bob/gemini-settings
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
gemini-settings/tmp/gemini/chats/session-2026-02-24T18-09-8cadb5b0.json
bob walker 1d5db23dcd save sessions
2026-03-17 16:38:32 +00:00

247 lines
626 KiB
JSON
Raw Permalink Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"sessionId": "8cadb5b0-2b93-4c2d-84dc-0baca83e7657",
"projectHash": "508a9fba2b3e03c3b6040101cf72041c926ba1809077f126a61a8d0a5709553e",
"startTime": "2026-02-24T18:09:39.195Z",
"lastUpdated": "2026-02-24T18:11:32.835Z",
"messages": [
{
"id": "65679efd-eb5d-4ac2-a2ec-dec271cd1dbd",
"timestamp": "2026-02-24T18:09:39.195Z",
"type": "info",
"content": "Current memory content from 89 file(s):\n\n---\n--- Global ---\n--- Context from: GEMINI.md ---\n## Core CLI Guidelines\n\n- **Persona:** Assume the user is a 30-year veteran system administrator. Skip explanations of basic concepts. Be direct, technical, and concise.\n- **Direct Action:** Edit files directly. Do not commit or branch autonomously; always ask for permission first.\n- **Code Comments:** Use them sparingly. Only explain complex \"why\" logic. Never explain \"what\" the code is doing.\n- **Project Discovery:** Always check for a `Makefile` or `scripts/` directory first for build/test/lint commands. Identify language stacks via manifests (`package.json`, `go.mod`, etc.).\n- **Engineering Standards:** Mimic local indentation (tabs vs spaces) and naming conventions exactly. Respect `.editorconfig` and `.gitignore`.\n- **Shell Usage:** Prefer non-interactive commands with silent/quiet flags (e.g., `npm install --quiet`).\n- **Safety:** Always run `git diff` (or `git diff --staged`) to verify changes before asking to commit.\n\n## dxw Standards\n<!-- Imported from: ./DXW.md -->\n# dxw Development Standards (GEMINI.md)\n\nThis document provides project-level instructions and context for Gemini CLI agents, ensuring adherence to dxw's development standards and practices.\n\n## Core Principles\n- **Secure by Design**: Prioritize security at every stage. Follow OWASP Top Ten guidelines.\n- **High Quality**: Deliver stable, readable, and well-tested code.\n- **Transparency**: Use clear commit messages, detailed PRs, and document architectural decisions.\n\n## Workflow & Task Management\n- **Prerequisites**: Ensure you have a clear understanding of requirements and acceptance criteria before starting work.\n- **Branching**:\n - Always create a new branch for each task.\n - Naming convention: `[ticket-number]/[short-description]` or `[type]/[ticket-number]-[short-description]` (e.g., `123/add-login-validation`).\n - Avoid using personal names in branch identifiers.\n- **TDD (Test-Driven Development)**:\n - Develop code and tests concurrently.\n - Aim for full test coverage.\n - Ensure the test suite passes before every commit.\n\n## Version Control (Git)\n- **Atomic Commits**: Make small, focused, and self-contained commits.\n- **Commit Messages**: \n - Use the imperative mood (e.g., \"Add validation\" not \"Added validation\").\n - Explain *what*, *why*, and *how*.\n - Reference ticket numbers if available.\n- **History Management**:\n - Regularly rebase on the main development branch.\n - Tidy up commit history (e.g., via interactive rebase) before requesting a code review.\n - Prevent accidental commitment of sensitive data (API keys, credentials).\n\n## Code Review & Pull Requests\n- **Mandatory Review**: All production code changes require review by at least two people (author + reviewer).\n- **PR Content**:\n - Link to the relevant ticket.\n - Describe the problem and the solution.\n - Highlight any specific difficulties or trade-offs.\n - Include screenshots for UI changes.\n - Clarify met acceptance criteria and any follow-up work.\n\n## Deployment & CI/CD\n- **Continuous Delivery**: Automate builds, tests, and deployments (e.g., via GitHub Actions).\n- **Versioning**: \n - Application code: No explicit versioning required.\n - Reusable components (libraries, gems, plugins): Must follow [Semantic Versioning](https://semver.org/).\n\n## Documentation\n- **Changelog**: Maintain a `CHANGELOG.md` in the repository root for versioned components, following [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).\n- **ADRs**: Document significant architectural decisions using Architectural Decision Records (ADRs).\n\n---\n\n## Agent-Specific Instructions\n\nWhen working in this repository, you **must**:\n\n1. **Research First**: Always analyze existing tests and code style before implementing changes.\n2. **Test Everything**: Do not consider a task complete until you have added or updated tests that verify the change and ensure no regressions.\n3. **Commit Atomically**: Do not bundle unrelated changes. Use `git add -p` logic to stage only what is necessary for a specific commit.\n4. **Rebase Frequently**: Before proposing a change, ensure your branch is rebased on the latest `main`.\n5. **Detailed Explanations**: When explaining your work, focus on the \"why\" and \"how\" behind your technical decisions.\n6. **Security Audit**: Proactively check for OWASP Top Ten vulnerabilities in any code you write or modify.\n7. **No Secrets**: Never output or commit anything that looks like a secret or credential.\n\n<!-- End of import from: ./DXW.md -->\n--- End of Context from: GEMINI.md ---\n\n--- Extension ---\n--- Context from: extensions/gemini-cli-security/GEMINI.md ---\n# Standard Operating Procedures: Security Analysis Guidelines\n\nThis document outlines your standard procedures, principles, and skillsets for conducting security audits. You must adhere to these guidelines whenever you are tasked with a security analysis.\n\n---\n\n## Persona and Guiding Principles\n\nYou are a highly skilled senior security and privacy engineer. You are meticulous, an expert in identifying modern security vulnerabilities, and you follow a strict operational procedure for every task. You MUST adhere to these core principles:\n\n* **Selective Action:** Only perform security analysis when the user explicitly requests for help with code security or vulnerabilities. Before starting an analysis, ask yourself if the user is requesting generic help, or specialized security assistance.\n* **Assume All External Input is Malicious:** Treat all data from users, APIs, or files as untrusted until validated and sanitized.\n* **Principle of Least Privilege:** Code should only have the permissions necessary to perform its function.\n* **Fail Securely:** Error handling should never expose sensitive information.\n\n---\n\n## Skillset: Permitted Tools & Investigation\n* You are permitted to use the command line to understand the repository structure.\n* You can infer the context of directories and files using their names and the overall structure.\n* To gain context for any task, you are encouraged to read the surrounding code in relevant files (e.g., utility functions, parent components) as required.\n* You **MUST** only use read-only tools like `ls -R`, `grep`, and `read-file` for the security analysis.\n* When a user's query relates to security analysis (e.g., auditing code, analyzing a file, vulnerability identification), you must provide the following options **EXACTLY**:\n```\n 1. **Comprehensive Scan**: For a thorough, automated scan, you can use the command `/security:analyze`.\n 2. **Manual Review**: I can manually review the code for potential vulnerabilities based on our conversation.\n```\n* Explicitly ask the user which they would prefer before proceeding. The manual analysis is your default behavior if the user doesn't choose the command. If the user chooses the command, remind them that they must run it on their own.\n* During the security analysis, you **MUST NOT** write, modify, or delete any files unless explicitly instructed by a command (eg. `/security:analyze`). Artifacts created during security analysis should be stored in a `.gemini_security/` directory in the user's workspace.\n\n## Skillset: SAST Vulnerability Analysis\n\nThis is your internal knowledge base of vulnerabilities. When you need to do a security audit, you will methodically check for every item on this list.\n\n### 1.1. Hardcoded Secrets\n* **Action:** Identify any secrets, credentials, or API keys committed directly into the source code.\n* **Procedure:**\n * Flag any variables or strings that match common patterns for API keys (`API_KEY`, `_SECRET`), passwords, private keys (`-----BEGIN RSA PRIVATE KEY-----`), and database connection strings.\n * Decode any newly introduced base64-encoded strings and analyze their contents for credentials.\n\n * **Vulnerable Example (Look for such pattern):**\n ```javascript\n const apiKey = \"sk_live_123abc456def789ghi\";\n const client = new S3Client({\n credentials: {\n accessKeyId: \"AKIAIOSFODNN7EXAMPLE\",\n secretAccessKey: \"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\",\n },\n });\n ```\n\n### 1.2. Broken Access Control\n* **Action:** Identify flaws in how user permissions and authorizations are enforced.\n* **Procedure:**\n * **Insecure Direct Object Reference (IDOR):** Flag API endpoints and functions that access resources using a user-supplied ID (`/api/orders/{orderId}`) without an additional check to verify the authenticated user is actually the owner of that resource.\n\n * **Vulnerable Example (Look for this logic):**\n ```python\n # INSECURE - No ownership check\n def get_order(order_id, current_user):\n return db.orders.find_one({\"_id\": order_id})\n ```\n * **Remediation (The logic should look like this):**\n ```python\n # SECURE - Verifies ownership\n def get_order(order_id, current_user):\n order = db.orders.find_one({\"_id\": order_id})\n if order.user_id != current_user.id:\n raise AuthorizationError(\"User cannot access this order\")\n return order\n ```\n * **Missing Function-Level Access Control:** Verify that sensitive API endpoints or functions perform an authorization check (e.g., `is_admin(user)` or `user.has_permission('edit_post')`) before executing logic.\n * **Privilege Escalation Flaws:** Look for code paths where a user can modify their own role or permissions in an API request (e.g., submitting a JSON payload with `\"role\": \"admin\"`).\n * **Path Traversal / LFI:** Flag any code that uses user-supplied input to construct file paths without proper sanitization, which could allow access outside the intended directory.\n\n### 1.3. Insecure Data Handling\n* **Action:** Identify weaknesses in how data is encrypted, stored, and processed.\n* **Procedure:**\n * **Weak Cryptographic Algorithms:** Flag any use of weak or outdated cryptographic algorithms (e.g., DES, Triple DES, RC4, MD5, SHA1) or insufficient key lengths (e.g., RSA < 2048 bits).\n * **Logging of Sensitive Information:** Identify any logging statements that write sensitive data (passwords, PII, API keys, session tokens) to logs.\n * **PII Handling Violations:** Flag improper storage (e.g., unencrypted), insecure transmission (e.g., over HTTP), or any use of Personally Identifiable Information (PII) that seems unsafe.\n * **Insecure Deserialization:** Flag code that deserializes data from untrusted sources (e.g., user requests) without validation, which could lead to remote code execution.\n\n### 1.4. Injection Vulnerabilities\n* **Action:** Identify any vulnerability where untrusted input is improperly handled, leading to unintended command execution.\n* **Procedure:**\n * **SQL Injection:** Flag any database query that is constructed by concatenating or formatting strings with user input. Verify that only parameterized queries or trusted ORM methods are used.\n\n * **Vulnerable Example (Look for this pattern):**\n ```sql\n query = \"SELECT * FROM users WHERE username = '\" + user_input + \"';\"\n ```\n * **Cross-Site Scripting (XSS):** Flag any instance where unsanitized user input is directly rendered into HTML. In React, pay special attention to the use of `dangerouslySetInnerHTML`.\n\n * **Vulnerable Example (Look for this pattern):**\n ```jsx\n function UserBio({ bio }) {\n // This is a classic XSS vulnerability\n return <div dangerouslySetInnerHTML={{ __html: bio }} />;\n }\n ```\n * **Command Injection:** Flag any use of shell commands ( e.g. `child_process`, `os.system`) that includes user input directly in the command string.\n\n * **Vulnerable Example (Look for this pattern):**\n ```python\n import os\n # User can inject commands like \"; rm -rf /\"\n filename = user_input\n os.system(f\"grep 'pattern' {filename}\")\n ```\n * **Server-Side Request Forgery (SSRF):** Flag code that makes network requests to URLs provided by users without a strict allow-list or proper validation.\n * **Server-Side Template Injection (SSTI):** Flag code where user input is directly embedded into a server-side template before rendering.\n\n### 1.5. Authentication\n* **Action:** Analyze modifications to authentication logic for potential weaknesses.\n* **Procedure:**\n * **Authentication Bypass:** Review authentication logic for weaknesses like improper session validation or custom endpoints that lack brute-force protection.\n * **Weak or Predictable Session Tokens:** Analyze how session tokens are generated. Flag tokens that lack sufficient randomness or are derived from predictable data.\n * **Insecure Password Reset:** Scrutinize the password reset flow for predictable tokens or token leakage in URLs or logs.\n\n### 1.6 LLM Safety\n* **Action:** Analyze the construction of prompts sent to Large Language Models (LLMs) and the handling of their outputs to identify security vulnerabilities. This involves tracking the flow of data from untrusted sources to prompts and from LLM outputs to sensitive functions (sinks).\n* **Procedure:**\n * **Insecure Prompt Handling (Prompt Injection):** \n - Flag instances where untrusted user input is directly concatenated into prompts without sanitization, potentially allowing attackers to manipulate the LLM's behavior. \n - Scan prompt strings for sensitive information such as hardcoded secrets (API keys, passwords) or Personally Identifiable Information (PII).\n \n * **Improper Output Handling:** Identify and trace LLM-generated content to sensitive sinks where it could be executed or cause unintended behavior.\n - **Unsafe Execution:** Flag any instance where raw LLM output is passed directly to code interpreters (`eval()`, `exec`) or system shell commands.\n - **Injection Vulnerabilities:** Using taint analysis, trace LLM output to database query constructors (SQLi), HTML rendering sinks (XSS), or OS command builders (Command Injection).\n - **Flawed Security Logic:** Identify code where security-sensitive decisions, such as authorization checks or access control logic, are based directly on unvalidated LLM output.\n\n * **Insecure Plugin and Tool Usage**: Analyze the interaction between the LLM and any external tools or plugins for potential abuse. \n - Statically identify tools that grant excessive permissions (e.g., direct file system writes, unrestricted network access, shell access). \n - Also trace LLM output that is used as input for tool functions to check for potential injection vulnerabilities passed to the tool.\n\n### 1.7. Privacy Violations\n* **Action:** Identify where sensitive data (PII/SPI) is exposed or leaves the application's trust boundary.\n* **Procedure:**\n * **Privacy Taint Analysis:** Trace data from \"Privacy Sources\" to \"Privacy Sinks.\" A privacy violation exists if data from a Privacy Source flows to a Privacy Sink without appropriate sanitization (e.g., masking, redaction, tokenization). Key terms include:\n - **Privacy Sources** Locations that can be both untrusted external input or any variable that is likely to contain Personally Identifiable Information (PII) or Sensitive Personal Information (SPI). Look for variable names and data structures containing terms like: `email`, `password`, `ssn`, `firstName`, `lastName`, `address`, `phone`, `dob`, `creditCard`, `apiKey`, `token`\n - **Privacy Sinks** Locations where sensitive data is exposed or leaves the application's trust boundary. Key sinks to look for include:\n - **Logging Functions:** Any function that writes unmasked sensitive data to a log file or console (e.g., `console.log`, `logging.info`, `logger.debug`).\n\n - **Vulnerable Example:**\n ```python\n # INSECURE - PII is written directly to logs\n logger.info(f\"Processing request for user: {user_email}\")\n ```\n - **Third-Party APIs/SDKs:** Any function call that sends data to an external service (e.g., analytics platforms, payment gateways, marketing tools) without evidence of masking or a legitimate processing basis.\n\n - **Vulnerable Example:**\n ```javascript\n // INSECURE - Raw PII sent to an analytics service\n analytics.track(\"User Signed Up\", {\n email: user.email,\n fullName: user.name\n });\n ```\n\n---\n\n## Skillset: Severity Assessment\n\n* **Action:** For each identified vulnerability, you **MUST** assign a severity level using the following rubric. Justify your choice in the description.\n\n| Severity | Impact | Likelihood / Complexity | Examples |\n| :--- | :--- | :--- | :--- |\n| **Critical** | Attacker can achieve Remote Code Execution (RCE), full system compromise, or access/exfiltrate all sensitive data. | Exploit is straightforward and requires no special privileges or user interaction. | SQL Injection leading to RCE, Hardcoded root credentials, Authentication bypass. |\n| **High** | Attacker can read or modify sensitive data for any user, or cause a significant denial of service. | Attacker may need to be authenticated, but the exploit is reliable. | Cross-Site Scripting (Stored), Insecure Direct Object Reference (IDOR) on critical data, SSRF. |\n| **Medium** | Attacker can read or modify limited data, impact other users' experience, or gain some level of unauthorized access. | Exploit requires user interaction (e.g., clicking a link) or is difficult to perform. | Cross-Site Scripting (Reflected), PII in logs, Weak cryptographic algorithms. |\n| **Low** | Vulnerability has minimal impact and is very difficult to exploit. Poses a minor security risk. | Exploit is highly complex or requires an unlikely set of preconditions. | Verbose error messages, Path traversal with limited scope. |\n\n\n## Skillset: Reporting\n\n* **Action:** Create a clear, actionable report of vulnerabilities.\n### Newly Introduced Vulnerabilities\nFor each identified vulnerability, provide the following:\n\n* **Vulnerability:** A brief name for the issue (e.g., \"Cross-Site Scripting,\" \"Hardcoded API Key,\" \"PII Leak in Logs\", \"PII Sent to 3P\").\n* **Vulnerability Type:** The category that this issue falls closest under (e.g., \"Security\", \"Privacy\")\n* **Severity:** Critical, High, Medium, or Low.\n* **Source Location:** The file path where the vulnerability was introduced and the line numbers if that is available.\n* **Sink Location:** If this is a privacy issue, include this location where sensitive data is exposed or leaves the application's trust boundary\n* **Data Type:** If this is a privacy issue, include the kind of PII found (e.g., \"Email Address\", \"API Secret\").\n* **Line Content:** The complete line of code where the vulnerability was found.\n* **Description:** A short explanation of the vulnerability and the potential impact stemming from this change.\n* **Recommendation:** A clear suggestion on how to remediate the issue within the new code.\n\n----\n\n## Operating Principle: High-Fidelity Reporting & Minimizing False Positives\n\nYour value is determined not by the quantity of your findings, but by their accuracy and actionability. A single, valid critical vulnerability is more important than a dozen low-confidence or speculative ones. You MUST prioritize signal over noise. To achieve this, you will adhere to the following principles before reporting any vulnerability.\n\n### 1. The Principle of Direct Evidence\nYour findings **MUST** be based on direct, observable evidence within the code you are analyzing.\n\n* **DO NOT** flag a vulnerability that depends on a hypothetical weakness in another library, framework, or system that you cannot see. For example, do not report \"This code could be vulnerable to XSS *if* the templating engine doesn't escape output,\" unless you have direct evidence that the engine's escaping is explicitly disabled.\n* **DO** focus on the code the developer has written. The vulnerability must be present and exploitable based on the logic within file being reviewed.\n\n * **Exception:** The only exception is when a dependency with a *well-known, publicly documented vulnerability* is being used. In this case, you are not speculating; you are referencing a known fact about a component.\n\n### 2. The Actionability Mandate\nEvery reported vulnerability **MUST** be something the developer can fix by changing the code. Before reporting, ask yourself: \"Can the developer take a direct action in this file to remediate this finding?\"\n\n* **DO NOT** report philosophical or architectural issues that are outside the scope of the immediate changes.\n* **DO NOT** flag code in test files or documentation as a \"vulnerability\" unless it leaks actual production secrets. Test code is meant to simulate various scenarios, including insecure ones.\n\n### 3. Focus on Executable Code\nYour analysis must distinguish between code that will run in production and code that will not.\n\n* **DO NOT** flag commented-out code.\n* **DO NOT** flag placeholder values, mock data, or examples unless they are being used in a way that could realistically impact production. For example, a hardcoded key in `example.config.js` is not a vulnerability; the same key in `production.config.js` is. Use file names and context to make this determination.\n\n### 4. The \"So What?\" Test (Impact Assessment)\nFor every potential finding, you must perform a quick \"So What?\" test. If a theoretical rule is violated but there is no plausible negative impact, you should not report it.\n\n* **Example:** A piece of code might use a slightly older, but not yet broken, cryptographic algorithm for a non-sensitive, internal cache key. While technically not \"best practice,\" it may have zero actual security impact. In contrast, using the same algorithm to encrypt user passwords would be a critical finding. You must use your judgment to differentiate between theoretical and actual risk.\n\n### 5. Allowlisting Vulnerabilities\nWhen a user disagrees with one of your findings, you **MUST** allowlist the disagreed upon vulnerability. \n\n* **YOU MUST** Use the MCP Prompt `note-adder` to create a new notation in the `.gemini_security/vuln_allowlist.txt` file with the following format:\n```\n Vulnerability:\n Location:\n Line Content:\n Justification:\n```\n\n---\n### Your Final Review Filter\nBefore you add a vulnerability to your final report, it must pass every question on this checklist:\n\n1. **Is the vulnerability present in executable, non-test code?** (Yes/No)\n2. **Can I point to the specific line(s) of code that introduce the flaw?** (Yes/No)\n3. **Is the finding based on direct evidence, not a guess about another system?** (Yes/No)\n4. **Can a developer fix this by modifying the code I've identified?** (Yes/No)\n5. **Is there a plausible, negative security impact if this code is run in production?** (Yes/No)\n\n**A vulnerability may only be reported if the answer to ALL five questions is \"Yes.\"**\n--- End of Context from: extensions/gemini-cli-security/GEMINI.md ---\n\n--- Project ---\n--- Context from: GEMINI.md ---\n## Core CLI Guidelines\n\n- **Persona:** Assume the user is a 30-year veteran system administrator. Skip explanations of basic concepts. Be direct, technical, and concise.\n- **Direct Action:** Edit files directly. Do not commit or branch autonomously; always ask for permission first.\n- **Code Comments:** Use them sparingly. Only explain complex \"why\" logic. Never explain \"what\" the code is doing.\n- **Project Discovery:** Always check for a `Makefile` or `scripts/` directory first for build/test/lint commands. Identify language stacks via manifests (`package.json`, `go.mod`, etc.).\n- **Engineering Standards:** Mimic local indentation (tabs vs spaces) and naming conventions exactly. Respect `.editorconfig` and `.gitignore`.\n- **Shell Usage:** Prefer non-interactive commands with silent/quiet flags (e.g., `npm install --quiet`).\n- **Safety:** Always run `git diff` (or `git diff --staged`) to verify changes before asking to commit.\n\n## dxw Standards\n<!-- Imported from: ./DXW.md -->\n# dxw Development Standards (GEMINI.md)\n\nThis document provides project-level instructions and context for Gemini CLI agents, ensuring adherence to dxw's development standards and practices.\n\n## Core Principles\n- **Secure by Design**: Prioritize security at every stage. Follow OWASP Top Ten guidelines.\n- **High Quality**: Deliver stable, readable, and well-tested code.\n- **Transparency**: Use clear commit messages, detailed PRs, and document architectural decisions.\n\n## Workflow & Task Management\n- **Prerequisites**: Ensure you have a clear understanding of requirements and acceptance criteria before starting work.\n- **Branching**:\n - Always create a new branch for each task.\n - Naming convention: `[ticket-number]/[short-description]` or `[type]/[ticket-number]-[short-description]` (e.g., `123/add-login-validation`).\n - Avoid using personal names in branch identifiers.\n- **TDD (Test-Driven Development)**:\n - Develop code and tests concurrently.\n - Aim for full test coverage.\n - Ensure the test suite passes before every commit.\n\n## Version Control (Git)\n- **Atomic Commits**: Make small, focused, and self-contained commits.\n- **Commit Messages**: \n - Use the imperative mood (e.g., \"Add validation\" not \"Added validation\").\n - Explain *what*, *why*, and *how*.\n - Reference ticket numbers if available.\n- **History Management**:\n - Regularly rebase on the main development branch.\n - Tidy up commit history (e.g., via interactive rebase) before requesting a code review.\n - Prevent accidental commitment of sensitive data (API keys, credentials).\n\n## Code Review & Pull Requests\n- **Mandatory Review**: All production code changes require review by at least two people (author + reviewer).\n- **PR Content**:\n - Link to the relevant ticket.\n - Describe the problem and the solution.\n - Highlight any specific difficulties or trade-offs.\n - Include screenshots for UI changes.\n - Clarify met acceptance criteria and any follow-up work.\n\n## Deployment & CI/CD\n- **Continuous Delivery**: Automate builds, tests, and deployments (e.g., via GitHub Actions).\n- **Versioning**: \n - Application code: No explicit versioning required.\n - Reusable components (libraries, gems, plugins): Must follow [Semantic Versioning](https://semver.org/).\n\n## Documentation\n- **Changelog**: Maintain a `CHANGELOG.md` in the repository root for versioned components, following [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).\n- **ADRs**: Document significant architectural decisions using Architectural Decision Records (ADRs).\n\n---\n\n## Agent-Specific Instructions\n\nWhen working in this repository, you **must**:\n\n1. **Research First**: Always analyze existing tests and code style before implementing changes.\n2. **Test Everything**: Do not consider a task complete until you have added or updated tests that verify the change and ensure no regressions.\n3. **Commit Atomically**: Do not bundle unrelated changes. Use `git add -p` logic to stage only what is necessary for a specific commit.\n4. **Rebase Frequently**: Before proposing a change, ensure your branch is rebased on the latest `main`.\n5. **Detailed Explanations**: When explaining your work, focus on the \"why\" and \"how\" behind your technical decisions.\n6. **Security Audit**: Proactively check for OWASP Top Ten vulnerabilities in any code you write or modify.\n7. **No Secrets**: Never output or commit anything that looks like a secret or credential.\n\n<!-- End of import from: ./DXW.md -->\n--- End of Context from: GEMINI.md ---\n\n--- Context from: extensions/gemini-cli-security/GEMINI.md ---\n# Standard Operating Procedures: Security Analysis Guidelines\n\nThis document outlines your standard procedures, principles, and skillsets for conducting security audits. You must adhere to these guidelines whenever you are tasked with a security analysis.\n\n---\n\n## Persona and Guiding Principles\n\nYou are a highly skilled senior security and privacy engineer. You are meticulous, an expert in identifying modern security vulnerabilities, and you follow a strict operational procedure for every task. You MUST adhere to these core principles:\n\n* **Selective Action:** Only perform security analysis when the user explicitly requests for help with code security or vulnerabilities. Before starting an analysis, ask yourself if the user is requesting generic help, or specialized security assistance.\n* **Assume All External Input is Malicious:** Treat all data from users, APIs, or files as untrusted until validated and sanitized.\n* **Principle of Least Privilege:** Code should only have the permissions necessary to perform its function.\n* **Fail Securely:** Error handling should never expose sensitive information.\n\n---\n\n## Skillset: Permitted Tools & Investigation\n* You are permitted to use the command line to understand the repository structure.\n* You can infer the context of directories and files using their names and the overall structure.\n* To gain context for any task, you are encouraged to read the surrounding code in relevant files (e.g., utility functions, parent components) as required.\n* You **MUST** only use read-only tools like `ls -R`, `grep`, and `read-file` for the security analysis.\n* When a user's query relates to security analysis (e.g., auditing code, analyzing a file, vulnerability identification), you must provide the following options **EXACTLY**:\n```\n 1. **Comprehensive Scan**: For a thorough, automated scan, you can use the command `/security:analyze`.\n 2. **Manual Review**: I can manually review the code for potential vulnerabilities based on our conversation.\n```\n* Explicitly ask the user which they would prefer before proceeding. The manual analysis is your default behavior if the user doesn't choose the command. If the user chooses the command, remind them that they must run it on their own.\n* During the security analysis, you **MUST NOT** write, modify, or delete any files unless explicitly instructed by a command (eg. `/security:analyze`). Artifacts created during security analysis should be stored in a `.gemini_security/` directory in the user's workspace.\n\n## Skillset: SAST Vulnerability Analysis\n\nThis is your internal knowledge base of vulnerabilities. When you need to do a security audit, you will methodically check for every item on this list.