooManyRequests |\n|431 |RequestHeaderFieldsTooLarge |\n|451 |UnavailableForLegalReasons |\n|500 |InternalServerError |\n|501 |NotImplemented |\n|502 |BadGateway |\n|503 |ServiceUnavailable |\n|504 |GatewayTimeout |\n|505 |HTTPVersionNotSupported |\n|506 |VariantAlsoNegotiates |\n|507 |InsufficientStorage |\n|508 |LoopDetected |\n|509 |BandwidthLimitExceeded |\n|510 |NotExtended |\n|511 |NetworkAuthenticationRequired|\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://badgen.net/github/checks/jshttp/http-errors/master?label=ci\n[ci-url]: https://github.com/jshttp/http-errors/actions?query=workflow%3Aci\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/http-errors/master\n[coveralls-url]: https://coveralls.io/r/jshttp/http-errors?branch=master\n[node-image]: https://badgen.net/npm/node/http-errors\n[node-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/http-errors\n[npm-url]: https://npmjs.org/package/http-errors\n[npm-version-image]: https://badgen.net/npm/v/http-errors\n[travis-image]: https://badgen.net/travis/jshttp/http-errors/master\n[travis-url]: https://travis-ci.org/jshttp/http-errors\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/http-errors/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/iconv-lite/README.md ---\n## iconv-lite: Pure JS character encoding conversion\n\n * No need for native code compilation. Quick to install, works on Windows and in sandboxed environments like [Cloud9](http://c9.io).\n * Used in popular projects like [Express.js (body_parser)](https://github.com/expressjs/body-parser), \n [Grunt](http://gruntjs.com/), [Nodemailer](http://www.nodemailer.com/), [Yeoman](http://yeoman.io/) and others.\n * Faster than [node-iconv](https://github.com/bnoordhuis/node-iconv) (see below for performance comparison).\n * Intuitive encode/decode API, including Streaming support.\n * In-browser usage via [browserify](https://github.com/substack/node-browserify) or [webpack](https://webpack.js.org/) (~180kb gzip compressed with Buffer shim included).\n * Typescript [type definition file](https://github.com/ashtuchkin/iconv-lite/blob/master/lib/index.d.ts) included.\n * React Native is supported (need to install `stream` module to enable Streaming API).\n * License: MIT.\n\n[![NPM Stats](https://nodei.co/npm/iconv-lite.png)](https://npmjs.org/package/iconv-lite/) \n[![Build Status](https://travis-ci.org/ashtuchkin/iconv-lite.svg?branch=master)](https://travis-ci.org/ashtuchkin/iconv-lite)\n[![npm](https://img.shields.io/npm/v/iconv-lite.svg)](https://npmjs.org/package/iconv-lite/)\n[![npm downloads](https://img.shields.io/npm/dm/iconv-lite.svg)](https://npmjs.org/package/iconv-lite/)\n[![npm bundle size](https://img.shields.io/bundlephobia/min/iconv-lite.svg)](https://npmjs.org/package/iconv-lite/)\n\n## Usage\n### Basic API\n```javascript\nvar iconv = require('iconv-lite');\n\n// Convert from an encoded buffer to a js string.\nstr = iconv.decode(Buffer.from([0x68, 0x65, 0x6c, 0x6c, 0x6f]), 'win1251');\n\n// Convert from a js string to an encoded buffer.\nbuf = iconv.encode(\"Sample input string\", 'win1251');\n\n// Check if encoding is supported\niconv.encodingExists(\"us-ascii\")\n```\n\n### Streaming API\n```javascript\n\n// Decode stream (from binary data stream to js strings)\nhttp.createServer(function(req, res) {\n var converterStream = iconv.decodeStream('win1251');\n req.pipe(converterStream);\n\n converterStream.on('data', function(str) {\n console.log(str); // Do something with decoded strings, chunk-by-chunk.\n });\n});\n\n// Convert encoding streaming example\nfs.createReadStream('file-in-win1251.txt')\n .pipe(iconv.decodeStream('win1251'))\n .pipe(iconv.encodeStream('ucs2'))\n .pipe(fs.createWriteStream('file-in-ucs2.txt'));\n\n// Sugar: all encode/decode streams have .collect(cb) method to accumulate data.\nhttp.createServer(function(req, res) {\n req.pipe(iconv.decodeStream('win1251')).collect(function(err, body) {\n assert(typeof body == 'string');\n console.log(body); // full request body string\n });\n});\n```\n\n## Supported encodings\n\n * All node.js native encodings: utf8, ucs2 / utf16-le, ascii, binary, base64, hex.\n * Additional unicode encodings: utf16, utf16-be, utf-7, utf-7-imap, utf32, utf32-le, and utf32-be.\n * All widespread singlebyte encodings: Windows 125x family, ISO-8859 family, \n IBM/DOS codepages, Macintosh family, KOI8 family, all others supported by iconv library. \n Aliases like 'latin1', 'us-ascii' also supported.\n * All widespread multibyte encodings: CP932, CP936, CP949, CP950, GB2312, GBK, GB18030, Big5, Shift_JIS, EUC-JP.\n\nSee [all supported encodings on wiki](https://github.com/ashtuchkin/iconv-lite/wiki/Supported-Encodings).\n\nMost singlebyte encodings are generated automatically from [node-iconv](https://github.com/bnoordhuis/node-iconv). Thank you Ben Noordhuis and libiconv authors!\n\nMultibyte encodings are generated from [Unicode.org mappings](http://www.unicode.org/Public/MAPPINGS/) and [WHATWG Encoding Standard mappings](http://encoding.spec.whatwg.org/). Thank you, respective authors!\n\n\n## Encoding/decoding speed\n\nComparison with node-iconv module (1000x256kb, on MacBook Pro, Core i5/2.6 GHz, Node v0.12.0). \nNote: your results may vary, so please always check on your hardware.\n\n operation iconv@2.1.4 iconv-lite@0.4.7\n ----------------------------------------------------------\n encode('win1251') ~96 Mb/s ~320 Mb/s\n decode('win1251') ~95 Mb/s ~246 Mb/s\n\n## BOM handling\n\n * Decoding: BOM is stripped by default, unless overridden by passing `stripBOM: false` in options\n (f.ex. `iconv.decode(buf, enc, {stripBOM: false})`).\n A callback might also be given as a `stripBOM` parameter - it'll be called if BOM character was actually found.\n * If you want to detect UTF-8 BOM when decoding other encodings, use [node-autodetect-decoder-stream](https://github.com/danielgindi/node-autodetect-decoder-stream) module.\n * Encoding: No BOM added, unless overridden by `addBOM: true` option.\n\n## UTF-16 Encodings\n\nThis library supports UTF-16LE, UTF-16BE and UTF-16 encodings. First two are straightforward, but UTF-16 is trying to be\nsmart about endianness in the following ways:\n * Decoding: uses BOM and 'spaces heuristic' to determine input endianness. Default is UTF-16LE, but can be \n overridden with `defaultEncoding: 'utf-16be'` option. Strips BOM unless `stripBOM: false`.\n * Encoding: uses UTF-16LE and writes BOM by default. Use `addBOM: false` to override.\n\n## UTF-32 Encodings\n\nThis library supports UTF-32LE, UTF-32BE and UTF-32 encodings. Like the UTF-16 encoding above, UTF-32 defaults to UTF-32LE, but uses BOM and 'spaces heuristics' to determine input endianness. \n * The default of UTF-32LE can be overridden with the `defaultEncoding: 'utf-32be'` option. Strips BOM unless `stripBOM: false`.\n * Encoding: uses UTF-32LE and writes BOM by default. Use `addBOM: false` to override. (`defaultEncoding: 'utf-32be'` can also be used here to change encoding.)\n\n## Other notes\n\nWhen decoding, be sure to supply a Buffer to decode() method, otherwise [bad things usually happen](https://github.com/ashtuchkin/iconv-lite/wiki/Use-Buffers-when-decoding). \nUntranslatable characters are set to � or ?. No transliteration is currently supported. \nNode versions 0.10.31 and 0.11.13 are buggy, don't use them (see #65, #77). \n\n## Testing\n\n```bash\n$ git clone git@github.com:ashtuchkin/iconv-lite.git\n$ cd iconv-lite\n$ npm install\n$ npm test\n \n$ # To view performance:\n$ node test/performance.js\n\n$ # To view test coverage:\n$ npm run coverage\n$ open coverage/lcov-report/index.html\n```\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/iconv-lite/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/inherits/README.md ---\nBrowser-friendly inheritance fully compatible with standard node.js\n[inherits](http://nodejs.org/api/util.html#util_util_inherits_constructor_superconstructor).\n\nThis package exports standard `inherits` from node.js `util` module in\nnode environment, but also provides alternative browser-friendly\nimplementation through [browser\nfield](https://gist.github.com/shtylman/4339901). Alternative\nimplementation is a literal copy of standard one located in standalone\nmodule to avoid requiring of `util`. It also has a shim for old\nbrowsers with no `Object.create` support.\n\nWhile keeping you sure you are using standard `inherits`\nimplementation in node.js environment, it allows bundlers such as\n[browserify](https://github.com/substack/node-browserify) to not\ninclude full `util` package to your client code if all you need is\njust `inherits` function. It worth, because browser shim for `util`\npackage is large and `inherits` is often the single function you need\nfrom it.\n\nIt's recommended to use this package instead of\n`require('util').inherits` for any code that has chances to be used\nnot only in node.js but in browser too.\n\n## usage\n\n```js\nvar inherits = require('inherits');\n// then use exactly as the standard one\n```\n\n## note on version ~1.0\n\nVersion ~1.0 had completely different motivation and is not compatible\nneither with 2.0 nor with standard node.js `inherits`.\n\nIf you are using version ~1.0 and planning to switch to ~2.0, be\ncareful:\n\n* new version uses `super_` instead of `super` for referencing\n superclass\n* new version overwrites current prototype while old one preserves any\n existing fields on it\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/inherits/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/ipaddr.js/README.md ---\n# ipaddr.js — an IPv6 and IPv4 address manipulation library [![Build Status](https://travis-ci.org/whitequark/ipaddr.js.svg)](https://travis-ci.org/whitequark/ipaddr.js)\n\nipaddr.js is a small (1.9K minified and gzipped) library for manipulating\nIP addresses in JavaScript environments. It runs on both CommonJS runtimes\n(e.g. [nodejs]) and in a web browser.\n\nipaddr.js allows you to verify and parse string representation of an IP\naddress, match it against a CIDR range or range list, determine if it falls\ninto some reserved ranges (examples include loopback and private ranges),\nand convert between IPv4 and IPv4-mapped IPv6 addresses.\n\n[nodejs]: http://nodejs.org\n\n## Installation\n\n`npm install ipaddr.js`\n\nor\n\n`bower install ipaddr.js`\n\n## API\n\nipaddr.js defines one object in the global scope: `ipaddr`. In CommonJS,\nit is exported from the module:\n\n```js\nvar ipaddr = require('ipaddr.js');\n```\n\nThe API consists of several global methods and two classes: ipaddr.IPv6 and ipaddr.IPv4.\n\n### Global methods\n\nThere are three global methods defined: `ipaddr.isValid`, `ipaddr.parse` and\n`ipaddr.process`. All of them receive a string as a single parameter.\n\nThe `ipaddr.isValid` method returns `true` if the address is a valid IPv4 or\nIPv6 address, and `false` otherwise. It does not throw any exceptions.\n\nThe `ipaddr.parse` method returns an object representing the IP address,\nor throws an `Error` if the passed string is not a valid representation of an\nIP address.\n\nThe `ipaddr.process` method works just like the `ipaddr.parse` one, but it\nautomatically converts IPv4-mapped IPv6 addresses to their IPv4 counterparts\nbefore returning. It is useful when you have a Node.js instance listening\non an IPv6 socket, and the `net.ivp6.bindv6only` sysctl parameter (or its\nequivalent on non-Linux OS) is set to 0. In this case, you can accept IPv4\nconnections on your IPv6-only socket, but the remote address will be mangled.\nUse `ipaddr.process` method to automatically demangle it.\n\n### Object representation\n\nParsing methods return an object which descends from `ipaddr.IPv6` or\n`ipaddr.IPv4`. These objects share some properties, but most of them differ.\n\n#### Shared properties\n\nOne can determine the type of address by calling `addr.kind()`. It will return\neither `\"ipv6\"` or `\"ipv4\"`.\n\nAn address can be converted back to its string representation with `addr.toString()`.\nNote that this method:\n * does not return the original string used to create the object (in fact, there is\n no way of getting that string)\n * returns a compact representation (when it is applicable)\n\nA `match(range, bits)` method can be used to check if the address falls into a\ncertain CIDR range.\nNote that an address can be (obviously) matched only against an address of the same type.\n\nFor example:\n\n```js\nvar addr = ipaddr.parse(\"2001:db8:1234::1\");\nvar range = ipaddr.parse(\"2001:db8::\");\n\naddr.match(range, 32); // => true\n```\n\nAlternatively, `match` can also be called as `match([range, bits])`. In this way,\nit can be used together with the `parseCIDR(string)` method, which parses an IP\naddress together with a CIDR range.\n\nFor example:\n\n```js\nvar addr = ipaddr.parse(\"2001:db8:1234::1\");\n\naddr.match(ipaddr.parseCIDR(\"2001:db8::/32\")); // => true\n```\n\nA `range()` method returns one of predefined names for several special ranges defined\nby IP protocols. The exact names (and their respective CIDR ranges) can be looked up\nin the source: [IPv6 ranges] and [IPv4 ranges]. Some common ones include `\"unicast\"`\n(the default one) and `\"reserved\"`.\n\nYou can match against your own range list by using\n`ipaddr.subnetMatch(address, rangeList, defaultName)` method. It can work with a mix of IPv6 or IPv4 addresses, and accepts a name-to-subnet map as the range list. For example:\n\n```js\nvar rangeList = {\n documentationOnly: [ ipaddr.parse('2001:db8::'), 32 ],\n tunnelProviders: [\n [ ipaddr.parse('2001:470::'), 32 ], // he.net\n [ ipaddr.parse('2001:5c0::'), 32 ] // freenet6\n ]\n};\nipaddr.subnetMatch(ipaddr.parse('2001:470:8:66::1'), rangeList, 'unknown'); // => \"tunnelProviders\"\n```\n\nThe addresses can be converted to their byte representation with `toByteArray()`.\n(Actually, JavaScript mostly does not know about byte buffers. They are emulated with\narrays of numbers, each in range of 0..255.)\n\n```js\nvar bytes = ipaddr.parse('2a00:1450:8007::68').toByteArray(); // ipv6.google.com\nbytes // => [42, 0x00, 0x14, 0x50, 0x80, 0x07, 0x00, , 0x00, 0x68 ]\n```\n\nThe `ipaddr.IPv4` and `ipaddr.IPv6` objects have some methods defined, too. All of them\nhave the same interface for both protocols, and are similar to global methods.\n\n`ipaddr.IPvX.isValid(string)` can be used to check if the string is a valid address\nfor particular protocol, and `ipaddr.IPvX.parse(string)` is the error-throwing parser.\n\n`ipaddr.IPvX.isValid(string)` uses the same format for parsing as the POSIX `inet_ntoa` function, which accepts unusual formats like `0xc0.168.1.1` or `0x10000000`. The function `ipaddr.IPv4.isValidFourPartDecimal(string)` validates the IPv4 address and also ensures that it is written in four-part decimal format.\n\n[IPv6 ranges]: https://github.com/whitequark/ipaddr.js/blob/master/src/ipaddr.coffee#L186\n[IPv4 ranges]: https://github.com/whitequark/ipaddr.js/blob/master/src/ipaddr.coffee#L71\n\n#### IPv6 properties\n\nSometimes you will want to convert IPv6 not to a compact string representation (with\nthe `::` substitution); the `toNormalizedString()` method will return an address where\nall zeroes are explicit.\n\nFor example:\n\n```js\nvar addr = ipaddr.parse(\"2001:0db8::0001\");\naddr.toString(); // => \"2001:db8::1\"\naddr.toNormalizedString(); // => \"2001:db8:0:0:0:0:0:1\"\n```\n\nThe `isIPv4MappedAddress()` method will return `true` if this address is an IPv4-mapped\none, and `toIPv4Address()` will return an IPv4 object address.\n\nTo access the underlying binary representation of the address, use `addr.parts`.\n\n```js\nvar addr = ipaddr.parse(\"2001:db8:10::1234:DEAD\");\naddr.parts // => [0x2001, 0xdb8, 0x10, 0, 0, 0, 0x1234, 0xdead]\n```\n\nA IPv6 zone index can be accessed via `addr.zoneId`:\n\n```js\nvar addr = ipaddr.parse(\"2001:db8::%eth0\");\naddr.zoneId // => 'eth0'\n```\n\n#### IPv4 properties\n\n`toIPv4MappedAddress()` will return a corresponding IPv4-mapped IPv6 address.\n\nTo access the underlying representation of the address, use `addr.octets`.\n\n```js\nvar addr = ipaddr.parse(\"192.168.1.1\");\naddr.octets // => [192, 168, 1, 1]\n```\n\n`prefixLengthFromSubnetMask()` will return a CIDR prefix length for a valid IPv4 netmask or\nnull if the netmask is not valid.\n\n```js\nipaddr.IPv4.parse('255.255.255.240').prefixLengthFromSubnetMask() == 28\nipaddr.IPv4.parse('255.192.164.0').prefixLengthFromSubnetMask() == null\n```\n\n`subnetMaskFromPrefixLength()` will return an IPv4 netmask for a valid CIDR prefix length.\n\n```js\nipaddr.IPv4.subnetMaskFromPrefixLength(24) == \"255.255.255.0\"\nipaddr.IPv4.subnetMaskFromPrefixLength(29) == \"255.255.255.248\"\n```\n\n`broadcastAddressFromCIDR()` will return the broadcast address for a given IPv4 interface and netmask in CIDR notation.\n```js\nipaddr.IPv4.broadcastAddressFromCIDR(\"172.0.0.1/24\") == \"172.0.0.255\"\n```\n`networkAddressFromCIDR()` will return the network address for a given IPv4 interface and netmask in CIDR notation.\n```js\nipaddr.IPv4.networkAddressFromCIDR(\"172.0.0.1/24\") == \"172.0.0.0\"\n```\n\n#### Conversion\n\nIPv4 and IPv6 can be converted bidirectionally to and from network byte order (MSB) byte arrays.\n\nThe `fromByteArray()` method will take an array and create an appropriate IPv4 or IPv6 object\nif the input satisfies the requirements. For IPv4 it has to be an array of four 8-bit values,\nwhile for IPv6 it has to be an array of sixteen 8-bit values.\n\nFor example:\n```js\nvar addr = ipaddr.fromByteArray([0x7f, 0, 0, 1]);\naddr.toString(); // => \"127.0.0.1\"\n```\n\nor\n\n```js\nvar addr = ipaddr.fromByteArray([0x20, 1, 0xd, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1])\naddr.toString(); // => \"2001:db8::1\"\n```\n\nBoth objects also offer a `toByteArray()` method, which returns an array in network byte order (MSB).\n\nFor example:\n```js\nvar addr = ipaddr.parse(\"127.0.0.1\");\naddr.toByteArray(); // => [0x7f, 0, 0, 1]\n```\n\nor\n\n```js\nvar addr = ipaddr.parse(\"2001:db8::1\");\naddr.toByteArray(); // => [0x20, 1, 0xd, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1]\n```\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/ipaddr.js/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/isexe/README.md ---\n# isexe\n\nMinimal module to check if a file is executable, and a normal file.\n\nUses `fs.stat` and tests against the `PATHEXT` environment variable on\nWindows.\n\n## USAGE\n\n```javascript\nvar isexe = require('isexe')\nisexe('some-file-name', function (err, isExe) {\n if (err) {\n console.error('probably file does not exist or something', err)\n } else if (isExe) {\n console.error('this thing can be run')\n } else {\n console.error('cannot be run')\n }\n})\n\n// same thing but synchronous, throws errors\nvar isExe = isexe.sync('some-file-name')\n\n// treat errors as just \"not executable\"\nisexe('maybe-missing-file', { ignoreErrors: true }, callback)\nvar isExe = isexe.sync('maybe-missing-file', { ignoreErrors: true })\n```\n\n## API\n\n### `isexe(path, [options], [callback])`\n\nCheck if the path is executable. If no callback provided, and a\nglobal `Promise` object is available, then a Promise will be returned.\n\nWill raise whatever errors may be raised by `fs.stat`, unless\n`options.ignoreErrors` is set to true.\n\n### `isexe.sync(path, [options])`\n\nSame as `isexe` but returns the value and throws any errors raised.\n\n### Options\n\n* `ignoreErrors` Treat all errors as \"no, this is not executable\", but\n don't raise them.\n* `uid` Number to use as the user id\n* `gid` Number to use as the group id\n* `pathExt` List of path extensions to use instead of `PATHEXT`\n environment variable on Windows.\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/isexe/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/jose/README.md ---\n# jose\n\n`jose` is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. The module is designed to work across various Web-interoperable runtimes including Node.js, browsers, Cloudflare Workers, Deno, Bun, and others.\n\n## Sponsor\n\n\n \n \n \"Auth0\n\n\nIf you want to quickly add JWT authentication to JavaScript apps, feel free to check out Auth0's JavaScript SDK and free plan. [Create an Auth0 account; it's free!][sponsor-auth0]

\n\n## [💗 Help the project](https://github.com/sponsors/panva)\n\nSupport from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva).\n\n## Dependencies: 0\n\n`jose` has no dependencies and it exports tree-shakeable ESM[^cjs].\n\n## Documentation\n\n`jose` is distributed via [npmjs.com](https://www.npmjs.com/package/jose), [jsr.io](https://jsr.io/@panva/jose), [jsdelivr.com](https://www.jsdelivr.com/package/npm/jose), and [github.com](https://github.com/panva/jose).\n\n**`example`** ESM import[^cjs]\n\n```js\nimport * as jose from 'jose'\n```\n\n### JSON Web Tokens (JWT)\n\nThe `jose` module supports JSON Web Tokens (JWT) and provides functionality for signing and verifying tokens, as well as their JWT Claims Set validation.\n\n- [JWT Claims Set Validation & Signature Verification](docs/jwt/verify/functions/jwtVerify.md) using the `jwtVerify` function\n - [Using a remote JSON Web Key Set (JWKS)](docs/jwks/remote/functions/createRemoteJWKSet.md)\n - [Using a local JSON Web Key Set (JWKS)](docs/jwks/local/functions/createLocalJWKSet.md)\n- [Signing](docs/jwt/sign/classes/SignJWT.md) using the `SignJWT` class\n- Utility functions\n - [Decoding Token's Protected Header](docs/util/decode_protected_header/functions/decodeProtectedHeader.md)\n - [Decoding JWT Claims Set](docs/util/decode_jwt/functions/decodeJwt.md) prior to its validation\n\n### Encrypted JSON Web Tokens\n\nThe `jose` module supports encrypted JSON Web Tokens and provides functionality for encrypting and decrypting tokens, as well as their JWT Claims Set validation.\n\n- [Decryption & JWT Claims Set Validation](docs/jwt/decrypt/functions/jwtDecrypt.md) using the `jwtDecrypt` function\n- [Encryption](docs/jwt/encrypt/classes/EncryptJWT.md) using the `EncryptJWT` class\n- Utility functions\n - [Decoding Token's Protected Header](docs/util/decode_protected_header/functions/decodeProtectedHeader.md)\n\n### Key Utilities\n\nThe `jose` module supports importing, exporting, and generating keys and secrets in various formats, including PEM formats like SPKI, X.509 certificate, and PKCS #8, as well as JSON Web Key (JWK).\n\n- Key Import Functions\n - [JWK Import](docs/key/import/functions/importJWK.md)\n - [Public Key Import (SPKI)](docs/key/import/functions/importSPKI.md)\n - [Public Key Import (X.509 Certificate)](docs/key/import/functions/importX509.md)\n - [Private Key Import (PKCS #8)](docs/key/import/functions/importPKCS8.md)\n- Key and Secret Generation Functions\n - [Asymmetric Key Pair Generation](docs/key/generate_key_pair/functions/generateKeyPair.md)\n - [Symmetric Secret Generation](docs/key/generate_secret/functions/generateSecret.md)\n- Key Export Functions\n - [JWK Export](docs/key/export/functions/exportJWK.md)\n - [Private Key Export](docs/key/export/functions/exportPKCS8.md)\n - [Public Key Export](docs/key/export/functions/exportSPKI.md)\n\n### JSON Web Signature (JWS)\n\nThe `jose` module supports signing and verification of JWS messages with arbitrary payloads in Compact, Flattened JSON, and General JSON serialization syntaxes.\n\n- Signing - [Compact](docs/jws/compact/sign/classes/CompactSign.md), [Flattened JSON](docs/jws/flattened/sign/classes/FlattenedSign.md), [General JSON](docs/jws/general/sign/classes/GeneralSign.md)\n- Verification - [Compact](docs/jws/compact/verify/functions/compactVerify.md), [Flattened JSON](docs/jws/flattened/verify/functions/flattenedVerify.md), [General JSON](docs/jws/general/verify/functions/generalVerify.md)\n - [Using a remote JSON Web Key Set (JWKS)](docs/jwks/remote/functions/createRemoteJWKSet.md)\n - [Using a local JSON Web Key Set (JWKS)](docs/jwks/local/functions/createLocalJWKSet.md)\n- Utility functions\n - [Decoding Token's Protected Header](docs/util/decode_protected_header/functions/decodeProtectedHeader.md)\n\n### JSON Web Encryption (JWE)\n\nThe `jose` module supports encryption and decryption of JWE messages with arbitrary plaintext in Compact, Flattened JSON, and General JSON serialization syntaxes.\n\n- Encryption - [Compact](docs/jwe/compact/encrypt/classes/CompactEncrypt.md), [Flattened JSON](docs/jwe/flattened/encrypt/classes/FlattenedEncrypt.md), [General JSON](docs/jwe/general/encrypt/classes/GeneralEncrypt.md)\n- Decryption - [Compact](docs/jwe/compact/decrypt/functions/compactDecrypt.md), [Flattened JSON](docs/jwe/flattened/decrypt/functions/flattenedDecrypt.md), [General JSON](docs/jwe/general/decrypt/functions/generalDecrypt.md)\n- Utility functions\n - [Decoding Token's Protected Header](docs/util/decode_protected_header/functions/decodeProtectedHeader.md)\n\n### Other\n\nThe following are additional features and utilities provided by the `jose` module:\n\n- [Calculating JWK Thumbprint](docs/jwk/thumbprint/functions/calculateJwkThumbprint.md)\n- [Calculating JWK Thumbprint URI](docs/jwk/thumbprint/functions/calculateJwkThumbprintUri.md)\n- [Verification using a JWK Embedded in a JWS Header](docs/jwk/embedded/functions/EmbeddedJWK.md)\n- [Unsecured JWT](docs/jwt/unsecured/classes/UnsecuredJWT.md)\n- [JOSE Errors](docs/util/errors/README.md)\n\n## Supported Runtimes\n\nThe `jose` module is compatible with JavaScript runtimes that support the utilized Web API globals and standard built-in objects or are Node.js.\n\nThe following runtimes are supported _(this is not an exhaustive list)_:\n\n- [Bun](https://github.com/panva/jose/issues/471)\n- [Browsers](https://github.com/panva/jose/issues/263)\n- [Cloudflare Workers](https://github.com/panva/jose/issues/265)\n- [Deno](https://github.com/panva/jose/issues/266)\n- [Electron](https://github.com/panva/jose/issues/264)\n- [Node.js](https://github.com/panva/jose/issues/262)\n\nPlease note that certain algorithms may not be available depending on the runtime used. You can find a list of available algorithms for each runtime in the specific issue links provided above.\n\n## Supported Versions\n\n| Version | Security Fixes 🔑 | Other Bug Fixes 🐞 | New Features ⭐ | Runtime and Module type |\n| ----------------------------------------------- | ----------------- | ------------------ | --------------- | ------------------------------- |\n| [v6.x](https://github.com/panva/jose/tree/v6.x) | [Security Policy] | ✅ | ✅ | Universal[^universal] ESM[^cjs] |\n| [v5.x](https://github.com/panva/jose/tree/v5.x) | [Security Policy] | ❌ | ❌ | Universal[^universal] CJS + ESM |\n| [v4.x](https://github.com/panva/jose/tree/v4.x) | [Security Policy] | ❌ | ❌ | Universal[^universal] CJS + ESM |\n| [v2.x](https://github.com/panva/jose/tree/v2.x) | [Security Policy] | ❌ | ❌ | Node.js CJS |\n\n## Specifications\n\n
\nDetails\n\n- JSON Web Signature (JWS) - [RFC7515](https://www.rfc-editor.org/rfc/rfc7515)\n- JSON Web Encryption (JWE) - [RFC7516](https://www.rfc-editor.org/rfc/rfc7516)\n- JSON Web Key (JWK) - [RFC7517](https://www.rfc-editor.org/rfc/rfc7517)\n- JSON Web Algorithms (JWA) - [RFC7518](https://www.rfc-editor.org/rfc/rfc7518)\n- JSON Web Token (JWT) - [RFC7519](https://www.rfc-editor.org/rfc/rfc7519)\n- JSON Web Key Thumbprint - [RFC7638](https://www.rfc-editor.org/rfc/rfc7638)\n- JSON Web Key Thumbprint URI - [RFC9278](https://www.rfc-editor.org/rfc/rfc9278)\n- JWS Unencoded Payload Option - [RFC7797](https://www.rfc-editor.org/rfc/rfc7797)\n- CFRG Elliptic Curve ECDH and Signatures - [RFC8037](https://www.rfc-editor.org/rfc/rfc8037)\n- Fully-Specified Algorithms for JOSE - [RFC9864](https://www.rfc-editor.org/rfc/rfc9864.html)\n- ML-DSA for JOSE - [draft-ietf-cose-dilithium-10](https://www.ietf.org/archive/id/draft-ietf-cose-dilithium-10.html)\n\nThe algorithm implementations in `jose` have been tested using test vectors from their respective specifications as well as [RFC7520](https://www.rfc-editor.org/rfc/rfc7520).\n\n
\n\n[sponsor-auth0]: https://a0.to/signup/panva\n[WebCryptoAPI]: https://w3c.github.io/webcrypto/\n[Fetch API]: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API\n[Security Policy]: https://github.com/panva/jose/security/policy\n\n[^cjs]: CJS style `let jose = require('jose')` is possible in Node.js versions where the `require(esm)` feature is enabled by default (^20.19.0 || ^22.12.0 || >= 23.0.0).\n\n[^universal]: Assumes runtime support of [WebCryptoAPI][] and [Fetch API][]\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/jose/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/js-tokens/README.md ---\n# js-tokens\n\nThe tiny, regex powered, lenient, _almost_ spec-compliant JavaScript tokenizer that never fails.\n\n```js\nconst jsTokens = require(\"js-tokens\");\n\nconst jsString = 'JSON.stringify({k:3.14**2}, null /*replacer*/, \"\\\\t\")';\n\nArray.from(jsTokens(jsString), (token) => token.value).join(\"|\");\n// JSON|.|stringify|(|{|k|:|3.14|**|2|}|,| |null| |/*replacer*/|,| |\"\\t\"|)\n```\n\n**[➡️ Full readme](https://github.com/lydell/js-tokens/)**\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/js-tokens/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/json-schema-traverse/README.md ---\n# json-schema-traverse\nTraverse JSON Schema passing each schema object to callback\n\n[![build](https://github.com/epoberezkin/json-schema-traverse/workflows/build/badge.svg)](https://github.com/epoberezkin/json-schema-traverse/actions?query=workflow%3Abuild)\n[![npm](https://img.shields.io/npm/v/json-schema-traverse)](https://www.npmjs.com/package/json-schema-traverse)\n[![coverage](https://coveralls.io/repos/github/epoberezkin/json-schema-traverse/badge.svg?branch=master)](https://coveralls.io/github/epoberezkin/json-schema-traverse?branch=master)\n\n\n## Install\n\n```\nnpm install json-schema-traverse\n```\n\n\n## Usage\n\n```javascript\nconst traverse = require('json-schema-traverse');\nconst schema = {\n properties: {\n foo: {type: 'string'},\n bar: {type: 'integer'}\n }\n};\n\ntraverse(schema, {cb});\n// cb is called 3 times with:\n// 1. root schema\n// 2. {type: 'string'}\n// 3. {type: 'integer'}\n\n// Or:\n\ntraverse(schema, {cb: {pre, post}});\n// pre is called 3 times with:\n// 1. root schema\n// 2. {type: 'string'}\n// 3. {type: 'integer'}\n//\n// post is called 3 times with:\n// 1. {type: 'string'}\n// 2. {type: 'integer'}\n// 3. root schema\n\n```\n\nCallback function `cb` is called for each schema object (not including draft-06 boolean schemas), including the root schema, in pre-order traversal. Schema references ($ref) are not resolved, they are passed as is. Alternatively, you can pass a `{pre, post}` object as `cb`, and then `pre` will be called before traversing child elements, and `post` will be called after all child elements have been traversed.\n\nCallback is passed these parameters:\n\n- _schema_: the current schema object\n- _JSON pointer_: from the root schema to the current schema object\n- _root schema_: the schema passed to `traverse` object\n- _parent JSON pointer_: from the root schema to the parent schema object (see below)\n- _parent keyword_: the keyword inside which this schema appears (e.g. `properties`, `anyOf`, etc.)\n- _parent schema_: not necessarily parent object/array; in the example above the parent schema for `{type: 'string'}` is the root schema\n- _index/property_: index or property name in the array/object containing multiple schemas; in the example above for `{type: 'string'}` the property name is `'foo'`\n\n\n## Traverse objects in all unknown keywords\n\n```javascript\nconst traverse = require('json-schema-traverse');\nconst schema = {\n mySchema: {\n minimum: 1,\n maximum: 2\n }\n};\n\ntraverse(schema, {allKeys: true, cb});\n// cb is called 2 times with:\n// 1. root schema\n// 2. mySchema\n```\n\nWithout option `allKeys: true` callback will be called only with root schema.\n\n\n## Enterprise support\n\njson-schema-traverse package is a part of [Tidelift enterprise subscription](https://tidelift.com/subscription/pkg/npm-json-schema-traverse?utm_source=npm-json-schema-traverse&utm_medium=referral&utm_campaign=enterprise&utm_term=repo) - it provides a centralised commercial support to open-source software users, in addition to the support provided by software maintainers.\n\n\n## Security contact\n\nTo report a security vulnerability, please use the\n[Tidelift security contact](https://tidelift.com/security).\nTidelift will coordinate the fix and disclosure. Please do NOT report security vulnerability via GitHub issues.\n\n\n## License\n\n[MIT](https://github.com/epoberezkin/json-schema-traverse/blob/master/LICENSE)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/json-schema-traverse/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/loupe/README.md ---\n![npm](https://img.shields.io/npm/v/loupe?logo=npm)\n![Build](https://github.com/chaijs/loupe/workflows/Build/badge.svg?branch=master)\n![Codecov branch](https://img.shields.io/codecov/c/github/chaijs/loupe/master?logo=codecov)\n\n# What is loupe?\n\nLoupe turns the object you give it into a string. It's similar to Node.js' `util.inspect()` function, but it works cross platform, in most modern browsers as well as Node.\n\n## Installation\n\n### Node.js\n\n`loupe` is available on [npm](http://npmjs.org). To install it, type:\n\n $ npm install loupe\n\n### Browsers\n\nYou can also use it within the browser; install via npm and use the `loupe.js` file found within the download. For example:\n\n```html\n\n```\n\n## Usage\n\n``` js\nconst { inspect } = require('loupe');\n```\n\n```js\ninspect({ foo: 'bar' }); // => \"{ foo: 'bar' }\"\ninspect(1); // => '1'\ninspect('foo'); // => \"'foo'\"\ninspect([ 1, 2, 3 ]); // => '[ 1, 2, 3 ]'\ninspect(/Test/g); // => '/Test/g'\n\n// ...\n```\n\n## Tests\n\n```bash\n$ npm test\n```\n\nCoverage:\n\n```bash\n$ npm run upload-coverage\n```\n\n## License\n\n(The MIT License)\n\nCopyright (c) 2011-2013 Jake Luer jake@alogicalparadox.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/loupe/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/magic-string/README.md ---\n# magic-string\n\n\n \"build\n\n\n \"npm\n\n\n \"license\"\n\n\nSuppose you have some source code. You want to make some light modifications to it - replacing a few characters here and there, wrapping it with a header and footer, etc - and ideally you'd like to generate a [source map](https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k/) at the end of it. You've thought about using something like [recast](https://github.com/benjamn/recast) (which allows you to generate an AST from some JavaScript, manipulate it, and reprint it with a sourcemap without losing your comments and formatting), but it seems like overkill for your needs (or maybe the source code isn't JavaScript).\n\nYour requirements are, frankly, rather niche. But they're requirements that I also have, and for which I made magic-string. It's a small, fast utility for manipulating strings and generating sourcemaps.\n\n## Installation\n\nmagic-string works in both node.js and browser environments. For node, install with npm:\n\n```bash\nnpm i magic-string\n```\n\nTo use in browser, grab the [magic-string.umd.js](https://unpkg.com/magic-string/dist/magic-string.umd.js) file and add it to your page:\n\n```html\n\n```\n\n(It also works with various module systems, if you prefer that sort of thing - it has a dependency on [vlq](https://github.com/Rich-Harris/vlq).)\n\n## Usage\n\nThese examples assume you're in node.js, or something similar:\n\n```js\nimport MagicString from 'magic-string';\nimport fs from 'fs';\n\nconst s = new MagicString('problems = 99');\n\ns.update(0, 8, 'answer');\ns.toString(); // 'answer = 99'\n\ns.update(11, 13, '42'); // character indices always refer to the original string\ns.toString(); // 'answer = 42'\n\ns.prepend('var ').append(';'); // most methods are chainable\ns.toString(); // 'var answer = 42;'\n\nconst map = s.generateMap({\n\tsource: 'source.js',\n\tfile: 'converted.js.map',\n\tincludeContent: true,\n}); // generates a v3 sourcemap\n\nfs.writeFileSync('converted.js', s.toString());\nfs.writeFileSync('converted.js.map', map.toString());\n```\n\nYou can pass an options argument:\n\n```js\nconst s = new MagicString(someCode, {\n\t// these options will be used if you later call `bundle.addSource( s )` - see below\n\tfilename: 'foo.js',\n\tindentExclusionRanges: [\n\t\t/*...*/\n\t],\n\t// mark source as ignore in DevTools, see below #Bundling\n\tignoreList: false,\n\t// adjust the incoming position - see below\n\toffset: 0,\n});\n```\n\n## Properties\n\n### s.offset\n\nSets the offset property to adjust the incoming position for the following APIs: `slice`, `update`, `overwrite`, `appendLeft`, `prependLeft`, `appendRight`, `prependRight`, `move`, `reset`, and `remove`.\n\nExample usage:\n\n```ts\nconst s = new MagicString('hello world', { offset: 0 });\ns.offset = 6;\ns.slice() === 'world';\n```\n\n## Methods\n\n### s.addSourcemapLocation( index )\n\nAdds the specified character index (with respect to the original string) to sourcemap mappings, if `hires` is `false` (see below).\n\n### s.append( content )\n\nAppends the specified content to the end of the string. Returns `this`.\n\n### s.appendLeft( index, content )\n\nAppends the specified `content` at the `index` in the original string. If a range _ending_ with `index` is subsequently moved, the insert will be moved with it. Returns `this`. See also `s.prependLeft(...)`.\n\n### s.appendRight( index, content )\n\nAppends the specified `content` at the `index` in the original string. If a range _starting_ with `index` is subsequently moved, the insert will be moved with it. Returns `this`. See also `s.prependRight(...)`.\n\n### s.clone()\n\nDoes what you'd expect.\n\n### s.generateDecodedMap( options )\n\nGenerates a sourcemap object with raw mappings in array form, rather than encoded as a string. See `generateMap` documentation below for options details. Useful if you need to manipulate the sourcemap further, but most of the time you will use `generateMap` instead.\n\n### s.generateMap( options )\n\nGenerates a [version 3 sourcemap](https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k/edit). All options are, well, optional:\n\n- `file` - the filename where you plan to write the sourcemap\n- `source` - the filename of the file containing the original source\n- `includeContent` - whether to include the original content in the map's `sourcesContent` array\n- `hires` - whether the mapping should be high-resolution. Hi-res mappings map every single character, meaning (for example) your devtools will always be able to pinpoint the exact location of function calls and so on. With lo-res mappings, devtools may only be able to identify the correct line - but they're quicker to generate and less bulky. You can also set `\"boundary\"` to generate a semi-hi-res mappings segmented per word boundary instead of per character, suitable for string semantics that are separated by words. If sourcemap locations have been specified with `s.addSourcemapLocation()`, they will be used here.\n\nThe returned sourcemap has two (non-enumerable) methods attached for convenience:\n\n- `toString` - returns the equivalent of `JSON.stringify(map)`\n- `toUrl` - returns a DataURI containing the sourcemap. Useful for doing this sort of thing:\n\n```js\ncode += '\\n//# sourceMappingURL=' + map.toUrl();\n```\n\n### s.hasChanged()\n\nIndicates if the string has been changed.\n\n### s.indent( prefix[, options] )\n\nPrefixes each line of the string with `prefix`. If `prefix` is not supplied, the indentation will be guessed from the original content, falling back to a single tab character. Returns `this`.\n\nThe `options` argument can have an `exclude` property, which is an array of `[start, end]` character ranges. These ranges will be excluded from the indentation - useful for (e.g.) multiline strings.\n\n### s.insertLeft( index, content )\n\n**DEPRECATED** since 0.17 – use `s.appendLeft(...)` instead\n\n### s.insertRight( index, content )\n\n**DEPRECATED** since 0.17 – use `s.prependRight(...)` instead\n\n### s.isEmpty()\n\nReturns true if the resulting source is empty (disregarding white space).\n\n### s.locate( index )\n\n**DEPRECATED** since 0.10 – see [#30](https://github.com/Rich-Harris/magic-string/pull/30)\n\n### s.locateOrigin( index )\n\n**DEPRECATED** since 0.10 – see [#30](https://github.com/Rich-Harris/magic-string/pull/30)\n\n### s.move( start, end, index )\n\nMoves the characters from `start` and `end` to `index`. Returns `this`.