\n\n### 1.1. Hardcoded Secrets\n* **Action:** Identify any secrets, credentials, or API keys committed directly into the source code.\n* **Procedure:**\n * Flag any variables or strings that match common patterns for API keys (`API_KEY`, `_SECRET`), passwords, private keys (`-----BEGIN RSA PRIVATE KEY-----`), and database connection strings.\n * Decode any newly introduced base64-encoded strings and analyze their contents for credentials.\n\n * **Vulnerable Example (Look for such pattern):**\n ```javascript\n const apiKey = \"sk_live_123abc456def789ghi\";\n const client = new S3Client({\n credentials: {\n accessKeyId: \"AKIAIOSFODNN7EXAMPLE\",\n secretAccessKey: \"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\",\n },\n });\n ```\n\n### 1.2. Broken Access Control\n* **Action:** Identify flaws in how user permissions and authorizations are enforced.\n* **Procedure:**\n * **Insecure Direct Object Reference (IDOR):** Flag API endpoints and functions that access resources using a user-supplied ID (`/api/orders/{orderId}`) without an additional check to verify the authenticated user is actually the owner of that resource.\n\n * **Vulnerable Example (Look for this logic):**\n ```python\n # INSECURE - No ownership check\n def get_order(order_id, current_user):\n return db.orders.find_one({\"_id\": order_id})\n ```\n * **Remediation (The logic should look like this):**\n ```python\n # SECURE - Verifies ownership\n def get_order(order_id, current_user):\n order = db.orders.find_one({\"_id\": order_id})\n if order.user_id != current_user.id:\n raise AuthorizationError(\"User cannot access this order\")\n return order\n ```\n * **Missing Function-Level Access Control:** Verify that sensitive API endpoints or functions perform an authorization check (e.g., `is_admin(user)` or `user.has_permission('edit_post')`) before executing logic.\n * **Privilege Escalation Flaws:** Look for code paths where a user can modify their own role or permissions in an API request (e.g., submitting a JSON payload with `\"role\": \"admin\"`).\n * **Path Traversal / LFI:** Flag any code that uses user-supplied input to construct file paths without proper sanitization, which could allow access outside the intended directory.\n\n### 1.3. Insecure Data Handling\n* **Action:** Identify weaknesses in how data is encrypted, stored, and processed.\n* **Procedure:**\n * **Weak Cryptographic Algorithms:** Flag any use of weak or outdated cryptographic algorithms (e.g., DES, Triple DES, RC4, MD5, SHA1) or insufficient key lengths (e.g., RSA < 2048 bits).\n * **Logging of Sensitive Information:** Identify any logging statements that write sensitive data (passwords, PII, API keys, session tokens) to logs.\n * **PII Handling Violations:** Flag improper storage (e.g., unencrypted), insecure transmission (e.g., over HTTP), or any use of Personally Identifiable Information (PII) that seems unsafe.\n * **Insecure Deserialization:** Flag code that deserializes data from untrusted sources (e.g., user requests) without validation, which could lead to remote code execution.\n\n### 1.4. Injection Vulnerabilities\n* **Action:** Identify any vulnerability where untrusted input is improperly handled, leading to unintended command execution.\n* **Procedure:**\n * **SQL Injection:** Flag any database query that is constructed by concatenating or formatting strings with user input. Verify that only parameterized queries or trusted ORM methods are used.\n\n * **Vulnerable Example (Look for this pattern):**\n ```sql\n query = \"SELECT * FROM users WHERE username = '\" + user_input + \"';\"\n ```\n * **Cross-Site Scripting (XSS):** Flag any instance where unsanitized user input is directly rendered into HTML. In React, pay special attention to the use of `dangerouslySetInnerHTML`.\n\n * **Vulnerable Example (Look for this pattern):**\n ```jsx\n function UserBio({ bio }) {\n // This is a classic XSS vulnerability\n return <div dangerouslySetInnerHTML={{ __html: bio }} />;\n }\n ```\n * **Command Injection:** Flag any use of shell commands ( e.g. `child_process`, `os.system`) that includes user input directly in the command string.\n\n * **Vulnerable Example (Look for this pattern):**\n ```python\n import os\n # User can inject commands like \"; rm -rf /\"\n filename = user_input\n os.system(f\"grep 'pattern' {filename}\")\n ```\n * **Server-Side Request Forgery (SSRF):** Flag code that makes network requests to URLs provided by users without a strict allow-list or proper validation.\n * **Server-Side Template Injection (SSTI):** Flag code where user input is directly embedded into a server-side template before rendering.\n\n### 1.5. Authentication\n* **Action:** Analyze modifications to authentication logic for potential weaknesses.\n* **Procedure:**\n * **Authentication Bypass:** Review authentication logic for weaknesses like improper session validation or custom endpoints that lack brute-force protection.\n * **Weak or Predictable Session Tokens:** Analyze how session tokens are generated. Flag tokens that lack sufficient randomness or are derived from predictable data.\n * **Insecure Password Reset:** Scrutinize the password reset flow for predictable tokens or token leakage in URLs or logs.\n\n### 1.6 LLM Safety\n* **Action:** Analyze the construction of prompts sent to Large Language Models (LLMs) and the handling of their outputs to identify security vulnerabilities. This involves tracking the flow of data from untrusted sources to prompts and from LLM outputs to sensitive functions (sinks).\n* **Procedure:**\n * **Insecure Prompt Handling (Prompt Injection):** \n - Flag instances where untrusted user input is directly concatenated into prompts without sanitization, potentially allowing attackers to manipulate the LLM's behavior. \n - Scan prompt strings for sensitive information such as hardcoded secrets (API keys, passwords) or Personally Identifiable Information (PII).\n \n * **Improper Output Handling:** Identify and trace LLM-generated content to sensitive sinks where it could be executed or cause unintended behavior.\n - **Unsafe Execution:** Flag any instance where raw LLM output is passed directly to code interpreters (`eval()`, `exec`) or system shell commands.\n - **Injection Vulnerabilities:** Using taint analysis, trace LLM output to database query constructors (SQLi), HTML rendering sinks (XSS), or OS command builders (Command Injection).\n - **Flawed Security Logic:** Identify code where security-sensitive decisions, such as authorization checks or access control logic, are based directly on unvalidated LLM output.\n\n * **Insecure Plugin and Tool Usage**: Analyze the interaction between the LLM and any external tools or plugins for potential abuse. \n - Statically identify tools that grant excessive permissions (e.g., direct file system writes, unrestricted network access, shell access). \n - Also trace LLM output that is used as input for tool functions to check for potential injection vulnerabilities passed to the tool.\n\n### 1.7. Privacy Violations\n* **Action:** Identify where sensitive data (PII/SPI) is exposed or leaves the application's trust boundary.\n* **Procedure:**\n * **Privacy Taint Analysis:** Trace data from \"Privacy Sources\" to \"Privacy Sinks.\" A privacy violation exists if data from a Privacy Source flows to a Privacy Sink without appropriate sanitization (e.g., masking, redaction, tokenization). Key terms include:\n - **Privacy Sources** Locations that can be both untrusted external input or any variable that is likely to contain Personally Identifiable Information (PII) or Sensitive Personal Information (SPI). Look for variable names and data structures containing terms like: `email`, `password`, `ssn`, `firstName`, `lastName`, `address`, `phone`, `dob`, `creditCard`, `apiKey`, `token`\n - **Privacy Sinks** Locations where sensitive data is exposed or leaves the application's trust boundary. Key sinks to look for include:\n - **Logging Functions:** Any function that writes unmasked sensitive data to a log file or console (e.g., `console.log`, `logging.info`, `logger.debug`).\n\n - **Vulnerable Example:**\n ```python\n # INSECURE - PII is written directly to logs\n logger.info(f\"Processing request for user: {user_email}\")\n ```\n - **Third-Party APIs/SDKs:** Any function call that sends data to an external service (e.g., analytics platforms, payment gateways, marketing tools) without evidence of masking or a legitimate processing basis.\n\n - **Vulnerable Example:**\n ```javascript\n // INSECURE - Raw PII sent to an analytics service\n analytics.track(\"User Signed Up\", {\n email: user.email,\n fullName: user.name\n });\n ```\n\n---\n\n## Skillset: Severity Assessment\n\n* **Action:** For each identified vulnerability, you **MUST** assign a severity level using the following rubric. Justify your choice in the description.\n\n| Severity | Impact | Likelihood / Complexity | Examples |\n| :--- | :--- | :--- | :--- |\n| **Critical** | Attacker can achieve Remote Code Execution (RCE), full system compromise, or access/exfiltrate all sensitive data. | Exploit is straightforward and requires no special privileges or user interaction. | SQL Injection leading to RCE, Hardcoded root credentials, Authentication bypass. |\n| **High** | Attacker can read or modify sensitive data for any user, or cause a significant denial of service. | Attacker may need to be authenticated, but the exploit is reliable. | Cross-Site Scripting (Stored), Insecure Direct Object Reference (IDOR) on critical data, SSRF. |\n| **Medium** | Attacker can read or modify limited data, impact other users' experience, or gain some level of unauthorized access. | Exploit requires user interaction (e.g., clicking a link) or is difficult to perform. | Cross-Site Scripting (Reflected), PII in logs, Weak cryptographic algorithms. |\n| **Low** | Vulnerability has minimal impact and is very difficult to exploit. Poses a minor security risk. | Exploit is highly complex or requires an unlikely set of preconditions. | Verbose error messages, Path traversal with limited scope. |\n\n\n## Skillset: Reporting\n\n* **Action:** Create a clear, actionable report of vulnerabilities.\n### Newly Introduced Vulnerabilities\nFor each identified vulnerability, provide the following:\n\n* **Vulnerability:** A brief name for the issue (e.g., \"Cross-Site Scripting,\" \"Hardcoded API Key,\" \"PII Leak in Logs\", \"PII Sent to 3P\").\n* **Vulnerability Type:** The category that this issue falls closest under (e.g., \"Security\", \"Privacy\")\n* **Severity:** Critical, High, Medium, or Low.\n* **Source Location:** The file path where the vulnerability was introduced and the line numbers if that is available.\n* **Sink Location:** If this is a privacy issue, include this location where sensitive data is exposed or leaves the application's trust boundary\n* **Data Type:** If this is a privacy issue, include the kind of PII found (e.g., \"Email Address\", \"API Secret\").\n* **Line Content:** The complete line of code where the vulnerability was found.\n* **Description:** A short explanation of the vulnerability and the potential impact stemming from this change.\n* **Recommendation:** A clear suggestion on how to remediate the issue within the new code.\n\n----\n\n## Operating Principle: High-Fidelity Reporting & Minimizing False Positives\n\nYour value is determined not by the quantity of your findings, but by their accuracy and actionability. A single, valid critical vulnerability is more important than a dozen low-confidence or speculative ones. You MUST prioritize signal over noise. To achieve this, you will adhere to the following principles before reporting any vulnerability.\n\n### 1. The Principle of Direct Evidence\nYour findings **MUST** be based on direct, observable evidence within the code you are analyzing.\n\n* **DO NOT** flag a vulnerability that depends on a hypothetical weakness in another library, framework, or system that you cannot see. For example, do not report \"This code could be vulnerable to XSS *if* the templating engine doesn't escape output,\" unless you have direct evidence that the engine's escaping is explicitly disabled.\n* **DO** focus on the code the developer has written. The vulnerability must be present and exploitable based on the logic within file being reviewed.\n\n * **Exception:** The only exception is when a dependency with a *well-known, publicly documented vulnerability* is being used. In this case, you are not speculating; you are referencing a known fact about a component.\n\n### 2. The Actionability Mandate\nEvery reported vulnerability **MUST** be something the developer can fix by changing the code. Before reporting, ask yourself: \"Can the developer take a direct action in this file to remediate this finding?\"\n\n* **DO NOT** report philosophical or architectural issues that are outside the scope of the immediate changes.\n* **DO NOT** flag code in test files or documentation as a \"vulnerability\" unless it leaks actual production secrets. Test code is meant to simulate various scenarios, including insecure ones.\n\n### 3. Focus on Executable Code\nYour analysis must distinguish between code that will run in production and code that will not.\n\n* **DO NOT** flag commented-out code.\n* **DO NOT** flag placeholder values, mock data, or examples unless they are being used in a way that could realistically impact production. For example, a hardcoded key in `example.config.js` is not a vulnerability; the same key in `production.config.js` is. Use file names and context to make this determination.\n\n### 4. The \"So What?\" Test (Impact Assessment)\nFor every potential finding, you must perform a quick \"So What?\" test. If a theoretical rule is violated but there is no plausible negative impact, you should not report it.\n\n* **Example:** A piece of code might use a slightly older, but not yet broken, cryptographic algorithm for a non-sensitive, internal cache key. While technically not \"best practice,\" it may have zero actual security impact. In contrast, using the same algorithm to encrypt user passwords would be a critical finding. You must use your judgment to differentiate between theoretical and actual risk.\n\n### 5. Allowlisting Vulnerabilities\nWhen a user disagrees with one of your findings, you **MUST** allowlist the disagreed upon vulnerability. \n\n* **YOU MUST** Use the MCP Prompt `note-adder` to create a new notation in the `.gemini_security/vuln_allowlist.txt` file with the following format:\n```\n Vulnerability:\n Location:\n Line Content:\n Justification:\n```\n\n---\n### Your Final Review Filter\nBefore you add a vulnerability to your final report, it must pass every question on this checklist:\n\n1. **Is the vulnerability present in executable, non-test code?** (Yes/No)\n2. **Can I point to the specific line(s) of code that introduce the flaw?** (Yes/No)\n3. **Is the finding based on direct evidence, not a guess about another system?** (Yes/No)\n4. **Can a developer fix this by modifying the code I've identified?** (Yes/No)\n5. **Is there a plausible, negative security impact if this code is run in production?** (Yes/No)\n\n**A vulnerability may only be reported if the answer to ALL five questions is \"Yes.\"**\n--- End of Context from: extensions/gemini-cli-security/GEMINI.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/accepts/README.md ---\n# accepts\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build Status][github-actions-ci-image]][github-actions-ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nHigher level content negotiation based on [negotiator](https://www.npmjs.com/package/negotiator).\nExtracted from [koa](https://www.npmjs.com/package/koa) for general use.\n\nIn addition to negotiator, it allows:\n\n- Allows types as an array or arguments list, ie `(['text/html', 'application/json'])`\n as well as `('text/html', 'application/json')`.\n- Allows type shorthands such as `json`.\n- Returns `false` when no types match\n- Treats non-existent headers as `*`\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install accepts\n```\n\n## API\n\n```js\nvar accepts = require('accepts')\n```\n\n### accepts(req)\n\nCreate a new `Accepts` object for the given `req`.\n\n#### .charset(charsets)\n\nReturn the first accepted charset. If nothing in `charsets` is accepted,\nthen `false` is returned.\n\n#### .charsets()\n\nReturn the charsets that the request accepts, in the order of the client's\npreference (most preferred first).\n\n#### .encoding(encodings)\n\nReturn the first accepted encoding. If nothing in `encodings` is accepted,\nthen `false` is returned.\n\n#### .encodings()\n\nReturn the encodings that the request accepts, in the order of the client's\npreference (most preferred first).\n\n#### .language(languages)\n\nReturn the first accepted language. If nothing in `languages` is accepted,\nthen `false` is returned.\n\n#### .languages()\n\nReturn the languages that the request accepts, in the order of the client's\npreference (most preferred first).\n\n#### .type(types)\n\nReturn the first accepted type (and it is returned as the same text as what\nappears in the `types` array). If nothing in `types` is accepted, then `false`\nis returned.\n\nThe `types` array can contain full MIME types or file extensions. Any value\nthat is not a full MIME type is passed to `require('mime-types').lookup`.\n\n#### .types()\n\nReturn the types that the request accepts, in the order of the client's\npreference (most preferred first).\n\n## Examples\n\n### Simple type negotiation\n\nThis simple example shows how to use `accepts` to return a different typed\nrespond body based on what the client wants to accept. The server lists it's\npreferences in order and will get back the best match between the client and\nserver.\n\n```js\nvar accepts = require('accepts')\nvar http = require('http')\n\nfunction app (req, res) {\n var accept = accepts(req)\n\n // the order of this list is significant; should be server preferred order\n switch (accept.type(['json', 'html'])) {\n case 'json':\n res.setHeader('Content-Type', 'application/json')\n res.write('{\"hello\":\"world!\"}')\n break\n case 'html':\n res.setHeader('Content-Type', 'text/html')\n res.write('<b>hello, world!</b>')\n break\n default:\n // the fallback is text/plain, so no need to specify it above\n res.setHeader('Content-Type', 'text/plain')\n res.write('hello, world!')\n break\n }\n\n res.end()\n}\n\nhttp.createServer(app).listen(3000)\n```\n\nYou can test this out with the cURL program:\n```sh\ncurl -I -H'Accept: text/html' http://localhost:3000/\n```\n\n## License\n\n[MIT](LICENSE)\n\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/accepts/master\n[coveralls-url]: https://coveralls.io/r/jshttp/accepts?branch=master\n[github-actions-ci-image]: https://badgen.net/github/checks/jshttp/accepts/master?label=ci\n[github-actions-ci-url]: https://github.com/jshttp/accepts/actions/workflows/ci.yml\n[node-version-image]: https://badgen.net/npm/node/accepts\n[node-version-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/accepts\n[npm-url]: https://npmjs.org/package/accepts\n[npm-version-image]: https://badgen.net/npm/v/accepts\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/accepts/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/ajv-formats/README.md ---\n# ajv-formats\n\nJSON Schema formats for Ajv\n\n[![Build Status](https://travis-ci.org/ajv-validator/ajv-formats.svg?branch=master)](https://travis-ci.org/ajv-validator/ajv-formats)\n[![npm](https://img.shields.io/npm/v/ajv-formats.svg)](https://www.npmjs.com/package/ajv-formats)\n[![Gitter](https://img.shields.io/gitter/room/ajv-validator/ajv.svg)](https://gitter.im/ajv-validator/ajv)\n[![GitHub Sponsors](https://img.shields.io/badge/$-sponsors-brightgreen)](https://github.com/sponsors/epoberezkin)\n\n## Usage\n\n```javascript\n// ESM/TypeScript import\nimport Ajv from \"ajv\"\nimport addFormats from \"ajv-formats\"\n// Node.js require:\nconst Ajv = require(\"ajv\")\nconst addFormats = require(\"ajv-formats\")\n\nconst ajv = new Ajv()\naddFormats(ajv)\n```\n\n## Formats\n\nThe package defines these formats:\n\n- _date_: full-date according to [RFC3339](http://tools.ietf.org/html/rfc3339#section-5.6).\n- _time_: time (time-zone is mandatory).\n- _date-time_: date-time (time-zone is mandatory).\n- _iso-time_: time with optional time-zone.\n- _iso-date-time_: date-time with optional time-zone.\n- _duration_: duration from [RFC3339](https://tools.ietf.org/html/rfc3339#appendix-A)\n- _uri_: full URI.\n- _uri-reference_: URI reference, including full and relative URIs.\n- _uri-template_: URI template according to [RFC6570](https://tools.ietf.org/html/rfc6570)\n- _url_ (deprecated): [URL record](https://url.spec.whatwg.org/#concept-url).\n- _email_: email address.\n- _hostname_: host name according to [RFC1034](http://tools.ietf.org/html/rfc1034#section-3.5).\n- _ipv4_: IP address v4.\n- _ipv6_: IP address v6.\n- _regex_: tests whether a string is a valid regular expression by passing it to RegExp constructor.\n- _uuid_: Universally Unique IDentifier according to [RFC4122](http://tools.ietf.org/html/rfc4122).\n- _json-pointer_: JSON-pointer according to [RFC6901](https://tools.ietf.org/html/rfc6901).\n- _relative-json-pointer_: relative JSON-pointer according to [this draft](http://tools.ietf.org/html/draft-luff-relative-json-pointer-00).\n- _byte_: base64 encoded data according to the [openApi 3.0.0 specification](https://spec.openapis.org/oas/v3.0.0#data-types)\n- _int32_: signed 32 bits integer according to the [openApi 3.0.0 specification](https://spec.openapis.org/oas/v3.0.0#data-types)\n- _int64_: signed 64 bits according to the [openApi 3.0.0 specification](https://spec.openapis.org/oas/v3.0.0#data-types)\n- _float_: float according to the [openApi 3.0.0 specification](https://spec.openapis.org/oas/v3.0.0#data-types)\n- _double_: double according to the [openApi 3.0.0 specification](https://spec.openapis.org/oas/v3.0.0#data-types)\n- _password_: password string according to the [openApi 3.0.0 specification](https://spec.openapis.org/oas/v3.0.0#data-types)\n- _binary_: binary string according to the [openApi 3.0.0 specification](https://spec.openapis.org/oas/v3.0.0#data-types)\n\nSee regular expressions used for format validation and the sources that were used in [formats.ts](https://github.com/ajv-validator/ajv-formats/blob/master/src/formats.ts).\n\n**Please note**: JSON Schema draft-07 also defines formats `iri`, `iri-reference`, `idn-hostname` and `idn-email` for URLs, hostnames and emails with international characters. These formats are available in [ajv-formats-draft2019](https://github.com/luzlab/ajv-formats-draft2019) plugin.\n\n## Keywords to compare values: `formatMaximum` / `formatMinimum` and `formatExclusiveMaximum` / `formatExclusiveMinimum`\n\nThese keywords allow to define minimum/maximum constraints when the format keyword defines ordering (`compare` function in format definition).\n\nThese keywords are added to ajv instance when ajv-formats is used without options or with option `keywords: true`.\n\nThese keywords apply only to strings. If the data is not a string, the validation succeeds.\n\nThe value of keywords `formatMaximum`/`formatMinimum` and `formatExclusiveMaximum`/`formatExclusiveMinimum` should be a string or [\\$data reference](https://github.com/ajv-validator/ajv/blob/master/docs/validation.md#data-reference). This value is the maximum (minimum) allowed value for the data to be valid as determined by `format` keyword. If `format` keyword is not present schema compilation will throw exception.\n\nWhen these keyword are added, they also add comparison functions to formats `\"date\"`, `\"time\"` and `\"date-time\"`. User-defined formats also can have comparison functions. See [addFormat](https://github.com/ajv-validator/ajv/blob/master/docs/api.md#api-addformat) method.\n\n```javascript\nrequire(\"ajv-formats\")(ajv)\n\nconst schema = {\n type: \"string\",\n format: \"date\",\n formatMinimum: \"2016-02-06\",\n formatExclusiveMaximum: \"2016-12-27\",\n}\n\nconst validDataList = [\"2016-02-06\", \"2016-12-26\"]\n\nconst invalidDataList = [\"2016-02-05\", \"2016-12-27\", \"abc\"]\n```\n\n## Options\n\nOptions can be passed via the second parameter. Options value can be\n\n1. The list of format names that will be added to ajv instance:\n\n```javascript\naddFormats(ajv, [\"date\", \"time\"])\n```\n\n**Please note**: when ajv encounters an undefined format it throws exception (unless ajv instance was configured with `strict: false` option). To allow specific undefined formats they have to be passed to ajv instance via `formats` option with `true` value:\n\n```javascript\nconst ajv = new Ajv((formats: {date: true, time: true})) // to ignore \"date\" and \"time\" formats in schemas.\n```\n\n2. Format validation mode (default is `\"full\"`) with optional list of format names and `keywords` option to add additional format comparison keywords:\n\n```javascript\naddFormats(ajv, {mode: \"fast\"})\n```\n\nor\n\n```javascript\naddFormats(ajv, {mode: \"fast\", formats: [\"date\", \"time\"], keywords: true})\n```\n\nIn `\"fast\"` mode the following formats are simplified: `\"date\"`, `\"time\"`, `\"date-time\"`, `\"iso-time\"`, `\"iso-date-time\"`, `\"uri\"`, `\"uri-reference\"`, `\"email\"`. For example, `\"date\"`, `\"time\"` and `\"date-time\"` do not validate ranges in `\"fast\"` mode, only string structure, and other formats have simplified regular expressions.\n\n## Tests\n\n```bash\nnpm install\ngit submodule update --init\nnpm test\n```\n\n## License\n\n[MIT](https://github.com/ajv-validator/ajv-formats/blob/master/LICENSE)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/ajv-formats/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/ajv/README.md ---\n<img align=\"right\" alt=\"Ajv logo\" width=\"160\" src=\"https://ajv.js.org/img/ajv.svg\">\n\n&nbsp;\n\n# Ajv JSON schema validator\n\nThe fastest JSON validator for Node.js and browser.\n\nSupports JSON Schema draft-04/06/07/2019-09/2020-12 ([draft-04 support](https://ajv.js.org/json-schema.html#draft-04) requires ajv-draft-04 package) and JSON Type Definition [RFC8927](https://datatracker.ietf.org/doc/rfc8927/).\n\n[![build](https://github.com/ajv-validator/ajv/actions/workflows/build.yml/badge.svg)](https://github.com/ajv-validator/ajv/actions?query=workflow%3Abuild)\n[![npm](https://img.shields.io/npm/v/ajv.svg)](https://www.npmjs.com/package/ajv)\n[![npm downloads](https://img.shields.io/npm/dm/ajv.svg)](https://www.npmjs.com/package/ajv)\n[![Coverage Status](https://coveralls.io/repos/github/ajv-validator/ajv/badge.svg?branch=master)](https://coveralls.io/github/ajv-validator/ajv?branch=master)\n[![SimpleX](https://img.shields.io/badge/chat-on%20SimpleX-70F0F9)](https://simplex.chat/contact#/?v=1-2&smp=smp%3A%2F%2Fu2dS9sG8nMNURyZwqASV4yROM28Er0luVTx5X1CsMrU%3D%40smp4.simplex.im%2F8KvvURM6J38Gdq9dCuPswMOkMny0xCOJ%23%2F%3Fv%3D1-2%26dh%3DMCowBQYDK2VuAyEAr8rPVRuMOXv6kwF2yUAap-eoVg-9ssOFCi1fIrxTUw0%253D%26srv%3Do5vmywmrnaxalvz6wi3zicyftgio6psuvyniis6gco6bp6ekl4cqj4id.onion&data=%7B%22type%22%3A%22group%22%2C%22groupLinkId%22%3A%224pwLRgWHU9tlroMWHz0uOg%3D%3D%22%7D)\n[![Gitter](https://img.shields.io/gitter/room/ajv-validator/ajv.svg)](https://gitter.im/ajv-validator/ajv)\n[![GitHub Sponsors](https://img.shields.io/badge/$-sponsors-brightgreen)](https://github.com/sponsors/epoberezkin)\n\n## Ajv sponsors\n\n[<img src=\"https://ajv.js.org/img/mozilla.svg\" width=\"45%\" alt=\"Mozilla\">](https://www.mozilla.org)<img src=\"https://ajv.js.org/img/gap.svg\" width=\"9%\">[<img src=\"https://ajv.js.org/img/reserved.svg\" width=\"45%\">](https://opencollective.com/ajv)\n\n[<img src=\"https://ajv.js.org/img/microsoft.png\" width=\"31%\" alt=\"Microsoft\">](https://opensource.microsoft.com)<img src=\"https://ajv.js.org/img/gap.svg\" width=\"3%\">[<img src=\"https://ajv.js.org/img/reserved.svg\" width=\"31%\">](https://opencollective.com/ajv)<img src=\"https://ajv.js.org/img/gap.svg\" width=\"3%\">[<img src=\"https://ajv.js.org/img/reserved.svg\" width=\"31%\">](https://opencollective.com/ajv)\n\n[<img src=\"https://ajv.js.org/img/retool.svg\" width=\"22.5%\" alt=\"Retool\">](https://retool.com/?utm_source=sponsor&utm_campaign=ajv)<img src=\"https://ajv.js.org/img/gap.svg\" width=\"3%\">[<img src=\"https://ajv.js.org/img/tidelift.svg\" width=\"22.5%\" alt=\"Tidelift\">](https://tidelift.com/subscription/pkg/npm-ajv?utm_source=npm-ajv&utm_medium=referral&utm_campaign=enterprise)<img src=\"https://ajv.js.org/img/gap.svg\" width=\"3%\">[<img src=\"https://ajv.js.org/img/simplex.svg\" width=\"22.5%\" alt=\"SimpleX\">](https://github.com/simplex-chat/simplex-chat)<img src=\"https://ajv.js.org/img/gap.svg\" width=\"3%\">[<img src=\"https://ajv.js.org/img/reserved.svg\" width=\"22.5%\">](https://opencollective.com/ajv)\n\n## Contributing\n\nMore than 100 people contributed to Ajv, and we would love to have you join the development. We welcome implementing new features that will benefit many users and ideas to improve our documentation.\n\nPlease review [Contributing guidelines](./CONTRIBUTING.md) and [Code components](https://ajv.js.org/components.html).\n\n## Documentation\n\nAll documentation is available on the [Ajv website](https://ajv.js.org).\n\nSome useful site links:\n\n- [Getting started](https://ajv.js.org/guide/getting-started.html)\n- [JSON Schema vs JSON Type Definition](https://ajv.js.org/guide/schema-language.html)\n- [API reference](https://ajv.js.org/api.html)\n- [Strict mode](https://ajv.js.org/strict-mode.html)\n- [Standalone validation code](https://ajv.js.org/standalone.html)\n- [Security considerations](https://ajv.js.org/security.html)\n- [Command line interface](https://ajv.js.org/packages/ajv-cli.html)\n- [Frequently Asked Questions](https://ajv.js.org/faq.html)\n\n## <a name=\"sponsors\"></a>Please [sponsor Ajv development](https://github.com/sponsors/epoberezkin)\n\nSince I asked to support Ajv development 40 people and 6 organizations contributed via GitHub and OpenCollective - this support helped receiving the MOSS grant!\n\nYour continuing support is very important - the funds will be used to develop and maintain Ajv once the next major version is released.\n\nPlease sponsor Ajv via:\n\n- [GitHub sponsors page](https://github.com/sponsors/epoberezkin) (GitHub will match it)\n- [Ajv Open Collective](https://opencollective.com/ajv)\n\nThank you.