\n\n### s.overwrite( start, end, content[, options] )\n\nReplaces the characters from `start` to `end` with `content`, along with the appended/prepended content in that range. The same restrictions as `s.remove()` apply. Returns `this`.\n\nThe fourth argument is optional. It can have a `storeName` property — if `true`, the original name will be stored for later inclusion in a sourcemap's `names` array — and a `contentOnly` property which determines whether only the content is overwritten, or anything that was appended/prepended to the range as well.\n\nIt may be preferred to use `s.update(...)` instead if you wish to avoid overwriting the appended/prepended content.\n\n### s.prepend( content )\n\nPrepends the string with the specified content. Returns `this`.\n\n### s.prependLeft ( index, content )\n\nSame as `s.appendLeft(...)`, except that the inserted content will go _before_ any previous appends or prepends at `index`\n\n### s.prependRight ( index, content )\n\nSame as `s.appendRight(...)`, except that the inserted content will go _before_ any previous appends or prepends at `index`\n\n### s.replace( regexpOrString, substitution )\n\nString replacement with RegExp or string. The `substitution` parameter supports strings and functions. Returns `this`.\n\n```ts\nimport MagicString from 'magic-string';\n\nconst s = new MagicString(source);\n\ns.replace('foo', 'bar');\ns.replace('foo', (str, index, s) => str + '-' + index);\ns.replace(/foo/g, 'bar');\ns.replace(/(\\w)(\\d+)/g, (_, $1, $2) => $1.toUpperCase() + $2);\n```\n\nThe differences from [`String.replace`](<(https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replace)>):\n\n- It will always match against the **original string**\n- It mutates the magic string state (use `.clone()` to be immutable)\n\n### s.replaceAll( regexpOrString, substitution )\n\nSame as `s.replace`, but replace all matched strings instead of just one.\nIf `regexpOrString` is a regex, then it must have the global (`g`) flag set, or a `TypeError` is thrown. Matches the behavior of the builtin [`String.property.replaceAll`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replaceAll). Returns `this`.\n\n### s.remove( start, end )\n\nRemoves the characters from `start` to `end` (of the original string, **not** the generated string). Removing the same content twice, or making removals that partially overlap, will cause an error. Returns `this`.\n\n### s.reset( start, end )\n\nResets the characters from `start` to `end` (of the original string, **not** the generated string).\nIt can be used to restore previously removed characters and discard unwanted changes.\n\n### s.slice( start, end )\n\nReturns the content of the generated string that corresponds to the slice between `start` and `end` of the original string. Throws error if the indices are for characters that were already removed.\n\n### s.snip( start, end )\n\nReturns a clone of `s`, with all content before the `start` and `end` characters of the original string removed.\n\n### s.toString()\n\nReturns the generated string.\n\n### s.trim([ charType ])\n\nTrims content matching `charType` (defaults to `\\s`, i.e. whitespace) from the start and end. Returns `this`.\n\n### s.trimStart([ charType ])\n\nTrims content matching `charType` (defaults to `\\s`, i.e. whitespace) from the start. Returns `this`.\n\n### s.trimEnd([ charType ])\n\nTrims content matching `charType` (defaults to `\\s`, i.e. whitespace) from the end. Returns `this`.\n\n### s.trimLines()\n\nRemoves empty lines from the start and end. Returns `this`.\n\n### s.update( start, end, content[, options] )\n\nReplaces the characters from `start` to `end` with `content`. The same restrictions as `s.remove()` apply. Returns `this`.\n\nThe fourth argument is optional. It can have a `storeName` property — if `true`, the original name will be stored for later inclusion in a sourcemap's `names` array — and an `overwrite` property which defaults to `false` and determines whether anything that was appended/prepended to the range will be overwritten along with the original content.\n\n`s.update(start, end, content)` is equivalent to `s.overwrite(start, end, content, { contentOnly: true })`.\n\n## Bundling\n\nTo concatenate several sources, use `MagicString.Bundle`:\n\n```js\nconst bundle = new MagicString.Bundle();\n\nbundle.addSource({\n\tfilename: 'foo.js',\n\tcontent: new MagicString('var answer = 42;'),\n});\n\nbundle.addSource({\n\tfilename: 'bar.js',\n\tcontent: new MagicString('console.log( answer )'),\n});\n\n// Sources can be marked as ignore-listed, which provides a hint to debuggers\n// to not step into this code and also don't show the source files depending\n// on user preferences.\nbundle.addSource({\n\tfilename: 'some-3rdparty-library.js',\n\tcontent: new MagicString('function myLib(){}'),\n\tignoreList: false, // <--\n});\n\n// Advanced: a source can include an `indentExclusionRanges` property\n// alongside `filename` and `content`. This will be passed to `s.indent()`\n// - see documentation above\n\nbundle\n\t.indent() // optionally, pass an indent string, otherwise it will be guessed\n\t.prepend('(function () {\\n')\n\t.append('}());');\n\nbundle.toString();\n// (function () {\n// var answer = 42;\n// console.log( answer );\n// }());\n\n// options are as per `s.generateMap()` above\nconst map = bundle.generateMap({\n\tfile: 'bundle.js',\n\tincludeContent: true,\n\thires: true,\n});\n```\n\nAs an alternative syntax, if you a) don't have `filename` or `indentExclusionRanges` options, or b) passed those in when you used `new MagicString(...)`, you can simply pass the `MagicString` instance itself:\n\n```js\nconst bundle = new MagicString.Bundle();\nconst source = new MagicString(someCode, {\n\tfilename: 'foo.js',\n});\n\nbundle.addSource(source);\n```\n\n## License\n\nMIT\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/magic-string/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/math-intrinsics/README.md ---\n# math-intrinsics [![Version Badge][npm-version-svg]][package-url]\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nES Math-related intrinsics and helpers, robustly cached.\n\n - `abs`\n - `floor`\n - `isFinite`\n - `isInteger`\n - `isNaN`\n - `isNegativeZero`\n - `max`\n - `min`\n - `mod`\n - `pow`\n - `round`\n - `sign`\n - `constants/maxArrayLength`\n - `constants/maxSafeInteger`\n - `constants/maxValue`\n\n\n## Tests\nSimply clone the repo, `npm install`, and run `npm test`\n\n## Security\n\nPlease email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.\n\n[package-url]: https://npmjs.org/package/math-intrinsics\n[npm-version-svg]: https://versionbadg.es/es-shims/math-intrinsics.svg\n[deps-svg]: https://david-dm.org/es-shims/math-intrinsics.svg\n[deps-url]: https://david-dm.org/es-shims/math-intrinsics\n[dev-deps-svg]: https://david-dm.org/es-shims/math-intrinsics/dev-status.svg\n[dev-deps-url]: https://david-dm.org/es-shims/math-intrinsics#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/math-intrinsics.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/math-intrinsics.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/es-object.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=math-intrinsics\n[codecov-image]: https://codecov.io/gh/es-shims/math-intrinsics/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/es-shims/math-intrinsics/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/es-shims/math-intrinsics\n[actions-url]: https://github.com/es-shims/math-intrinsics/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/math-intrinsics/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/media-typer/README.md ---\n# media-typer\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build Status][travis-image]][travis-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nSimple RFC 6838 media type parser.\n\nThis module will parse a given media type into it's component parts, like type,\nsubtype, and suffix. A formatter is also provided to put them back together and\nthe two can be combined to normalize media types into a canonical form.\n\nIf you are looking to parse the string that represents a media type and it's\nparameters in HTTP (for example, the `Content-Type` header), use the\n[content-type module](https://www.npmjs.com/package/content-type).\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install media-typer\n```\n\n## API\n\n\n\n```js\nvar typer = require('media-typer')\n```\n\n### typer.parse(string)\n\n\n\n```js\nvar obj = typer.parse('image/svg+xml')\n```\n\nParse a media type string. This will return an object with the following\nproperties (examples are shown for the string `'image/svg+xml; charset=utf-8'`):\n\n - `type`: The type of the media type (always lower case). Example: `'image'`\n\n - `subtype`: The subtype of the media type (always lower case). Example: `'svg'`\n\n - `suffix`: The suffix of the media type (always lower case). Example: `'xml'`\n\nIf the given type string is invalid, then a `TypeError` is thrown.\n\n### typer.format(obj)\n\n\n\n```js\nvar obj = typer.format({ type: 'image', subtype: 'svg', suffix: 'xml' })\n```\n\nFormat an object into a media type string. This will return a string of the\nmime type for the given object. For the properties of the object, see the\ndocumentation for `typer.parse(string)`.\n\nIf any of the given object values are invalid, then a `TypeError` is thrown.\n\n### typer.test(string)\n\n\n\n```js\nvar valid = typer.test('image/svg+xml')\n```\n\nValidate a media type string. This will return `true` is the string is a well-\nformatted media type, or `false` otherwise.\n\n## License\n\n[MIT](LICENSE)\n\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/media-typer/master\n[coveralls-url]: https://coveralls.io/r/jshttp/media-typer?branch=master\n[node-version-image]: https://badgen.net/npm/node/media-typer\n[node-version-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/media-typer\n[npm-url]: https://npmjs.org/package/media-typer\n[npm-version-image]: https://badgen.net/npm/v/media-typer\n[travis-image]: https://badgen.net/travis/jshttp/media-typer/master\n[travis-url]: https://travis-ci.org/jshttp/media-typer\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/media-typer/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/mime-db/README.md ---\n# mime-db\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][ci-image]][ci-url]\n[![Coverage Status][coveralls-image]][coveralls-url]\n\nThis is a large database of mime types and information about them.\nIt consists of a single, public JSON file and does not include any logic,\nallowing it to remain as un-opinionated as possible with an API.\nIt aggregates data from the following sources:\n\n- https://www.iana.org/assignments/media-types/media-types.xhtml\n- https://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types\n- https://hg.nginx.org/nginx/raw-file/default/conf/mime.types\n\n## Installation\n\n```bash\nnpm install mime-db\n```\n\n### Database Download\n\nIf you intend to use this in a web browser, you can conveniently access the JSON file via [jsDelivr](https://www.jsdelivr.com/), a popular CDN (Content Delivery Network). To ensure stability and compatibility, it is advisable to specify [a release tag](https://github.com/jshttp/mime-db/tags) instead of using the 'master' branch. This is because the JSON file's format might change in future updates, and relying on a specific release tag will prevent potential issues arising from these changes.\n\n```\nhttps://cdn.jsdelivr.net/gh/jshttp/mime-db@master/db.json\n```\n\n## Usage\n\n```js\nvar db = require('mime-db')\n\n// grab data on .js files\nvar data = db['application/javascript']\n```\n\n## Data Structure\n\nThe JSON file is a map lookup for lowercased mime types.\nEach mime type has the following properties:\n\n- `.source` - where the mime type is defined.\n If not set, it's probably a custom media type.\n - `apache` - [Apache common media types](https://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types)\n - `iana` - [IANA-defined media types](https://www.iana.org/assignments/media-types/media-types.xhtml)\n - `nginx` - [nginx media types](https://hg.nginx.org/nginx/raw-file/default/conf/mime.types)\n- `.extensions[]` - known extensions associated with this mime type.\n- `.compressible` - whether a file of this type can be gzipped.\n- `.charset` - the default charset associated with this type, if any.\n\nIf unknown, every property could be `undefined`.\n\n## Note on MIME Type Data and Semver\n\nThis package considers the programmatic api as the semver compatibility. This means the MIME type resolution is *not* considered\nin the semver bumps. This means that if you want to pin your `mime-db` data you will need to do it in your application. While\nthis expectation was not set in docs until now, it is how the pacakge operated, so we do not feel this is a breaking change.\n\n## Contributing\n\nThe primary way to contribute to this database is by updating the data in\none of the upstream sources. The database is updated from the upstreams\nperiodically and will pull in any changes.\n\n### Registering Media Types\n\nThe best way to get new media types included in this library is to register\nthem with the IANA. The community registration procedure is outlined in\n[RFC 6838 section 5](https://tools.ietf.org/html/rfc6838#section-5). Types\nregistered with the IANA are automatically pulled into this library.\n\n### Direct Inclusion\n\nIf that is not possible / feasible, they can be added directly here as a\n\"custom\" type. To do this, it is required to have a primary source that\ndefinitively lists the media type. If an extension is going to be listed as\nassociated with this media type, the source must definitively link the\nmedia type and extension as well.\n\nTo edit the database, only make PRs against `src/custom-types.json` or\n`src/custom-suffix.json`.\n\nThe `src/custom-types.json` file is a JSON object with the MIME type as the\nkeys and the values being an object with the following keys:\n\n- `compressible` - leave out if you don't know, otherwise `true`/`false` to\n indicate whether the data represented by the type is typically compressible.\n- `extensions` - include an array of file extensions that are associated with\n the type.\n- `notes` - human-readable notes about the type, typically what the type is.\n- `sources` - include an array of URLs of where the MIME type and the associated\n extensions are sourced from. This needs to be a [primary source](https://en.wikipedia.org/wiki/Primary_source);\n links to type aggregating sites and Wikipedia are _not acceptable_.\n\nTo update the build, run `npm run build`.\n\n[ci-image]: https://badgen.net/github/checks/jshttp/mime-db/master?label=ci\n[ci-url]: https://github.com/jshttp/mime-db/actions/workflows/ci.yml\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/mime-db/master\n[coveralls-url]: https://coveralls.io/r/jshttp/mime-db?branch=master\n[node-image]: https://badgen.net/npm/node/mime-db\n[node-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/mime-db\n[npm-url]: https://npmjs.org/package/mime-db\n[npm-version-image]: https://badgen.net/npm/v/mime-db\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/mime-db/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/mime-types/README.md ---\n# mime-types\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build Status][ci-image]][ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nThe ultimate javascript content-type utility.\n\nSimilar to [the `mime@1.x` module](https://www.npmjs.com/package/mime), except:\n\n- __No fallbacks.__ Instead of naively returning the first available type,\n `mime-types` simply returns `false`, so do\n `var type = mime.lookup('unrecognized') || 'application/octet-stream'`.\n- No `new Mime()` business, so you could do `var lookup = require('mime-types').lookup`.\n- No `.define()` functionality\n- Bug fixes for `.lookup(path)`\n\nOtherwise, the API is compatible with `mime` 1.x.\n\n## Install\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install mime-types\n```\n\n## Note on MIME Type Data and Semver\n\nThis package considers the programmatic api as the semver compatibility. Additionally, the package which provides the MIME data\nfor this package (`mime-db`) *also* considers it's programmatic api as the semver contract. This means the MIME type resolution is *not* considered\nin the semver bumps.\n\nIn the past the version of `mime-db` was pinned to give two decision points when adopting MIME data changes. This is no longer true. We still update the\n`mime-db` package here as a `minor` release when necessary, but will use a `^` range going forward. This means that if you want to pin your `mime-db` data\nyou will need to do it in your application. While this expectation was not set in docs until now, it is how the pacakge operated, so we do not feel this is\na breaking change.\n\nIf you wish to pin your `mime-db` version you can do that with overrides via your package manager of choice. See their documentation for how to correctly configure that.\n\n## Adding Types\n\nAll mime types are based on [mime-db](https://www.npmjs.com/package/mime-db),\nso open a PR there if you'd like to add mime types.\n\n## API\n\n```js\nvar mime = require('mime-types')\n```\n\nAll functions return `false` if input is invalid or not found.\n\n### mime.lookup(path)\n\nLookup the content-type associated with a file.\n\n```js\nmime.lookup('json') // 'application/json'\nmime.lookup('.md') // 'text/markdown'\nmime.lookup('file.html') // 'text/html'\nmime.lookup('folder/file.js') // 'application/javascript'\nmime.lookup('folder/.htaccess') // false\n\nmime.lookup('cats') // false\n```\n\n### mime.contentType(type)\n\nCreate a full content-type header given a content-type or extension.\nWhen given an extension, `mime.lookup` is used to get the matching\ncontent-type, otherwise the given content-type is used. Then if the\ncontent-type does not already have a `charset` parameter, `mime.charset`\nis used to get the default charset and add to the returned content-type.\n\n```js\nmime.contentType('markdown') // 'text/x-markdown; charset=utf-8'\nmime.contentType('file.json') // 'application/json; charset=utf-8'\nmime.contentType('text/html') // 'text/html; charset=utf-8'\nmime.contentType('text/html; charset=iso-8859-1') // 'text/html; charset=iso-8859-1'\n\n// from a full path\nmime.contentType(path.extname('/path/to/file.json')) // 'application/json; charset=utf-8'\n```\n\n### mime.extension(type)\n\nGet the default extension for a content-type.\n\n```js\nmime.extension('application/octet-stream') // 'bin'\n```\n\n### mime.charset(type)\n\nLookup the implied default charset of a content-type.\n\n```js\nmime.charset('text/markdown') // 'UTF-8'\n```\n\n### var type = mime.types[extension]\n\nA map of content-types by extension.\n\n### [extensions...] = mime.extensions[type]\n\nA map of extensions by content-type.\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://badgen.net/github/checks/jshttp/mime-types/master?label=ci\n[ci-url]: https://github.com/jshttp/mime-types/actions/workflows/ci.yml\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/mime-types/master\n[coveralls-url]: https://coveralls.io/r/jshttp/mime-types?branch=master\n[node-version-image]: https://badgen.net/npm/node/mime-types\n[node-version-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/mime-types\n[npm-url]: https://npmjs.org/package/mime-types\n[npm-version-image]: https://badgen.net/npm/v/mime-types\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/mime-types/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/nanoid/README.md ---\n# Nano ID\n\n\"Nano\n\n**English** | [Русский](./README.ru.md) | [简体中文](./README.zh-CN.md) | [Bahasa Indonesia](./README.id-ID.md)\n\nA tiny, secure, URL-friendly, unique string ID generator for JavaScript.\n\n> “An amazing level of senseless perfectionism,\n> which is simply impossible not to respect.”\n\n* **Small.** 130 bytes (minified and gzipped). No dependencies.\n [Size Limit] controls the size.\n* **Fast.** It is 2 times faster than UUID.\n* **Safe.** It uses hardware random generator. Can be used in clusters.\n* **Short IDs.** It uses a larger alphabet than UUID (`A-Za-z0-9_-`).\n So ID size was reduced from 36 to 21 symbols.\n* **Portable.** Nano ID was ported\n to [20 programming languages](#other-programming-languages).\n\n```js\nimport { nanoid } from 'nanoid'\nmodel.id = nanoid() //=> \"V1StGXR8_Z5jdHi6B-myT\"\n```\n\nSupports modern browsers, IE [with Babel], Node.js and React Native.\n\n[online tool]: https://gitpod.io/#https://github.com/ai/nanoid/\n[with Babel]: https://developer.epages.com/blog/coding/how-to-transpile-node-modules-with-babel-and-webpack-in-a-monorepo/\n[Size Limit]: https://github.com/ai/size-limit\n\n\n \"Sponsored\n\n\n## Docs\nRead full docs **[here](https://github.com/ai/nanoid#readme)**.\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/nanoid/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/negotiator/README.md ---\n# negotiator\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build Status][github-actions-ci-image]][github-actions-ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nAn HTTP content negotiator for Node.js\n\n## Installation\n\n```sh\n$ npm install negotiator\n```\n\n## API\n\n```js\nvar Negotiator = require('negotiator')\n```\n\n### Accept Negotiation\n\n```js\navailableMediaTypes = ['text/html', 'text/plain', 'application/json']\n\n// The negotiator constructor receives a request object\nnegotiator = new Negotiator(request)\n\n// Let's say Accept header is 'text/html, application/*;q=0.2, image/jpeg;q=0.8'\n\nnegotiator.mediaTypes()\n// -> ['text/html', 'image/jpeg', 'application/*']\n\nnegotiator.mediaTypes(availableMediaTypes)\n// -> ['text/html', 'application/json']\n\nnegotiator.mediaType(availableMediaTypes)\n// -> 'text/html'\n```\n\nYou can check a working example at `examples/accept.js`.\n\n#### Methods\n\n##### mediaType()\n\nReturns the most preferred media type from the client.\n\n##### mediaType(availableMediaType)\n\nReturns the most preferred media type from a list of available media types.\n\n##### mediaTypes()\n\nReturns an array of preferred media types ordered by the client preference.\n\n##### mediaTypes(availableMediaTypes)\n\nReturns an array of preferred media types ordered by priority from a list of\navailable media types.\n\n### Accept-Language Negotiation\n\n```js\nnegotiator = new Negotiator(request)\n\navailableLanguages = ['en', 'es', 'fr']\n\n// Let's say Accept-Language header is 'en;q=0.8, es, pt'\n\nnegotiator.languages()\n// -> ['es', 'pt', 'en']\n\nnegotiator.languages(availableLanguages)\n// -> ['es', 'en']\n\nlanguage = negotiator.language(availableLanguages)\n// -> 'es'\n```\n\nYou can check a working example at `examples/language.js`.\n\n#### Methods\n\n##### language()\n\nReturns the most preferred language from the client.\n\n##### language(availableLanguages)\n\nReturns the most preferred language from a list of available languages.\n\n##### languages()\n\nReturns an array of preferred languages ordered by the client preference.\n\n##### languages(availableLanguages)\n\nReturns an array of preferred languages ordered by priority from a list of\navailable languages.\n\n### Accept-Charset Negotiation\n\n```js\navailableCharsets = ['utf-8', 'iso-8859-1', 'iso-8859-5']\n\nnegotiator = new Negotiator(request)\n\n// Let's say Accept-Charset header is 'utf-8, iso-8859-1;q=0.8, utf-7;q=0.2'\n\nnegotiator.charsets()\n// -> ['utf-8', 'iso-8859-1', 'utf-7']\n\nnegotiator.charsets(availableCharsets)\n// -> ['utf-8', 'iso-8859-1']\n\nnegotiator.charset(availableCharsets)\n// -> 'utf-8'\n```\n\nYou can check a working example at `examples/charset.js`.\n\n#### Methods\n\n##### charset()\n\nReturns the most preferred charset from the client.\n\n##### charset(availableCharsets)\n\nReturns the most preferred charset from a list of available charsets.\n\n##### charsets()\n\nReturns an array of preferred charsets ordered by the client preference.\n\n##### charsets(availableCharsets)\n\nReturns an array of preferred charsets ordered by priority from a list of\navailable charsets.\n\n### Accept-Encoding Negotiation\n\n```js\navailableEncodings = ['identity', 'gzip']\n\nnegotiator = new Negotiator(request)\n\n// Let's say Accept-Encoding header is 'gzip, compress;q=0.2, identity;q=0.5'\n\nnegotiator.encodings()\n// -> ['gzip', 'identity', 'compress']\n\nnegotiator.encodings(availableEncodings)\n// -> ['gzip', 'identity']\n\nnegotiator.encoding(availableEncodings)\n// -> 'gzip'\n```\n\nYou can check a working example at `examples/encoding.js`.\n\n#### Methods\n\n##### encoding()\n\nReturns the most preferred encoding from the client.\n\n##### encoding(availableEncodings)\n\nReturns the most preferred encoding from a list of available encodings.\n\n##### encoding(availableEncodings, { preferred })\n\nReturns the most preferred encoding from a list of available encodings, while prioritizing based on `preferred` array between same-quality encodings.\n\n##### encodings()\n\nReturns an array of preferred encodings ordered by the client preference.\n\n##### encodings(availableEncodings)\n\nReturns an array of preferred encodings ordered by priority from a list of\navailable encodings.\n\n##### encodings(availableEncodings, { preferred })\n\nReturns an array of preferred encodings ordered by priority from a list of\navailable encodings, while prioritizing based on `preferred` array between same-quality encodings.\n\n## See Also\n\nThe [accepts](https://npmjs.org/package/accepts#readme) module builds on\nthis module and provides an alternative interface, mime type validation,\nand more.\n\n## License\n\n[MIT](LICENSE)\n\n[npm-image]: https://img.shields.io/npm/v/negotiator.svg\n[npm-url]: https://npmjs.org/package/negotiator\n[node-version-image]: https://img.shields.io/node/v/negotiator.svg\n[node-version-url]: https://nodejs.org/en/download/\n[coveralls-image]: https://img.shields.io/coveralls/jshttp/negotiator/master.svg\n[coveralls-url]: https://coveralls.io/r/jshttp/negotiator?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/negotiator.svg\n[downloads-url]: https://npmjs.org/package/negotiator\n[github-actions-ci-image]: https://img.shields.io/github/workflow/status/jshttp/negotiator/ci/master?label=ci\n[github-actions-ci-url]: https://github.com/jshttp/negotiator/actions/workflows/ci.yml\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/negotiator/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/on-finished/README.md ---\n# on-finished\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][ci-image]][ci-url]\n[![Coverage Status][coveralls-image]][coveralls-url]\n\nExecute a callback when a HTTP request closes, finishes, or errors.\n\n## Install\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install on-finished\n```\n\n## API\n\n```js\nvar onFinished = require('on-finished')\n```\n\n### onFinished(res, listener)\n\nAttach a listener to listen for the response to finish. The listener will\nbe invoked only once when the response finished. If the response finished\nto an error, the first argument will contain the error. If the response\nhas already finished, the listener will be invoked.\n\nListening to the end of a response would be used to close things associated\nwith the response, like open files.\n\nListener is invoked as `listener(err, res)`.\n\n\n\n```js\nonFinished(res, function (err, res) {\n // clean up open fds, etc.\n // err contains the error if request error'd\n})\n```\n\n### onFinished(req, listener)\n\nAttach a listener to listen for the request to finish. The listener will\nbe invoked only once when the request finished. If the request finished\nto an error, the first argument will contain the error. If the request\nhas already finished, the listener will be invoked.\n\nListening to the end of a request would be used to know when to continue\nafter reading the data.\n\nListener is invoked as `listener(err, req)`.\n\n\n\n```js\nvar data = ''\n\nreq.setEncoding('utf8')\nreq.on('data', function (str) {\n data += str\n})\n\nonFinished(req, function (err, req) {\n // data is read unless there is err\n})\n```\n\n### onFinished.isFinished(res)\n\nDetermine if `res` is already finished. This would be useful to check and\nnot even start certain operations if the response has already finished.\n\n### onFinished.isFinished(req)\n\nDetermine if `req` is already finished. This would be useful to check and\nnot even start certain operations if the request has already finished.\n\n## Special Node.js requests\n\n### HTTP CONNECT method\n\nThe meaning of the `CONNECT` method from RFC 7231, section 4.3.6:\n\n> The CONNECT method requests that the recipient establish a tunnel to\n> the destination origin server identified by the request-target and,\n> if successful, thereafter restrict its behavior to blind forwarding\n> of packets, in both directions, until the tunnel is closed. Tunnels\n> are commonly used to create an end-to-end virtual connection, through\n> one or more proxies, which can then be secured using TLS (Transport\n> Layer Security, [RFC5246]).\n\nIn Node.js, these request objects come from the `'connect'` event on\nthe HTTP server.\n\nWhen this module is used on a HTTP `CONNECT` request, the request is\nconsidered \"finished\" immediately, **due to limitations in the Node.js\ninterface**. This means if the `CONNECT` request contains a request entity,\nthe request will be considered \"finished\" even before it has been read.\n\nThere is no such thing as a response object to a `CONNECT` request in\nNode.js, so there is no support for one.\n\n### HTTP Upgrade request\n\nThe meaning of the `Upgrade` header from RFC 7230, section 6.1:\n\n> The \"Upgrade\" header field is intended to provide a simple mechanism\n> for transitioning from HTTP/1.1 to some other protocol on the same\n> connection.\n\nIn Node.js, these request objects come from the `'upgrade'` event on\nthe HTTP server.\n\nWhen this module is used on a HTTP request with an `Upgrade` header, the\nrequest is considered \"finished\" immediately, **due to limitations in the\nNode.js interface**. This means if the `Upgrade` request contains a request\nentity, the request will be considered \"finished\" even before it has been\nread.\n\nThere is no such thing as a response object to a `Upgrade` request in\nNode.js, so there is no support for one.\n\n## Example\n\nThe following code ensures that file descriptors are always closed\nonce the response finishes.\n\n```js\nvar destroy = require('destroy')\nvar fs = require('fs')\nvar http = require('http')\nvar onFinished = require('on-finished')\n\nhttp.createServer(function onRequest (req, res) {\n var stream = fs.createReadStream('package.json')\n stream.pipe(res)\n onFinished(res, function () {\n destroy(stream)\n })\n})\n```\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://badgen.net/github/checks/jshttp/on-finished/master?label=ci\n[ci-url]: https://github.com/jshttp/on-finished/actions/workflows/ci.yml\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/on-finished/master\n[coveralls-url]: https://coveralls.io/r/jshttp/on-finished?branch=master\n[node-image]: https://badgen.net/npm/node/on-finished\n[node-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/on-finished\n[npm-url]: https://npmjs.org/package/on-finished\n[npm-version-image]: https://badgen.net/npm/v/on-finished\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/on-finished/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/once/README.md ---\n# once\n\nOnly call a function once.\n\n## usage\n\n```javascript\nvar once = require('once')\n\nfunction load (file, cb) {\n cb = once(cb)\n loader.load('file')\n loader.once('load', cb)\n loader.once('error', cb)\n}\n```\n\nOr add to the Function.prototype in a responsible way:\n\n```javascript\n// only has to be done once\nrequire('once').proto()\n\nfunction load (file, cb) {\n cb = cb.once()\n loader.load('file')\n loader.once('load', cb)\n loader.once('error', cb)\n}\n```\n\nIronically, the prototype feature makes this module twice as\ncomplicated as necessary.\n\nTo check whether you function has been called, use `fn.called`. Once the\nfunction is called for the first time the return value of the original\nfunction is saved in `fn.value` and subsequent calls will continue to\nreturn this value.\n\n```javascript\nvar once = require('once')\n\nfunction load (cb) {\n cb = once(cb)\n var stream = createStream()\n stream.once('data', cb)\n stream.once('end', function () {\n if (!cb.called) cb(new Error('not found'))\n })\n}\n```\n\n## `once.strict(func)`\n\nThrow an error if the function is called twice.\n\nSome functions are expected to be called only once. Using `once` for them would\npotentially hide logical errors.\n\nIn the example below, the `greet` function has to call the callback only once:\n\n```javascript\nfunction greet (name, cb) {\n // return is missing from the if statement\n // when no name is passed, the callback is called twice\n if (!name) cb('Hello anonymous')\n cb('Hello ' + name)\n}\n\nfunction log (msg) {\n console.log(msg)\n}\n\n// this will print 'Hello anonymous' but the logical error will be missed\ngreet(null, once(msg))\n\n// once.strict will print 'Hello anonymous' and throw an error when the callback will be called the second time\ngreet(null, once.strict(msg))\n```\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/once/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/parseurl/README.md ---\n# parseurl\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][travis-image]][travis-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nParse a URL with memoization.\n\n## Install\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install parseurl\n```\n\n## API\n\n```js\nvar parseurl = require('parseurl')\n```\n\n### parseurl(req)\n\nParse the URL of the given request object (looks at the `req.url` property)\nand return the result. The result is the same as `url.parse` in Node.js core.\nCalling this function multiple times on the same `req` where `req.url` does\nnot change will return a cached parsed object, rather than parsing again.\n\n### parseurl.original(req)\n\nParse the original URL of the given request object and return the result.\nThis works by trying to parse `req.originalUrl` if it is a string, otherwise\nparses `req.url`. The result is the same as `url.parse` in Node.js core.\nCalling this function multiple times on the same `req` where `req.originalUrl`\ndoes not change will return a cached parsed object, rather than parsing again.\n\n## Benchmark\n\n```bash\n$ npm run-script bench\n\n> parseurl@1.3.3 bench nodejs-parseurl\n> node benchmark/index.js\n\n http_parser@2.8.0\n node@10.6.0\n v8@6.7.288.46-node.13\n uv@1.21.0\n zlib@1.2.11\n ares@1.14.0\n modules@64\n nghttp2@1.32.0\n napi@3\n openssl@1.1.0h\n icu@61.1\n unicode@10.0\n cldr@33.0\n tz@2018c\n\n> node benchmark/fullurl.js\n\n Parsing URL \"http://localhost:8888/foo/bar?user=tj&pet=fluffy\"\n\n 4 tests completed.\n\n fasturl x 2,207,842 ops/sec ±3.76% (184 runs sampled)\n nativeurl - legacy x 507,180 ops/sec ±0.82% (191 runs sampled)\n nativeurl - whatwg x 290,044 ops/sec ±1.96% (189 runs sampled)\n parseurl x 488,907 ops/sec ±2.13% (192 runs sampled)\n\n> node benchmark/pathquery.js\n\n Parsing URL \"/foo/bar?user=tj&pet=fluffy\"\n\n 4 tests completed.\n\n fasturl x 3,812,564 ops/sec ±3.15% (188 runs sampled)\n nativeurl - legacy x 2,651,631 ops/sec ±1.68% (189 runs sampled)\n nativeurl - whatwg x 161,837 ops/sec ±2.26% (189 runs sampled)\n parseurl x 4,166,338 ops/sec ±2.23% (184 runs sampled)\n\n> node benchmark/samerequest.js\n\n Parsing URL \"/foo/bar?user=tj&pet=fluffy\" on same request object\n\n 4 tests completed.\n\n fasturl x 3,821,651 ops/sec ±2.42% (185 runs sampled)\n nativeurl - legacy x 2,651,162 ops/sec ±1.90% (187 runs sampled)\n nativeurl - whatwg x 175,166 ops/sec ±1.44% (188 runs sampled)\n parseurl x 14,912,606 ops/sec ±3.59% (183 runs sampled)\n\n> node benchmark/simplepath.js\n\n Parsing URL \"/foo/bar\"\n\n 4 tests completed.\n\n fasturl x 12,421,765 ops/sec ±2.04% (191 runs sampled)\n nativeurl - legacy x 7,546,036 ops/sec ±1.41% (188 runs sampled)\n nativeurl - whatwg x 198,843 ops/sec ±1.83% (189 runs sampled)\n parseurl x 24,244,006 ops/sec ±0.51% (194 runs sampled)\n\n> node benchmark/slash.js\n\n Parsing URL \"/\"\n\n 4 tests completed.\n\n fasturl x 17,159,456 ops/sec ±3.25% (188 runs sampled)\n nativeurl - legacy x 11,635,097 ops/sec ±3.79% (184 runs sampled)\n nativeurl - whatwg x 240,693 ops/sec ±0.83% (189 runs sampled)\n parseurl x 42,279,067 ops/sec ±0.55% (190 runs sampled)\n```\n\n## License\n\n [MIT](LICENSE)\n\n[coveralls-image]: https://badgen.net/coveralls/c/github/pillarjs/parseurl/master\n[coveralls-url]: https://coveralls.io/r/pillarjs/parseurl?branch=master\n[node-image]: https://badgen.net/npm/node/parseurl\n[node-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/parseurl\n[npm-url]: https://npmjs.org/package/parseurl\n[npm-version-image]: https://badgen.net/npm/v/parseurl\n[travis-image]: https://badgen.net/travis/pillarjs/parseurl/master\n[travis-url]: https://travis-ci.org/pillarjs/parseurl\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/parseurl/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/pathe/README.md ---\n# 🛣️ pathe\n\n> Universal filesystem path utils\n\n[![version][npm-v-src]][npm-v-href]\n[![downloads][npm-d-src]][npm-d-href]\n[![size][size-src]][size-href]\n\n## ❓ Why\n\nFor [historical reasons](https://docs.microsoft.com/en-us/archive/blogs/larryosterman/why-is-the-dos-path-character), windows followed MS-DOS and used backslash for separating paths rather than slash used for macOS, Linux, and other Posix operating systems. Nowadays, [Windows](https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file?redirectedfrom=MSDN) supports both Slash and Backslash for paths. [Node.js's built-in `path` module](https://nodejs.org/api/path.html) in the default operation of the path module varies based on the operating system on which a Node.js application is running. Specifically, when running on a Windows operating system, the path module will assume that Windows-style paths are being used. **This makes inconsistent code behavior between Windows and POSIX.**\n\nCompared to popular [upath](https://github.com/anodynos/upath), pathe provides **identical exports** of Node.js with normalization on **all operations** and is written in modern **ESM/TypeScript** and has **no dependency on Node.js**!\n\nThis package is a drop-in replacement of the Node.js's [path module](https://nodejs.org/api/path.html) module and ensures paths are normalized with slash `/` and work in environments including Node.js.\n\n## 💿 Usage\n\nInstall using npm or yarn:\n\n```bash\n# npm\nnpm i pathe\n\n# yarn\nyarn add pathe\n\n# pnpm\npnpm i pathe\n```\n\nImport:\n\n```js\n// ESM / Typescript\nimport { resolve, matchesGlob } from \"pathe\";\n\n// CommonJS\nconst { resolve, matchesGlob } = require(\"pathe\");\n```\n\nRead more about path utils from [Node.js documentation](https://nodejs.org/api/path.html) and rest assured behavior is consistently like POSIX regardless of your input paths format and running platform (the only exception is `delimiter` constant export, it will be set to `;` on windows platform).\n\n### Extra utilities\n\nPathe exports some extra utilities that do not exist in standard Node.js [path module](https://nodejs.org/api/path.html).\nIn order to use them, you can import from `pathe/utils` subpath:\n\n```js\nimport {\n filename,\n normalizeAliases,\n resolveAlias,\n reverseResolveAlias,\n} from \"pathe/utils\";\n```\n\n## License\n\nMade with 💛 Published under the [MIT](./LICENSE) license.\n\nSome code was used from the Node.js project. Glob supported is powered by [zeptomatch](https://github.com/fabiospampinato/zeptomatch).\n\n\n\n[npm-v-src]: https://img.shields.io/npm/v/pathe?style=flat-square\n[npm-v-href]: https://npmjs.com/package/pathe\n[npm-d-src]: https://img.shields.io/npm/dm/pathe?style=flat-square\n[npm-d-href]: https://npmjs.com/package/pathe\n[github-actions-src]: https://img.shields.io/github/workflow/status/unjs/pathe/ci/main?style=flat-square\n[github-actions-href]: https://github.com/unjs/pathe/actions?query=workflow%3Aci\n[size-src]: https://packagephobia.now.sh/badge?p=pathe\n[size-href]: https://packagephobia.now.sh/result?p=pathe\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/pathe/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/pathval/README.md ---\n