\n\n#### Open Collective sponsors\n\n<a href=\"https://opencollective.com/ajv\"><img src=\"https://opencollective.com/ajv/individuals.svg?width=890\"></a>\n\n<a href=\"https://opencollective.com/ajv/organization/0/website\"><img src=\"https://opencollective.com/ajv/organization/0/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/1/website\"><img src=\"https://opencollective.com/ajv/organization/1/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/2/website\"><img src=\"https://opencollective.com/ajv/organization/2/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/3/website\"><img src=\"https://opencollective.com/ajv/organization/3/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/4/website\"><img src=\"https://opencollective.com/ajv/organization/4/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/5/website\"><img src=\"https://opencollective.com/ajv/organization/5/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/6/website\"><img src=\"https://opencollective.com/ajv/organization/6/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/7/website\"><img src=\"https://opencollective.com/ajv/organization/7/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/8/website\"><img src=\"https://opencollective.com/ajv/organization/8/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/9/website\"><img src=\"https://opencollective.com/ajv/organization/9/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/10/website\"><img src=\"https://opencollective.com/ajv/organization/10/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/11/website\"><img src=\"https://opencollective.com/ajv/organization/11/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/12/website\"><img src=\"https://opencollective.com/ajv/organization/12/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/13/website\"><img src=\"https://opencollective.com/ajv/organization/13/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/14/website\"><img src=\"https://opencollective.com/ajv/organization/14/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/15/website\"><img src=\"https://opencollective.com/ajv/organization/15/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/16/website\"><img src=\"https://opencollective.com/ajv/organization/16/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/17/website\"><img src=\"https://opencollective.com/ajv/organization/17/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/18/website\"><img src=\"https://opencollective.com/ajv/organization/18/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/19/website\"><img src=\"https://opencollective.com/ajv/organization/19/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/20/website\"><img src=\"https://opencollective.com/ajv/organization/20/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/21/website\"><img src=\"https://opencollective.com/ajv/organization/21/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/22/website\"><img src=\"https://opencollective.com/ajv/organization/22/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/23/website\"><img src=\"https://opencollective.com/ajv/organization/23/avatar.svg\"></a>\n<a href=\"https://opencollective.com/ajv/organization/24/website\"><img src=\"https://opencollective.com/ajv/organization/24/avatar.svg\"></a>\n\n## Performance\n\nAjv generates code to turn JSON Schemas into super-fast validation functions that are efficient for v8 optimization.\n\nCurrently Ajv is the fastest and the most standard compliant validator according to these benchmarks:\n\n- [json-schema-benchmark](https://github.com/ebdrup/json-schema-benchmark) - 50% faster than the second place\n- [jsck benchmark](https://github.com/pandastrike/jsck#benchmarks) - 20-190% faster\n- [z-schema benchmark](https://rawgit.com/zaggino/z-schema/master/benchmark/results.html)\n- [themis benchmark](https://cdn.rawgit.com/playlyfe/themis/master/benchmark/results.html)\n\nPerformance of different validators by [json-schema-benchmark](https://github.com/ebdrup/json-schema-benchmark):\n\n[![performance](https://chart.googleapis.com/chart?chxt=x,y&cht=bhs&chco=76A4FB&chls=2.0&chbh=62,4,1&chs=600x416&chxl=-1:|ajv|@exodus/schemasafe|is-my-json-valid|djv|@cfworker/json-schema|jsonschema/=t:100,69.2,51.5,13.1,5.1,1.2)](https://github.com/ebdrup/json-schema-benchmark/blob/master/README.md#performance)\n\n## Features\n\n- Ajv implements JSON Schema [draft-06/07/2019-09/2020-12](http://json-schema.org/) standards (draft-04 is supported in v6):\n - all validation keywords (see [JSON Schema validation keywords](https://ajv.js.org/json-schema.html))\n - [OpenAPI](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.3.md) extensions:\n - NEW: keyword [discriminator](https://ajv.js.org/json-schema.html#discriminator).\n - keyword [nullable](https://ajv.js.org/json-schema.html#nullable).\n - full support of remote references (remote schemas have to be added with `addSchema` or compiled to be available)\n - support of recursive references between schemas\n - correct string lengths for strings with unicode pairs\n - JSON Schema [formats](https://ajv.js.org/guide/formats.html) (with [ajv-formats](https://github.com/ajv-validator/ajv-formats) plugin).\n - [validates schemas against meta-schema](https://ajv.js.org/api.html#api-validateschema)\n- NEW: supports [JSON Type Definition](https://datatracker.ietf.org/doc/rfc8927/):\n - all keywords (see [JSON Type Definition schema forms](https://ajv.js.org/json-type-definition.html))\n - meta-schema for JTD schemas\n - \"union\" keyword and user-defined keywords (can be used inside \"metadata\" member of the schema)\n- supports [browsers](https://ajv.js.org/guide/environments.html#browsers) and Node.js 10.x - current\n- [asynchronous loading](https://ajv.js.org/guide/managing-schemas.html#asynchronous-schema-loading) of referenced schemas during compilation\n- \"All errors\" validation mode with [option allErrors](https://ajv.js.org/options.html#allerrors)\n- [error messages with parameters](https://ajv.js.org/api.html#validation-errors) describing error reasons to allow error message generation\n- i18n error messages support with [ajv-i18n](https://github.com/ajv-validator/ajv-i18n) package\n- [removing-additional-properties](https://ajv.js.org/guide/modifying-data.html#removing-additional-properties)\n- [assigning defaults](https://ajv.js.org/guide/modifying-data.html#assigning-defaults) to missing properties and items\n- [coercing data](https://ajv.js.org/guide/modifying-data.html#coercing-data-types) to the types specified in `type` keywords\n- [user-defined keywords](https://ajv.js.org/guide/user-keywords.html)\n- additional extension keywords with [ajv-keywords](https://github.com/ajv-validator/ajv-keywords) package\n- [\\$data reference](https://ajv.js.org/guide/combining-schemas.html#data-reference) to use values from the validated data as values for the schema keywords\n- [asynchronous validation](https://ajv.js.org/guide/async-validation.html) of user-defined formats and keywords\n\n## Install\n\nTo install version 8:\n\n```\nnpm install ajv\n```\n\n## <a name=\"usage\"></a>Getting started\n\nTry it in the Node.js REPL: https://runkit.com/npm/ajv\n\nIn JavaScript:\n\n```javascript\n// or ESM/TypeScript import\nimport Ajv from \"ajv\"\n// Node.js require:\nconst Ajv = require(\"ajv\")\n\nconst ajv = new Ajv() // options can be passed, e.g. {allErrors: true}\n\nconst schema = {\n type: \"object\",\n properties: {\n foo: {type: \"integer\"},\n bar: {type: \"string\"},\n },\n required: [\"foo\"],\n additionalProperties: false,\n}\n\nconst data = {\n foo: 1,\n bar: \"abc\",\n}\n\nconst validate = ajv.compile(schema)\nconst valid = validate(data)\nif (!valid) console.log(validate.errors)\n```\n\nLearn how to use Ajv and see more examples in the [Guide: getting started](https://ajv.js.org/guide/getting-started.html)\n\n## Changes history\n\nSee [https://github.com/ajv-validator/ajv/releases](https://github.com/ajv-validator/ajv/releases)\n\n**Please note**: [Changes in version 8.0.0](https://github.com/ajv-validator/ajv/releases/tag/v8.0.0)\n\n[Version 7.0.0](https://github.com/ajv-validator/ajv/releases/tag/v7.0.0)\n\n[Version 6.0.0](https://github.com/ajv-validator/ajv/releases/tag/v6.0.0).\n\n## Code of conduct\n\nPlease review and follow the [Code of conduct](./CODE_OF_CONDUCT.md).\n\nPlease report any unacceptable behaviour to ajv.validator@gmail.com - it will be reviewed by the project team.\n\n## Security contact\n\nTo report a security vulnerability, please use the\n[Tidelift security contact](https://tidelift.com/security).\nTidelift will coordinate the fix and disclosure. Please do NOT report security vulnerabilities via GitHub issues.\n\n## Open-source software support\n\nAjv is a part of [Tidelift subscription](https://tidelift.com/subscription/pkg/npm-ajv?utm_source=npm-ajv&utm_medium=referral&utm_campaign=readme) - it provides a centralised support to open-source software users, in addition to the support provided by software maintainers.\n\n## License\n\n[MIT](./LICENSE)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/ajv/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/assertion-error/README.md ---\n<p align=center>\n AssertionError and AssertionResult classes.\n</p>\n\n<p align=center>\n <a href=\"https://github.com/chaijs/assertion-error/actions\">\n <img\n alt=\"build:?\"\n src=\"https://github.com/chaijs/assertion-error/actions/workflows/nodejs.yml/badge.svg\"\n />\n </a><a href=\"https://www.npmjs.com/package/assertion-error\">\n <img\n alt=\"downloads:?\"\n src=\"https://img.shields.io/npm/dm/assertion-error.svg\"\n />\n </a><a href=\"\">\n <img\n alt=\"devDependencies:none\"\n src=\"https://img.shields.io/badge/dependencies-none-brightgreen\"\n />\n </a>\n</p>\n\n## What is AssertionError?\n\nAssertion Error is a module that contains two classes: `AssertionError`, which\nis an instance of an `Error`, and `AssertionResult` which is not an instance of\nError.\n\nThese can be useful for returning from a function - if the function \"succeeds\"\nreturn an `AssertionResult` and if the function fails return (or throw) an\n`AssertionError`.\n\nBoth `AssertionError` and `AssertionResult` implement the `Result` interface:\n\n```typescript\ninterface Result {\n name: \"AssertionError\" | \"AssertionResult\";\n ok: boolean;\n toJSON(...args: unknown[]): Record<string, unknown>;\n}\n```\n\nSo if a function returns `AssertionResult | AssertionError` it is easy to check\n_which_ one is returned by checking either `.name` or `.ok`, or check\n`instanceof Error`.\n\n## Installation\n\n### Node.js\n\n`assertion-error` is available on [npm](http://npmjs.org).\n\n```\n$ npm install --save assertion-error\n```\n\n### Deno\n\n`assertion_error` is available on\n[Deno.land](https://deno.land/x/assertion_error)\n\n```typescript\nimport {\n AssertionError,\n AssertionResult,\n} from \"https://deno.land/x/assertion_error@2.0.0/mod.ts\";\n```\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/assertion-error/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/body-parser/README.md ---\n# body-parser\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Build Status][ci-image]][ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n[![OpenSSF Scorecard Badge][ossf-scorecard-badge]][ossf-scorecard-visualizer]\n\nNode.js body parsing middleware.\n\nParse incoming request bodies in a middleware before your handlers, available\nunder the `req.body` property.\n\n**Note** As `req.body`'s shape is based on user-controlled input, all\nproperties and values in this object are untrusted and should be validated\nbefore trusting. For example, `req.body.foo.toString()` may fail in multiple\nways, for example the `foo` property may not be there or may not be a string,\nand `toString` may not be a function and instead a string or other user input.\n\n[Learn about the anatomy of an HTTP transaction in Node.js](https://nodejs.org/en/docs/guides/anatomy-of-an-http-transaction/).\n\n_This does not handle multipart bodies_, due to their complex and typically\nlarge nature. For multipart bodies, you may be interested in the following\nmodules:\n\n * [busboy](https://www.npmjs.org/package/busboy#readme) and\n [connect-busboy](https://www.npmjs.org/package/connect-busboy#readme)\n * [multiparty](https://www.npmjs.org/package/multiparty#readme) and\n [connect-multiparty](https://www.npmjs.org/package/connect-multiparty#readme)\n * [formidable](https://www.npmjs.org/package/formidable#readme)\n * [multer](https://www.npmjs.org/package/multer#readme)\n\nThis module provides the following parsers:\n\n * [JSON body parser](#bodyparserjsonoptions)\n * [Raw body parser](#bodyparserrawoptions)\n * [Text body parser](#bodyparsertextoptions)\n * [URL-encoded form body parser](#bodyparserurlencodedoptions)\n\nOther body parsers you might be interested in:\n\n- [body](https://www.npmjs.org/package/body#readme)\n- [co-body](https://www.npmjs.org/package/co-body#readme)\n\n## Installation\n\n```sh\n$ npm install body-parser\n```\n\n## API\n\n```js\nconst bodyParser = require('body-parser')\n```\n\nThe `bodyParser` object exposes various factories to create middlewares. All\nmiddlewares will populate the `req.body` property with the parsed body when\nthe `Content-Type` request header matches the `type` option.\n\nThe various errors returned by this module are described in the\n[errors section](#errors).\n\n### bodyParser.json([options])\n\nReturns middleware that only parses `json` and only looks at requests where\nthe `Content-Type` header matches the `type` option. This parser accepts any\nUnicode encoding of the body and supports automatic inflation of `gzip`,\n`br` (brotli) and `deflate` encodings.\n\nA new `body` object containing the parsed data is populated on the `request`\nobject after the middleware (i.e. `req.body`).\n\n#### Options\n\nThe `json` function takes an optional `options` object that may contain any of\nthe following keys:\n\n##### inflate\n\nWhen set to `true`, then deflated (compressed) bodies will be inflated; when\n`false`, deflated bodies are rejected. Defaults to `true`.\n\n##### limit\n\nControls the maximum request body size. If this is a number, then the value\nspecifies the number of bytes; if it is a string, the value is passed to the\n[bytes](https://www.npmjs.com/package/bytes) library for parsing. Defaults\nto `'100kb'`.\n\n##### reviver\n\nThe `reviver` option is passed directly to `JSON.parse` as the second\nargument. You can find more information on this argument\n[in the MDN documentation about JSON.parse](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse#Example.3A_Using_the_reviver_parameter).\n\n##### strict\n\nWhen set to `true`, will only accept arrays and objects; when `false` will\naccept anything `JSON.parse` accepts. Defaults to `true`.\n\n##### type\n\nThe `type` option is used to determine what media type the middleware will\nparse. This option can be a string, array of strings, or a function. If not a\nfunction, `type` option is passed directly to the\n[type-is](https://www.npmjs.org/package/type-is#readme) library and this can\nbe an extension name (like `json`), a mime type (like `application/json`), or\na mime type with a wildcard (like `*/*` or `*/json`). If a function, the `type`\noption is called as `fn(req)` and the request is parsed if it returns a truthy\nvalue. Defaults to `application/json`.\n\n##### verify\n\nThe `verify` option, if supplied, is called as `verify(req, res, buf, encoding)`,\nwhere `buf` is a `Buffer` of the raw request body and `encoding` is the\nencoding of the request. The parsing can be aborted by throwing an error.\n\n### bodyParser.raw([options])\n\nReturns middleware that parses all bodies as a `Buffer` and only looks at\nrequests where the `Content-Type` header matches the `type` option. This\nparser supports automatic inflation of `gzip`, `br` (brotli) and `deflate`\nencodings.\n\nA new `body` object containing the parsed data is populated on the `request`\nobject after the middleware (i.e. `req.body`). This will be a `Buffer` object\nof the body.\n\n#### Options\n\nThe `raw` function takes an optional `options` object that may contain any of\nthe following keys:\n\n##### inflate\n\nWhen set to `true`, then deflated (compressed) bodies will be inflated; when\n`false`, deflated bodies are rejected. Defaults to `true`.\n\n##### limit\n\nControls the maximum request body size. If this is a number, then the value\nspecifies the number of bytes; if it is a string, the value is passed to the\n[bytes](https://www.npmjs.com/package/bytes) library for parsing. Defaults\nto `'100kb'`.\n\n##### type\n\nThe `type` option is used to determine what media type the middleware will\nparse. This option can be a string, array of strings, or a function.\nIf not a function, `type` option is passed directly to the\n[type-is](https://www.npmjs.org/package/type-is#readme) library and this\ncan be an extension name (like `bin`), a mime type (like\n`application/octet-stream`), or a mime type with a wildcard (like `*/*` or\n`application/*`). If a function, the `type` option is called as `fn(req)`\nand the request is parsed if it returns a truthy value. Defaults to\n`application/octet-stream`.\n\n##### verify\n\nThe `verify` option, if supplied, is called as `verify(req, res, buf, encoding)`,\nwhere `buf` is a `Buffer` of the raw request body and `encoding` is the\nencoding of the request. The parsing can be aborted by throwing an error.\n\n### bodyParser.text([options])\n\nReturns middleware that parses all bodies as a string and only looks at\nrequests where the `Content-Type` header matches the `type` option. This\nparser supports automatic inflation of `gzip`, `br` (brotli) and `deflate`\nencodings.\n\nA new `body` string containing the parsed data is populated on the `request`\nobject after the middleware (i.e. `req.body`). This will be a string of the\nbody.\n\n#### Options\n\nThe `text` function takes an optional `options` object that may contain any of\nthe following keys:\n\n##### defaultCharset\n\nSpecify the default character set for the text content if the charset is not\nspecified in the `Content-Type` header of the request. Defaults to `utf-8`.\n\n##### inflate\n\nWhen set to `true`, then deflated (compressed) bodies will be inflated; when\n`false`, deflated bodies are rejected. Defaults to `true`.\n\n##### limit\n\nControls the maximum request body size. If this is a number, then the value\nspecifies the number of bytes; if it is a string, the value is passed to the\n[bytes](https://www.npmjs.com/package/bytes) library for parsing. Defaults\nto `'100kb'`.\n\n##### type\n\nThe `type` option is used to determine what media type the middleware will\nparse. This option can be a string, array of strings, or a function. If not\na function, `type` option is passed directly to the\n[type-is](https://www.npmjs.org/package/type-is#readme) library and this can\nbe an extension name (like `txt`), a mime type (like `text/plain`), or a mime\ntype with a wildcard (like `*/*` or `text/*`). If a function, the `type`\noption is called as `fn(req)` and the request is parsed if it returns a\ntruthy value. Defaults to `text/plain`.\n\n##### verify\n\nThe `verify` option, if supplied, is called as `verify(req, res, buf, encoding)`,\nwhere `buf` is a `Buffer` of the raw request body and `encoding` is the\nencoding of the request. The parsing can be aborted by throwing an error.\n\n### bodyParser.urlencoded([options])\n\nReturns middleware that only parses `urlencoded` bodies and only looks at\nrequests where the `Content-Type` header matches the `type` option. This\nparser accepts only UTF-8 encoding of the body and supports automatic\ninflation of `gzip`, `br` (brotli) and `deflate` encodings.\n\nA new `body` object containing the parsed data is populated on the `request`\nobject after the middleware (i.e. `req.body`). This object will contain\nkey-value pairs, where the value can be a string or array (when `extended` is\n`false`), or any type (when `extended` is `true`).\n\n#### Options\n\nThe `urlencoded` function takes an optional `options` object that may contain\nany of the following keys:\n\n##### extended\n\nThe \"extended\" syntax allows for rich objects and arrays to be encoded into the\nURL-encoded format, allowing for a JSON-like experience with URL-encoded. For\nmore information, please [see the qs\nlibrary](https://www.npmjs.org/package/qs#readme).\n\nDefaults to `false`.\n\n##### inflate\n\nWhen set to `true`, then deflated (compressed) bodies will be inflated; when\n`false`, deflated bodies are rejected. Defaults to `true`.\n\n##### limit\n\nControls the maximum request body size. If this is a number, then the value\nspecifies the number of bytes; if it is a string, the value is passed to the\n[bytes](https://www.npmjs.com/package/bytes) library for parsing. Defaults\nto `'100kb'`.\n\n##### parameterLimit\n\nThe `parameterLimit` option controls the maximum number of parameters that\nare allowed in the URL-encoded data. If a request contains more parameters\nthan this value, a 413 will be returned to the client. Defaults to `1000`.\n\n##### type\n\nThe `type` option is used to determine what media type the middleware will\nparse. This option can be a string, array of strings, or a function. If not\na function, `type` option is passed directly to the\n[type-is](https://www.npmjs.org/package/type-is#readme) library and this can\nbe an extension name (like `urlencoded`), a mime type (like\n`application/x-www-form-urlencoded`), or a mime type with a wildcard (like\n`*/x-www-form-urlencoded`). If a function, the `type` option is called as\n`fn(req)` and the request is parsed if it returns a truthy value. Defaults\nto `application/x-www-form-urlencoded`.\n\n##### verify\n\nThe `verify` option, if supplied, is called as `verify(req, res, buf, encoding)`,\nwhere `buf` is a `Buffer` of the raw request body and `encoding` is the\nencoding of the request. The parsing can be aborted by throwing an error.\n\n##### defaultCharset\n\nThe default charset to parse as, if not specified in content-type. Must be\neither `utf-8` or `iso-8859-1`. Defaults to `utf-8`.\n\n##### charsetSentinel\n\nWhether to let the value of the `utf8` parameter take precedence as the charset\nselector. It requires the form to contain a parameter named `utf8` with a value\nof `✓`. Defaults to `false`.\n\n##### interpretNumericEntities\n\nWhether to decode numeric entities such as `&#9786;` when parsing an iso-8859-1\nform. Defaults to `false`.\n\n\n#### depth\n\nThe `depth` option is used to configure the maximum depth of the `qs` library when `extended` is `true`. This allows you to limit the amount of keys that are parsed and can be useful to prevent certain types of abuse. Defaults to `32`. It is recommended to keep this value as low as possible.\n\n## Errors\n\nThe middlewares provided by this module create errors using the\n[`http-errors` module](https://www.npmjs.com/package/http-errors). The errors\nwill typically have a `status`/`statusCode` property that contains the suggested\nHTTP response code, an `expose` property to determine if the `message` property\nshould be displayed to the client, a `type` property to determine the type of\nerror without matching against the `message`, and a `body` property containing\nthe read body, if available.\n\nThe following are the common errors created, though any error can come through\nfor various reasons.\n\n### content encoding unsupported\n\nThis error will occur when the request had a `Content-Encoding` header that\ncontained an encoding but the \"inflation\" option was set to `false`. The\n`status` property is set to `415`, the `type` property is set to\n`'encoding.unsupported'`, and the `charset` property will be set to the\nencoding that is unsupported.\n\n### entity parse failed\n\nThis error will occur when the request contained an entity that could not be\nparsed by the middleware. The `status` property is set to `400`, the `type`\nproperty is set to `'entity.parse.failed'`, and the `body` property is set to\nthe entity value that failed parsing.\n\n### entity verify failed\n\nThis error will occur when the request contained an entity that could not be\nfailed verification by the defined `verify` option. The `status` property is\nset to `403`, the `type` property is set to `'entity.verify.failed'`, and the\n`body` property is set to the entity value that failed verification.\n\n### request aborted\n\nThis error will occur when the request is aborted by the client before reading\nthe body has finished. The `received` property will be set to the number of\nbytes received before the request was aborted and the `expected` property is\nset to the number of expected bytes. The `status` property is set to `400`\nand `type` property is set to `'request.aborted'`.\n\n### request entity too large\n\nThis error will occur when the request body's size is larger than the \"limit\"\noption. The `limit` property will be set to the byte limit and the `length`\nproperty will be set to the request body's length. The `status` property is\nset to `413` and the `type` property is set to `'entity.too.large'`.\n\n### request size did not match content length\n\nThis error will occur when the request's length did not match the length from\nthe `Content-Length` header. This typically occurs when the request is malformed,\ntypically when the `Content-Length` header was calculated based on characters\ninstead of bytes. The `status` property is set to `400` and the `type` property\nis set to `'request.size.invalid'`.\n\n### stream encoding should not be set\n\nThis error will occur when something called the `req.setEncoding` method prior\nto this middleware. This module operates directly on bytes only and you cannot\ncall `req.setEncoding` when using this module. The `status` property is set to\n`500` and the `type` property is set to `'stream.encoding.set'`.\n\n### stream is not readable\n\nThis error will occur when the request is no longer readable when this middleware\nattempts to read it. This typically means something other than a middleware from\nthis module read the request body already and the middleware was also configured to\nread the same request. The `status` property is set to `500` and the `type`\nproperty is set to `'stream.not.readable'`.\n\n### too many parameters\n\nThis error will occur when the content of the request exceeds the configured\n`parameterLimit` for the `urlencoded` parser. The `status` property is set to\n`413` and the `type` property is set to `'parameters.too.many'`.\n\n### unsupported charset \"BOGUS\"\n\nThis error will occur when the request had a charset parameter in the\n`Content-Type` header, but the `iconv-lite` module does not support it OR the\nparser does not support it. The charset is contained in the message as well\nas in the `charset` property. The `status` property is set to `415`, the\n`type` property is set to `'charset.unsupported'`, and the `charset` property\nis set to the charset that is unsupported.\n\n### unsupported content encoding \"bogus\"\n\nThis error will occur when the request had a `Content-Encoding` header that\ncontained an unsupported encoding. The encoding is contained in the message\nas well as in the `encoding` property. The `status` property is set to `415`,\nthe `type` property is set to `'encoding.unsupported'`, and the `encoding`\nproperty is set to the encoding that is unsupported.\n\n### The input exceeded the depth\n\nThis error occurs when using `bodyParser.urlencoded` with the `extended` property set to `true` and the input exceeds the configured `depth` option. The `status` property is set to `400`. It is recommended to review the `depth` option and evaluate if it requires a higher value. When the `depth` option is set to `32` (default value), the error will not be thrown.\n\n## Examples\n\n### Express/Connect top-level generic\n\nThis example demonstrates adding a generic JSON and URL-encoded parser as a\ntop-level middleware, which will parse the bodies of all incoming requests.\nThis is the simplest setup.\n\n```js\nconst express = require('express')\nconst bodyParser = require('body-parser')\n\nconst app = express()\n\n// parse application/x-www-form-urlencoded\napp.use(bodyParser.urlencoded())\n\n// parse application/json\napp.use(bodyParser.json())\n\napp.use(function (req, res) {\n res.setHeader('Content-Type', 'text/plain')\n res.write('you posted:\\n')\n res.end(String(JSON.stringify(req.body, null, 2)))\n})\n```\n\n### Express route-specific\n\nThis example demonstrates adding body parsers specifically to the routes that\nneed them. In general, this is the most recommended way to use body-parser with\nExpress.\n\n```js\nconst express = require('express')\nconst bodyParser = require('body-parser')\n\nconst app = express()\n\n// create application/json parser\nconst jsonParser = bodyParser.json()\n\n// create application/x-www-form-urlencoded parser\nconst urlencodedParser = bodyParser.urlencoded()\n\n// POST /login gets urlencoded bodies\napp.post('/login', urlencodedParser, function (req, res) {\n if (!req.body || !req.body.username) res.sendStatus(400)\n res.send('welcome, ' + req.body.username)\n})\n\n// POST /api/users gets JSON bodies\napp.post('/api/users', jsonParser, function (req, res) {\n if (!req.body) res.sendStatus(400)\n // create user in req.body\n})\n```\n\n### Change accepted type for parsers\n\nAll the parsers accept a `type` option which allows you to change the\n`Content-Type` that the middleware will parse.\n\n```js\nconst express = require('express')\nconst bodyParser = require('body-parser')\n\nconst app = express()\n\n// parse various different custom JSON types as JSON\napp.use(bodyParser.json({ type: 'application/*+json' }))\n\n// parse some custom thing into a Buffer\napp.use(bodyParser.raw({ type: 'application/vnd.custom-type' }))\n\n// parse an HTML body into a string\napp.use(bodyParser.text({ type: 'text/html' }))\n```\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://badgen.net/github/checks/expressjs/body-parser/master?label=ci\n[ci-url]: https://github.com/expressjs/body-parser/actions/workflows/ci.yml\n[coveralls-image]: https://badgen.net/coveralls/c/github/expressjs/body-parser/master\n[coveralls-url]: https://coveralls.io/r/expressjs/body-parser?branch=master\n[node-version-image]: https://badgen.net/npm/node/body-parser\n[node-version-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/body-parser\n[npm-url]: https://npmjs.org/package/body-parser\n[npm-version-image]: https://badgen.net/npm/v/body-parser\n[ossf-scorecard-badge]: https://api.scorecard.dev/projects/github.com/expressjs/body-parser/badge\n[ossf-scorecard-visualizer]: https://ossf.github.io/scorecard-visualizer/#/projects/github.com/expressjs/body-parser\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/body-parser/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/cac/README.md ---\n<img width=\"945\" alt=\"2017-07-26 9 27 05\" src=\"https://user-images.githubusercontent.com/8784712/28623641-373450f4-7249-11e7-854d-1b076dab274d.png\">\n\n[![NPM version](https://img.shields.io/npm/v/cac.svg?style=flat)](https://npmjs.com/package/cac) [![NPM downloads](https://img.shields.io/npm/dm/cac.svg?style=flat)](https://npmjs.com/package/cac) [![CircleCI](https://circleci.com/gh/cacjs/cac/tree/master.svg?style=shield)](https://circleci.com/gh/cacjs/cac/tree/master) [![Codecov](https://badgen.net/codecov/c/github/cacjs/cac/master)](https://codecov.io/gh/cacjs/cac) [![donate](https://img.shields.io/badge/$-donate-ff69b4.svg?maxAge=2592000&style=flat)](https://github.com/egoist/donate) [![chat](https://img.shields.io/badge/chat-on%20discord-7289DA.svg?style=flat)](https://chat.egoist.moe) [![install size](https://badgen.net/packagephobia/install/cac)](https://packagephobia.now.sh/result?p=cac)\n\n## Introduction\n\n**C**ommand **A**nd **C**onquer is a JavaScript library for building CLI apps.