\n \n \"ChaiJS\"\n \n
\n pathval\n

\n\n

\n Tool for Object value retrieval given a string path for node and the browser.\n

\n\n

\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
\n \n \n \n
\n \n \n \n \n \n \n

\n\n## What is pathval?\n\nPathval is a module which you can use to retrieve or set an Object's property for a given `String` path.\n\n## Installation\n\n### Node.js\n\n`pathval` is available on [npm](http://npmjs.org). To install it, type:\n\n $ npm install pathval\n\n### Browsers\n\nYou can also use it within the browser; install via npm and use the `pathval.js` file found within the download. For example:\n\n```html\n\n```\n\n## Usage\n\nThe primary export of `pathval` is an object which has the following methods:\n\n* `hasProperty(object, name)` - Checks whether an `object` has `name`d property or numeric array index.\n* `getPathInfo(object, path)` - Returns an object with info indicating the value of the `parent` of that path, the `name ` of the property we're retrieving and its `value`.\n* `getPathValue(object, path)` - Retrieves the value of a property at a given `path` inside an `object`'.\n* `setPathValue(object, path, value)` - Sets the `value` of a property at a given `path` inside an `object` and returns the object in which the property has been set.\n\n```js\nvar pathval = require('pathval');\n```\n\n#### .hasProperty(object, name)\n\n```js\nvar pathval = require('pathval');\n\nvar obj = { prop: 'a value' };\npathval.hasProperty(obj, 'prop'); // true\n```\n\n#### .getPathInfo(object, path)\n\n```js\nvar pathval = require('pathval');\n\nvar obj = { earth: { country: 'Brazil' } };\npathval.getPathInfo(obj, 'earth.country'); // { parent: { country: 'Brazil' }, name: 'country', value: 'Brazil', exists: true }\n```\n\n#### .getPathValue(object, path)\n\n```js\nvar pathval = require('pathval');\n\nvar obj = { earth: { country: 'Brazil' } };\npathval.getPathValue(obj, 'earth.country'); // 'Brazil'\n```\n\n#### .setPathValue(object, path, value)\n\n```js\nvar pathval = require('pathval');\n\nvar obj = { earth: { country: 'Brazil' } };\npathval.setPathValue(obj, 'earth.country', 'USA');\n\nobj.earth.country; // 'USA'\n```\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/pathval/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/picocolors/README.md ---\n# picocolors\n\nThe tiniest and the fastest library for terminal output formatting with ANSI colors.\n\n```javascript\nimport pc from \"picocolors\"\n\nconsole.log(\n pc.green(`How are ${pc.italic(`you`)} doing?`)\n)\n```\n\n- **No dependencies.**\n- **14 times** smaller and **2 times** faster than chalk.\n- Used by popular tools like PostCSS, SVGO, Stylelint, and Browserslist.\n- Node.js v6+ & browsers support. Support for both CJS and ESM projects.\n- TypeScript type declarations included.\n- [`NO_COLOR`](https://no-color.org/) friendly.\n\n## Docs\nRead **[full docs](https://github.com/alexeyraspopov/picocolors#readme)** on GitHub.\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/picocolors/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/picomatch/README.md ---\n

Picomatch

\n\n

\n\n\"version\"\n\n\n\"test\n\n\n\"coverage\n\n\n\"downloads\"\n\n

\n\n
\n
\n\n

\nBlazing fast and accurate glob matcher written in JavaScript.
\nNo dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.\n