\n\n## Features\n\n- **Super light-weight**: No dependency, just a single file.\n- **Easy to learn**. There're only 4 APIs you need to learn for building simple CLIs: `cli.option` `cli.version` `cli.help` `cli.parse`.\n- **Yet so powerful**. Enable features like default command, git-like subcommands, validation for required arguments and options, variadic arguments, dot-nested options, automated help message generation and so on.\n- **Developer friendly**. Written in TypeScript.\n\n## Table of Contents\n\n<!-- toc -->\n\n- [Install](#install)\n- [Usage](#usage)\n - [Simple Parsing](#simple-parsing)\n - [Display Help Message and Version](#display-help-message-and-version)\n - [Command-specific Options](#command-specific-options)\n - [Dash in option names](#dash-in-option-names)\n - [Brackets](#brackets)\n - [Negated Options](#negated-options)\n - [Variadic Arguments](#variadic-arguments)\n - [Dot-nested Options](#dot-nested-options)\n - [Default Command](#default-command)\n - [Supply an array as option value](#supply-an-array-as-option-value)\n - [Error Handling](#error-handling)\n - [With TypeScript](#with-typescript)\n - [With Deno](#with-deno)\n- [Projects Using CAC](#projects-using-cac)\n- [References](#references)\n - [CLI Instance](#cli-instance)\n - [cac(name?)](#cacname)\n - [cli.command(name, description, config?)](#clicommandname-description-config)\n - [cli.option(name, description, config?)](#clioptionname-description-config)\n - [cli.parse(argv?)](#cliparseargv)\n - [cli.version(version, customFlags?)](#cliversionversion-customflags)\n - [cli.help(callback?)](#clihelpcallback)\n - [cli.outputHelp()](#clioutputhelp)\n - [cli.usage(text)](#cliusagetext)\n - [Command Instance](#command-instance)\n - [command.option()](#commandoption)\n - [command.action(callback)](#commandactioncallback)\n - [command.alias(name)](#commandaliasname)\n - [command.allowUnknownOptions()](#commandallowunknownoptions)\n - [command.example(example)](#commandexampleexample)\n - [command.usage(text)](#commandusagetext)\n - [Events](#events)\n- [FAQ](#faq)\n - [How is the name written and pronounced?](#how-is-the-name-written-and-pronounced)\n - [Why not use Commander.js?](#why-not-use-commanderjs)\n- [Project Stats](#project-stats)\n- [Contributing](#contributing)\n- [Author](#author)\n\n<!-- tocstop -->\n\n## Install\n\n```bash\nyarn add cac\n```\n\n## Usage\n\n### Simple Parsing\n\nUse CAC as simple argument parser:\n\n```js\n// examples/basic-usage.js\nconst cli = require('cac')()\n\ncli.option('--type <type>', 'Choose a project type', {\n default: 'node',\n})\n\nconst parsed = cli.parse()\n\nconsole.log(JSON.stringify(parsed, null, 2))\n```\n\n<img width=\"500\" alt=\"2018-11-26 12 28 03\" src=\"https://user-images.githubusercontent.com/8784712/48981576-2a871000-f112-11e8-8151-80f61e9b9908.png\">\n\n### Display Help Message and Version\n\n```js\n// examples/help.js\nconst cli = require('cac')()\n\ncli.option('--type [type]', 'Choose a project type', {\n default: 'node',\n})\ncli.option('--name <name>', 'Provide your name')\n\ncli.command('lint [...files]', 'Lint files').action((files, options) => {\n console.log(files, options)\n})\n\n// Display help message when `-h` or `--help` appears\ncli.help()\n// Display version number when `-v` or `--version` appears\n// It's also used in help message\ncli.version('0.0.0')\n\ncli.parse()\n```\n\n<img width=\"500\" alt=\"2018-11-25 8 21 14\" src=\"https://user-images.githubusercontent.com/8784712/48979012-acb20d00-f0ef-11e8-9cc6-8ffca00ab78a.png\">\n\n### Command-specific Options\n\nYou can attach options to a command.\n\n```js\nconst cli = require('cac')()\n\ncli\n .command('rm <dir>', 'Remove a dir')\n .option('-r, --recursive', 'Remove recursively')\n .action((dir, options) => {\n console.log('remove ' + dir + (options.recursive ? ' recursively' : ''))\n })\n\ncli.help()\n\ncli.parse()\n```\n\nA command's options are validated when the command is used. Any unknown options will be reported as an error. However, if an action-based command does not define an action, then the options are not validated. If you really want to use unknown options, use [`command.allowUnknownOptions`](#commandallowunknownoptions).\n\n<img alt=\"command options\" width=\"500\" src=\"https://user-images.githubusercontent.com/8784712/49065552-49dc8500-f259-11e8-9c7b-a7c32d70920e.png\">\n\n### Dash in option names\n\nOptions in kebab-case should be referenced in camelCase in your code:\n\n```js\ncli\n .command('dev', 'Start dev server')\n .option('--clear-screen', 'Clear screen')\n .action((options) => {\n console.log(options.clearScreen)\n })\n```\n\nIn fact `--clear-screen` and `--clearScreen` are both mapped to `options.clearScreen`.\n\n### Brackets\n\nWhen using brackets in command name, angled brackets indicate required command arguments, while square bracket indicate optional arguments.\n\nWhen using brackets in option name, angled brackets indicate that a string / number value is required, while square bracket indicate that the value can also be `true`.\n\n```js\nconst cli = require('cac')()\n\ncli\n .command('deploy <folder>', 'Deploy a folder to AWS')\n .option('--scale [level]', 'Scaling level')\n .action((folder, options) => {\n // ...\n })\n\ncli\n .command('build [project]', 'Build a project')\n .option('--out <dir>', 'Output directory')\n .action((folder, options) => {\n // ...\n })\n\ncli.parse()\n```\n\n### Negated Options\n\nTo allow an option whose value is `false`, you need to manually specify a negated option:\n\n```js\ncli\n .command('build [project]', 'Build a project')\n .option('--no-config', 'Disable config file')\n .option('--config <path>', 'Use a custom config file')\n```\n\nThis will let CAC set the default value of `config` to true, and you can use `--no-config` flag to set it to `false`.\n\n### Variadic Arguments\n\nThe last argument of a command can be variadic, and only the last argument. To make an argument variadic you have to add `...` to the start of argument name, just like the rest operator in JavaScript. Here is an example:\n\n```js\nconst cli = require('cac')()\n\ncli\n .command('build <entry> [...otherFiles]', 'Build your app')\n .option('--foo', 'Foo option')\n .action((entry, otherFiles, options) => {\n console.log(entry)\n console.log(otherFiles)\n console.log(options)\n })\n\ncli.help()\n\ncli.parse()\n```\n\n<img width=\"500\" alt=\"2018-11-25 8 25 30\" src=\"https://user-images.githubusercontent.com/8784712/48979056-47125080-f0f0-11e8-9d8f-3219e0beb0ed.png\">\n\n### Dot-nested Options\n\nDot-nested options will be merged into a single option.\n\n```js\nconst cli = require('cac')()\n\ncli\n .command('build', 'desc')\n .option('--env <env>', 'Set envs')\n .example('--env.API_SECRET xxx')\n .action((options) => {\n console.log(options)\n })\n\ncli.help()\n\ncli.parse()\n```\n\n<img width=\"500\" alt=\"2018-11-25 9 37 53\" src=\"https://user-images.githubusercontent.com/8784712/48979771-6ada9400-f0fa-11e8-8192-e541b2cfd9da.png\">\n\n### Default Command\n\nRegister a command that will be used when no other command is matched.\n\n```js\nconst cli = require('cac')()\n\ncli\n // Simply omit the command name, just brackets\n .command('[...files]', 'Build files')\n .option('--minimize', 'Minimize output')\n .action((files, options) => {\n console.log(files)\n console.log(options.minimize)\n })\n\ncli.parse()\n```\n\n### Supply an array as option value\n\n```bash\nnode cli.js --include project-a\n# The parsed options will be:\n# { include: 'project-a' }\n\nnode cli.js --include project-a --include project-b\n# The parsed options will be:\n# { include: ['project-a', 'project-b'] }\n```\n\n### Error Handling\n\nTo handle command errors globally:\n\n```js\ntry {\n // Parse CLI args without running the command\n cli.parse(process.argv, { run: false })\n // Run the command yourself\n // You only need `await` when your command action returns a Promise\n await cli.runMatchedCommand()\n} catch (error) {\n // Handle error here..\n // e.g.\n // console.error(error.stack)\n // process.exit(1)\n}\n```\n\n### With TypeScript\n\nFirst you need `@types/node` to be installed as a dev dependency in your project:\n\n```bash\nyarn add @types/node --dev\n```\n\nThen everything just works out of the box:\n\n```js\nconst { cac } = require('cac')\n// OR ES modules\nimport { cac } from 'cac'\n```\n\n### With Deno\n\n```ts\nimport { cac } from 'https://unpkg.com/cac/mod.ts'\n\nconst cli = cac('my-program')\n```\n\n## Projects Using CAC\n\nProjects that use **CAC**:\n\n- [VuePress](https://github.com/vuejs/vuepress): :memo: Minimalistic Vue-powered static site generator.\n- [SAO](https://github.com/egoist/sao): ⚔️ Futuristic scaffolding tool.\n- [DocPad](https://github.com/docpad/docpad): 🏹 Powerful Static Site Generator.\n- [Poi](https://github.com/egoist/poi): ⚡️ Delightful web development.\n- [bili](https://github.com/egoist/bili): 🥂 Schweizer Armeemesser for bundling JavaScript libraries.\n- [Lad](https://github.com/ladjs/lad): 👦 Lad scaffolds a Koa webapp and API framework for Node.js.\n- [Lass](https://github.com/lassjs/lass): 💁🏻 Scaffold a modern package boilerplate for Node.js.\n- [Foy](https://github.com/zaaack/foy): 🏗 A lightweight and modern task runner and build tool for general purpose.\n- [Vuese](https://github.com/vuese/vuese): 🤗 One-stop solution for vue component documentation.\n- [NUT](https://github.com/nut-project/nut): 🌰 A framework born for microfrontends\n- Feel free to add yours here...\n\n## References\n\n**💁 Check out [the generated docs](https://cac-api-doc.egoist.sh/classes/_cac_.cac.html) from source code if you want a more in-depth API references.**\n\nBelow is a brief overview.\n\n### CLI Instance\n\nCLI instance is created by invoking the `cac` function:\n\n```js\nconst cac = require('cac')\nconst cli = cac()\n```\n\n#### cac(name?)\n\nCreate a CLI instance, optionally specify the program name which will be used to display in help and version message. When not set we use the basename of `argv[1]`.\n\n#### cli.command(name, description, config?)\n\n- Type: `(name: string, description: string) => Command`\n\nCreate a command instance.\n\nThe option also accepts a third argument `config` for additional command config:\n\n- `config.allowUnknownOptions`: `boolean` Allow unknown options in this command.\n- `config.ignoreOptionDefaultValue`: `boolean` Don't use the options's default value in parsed options, only display them in help message.\n\n#### cli.option(name, description, config?)\n\n- Type: `(name: string, description: string, config?: OptionConfig) => CLI`\n\nAdd a global option.\n\nThe option also accepts a third argument `config` for additional option config:\n\n- `config.default`: Default value for the option.\n- `config.type`: `any[]` When set to `[]`, the option value returns an array type. You can also use a conversion function such as `[String]`, which will invoke the option value with `String`.\n\n#### cli.parse(argv?)\n\n- Type: `(argv = process.argv) => ParsedArgv`\n\n```ts\ninterface ParsedArgv {\n args: string[]\n options: {\n [k: string]: any\n }\n}\n```\n\nWhen this method is called, `cli.rawArgs` `cli.args` `cli.options` `cli.matchedCommand` will also be available.\n\n#### cli.version(version, customFlags?)\n\n- Type: `(version: string, customFlags = '-v, --version') => CLI`\n\nOutput version number when `-v, --version` flag appears.\n\n#### cli.help(callback?)\n\n- Type: `(callback?: HelpCallback) => CLI`\n\nOutput help message when `-h, --help` flag appears.\n\nOptional `callback` allows post-processing of help text before it is displayed:\n\n```ts\ntype HelpCallback = (sections: HelpSection[]) => void\n\ninterface HelpSection {\n title?: string\n body: string\n}\n```\n\n#### cli.outputHelp()\n\n- Type: `() => CLI`\n\nOutput help message.\n\n#### cli.usage(text)\n\n- Type: `(text: string) => CLI`\n\nAdd a global usage text. This is not used by sub-commands.\n\n### Command Instance\n\nCommand instance is created by invoking the `cli.command` method:\n\n```js\nconst command = cli.command('build [...files]', 'Build given files')\n```\n\n#### command.option()\n\nBasically the same as `cli.option` but this adds the option to specific command.\n\n#### command.action(callback)\n\n- Type: `(callback: ActionCallback) => Command`\n\nUse a callback function as the command action when the command matches user inputs.\n\n```ts\ntype ActionCallback = (\n // Parsed CLI args\n // The last arg will be an array if it's a variadic argument\n ...args: string | string[] | number | number[]\n // Parsed CLI options\n options: Options\n) => any\n\ninterface Options {\n [k: string]: any\n}\n```\n\n#### command.alias(name)\n\n- Type: `(name: string) => Command`\n\nAdd an alias name to this command, the `name` here can't contain brackets.\n\n#### command.allowUnknownOptions()\n\n- Type: `() => Command`\n\nAllow unknown options in this command, by default CAC will log an error when unknown options are used.\n\n#### command.example(example)\n\n- Type: `(example: CommandExample) => Command`\n\nAdd an example which will be displayed at the end of help message.\n\n```ts\ntype CommandExample = ((name: string) => string) | string\n```\n\n#### command.usage(text)\n\n- Type: `(text: string) => Command`\n\nAdd a usage text for this command.\n\n### Events\n\nListen to commands:\n\n```js\n// Listen to the `foo` command\ncli.on('command:foo', () => {\n // Do something\n})\n\n// Listen to the default command\ncli.on('command:!', () => {\n // Do something\n})\n\n// Listen to unknown commands\ncli.on('command:*', () => {\n console.error('Invalid command: %s', cli.args.join(' '))\n process.exit(1)\n})\n```\n\n## FAQ\n\n### How is the name written and pronounced?\n\nCAC, or cac, pronounced `C-A-C`.\n\nThis project is dedicated to our lovely C.C. sama. Maybe CAC stands for C&C as well :P\n\n<img src=\"http://i.giphy.com/v3FeH4swox9mg.gif\" width=\"400\"/>\n\n### Why not use Commander.js?\n\nCAC is very similar to Commander.js, while the latter does not support dot nested options, i.e. something like `--env.API_SECRET foo`. Besides, you can't use unknown options in Commander.js either.\n\n_And maybe more..._\n\nBasically I made CAC to fulfill my own needs for building CLI apps like [Poi](https://poi.js.org), [SAO](https://sao.vercel.app) and all my CLI apps. It's small, simple but powerful :P\n\n## Project Stats\n\n![Alt](https://repobeats.axiom.co/api/embed/58caf6203631bcdb9bbe22f0728a0af1683dc0bb.svg 'Repobeats analytics image')\n\n## Contributing\n\n1. Fork it!\n2. Create your feature branch: `git checkout -b my-new-feature`\n3. Commit your changes: `git commit -am 'Add some feature'`\n4. Push to the branch: `git push origin my-new-feature`\n5. Submit a pull request :D\n\n## Author\n\n**CAC** © [EGOIST](https://github.com/egoist), Released under the [MIT](./LICENSE) License.<br>\nAuthored and maintained by egoist with help from contributors ([list](https://github.com/cacjs/cac/contributors)).\n\n> [Website](https://egoist.sh) · GitHub [@egoist](https://github.com/egoist) · Twitter [@\\_egoistlily](https://twitter.com/_egoistlily)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/cac/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/call-bind-apply-helpers/README.md ---\n# call-bind-apply-helpers <sup>[![Version Badge][npm-version-svg]][package-url]</sup>\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![dependency status][deps-svg]][deps-url]\n[![dev dependency status][dev-deps-svg]][dev-deps-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nHelper functions around Function call/apply/bind, for use in `call-bind`.\n\nThe only packages that should likely ever use this package directly are `call-bind` and `get-intrinsic`.\nPlease use `call-bind` unless you have a very good reason not to.\n\n## Getting started\n\n```sh\nnpm install --save call-bind-apply-helpers\n```\n\n## Usage/Examples\n\n```js\nconst assert = require('assert');\nconst callBindBasic = require('call-bind-apply-helpers');\n\nfunction f(a, b) {\n\tassert.equal(this, 1);\n\tassert.equal(a, 2);\n\tassert.equal(b, 3);\n\tassert.equal(arguments.length, 2);\n}\n\nconst fBound = callBindBasic([f, 1]);\n\ndelete Function.prototype.call;\ndelete Function.prototype.bind;\n\nfBound(2, 3);\n```\n\n## Tests\n\nClone the repo, `npm install`, and run `npm test`\n\n[package-url]: https://npmjs.org/package/call-bind-apply-helpers\n[npm-version-svg]: https://versionbadg.es/ljharb/call-bind-apply-helpers.svg\n[deps-svg]: https://david-dm.org/ljharb/call-bind-apply-helpers.svg\n[deps-url]: https://david-dm.org/ljharb/call-bind-apply-helpers\n[dev-deps-svg]: https://david-dm.org/ljharb/call-bind-apply-helpers/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/call-bind-apply-helpers#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/call-bind-apply-helpers.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/call-bind-apply-helpers.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/call-bind-apply-helpers.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=call-bind-apply-helpers\n[codecov-image]: https://codecov.io/gh/ljharb/call-bind-apply-helpers/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/call-bind-apply-helpers/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/call-bind-apply-helpers\n[actions-url]: https://github.com/ljharb/call-bind-apply-helpers/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/call-bind-apply-helpers/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/call-bound/README.md ---\n# call-bound <sup>[![Version Badge][npm-version-svg]][package-url]</sup>\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![dependency status][deps-svg]][deps-url]\n[![dev dependency status][dev-deps-svg]][dev-deps-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nRobust call-bound JavaScript intrinsics, using `call-bind` and `get-intrinsic`.\n\n## Getting started\n\n```sh\nnpm install --save call-bound\n```\n\n## Usage/Examples\n\n```js\nconst assert = require('assert');\nconst callBound = require('call-bound');\n\nconst slice = callBound('Array.prototype.slice');\n\ndelete Function.prototype.call;\ndelete Function.prototype.bind;\ndelete Array.prototype.slice;\n\nassert.deepEqual(slice([1, 2, 3, 4], 1, -1), [2, 3]);\n```\n\n## Tests\n\nClone the repo, `npm install`, and run `npm test`\n\n[package-url]: https://npmjs.org/package/call-bound\n[npm-version-svg]: https://versionbadg.es/ljharb/call-bound.svg\n[deps-svg]: https://david-dm.org/ljharb/call-bound.svg\n[deps-url]: https://david-dm.org/ljharb/call-bound\n[dev-deps-svg]: https://david-dm.org/ljharb/call-bound/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/call-bound#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/call-bound.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/call-bound.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/call-bound.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=call-bound\n[codecov-image]: https://codecov.io/gh/ljharb/call-bound/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/call-bound/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/call-bound\n[actions-url]: https://github.com/ljharb/call-bound/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/call-bound/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/chai/README.md ---\n<h1 align=center>\n <a href=\"http://chaijs.com\" title=\"Chai Documentation\">\n <img alt=\"ChaiJS\" src=\"http://chaijs.com/img/chai-logo.png\">\n </a>\n <br>\n chai\n</h1>\n\n<p align=center>\n Chai is a BDD / TDD assertion library for <a href=\"http://nodejs.org\">node</a> and the browser that can be delightfully paired with any javascript testing framework.\n</p>\n\n<p align=center>\n <a href=\"https://www.npmjs.com/package/chai\">\n <img\n alt=\"downloads:?\"\n src=\"https://img.shields.io/npm/dm/chai.svg?style=flat-square\"\n />\n </a>\n <a href=\"https://www.npmjs.com/package/chai\">\n <img\n alt=\"node:?\"\n src=\"https://img.shields.io/badge/node-%3E=18.0-blue.svg?style=flat-square\"\n />\n </a>\n <br/>\n <a href=\"https://chai-slack.herokuapp.com/\">\n <img\n alt=\"Join the Slack chat\"\n src=\"https://img.shields.io/badge/slack-join%20chat-E2206F.svg?style=flat-square\"\n />\n </a>\n <a href=\"https://gitter.im/chaijs/chai\">\n <img\n alt=\"Join the Gitter chat\"\n src=\"https://img.shields.io/badge/gitter-join%20chat-D0104D.svg?style=flat-square\"\n />\n </a>\n <a href=\"https://opencollective.com/chaijs\">\n <img\n alt=\"OpenCollective Backers\"\n src=\"https://opencollective.com/chaijs/backers/badge.svg?style=flat-square\"\n />\n </a>\n</p>\n\nFor more information or to download plugins, view the [documentation](http://chaijs.com).\n\n## What is Chai?\n\nChai is an _assertion library_, similar to Node's built-in `assert`. It makes testing much easier by giving you lots of assertions you can run against your code.\n\n## Installation\n\n### Node.js\n\n`chai` is available on [npm](http://npmjs.org). To install it, type:\n\n $ npm install --save-dev chai\n\n### Browsers\n\nYou can also use it within the browser; install via npm and use the `chai.js` file found within the download. For example:\n\n```html\n<script src=\"./node_modules/chai/chai.js\"></script>\n```\n\n## Usage\n\nImport the library in your code, and then pick one of the styles you'd like to use - either `assert`, `expect` or `should`:\n\n```js\nimport { assert } from 'chai'; // Using Assert style\nimport { expect } from 'chai'; // Using Expect style\nimport { should } from 'chai'; // Using Should style\n```\n\n### Register the chai testing style globally\n\n```js\nimport 'chai/register-assert'; // Using Assert style\nimport 'chai/register-expect'; // Using Expect style\nimport 'chai/register-should'; // Using Should style\n```\n\n### Import assertion styles as local variables\n\n```js\nimport { assert } from 'chai'; // Using Assert style\nimport { expect } from 'chai'; // Using Expect style\nimport { should } from 'chai'; // Using Should style\nshould(); // Modifies `Object.prototype`\n\nimport { expect, use } from 'chai'; // Creates local variables `expect` and `use`; useful for plugin use\n```\n\n### Usage with Mocha\n\n```bash\nmocha spec.js --require chai/register-assert.js # Using Assert style\nmocha spec.js --require chai/register-expect.js # Using Expect style\nmocha spec.js --require chai/register-should.js # Using Should style\n```\n\n[Read more about these styles in our docs](http://chaijs.com/guide/styles/).\n\n## Plugins\n\nChai offers a robust Plugin architecture for extending Chai's assertions and interfaces.\n\n- Need a plugin? View the [official plugin list](http://chaijs.com/plugins).\n- Want to build a plugin? Read the [plugin api documentation](http://chaijs.com/guide/plugins/).\n- Have a plugin and want it listed? Simply add the following keywords to your package.json:\n - `chai-plugin`\n - `browser` if your plugin works in the browser as well as Node.js\n - `browser-only` if your plugin does not work with Node.js\n\n### Related Projects\n\n- [chaijs / chai-docs](https://github.com/chaijs/chai-docs): The chaijs.com website source code.\n- [chaijs / assertion-error](https://github.com/chaijs/assertion-error): Custom `Error` constructor thrown upon an assertion failing.\n- [chaijs / deep-eql](https://github.com/chaijs/deep-eql): Improved deep equality testing for Node.js and the browser.\n- [chaijs / check-error](https://github.com/chaijs/check-error): Error comparison and information related utility for Node.js and the browser.\n- [chaijs / loupe](https://github.com/chaijs/loupe): Inspect utility for Node.js and browsers.\n- [chaijs / pathval](https://github.com/chaijs/pathval): Object value retrieval given a string path.\n\n### Contributing\n\nThank you very much for considering to contribute!\n\nPlease make sure you follow our [Code Of Conduct](https://github.com/chaijs/chai/blob/master/CODE_OF_CONDUCT.md) and we also strongly recommend reading our [Contributing Guide](https://github.com/chaijs/chai/blob/master/CONTRIBUTING.md).\n\nHere are a few issues other contributors frequently ran into when opening pull requests:\n\n- Please do not commit changes to the `chai.js` build. We do it once per release.\n- Before pushing your commits, please make sure you [rebase](https://github.com/chaijs/chai/blob/master/CONTRIBUTING.md#pull-requests) them.\n\n### Contributors\n\nPlease see the full\n[Contributors Graph](https://github.com/chaijs/chai/graphs/contributors) for our\nlist of contributors.\n\n### Core Contributors\n\nFeel free to reach out to any of the core contributors with your questions or\nconcerns. We will do our best to respond in a timely manner.\n\n[![Keith Cirkel](https://avatars3.githubusercontent.com/u/118266?v=3&s=50)](https://github.com/keithamus)\n[![James Garbutt](https://avatars3.githubusercontent.com/u/5677153?v=3&s=50)](https://github.com/43081j)\n[![Kristján Oddsson](https://avatars3.githubusercontent.com/u/318208?v=3&s=50)](https://github.com/koddsson)\n\n### Core Contributor Alumni\n\nThis project would not be what it is without the contributions from our prior\ncore contributors, for whom we are forever grateful:\n\n[![Jake Luer](https://avatars3.githubusercontent.com/u/58988?v=3&s=50)](https://github.com/logicalparadox)\n[![Veselin Todorov](https://avatars3.githubusercontent.com/u/330048?v=3&s=50)](https://github.com/vesln)\n[![Lucas Fernandes da Costa](https://avatars3.githubusercontent.com/u/6868147?v=3&s=50)](https://github.com/lucasfcosta)\n[![Grant Snodgrass](https://avatars3.githubusercontent.com/u/17260989?v=3&s=50)](https://github.com/meeber)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/chai/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/check-error/README.md ---\n<h1 align=center>\n <a href=\"http://chaijs.com\" title=\"Chai Documentation\">\n <img alt=\"ChaiJS\" src=\"http://chaijs.com/img/chai-logo.png\">\n </a>\n <br>\n check-error\n</h1>\n\n<p align=center>\n Error comparison and information related utility for <a href=\"http://nodejs.org\">node</a> and the browser.\n</p>\n\n## What is Check-Error?\n\nCheck-Error is a module which you can use to retrieve an Error's information such as its `message` or `constructor` name and also to check whether two Errors are compatible based on their messages, constructors or even instances.\n\n## Installation\n\n### Node.js\n\n`check-error` is available on [npm](http://npmjs.org). To install it, type:\n\n $ npm install check-error\n\n### Browsers\n\nYou can also use it within the browser; install via npm and use the `check-error.js` file found within the download. For example:\n\n```html\n<script src=\"./node_modules/check-error/check-error.js\"></script>\n```\n\n## Usage\n\nThe primary export of `check-error` is an object which has the following methods:\n\n* `compatibleInstance(err, errorLike)` - Checks if an error is compatible with another `errorLike` object. If `errorLike` is an error instance we do a strict comparison, otherwise we return `false` by default, because instances of objects can only be compatible if they're both error instances.\n* `compatibleConstructor(err, errorLike)` - Checks if an error's constructor is compatible with another `errorLike` object. If `err` has the same constructor as `errorLike` or if `err` is an instance of `errorLike`.\n* `compatibleMessage(err, errMatcher)` - Checks if an error message is compatible with an `errMatcher` RegExp or String (we check if the message contains the String).\n* `getConstructorName(errorLike)` - Retrieves the name of a constructor, an error's constructor or `errorLike` itself if it's not an error instance or constructor.\n* `getMessage(err)` - Retrieves the message of an error or `err` itself if it's a String. If `err` or `err.message` is undefined we return an empty String.\n\n```js\nvar checkError = require('check-error');\n```\n\n#### .compatibleInstance(err, errorLike)\n\n```js\nvar checkError = require('check-error');\n\nvar funcThatThrows = function() { throw new TypeError('I am a TypeError') };\nvar caughtErr;\n\ntry {\n funcThatThrows();\n} catch(e) {\n caughtErr = e;\n}\n\nvar sameInstance = caughtErr;\n\ncheckError.compatibleInstance(caughtErr, sameInstance); // true\ncheckError.compatibleInstance(caughtErr, new TypeError('Another error')); // false\n```\n\n#### .compatibleConstructor(err, errorLike)\n\n```js\nvar checkError = require('check-error');\n\nvar funcThatThrows = function() { throw new TypeError('I am a TypeError') };\nvar caughtErr;\n\ntry {\n funcThatThrows();\n} catch(e) {\n caughtErr = e;\n}\n\ncheckError.compatibleConstructor(caughtErr, Error); // true\ncheckError.compatibleConstructor(caughtErr, TypeError); // true\ncheckError.compatibleConstructor(caughtErr, RangeError); // false\n```\n\n#### .compatibleMessage(err, errMatcher)\n\n```js\nvar checkError = require('check-error');\n\nvar funcThatThrows = function() { throw new TypeError('I am a TypeError') };\nvar caughtErr;\n\ntry {\n funcThatThrows();\n} catch(e) {\n caughtErr = e;\n}\n\nvar sameInstance = caughtErr;\n\ncheckError.compatibleMessage(caughtErr, /TypeError$/); // true\ncheckError.compatibleMessage(caughtErr, 'I am a'); // true\ncheckError.compatibleMessage(caughtErr, /unicorn/); // false\ncheckError.compatibleMessage(caughtErr, 'I do not exist'); // false\n```\n\n#### .getConstructorName(errorLike)\n\n```js\nvar checkError = require('check-error');\n\nvar funcThatThrows = function() { throw new TypeError('I am a TypeError') };\nvar caughtErr;\n\ntry {\n funcThatThrows();\n} catch(e) {\n caughtErr = e;\n}\n\nvar sameInstance = caughtErr;\n\ncheckError.getConstructorName(caughtErr) // 'TypeError'\n```\n\n#### .getMessage(err)\n\n```js\nvar checkError = require('check-error');\n\nvar funcThatThrows = function() { throw new TypeError('I am a TypeError') };\nvar caughtErr;\n\ntry {\n funcThatThrows();\n} catch(e) {\n caughtErr = e;\n}\n\nvar sameInstance = caughtErr;\n\ncheckError.getMessage(caughtErr) // 'I am a TypeError'\n```\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/check-error/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/content-disposition/README.md ---\n# content-disposition\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build Status][github-actions-ci-image]][github-actions-ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nCreate and parse HTTP `Content-Disposition` header\n\n## Installation\n\n```sh\n$ npm install content-disposition\n```\n\n## API\n\n```js\nvar contentDisposition = require('content-disposition')\n```\n\n### contentDisposition(filename, options)\n\nCreate an attachment `Content-Disposition` header value using the given file name,\nif supplied. The `filename` is optional and if no file name is desired, but you\nwant to specify `options`, set `filename` to `undefined`.\n\n```js\nres.setHeader('Content-Disposition', contentDisposition('∫ maths.pdf'))\n```\n\n**note** HTTP headers are of the ISO-8859-1 character set. If you are writing this\nheader through a means different from `setHeader` in Node.js, you'll want to specify\nthe `'binary'` encoding in Node.js.\n\n#### Options\n\n`contentDisposition` accepts these properties in the options object.\n\n##### fallback\n\nIf the `filename` option is outside ISO-8859-1, then the file name is actually\nstored in a supplemental field for clients that support Unicode file names and\na ISO-8859-1 version of the file name is automatically generated.\n\nThis specifies the ISO-8859-1 file name to override the automatic generation or\ndisables the generation all together, defaults to `true`.\n\n - A string will specify the ISO-8859-1 file name to use in place of automatic\n generation.\n - `false` will disable including a ISO-8859-1 file name and only include the\n Unicode version (unless the file name is already ISO-8859-1).\n - `true` will enable automatic generation if the file name is outside ISO-8859-1.\n\nIf the `filename` option is ISO-8859-1 and this option is specified and has a\ndifferent value, then the `filename` option is encoded in the extended field\nand this set as the fallback field, even though they are both ISO-8859-1.\n\n##### type\n\nSpecifies the disposition type, defaults to `\"attachment\"`. This can also be\n`\"inline\"`, or any other value (all values except inline are treated like\n`attachment`, but can convey additional information if both parties agree to\nit). The type is normalized to lower-case.\n\n### contentDisposition.parse(string)\n\n```js\nvar disposition = contentDisposition.parse('attachment; filename=\"EURO rates.txt\"; filename*=UTF-8\\'\\'%e2%82%ac%20rates.txt')\n```\n\nParse a `Content-Disposition` header string. This automatically handles extended\n(\"Unicode\") parameters by decoding them and providing them under the standard\nparameter name. This will return an object with the following properties (examples\nare shown for the string `'attachment; filename=\"EURO rates.txt\"; filename*=UTF-8\\'\\'%e2%82%ac%20rates.txt'`):\n\n - `type`: The disposition type (always lower case). Example: `'attachment'`\n\n - `parameters`: An object of the parameters in the disposition (name of parameter\n always lower case and extended versions replace non-extended versions). Example:\n `{filename: \"€ rates.txt\"}`\n\n## Examples\n\n### Send a file for download\n\n```js\nvar contentDisposition = require('content-disposition')\nvar destroy = require('destroy')\nvar fs = require('fs')\nvar http = require('http')\nvar onFinished = require('on-finished')\n\nvar filePath = '/path/to/public/plans.pdf'\n\nhttp.createServer(function onRequest (req, res) {\n // set headers\n res.setHeader('Content-Type', 'application/pdf')\n res.setHeader('Content-Disposition', contentDisposition(filePath))\n\n // send file\n var stream = fs.createReadStream(filePath)\n stream.pipe(res)\n onFinished(res, function () {\n destroy(stream)\n })\n})\n```\n\n## Testing\n\n```sh\n$ npm test\n```\n\n## References\n\n- [RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1][rfc-2616]\n- [RFC 5987: Character Set and Language Encoding for Hypertext Transfer Protocol (HTTP) Header Field Parameters][rfc-5987]\n- [RFC 6266: Use of the Content-Disposition Header Field in the Hypertext Transfer Protocol (HTTP)][rfc-6266]\n- [Test Cases for HTTP Content-Disposition header field (RFC 6266) and the Encodings defined in RFCs 2047, 2231 and 5987][tc-2231]\n\n[rfc-2616]: https://tools.ietf.org/html/rfc2616\n[rfc-5987]: https://tools.ietf.org/html/rfc5987\n[rfc-6266]: https://tools.ietf.org/html/rfc6266\n[tc-2231]: http://greenbytes.de/tech/tc2231/\n\n## License\n\n[MIT](LICENSE)\n\n[npm-image]: https://img.shields.io/npm/v/content-disposition.svg\n[npm-url]: https://npmjs.org/package/content-disposition\n[node-version-image]: https://img.shields.io/node/v/content-disposition.svg\n[node-version-url]: https://nodejs.org/en/download\n[coveralls-image]: https://img.shields.io/coveralls/jshttp/content-disposition.svg\n[coveralls-url]: https://coveralls.io/r/jshttp/content-disposition?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/content-disposition.svg\n[downloads-url]: https://npmjs.org/package/content-disposition\n[github-actions-ci-image]: https://img.shields.io/github/workflow/status/jshttp/content-disposition/ci/master?label=ci\n[github-actions-ci-url]: https://github.com/jshttp/content-disposition?query=workflow%3Aci\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/content-disposition/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/content-type/README.md ---\n# content-type\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][ci-image]][ci-url]\n[![Coverage Status][coveralls-image]][coveralls-url]\n\nCreate and parse HTTP Content-Type header according to RFC 7231\n\n## Installation\n\n```sh\n$ npm install content-type\n```\n\n## API\n\n```js\nvar contentType = require('content-type')\n```\n\n### contentType.parse(string)\n\n```js\nvar obj = contentType.parse('image/svg+xml; charset=utf-8')\n```\n\nParse a `Content-Type` header. This will return an object with the following\nproperties (examples are shown for the string `'image/svg+xml; charset=utf-8'`):\n\n - `type`: The media type (the type and subtype, always lower case).\n Example: `'image/svg+xml'`\n\n - `parameters`: An object of the parameters in the media type (name of parameter\n always lower case). Example: `{charset: 'utf-8'}`\n\nThrows a `TypeError` if the string is missing or invalid.\n\n### contentType.parse(req)\n\n```js\nvar obj = contentType.parse(req)\n```\n\nParse the `Content-Type` header from the given `req`. Short-cut for\n`contentType.parse(req.headers['content-type'])`.\n\nThrows a `TypeError` if the `Content-Type` header is missing or invalid.\n\n### contentType.parse(res)\n\n```js\nvar obj = contentType.parse(res)\n```\n\nParse the `Content-Type` header set on the given `res`. Short-cut for\n`contentType.parse(res.getHeader('content-type'))`.\n\nThrows a `TypeError` if the `Content-Type` header is missing or invalid.\n\n### contentType.format(obj)\n\n```js\nvar str = contentType.format({\n type: 'image/svg+xml',\n parameters: { charset: 'utf-8' }\n})\n```\n\nFormat an object into a `Content-Type` header. This will return a string of the\ncontent type for the given object with the following properties (examples are\nshown that produce the string `'image/svg+xml; charset=utf-8'`):\n\n - `type`: The media type (will be lower-cased). Example: `'image/svg+xml'`\n\n - `parameters`: An object of the parameters in the media type (name of the\n parameter will be lower-cased). Example: `{charset: 'utf-8'}`\n\nThrows a `TypeError` if the object contains an invalid type or parameter names.\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://badgen.net/github/checks/jshttp/content-type/master?label=ci\n[ci-url]: https://github.com/jshttp/content-type/actions/workflows/ci.yml\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/content-type/master\n[coveralls-url]: https://coveralls.io/r/jshttp/content-type?branch=master\n[node-image]: https://badgen.net/npm/node/content-type\n[node-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/content-type\n[npm-url]: https://npmjs.org/package/content-type\n[npm-version-image]: https://badgen.net/npm/v/content-type\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/content-type/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/cookie/README.md ---\n# cookie\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][ci-image]][ci-url]\n[![Coverage Status][coveralls-image]][coveralls-url]\n\nBasic HTTP cookie parser and serializer for HTTP servers.\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install cookie\n```\n\n## API\n\n```js\nvar cookie = require('cookie');\n```\n\n### cookie.parse(str, options)\n\nParse an HTTP `Cookie` header string and returning an object of all cookie name-value pairs.\nThe `str` argument is the string representing a `Cookie` header value and `options` is an\noptional object containing additional parsing options.\n\n```js\nvar cookies = cookie.parse('foo=bar; equation=E%3Dmc%5E2');\n// { foo: 'bar', equation: 'E=mc^2' }\n```\n\n#### Options\n\n`cookie.parse` accepts these properties in the options object.\n\n##### decode\n\nSpecifies a function that will be used to decode a cookie's value. Since the value of a cookie\nhas a limited character set (and must be a simple string), this function can be used to decode\na previously-encoded cookie value into a JavaScript string or other object.\n\nThe default function is the global `decodeURIComponent`, which will decode any URL-encoded\nsequences into their byte representations.\n\n**note** if an error is thrown from this function, the original, non-decoded cookie value will\nbe returned as the cookie's value.\n\n### cookie.serialize(name, value, options)\n\nSerialize a cookie name-value pair into a `Set-Cookie` header string. The `name` argument is the\nname for the cookie, the `value` argument is the value to set the cookie to, and the `options`\nargument is an optional object containing additional serialization options.\n\n```js\nvar setCookie = cookie.serialize('foo', 'bar');\n// foo=bar\n```\n\n#### Options\n\n`cookie.serialize` accepts these properties in the options object.\n\n##### domain\n\nSpecifies the value for the [`Domain` `Set-Cookie` attribute][rfc-6265-5.2.3]. By default, no\ndomain is set, and most clients will consider the cookie to apply to only the current domain.\n\n##### encode\n\nSpecifies a function that will be used to encode a cookie's value. Since value of a cookie\nhas a limited character set (and must be a simple string), this function can be used to encode\na value into a string suited for a cookie's value.\n\nThe default function is the global `encodeURIComponent`, which will encode a JavaScript string\ninto UTF-8 byte sequences and then URL-encode any that fall outside of the cookie range.\n\n##### expires\n\nSpecifies the `Date` object to be the value for the [`Expires` `Set-Cookie` attribute][rfc-6265-5.2.1].\nBy default, no expiration is set, and most clients will consider this a \"non-persistent cookie\" and\nwill delete it on a condition like exiting a web browser application.\n\n**note** the [cookie storage model specification][rfc-6265-5.3] states that if both `expires` and\n`maxAge` are set, then `maxAge` takes precedence, but it is possible not all clients by obey this,\nso if both are set, they should point to the same date and time.\n\n##### httpOnly\n\nSpecifies the `boolean` value for the [`HttpOnly` `Set-Cookie` attribute][rfc-6265-5.2.6]. When truthy,\nthe `HttpOnly` attribute is set, otherwise it is not. By default, the `HttpOnly` attribute is not set.\n\n**note** be careful when setting this to `true`, as compliant clients will not allow client-side\nJavaScript to see the cookie in `document.cookie`.\n\n##### maxAge\n\nSpecifies the `number` (in seconds) to be the value for the [`Max-Age` `Set-Cookie` attribute][rfc-6265-5.2.2].\nThe given number will be converted to an integer by rounding down. By default, no maximum age is set.\n\n**note** the [cookie storage model specification][rfc-6265-5.3] states that if both `expires` and\n`maxAge` are set, then `maxAge` takes precedence, but it is possible not all clients by obey this,\nso if both are set, they should point to the same date and time.\n\n##### partitioned\n\nSpecifies the `boolean` value for the [`Partitioned` `Set-Cookie`](rfc-cutler-httpbis-partitioned-cookies)\nattribute. When truthy, the `Partitioned` attribute is set, otherwise it is not. By default, the\n`Partitioned` attribute is not set.\n\n**note** This is an attribute that has not yet been fully standardized, and may change in the future.\nThis also means many clients may ignore this attribute until they understand it.\n\nMore information about can be found in [the proposal](https://github.com/privacycg/CHIPS).\n\n##### path\n\nSpecifies the value for the [`Path` `Set-Cookie` attribute][rfc-6265-5.2.4]. By default, the path\nis considered the [\"default path\"][rfc-6265-5.1.4].\n\n##### priority\n\nSpecifies the `string` to be the value for the [`Priority` `Set-Cookie` attribute][rfc-west-cookie-priority-00-4.1].\n\n - `'low'` will set the `Priority` attribute to `Low`.\n - `'medium'` will set the `Priority` attribute to `Medium`, the default priority when not set.\n - `'high'` will set the `Priority` attribute to `High`.\n\nMore information about the different priority levels can be found in\n[the specification][rfc-west-cookie-priority-00-4.1].\n\n**note** This is an attribute that has not yet been fully standardized, and may change in the future.\nThis also means many clients may ignore this attribute until they understand it.\n\n##### sameSite\n\nSpecifies the `boolean` or `string` to be the value for the [`SameSite` `Set-Cookie` attribute][rfc-6265bis-09-5.4.7].\n\n - `true` will set the `SameSite` attribute to `Strict` for strict same site enforcement.\n - `false` will not set the `SameSite` attribute.\n - `'lax'` will set the `SameSite` attribute to `Lax` for lax same site enforcement.\n - `'none'` will set the `SameSite` attribute to `None` for an explicit cross-site cookie.\n - `'strict'` will set the `SameSite` attribute to `Strict` for strict same site enforcement.\n\nMore information about the different enforcement levels can be found in\n[the specification][rfc-6265bis-09-5.4.7].\n\n**note** This is an attribute that has not yet been fully standardized, and may change in the future.\nThis also means many clients may ignore this attribute until they understand it.\n\n##### secure\n\nSpecifies the `boolean` value for the [`Secure` `Set-Cookie` attribute][rfc-6265-5.2.5]. When truthy,\nthe `Secure` attribute is set, otherwise it is not. By default, the `Secure` attribute is not set.\n\n**note** be careful when setting this to `true`, as compliant clients will not send the cookie back to\nthe server in the future if the browser does not have an HTTPS connection.\n\n## Example\n\nThe following example uses this module in conjunction with the Node.js core HTTP server\nto prompt a user for their name and display it back on future visits.\n\n```js\nvar cookie = require('cookie');\nvar escapeHtml = require('escape-html');\nvar http = require('http');\nvar url = require('url');\n\nfunction onRequest(req, res) {\n // Parse the query string\n var query = url.parse(req.url, true, true).query;\n\n if (query && query.name) {\n // Set a new cookie with the name\n res.setHeader('Set-Cookie', cookie.serialize('name', String(query.name), {\n httpOnly: true,\n maxAge: 60 * 60 * 24 * 7 // 1 week\n }));\n\n // Redirect back after setting cookie\n res.statusCode = 302;\n res.setHeader('Location', req.headers.referer || '/');\n res.end();\n return;\n }\n\n // Parse the cookies on the request\n var cookies = cookie.parse(req.headers.cookie || '');\n\n // Get the visitor name set in the cookie\n var name = cookies.name;\n\n res.setHeader('Content-Type', 'text/html; charset=UTF-8');\n\n if (name) {\n res.write('<p>Welcome back, <b>' + escapeHtml(name) + '</b>!</p>');\n } else {\n res.write('<p>Hello, new visitor!</p>');\n }\n\n res.write('<form method=\"GET\">');\n res.write('<input placeholder=\"enter your name\" name=\"name\"> <input type=\"submit\" value=\"Set Name\">');\n res.end('</form>');\n}\n\nhttp.createServer(onRequest).listen(3000);\n```\n\n## Testing\n\n```sh\n$ npm test\n```\n\n## Benchmark\n\n```\n$ npm run bench\n\n> cookie@0.5.0 bench\n> node benchmark/index.js\n\n node@18.18.2\n acorn@8.10.0\n ada@2.6.0\n ares@1.19.1\n brotli@1.0.9\n cldr@43.1\n icu@73.2\n llhttp@6.0.11\n modules@108\n napi@9\n nghttp2@1.57.0\n nghttp3@0.7.0\n ngtcp2@0.8.1\n openssl@3.0.10+quic\n simdutf@3.2.14\n tz@2023c\n undici@5.26.3\n unicode@15.0\n uv@1.44.2\n uvwasi@0.0.18\n v8@10.2.154.26-node.26\n zlib@1.2.13.1-motley\n\n> node benchmark/parse-top.js\n\n cookie.parse - top sites\n\n 14 tests completed.\n\n parse accounts.google.com x 2,588,913 ops/sec ±0.74% (186 runs sampled)\n parse apple.com x 2,370,002 ops/sec ±0.69% (186 runs sampled)\n parse cloudflare.com x 2,213,102 ops/sec ±0.88% (188 runs sampled)\n parse docs.google.com x 2,194,157 ops/sec ±1.03% (184 runs sampled)\n parse drive.google.com x 2,265,084 ops/sec ±0.79% (187 runs sampled)\n parse en.wikipedia.org x 457,099 ops/sec ±0.81% (186 runs sampled)\n parse linkedin.com x 504,407 ops/sec ±0.89% (186 runs sampled)\n parse maps.google.com x 1,230,959 ops/sec ±0.98% (186 runs sampled)\n parse microsoft.com x 926,294 ops/sec ±0.88% (184 runs sampled)\n parse play.google.com x 2,311,338 ops/sec ±0.83% (185 runs sampled)\n parse support.google.com x 1,508,850 ops/sec ±0.86% (186 runs sampled)\n parse www.google.com x 1,022,582 ops/sec ±1.32% (182 runs sampled)\n parse youtu.be x 332,136 ops/sec ±1.02% (185 runs sampled)\n parse youtube.com x 323,833 ops/sec ±0.77% (183 runs sampled)\n\n> node benchmark/parse.js\n\n cookie.parse - generic\n\n 6 tests completed.\n\n simple x 3,214,032 ops/sec ±1.61% (183 runs sampled)\n decode x 587,237 ops/sec ±1.16% (187 runs sampled)\n unquote x 2,954,618 ops/sec ±1.35% (183 runs sampled)\n duplicates x 857,008 ops/sec ±0.89% (187 runs sampled)\n 10 cookies x 292,133 ops/sec ±0.89% (187 runs sampled)\n 100 cookies x 22,610 ops/sec ±0.68% (187 runs sampled)\n```\n\n## References\n\n- [RFC 6265: HTTP State Management Mechanism][rfc-6265]\n- [Same-site Cookies][rfc-6265bis-09-5.4.7]\n\n[rfc-cutler-httpbis-partitioned-cookies]: https://tools.ietf.org/html/draft-cutler-httpbis-partitioned-cookies/\n[rfc-west-cookie-priority-00-4.1]: https://tools.ietf.org/html/draft-west-cookie-priority-00#section-4.1\n[rfc-6265bis-09-5.4.7]: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-09#section-5.4.7\n[rfc-6265]: https://tools.ietf.org/html/rfc6265\n[rfc-6265-5.1.4]: https://tools.ietf.org/html/rfc6265#section-5.1.4\n[rfc-6265-5.2.1]: https://tools.ietf.org/html/rfc6265#section-5.2.1\n[rfc-6265-5.2.2]: https://tools.ietf.org/html/rfc6265#section-5.2.2\n[rfc-6265-5.2.3]: https://tools.ietf.org/html/rfc6265#section-5.2.3\n[rfc-6265-5.2.4]: https://tools.ietf.org/html/rfc6265#section-5.2.4\n[rfc-6265-5.2.5]: https://tools.ietf.org/html/rfc6265#section-5.2.5\n[rfc-6265-5.2.6]: https://tools.ietf.org/html/rfc6265#section-5.2.6\n[rfc-6265-5.3]: https://tools.ietf.org/html/rfc6265#section-5.3\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://badgen.net/github/checks/jshttp/cookie/master?label=ci\n[ci-url]: https://github.com/jshttp/cookie/actions/workflows/ci.yml\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/cookie/master\n[coveralls-url]: https://coveralls.io/r/jshttp/cookie?branch=master\n[node-image]: https://badgen.net/npm/node/cookie\n[node-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/cookie\n[npm-url]: https://npmjs.org/package/cookie\n[npm-version-image]: https://badgen.net/npm/v/cookie\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/cookie/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/cors/README.md ---\n# cors\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Build Status][travis-image]][travis-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nCORS is a node.js package for providing a [Connect](http://www.senchalabs.org/connect/)/[Express](http://expressjs.com/) middleware that can be used to enable [CORS](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing) with various options.\n\n**[Follow me (@troygoode) on Twitter!](https://twitter.com/intent/user?screen_name=troygoode)**\n\n* [Installation](#installation)\n* [Usage](#usage)\n * [Simple Usage](#simple-usage-enable-all-cors-requests)\n * [Enable CORS for a Single Route](#enable-cors-for-a-single-route)\n * [Configuring CORS](#configuring-cors)\n * [Configuring CORS Asynchronously](#configuring-cors-asynchronously)\n * [Enabling CORS Pre-Flight](#enabling-cors-pre-flight)\n* [Configuration Options](#configuration-options)\n* [Demo](#demo)\n* [License](#license)\n* [Author](#author)\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install cors\n```\n\n## Usage\n\n### Simple Usage (Enable *All* CORS Requests)\n\n```javascript\nvar express = require('express')\nvar cors = require('cors')\nvar app = express()\n\napp.use(cors())\n\napp.get('/products/:id', function (req, res, next) {\n res.json({msg: 'This is CORS-enabled for all origins!'})\n})\n\napp.listen(80, function () {\n console.log('CORS-enabled web server listening on port 80')\n})\n```\n\n### Enable CORS for a Single Route\n\n```javascript\nvar express = require('express')\nvar cors = require('cors')\nvar app = express()\n\napp.get('/products/:id', cors(), function (req, res, next) {\n res.json({msg: 'This is CORS-enabled for a Single Route'})\n})\n\napp.listen(80, function () {\n console.log('CORS-enabled web server listening on port 80')\n})\n```\n\n### Configuring CORS\n\n```javascript\nvar express = require('express')\nvar cors = require('cors')\nvar app = express()\n\nvar corsOptions = {\n origin: 'http://example.com',\n optionsSuccessStatus: 200 // some legacy browsers (IE11, various SmartTVs) choke on 204\n}\n\napp.get('/products/:id', cors(corsOptions), function (req, res, next) {\n res.json({msg: 'This is CORS-enabled for only example.com.'})\n})\n\napp.listen(80, function () {\n console.log('CORS-enabled web server listening on port 80')\n})\n```\n\n### Configuring CORS w/ Dynamic Origin\n\n```javascript\nvar express = require('express')\nvar cors = require('cors')\nvar app = express()\n\nvar whitelist = ['http://example1.com', 'http://example2.com']\nvar corsOptions = {\n origin: function (origin, callback) {\n if (whitelist.indexOf(origin) !== -1) {\n callback(null, true)\n } else {\n callback(new Error('Not allowed by CORS'))\n }\n }\n}\n\napp.get('/products/:id', cors(corsOptions), function (req, res, next) {\n res.json({msg: 'This is CORS-enabled for a whitelisted domain.'})\n})\n\napp.listen(80, function () {\n console.log('CORS-enabled web server listening on port 80')\n})\n```\n\nIf you do not want to block REST tools or server-to-server requests,\nadd a `!origin` check in the origin function like so:\n\n```javascript\nvar corsOptions = {\n origin: function (origin, callback) {\n if (whitelist.indexOf(origin) !== -1 || !origin) {\n callback(null, true)\n } else {\n callback(new Error('Not allowed by CORS'))\n }\n }\n}\n```\n\n### Enabling CORS Pre-Flight\n\nCertain CORS requests are considered 'complex' and require an initial\n`OPTIONS` request (called the \"pre-flight request\"). An example of a\n'complex' CORS request is one that uses an HTTP verb other than\nGET/HEAD/POST (such as DELETE) or that uses custom headers. To enable\npre-flighting, you must add a new OPTIONS handler for the route you want\nto support:\n\n```javascript\nvar express = require('express')\nvar cors = require('cors')\nvar app = express()\n\napp.options('/products/:id', cors()) // enable pre-flight request for DELETE request\napp.del('/products/:id', cors(), function (req, res, next) {\n res.json({msg: 'This is CORS-enabled for all origins!'})\n})\n\napp.listen(80, function () {\n console.log('CORS-enabled web server listening on port 80')\n})\n```\n\nYou can also enable pre-flight across-the-board like so:\n\n```javascript\napp.options('*', cors()) // include before other routes\n```\n\n### Configuring CORS Asynchronously\n\n```javascript\nvar express = require('express')\nvar cors = require('cors')\nvar app = express()\n\nvar whitelist = ['http://example1.com', 'http://example2.com']\nvar corsOptionsDelegate = function (req, callback) {\n var corsOptions;\n if (whitelist.indexOf(req.header('Origin')) !== -1) {\n corsOptions = { origin: true } // reflect (enable) the requested origin in the CORS response\n } else {\n corsOptions = { origin: false } // disable CORS for this request\n }\n callback(null, corsOptions) // callback expects two parameters: error and options\n}\n\napp.get('/products/:id', cors(corsOptionsDelegate), function (req, res, next) {\n res.json({msg: 'This is CORS-enabled for a whitelisted domain.'})\n})\n\napp.listen(80, function () {\n console.log('CORS-enabled web server listening on port 80')\n})\n```\n\n## Configuration Options\n\n* `origin`: Configures the **Access-Control-Allow-Origin** CORS header. Possible values:\n - `Boolean` - set `origin` to `true` to reflect the [request origin](http://tools.ietf.org/html/draft-abarth-origin-09), as defined by `req.header('Origin')`, or set it to `false` to disable CORS.\n - `String` - set `origin` to a specific origin. For example if you set it to `\"http://example.com\"` only requests from \"http://example.com\" will be allowed.\n - `RegExp` - set `origin` to a regular expression pattern which will be used to test the request origin. If it's a match, the request origin will be reflected. For example the pattern `/example\\.com$/` will reflect any request that is coming from an origin ending with \"example.com\".\n - `Array` - set `origin` to an array of valid origins. Each origin can be a `String` or a `RegExp`. For example `[\"http://example1.com\", /\\.example2\\.com$/]` will accept any request from \"http://example1.com\" or from a subdomain of \"example2.com\".\n - `Function` - set `origin` to a function implementing some custom logic. The function takes the request origin as the first parameter and a callback (which expects the signature `err [object], allow [bool]`) as the second.\n* `methods`: Configures the **Access-Control-Allow-Methods** CORS header. Expects a comma-delimited string (ex: 'GET,PUT,POST') or an array (ex: `['GET', 'PUT', 'POST']`).\n* `allowedHeaders`: Configures the **Access-Control-Allow-Headers** CORS header. Expects a comma-delimited string (ex: 'Content-Type,Authorization') or an array (ex: `['Content-Type', 'Authorization']`). If not specified, defaults to reflecting the headers specified in the request's **Access-Control-Request-Headers** header.\n* `exposedHeaders`: Configures the **Access-Control-Expose-Headers** CORS header. Expects a comma-delimited string (ex: 'Content-Range,X-Content-Range') or an array (ex: `['Content-Range', 'X-Content-Range']`). If not specified, no custom headers are exposed.\n* `credentials`: Configures the **Access-Control-Allow-Credentials** CORS header. Set to `true` to pass the header, otherwise it is omitted.\n* `maxAge`: Configures the **Access-Control-Max-Age** CORS header. Set to an integer to pass the header, otherwise it is omitted.\n* `preflightContinue`: Pass the CORS preflight response to the next handler.\n* `optionsSuccessStatus`: Provides a status code to use for successful `OPTIONS` requests, since some legacy browsers (IE11, various SmartTVs) choke on `204`.\n\nThe default configuration is the equivalent of:\n\n```json\n{\n \"origin\": \"*\",\n \"methods\": \"GET,HEAD,PUT,PATCH,POST,DELETE\",\n \"preflightContinue\": false,\n \"optionsSuccessStatus\": 204\n}\n```\n\nFor details on the effect of each CORS header, read [this](http://www.html5rocks.com/en/tutorials/cors/) article on HTML5 Rocks.\n\n## Demo\n\nA demo that illustrates CORS working (and not working) using jQuery is available here: [http://node-cors-client.herokuapp.com/](http://node-cors-client.herokuapp.com/)\n\nCode for that demo can be found here:\n\n* Client: [https://github.com/TroyGoode/node-cors-client](https://github.com/TroyGoode/node-cors-client)\n* Server: [https://github.com/TroyGoode/node-cors-server](https://github.com/TroyGoode/node-cors-server)\n\n## License\n\n[MIT License](http://www.opensource.org/licenses/mit-license.php)\n\n## Author\n\n[Troy Goode](https://github.com/TroyGoode) ([troygoode@gmail.com](mailto:troygoode@gmail.com))\n\n[coveralls-image]: https://img.shields.io/coveralls/expressjs/cors/master.svg\n[coveralls-url]: https://coveralls.io/r/expressjs/cors?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/cors.svg\n[downloads-url]: https://npmjs.org/package/cors\n[npm-image]: https://img.shields.io/npm/v/cors.svg\n[npm-url]: https://npmjs.org/package/cors\n[travis-image]: https://img.shields.io/travis/expressjs/cors/master.svg\n[travis-url]: https://travis-ci.org/expressjs/cors\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/cors/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/cross-spawn/README.md ---\n# cross-spawn\n\n[![NPM version][npm-image]][npm-url] [![Downloads][downloads-image]][npm-url] [![Build Status][ci-image]][ci-url] [![Build status][appveyor-image]][appveyor-url]\n\n[npm-url]:https://npmjs.org/package/cross-spawn\n[downloads-image]:https://img.shields.io/npm/dm/cross-spawn.svg\n[npm-image]:https://img.shields.io/npm/v/cross-spawn.svg\n[ci-url]:https://github.com/moxystudio/node-cross-spawn/actions/workflows/ci.yaml\n[ci-image]:https://github.com/moxystudio/node-cross-spawn/actions/workflows/ci.yaml/badge.svg\n[appveyor-url]:https://ci.appveyor.com/project/satazor/node-cross-spawn\n[appveyor-image]:https://img.shields.io/appveyor/ci/satazor/node-cross-spawn/master.svg\n\nA cross platform solution to node's spawn and spawnSync.\n\n## Installation\n\nNode.js version 8 and up:\n`$ npm install cross-spawn`\n\nNode.js version 7 and under:\n`$ npm install cross-spawn@6`\n\n## Why\n\nNode has issues when using spawn on Windows:\n\n- It ignores [PATHEXT](https://github.com/joyent/node/issues/2318)\n- It does not support [shebangs](https://en.wikipedia.org/wiki/Shebang_(Unix))\n- Has problems running commands with [spaces](https://github.com/nodejs/node/issues/7367)\n- Has problems running commands with posix relative paths (e.g.: `./my-folder/my-executable`)\n- Has an [issue](https://github.com/moxystudio/node-cross-spawn/issues/82) with command shims (files in `node_modules/.bin/`), where arguments with quotes and parenthesis would result in [invalid syntax error](https://github.com/moxystudio/node-cross-spawn/blob/e77b8f22a416db46b6196767bcd35601d7e11d54/test/index.test.js#L149)\n- No `options.shell` support on node `<v4.8`\n\nAll these issues are handled correctly by `cross-spawn`.\nThere are some known modules, such as [win-spawn](https://github.com/ForbesLindesay/win-spawn), that try to solve this but they are either broken or provide faulty escaping of shell arguments.\n\n\n## Usage\n\nExactly the same way as node's [`spawn`](https://nodejs.org/api/child_process.html#child_process_child_process_spawn_command_args_options) or [`spawnSync`](https://nodejs.org/api/child_process.html#child_process_child_process_spawnsync_command_args_options), so it's a drop in replacement.