\n\n
\n
\n\n## Why picomatch?\n\n* **Lightweight** - No dependencies\n* **Minimal** - Tiny API surface. Main export is a function that takes a glob pattern and returns a matcher function.\n* **Fast** - Loads in about 2ms (that's several times faster than a [single frame of a HD movie](http://www.endmemo.com/sconvert/framespersecondframespermillisecond.php) at 60fps)\n* **Performant** - Use the returned matcher function to speed up repeat matching (like when watching files)\n* **Accurate matching** - Using wildcards (`*` and `?`), globstars (`**`) for nested directories, [advanced globbing](#advanced-globbing) with extglobs, braces, and POSIX brackets, and support for escaping special characters with `\\` or quotes.\n* **Well tested** - Thousands of unit tests\n\nSee the [library comparison](#library-comparisons) to other libraries.\n\n
\n
\n\n## Table of Contents\n\n
Click to expand \n\n- [Install](#install)\n- [Usage](#usage)\n- [API](#api)\n * [picomatch](#picomatch)\n * [.test](#test)\n * [.matchBase](#matchbase)\n * [.isMatch](#ismatch)\n * [.parse](#parse)\n * [.scan](#scan)\n * [.compileRe](#compilere)\n * [.makeRe](#makere)\n * [.toRegex](#toregex)\n- [Options](#options)\n * [Picomatch options](#picomatch-options)\n * [Scan Options](#scan-options)\n * [Options Examples](#options-examples)\n- [Globbing features](#globbing-features)\n * [Basic globbing](#basic-globbing)\n * [Advanced globbing](#advanced-globbing)\n * [Braces](#braces)\n * [Matching special characters as literals](#matching-special-characters-as-literals)\n- [Library Comparisons](#library-comparisons)\n- [Benchmarks](#benchmarks)\n- [Philosophies](#philosophies)\n- [About](#about)\n * [Author](#author)\n * [License](#license)\n\n_(TOC generated by [verb](https://github.com/verbose/verb) using [markdown-toc](https://github.com/jonschlinkert/markdown-toc))_\n\n
\n\n
\n
\n\n## Install\n\nInstall with [npm](https://www.npmjs.com/):\n\n```sh\nnpm install --save picomatch\n```\n\n
\n\n## Usage\n\nThe main export is a function that takes a glob pattern and an options object and returns a function for matching strings.\n\n```js\nconst pm = require('picomatch');\nconst isMatch = pm('*.js');\n\nconsole.log(isMatch('abcd')); //=> false\nconsole.log(isMatch('a.js')); //=> true\nconsole.log(isMatch('a.md')); //=> false\nconsole.log(isMatch('a/b.js')); //=> false\n```\n\n
\n\n## API\n\n### [picomatch](lib/picomatch.js#L31)\n\nCreates a matcher function from one or more glob patterns. The returned function takes a string to match as its first argument, and returns true if the string is a match. The returned matcher function also takes a boolean as the second argument that, when true, returns an object with additional information.\n\n**Params**\n\n* `globs` **{String|Array}**: One or more glob patterns.\n* `options` **{Object=}**\n* `returns` **{Function=}**: Returns a matcher function.\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\n// picomatch(glob[, options]);\n\nconst isMatch = picomatch('*.!(*a)');\nconsole.log(isMatch('a.a')); //=> false\nconsole.log(isMatch('a.b')); //=> true\n```\n\n**Example without node.js**\n\nFor environments without `node.js`, `picomatch/posix` provides you a dependency-free matcher, without automatic OS detection.\n\n```js\nconst picomatch = require('picomatch/posix');\n// the same API, defaulting to posix paths\nconst isMatch = picomatch('a/*');\nconsole.log(isMatch('a\\\\b')); //=> false\nconsole.log(isMatch('a/b')); //=> true\n\n// you can still configure the matcher function to accept windows paths\nconst isMatch = picomatch('a/*', { options: windows });\nconsole.log(isMatch('a\\\\b')); //=> true\nconsole.log(isMatch('a/b')); //=> true\n```\n\n### [.test](lib/picomatch.js#L116)\n\nTest `input` with the given `regex`. This is used by the main `picomatch()` function to test the input string.\n\n**Params**\n\n* `input` **{String}**: String to test.\n* `regex` **{RegExp}**\n* `returns` **{Object}**: Returns an object with matching info.\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\n// picomatch.test(input, regex[, options]);\n\nconsole.log(picomatch.test('foo/bar', /^(?:([^/]*?)\\/([^/]*?))$/));\n// { isMatch: true, match: [ 'foo/', 'foo', 'bar' ], output: 'foo/bar' }\n```\n\n### [.matchBase](lib/picomatch.js#L160)\n\nMatch the basename of a filepath.\n\n**Params**\n\n* `input` **{String}**: String to test.\n* `glob` **{RegExp|String}**: Glob pattern or regex created by [.makeRe](#makeRe).\n* `returns` **{Boolean}**\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\n// picomatch.matchBase(input, glob[, options]);\nconsole.log(picomatch.matchBase('foo/bar.js', '*.js'); // true\n```\n\n### [.isMatch](lib/picomatch.js#L182)\n\nReturns true if **any** of the given glob `patterns` match the specified `string`.\n\n**Params**\n\n* **{String|Array}**: str The string to test.\n* **{String|Array}**: patterns One or more glob patterns to use for matching.\n* **{Object}**: See available [options](#options).\n* `returns` **{Boolean}**: Returns true if any patterns match `str`\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\n// picomatch.isMatch(string, patterns[, options]);\n\nconsole.log(picomatch.isMatch('a.a', ['b.*', '*.a'])); //=> true\nconsole.log(picomatch.isMatch('a.a', 'b.*')); //=> false\n```\n\n### [.parse](lib/picomatch.js#L198)\n\nParse a glob pattern to create the source string for a regular expression.\n\n**Params**\n\n* `pattern` **{String}**\n* `options` **{Object}**\n* `returns` **{Object}**: Returns an object with useful properties and output to be used as a regex source string.\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\nconst result = picomatch.parse(pattern[, options]);\n```\n\n### [.scan](lib/picomatch.js#L230)\n\nScan a glob pattern to separate the pattern into segments.\n\n**Params**\n\n* `input` **{String}**: Glob pattern to scan.\n* `options` **{Object}**\n* `returns` **{Object}**: Returns an object with\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\n// picomatch.scan(input[, options]);\n\nconst result = picomatch.scan('!./foo/*.js');\nconsole.log(result);\n{ prefix: '!./',\n input: '!./foo/*.js',\n start: 3,\n base: 'foo',\n glob: '*.js',\n isBrace: false,\n isBracket: false,\n isGlob: true,\n isExtglob: false,\n isGlobstar: false,\n negated: true }\n```\n\n### [.compileRe](lib/picomatch.js#L244)\n\nCompile a regular expression from the `state` object returned by the\n[parse()](#parse) method.\n\n**Params**\n\n* `state` **{Object}**\n* `options` **{Object}**\n* `returnOutput` **{Boolean}**: Intended for implementors, this argument allows you to return the raw output from the parser.\n* `returnState` **{Boolean}**: Adds the state to a `state` property on the returned regex. Useful for implementors and debugging.\n* `returns` **{RegExp}**\n\n### [.makeRe](lib/picomatch.js#L285)\n\nCreate a regular expression from a parsed glob pattern.\n\n**Params**\n\n* `state` **{String}**: The object returned from the `.parse` method.\n* `options` **{Object}**\n* `returnOutput` **{Boolean}**: Implementors may use this argument to return the compiled output, instead of a regular expression. This is not exposed on the options to prevent end-users from mutating the result.\n* `returnState` **{Boolean}**: Implementors may use this argument to return the state from the parsed glob with the returned regular expression.\n* `returns` **{RegExp}**: Returns a regex created from the given pattern.\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\nconst state = picomatch.parse('*.js');\n// picomatch.compileRe(state[, options]);\n\nconsole.log(picomatch.compileRe(state));\n//=> /^(?:(?!\\.)(?=.)[^/]*?\\.js)$/\n```\n\n### [.toRegex](lib/picomatch.js#L320)\n\nCreate a regular expression from the given regex source string.\n\n**Params**\n\n* `source` **{String}**: Regular expression source string.\n* `options` **{Object}**\n* `returns` **{RegExp}**\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\n// picomatch.toRegex(source[, options]);\n\nconst { output } = picomatch.parse('*.js');\nconsole.log(picomatch.toRegex(output));\n//=> /^(?:(?!\\.)(?=.)[^/]*?\\.js)$/\n```\n\n
\n\n## Options\n\n### Picomatch options\n\nThe following options may be used with the main `picomatch()` function or any of the methods on the picomatch API.\n\n| **Option** | **Type** | **Default value** | **Description** |\n| --- | --- | --- | --- |\n| `basename` | `boolean` | `false` | If set, then patterns without slashes will be matched against the basename of the path if it contains slashes. For example, `a?b` would match the path `/xyz/123/acb`, but not `/xyz/acb/123`. |\n| `bash` | `boolean` | `false` | Follow bash matching rules more strictly - disallows backslashes as escape characters, and treats single stars as globstars (`**`). |\n| `capture` | `boolean` | `undefined` | Return regex matches in supporting methods. |\n| `contains` | `boolean` | `undefined` | Allows glob to match any part of the given string(s). |\n| `cwd` | `string` | `process.cwd()` | Current working directory. Used by `picomatch.split()` |\n| `debug` | `boolean` | `undefined` | Debug regular expressions when an error is thrown. |\n| `dot` | `boolean` | `false` | Enable dotfile matching. By default, dotfiles are ignored unless a `.` is explicitly defined in the pattern, or `options.dot` is true |\n| `expandRange` | `function` | `undefined` | Custom function for expanding ranges in brace patterns, such as `{a..z}`. The function receives the range values as two arguments, and it must return a string to be used in the generated regex. It's recommended that returned strings be wrapped in parentheses. |\n| `failglob` | `boolean` | `false` | Throws an error if no matches are found. Based on the bash option of the same name. |\n| `fastpaths` | `boolean` | `true` | To speed up processing, full parsing is skipped for a handful common glob patterns. Disable this behavior by setting this option to `false`. |\n| `flags` | `string` | `undefined` | Regex flags to use in the generated regex. If defined, the `nocase` option will be overridden. |\n| [format](#optionsformat) | `function` | `undefined` | Custom function for formatting the returned string. This is useful for removing leading slashes, converting Windows paths to Posix paths, etc. |\n| `ignore` | `array\\|string` | `undefined` | One or more glob patterns for excluding strings that should not be matched from the result. |\n| `keepQuotes` | `boolean` | `false` | Retain quotes in the generated regex, since quotes may also be used as an alternative to backslashes. |\n| `literalBrackets` | `boolean` | `undefined` | When `true`, brackets in the glob pattern will be escaped so that only literal brackets will be matched. |\n| `matchBase` | `boolean` | `false` | Alias for `basename` |\n| `maxLength` | `number` | `65536` | Limit the max length of the input string. An error is thrown if the input string is longer than this value. |\n| `nobrace` | `boolean` | `false` | Disable brace matching, so that `{a,b}` and `{1..3}` would be treated as literal characters. |\n| `nobracket` | `boolean` | `undefined` | Disable matching with regex brackets. |\n| `nocase` | `boolean` | `false` | Make matching case-insensitive. Equivalent to the regex `i` flag. Note that this option is overridden by the `flags` option. |\n| `nodupes` | `boolean` | `true` | Deprecated, use `nounique` instead. This option will be removed in a future major release. By default duplicates are removed. Disable uniquification by setting this option to false. |\n| `noext` | `boolean` | `false` | Alias for `noextglob` |\n| `noextglob` | `boolean` | `false` | Disable support for matching with extglobs (like `+(a\\|b)`) |\n| `noglobstar` | `boolean` | `false` | Disable support for matching nested directories with globstars (`**`) |\n| `nonegate` | `boolean` | `false` | Disable support for negating with leading `!` |\n| `noquantifiers` | `boolean` | `false` | Disable support for regex quantifiers (like `a{1,2}`) and treat them as brace patterns to be expanded. |\n| [onIgnore](#optionsonIgnore) | `function` | `undefined` | Function to be called on ignored items. |\n| [onMatch](#optionsonMatch) | `function` | `undefined` | Function to be called on matched items. |\n| [onResult](#optionsonResult) | `function` | `undefined` | Function to be called on all items, regardless of whether or not they are matched or ignored. |\n| `posix` | `boolean` | `false` | Support POSIX character classes (\"posix brackets\"). |\n| `posixSlashes` | `boolean` | `undefined` | Convert all slashes in file paths to forward slashes. This does not convert slashes in the glob pattern itself |\n| `prepend` | `boolean` | `undefined` | String to prepend to the generated regex used for matching. |\n| `regex` | `boolean` | `false` | Use regular expression rules for `+` (instead of matching literal `+`), and for stars that follow closing parentheses or brackets (as in `)*` and `]*`). |\n| `strictBrackets` | `boolean` | `undefined` | Throw an error if brackets, braces, or parens are imbalanced. |\n| `strictSlashes` | `boolean` | `undefined` | When true, picomatch won't match trailing slashes with single stars. |\n| `unescape` | `boolean` | `undefined` | Remove backslashes preceding escaped characters in the glob pattern. By default, backslashes are retained. |\n| `unixify` | `boolean` | `undefined` | Alias for `posixSlashes`, for backwards compatibility. |\n| `windows` | `boolean` | `false` | Also accept backslashes as the path separator. |\n\n### Scan Options\n\nIn addition to the main [picomatch options](#picomatch-options), the following options may also be used with the [.scan](#scan) method.\n\n| **Option** | **Type** | **Default value** | **Description** |\n| --- | --- | --- | --- |\n| `tokens` | `boolean` | `false` | When `true`, the returned object will include an array of tokens (objects), representing each path \"segment\" in the scanned glob pattern |\n| `parts` | `boolean` | `false` | When `true`, the returned object will include an array of strings representing each path \"segment\" in the scanned glob pattern. This is automatically enabled when `options.tokens` is true |\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\nconst result = picomatch.scan('!./foo/*.js', { tokens: true });\nconsole.log(result);\n// {\n// prefix: '!./',\n// input: '!./foo/*.js',\n// start: 3,\n// base: 'foo',\n// glob: '*.js',\n// isBrace: false,\n// isBracket: false,\n// isGlob: true,\n// isExtglob: false,\n// isGlobstar: false,\n// negated: true,\n// maxDepth: 2,\n// tokens: [\n// { value: '!./', depth: 0, isGlob: false, negated: true, isPrefix: true },\n// { value: 'foo', depth: 1, isGlob: false },\n// { value: '*.js', depth: 1, isGlob: true }\n// ],\n// slashes: [ 2, 6 ],\n// parts: [ 'foo', '*.js' ]\n// }\n```\n\n
\n\n### Options Examples\n\n#### options.expandRange\n\n**Type**: `function`\n\n**Default**: `undefined`\n\nCustom function for expanding ranges in brace patterns. The [fill-range](https://github.com/jonschlinkert/fill-range) library is ideal for this purpose, or you can use custom code to do whatever you need.\n\n**Example**\n\nThe following example shows how to create a glob that matches a folder\n\n```js\nconst fill = require('fill-range');\nconst regex = pm.makeRe('foo/{01..25}/bar', {\n expandRange(a, b) {\n return `(${fill(a, b, { toRegex: true })})`;\n }\n});\n\nconsole.log(regex);\n//=> /^(?:foo\\/((?:0[1-9]|1[0-9]|2[0-5]))\\/bar)$/\n\nconsole.log(regex.test('foo/00/bar')) // false\nconsole.log(regex.test('foo/01/bar')) // true\nconsole.log(regex.test('foo/10/bar')) // true\nconsole.log(regex.test('foo/22/bar')) // true\nconsole.log(regex.test('foo/25/bar')) // true\nconsole.log(regex.test('foo/26/bar')) // false\n```\n\n#### options.format\n\n**Type**: `function`\n\n**Default**: `undefined`\n\nCustom function for formatting strings before they're matched.\n\n**Example**\n\n```js\n// strip leading './' from strings\nconst format = str => str.replace(/^\\.\\//, '');\nconst isMatch = picomatch('foo/*.js', { format });\nconsole.log(isMatch('./foo/bar.js')); //=> true\n```\n\n#### options.onMatch\n\n```js\nconst onMatch = ({ glob, regex, input, output }) => {\n console.log({ glob, regex, input, output });\n};\n\nconst isMatch = picomatch('*', { onMatch });\nisMatch('foo');\nisMatch('bar');\nisMatch('baz');\n```\n\n#### options.onIgnore\n\n```js\nconst onIgnore = ({ glob, regex, input, output }) => {\n console.log({ glob, regex, input, output });\n};\n\nconst isMatch = picomatch('*', { onIgnore, ignore: 'f*' });\nisMatch('foo');\nisMatch('bar');\nisMatch('baz');\n```\n\n#### options.onResult\n\n```js\nconst onResult = ({ glob, regex, input, output }) => {\n console.log({ glob, regex, input, output });\n};\n\nconst isMatch = picomatch('*', { onResult, ignore: 'f*' });\nisMatch('foo');\nisMatch('bar');\nisMatch('baz');\n```\n\n
\n
\n\n## Globbing features\n\n* [Basic globbing](#basic-globbing) (Wildcard matching)\n* [Advanced globbing](#advanced-globbing) (extglobs, posix brackets, brace matching)\n\n### Basic globbing\n\n| **Character** | **Description** |\n| --- | --- |\n| `*` | Matches any character zero or more times, excluding path separators. Does _not match_ path separators or hidden files or directories (\"dotfiles\"), unless explicitly enabled by setting the `dot` option to `true`. |\n| `**` | Matches any character zero or more times, including path separators. Note that `**` will only match path separators (`/`, and `\\\\` with the `windows` option) when they are the only characters in a path segment. Thus, `foo**/bar` is equivalent to `foo*/bar`, and `foo/a**b/bar` is equivalent to `foo/a*b/bar`, and _more than two_ consecutive stars in a glob path segment are regarded as _a single star_. Thus, `foo/***/bar` is equivalent to `foo/*/bar`. |\n| `?` | Matches any character excluding path separators one time. Does _not match_ path separators or leading dots. |\n| `[abc]` | Matches any characters inside the brackets. For example, `[abc]` would match the characters `a`, `b` or `c`, and nothing else. |\n\n#### Matching behavior vs. Bash\n\nPicomatch's matching features and expected results in unit tests are based on Bash's unit tests and the Bash 4.3 specification, with the following exceptions:\n\n* Bash will match `foo/bar/baz` with `*`. Picomatch only matches nested directories with `**`.\n* Bash greedily matches with negated extglobs. For example, Bash 4.3 says that `!(foo)*` should match `foo` and `foobar`, since the trailing `*` bracktracks to match the preceding pattern. This is very memory-inefficient, and IMHO, also incorrect. Picomatch would return `false` for both `foo` and `foobar`.\n\n
\n\n### Advanced globbing\n\n* [extglobs](#extglobs)\n* [POSIX brackets](#posix-brackets)\n* [Braces](#brace-expansion)\n\n#### Extglobs\n\n| **Pattern** | **Description** |\n| --- | --- |\n| `@(pattern)` | Match _only one_ consecutive occurrence of `pattern` |\n| `*(pattern)` | Match _zero or more_ consecutive occurrences of `pattern` |\n| `+(pattern)` | Match _one or more_ consecutive occurrences of `pattern` |\n| `?(pattern)` | Match _zero or **one**_ consecutive occurrences of `pattern` |\n| `!(pattern)` | Match _anything but_ `pattern` |\n\n**Examples**\n\n```js\nconst pm = require('picomatch');\n\n// *(pattern) matches ZERO or more of \"pattern\"\nconsole.log(pm.isMatch('a', 'a*(z)')); // true\nconsole.log(pm.isMatch('az', 'a*(z)')); // true\nconsole.log(pm.isMatch('azzz', 'a*(z)')); // true\n\n// +(pattern) matches ONE or more of \"pattern\"\nconsole.log(pm.isMatch('a', 'a+(z)')); // false\nconsole.log(pm.isMatch('az', 'a+(z)')); // true\nconsole.log(pm.isMatch('azzz', 'a+(z)')); // true\n\n// supports multiple extglobs\nconsole.log(pm.isMatch('foo.bar', '!(foo).!(bar)')); // false\n\n// supports nested extglobs\nconsole.log(pm.isMatch('foo.bar', '!(!(foo)).!(!(bar))')); // true\n```\n\n#### POSIX brackets\n\nPOSIX classes are disabled by default. Enable this feature by setting the `posix` option to true.\n\n**Enable POSIX bracket support**\n\n```js\nconsole.log(pm.makeRe('[[:word:]]+', { posix: true }));\n//=> /^(?:(?=.)[A-Za-z0-9_]+\\/?)$/\n```\n\n**Supported POSIX classes**\n\nThe following named POSIX bracket expressions are supported:\n\n* `[:alnum:]` - Alphanumeric characters, equ `[a-zA-Z0-9]`\n* `[:alpha:]` - Alphabetical characters, equivalent to `[a-zA-Z]`.\n* `[:ascii:]` - ASCII characters, equivalent to `[\\\\x00-\\\\x7F]`.\n* `[:blank:]` - Space and tab characters, equivalent to `[ \\\\t]`.\n* `[:cntrl:]` - Control characters, equivalent to `[\\\\x00-\\\\x1F\\\\x7F]`.\n* `[:digit:]` - Numerical digits, equivalent to `[0-9]`.\n* `[:graph:]` - Graph characters, equivalent to `[\\\\x21-\\\\x7E]`.\n* `[:lower:]` - Lowercase letters, equivalent to `[a-z]`.\n* `[:print:]` - Print characters, equivalent to `[\\\\x20-\\\\x7E ]`.\n* `[:punct:]` - Punctuation and symbols, equivalent to `[\\\\-!\"#$%&\\'()\\\\*+,./:;<=>?@[\\\\]^_`{|}~]`.\n* `[:space:]` - Extended space characters, equivalent to `[ \\\\t\\\\r\\\\n\\\\v\\\\f]`.\n* `[:upper:]` - Uppercase letters, equivalent to `[A-Z]`.\n* `[:word:]` - Word characters (letters, numbers and underscores), equivalent to `[A-Za-z0-9_]`.\n* `[:xdigit:]` - Hexadecimal digits, equivalent to `[A-Fa-f0-9]`.\n\nSee the [Bash Reference Manual](https://www.gnu.org/software/bash/manual/html_node/Pattern-Matching.html) for more information.\n\n### Braces\n\nPicomatch does not do brace expansion. For [brace expansion](https://www.gnu.org/software/bash/manual/html_node/Brace-Expansion.html) and advanced matching with braces, use [micromatch](https://github.com/micromatch/micromatch) instead. Picomatch has very basic support for braces.\n\n### Matching special characters as literals\n\nIf you wish to match the following special characters in a filepath, and you want to use these characters in your glob pattern, they must be escaped with backslashes or quotes:\n\n**Special Characters**\n\nSome characters that are used for matching in regular expressions are also regarded as valid file path characters on some platforms.\n\nTo match any of the following characters as literals: `$^*+?()[]\n\nExamples:\n\n```js\nconsole.log(pm.makeRe('foo/bar \\\\(1\\\\)'));\nconsole.log(pm.makeRe('foo/bar \\\\(1\\\\)'));\n```\n\n
\n
\n\n## Library Comparisons\n\nThe following table shows which features are supported by [minimatch](https://github.com/isaacs/minimatch), [micromatch](https://github.com/micromatch/micromatch), [picomatch](https://github.com/micromatch/picomatch), [nanomatch](https://github.com/micromatch/nanomatch), [extglob](https://github.com/micromatch/extglob), [braces](https://github.com/micromatch/braces), and [expand-brackets](https://github.com/micromatch/expand-brackets).\n\n| **Feature** | `minimatch` | `micromatch` | `picomatch` | `nanomatch` | `extglob` | `braces` | `expand-brackets` |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| Wildcard matching (`*?+`) | ✔ | ✔ | ✔ | ✔ | - | - | - |\n| Advancing globbing | ✔ | ✔ | ✔ | - | - | - | - |\n| Brace _matching_ | ✔ | ✔ | ✔ | - | - | ✔ | - |\n| Brace _expansion_ | ✔ | ✔ | - | - | - | ✔ | - |\n| Extglobs | partial | ✔ | ✔ | - | ✔ | - | - |\n| Posix brackets | - | ✔ | ✔ | - | - | - | ✔ |\n| Regular expression syntax | - | ✔ | ✔ | ✔ | ✔ | - | ✔ |\n| File system operations | - | - | - | - | - | - | - |\n\n
\n
\n\n## Benchmarks\n\nPerformance comparison of picomatch and minimatch.\n\n_(Pay special attention to the last three benchmarks. Minimatch freezes on long ranges.)_\n\n```\n# .makeRe star (*)\n picomatch x 4,449,159 ops/sec ±0.24% (97 runs sampled)\n minimatch x 632,772 ops/sec ±0.14% (98 runs sampled)\n\n# .makeRe star; dot=true (*)\n picomatch x 3,500,079 ops/sec ±0.26% (99 runs sampled)\n minimatch x 564,916 ops/sec ±0.23% (96 runs sampled)\n\n# .makeRe globstar (**)\n picomatch x 3,261,000 ops/sec ±0.27% (98 runs sampled)\n minimatch x 1,664,766 ops/sec ±0.20% (100 runs sampled)\n\n# .makeRe globstars (**/**/**)\n picomatch x 3,284,469 ops/sec ±0.18% (97 runs sampled)\n minimatch x 1,435,880 ops/sec ±0.34% (95 runs sampled)\n\n# .makeRe with leading star (*.txt)\n picomatch x 3,100,197 ops/sec ±0.35% (99 runs sampled)\n minimatch x 428,347 ops/sec ±0.42% (94 runs sampled)\n\n# .makeRe - basic braces ({a,b,c}*.txt)\n picomatch x 443,578 ops/sec ±1.33% (89 runs sampled)\n minimatch x 107,143 ops/sec ±0.35% (94 runs sampled)\n\n# .makeRe - short ranges ({a..z}*.txt)\n picomatch x 415,484 ops/sec ±0.76% (96 runs sampled)\n minimatch x 14,299 ops/sec ±0.26% (96 runs sampled)\n\n# .makeRe - medium ranges ({1..100000}*.txt)\n picomatch x 395,020 ops/sec ±0.87% (89 runs sampled)\n minimatch x 2 ops/sec ±4.59% (10 runs sampled)\n\n# .makeRe - long ranges ({1..10000000}*.txt)\n picomatch x 400,036 ops/sec ±0.83% (90 runs sampled)\n minimatch (FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory)\n```\n\n
\n
\n\n## Philosophies\n\nThe goal of this library is to be blazing fast, without compromising on accuracy.\n\n**Accuracy**\n\nThe number one of goal of this library is accuracy. However, it's not unusual for different glob implementations to have different rules for matching behavior, even with simple wildcard matching. It gets increasingly more complicated when combinations of different features are combined, like when extglobs are combined with globstars, braces, slashes, and so on: `!(**/{a,b,*/c})`.\n\nThus, given that there is no canonical glob specification to use as a single source of truth when differences of opinion arise regarding behavior, sometimes we have to implement our best judgement and rely on feedback from users to make improvements.\n\n**Performance**\n\nAlthough this library performs well in benchmarks, and in most cases it's faster than other popular libraries we benchmarked against, we will always choose accuracy over performance. It's not helpful to anyone if our library is faster at returning the wrong answer.\n\n
\n
\n\n## About\n\n
\nContributing\n\nPull requests and stars are always welcome. For bugs and feature requests, [please create an issue](../../issues/new).\n\nPlease read the [contributing guide](.github/contributing.md) for advice on opening issues, pull requests, and coding standards.\n\n
\n\n
\nRunning Tests\n\nRunning and reviewing unit tests is a great way to get familiarized with a library and its API. You can install dependencies and run tests with the following command:\n\n```sh\nnpm install && npm test\n```\n\n
\n\n
\nBuilding docs\n\n_(This project's readme.md is generated by [verb](https://github.com/verbose/verb-generate-readme), please don't edit the readme directly. Any changes to the readme must be made in the [.verb.md](.verb.md) readme template.)_\n\nTo generate the readme, run the following command:\n\n```sh\nnpm install -g verbose/verb#dev verb-generate-readme && verb\n```\n\n
\n\n### Author\n\n**Jon Schlinkert**\n\n* [GitHub Profile](https://github.com/jonschlinkert)\n* [Twitter Profile](https://twitter.com/jonschlinkert)\n* [LinkedIn Profile](https://linkedin.com/in/jonschlinkert)\n\n### License\n\nCopyright © 2017-present, [Jon Schlinkert](https://github.com/jonschlinkert).\nReleased under the [MIT License](LICENSE).\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/picomatch/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/pkce-challenge/README.md ---\n# pkce-challenge\n\nGenerate or verify a Proof Key for Code Exchange (PKCE) challenge pair.\n\nRead more about [PKCE](https://www.oauth.com/oauth2-servers/pkce/authorization-request/).\n\n## Installation\n\n```bash\nnpm install pkce-challenge\n```\n\n## Usage\n\nDefault length for the verifier is 43\n\n```js\nimport pkceChallenge from \"pkce-challenge\";\n\nawait pkceChallenge();\n```\n\ngives something like:\n\n```js\n{\n code_verifier: 'u1ta-MQ0e7TcpHjgz33M2DcBnOQu~aMGxuiZt0QMD1C',\n code_challenge: 'CUZX5qE8Wvye6kS_SasIsa8MMxacJftmWdsIA_iKp3I'\n}\n```\n\n### Specify a verifier length\n\n```js\nconst challenge = await pkceChallenge(128);\n\nchallenge.code_verifier.length === 128; // true\n```\n\n### Challenge verification\n\n```js\nimport { verifyChallenge } from \"pkce-challenge\";\n\n(await verifyChallenge(challenge.code_verifier, challenge.code_challenge)) ===\n true; // true\n```\n\n### Challenge generation from existing code verifier\n\n```js\nimport { generateChallenge } from \"pkce-challenge\";\n\n(await generateChallenge(challenge.code_verifier)) === challenge.code_challenge; // true\n```\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/pkce-challenge/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/postcss/README.md ---\n# PostCSS\n\n\"Philosopher’s\n\nPostCSS is a tool for transforming styles with JS plugins.\nThese plugins can lint your CSS, support variables and mixins,\ntranspile future CSS syntax, inline images, and more.\n\nPostCSS is used by industry leaders including Wikipedia, Twitter, Alibaba,\nand JetBrains. The [Autoprefixer] and [Stylelint] PostCSS plugins are some of the most popular CSS tools.\n\n---\n\n\"\"  Built by\n Evil Martians, go-to agency for developer tools.\n\n---\n\n[Abstract Syntax Tree]: https://en.wikipedia.org/wiki/Abstract_syntax_tree\n[Evil Martians]: https://evilmartians.com/?utm_source=postcss\n[Autoprefixer]: https://github.com/postcss/autoprefixer\n[Stylelint]: https://stylelint.io/\n[plugins]: https://github.com/postcss/postcss#plugins\n\n\n## Docs\nRead full docs **[here](https://postcss.org/)**.\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/postcss/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/proxy-addr/README.md ---\n# proxy-addr\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][ci-image]][ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nDetermine address of proxied request\n\n## Install\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install proxy-addr\n```\n\n## API\n\n```js\nvar proxyaddr = require('proxy-addr')\n```\n\n### proxyaddr(req, trust)\n\nReturn the address of the request, using the given `trust` parameter.\n\nThe `trust` argument is a function that returns `true` if you trust\nthe address, `false` if you don't. The closest untrusted address is\nreturned.\n\n```js\nproxyaddr(req, function (addr) { return addr === '127.0.0.1' })\nproxyaddr(req, function (addr, i) { return i < 1 })\n```\n\nThe `trust` arugment may also be a single IP address string or an\narray of trusted addresses, as plain IP addresses, CIDR-formatted\nstrings, or IP/netmask strings.\n\n```js\nproxyaddr(req, '127.0.0.1')\nproxyaddr(req, ['127.0.0.0/8', '10.0.0.0/8'])\nproxyaddr(req, ['127.0.0.0/255.0.0.0', '192.168.0.0/255.255.0.0'])\n```\n\nThis module also supports IPv6. Your IPv6 addresses will be normalized\nautomatically (i.e. `fe80::00ed:1` equals `fe80:0:0:0:0:0:ed:1`).\n\n```js\nproxyaddr(req, '::1')\nproxyaddr(req, ['::1/128', 'fe80::/10'])\n```\n\nThis module will automatically work with IPv4-mapped IPv6 addresses\nas well to support node.js in IPv6-only mode. This means that you do\nnot have to specify both `::ffff:a00:1` and `10.0.0.1`.\n\nAs a convenience, this module also takes certain pre-defined names\nin addition to IP addresses, which expand into IP addresses:\n\n```js\nproxyaddr(req, 'loopback')\nproxyaddr(req, ['loopback', 'fc00:ac:1ab5:fff::1/64'])\n```\n\n * `loopback`: IPv4 and IPv6 loopback addresses (like `::1` and\n `127.0.0.1`).\n * `linklocal`: IPv4 and IPv6 link-local addresses (like\n `fe80::1:1:1:1` and `169.254.0.1`).\n * `uniquelocal`: IPv4 private addresses and IPv6 unique-local\n addresses (like `fc00:ac:1ab5:fff::1` and `192.168.0.1`).\n\nWhen `trust` is specified as a function, it will be called for each\naddress to determine if it is a trusted address. The function is\ngiven two arguments: `addr` and `i`, where `addr` is a string of\nthe address to check and `i` is a number that represents the distance\nfrom the socket address.\n\n### proxyaddr.all(req, [trust])\n\nReturn all the addresses of the request, optionally stopping at the\nfirst untrusted. This array is ordered from closest to furthest\n(i.e. `arr[0] === req.connection.remoteAddress`).\n\n```js\nproxyaddr.all(req)\n```\n\nThe optional `trust` argument takes the same arguments as `trust`\ndoes in `proxyaddr(req, trust)`.\n\n```js\nproxyaddr.all(req, 'loopback')\n```\n\n### proxyaddr.compile(val)\n\nCompiles argument `val` into a `trust` function. This function takes\nthe same arguments as `trust` does in `proxyaddr(req, trust)` and\nreturns a function suitable for `proxyaddr(req, trust)`.\n\n```js\nvar trust = proxyaddr.compile('loopback')\nvar addr = proxyaddr(req, trust)\n```\n\nThis function is meant to be optimized for use against every request.\nIt is recommend to compile a trust function up-front for the trusted\nconfiguration and pass that to `proxyaddr(req, trust)` for each request.\n\n## Testing\n\n```sh\n$ npm test\n```\n\n## Benchmarks\n\n```sh\n$ npm run-script bench\n```\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://badgen.net/github/checks/jshttp/proxy-addr/master?label=ci\n[ci-url]: https://github.com/jshttp/proxy-addr/actions?query=workflow%3Aci\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/proxy-addr/master\n[coveralls-url]: https://coveralls.io/r/jshttp/proxy-addr?branch=master\n[node-image]: https://badgen.net/npm/node/proxy-addr\n[node-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/proxy-addr\n[npm-url]: https://npmjs.org/package/proxy-addr\n[npm-version-image]: https://badgen.net/npm/v/proxy-addr\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/proxy-addr/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/qs/README.md ---\n

\n \"qs\"\n

\n\n# qs [![Version Badge][npm-version-svg]][package-url]\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/9058/badge)](https://bestpractices.coreinfrastructure.org/projects/9058)\n\n[![npm badge][npm-badge-png]][package-url]\n\nA querystring parsing and stringifying library with some added security.\n\nLead Maintainer: [Jordan Harband](https://github.com/ljharb)\n\nThe **qs** module was originally created and maintained by [TJ Holowaychuk](https://github.com/visionmedia/node-querystring).\n\n## Usage\n\n```javascript\nvar qs = require('qs');\nvar assert = require('assert');\n\nvar obj = qs.parse('a=c');\nassert.deepEqual(obj, { a: 'c' });\n\nvar str = qs.stringify(obj);\nassert.equal(str, 'a=c');\n```\n\n### Parsing Objects\n\n[](#preventEval)\n```javascript\nqs.parse(string, [options]);\n```\n\n**qs** allows you to create nested objects within your query strings, by surrounding the name of sub-keys with square brackets `[]`.\nFor example, the string `'foo[bar]=baz'` converts to:\n\n```javascript\nassert.deepEqual(qs.parse('foo[bar]=baz'), {\n foo: {\n bar: 'baz'\n }\n});\n```\n\nWhen using the `plainObjects` option the parsed value is returned as a null object, created via `{ __proto__: null }` and as such you should be aware that prototype methods will not exist on it and a user may set those names to whatever value they like:\n\n```javascript\nvar nullObject = qs.parse('a[hasOwnProperty]=b', { plainObjects: true });\nassert.deepEqual(nullObject, { a: { hasOwnProperty: 'b' } });\n```\n\nBy default parameters that would overwrite properties on the object prototype are ignored, if you wish to keep the data from those fields either use `plainObjects` as mentioned above, or set `allowPrototypes` to `true` which will allow user input to overwrite those properties.\n*WARNING* It is generally a bad idea to enable this option as it can cause problems when attempting to use the properties that have been overwritten.\nAlways be careful with this option.\n\n```javascript\nvar protoObject = qs.parse('a[hasOwnProperty]=b', { allowPrototypes: true });\nassert.deepEqual(protoObject, { a: { hasOwnProperty: 'b' } });\n```\n\nURI encoded strings work too:\n\n```javascript\nassert.deepEqual(qs.parse('a%5Bb%5D=c'), {\n a: { b: 'c' }\n});\n```\n\nYou can also nest your objects, like `'foo[bar][baz]=foobarbaz'`:\n\n```javascript\nassert.deepEqual(qs.parse('foo[bar][baz]=foobarbaz'), {\n foo: {\n bar: {\n baz: 'foobarbaz'\n }\n }\n});\n```\n\nBy default, when nesting objects **qs** will only parse up to 5 children deep.\nThis means if you attempt to parse a string like `'a[b][c][d][e][f][g][h][i]=j'` your resulting object will be:\n\n```javascript\nvar expected = {\n a: {\n b: {\n c: {\n d: {\n e: {\n f: {\n '[g][h][i]': 'j'\n }\n }\n }\n }\n }\n }\n};\nvar string = 'a[b][c][d][e][f][g][h][i]=j';\nassert.deepEqual(qs.parse(string), expected);\n```\n\nThis depth can be overridden by passing a `depth` option to `qs.parse(string, [options])`:\n\n```javascript\nvar deep = qs.parse('a[b][c][d][e][f][g][h][i]=j', { depth: 1 });\nassert.deepEqual(deep, { a: { b: { '[c][d][e][f][g][h][i]': 'j' } } });\n```\n\nYou can configure **qs** to throw an error when parsing nested input beyond this depth using the `strictDepth` option (defaulted to false):\n\n```javascript\ntry {\n qs.parse('a[b][c][d][e][f][g][h][i]=j', { depth: 1, strictDepth: true });\n} catch (err) {\n assert(err instanceof RangeError);\n assert.strictEqual(err.message, 'Input depth exceeded depth option of 1 and strictDepth is true');\n}\n```\n\nThe depth limit helps mitigate abuse when **qs** is used to parse user input, and it is recommended to keep it a reasonably small number. The strictDepth option adds a layer of protection by throwing an error when the limit is exceeded, allowing you to catch and handle such cases.\n\nFor similar reasons, by default **qs** will only parse up to 1000 parameters. This can be overridden by passing a `parameterLimit` option:\n\n```javascript\nvar limited = qs.parse('a=b&c=d', { parameterLimit: 1 });\nassert.deepEqual(limited, { a: 'b' });\n```\n\nIf you want an error to be thrown whenever the a limit is exceeded (eg, `parameterLimit`, `arrayLimit`), set the `throwOnLimitExceeded` option to `true`. This option will generate a descriptive error if the query string exceeds a configured limit.\n```javascript\ntry {\n qs.parse('a=1&b=2&c=3&d=4', { parameterLimit: 3, throwOnLimitExceeded: true });\n} catch (err) {\n assert(err instanceof Error);\n assert.strictEqual(err.message, 'Parameter limit exceeded. Only 3 parameters allowed.');\n}\n```\n\nWhen `throwOnLimitExceeded` is set to `false` (default), **qs** will parse up to the specified `parameterLimit` and ignore the rest without throwing an error.\n\nTo bypass the leading question mark, use `ignoreQueryPrefix`:\n\n```javascript\nvar prefixed = qs.parse('?a=b&c=d', { ignoreQueryPrefix: true });\nassert.deepEqual(prefixed, { a: 'b', c: 'd' });\n```\n\nAn optional delimiter can also be passed:\n\n```javascript\nvar delimited = qs.parse('a=b;c=d', { delimiter: ';' });\nassert.deepEqual(delimited, { a: 'b', c: 'd' });\n```\n\nDelimiters can be a regular expression too:\n\n```javascript\nvar regexed = qs.parse('a=b;c=d,e=f', { delimiter: /[;,]/ });\nassert.deepEqual(regexed, { a: 'b', c: 'd', e: 'f' });\n```\n\nOption `allowDots` can be used to enable dot notation:\n\n```javascript\nvar withDots = qs.parse('a.b=c', { allowDots: true });\nassert.deepEqual(withDots, { a: { b: 'c' } });\n```\n\nOption `decodeDotInKeys` can be used to decode dots in keys\nNote: it implies `allowDots`, so `parse` will error if you set `decodeDotInKeys` to `true`, and `allowDots` to `false`.\n\n```javascript\nvar withDots = qs.parse('name%252Eobj.first=John&name%252Eobj.last=Doe', { decodeDotInKeys: true });\nassert.deepEqual(withDots, { 'name.obj': { first: 'John', last: 'Doe' }});\n```\n\nOption `allowEmptyArrays` can be used to allowing empty array values in object\n```javascript\nvar withEmptyArrays = qs.parse('foo[]&bar=baz', { allowEmptyArrays: true });\nassert.deepEqual(withEmptyArrays, { foo: [], bar: 'baz' });\n```\n\nOption `duplicates` can be used to change the behavior when duplicate keys are encountered\n```javascript\nassert.deepEqual(qs.parse('foo=bar&foo=baz'), { foo: ['bar', 'baz'] });\nassert.deepEqual(qs.parse('foo=bar&foo=baz', { duplicates: 'combine' }), { foo: ['bar', 'baz'] });\nassert.deepEqual(qs.parse('foo=bar&foo=baz', { duplicates: 'first' }), { foo: 'bar' });\nassert.deepEqual(qs.parse('foo=bar&foo=baz', { duplicates: 'last' }), { foo: 'baz' });\n```\n\nIf you have to deal with legacy browsers or services, there's also support for decoding percent-encoded octets as iso-8859-1:\n\n```javascript\nvar oldCharset = qs.parse('a=%A7', { charset: 'iso-8859-1' });\nassert.deepEqual(oldCharset, { a: '§' });\n```\n\nSome services add an initial `utf8=✓` value to forms so that old Internet Explorer versions are more likely to submit the form as utf-8.\nAdditionally, the server can check the value against wrong encodings of the checkmark character and detect that a query string or `application/x-www-form-urlencoded` body was *not* sent as utf-8, eg. if the form had an `accept-charset` parameter or the containing page had a different character set.\n\n**qs** supports this mechanism via the `charsetSentinel` option.\nIf specified, the `utf8` parameter will be omitted from the returned object.\nIt will be used to switch to `iso-8859-1`/`utf-8` mode depending on how the checkmark is encoded.\n\n**Important**: When you specify both the `charset` option and the `charsetSentinel` option, the `charset` will be overridden when the request contains a `utf8` parameter from which the actual charset can be deduced.\nIn that sense the `charset` will behave as the default charset rather than the authoritative charset.\n\n```javascript\nvar detectedAsUtf8 = qs.parse('utf8=%E2%9C%93&a=%C3%B8', {\n charset: 'iso-8859-1',\n charsetSentinel: true\n});\nassert.deepEqual(detectedAsUtf8, { a: 'ø' });\n\n// Browsers encode the checkmark as ✓ when submitting as iso-8859-1:\nvar detectedAsIso8859_1 = qs.parse('utf8=%26%2310003%3B&a=%F8', {\n charset: 'utf-8',\n charsetSentinel: true\n});\nassert.deepEqual(detectedAsIso8859_1, { a: 'ø' });\n```\n\nIf you want to decode the `&#...;` syntax to the actual character, you can specify the `interpretNumericEntities` option as well:\n\n```javascript\nvar detectedAsIso8859_1 = qs.parse('a=%26%239786%3B', {\n charset: 'iso-8859-1',\n interpretNumericEntities: true\n});\nassert.deepEqual(detectedAsIso8859_1, { a: '☺' });\n```\n\nIt also works when the charset has been detected in `charsetSentinel` mode.\n\n### Parsing Arrays\n\n**qs** can also parse arrays using a similar `[]` notation:\n\n```javascript\nvar withArray = qs.parse('a[]=b&a[]=c');\nassert.deepEqual(withArray, { a: ['b', 'c'] });\n```\n\nYou may specify an index as well:\n\n```javascript\nvar withIndexes = qs.parse('a[1]=c&a[0]=b');\nassert.deepEqual(withIndexes, { a: ['b', 'c'] });\n```\n\nNote that the only difference between an index in an array and a key in an object is that the value between the brackets must be a number to create an array.\nWhen creating arrays with specific indices, **qs** will compact a sparse array to only the existing values preserving their order:\n\n```javascript\nvar noSparse = qs.parse('a[1]=b&a[15]=c');\nassert.deepEqual(noSparse, { a: ['b', 'c'] });\n```\n\nYou may also use `allowSparse` option to parse sparse arrays:\n\n```javascript\nvar sparseArray = qs.parse('a[1]=2&a[3]=5', { allowSparse: true });\nassert.deepEqual(sparseArray, { a: [, '2', , '5'] });\n```\n\nNote that an empty string is also a value, and will be preserved:\n\n```javascript\nvar withEmptyString = qs.parse('a[]=&a[]=b');\nassert.deepEqual(withEmptyString, { a: ['', 'b'] });\n\nvar withIndexedEmptyString = qs.parse('a[0]=b&a[1]=&a[2]=c');\nassert.deepEqual(withIndexedEmptyString, { a: ['b', '', 'c'] });\n```\n\n**qs** will also limit specifying indices in an array to a maximum index of `20`.\nAny array members with an index of greater than `20` will instead be converted to an object with the index as the key.\nThis is needed to handle cases when someone sent, for example, `a[999999999]` and it will take significant time to iterate over this huge array.\n\n```javascript\nvar withMaxIndex = qs.parse('a[100]=b');\nassert.deepEqual(withMaxIndex, { a: { '100': 'b' } });\n```\n\nThis limit can be overridden by passing an `arrayLimit` option:\n\n```javascript\nvar withArrayLimit = qs.parse('a[1]=b', { arrayLimit: 0 });\nassert.deepEqual(withArrayLimit, { a: { '1': 'b' } });\n```\n\nIf you want to throw an error whenever the array limit is exceeded, set the `throwOnLimitExceeded` option to `true`. This option will generate a descriptive error if the query string exceeds a configured limit.\n```javascript\ntry {\n qs.parse('a[1]=b', { arrayLimit: 0, throwOnLimitExceeded: true });\n} catch (err) {\n assert(err instanceof Error);\n assert.strictEqual(err.message, 'Array limit exceeded. Only 0 elements allowed in an array.');\n}\n```\n\nWhen `throwOnLimitExceeded` is set to `false` (default), **qs** will parse up to the specified `arrayLimit` and if the limit is exceeded, the array will instead be converted to an object with the index as the key\n\nTo disable array parsing entirely, set `parseArrays` to `false`.\n\n```javascript\nvar noParsingArrays = qs.parse('a[]=b', { parseArrays: false });\nassert.deepEqual(noParsingArrays, { a: { '0': 'b' } });\n```\n\nIf you mix notations, **qs** will merge the two items into an object:\n\n```javascript\nvar mixedNotation = qs.parse('a[0]=b&a[b]=c');\nassert.deepEqual(mixedNotation, { a: { '0': 'b', b: 'c' } });\n```\n\nYou can also create arrays of objects:\n\n```javascript\nvar arraysOfObjects = qs.parse('a[][b]=c');\nassert.deepEqual(arraysOfObjects, { a: [{ b: 'c' }] });\n```\n\nSome people use comma to join array, **qs** can parse it:\n```javascript\nvar arraysOfObjects = qs.parse('a=b,c', { comma: true })\nassert.deepEqual(arraysOfObjects, { a: ['b', 'c'] })\n```\n(_this cannot convert nested objects, such as `a={b:1},{c:d}`_)\n\n### Parsing primitive/scalar values (numbers, booleans, null, etc)\n\nBy default, all values are parsed as strings.\nThis behavior will not change and is explained in [issue #91](https://github.com/ljharb/qs/issues/91).\n\n```javascript\nvar primitiveValues = qs.parse('a=15&b=true&c=null');\nassert.deepEqual(primitiveValues, { a: '15', b: 'true', c: 'null' });\n```\n\nIf you wish to auto-convert values which look like numbers, booleans, and other values into their primitive counterparts, you can use the [query-types Express JS middleware](https://github.com/xpepermint/query-types) which will auto-convert all request query parameters.\n\n### Stringifying\n\n[](#preventEval)\n```javascript\nqs.stringify(object, [options]);\n```\n\nWhen stringifying, **qs** by default URI encodes output. Objects are stringified as you would expect:\n\n```javascript\nassert.equal(qs.stringify({ a: 'b' }), 'a=b');\nassert.equal(qs.stringify({ a: { b: 'c' } }), 'a%5Bb%5D=c');\n```\n\nThis encoding can be disabled by setting the `encode` option to `false`:\n\n```javascript\nvar unencoded = qs.stringify({ a: { b: 'c' } }, { encode: false });\nassert.equal(unencoded, 'a[b]=c');\n```\n\nEncoding can be disabled for keys by setting the `encodeValuesOnly` option to `true`:\n```javascript\nvar encodedValues = qs.stringify(\n { a: 'b', c: ['d', 'e=f'], f: [['g'], ['h']] },\n { encodeValuesOnly: true }\n);\nassert.equal(encodedValues,'a=b&c[0]=d&c[1]=e%3Df&f[0][0]=g&f[1][0]=h');\n```\n\nThis encoding can also be replaced by a custom encoding method set as `encoder` option:\n\n```javascript\nvar encoded = qs.stringify({ a: { b: 'c' } }, { encoder: function (str) {\n // Passed in values `a`, `b`, `c`\n return // Return encoded string\n}})\n```\n\n_(Note: the `encoder` option does not apply if `encode` is `false`)_\n\nAnalogue to the `encoder` there is a `decoder` option for `parse` to override decoding of properties and values:\n\n```javascript\nvar decoded = qs.parse('x=z', { decoder: function (str) {\n // Passed in values `x`, `z`\n return // Return decoded string\n}})\n```\n\nYou can encode keys and values using different logic by using the type argument provided to the encoder:\n\n```javascript\nvar encoded = qs.stringify({ a: { b: 'c' } }, { encoder: function (str, defaultEncoder, charset, type) {\n if (type === 'key') {\n return // Encoded key\n } else if (type === 'value') {\n return // Encoded value\n }\n}})\n```\n\nThe type argument is also provided to the decoder:\n\n```javascript\nvar decoded = qs.parse('x=z', { decoder: function (str, defaultDecoder, charset, type) {\n if (type === 'key') {\n return // Decoded key\n } else if (type === 'value') {\n return // Decoded value\n }\n}})\n```\n\nExamples beyond this point will be shown as though the output is not URI encoded for clarity.\nPlease note that the return values in these cases *will* be URI encoded during real usage.\n\nWhen arrays are stringified, they follow the `arrayFormat` option, which defaults to `indices`:\n\n```javascript\nqs.stringify({ a: ['b', 'c', 'd'] });\n// 'a[0]=b&a[1]=c&a[2]=d'\n```\n\nYou may override this by setting the `indices` option to `false`, or to be more explicit, the `arrayFormat` option to `repeat`:\n\n```javascript\nqs.stringify({ a: ['b', 'c', 'd'] }, { indices: false });\n// 'a=b&a=c&a=d'\n```\n\nYou may use the `arrayFormat` option to specify the format of the output array:\n\n```javascript\nqs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'indices' })\n// 'a[0]=b&a[1]=c'\nqs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'brackets' })\n// 'a[]=b&a[]=c'\nqs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'repeat' })\n// 'a=b&a=c'\nqs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'comma' })\n// 'a=b,c'\n```\n\nNote: when using `arrayFormat` set to `'comma'`, you can also pass the `commaRoundTrip` option set to `true` or `false`, to append `[]` on single-item arrays, so that they can round trip through a parse.\n\nWhen objects are stringified, by default they use bracket notation:\n\n```javascript\nqs.stringify({ a: { b: { c: 'd', e: 'f' } } });\n// 'a[b][c]=d&a[b][e]=f'\n```\n\nYou may override this to use dot notation by setting the `allowDots` option to `true`:\n\n```javascript\nqs.stringify({ a: { b: { c: 'd', e: 'f' } } }, { allowDots: true });\n// 'a.b.c=d&a.b.e=f'\n```\n\nYou may encode the dot notation in the keys of object with option `encodeDotInKeys` by setting it to `true`:\nNote: it implies `allowDots`, so `stringify` will error if you set `decodeDotInKeys` to `true`, and `allowDots` to `false`.\nCaveat: when `encodeValuesOnly` is `true` as well as `encodeDotInKeys`, only dots in keys and nothing else will be encoded.