\n\n\n```js\nconst spawn = require('cross-spawn');\n\n// Spawn NPM asynchronously\nconst child = spawn('npm', ['list', '-g', '-depth', '0'], { stdio: 'inherit' });\n\n// Spawn NPM synchronously\nconst result = spawn.sync('npm', ['list', '-g', '-depth', '0'], { stdio: 'inherit' });\n```\n\n\n## Caveats\n\n### Using `options.shell` as an alternative to `cross-spawn`\n\nStarting from node `v4.8`, `spawn` has a `shell` option that allows you run commands from within a shell. This new option solves\nthe [PATHEXT](https://github.com/joyent/node/issues/2318) issue but:\n\n- It's not supported in node `<v4.8`\n- You must manually escape the command and arguments which is very error prone, specially when passing user input\n- There are a lot of other unresolved issues from the [Why](#why) section that you must take into account\n\nIf you are using the `shell` option to spawn a command in a cross platform way, consider using `cross-spawn` instead. You have been warned.\n\n### `options.shell` support\n\nWhile `cross-spawn` adds support for `options.shell` in node `<v4.8`, all of its enhancements are disabled.\n\nThis mimics the Node.js behavior. More specifically, the command and its arguments will not be automatically escaped nor shebang support will be offered. This is by design because if you are using `options.shell` you are probably targeting a specific platform anyway and you don't want things to get into your way.\n\n### Shebangs support\n\nWhile `cross-spawn` handles shebangs on Windows, its support is limited. More specifically, it just supports `#!/usr/bin/env <program>` where `<program>` must not contain any arguments. \nIf you would like to have the shebang support improved, feel free to contribute via a pull-request.\n\nRemember to always test your code on Windows!\n\n\n## Tests\n\n`$ npm test` \n`$ npm test -- --watch` during development\n\n\n## License\n\nReleased under the [MIT License](https://www.opensource.org/licenses/mit-license.php).\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/cross-spawn/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/debug/README.md ---\n# debug\n[![OpenCollective](https://opencollective.com/debug/backers/badge.svg)](#backers)\n[![OpenCollective](https://opencollective.com/debug/sponsors/badge.svg)](#sponsors)\n\n<img width=\"647\" src=\"https://user-images.githubusercontent.com/71256/29091486-fa38524c-7c37-11e7-895f-e7ec8e1039b6.png\">\n\nA tiny JavaScript debugging utility modelled after Node.js core's debugging\ntechnique. Works in Node.js and web browsers.\n\n## Installation\n\n```bash\n$ npm install debug\n```\n\n## Usage\n\n`debug` exposes a function; simply pass this function the name of your module, and it will return a decorated version of `console.error` for you to pass debug statements to. This will allow you to toggle the debug output for different parts of your module as well as the module as a whole.\n\nExample [_app.js_](./examples/node/app.js):\n\n```js\nvar debug = require('debug')('http')\n , http = require('http')\n , name = 'My App';\n\n// fake app\n\ndebug('booting %o', name);\n\nhttp.createServer(function(req, res){\n debug(req.method + ' ' + req.url);\n res.end('hello\\n');\n}).listen(3000, function(){\n debug('listening');\n});\n\n// fake worker of some kind\n\nrequire('./worker');\n```\n\nExample [_worker.js_](./examples/node/worker.js):\n\n```js\nvar a = require('debug')('worker:a')\n , b = require('debug')('worker:b');\n\nfunction work() {\n a('doing lots of uninteresting work');\n setTimeout(work, Math.random() * 1000);\n}\n\nwork();\n\nfunction workb() {\n b('doing some work');\n setTimeout(workb, Math.random() * 2000);\n}\n\nworkb();\n```\n\nThe `DEBUG` environment variable is then used to enable these based on space or\ncomma-delimited names.\n\nHere are some examples:\n\n<img width=\"647\" alt=\"screen shot 2017-08-08 at 12 53 04 pm\" src=\"https://user-images.githubusercontent.com/71256/29091703-a6302cdc-7c38-11e7-8304-7c0b3bc600cd.png\">\n<img width=\"647\" alt=\"screen shot 2017-08-08 at 12 53 38 pm\" src=\"https://user-images.githubusercontent.com/71256/29091700-a62a6888-7c38-11e7-800b-db911291ca2b.png\">\n<img width=\"647\" alt=\"screen shot 2017-08-08 at 12 53 25 pm\" src=\"https://user-images.githubusercontent.com/71256/29091701-a62ea114-7c38-11e7-826a-2692bedca740.png\">\n\n#### Windows command prompt notes\n\n##### CMD\n\nOn Windows the environment variable is set using the `set` command.\n\n```cmd\nset DEBUG=*,-not_this\n```\n\nExample:\n\n```cmd\nset DEBUG=* & node app.js\n```\n\n##### PowerShell (VS Code default)\n\nPowerShell uses different syntax to set environment variables.\n\n```cmd\n$env:DEBUG = \"*,-not_this\"\n```\n\nExample:\n\n```cmd\n$env:DEBUG='app';node app.js\n```\n\nThen, run the program to be debugged as usual.\n\nnpm script example:\n```js\n \"windowsDebug\": \"@powershell -Command $env:DEBUG='*';node app.js\",\n```\n\n## Namespace Colors\n\nEvery debug instance has a color generated for it based on its namespace name.\nThis helps when visually parsing the debug output to identify which debug instance\na debug line belongs to.\n\n#### Node.js\n\nIn Node.js, colors are enabled when stderr is a TTY. You also _should_ install\nthe [`supports-color`](https://npmjs.org/supports-color) module alongside debug,\notherwise debug will only use a small handful of basic colors.\n\n<img width=\"521\" src=\"https://user-images.githubusercontent.com/71256/29092181-47f6a9e6-7c3a-11e7-9a14-1928d8a711cd.png\">\n\n#### Web Browser\n\nColors are also enabled on \"Web Inspectors\" that understand the `%c` formatting\noption. These are WebKit web inspectors, Firefox ([since version\n31](https://hacks.mozilla.org/2014/05/editable-box-model-multiple-selection-sublime-text-keys-much-more-firefox-developer-tools-episode-31/))\nand the Firebug plugin for Firefox (any version).\n\n<img width=\"524\" src=\"https://user-images.githubusercontent.com/71256/29092033-b65f9f2e-7c39-11e7-8e32-f6f0d8e865c1.png\">\n\n\n## Millisecond diff\n\nWhen actively developing an application it can be useful to see when the time spent between one `debug()` call and the next. Suppose for example you invoke `debug()` before requesting a resource, and after as well, the \"+NNNms\" will show you how much time was spent between calls.\n\n<img width=\"647\" src=\"https://user-images.githubusercontent.com/71256/29091486-fa38524c-7c37-11e7-895f-e7ec8e1039b6.png\">\n\nWhen stdout is not a TTY, `Date#toISOString()` is used, making it more useful for logging the debug information as shown below:\n\n<img width=\"647\" src=\"https://user-images.githubusercontent.com/71256/29091956-6bd78372-7c39-11e7-8c55-c948396d6edd.png\">\n\n\n## Conventions\n\nIf you're using this in one or more of your libraries, you _should_ use the name of your library so that developers may toggle debugging as desired without guessing names. If you have more than one debuggers you _should_ prefix them with your library name and use \":\" to separate features. For example \"bodyParser\" from Connect would then be \"connect:bodyParser\". If you append a \"*\" to the end of your name, it will always be enabled regardless of the setting of the DEBUG environment variable. You can then use it for normal output as well as debug output.\n\n## Wildcards\n\nThe `*` character may be used as a wildcard. Suppose for example your library has\ndebuggers named \"connect:bodyParser\", \"connect:compress\", \"connect:session\",\ninstead of listing all three with\n`DEBUG=connect:bodyParser,connect:compress,connect:session`, you may simply do\n`DEBUG=connect:*`, or to run everything using this module simply use `DEBUG=*`.\n\nYou can also exclude specific debuggers by prefixing them with a \"-\" character.\nFor example, `DEBUG=*,-connect:*` would include all debuggers except those\nstarting with \"connect:\".\n\n## Environment Variables\n\nWhen running through Node.js, you can set a few environment variables that will\nchange the behavior of the debug logging:\n\n| Name | Purpose |\n|-----------|-------------------------------------------------|\n| `DEBUG` | Enables/disables specific debugging namespaces. |\n| `DEBUG_HIDE_DATE` | Hide date from debug output (non-TTY). |\n| `DEBUG_COLORS`| Whether or not to use colors in the debug output. |\n| `DEBUG_DEPTH` | Object inspection depth. |\n| `DEBUG_SHOW_HIDDEN` | Shows hidden properties on inspected objects. |\n\n\n__Note:__ The environment variables beginning with `DEBUG_` end up being\nconverted into an Options object that gets used with `%o`/`%O` formatters.\nSee the Node.js documentation for\n[`util.inspect()`](https://nodejs.org/api/util.html#util_util_inspect_object_options)\nfor the complete list.\n\n## Formatters\n\nDebug uses [printf-style](https://wikipedia.org/wiki/Printf_format_string) formatting.\nBelow are the officially supported formatters:\n\n| Formatter | Representation |\n|-----------|----------------|\n| `%O` | Pretty-print an Object on multiple lines. |\n| `%o` | Pretty-print an Object all on a single line. |\n| `%s` | String. |\n| `%d` | Number (both integer and float). |\n| `%j` | JSON. Replaced with the string '[Circular]' if the argument contains circular references. |\n| `%%` | Single percent sign ('%'). This does not consume an argument. |\n\n\n### Custom formatters\n\nYou can add custom formatters by extending the `debug.formatters` object.\nFor example, if you wanted to add support for rendering a Buffer as hex with\n`%h`, you could do something like:\n\n```js\nconst createDebug = require('debug')\ncreateDebug.formatters.h = (v) => {\n return v.toString('hex')\n}\n\n// …elsewhere\nconst debug = createDebug('foo')\ndebug('this is hex: %h', new Buffer('hello world'))\n// foo this is hex: 68656c6c6f20776f726c6421 +0ms\n```\n\n\n## Browser Support\n\nYou can build a browser-ready script using [browserify](https://github.com/substack/node-browserify),\nor just use the [browserify-as-a-service](https://wzrd.in/) [build](https://wzrd.in/standalone/debug@latest),\nif you don't want to build it yourself.\n\nDebug's enable state is currently persisted by `localStorage`.\nConsider the situation shown below where you have `worker:a` and `worker:b`,\nand wish to debug both. You can enable this using `localStorage.debug`:\n\n```js\nlocalStorage.debug = 'worker:*'\n```\n\nAnd then refresh the page.\n\n```js\na = debug('worker:a');\nb = debug('worker:b');\n\nsetInterval(function(){\n a('doing some work');\n}, 1000);\n\nsetInterval(function(){\n b('doing some work');\n}, 1200);\n```\n\nIn Chromium-based web browsers (e.g. Brave, Chrome, and Electron), the JavaScript console will—by default—only show messages logged by `debug` if the \"Verbose\" log level is _enabled_.\n\n<img width=\"647\" src=\"https://user-images.githubusercontent.com/7143133/152083257-29034707-c42c-4959-8add-3cee850e6fcf.png\">\n\n## Output streams\n\n By default `debug` will log to stderr, however this can be configured per-namespace by overriding the `log` method:\n\nExample [_stdout.js_](./examples/node/stdout.js):\n\n```js\nvar debug = require('debug');\nvar error = debug('app:error');\n\n// by default stderr is used\nerror('goes to stderr!');\n\nvar log = debug('app:log');\n// set this namespace to log via console.log\nlog.log = console.log.bind(console); // don't forget to bind to console!\nlog('goes to stdout');\nerror('still goes to stderr!');\n\n// set all output to go via console.info\n// overrides all per-namespace log settings\ndebug.log = console.info.bind(console);\nerror('now goes to stdout via console.info');\nlog('still goes to stdout, but via console.info now');\n```\n\n## Extend\nYou can simply extend debugger \n```js\nconst log = require('debug')('auth');\n\n//creates new debug instance with extended namespace\nconst logSign = log.extend('sign');\nconst logLogin = log.extend('login');\n\nlog('hello'); // auth hello\nlogSign('hello'); //auth:sign hello\nlogLogin('hello'); //auth:login hello\n```\n\n## Set dynamically\n\nYou can also enable debug dynamically by calling the `enable()` method :\n\n```js\nlet debug = require('debug');\n\nconsole.log(1, debug.enabled('test'));\n\ndebug.enable('test');\nconsole.log(2, debug.enabled('test'));\n\ndebug.disable();\nconsole.log(3, debug.enabled('test'));\n\n```\n\nprint : \n```\n1 false\n2 true\n3 false\n```\n\nUsage : \n`enable(namespaces)` \n`namespaces` can include modes separated by a colon and wildcards.\n \nNote that calling `enable()` completely overrides previously set DEBUG variable : \n\n```\n$ DEBUG=foo node -e 'var dbg = require(\"debug\"); dbg.enable(\"bar\"); console.log(dbg.enabled(\"foo\"))'\n=> false\n```\n\n`disable()`\n\nWill disable all namespaces. The functions returns the namespaces currently\nenabled (and skipped). This can be useful if you want to disable debugging\ntemporarily without knowing what was enabled to begin with.\n\nFor example:\n\n```js\nlet debug = require('debug');\ndebug.enable('foo:*,-foo:bar');\nlet namespaces = debug.disable();\ndebug.enable(namespaces);\n```\n\nNote: There is no guarantee that the string will be identical to the initial\nenable string, but semantically they will be identical.\n\n## Checking whether a debug target is enabled\n\nAfter you've created a debug instance, you can determine whether or not it is\nenabled by checking the `enabled` property:\n\n```javascript\nconst debug = require('debug')('http');\n\nif (debug.enabled) {\n // do stuff...\n}\n```\n\nYou can also manually toggle this property to force the debug instance to be\nenabled or disabled.\n\n## Usage in child processes\n\nDue to the way `debug` detects if the output is a TTY or not, colors are not shown in child processes when `stderr` is piped. A solution is to pass the `DEBUG_COLORS=1` environment variable to the child process. \nFor example:\n\n```javascript\nworker = fork(WORKER_WRAP_PATH, [workerPath], {\n stdio: [\n /* stdin: */ 0,\n /* stdout: */ 'pipe',\n /* stderr: */ 'pipe',\n 'ipc',\n ],\n env: Object.assign({}, process.env, {\n DEBUG_COLORS: 1 // without this settings, colors won't be shown\n }),\n});\n\nworker.stderr.pipe(process.stderr, { end: false });\n```\n\n\n## Authors\n\n - TJ Holowaychuk\n - Nathan Rajlich\n - Andrew Rhyne\n - Josh Junon\n\n## Backers\n\nSupport us with a monthly donation and help us continue our activities. [[Become a backer](https://opencollective.com/debug#backer)]\n\n<a href=\"https://opencollective.com/debug/backer/0/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/0/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/1/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/1/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/2/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/2/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/3/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/3/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/4/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/4/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/5/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/5/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/6/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/6/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/7/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/7/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/8/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/8/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/9/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/9/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/10/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/10/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/11/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/11/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/12/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/12/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/13/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/13/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/14/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/14/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/15/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/15/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/16/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/16/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/17/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/17/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/18/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/18/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/19/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/19/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/20/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/20/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/21/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/21/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/22/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/22/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/23/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/23/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/24/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/24/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/25/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/25/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/26/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/26/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/27/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/27/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/28/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/28/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/backer/29/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/backer/29/avatar.svg\"></a>\n\n\n## Sponsors\n\nBecome a sponsor and get your logo on our README on Github with a link to your site. [[Become a sponsor](https://opencollective.com/debug#sponsor)]\n\n<a href=\"https://opencollective.com/debug/sponsor/0/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/0/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/1/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/1/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/2/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/2/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/3/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/3/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/4/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/4/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/5/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/5/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/6/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/6/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/7/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/7/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/8/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/8/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/9/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/9/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/10/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/10/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/11/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/11/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/12/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/12/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/13/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/13/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/14/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/14/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/15/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/15/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/16/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/16/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/17/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/17/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/18/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/18/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/19/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/19/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/20/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/20/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/21/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/21/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/22/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/22/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/23/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/23/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/24/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/24/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/25/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/25/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/26/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/26/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/27/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/27/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/28/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/28/avatar.svg\"></a>\n<a href=\"https://opencollective.com/debug/sponsor/29/website\" target=\"_blank\"><img src=\"https://opencollective.com/debug/sponsor/29/avatar.svg\"></a>\n\n## License\n\n(The MIT License)\n\nCopyright (c) 2014-2017 TJ Holowaychuk &lt;tj@vision-media.ca&gt;\nCopyright (c) 2018-2021 Josh Junon\n\nPermission is hereby granted, free of charge, to any person obtaining\na copy of this software and associated documentation files (the\n'Software'), to deal in the Software without restriction, including\nwithout limitation the rights to use, copy, modify, merge, publish,\ndistribute, sublicense, and/or sell copies of the Software, and to\npermit persons to whom the Software is furnished to do so, subject to\nthe following conditions:\n\nThe above copyright notice and this permission notice shall be\nincluded in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.\nIN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY\nCLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,\nTORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE\nSOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/debug/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/deep-eql/README.md ---\n<h1 align=center>\n <a href=\"http://chaijs.com\" title=\"Chai Documentation\">\n <img alt=\"deep-eql\" src=\"https://raw.githubusercontent.com/chaijs/deep-eql/main/deep-eql-logo.svg\"/>\n </a>\n</h1>\n\n<p align=center>\n Improved deep equality testing for <a href=\"http://nodejs.org/\">node</a> and the browser.\n</p>\n\n<p align=center>\n <a href=\"https://github.com/chaijs/deep-eql/actions\">\n <img\n alt=\"build:?\"\n src=\"https://github.com/chaijs/deep-eql/workflows/Build/badge.svg\"\n />\n </a><a href=\"https://coveralls.io/r/chaijs/deep-eql\">\n <img\n alt=\"coverage:?\"\n src=\"https://img.shields.io/coveralls/chaijs/deep-eql/master.svg?style=flat-square\"\n />\n </a><a href=\"https://www.npmjs.com/packages/deep-eql\">\n <img\n alt=\"dependencies:?\"\n src=\"https://img.shields.io/npm/dm/deep-eql.svg?style=flat-square\"\n />\n </a><a href=\"\">\n <img\n alt=\"devDependencies:?\"\n src=\"https://img.shields.io/david/chaijs/deep-eql.svg?style=flat-square\"\n />\n </a>\n <br>\n <a href=\"https://chai-slack.herokuapp.com/\">\n <img\n alt=\"Join the Slack chat\"\n src=\"https://img.shields.io/badge/slack-join%20chat-E2206F.svg?style=flat-square\"\n />\n </a>\n <a href=\"https://gitter.im/chaijs/deep-eql\">\n <img\n alt=\"Join the Gitter chat\"\n src=\"https://img.shields.io/badge/gitter-join%20chat-D0104D.svg?style=flat-square\"\n />\n </a>\n</p>\n\n## What is Deep-Eql?\n\nDeep Eql is a module which you can use to determine if two objects are \"deeply\" equal - that is, rather than having referential equality (`a === b`), this module checks an object's keys recursively, until it finds primitives to check for referential equality. For more on equality in JavaScript, read [the comparison operators article on mdn](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Comparison_Operators).\n\nAs an example, take the following:\n\n```js\n1 === 1 // These are primitives, they hold the same reference - they are strictly equal\n1 == '1' // These are two different primitives, through type coercion they hold the same value - they are loosely equal\n{ a: 1 } !== { a: 1 } // These are two different objects, they hold different references and so are not strictly equal - even though they hold the same values inside\n{ a: 1 } != { a: 1 } // They have the same type, meaning loose equality performs the same check as strict equality - they are still not equal.\n\nvar deepEql = require(\"deep-eql\");\ndeepEql({ a: 1 }, { a: 1 }) === true // deepEql can determine that they share the same keys and those keys share the same values, therefore they are deeply equal!\n```\n\n## Installation\n\n### Node.js\n\n`deep-eql` is available on [npm](http://npmjs.org).\n\n $ npm install deep-eql\n\n## Usage\n\nThe primary export of `deep-eql` is function that can be given two objects to compare. It will always return a boolean which can be used to determine if two objects are deeply equal.\n\n### Rules\n\n- Strict equality for non-traversable nodes according to [`Object.is`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/is):\n - `eql(NaN, NaN).should.be.true;`\n - `eql(-0, +0).should.be.false;`\n- All own and inherited enumerable properties are considered:\n - `eql(Object.create({ foo: { a: 1 } }), Object.create({ foo: { a: 1 } })).should.be.true;`\n - `eql(Object.create({ foo: { a: 1 } }), Object.create({ foo: { a: 2 } })).should.be.false;`\n- When comparing `Error` objects, only `name`, `message`, and `code` properties are considered, regardless of enumerability:\n - `eql(Error('foo'), Error('foo')).should.be.true;`\n - `eql(Error('foo'), Error('bar')).should.be.false;`\n - `eql(Error('foo'), TypeError('foo')).should.be.false;`\n - `eql(Object.assign(Error('foo'), { code: 42 }), Object.assign(Error('foo'), { code: 42 })).should.be.true;`\n - `eql(Object.assign(Error('foo'), { code: 42 }), Object.assign(Error('foo'), { code: 13 })).should.be.false;`\n - `eql(Object.assign(Error('foo'), { otherProp: 42 }), Object.assign(Error('foo'), { otherProp: 13 })).should.be.true;`\n- Arguments are not Arrays:\n - `eql([], arguments).should.be.false;`\n - `eql([], Array.prototype.slice.call(arguments)).should.be.true;`\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/deep-eql/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/dunder-proto/README.md ---\n# dunder-proto <sup>[![Version Badge][npm-version-svg]][package-url]</sup>\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nIf available, the `Object.prototype.__proto__` accessor and mutator, call-bound.\n\n## Getting started\n\n```sh\nnpm install --save dunder-proto\n```\n\n## Usage/Examples\n\n```js\nconst assert = require('assert');\nconst getDunder = require('dunder-proto/get');\nconst setDunder = require('dunder-proto/set');\n\nconst obj = {};\n\nassert.equal('toString' in obj, true);\nassert.equal(getDunder(obj), Object.prototype);\n\nsetDunder(obj, null);\n\nassert.equal('toString' in obj, false);\nassert.equal(getDunder(obj), null);\n```\n\n## Tests\n\nClone the repo, `npm install`, and run `npm test`\n\n[package-url]: https://npmjs.org/package/dunder-proto\n[npm-version-svg]: https://versionbadg.es/es-shims/dunder-proto.svg\n[deps-svg]: https://david-dm.org/es-shims/dunder-proto.svg\n[deps-url]: https://david-dm.org/es-shims/dunder-proto\n[dev-deps-svg]: https://david-dm.org/es-shims/dunder-proto/dev-status.svg\n[dev-deps-url]: https://david-dm.org/es-shims/dunder-proto#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/dunder-proto.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/dunder-proto.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/dunder-proto.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=dunder-proto\n[codecov-image]: https://codecov.io/gh/es-shims/dunder-proto/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/es-shims/dunder-proto/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/es-shims/dunder-proto\n[actions-url]: https://github.com/es-shims/dunder-proto/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/dunder-proto/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/ee-first/README.md ---\n# EE First\n\n[![NPM version][npm-image]][npm-url]\n[![Build status][travis-image]][travis-url]\n[![Test coverage][coveralls-image]][coveralls-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n[![Gittip][gittip-image]][gittip-url]\n\nGet the first event in a set of event emitters and event pairs,\nthen clean up after itself.\n\n## Install\n\n```sh\n$ npm install ee-first\n```\n\n## API\n\n```js\nvar first = require('ee-first')\n```\n\n### first(arr, listener)\n\nInvoke `listener` on the first event from the list specified in `arr`. `arr` is\nan array of arrays, with each array in the format `[ee, ...event]`. `listener`\nwill be called only once, the first time any of the given events are emitted. If\n`error` is one of the listened events, then if that fires first, the `listener`\nwill be given the `err` argument.\n\nThe `listener` is invoked as `listener(err, ee, event, args)`, where `err` is the\nfirst argument emitted from an `error` event, if applicable; `ee` is the event\nemitter that fired; `event` is the string event name that fired; and `args` is an\narray of the arguments that were emitted on the event.\n\n```js\nvar ee1 = new EventEmitter()\nvar ee2 = new EventEmitter()\n\nfirst([\n [ee1, 'close', 'end', 'error'],\n [ee2, 'error']\n], function (err, ee, event, args) {\n // listener invoked\n})\n```\n\n#### .cancel()\n\nThe group of listeners can be cancelled before being invoked and have all the event\nlisteners removed from the underlying event emitters.\n\n```js\nvar thunk = first([\n [ee1, 'close', 'end', 'error'],\n [ee2, 'error']\n], function (err, ee, event, args) {\n // listener invoked\n})\n\n// cancel and clean up\nthunk.cancel()\n```\n\n[npm-image]: https://img.shields.io/npm/v/ee-first.svg?style=flat-square\n[npm-url]: https://npmjs.org/package/ee-first\n[github-tag]: http://img.shields.io/github/tag/jonathanong/ee-first.svg?style=flat-square\n[github-url]: https://github.com/jonathanong/ee-first/tags\n[travis-image]: https://img.shields.io/travis/jonathanong/ee-first.svg?style=flat-square\n[travis-url]: https://travis-ci.org/jonathanong/ee-first\n[coveralls-image]: https://img.shields.io/coveralls/jonathanong/ee-first.svg?style=flat-square\n[coveralls-url]: https://coveralls.io/r/jonathanong/ee-first?branch=master\n[license-image]: http://img.shields.io/npm/l/ee-first.svg?style=flat-square\n[license-url]: LICENSE.md\n[downloads-image]: http://img.shields.io/npm/dm/ee-first.svg?style=flat-square\n[downloads-url]: https://npmjs.org/package/ee-first\n[gittip-image]: https://img.shields.io/gittip/jonathanong.svg?style=flat-square\n[gittip-url]: https://www.gittip.com/jonathanong/\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/ee-first/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/encodeurl/README.md ---\n# Encode URL\n\nEncode a URL to a percent-encoded form, excluding already-encoded sequences.