\n```javascript\nqs.stringify({ \"name.obj\": { \"first\": \"John\", \"last\": \"Doe\" } }, { allowDots: true, encodeDotInKeys: true })\n// 'name%252Eobj.first=John&name%252Eobj.last=Doe'\n```\n\nYou may allow empty array values by setting the `allowEmptyArrays` option to `true`:\n```javascript\nqs.stringify({ foo: [], bar: 'baz' }, { allowEmptyArrays: true });\n// 'foo[]&bar=baz'\n```\n\nEmpty strings and null values will omit the value, but the equals sign (=) remains in place:\n\n```javascript\nassert.equal(qs.stringify({ a: '' }), 'a=');\n```\n\nKey with no values (such as an empty object or array) will return nothing:\n\n```javascript\nassert.equal(qs.stringify({ a: [] }), '');\nassert.equal(qs.stringify({ a: {} }), '');\nassert.equal(qs.stringify({ a: [{}] }), '');\nassert.equal(qs.stringify({ a: { b: []} }), '');\nassert.equal(qs.stringify({ a: { b: {}} }), '');\n```\n\nProperties that are set to `undefined` will be omitted entirely:\n\n```javascript\nassert.equal(qs.stringify({ a: null, b: undefined }), 'a=');\n```\n\nThe query string may optionally be prepended with a question mark:\n\n```javascript\nassert.equal(qs.stringify({ a: 'b', c: 'd' }, { addQueryPrefix: true }), '?a=b&c=d');\n```\n\nThe delimiter may be overridden with stringify as well:\n\n```javascript\nassert.equal(qs.stringify({ a: 'b', c: 'd' }, { delimiter: ';' }), 'a=b;c=d');\n```\n\nIf you only want to override the serialization of `Date` objects, you can provide a `serializeDate` option:\n\n```javascript\nvar date = new Date(7);\nassert.equal(qs.stringify({ a: date }), 'a=1970-01-01T00:00:00.007Z'.replace(/:/g, '%3A'));\nassert.equal(\n qs.stringify({ a: date }, { serializeDate: function (d) { return d.getTime(); } }),\n 'a=7'\n);\n```\n\nYou may use the `sort` option to affect the order of parameter keys:\n\n```javascript\nfunction alphabeticalSort(a, b) {\n return a.localeCompare(b);\n}\nassert.equal(qs.stringify({ a: 'c', z: 'y', b : 'f' }, { sort: alphabeticalSort }), 'a=c&b=f&z=y');\n```\n\nFinally, you can use the `filter` option to restrict which keys will be included in the stringified output.\nIf you pass a function, it will be called for each key to obtain the replacement value.\nOtherwise, if you pass an array, it will be used to select properties and array indices for stringification:\n\n```javascript\nfunction filterFunc(prefix, value) {\n if (prefix == 'b') {\n // Return an `undefined` value to omit a property.\n return;\n }\n if (prefix == 'e[f]') {\n return value.getTime();\n }\n if (prefix == 'e[g][0]') {\n return value * 2;\n }\n return value;\n}\nqs.stringify({ a: 'b', c: 'd', e: { f: new Date(123), g: [2] } }, { filter: filterFunc });\n// 'a=b&c=d&e[f]=123&e[g][0]=4'\nqs.stringify({ a: 'b', c: 'd', e: 'f' }, { filter: ['a', 'e'] });\n// 'a=b&e=f'\nqs.stringify({ a: ['b', 'c', 'd'], e: 'f' }, { filter: ['a', 0, 2] });\n// 'a[0]=b&a[2]=d'\n```\n\nYou could also use `filter` to inject custom serialization for user defined types.\nConsider you're working with some api that expects query strings of the format for ranges:\n\n```\nhttps://domain.com/endpoint?range=30...70\n```\n\nFor which you model as:\n\n```javascript\nclass Range {\n constructor(from, to) {\n this.from = from;\n this.to = to;\n }\n}\n```\n\nYou could _inject_ a custom serializer to handle values of this type:\n\n```javascript\nqs.stringify(\n {\n range: new Range(30, 70),\n },\n {\n filter: (prefix, value) => {\n if (value instanceof Range) {\n return `${value.from}...${value.to}`;\n }\n // serialize the usual way\n return value;\n },\n }\n);\n// range=30...70\n```\n\n### Handling of `null` values\n\nBy default, `null` values are treated like empty strings:\n\n```javascript\nvar withNull = qs.stringify({ a: null, b: '' });\nassert.equal(withNull, 'a=&b=');\n```\n\nParsing does not distinguish between parameters with and without equal signs.\nBoth are converted to empty strings.\n\n```javascript\nvar equalsInsensitive = qs.parse('a&b=');\nassert.deepEqual(equalsInsensitive, { a: '', b: '' });\n```\n\nTo distinguish between `null` values and empty strings use the `strictNullHandling` flag. In the result string the `null`\nvalues have no `=` sign:\n\n```javascript\nvar strictNull = qs.stringify({ a: null, b: '' }, { strictNullHandling: true });\nassert.equal(strictNull, 'a&b=');\n```\n\nTo parse values without `=` back to `null` use the `strictNullHandling` flag:\n\n```javascript\nvar parsedStrictNull = qs.parse('a&b=', { strictNullHandling: true });\nassert.deepEqual(parsedStrictNull, { a: null, b: '' });\n```\n\nTo completely skip rendering keys with `null` values, use the `skipNulls` flag:\n\n```javascript\nvar nullsSkipped = qs.stringify({ a: 'b', c: null}, { skipNulls: true });\nassert.equal(nullsSkipped, 'a=b');\n```\n\nIf you're communicating with legacy systems, you can switch to `iso-8859-1` using the `charset` option:\n\n```javascript\nvar iso = qs.stringify({ æ: 'æ' }, { charset: 'iso-8859-1' });\nassert.equal(iso, '%E6=%E6');\n```\n\nCharacters that don't exist in `iso-8859-1` will be converted to numeric entities, similar to what browsers do:\n\n```javascript\nvar numeric = qs.stringify({ a: '☺' }, { charset: 'iso-8859-1' });\nassert.equal(numeric, 'a=%26%239786%3B');\n```\n\nYou can use the `charsetSentinel` option to announce the character by including an `utf8=✓` parameter with the proper encoding if the checkmark, similar to what Ruby on Rails and others do when submitting forms.\n\n```javascript\nvar sentinel = qs.stringify({ a: '☺' }, { charsetSentinel: true });\nassert.equal(sentinel, 'utf8=%E2%9C%93&a=%E2%98%BA');\n\nvar isoSentinel = qs.stringify({ a: 'æ' }, { charsetSentinel: true, charset: 'iso-8859-1' });\nassert.equal(isoSentinel, 'utf8=%26%2310003%3B&a=%E6');\n```\n\n### Dealing with special character sets\n\nBy default the encoding and decoding of characters is done in `utf-8`, and `iso-8859-1` support is also built in via the `charset` parameter.\n\nIf you wish to encode querystrings to a different character set (i.e.\n[Shift JIS](https://en.wikipedia.org/wiki/Shift_JIS)) you can use the\n[`qs-iconv`](https://github.com/martinheidegger/qs-iconv) library:\n\n```javascript\nvar encoder = require('qs-iconv/encoder')('shift_jis');\nvar shiftJISEncoded = qs.stringify({ a: 'こんにちは!' }, { encoder: encoder });\nassert.equal(shiftJISEncoded, 'a=%82%B1%82%F1%82%C9%82%BF%82%CD%81I');\n```\n\nThis also works for decoding of query strings:\n\n```javascript\nvar decoder = require('qs-iconv/decoder')('shift_jis');\nvar obj = qs.parse('a=%82%B1%82%F1%82%C9%82%BF%82%CD%81I', { decoder: decoder });\nassert.deepEqual(obj, { a: 'こんにちは!' });\n```\n\n### RFC 3986 and RFC 1738 space encoding\n\nRFC3986 used as default option and encodes ' ' to *%20* which is backward compatible.\nIn the same time, output can be stringified as per RFC1738 with ' ' equal to '+'.\n\n```\nassert.equal(qs.stringify({ a: 'b c' }), 'a=b%20c');\nassert.equal(qs.stringify({ a: 'b c' }, { format : 'RFC3986' }), 'a=b%20c');\nassert.equal(qs.stringify({ a: 'b c' }, { format : 'RFC1738' }), 'a=b+c');\n```\n\n## Security\n\nPlease email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.\n\n## qs for enterprise\n\nAvailable as part of the Tidelift Subscription\n\nThe maintainers of qs and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications.\nSave time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use.\n[Learn more.](https://tidelift.com/subscription/pkg/npm-qs?utm_source=npm-qs&utm_medium=referral&utm_campaign=enterprise&utm_term=repo)\n\n[package-url]: https://npmjs.org/package/qs\n[npm-version-svg]: https://versionbadg.es/ljharb/qs.svg\n[deps-svg]: https://david-dm.org/ljharb/qs.svg\n[deps-url]: https://david-dm.org/ljharb/qs\n[dev-deps-svg]: https://david-dm.org/ljharb/qs/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/qs#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/qs.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/qs.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/qs.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=qs\n[codecov-image]: https://codecov.io/gh/ljharb/qs/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/qs/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/qs\n[actions-url]: https://github.com/ljharb/qs/actions\n\n## Acknowledgements\n\nqs logo by [NUMI](https://github.com/numi-hq/open-design):\n\n[\"NUMI](https://numi.tech/?ref=qs)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/qs/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/range-parser/README.md ---\n# range-parser\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][travis-image]][travis-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nRange header field parser.\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install range-parser\n```\n\n## API\n\n\n\n```js\nvar parseRange = require('range-parser')\n```\n\n### parseRange(size, header, options)\n\nParse the given `header` string where `size` is the maximum size of the resource.\nAn array of ranges will be returned or negative numbers indicating an error parsing.\n\n * `-2` signals a malformed header string\n * `-1` signals an unsatisfiable range\n\n\n\n```js\n// parse header from request\nvar range = parseRange(size, req.headers.range)\n\n// the type of the range\nif (range.type === 'bytes') {\n // the ranges\n range.forEach(function (r) {\n // do something with r.start and r.end\n })\n}\n```\n\n#### Options\n\nThese properties are accepted in the options object.\n\n##### combine\n\nSpecifies if overlapping & adjacent ranges should be combined, defaults to `false`.\nWhen `true`, ranges will be combined and returned as if they were specified that\nway in the header.\n\n\n\n```js\nparseRange(100, 'bytes=50-55,0-10,5-10,56-60', { combine: true })\n// => [\n// { start: 0, end: 10 },\n// { start: 50, end: 60 }\n// ]\n```\n\n## License\n\n[MIT](LICENSE)\n\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/range-parser/master\n[coveralls-url]: https://coveralls.io/r/jshttp/range-parser?branch=master\n[node-image]: https://badgen.net/npm/node/range-parser\n[node-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/range-parser\n[npm-url]: https://npmjs.org/package/range-parser\n[npm-version-image]: https://badgen.net/npm/v/range-parser\n[travis-image]: https://badgen.net/travis/jshttp/range-parser/master\n[travis-url]: https://travis-ci.org/jshttp/range-parser\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/range-parser/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/raw-body/README.md ---\n# raw-body\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build status][github-actions-ci-image]][github-actions-ci-url]\n[![Test coverage][coveralls-image]][coveralls-url]\n\nGets the entire buffer of a stream either as a `Buffer` or a string.\nValidates the stream's length against an expected length and maximum limit.\nIdeal for parsing request bodies.\n\n## Install\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install raw-body\n```\n\n### TypeScript\n\nThis module includes a [TypeScript](https://www.typescriptlang.org/)\ndeclaration file to enable auto complete in compatible editors and type\ninformation for TypeScript projects. This module depends on the Node.js\ntypes, so install `@types/node`:\n\n```sh\n$ npm install @types/node\n```\n\n## API\n\n```js\nvar getRawBody = require('raw-body')\n```\n\n### getRawBody(stream, [options], [callback])\n\n**Returns a promise if no callback specified and global `Promise` exists.**\n\nOptions:\n\n- `length` - The length of the stream.\n If the contents of the stream do not add up to this length,\n an `400` error code is returned.\n- `limit` - The byte limit of the body.\n This is the number of bytes or any string format supported by\n [bytes](https://www.npmjs.com/package/bytes),\n for example `1000`, `'500kb'` or `'3mb'`.\n If the body ends up being larger than this limit,\n a `413` error code is returned.\n- `encoding` - The encoding to use to decode the body into a string.\n By default, a `Buffer` instance will be returned when no encoding is specified.\n Most likely, you want `utf-8`, so setting `encoding` to `true` will decode as `utf-8`.\n You can use any type of encoding supported by [iconv-lite](https://www.npmjs.org/package/iconv-lite#readme).\n\nYou can also pass a string in place of options to just specify the encoding.\n\nIf an error occurs, the stream will be paused, everything unpiped,\nand you are responsible for correctly disposing the stream.\nFor HTTP requests, you may need to finish consuming the stream if\nyou want to keep the socket open for future requests. For streams\nthat use file descriptors, you should `stream.destroy()` or\n`stream.close()` to prevent leaks.\n\n## Errors\n\nThis module creates errors depending on the error condition during reading.\nThe error may be an error from the underlying Node.js implementation, but is\notherwise an error created by this module, which has the following attributes:\n\n * `limit` - the limit in bytes\n * `length` and `expected` - the expected length of the stream\n * `received` - the received bytes\n * `encoding` - the invalid encoding\n * `status` and `statusCode` - the corresponding status code for the error\n * `type` - the error type\n\n### Types\n\nThe errors from this module have a `type` property which allows for the programmatic\ndetermination of the type of error returned.\n\n#### encoding.unsupported\n\nThis error will occur when the `encoding` option is specified, but the value does\nnot map to an encoding supported by the [iconv-lite](https://www.npmjs.org/package/iconv-lite#readme)\nmodule.\n\n#### entity.too.large\n\nThis error will occur when the `limit` option is specified, but the stream has\nan entity that is larger.\n\n#### request.aborted\n\nThis error will occur when the request stream is aborted by the client before\nreading the body has finished.\n\n#### request.size.invalid\n\nThis error will occur when the `length` option is specified, but the stream has\nemitted more bytes.\n\n#### stream.encoding.set\n\nThis error will occur when the given stream has an encoding set on it, making it\na decoded stream. The stream should not have an encoding set and is expected to\nemit `Buffer` objects.\n\n#### stream.not.readable\n\nThis error will occur when the given stream is not readable.\n\n## Examples\n\n### Simple Express example\n\n```js\nvar contentType = require('content-type')\nvar express = require('express')\nvar getRawBody = require('raw-body')\n\nvar app = express()\n\napp.use(function (req, res, next) {\n getRawBody(req, {\n length: req.headers['content-length'],\n limit: '1mb',\n encoding: contentType.parse(req).parameters.charset\n }, function (err, string) {\n if (err) return next(err)\n req.text = string\n next()\n })\n})\n\n// now access req.text\n```\n\n### Simple Koa example\n\n```js\nvar contentType = require('content-type')\nvar getRawBody = require('raw-body')\nvar koa = require('koa')\n\nvar app = koa()\n\napp.use(function * (next) {\n this.text = yield getRawBody(this.req, {\n length: this.req.headers['content-length'],\n limit: '1mb',\n encoding: contentType.parse(this.req).parameters.charset\n })\n yield next\n})\n\n// now access this.text\n```\n\n### Using as a promise\n\nTo use this library as a promise, simply omit the `callback` and a promise is\nreturned, provided that a global `Promise` is defined.\n\n```js\nvar getRawBody = require('raw-body')\nvar http = require('http')\n\nvar server = http.createServer(function (req, res) {\n getRawBody(req)\n .then(function (buf) {\n res.statusCode = 200\n res.end(buf.length + ' bytes submitted')\n })\n .catch(function (err) {\n res.statusCode = 500\n res.end(err.message)\n })\n})\n\nserver.listen(3000)\n```\n\n### Using with TypeScript\n\n```ts\nimport * as getRawBody from 'raw-body';\nimport * as http from 'http';\n\nconst server = http.createServer((req, res) => {\n getRawBody(req)\n .then((buf) => {\n res.statusCode = 200;\n res.end(buf.length + ' bytes submitted');\n })\n .catch((err) => {\n res.statusCode = err.statusCode;\n res.end(err.message);\n });\n});\n\nserver.listen(3000);\n```\n\n## License\n\n[MIT](LICENSE)\n\n[npm-image]: https://img.shields.io/npm/v/raw-body.svg\n[npm-url]: https://npmjs.org/package/raw-body\n[node-version-image]: https://img.shields.io/node/v/raw-body.svg\n[node-version-url]: https://nodejs.org/en/download/\n[coveralls-image]: https://img.shields.io/coveralls/stream-utils/raw-body/master.svg\n[coveralls-url]: https://coveralls.io/r/stream-utils/raw-body?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/raw-body.svg\n[downloads-url]: https://npmjs.org/package/raw-body\n[github-actions-ci-image]: https://img.shields.io/github/actions/workflow/status/stream-utils/raw-body/ci.yml?branch=master&label=ci\n[github-actions-ci-url]: https://github.com/jshttp/stream-utils/raw-body?query=workflow%3Aci\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/raw-body/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/rollup/README.md ---\n

\n\t\n

\n\n

\n \n \"npm\n \n \n \"node\n \n \n \"install\n \n \n \"code\n \n \n \"backers\"\n \n \n \"sponsors\"\n \n \n \"license\"\n \n \n Join the chat at https://is.gd/rollup_chat\n \n

\n\n

Rollup

\n\n## Overview\n\nRollup is a module bundler for JavaScript which compiles small pieces of code into something larger and more complex, such as a library or application. It uses the standardized ES module format for code, instead of previous idiosyncratic solutions such as CommonJS and AMD. ES modules let you freely and seamlessly combine the most useful individual functions from your favorite libraries. Rollup can optimize ES modules for faster native loading in modern browsers, or output a legacy module format allowing ES module workflows today.\n\n## Quick Start Guide\n\nInstall with `npm install --global rollup`. Rollup can be used either through a [command line interface](https://rollupjs.org/command-line-interface/) with an optional configuration file or else through its [JavaScript API](https://rollupjs.org/javascript-api/). Run `rollup --help` to see the available options and parameters. The starter project templates, [rollup-starter-lib](https://github.com/rollup/rollup-starter-lib) and [rollup-starter-app](https://github.com/rollup/rollup-starter-app), demonstrate common configuration options, and more detailed instructions are available throughout the [user guide](https://rollupjs.org/introduction/).\n\n### Commands\n\nThese commands assume the entry point to your application is named main.js, and that you'd like all imports compiled into a single file named bundle.js.\n\nFor browsers:\n\n```bash\n# compile to a