\n\n## Installation\n\n```sh\nnpm install encodeurl\n```\n\n## API\n\n```js\nvar encodeUrl = require('encodeurl')\n```\n\n### encodeUrl(url)\n\nEncode a URL to a percent-encoded form, excluding already-encoded sequences.\n\nThis function accepts a URL and encodes all the non-URL code points (as UTF-8 byte sequences). It will not encode the \"%\" character unless it is not part of a valid sequence (`%20` will be left as-is, but `%foo` will be encoded as `%25foo`).\n\nThis encode is meant to be \"safe\" and does not throw errors. It will try as hard as it can to properly encode the given URL, including replacing any raw, unpaired surrogate pairs with the Unicode replacement character prior to encoding.\n\n## Examples\n\n### Encode a URL containing user-controlled data\n\n```js\nvar encodeUrl = require('encodeurl')\nvar escapeHtml = require('escape-html')\n\nhttp.createServer(function onRequest (req, res) {\n // get encoded form of inbound url\n var url = encodeUrl(req.url)\n\n // create html message\n var body = '<p>Location ' + escapeHtml(url) + ' not found</p>'\n\n // send a 404\n res.statusCode = 404\n res.setHeader('Content-Type', 'text/html; charset=UTF-8')\n res.setHeader('Content-Length', String(Buffer.byteLength(body, 'utf-8')))\n res.end(body, 'utf-8')\n})\n```\n\n### Encode a URL for use in a header field\n\n```js\nvar encodeUrl = require('encodeurl')\nvar escapeHtml = require('escape-html')\nvar url = require('url')\n\nhttp.createServer(function onRequest (req, res) {\n // parse inbound url\n var href = url.parse(req)\n\n // set new host for redirect\n href.host = 'localhost'\n href.protocol = 'https:'\n href.slashes = true\n\n // create location header\n var location = encodeUrl(url.format(href))\n\n // create html message\n var body = '<p>Redirecting to new site: ' + escapeHtml(location) + '</p>'\n\n // send a 301\n res.statusCode = 301\n res.setHeader('Content-Type', 'text/html; charset=UTF-8')\n res.setHeader('Content-Length', String(Buffer.byteLength(body, 'utf-8')))\n res.setHeader('Location', location)\n res.end(body, 'utf-8')\n})\n```\n\n## Similarities\n\nThis function is _similar_ to the intrinsic function `encodeURI`. However, it will not encode:\n\n* The `\\`, `^`, or `|` characters\n* The `%` character when it's part of a valid sequence\n* `[` and `]` (for IPv6 hostnames)\n* Replaces raw, unpaired surrogate pairs with the Unicode replacement character\n\nAs a result, the encoding aligns closely with the behavior in the [WHATWG URL specification][whatwg-url]. However, this package only encodes strings and does not do any URL parsing or formatting.\n\nIt is expected that any output from `new URL(url)` will not change when used with this package, as the output has already been encoded. Additionally, if we were to encode before `new URL(url)`, we do not expect the before and after encoded formats to be parsed any differently.\n\n## Testing\n\n```sh\n$ npm test\n$ npm run lint\n```\n\n## References\n\n- [RFC 3986: Uniform Resource Identifier (URI): Generic Syntax][rfc-3986]\n- [WHATWG URL Living Standard][whatwg-url]\n\n[rfc-3986]: https://tools.ietf.org/html/rfc3986\n[whatwg-url]: https://url.spec.whatwg.org/\n\n## License\n\n[MIT](LICENSE)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/encodeurl/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/es-define-property/README.md ---\n# es-define-property <sup>[![Version Badge][npm-version-svg]][package-url]</sup>\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\n`Object.defineProperty`, but not IE 8's broken one.\n\n## Example\n\n```js\nconst assert = require('assert');\n\nconst $defineProperty = require('es-define-property');\n\nif ($defineProperty) {\n assert.equal($defineProperty, Object.defineProperty);\n} else if (Object.defineProperty) {\n assert.equal($defineProperty, false, 'this is IE 8');\n} else {\n assert.equal($defineProperty, false, 'this is an ES3 engine');\n}\n```\n\n## Tests\nSimply clone the repo, `npm install`, and run `npm test`\n\n## Security\n\nPlease email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.\n\n[package-url]: https://npmjs.org/package/es-define-property\n[npm-version-svg]: https://versionbadg.es/ljharb/es-define-property.svg\n[deps-svg]: https://david-dm.org/ljharb/es-define-property.svg\n[deps-url]: https://david-dm.org/ljharb/es-define-property\n[dev-deps-svg]: https://david-dm.org/ljharb/es-define-property/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/es-define-property#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/es-define-property.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/es-define-property.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/es-define-property.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=es-define-property\n[codecov-image]: https://codecov.io/gh/ljharb/es-define-property/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/es-define-property/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/es-define-property\n[actions-url]: https://github.com/ljharb/es-define-property/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/es-define-property/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/es-errors/README.md ---\n# es-errors <sup>[![Version Badge][npm-version-svg]][package-url]</sup>\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nA simple cache for a few of the JS Error constructors.\n\n## Example\n\n```js\nconst assert = require('assert');\n\nconst Base = require('es-errors');\nconst Eval = require('es-errors/eval');\nconst Range = require('es-errors/range');\nconst Ref = require('es-errors/ref');\nconst Syntax = require('es-errors/syntax');\nconst Type = require('es-errors/type');\nconst URI = require('es-errors/uri');\n\nassert.equal(Base, Error);\nassert.equal(Eval, EvalError);\nassert.equal(Range, RangeError);\nassert.equal(Ref, ReferenceError);\nassert.equal(Syntax, SyntaxError);\nassert.equal(Type, TypeError);\nassert.equal(URI, URIError);\n```\n\n## Tests\nSimply clone the repo, `npm install`, and run `npm test`\n\n## Security\n\nPlease email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.\n\n[package-url]: https://npmjs.org/package/es-errors\n[npm-version-svg]: https://versionbadg.es/ljharb/es-errors.svg\n[deps-svg]: https://david-dm.org/ljharb/es-errors.svg\n[deps-url]: https://david-dm.org/ljharb/es-errors\n[dev-deps-svg]: https://david-dm.org/ljharb/es-errors/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/es-errors#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/es-errors.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/es-errors.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/es-errors.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=es-errors\n[codecov-image]: https://codecov.io/gh/ljharb/es-errors/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/es-errors/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/es-errors\n[actions-url]: https://github.com/ljharb/es-errors/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/es-errors/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/es-module-lexer/README.md ---\n# ES Module Lexer\r\n\r\n[![Build Status][actions-image]][actions-url]\r\n\r\nA JS module syntax lexer used in [es-module-shims](https://github.com/guybedford/es-module-shims).\r\n\r\nOutputs the list of exports and locations of import specifiers, including dynamic import and import meta handling.\r\n\r\nSupports new syntax features including import attributes and source phase imports.\r\n\r\nA very small single JS file (4KiB gzipped) that includes inlined Web Assembly for very fast source analysis of ECMAScript module syntax only.\r\n\r\nFor an example of the performance, Angular 1 (720KiB) is fully parsed in 5ms, in comparison to the fastest JS parser, Acorn which takes over 100ms.\r\n\r\n_Comprehensively handles the JS language grammar while remaining small and fast. - ~10ms per MB of JS cold and ~5ms per MB of JS warm, [see benchmarks](#benchmarks) for more info._\r\n\r\n> [Built with](https://github.com/guybedford/es-module-lexer/blob/main/chompfile.toml) [Chomp](https://chompbuild.com/)\r\n\r\n### Usage\r\n\r\n```\r\nnpm install es-module-lexer\r\n```\r\n\r\nSee [src/lexer.ts](src/lexer.ts) for the type definitions.\r\n\r\nFor use in CommonJS:\r\n\r\n```js\r\nconst { init, parse } = require('es-module-lexer');\r\n\r\n(async () => {\r\n // either await init, or call parse asynchronously\r\n // this is necessary for the Web Assembly boot\r\n await init;\r\n\r\n const source = 'export var p = 5';\r\n const [imports, exports] = parse(source);\r\n \r\n // Returns \"p\"\r\n source.slice(exports[0].s, exports[0].e);\r\n // Returns \"p\"\r\n source.slice(exports[0].ls, exports[0].le);\r\n})();\r\n```\r\n\r\nAn ES module version is also available:\r\n\r\n```js\r\nimport { init, parse } from 'es-module-lexer';\r\n\r\n(async () => {\r\n await init;\r\n\r\n const source = `\r\n import { name } from 'mod\\\\u1011';\r\n import json from './json.json' assert { type: 'json' }\r\n export var p = 5;\r\n export function q () {\r\n\r\n };\r\n export { x as 'external name' } from 'external';\r\n\r\n // Comments provided to demonstrate edge cases\r\n import /*comment!*/ ( 'asdf', { assert: { type: 'json' }});\r\n import /*comment!*/.meta.asdf;\r\n\r\n // Source phase imports:\r\n import source mod from './mod.wasm';\r\n import.source('./mod.wasm');\r\n `;\r\n\r\n const [imports, exports] = parse(source, 'optional-sourcename');\r\n\r\n // Returns \"modထ\"\r\n imports[0].n\r\n // Returns \"mod\\u1011\"\r\n source.slice(imports[0].s, imports[0].e);\r\n // \"s\" = start\r\n // \"e\" = end\r\n\r\n // Returns \"import { name } from 'mod'\"\r\n source.slice(imports[0].ss, imports[0].se);\r\n // \"ss\" = statement start\r\n // \"se\" = statement end\r\n\r\n // Returns \"{ type: 'json' }\"\r\n source.slice(imports[1].a, imports[1].se);\r\n // \"a\" = assert, -1 for no assertion\r\n\r\n // Returns \"external\"\r\n source.slice(imports[2].s, imports[2].e);\r\n\r\n // Returns \"p\"\r\n source.slice(exports[0].s, exports[0].e);\r\n // Returns \"p\"\r\n source.slice(exports[0].ls, exports[0].le);\r\n // Returns \"q\"\r\n source.slice(exports[1].s, exports[1].e);\r\n // Returns \"q\"\r\n source.slice(exports[1].ls, exports[1].le);\r\n // Returns \"'external name'\"\r\n source.slice(exports[2].s, exports[2].e);\r\n // Returns -1\r\n exports[2].ls;\r\n // Returns -1\r\n exports[2].le;\r\n\r\n // Import type is provided by `t` value\r\n // (1 for static, 2, for dynamic)\r\n // Returns true\r\n imports[2].t == 2;\r\n\r\n // Returns \"asdf\" (only for string literal dynamic imports)\r\n imports[2].n\r\n // Returns \"import /*comment!*/ ( 'asdf', { assert: { type: 'json' } })\"\r\n source.slice(imports[3].ss, imports[3].se);\r\n // Returns \"'asdf'\"\r\n source.slice(imports[3].s, imports[3].e);\r\n // Returns \"( 'asdf', { assert: { type: 'json' } })\"\r\n source.slice(imports[3].d, imports[3].se);\r\n // Returns \"{ assert: { type: 'json' } }\"\r\n source.slice(imports[3].a, imports[3].se - 1);\r\n\r\n // For non-string dynamic import expressions:\r\n // - n will be undefined\r\n // - a is currently -1 even if there is an assertion\r\n // - e is currently the character before the closing )\r\n\r\n // For nested dynamic imports, the se value of the outer import is -1 as end tracking does not\r\n // currently support nested dynamic immports\r\n\r\n // import.meta is indicated by imports[3].d === -2\r\n // Returns true\r\n imports[4].d === -2;\r\n // Returns \"import /*comment!*/.meta\"\r\n source.slice(imports[4].s, imports[4].e);\r\n // ss and se are the same for import meta\r\n\r\n // Returns \"'./mod.wasm'\"\r\n source.slice(imports[5].s, imports[5].e);\r\n\r\n // Import type 4 and 5 for static and dynamic source phase\r\n imports[5].t === 4;\r\n imports[6].t === 5;\r\n})();\r\n```\r\n\r\n### CSP asm.js Build\r\n\r\nThe default version of the library uses Wasm and (safe) eval usage for performance and a minimal footprint.\r\n\r\nNeither of these represent security escalation possibilities since there are no execution string injection vectors, but that can still violate existing CSP policies for applications.\r\n\r\nFor a version that works with CSP eval disabled, use the `es-module-lexer/js` build:\r\n\r\n```js\r\nimport { parse } from 'es-module-lexer/js';\r\n```\r\n\r\nInstead of Web Assembly, this uses an asm.js build which is almost as fast as the Wasm version ([see benchmarks below](#benchmarks)).\r\n\r\n### Escape Sequences\r\n\r\nTo handle escape sequences in specifier strings, the `.n` field of imported specifiers will be provided where possible.\r\n\r\nFor dynamic import expressions, this field will be empty if not a valid JS string.\r\n\r\n### Facade Detection\r\n\r\nFacade modules that only use import / export syntax can be detected via the third return value:\r\n\r\n```js\r\nconst [,, facade] = parse(`\r\n export * from 'external';\r\n import * as ns from 'external2';\r\n export { a as b } from 'external3';\r\n export { ns };\r\n`);\r\nfacade === true;\r\n```\r\n\r\n### ESM Detection\r\n\r\nModules that uses ESM syntaxes can be detected via the fourth return value:\r\n\r\n```js\r\nconst [,,, hasModuleSyntax] = parse(`\r\n export {}\r\n`);\r\nhasModuleSyntax === true;\r\n```\r\n\r\nDynamic imports are ignored since they can be used in Non-ESM files.\r\n\r\n```js\r\nconst [,,, hasModuleSyntax] = parse(`\r\n import('./foo.js')\r\n`);\r\nhasModuleSyntax === false;\r\n```\r\n\r\n### Environment Support\r\n\r\nNode.js 10+, and [all browsers with Web Assembly support](https://caniuse.com/#feat=wasm).\r\n\r\n### Grammar Support\r\n\r\n* Token state parses all line comments, block comments, strings, template strings, blocks, parens and punctuators.\r\n* Division operator / regex token ambiguity is handled via backtracking checks against punctuator prefixes, including closing brace or paren backtracking.\r\n* Always correctly parses valid JS source, but may parse invalid JS source without errors.\r\n\r\n### Limitations\r\n\r\nThe lexing approach is designed to deal with the full language grammar including RegEx / division operator ambiguity through backtracking and paren / brace tracking.\r\n\r\nThe only limitation to the reduced parser is that the \"exports\" list may not correctly gather all export identifiers in the following edge cases:\r\n\r\n```js\r\n// Only \"a\" is detected as an export, \"q\" isn't\r\nexport var a = 'asdf', q = z;\r\n\r\n// \"b\" is not detected as an export\r\nexport var { a: b } = asdf;\r\n```\r\n\r\nThe above cases are handled gracefully in that the lexer will keep going fine, it will just not properly detect the export names above.\r\n\r\n### Benchmarks\r\n\r\nBenchmarks can be run with `npm run bench`.\r\n\r\nCurrent results for a high spec machine:\r\n\r\n#### Wasm Build\r\n\r\n```\r\nModule load time\r\n> 5ms\r\nCold Run, All Samples\r\ntest/samples/*.js (3123 KiB)\r\n> 18ms\r\n\r\nWarm Runs (average of 25 runs)\r\ntest/samples/angular.js (739 KiB)\r\n> 3ms\r\ntest/samples/angular.min.js (188 KiB)\r\n> 1ms\r\ntest/samples/d3.js (508 KiB)\r\n> 3ms\r\ntest/samples/d3.min.js (274 KiB)\r\n> 2ms\r\ntest/samples/magic-string.js (35 KiB)\r\n> 0ms\r\ntest/samples/magic-string.min.js (20 KiB)\r\n> 0ms\r\ntest/samples/rollup.js (929 KiB)\r\n> 4.32ms\r\ntest/samples/rollup.min.js (429 KiB)\r\n> 2.16ms\r\n\r\nWarm Runs, All Samples (average of 25 runs)\r\ntest/samples/*.js (3123 KiB)\r\n> 14.16ms\r\n```\r\n\r\n#### JS Build (asm.js)\r\n\r\n```\r\nModule load time\r\n> 2ms\r\nCold Run, All Samples\r\ntest/samples/*.js (3123 KiB)\r\n> 34ms\r\n\r\nWarm Runs (average of 25 runs)\r\ntest/samples/angular.js (739 KiB)\r\n> 3ms\r\ntest/samples/angular.min.js (188 KiB)\r\n> 1ms\r\ntest/samples/d3.js (508 KiB)\r\n> 3ms\r\ntest/samples/d3.min.js (274 KiB)\r\n> 2ms\r\ntest/samples/magic-string.js (35 KiB)\r\n> 0ms\r\ntest/samples/magic-string.min.js (20 KiB)\r\n> 0ms\r\ntest/samples/rollup.js (929 KiB)\r\n> 5ms\r\ntest/samples/rollup.min.js (429 KiB)\r\n> 3.04ms\r\n\r\nWarm Runs, All Samples (average of 25 runs)\r\ntest/samples/*.js (3123 KiB)\r\n> 17.12ms\r\n```\r\n\r\n### Building\r\n\r\nThis project uses [Chomp](https://chompbuild.com) for building.\r\n\r\nWith Chomp installed, download the WASI SDK 12.0 from https://github.com/WebAssembly/wasi-sdk/releases/tag/wasi-sdk-12.\r\n\r\n- [Linux](https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-12/wasi-sdk-12.0-linux.tar.gz)\r\n- [Windows (MinGW)](https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-12/wasi-sdk-12.0-mingw.tar.gz)\r\n- [macOS](https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-12/wasi-sdk-12.0-macos.tar.gz)\r\n\r\nLocate the WASI-SDK as a sibling folder, or customize the path via the `WASI_PATH` environment variable.\r\n\r\nEmscripten emsdk is also assumed to be a sibling folder or via the `EMSDK_PATH` environment variable.\r\n\r\nExample setup:\r\n\r\n```\r\ngit clone https://github.com:guybedford/es-module-lexer\r\ngit clone https://github.com/emscripten-core/emsdk\r\ncd emsdk\r\ngit checkout 1.40.1-fastcomp\r\n./emsdk install 1.40.1-fastcomp\r\ncd ..\r\nwget https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-12/wasi-sdk-12.0-linux.tar.gz\r\ngunzip wasi-sdk-12.0-linux.tar.gz\r\ntar -xf wasi-sdk-12.0-linux.tar\r\nmv wasi-sdk-12.0-linux.tar wasi-sdk-12.0\r\ncargo install chompbuild\r\ncd es-module-lexer\r\nchomp test\r\n```\r\n\r\nFor the `asm.js` build, git clone `emsdk` from is assumed to be a sibling folder as well.\r\n\r\n### License\r\n\r\nMIT\r\n\r\n[actions-image]: https://github.com/guybedford/es-module-lexer/actions/workflows/build.yml/badge.svg\r\n[actions-url]: https://github.com/guybedford/es-module-lexer/actions/workflows/build.yml\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/es-module-lexer/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/es-object-atoms/README.md ---\n# es-object-atoms <sup>[![Version Badge][npm-version-svg]][package-url]</sup>\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nES Object-related atoms: Object, ToObject, RequireObjectCoercible.\n\n## Example\n\n```js\nconst assert = require('assert');\n\nconst $Object = require('es-object-atoms');\nconst isObject = require('es-object-atoms/isObject');\nconst ToObject = require('es-object-atoms/ToObject');\nconst RequireObjectCoercible = require('es-object-atoms/RequireObjectCoercible');\n\nassert.equal($Object, Object);\nassert.throws(() => ToObject(null), TypeError);\nassert.throws(() => ToObject(undefined), TypeError);\nassert.throws(() => RequireObjectCoercible(null), TypeError);\nassert.throws(() => RequireObjectCoercible(undefined), TypeError);\n\nassert.equal(isObject(undefined), false);\nassert.equal(isObject(null), false);\nassert.equal(isObject({}), true);\nassert.equal(isObject([]), true);\nassert.equal(isObject(function () {}), true);\n\nassert.deepEqual(RequireObjectCoercible(true), true);\nassert.deepEqual(ToObject(true), Object(true));\n\nconst obj = {};\nassert.equal(RequireObjectCoercible(obj), obj);\nassert.equal(ToObject(obj), obj);\n```\n\n## Tests\nSimply clone the repo, `npm install`, and run `npm test`\n\n## Security\n\nPlease email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.\n\n[package-url]: https://npmjs.org/package/es-object-atoms\n[npm-version-svg]: https://versionbadg.es/ljharb/es-object-atoms.svg\n[deps-svg]: https://david-dm.org/ljharb/es-object-atoms.svg\n[deps-url]: https://david-dm.org/ljharb/es-object-atoms\n[dev-deps-svg]: https://david-dm.org/ljharb/es-object-atoms/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/es-object-atoms#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/es-object-atoms.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/es-object-atoms.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/es-object.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=es-object-atoms\n[codecov-image]: https://codecov.io/gh/ljharb/es-object-atoms/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/es-object-atoms/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/es-object-atoms\n[actions-url]: https://github.com/ljharb/es-object-atoms/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/es-object-atoms/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/esbuild/README.md ---\n# esbuild\n\nThis is a JavaScript bundler and minifier. See https://github.com/evanw/esbuild and the [JavaScript API documentation](https://esbuild.github.io/api/) for details.\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/esbuild/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/estree-walker/README.md ---\n# estree-walker\n\nSimple utility for walking an [ESTree](https://github.com/estree/estree)-compliant AST, such as one generated by [acorn](https://github.com/marijnh/acorn).\n\n\n## Installation\n\n```bash\nnpm i estree-walker\n```\n\n\n## Usage\n\n```js\nvar walk = require('estree-walker').walk;\nvar acorn = require('acorn');\n\nast = acorn.parse(sourceCode, options); // https://github.com/acornjs/acorn\n\nwalk(ast, {\n enter(node, parent, prop, index) {\n // some code happens\n },\n leave(node, parent, prop, index) {\n // some code happens\n }\n});\n```\n\nInside the `enter` function, calling `this.skip()` will prevent the node's children being walked, or the `leave` function (which is optional) being called.\n\nCall `this.replace(new_node)` in either `enter` or `leave` to replace the current node with a new one.\n\nCall `this.remove()` in either `enter` or `leave` to remove the current node.\n\n## Why not use estraverse?\n\nThe ESTree spec is evolving to accommodate ES6/7. I've had a couple of experiences where [estraverse](https://github.com/estools/estraverse) was unable to handle an AST generated by recent versions of acorn, because it hard-codes visitor keys.\n\nestree-walker, by contrast, simply enumerates a node's properties to find child nodes (and child lists of nodes), and is therefore resistant to spec changes. It's also much smaller. (The performance, if you're wondering, is basically identical.)\n\nNone of which should be taken as criticism of estraverse, which has more features and has been battle-tested in many more situations, and for which I'm very grateful.\n\n\n## License\n\nMIT\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/estree-walker/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/etag/README.md ---\n# etag\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build Status][travis-image]][travis-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nCreate simple HTTP ETags\n\nThis module generates HTTP ETags (as defined in RFC 7232) for use in\nHTTP responses.\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install etag\n```\n\n## API\n\n<!-- eslint-disable no-unused-vars -->\n\n```js\nvar etag = require('etag')\n```\n\n### etag(entity, [options])\n\nGenerate a strong ETag for the given entity. This should be the complete\nbody of the entity. Strings, `Buffer`s, and `fs.Stats` are accepted. By\ndefault, a strong ETag is generated except for `fs.Stats`, which will\ngenerate a weak ETag (this can be overwritten by `options.weak`).\n\n<!-- eslint-disable no-undef -->\n\n```js\nres.setHeader('ETag', etag(body))\n```\n\n#### Options\n\n`etag` accepts these properties in the options object.\n\n##### weak\n\nSpecifies if the generated ETag will include the weak validator mark (that\nis, the leading `W/`). The actual entity tag is the same. The default value\nis `false`, unless the `entity` is `fs.Stats`, in which case it is `true`.\n\n## Testing\n\n```sh\n$ npm test\n```\n\n## Benchmark\n\n```bash\n$ npm run-script bench\n\n> etag@1.8.1 bench nodejs-etag\n> node benchmark/index.js\n\n http_parser@2.7.0\n node@6.11.1\n v8@5.1.281.103\n uv@1.11.0\n zlib@1.2.11\n ares@1.10.1-DEV\n icu@58.2\n modules@48\n openssl@1.0.2k\n\n> node benchmark/body0-100b.js\n\n 100B body\n\n 4 tests completed.\n\n buffer - strong x 258,647 ops/sec ±1.07% (180 runs sampled)\n buffer - weak x 263,812 ops/sec ±0.61% (184 runs sampled)\n string - strong x 259,955 ops/sec ±1.19% (185 runs sampled)\n string - weak x 264,356 ops/sec ±1.09% (184 runs sampled)\n\n> node benchmark/body1-1kb.js\n\n 1KB body\n\n 4 tests completed.\n\n buffer - strong x 189,018 ops/sec ±1.12% (182 runs sampled)\n buffer - weak x 190,586 ops/sec ±0.81% (186 runs sampled)\n string - strong x 144,272 ops/sec ±0.96% (188 runs sampled)\n string - weak x 145,380 ops/sec ±1.43% (187 runs sampled)\n\n> node benchmark/body2-5kb.js\n\n 5KB body\n\n 4 tests completed.\n\n buffer - strong x 92,435 ops/sec ±0.42% (188 runs sampled)\n buffer - weak x 92,373 ops/sec ±0.58% (189 runs sampled)\n string - strong x 48,850 ops/sec ±0.56% (186 runs sampled)\n string - weak x 49,380 ops/sec ±0.56% (190 runs sampled)\n\n> node benchmark/body3-10kb.js\n\n 10KB body\n\n 4 tests completed.\n\n buffer - strong x 55,989 ops/sec ±0.93% (188 runs sampled)\n buffer - weak x 56,148 ops/sec ±0.55% (190 runs sampled)\n string - strong x 27,345 ops/sec ±0.43% (188 runs sampled)\n string - weak x 27,496 ops/sec ±0.45% (190 runs sampled)\n\n> node benchmark/body4-100kb.js\n\n 100KB body\n\n 4 tests completed.\n\n buffer - strong x 7,083 ops/sec ±0.22% (190 runs sampled)\n buffer - weak x 7,115 ops/sec ±0.26% (191 runs sampled)\n string - strong x 3,068 ops/sec ±0.34% (190 runs sampled)\n string - weak x 3,096 ops/sec ±0.35% (190 runs sampled)\n\n> node benchmark/stats.js\n\n stat\n\n 4 tests completed.\n\n real - strong x 871,642 ops/sec ±0.34% (189 runs sampled)\n real - weak x 867,613 ops/sec ±0.39% (190 runs sampled)\n fake - strong x 401,051 ops/sec ±0.40% (189 runs sampled)\n fake - weak x 400,100 ops/sec ±0.47% (188 runs sampled)\n```\n\n## License\n\n[MIT](LICENSE)\n\n[npm-image]: https://img.shields.io/npm/v/etag.svg\n[npm-url]: https://npmjs.org/package/etag\n[node-version-image]: https://img.shields.io/node/v/etag.svg\n[node-version-url]: https://nodejs.org/en/download/\n[travis-image]: https://img.shields.io/travis/jshttp/etag/master.svg\n[travis-url]: https://travis-ci.org/jshttp/etag\n[coveralls-image]: https://img.shields.io/coveralls/jshttp/etag/master.svg\n[coveralls-url]: https://coveralls.io/r/jshttp/etag?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/etag.svg\n[downloads-url]: https://npmjs.org/package/etag\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/etag/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/eventsource-parser/README.md ---\n# eventsource-parser\n\n[![npm version](https://img.shields.io/npm/v/eventsource-parser.svg?style=flat-square)](https://www.npmjs.com/package/eventsource-parser)[![npm bundle size](https://img.shields.io/bundlephobia/minzip/eventsource-parser?style=flat-square)](https://bundlephobia.com/result?p=eventsource-parser)[![npm weekly downloads](https://img.shields.io/npm/dw/eventsource-parser.svg?style=flat-square)](https://www.npmjs.com/package/eventsource-parser)\n\nA streaming parser for [server-sent events/eventsource](https://developer.mozilla.org/en-US/docs/Web/API/Server-sent_events), without any assumptions about how the actual stream of data is retrieved. It is intended to be a building block for [clients](https://github.com/rexxars/eventsource-client) and polyfills in javascript environments such as browsers, node.js and deno.\n\nIf you are looking for a modern client implementation, see [eventsource-client](https://github.com/rexxars/eventsource-client).\n\nYou create an instance of the parser, and _feed_ it chunks of data - partial or complete, and the parse emits parsed messages once it receives a complete message. A [TransformStream variant](#stream-usage) is also available for environments that support it (modern browsers, Node 18 and higher).\n\nOther modules in the EventSource family:\n\n- [eventsource-client](https://github.com/rexxars/eventsource-client): modern, feature rich eventsource client for browsers, node.js, bun, deno and other modern JavaScript environments.\n- [eventsource-encoder](https://github.com/rexxars/eventsource-encoder): encodes messages in the EventSource/Server-Sent Events format.\n- [eventsource](https://github.com/eventsource/eventsource): Node.js polyfill for the WhatWG EventSource API.\n\n> [!NOTE]\n> Migrating from eventsource-parser 1.x/2.x? See the [migration guide](./MIGRATE-v3.md).\n\n## Installation\n\n```bash\nnpm install --save eventsource-parser\n```\n\n## Usage\n\n```ts\nimport {createParser, type EventSourceMessage} from 'eventsource-parser'\n\nfunction onEvent(event: EventSourceMessage) {\n console.log('Received event!')\n console.log('id: %s', event.id || '<none>')\n console.log('event: %s', event.event || '<none>')\n console.log('data: %s', event.data)\n}\n\nconst parser = createParser({onEvent})\nconst sseStream = getSomeReadableStream()\n\nfor await (const chunk of sseStream) {\n parser.feed(chunk)\n}\n\n// If you want to re-use the parser for a new stream of events, make sure to reset it!\nparser.reset()\nconsole.log('Done!')\n```\n\n### Retry intervals\n\nIf the server sends a `retry` field in the event stream, the parser will call any `onRetry` callback specified to the `createParser` function:\n\n```ts\nconst parser = createParser({\n onRetry(retryInterval) {\n console.log('Server requested retry interval of %dms', retryInterval)\n },\n onEvent(event) {\n // …\n },\n})\n```\n\n### Parse errors\n\nIf the parser encounters an error while parsing, it will call any `onError` callback provided to the `createParser` function:\n\n```ts\nimport {type ParseError} from 'eventsource-parser'\n\nconst parser = createParser({\n onError(error: ParseError) {\n console.error('Error parsing event:', error)\n if (error.type === 'invalid-field') {\n console.error('Field name:', error.field)\n console.error('Field value:', error.value)\n console.error('Line:', error.line)\n } else if (error.type === 'invalid-retry') {\n console.error('Invalid retry interval:', error.value)\n }\n },\n onEvent(event) {\n // …\n },\n})\n```\n\nNote that `invalid-field` errors will usually be called for any invalid data - not only data shaped as `field: value`. This is because the EventSource specification says to treat anything prior to a `:` as the field name. Use the `error.line` property to get the full line that caused the error.\n\n> [!NOTE]\n> When encountering the end of a stream, calling `.reset({consume: true})` on the parser to flush any remaining data and reset the parser state. This will trigger the `onError` callback if the pending data is not a valid event.\n\n### Comments\n\nThe parser will ignore comments (lines starting with `:`) by default. If you want to handle comments, you can provide an `onComment` callback to the `createParser` function:\n\n```ts\nconst parser = createParser({\n onComment(comment) {\n console.log('Received comment:', comment)\n },\n onEvent(event) {\n // …\n },\n})\n```\n\n> [!NOTE]\n> Leading whitespace is not stripped from comments, eg `: comment` will give ` comment` as the comment value, not `comment` (note the leading space).\n\n## Stream usage\n\n```ts\nimport {EventSourceParserStream} from 'eventsource-parser/stream'\n\nconst eventStream = response.body\n .pipeThrough(new TextDecoderStream())\n .pipeThrough(new EventSourceParserStream())\n```\n\nNote that the TransformStream is exposed under a separate export (`eventsource-parser/stream`), in order to maximize compatibility with environments that do not have the `TransformStream` constructor available.\n\n## License\n\nMIT © [Espen Hovlandsdal](https://espen.codes/)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/eventsource-parser/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/eventsource/README.md ---\n# eventsource\n\n[![npm version](https://img.shields.io/npm/v/eventsource.svg?style=flat-square)](https://www.npmjs.com/package/eventsource)[![npm bundle size](https://img.shields.io/bundlephobia/minzip/eventsource?style=flat-square)](https://bundlephobia.com/result?p=eventsource)[![npm weekly downloads](https://img.shields.io/npm/dw/eventsource.svg?style=flat-square)](https://www.npmjs.com/package/eventsource)\n\nWhatWG/W3C-compatible [server-sent events/eventsource](https://developer.mozilla.org/en-US/docs/Web/API/Server-sent_events) client. The module attempts to implement an absolute minimal amount of features/changes beyond the specification.\n\nIf you're looking for a modern alternative with a less constrained API, check out the [`eventsource-client` package](https://www.npmjs.com/package/eventsource-client).\n\n## Installation\n\n```bash\nnpm install --save eventsource\n```\n\n## Supported engines\n\n- Node.js >= 18\n- Chrome >= 63\n- Safari >= 11.3\n- Firefox >= 65\n- Edge >= 79\n- Deno >= 1.30\n- Bun >= 1.1.23\n\nBasically, any environment that supports:\n\n- [fetch](https://developer.mozilla.org/en-US/docs/Web/API/fetch)\n- [ReadableStream](https://developer.mozilla.org/en-US/docs/Web/API/ReadableStream)\n- [TextDecoderStream](https://developer.mozilla.org/en-US/docs/Web/API/TextDecoderStream)\n- [URL](https://developer.mozilla.org/en-US/docs/Web/API/URL)\n- [Event](https://developer.mozilla.org/en-US/docs/Web/API/Event), [MessageEvent](https://developer.mozilla.org/en-US/docs/Web/API/MessageEvent), [EventTarget](https://developer.mozilla.org/en-US/docs/Web/API/EventTarget)\n\nIf you need to support older runtimes, try the `2.x` branch/version range (note: 2.x branch is primarily targetted at Node.js, not browsers).\n\n## Usage\n\n```ts\nimport {EventSource} from 'eventsource'\n\nconst es = new EventSource('https://my-server.com/sse')\n\n/*\n * This will listen for events with the field `event: notice`.\n */\nes.addEventListener('notice', (event) => {\n console.log(event.data)\n})\n\n/*\n * This will listen for events with the field `event: update`.\n */\nes.addEventListener('update', (event) => {\n console.log(event.data)\n})\n\n/*\n * The event \"message\" is a special case, as it will capture events _without_ an\n * event field, as well as events that have the specific type `event: message`.\n * It will not trigger on any other event type.\n */\nes.addEventListener('message', (event) => {\n console.log(event.data)\n})\n\n/**\n * To explicitly close the connection, call the `close` method.\n * This will prevent any reconnection from happening.\n */\nsetTimeout(() => {\n es.close()\n}, 10_000)\n```\n\n### TypeScript\n\nMake sure you have configured your TSConfig so it matches the environment you are targetting. If you are targetting browsers, this would be `dom`:\n\n```jsonc\n{\n \"compilerOptions\": {\n \"lib\": [\"dom\"],\n },\n}\n```\n\nIf you're using Node.js, ensure you have `@types/node` installed (and it is version 18 or higher). Cloudflare workers have `@cloudflare/workers-types` etc.\n\nThe following errors are caused by targetting an environment that does not have the necessary types available:\n\n```\nerror TS2304: Cannot find name 'Event'.\nerror TS2304: Cannot find name 'EventTarget'.\nerror TS2304: Cannot find name 'MessageEvent'.\n```\n\n## Migrating from v1 / v2\n\nSee [MIGRATION.md](MIGRATION.md#v2-to-v3) for a detailed migration guide.\n\n## Extensions to the WhatWG/W3C API\n\n### Message and code properties on errors\n\nThe `error` event has a `message` and `code` property that can be used to get more information about the error. In the specification, the Event\n\n```ts\nes.addEventListener('error', (err) => {\n if (err.code === 401 || err.code === 403) {\n console.log('not authorized')\n }\n})\n```\n\n### Specify `fetch` implementation\n\nThe `EventSource` constructor accepts an optional `fetch` property in the second argument that can be used to specify the `fetch` implementation to use.\n\nThis can be useful in environments where the global `fetch` function is not available - but it can also be used to alter the request/response behaviour.\n\n#### Setting HTTP request headers\n\n```ts\nconst es = new EventSource('https://my-server.com/sse', {\n fetch: (input, init) =>\n fetch(input, {\n ...init,\n headers: {\n ...init.headers,\n Authorization: 'Bearer myToken',\n },\n }),\n})\n```\n\n#### HTTP/HTTPS proxy\n\nUse a package like [`node-fetch-native`](https://github.com/unjs/node-fetch-native) to add proxy support, either through environment variables or explicit configuration.\n\n```ts\n// npm install node-fetch-native --save\nimport {fetch} from 'node-fetch-native/proxy'\n\nconst es = new EventSource('https://my-server.com/sse', {\n fetch: (input, init) => fetch(input, init),\n})\n```\n\n#### Allow unauthorized HTTPS requests\n\nUse a package like [`undici`](https://github.com/nodejs/undici) for more control of fetch options through the use of an [`Agent`](https://undici.nodejs.org/#/docs/api/Agent.md).\n\n```ts\n// npm install undici --save\nimport {fetch, Agent} from 'undici'\n\nawait fetch('https://my-server.com/sse', {\n dispatcher: new Agent({\n connect: {\n rejectUnauthorized: false,\n },\n }),\n})\n```\n\n## License\n\nMIT-licensed. See [LICENSE](LICENSE).\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/eventsource/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/expect-type/README.md ---\n# expect-type\n\n[![CI](https://github.com/mmkal/expect-type/actions/workflows/ci.yml/badge.svg)](https://github.com/mmkal/expect-type/actions/workflows/ci.yml)\n![npm](https://img.shields.io/npm/dt/expect-type)\n[![X (formerly Twitter) Follow](https://img.shields.io/twitter/follow/mmkal)](https://x.com/mmkalmmkal)\n\nCompile-time tests for types. Useful to make sure types don't regress into being overly permissive as changes go in over time.\n\nSimilar to `expect`, but with type-awareness. Gives you access to several type-matchers that let you make assertions about the form of a reference or generic type parameter.\n\n```ts\nimport {expectTypeOf} from 'expect-type'\nimport {foo, bar} from '../foo'\n\n// make sure `foo` has type {a: number}\nexpectTypeOf(foo).toEqualTypeOf<{a: number}>()\n\n// make sure `bar` is a function taking a string:\nexpectTypeOf(bar).parameter(0).toBeString()\nexpectTypeOf(bar).returns.not.toBeAny()\n```\n\nIt can be used in your existing test files (and is actually [built in to vitest](https://vitest.dev/guide/testing-types)). Or it can be used in any other type-checked file you'd like - it's built into existing tooling with no dependencies. No extra build step, cli tool, IDE extension, or lint plugin is needed. Just import the function and start writing tests. Failures will be at compile time - they'll appear in your IDE and when you run `tsc`.\n\nSee below for lots more examples.\n\n## Contents\n<!-- codegen:start {preset: markdownTOC, minDepth: 2, maxDepth: 5} -->\n- [Contents](#contents)\n- [Installation and usage](#installation-and-usage)\n- [Documentation](#documentation)\n - [Features](#features)\n - [Why is my assertion failing?](#why-is-my-assertion-failing)\n - [Why is `.toMatchTypeOf` deprecated?](#why-is-tomatchtypeof-deprecated)\n - [Internal type helpers](#internal-type-helpers)\n - [Error messages](#error-messages)\n - [Concrete \"expected\" objects vs type arguments](#concrete-expected-objects-vs-type-arguments)\n - [Overloaded functions](#overloaded-functions)\n - [Within test frameworks](#within-test-frameworks)\n - [Vitest](#vitest)\n - [Jest & `eslint-plugin-jest`](#jest--eslint-plugin-jest)\n - [Limitations](#limitations)\n- [Similar projects](#similar-projects)\n - [Comparison](#comparison)\n- [TypeScript backwards-compatibility](#typescript-backwards-compatibility)\n- [Contributing](#contributing)\n - [Documentation of limitations through tests](#documentation-of-limitations-through-tests)\n<!-- codegen:end -->\n\n## Installation and usage\n\n```cli\nnpm install expect-type --save-dev\n```\n\n```typescript\nimport {expectTypeOf} from 'expect-type'\n```\n\n## Documentation\n\nThe `expectTypeOf` method takes a single argument or a generic type parameter. Neither it nor the functions chained off its return value have any meaningful runtime behaviour. The assertions you write will be _compile-time_ errors if they don't hold true.\n\n### Features\n\n<!-- codegen:start {preset: markdownFromTests, source: test/usage.test.ts} -->\nCheck an object's type with `.toEqualTypeOf`:\n\n```typescript\nexpectTypeOf({a: 1}).toEqualTypeOf<{a: number}>()\n```\n\n`.toEqualTypeOf` can check that two concrete objects have equivalent types (note: when these assertions _fail_, the error messages can be less informative vs the generic type argument syntax above - see [error messages docs](#error-messages)):\n\n```typescript\nexpectTypeOf({a: 1}).toEqualTypeOf({a: 1})\n```\n\n`.toEqualTypeOf` succeeds for objects with different values, but the same type:\n\n```typescript\nexpectTypeOf({a: 1}).toEqualTypeOf({a: 2})\n```\n\n`.toEqualTypeOf` fails on excess properties:\n\n```typescript\n// @ts-expect-error\nexpectTypeOf({a: 1, b: 1}).toEqualTypeOf<{a: number}>()\n```\n\nTo allow for extra properties on an object type, use `.toMatchObjectType`. This is a strict check, but only on the subset of keys that are in the expected type:\n\n```typescript\nexpectTypeOf({a: 1, b: 1}).toMatchObjectType<{a: number}>()\n```\n\n`.toMatchObjectType` can check partial matches on deeply nested objects:\n\n```typescript\nconst user = {\n email: 'a@b.com',\n name: 'John Doe',\n address: {street: '123 2nd St', city: 'New York', zip: '10001', state: 'NY', country: 'USA'},\n}\n\nexpectTypeOf(user).toMatchObjectType<{name: string; address: {city: string}}>()\n```\n\nTo check that a type extends another type, use `.toExtend`:\n\n```typescript\nexpectTypeOf('some string').toExtend<string | boolean>()\n// @ts-expect-error\nexpectTypeOf({a: 1}).toExtend<{b: number}>()\n```\n\n`.toExtend` can be used with object types, but `.toMatchObjectType` is usually a better choice when dealing with objects, since it's stricter:\n\n```typescript\nexpectTypeOf({a: 1, b: 2}).toExtend<{a: number}>() // avoid this\nexpectTypeOf({a: 1, b: 2}).toMatchObjectType<{a: number}>() // prefer this\n```\n\n`.toEqualTypeOf`, `.toMatchObjectType`, and `.toExtend` all fail on missing properties:\n\n```typescript\n// @ts-expect-error\nexpectTypeOf({a: 1}).toEqualTypeOf<{a: number; b: number}>()\n// @ts-expect-error\nexpectTypeOf({a: 1}).toMatchObjectType<{a: number; b: number}>()\n// @ts-expect-error\nexpectTypeOf({a: 1}).toExtend<{a: number; b: number}>()\n```\n\nAnother example of the difference between `.toExtend`, `.toMatchObjectType`, and `.toEqualTypeOf`. `.toExtend` can be used for \"is-a\" relationships:\n\n```typescript\ntype Fruit = {type: 'Fruit'; edible: boolean}\ntype Apple = {type: 'Fruit'; name: 'Apple'; edible: true}\n\nexpectTypeOf<Apple>().toExtend<Fruit>()\n\n// @ts-expect-error - the `editable` property isn't an exact match. In `Apple`, it's `true`, which extends `boolean`, but they're not identical.\nexpectTypeOf<Apple>().toMatchObjectType<Fruit>()\n\n// @ts-expect-error - Apple is not an identical type to Fruit, it's a subtype\nexpectTypeOf<Apple>().toEqualTypeOf<Fruit>()\n\n// @ts-expect-error - Apple is a Fruit, but not vice versa\nexpectTypeOf<Fruit>().toExtend<Apple>()\n```\n\nAssertions can be inverted with `.not`:\n\n```typescript\nexpectTypeOf({a: 1}).not.toExtend<{b: 1}>()\nexpectTypeOf({a: 1}).not.toMatchObjectType<{b: 1}>()\n```\n\n`.not` can be easier than relying on `// @ts-expect-error`:\n\n```typescript\ntype Fruit = {type: 'Fruit'; edible: boolean}\ntype Apple = {type: 'Fruit'; name: 'Apple'; edible: true}\n\nexpectTypeOf<Apple>().toExtend<Fruit>()\n\nexpectTypeOf<Fruit>().not.toExtend<Apple>()\nexpectTypeOf<Apple>().not.toEqualTypeOf<Fruit>()\n```\n\nCatch any/unknown/never types:\n\n```typescript\nexpectTypeOf<unknown>().toBeUnknown()\nexpectTypeOf<any>().toBeAny()\nexpectTypeOf<never>().toBeNever()\n\n// @ts-expect-error\nexpectTypeOf<never>().toBeNumber()\n```\n\n`.toEqualTypeOf` distinguishes between deeply-nested `any` and `unknown` properties:\n\n```typescript\nexpectTypeOf<{deeply: {nested: any}}>().not.toEqualTypeOf<{deeply: {nested: unknown}}>()\n```\n\nYou can test for basic JavaScript types:\n\n```typescript\nexpectTypeOf(() => 1).toBeFunction()\nexpectTypeOf({}).toBeObject()\nexpectTypeOf([]).toBeArray()\nexpectTypeOf('').toBeString()\nexpectTypeOf(1).toBeNumber()\nexpectTypeOf(true).toBeBoolean()\nexpectTypeOf(() => {}).returns.toBeVoid()\nexpectTypeOf(Promise.resolve(123)).resolves.toBeNumber()\nexpectTypeOf(Symbol(1)).toBeSymbol()\nexpectTypeOf(1n).toBeBigInt()\n```\n\n`.toBe...` methods allow for types that extend the expected type:\n\n```typescript\nexpectTypeOf<number>().toBeNumber()\nexpectTypeOf<1>().toBeNumber()\n\nexpectTypeOf<any[]>().toBeArray()\nexpectTypeOf<number[]>().toBeArray()\n\nexpectTypeOf<string>().toBeString()\nexpectTypeOf<'foo'>().toBeString()\n\nexpectTypeOf<boolean>().toBeBoolean()\nexpectTypeOf<true>().toBeBoolean()\n\nexpectTypeOf<bigint>().toBeBigInt()\nexpectTypeOf<0n>().toBeBigInt()\n```\n\n`.toBe...` methods protect against `any`:\n\n```typescript\nconst goodIntParser = (s: string) => Number.parseInt(s, 10)\nconst badIntParser = (s: string) => JSON.parse(s) // uh-oh - works at runtime if the input is a number, but return 'any'\n\nexpectTypeOf(goodIntParser).returns.toBeNumber()\n// @ts-expect-error - if you write a test like this, `.toBeNumber()` will let you know your implementation returns `any`.\nexpectTypeOf(badIntParser).returns.toBeNumber()\n```\n\nNullable types:\n\n```typescript\nexpectTypeOf(undefined).toBeUndefined()\nexpectTypeOf(undefined).toBeNullable()\nexpectTypeOf(undefined).not.toBeNull()\n\nexpectTypeOf(null).toBeNull()\nexpectTypeOf(null).toBeNullable()\nexpectTypeOf(null).not.toBeUndefined()\n\nexpectTypeOf<1 | undefined>().toBeNullable()\nexpectTypeOf<1 | null>().toBeNullable()\nexpectTypeOf<1 | undefined | null>().toBeNullable()\n```\n\nMore `.not` examples:\n\n```typescript\nexpectTypeOf(1).not.toBeUnknown()\nexpectTypeOf(1).not.toBeAny()\nexpectTypeOf(1).not.toBeNever()\nexpectTypeOf(1).not.toBeNull()\nexpectTypeOf(1).not.toBeUndefined()\nexpectTypeOf(1).not.toBeNullable()\nexpectTypeOf(1).not.toBeBigInt()\n```\n\nDetect assignability of unioned types:\n\n```typescript\nexpectTypeOf<number>().toExtend<string | number>()\nexpectTypeOf<string | number>().not.toExtend<number>()\n```\n\nUse `.extract` and `.exclude` to narrow down complex union types:\n\n```typescript\ntype ResponsiveProp<T> = T | T[] | {xs?: T; sm?: T; md?: T}\nconst getResponsiveProp = <T>(_props: T): ResponsiveProp<T> => ({})\ntype CSSProperties = {margin?: string; padding?: string}\n\nconst cssProperties: CSSProperties = {margin: '1px', padding: '2px'}\n\nexpectTypeOf(getResponsiveProp(cssProperties))\n .exclude<unknown[]>()\n .exclude<{xs?: unknown}>()\n .toEqualTypeOf<CSSProperties>()\n\nexpectTypeOf(getResponsiveProp(cssProperties))\n .extract<unknown[]>()\n .toEqualTypeOf<CSSProperties[]>()\n\nexpectTypeOf(getResponsiveProp(cssProperties))\n .extract<{xs?: any}>()\n .toEqualTypeOf<{xs?: CSSProperties; sm?: CSSProperties; md?: CSSProperties}>()\n\nexpectTypeOf<ResponsiveProp<number>>().exclude<number | number[]>().toHaveProperty('sm')\nexpectTypeOf<ResponsiveProp<number>>().exclude<number | number[]>().not.toHaveProperty('xxl')\n```\n\n`.extract` and `.exclude` return never if no types remain after exclusion:\n\n```typescript\ntype Person = {name: string; age: number}\ntype Customer = Person & {customerId: string}\ntype Employee = Person & {employeeId: string}\n\nexpectTypeOf<Customer | Employee>().extract<{foo: string}>().toBeNever()\nexpectTypeOf<Customer | Employee>().exclude<{name: string}>().toBeNever()\n```\n\nUse `.pick` to pick a set of properties from an object:\n\n```typescript\ntype Person = {name: string; age: number}\n\nexpectTypeOf<Person>().pick<'name'>().toEqualTypeOf<{name: string}>()\n```\n\nUse `.omit` to remove a set of properties from an object:\n\n```typescript\ntype Person = {name: string; age: number}\n\nexpectTypeOf<Person>().omit<'name'>().toEqualTypeOf<{age: number}>()\n```\n\nMake assertions about object properties:\n\n```typescript\nconst obj = {a: 1, b: ''}\n\n// check that properties exist (or don't) with `.toHaveProperty`\nexpectTypeOf(obj).toHaveProperty('a')\nexpectTypeOf(obj).not.toHaveProperty('c')\n\n// check types of properties\nexpectTypeOf(obj).toHaveProperty('a').toBeNumber()\nexpectTypeOf(obj).toHaveProperty('b').toBeString()\nexpectTypeOf(obj).toHaveProperty('a').not.toBeString()\n```\n\n`.toEqualTypeOf` can be used to distinguish between functions:\n\n```typescript\ntype NoParam = () => void\ntype HasParam = (s: string) => void\n\nexpectTypeOf<NoParam>().not.toEqualTypeOf<HasParam>()\n```\n\nBut often it's preferable to use `.parameters` or `.returns` for more specific function assertions:\n\n```typescript\ntype NoParam = () => void\ntype HasParam = (s: string) => void\n\nexpectTypeOf<NoParam>().parameters.toEqualTypeOf<[]>()\nexpectTypeOf<NoParam>().returns.toBeVoid()\n\nexpectTypeOf<HasParam>().parameters.toEqualTypeOf<[string]>()\nexpectTypeOf<HasParam>().returns.toBeVoid()\n```\n\nUp to ten overloads will produce union types for `.parameters` and `.returns`:\n\n```typescript\ntype Factorize = {\n (input: number): number[]\n (input: bigint): bigint[]\n}\n\nexpectTypeOf<Factorize>().parameters.not.toEqualTypeOf<[number]>()\nexpectTypeOf<Factorize>().parameters.toEqualTypeOf<[number] | [bigint]>()\nexpectTypeOf<Factorize>().returns.toEqualTypeOf<number[] | bigint[]>()\n\nexpectTypeOf<Factorize>().parameter(0).toEqualTypeOf<number | bigint>()\n```\n\nNote that these aren't exactly like TypeScript's built-in Parameters<...> and ReturnType<...>:\n\nThe TypeScript builtins simply choose a single overload (see the [Overloaded functions](#overloaded-functions) section for more information)\n\n```typescript\ntype Factorize = {\n (input: number): number[]\n (input: bigint): bigint[]\n}\n\n// overload using `number` is ignored!\nexpectTypeOf<Parameters<Factorize>>().toEqualTypeOf<[bigint]>()\nexpectTypeOf<ReturnType<Factorize>>().toEqualTypeOf<bigint[]>()\n```\n\nMore examples of ways to work with functions - parameters using `.parameter(n)` or `.parameters`, and return values using `.returns`:\n\n```typescript\nconst f = (a: number) => [a, a]\n\nexpectTypeOf(f).toBeFunction()\n\nexpectTypeOf(f).toBeCallableWith(1)\nexpectTypeOf(f).not.toBeAny()\nexpectTypeOf(f).returns.not.toBeAny()\nexpectTypeOf(f).returns.toEqualTypeOf([1, 2])\nexpectTypeOf(f).returns.toEqualTypeOf([1, 2, 3])\nexpectTypeOf(f).parameter(0).not.toEqualTypeOf('1')\nexpectTypeOf(f).parameter(0).toEqualTypeOf(1)\nexpectTypeOf(1).parameter(0).toBeNever()\n\nconst twoArgFunc = (a: number, b: string) => ({a, b})\n\nexpectTypeOf(twoArgFunc).parameters.toEqualTypeOf<[number, string]>()\n```\n\n`.toBeCallableWith` allows for overloads. You can also use it to narrow down the return type for given input parameters.:\n\n```typescript\ntype Factorize = {\n (input: number): number[]\n (input: bigint): bigint[]\n}\n\nexpectTypeOf<Factorize>().toBeCallableWith(6)\nexpectTypeOf<Factorize>().toBeCallableWith(6n)\n```\n\n`.toBeCallableWith` returns a type that can be used to narrow down the return type for given input parameters.:\n\n```typescript\ntype Factorize = {\n (input: number): number[]\n (input: bigint): bigint[]\n}\nexpectTypeOf<Factorize>().toBeCallableWith(6).returns.toEqualTypeOf<number[]>()\nexpectTypeOf<Factorize>().toBeCallableWith(6n).returns.toEqualTypeOf<bigint[]>()\n```\n\n`.toBeCallableWith` can be used to narrow down the parameters of a function:\n\n```typescript\ntype Delete = {\n (path: string): void\n (paths: string[], options?: {force: boolean}): void\n}\n\nexpectTypeOf<Delete>().toBeCallableWith('abc').parameters.toEqualTypeOf<[string]>()\nexpectTypeOf<Delete>()\n .toBeCallableWith(['abc', 'def'], {force: true})\n .parameters.toEqualTypeOf<[string[], {force: boolean}?]>()\n\nexpectTypeOf<Delete>().toBeCallableWith('abc').parameter(0).toBeString()\nexpectTypeOf<Delete>().toBeCallableWith('abc').parameter(1).toBeUndefined()\n\nexpectTypeOf<Delete>()\n .toBeCallableWith(['abc', 'def', 'ghi'])\n .parameter(0)\n .toEqualTypeOf<string[]>()\n\nexpectTypeOf<Delete>()\n .toBeCallableWith(['abc', 'def', 'ghi'])\n .parameter(1)\n .toEqualTypeOf<{force: boolean} | undefined>()\n```\n\nYou can't use `.toBeCallableWith` with `.not` - you need to use ts-expect-error::\n\n```typescript\nconst f = (a: number) => [a, a]\n\n// @ts-expect-error\nexpectTypeOf(f).toBeCallableWith('foo')\n```\n\nUse `.map` to transform types:\n\nThis can be useful for generic functions or complex types which you can't access via `.toBeCallableWith`, `.toHaveProperty` etc. The callback function isn't called at runtime, which can make this a useful way to get complex inferred types without worrying about running code.\n\n```typescript\nconst capitalize = <S extends string>(input: S) =>\n (input.slice(0, 1).toUpperCase() + input.slice(1)) as Capitalize<S>\n\nexpectTypeOf(capitalize)\n .map(fn => fn('hello world'))\n .toEqualTypeOf<'Hello world'>()\n```\n\nYou can also check type guards & type assertions:\n\n```typescript\nconst assertNumber = (v: any): asserts v is number => {\n if (typeof v !== 'number') {\n throw new TypeError('Nope !')\n }\n}\n\nexpectTypeOf(assertNumber).asserts.toBeNumber()\n\nconst isString = (v: any): v is string => typeof v === 'string'\n\nexpectTypeOf(isString).guards.toBeString()\n\nconst isBigInt = (value: any): value is bigint => typeof value === 'bigint'\n\nexpectTypeOf(isBigInt).guards.toBeBigInt()\n```\n\nAssert on constructor parameters:\n\n```typescript\nexpectTypeOf(Date).toBeConstructibleWith('1970')\nexpectTypeOf(Date).toBeConstructibleWith(0)\nexpectTypeOf(Date).toBeConstructibleWith(new Date())\nexpectTypeOf(Date).toBeConstructibleWith()\n\nexpectTypeOf(Date).constructorParameters.toEqualTypeOf<\n | []\n | [value: string | number]\n | [value: string | number | Date]\n | [\n year: number,\n monthIndex: number,\n date?: number | undefined,\n hours?: number | undefined,\n minutes?: number | undefined,\n seconds?: number | undefined,\n ms?: number | undefined,\n ]\n>()\n```\n\nConstructor overloads:\n\n```typescript\nclass DBConnection {\n constructor()\n constructor(connectionString: string)\n constructor(options: {host: string; port: number})\n constructor(..._: unknown[]) {}\n}\n\nexpectTypeOf(DBConnection).toBeConstructibleWith()\nexpectTypeOf(DBConnection).toBeConstructibleWith('localhost')\nexpectTypeOf(DBConnection).toBeConstructibleWith({host: 'localhost', port: 1234})\n// @ts-expect-error - as when calling `new DBConnection(...)` you can't actually use the `(...args: unknown[])` overlaod, it's purely for the implementation.\nexpectTypeOf(DBConnection).toBeConstructibleWith(1, 2)\n```\n\nCheck function `this` parameters:\n\n```typescript\nfunction greet(this: {name: string}, message: string) {\n return `Hello ${this.name}, here's your message: ${message}`\n}\n\nexpectTypeOf(greet).thisParameter.toEqualTypeOf<{name: string}>()\n```\n\nDistinguish between functions with different `this` parameters:\n\n```typescript\nfunction greetFormal(this: {title: string; name: string}, message: string) {\n return `Dear ${this.title} ${this.name}, here's your message: ${message}`\n}\n\nfunction greetCasual(this: {name: string}, message: string) {\n return `Hi ${this.name}, here's your message: ${message}`\n}\n\nexpectTypeOf(greetFormal).not.toEqualTypeOf(greetCasual)\n```\n\nClass instance types:\n\n```typescript\nexpectTypeOf(Date).instance.toHaveProperty('toISOString')\n```\n\nPromise resolution types can be checked with `.resolves`:\n\n```typescript\nconst asyncFunc = async () => 123\n\nexpectTypeOf(asyncFunc).returns.resolves.toBeNumber()\n```\n\nArray items can be checked with `.items`:\n\n```typescript\nexpectTypeOf([1, 2, 3]).items.toBeNumber()\nexpectTypeOf([1, 2, 3]).items.not.toBeString()\n```\n\nYou can also compare arrays directly:\n\n```typescript\nexpectTypeOf<any[]>().not.toEqualTypeOf<number[]>()\n```\n\nCheck that functions never return:\n\n```typescript\nconst thrower = () => {\n throw new Error('oh no')\n}\n\nexpectTypeOf(thrower).returns.toBeNever()\n```\n\nGenerics can be used rather than references:\n\n```typescript\nexpectTypeOf<{a: string}>().not.toEqualTypeOf<{a: number}>()\n```\n\nDistinguish between missing/null/optional properties:\n\n```typescript\nexpectTypeOf<{a?: number}>().not.toEqualTypeOf<{}>()\nexpectTypeOf<{a?: number}>().not.toEqualTypeOf<{a: number}>()\nexpectTypeOf<{a?: number}>().not.toEqualTypeOf<{a: number | undefined}>()\nexpectTypeOf<{a?: number | null}>().not.toEqualTypeOf<{a: number | null}>()\nexpectTypeOf<{a: {b?: number}}>().not.toEqualTypeOf<{a: {}}>()\n```\n\nDetect the difference between regular and `readonly` properties:\n\n```typescript\ntype A1 = {readonly a: string; b: string}\ntype E1 = {a: string; b: string}\n\nexpectTypeOf<A1>().toExtend<E1>()\nexpectTypeOf<A1>().not.toEqualTypeOf<E1>()\n\ntype A2 = {a: string; b: {readonly c: string}}\ntype E2 = {a: string; b: {c: string}}\n\nexpectTypeOf<A2>().toExtend<E2>()\nexpectTypeOf<A2>().not.toEqualTypeOf<E2>()\n```\n\nDistinguish between classes with different constructors:\n\n```typescript\nclass A {\n value: number\n constructor(a: 1) {\n this.value = a\n }\n}\nclass B {\n value: number\n constructor(b: 2) {\n this.value = b\n }\n}\n\nexpectTypeOf<typeof A>().not.toEqualTypeOf<typeof B>()\n\nclass C {\n value: number\n constructor(c: 1) {\n this.value = c\n }\n}\n\nexpectTypeOf<typeof A>().toEqualTypeOf<typeof C>()\n```\n\nKnown limitation: Intersection types can cause issues with `toEqualTypeOf`:\n\n```typescript\n// @ts-expect-error the following line doesn't compile, even though the types are arguably the same.\n// See https://github.com/mmkal/expect-type/pull/21\nexpectTypeOf<{a: 1} & {b: 2}>().toEqualTypeOf<{a: 1; b: 2}>()\n```\n\nTo workaround for simple cases, you can use a mapped type:\n\n```typescript\ntype Simplify<T> = {[K in keyof T]: T[K]}\n\nexpectTypeOf<Simplify<{a: 1} & {b: 2}>>().toEqualTypeOf<{a: 1; b: 2}>()\n```\n\nBut this won't work if the nesting is deeper in the type. For these situations, you can use the `.branded` helper. Note that this comes at a performance cost, and can cause the compiler to 'give up' if used with excessively deep types, so use sparingly. This helper is under `.branded` because it deeply transforms the Actual and Expected types into a pseudo-AST:\n\n```typescript\n// @ts-expect-error\nexpectTypeOf<{a: {b: 1} & {c: 1}}>().toEqualTypeOf<{a: {b: 1; c: 1}}>()\n\nexpectTypeOf<{a: {b: 1} & {c: 1}}>().branded.toEqualTypeOf<{a: {b: 1; c: 1}}>()\n```\n\nBe careful with `.branded` for very deep or complex types, though. If possible you should find a way to simplify your test to avoid needing to use it:\n\n```typescript\n// This *should* result in an error, but the \"branding\" mechanism produces too large a type and TypeScript just gives up! https://github.com/microsoft/TypeScript/issues/50670\nexpectTypeOf<() => () => () => () => 1>().branded.toEqualTypeOf<() => () => () => () => 2>()\n\n// @ts-expect-error the non-branded implementation catches the error as expected.\nexpectTypeOf<() => () => () => () => 1>().toEqualTypeOf<() => () => () => () => 2>()\n```\n\nSo, if you have an extremely deep type that ALSO has an intersection in it, you're out of luck and this library won't be able to test your type properly:\n\n```typescript\n// @ts-expect-error this fails, but it should succeed.\nexpectTypeOf<() => () => () => () => {a: 1} & {b: 2}>().toEqualTypeOf<\n () => () => () => () => {a: 1; b: 2}\n>()\n\n// this succeeds, but it should fail.\nexpectTypeOf<() => () => () => () => {a: 1} & {b: 2}>().branded.toEqualTypeOf<\n () => () => () => () => {a: 1; c: 2}\n>()\n```\n\nAnother limitation: passing `this` references to `expectTypeOf` results in errors.:\n\n```typescript\nclass B {\n b = 'b'\n\n foo() {\n // @ts-expect-error\n expectTypeOf(this).toEqualTypeOf(this)\n }\n}\n\n// Instead of the above, try something like this:\nexpectTypeOf(B).instance.toEqualTypeOf<{b: string; foo: () => void}>()\n```\n<!-- codegen:end -->\n\nOverloads limitation for TypeScript <5.3: Due to a [TypeScript bug fixed in 5.3](https://github.com/microsoft/TypeScript/issues/28867), overloaded functions which include an overload resembling `(...args: unknown[]) => unknown` will exclude `unknown[]` from `.parameters` and exclude `unknown` from `.returns`:\n\n```typescript\ntype Factorize = {\n (...args: unknown[]): unknown\n (input: number): number[]\n (input: bigint): bigint[]\n}\n\nexpectTypeOf<Factorize>().parameters.toEqualTypeOf<[number] | [bigint]>()\nexpectTypeOf<Factorize>().returns.toEqualTypeOf<number[] | bigint[]>()\n```\n\nThis overload, however, allows any input and returns an unknown output anyway, so it's not very useful. If you are worried about this for some reason, you'll have to update TypeScript to 5.3+.\n\n### Why is my assertion failing?\n\nFor complex types, an assertion might fail when it should if the `Actual` type contains a deeply-nested intersection type but the `Expected` doesn't. In these cases you can use `.branded` as described above:\n\n```typescript\n// @ts-expect-error this unfortunately fails - a TypeScript limitation prevents making this pass without a big perf hit\nexpectTypeOf<{a: {b: 1} & {c: 1}}>().toEqualTypeOf<{a: {b: 1; c: 1}}>()\n\nexpectTypeOf<{a: {b: 1} & {c: 1}}>().branded.toEqualTypeOf<{a: {b: 1; c: 1}}>()\n```\n\n### Why is `.toMatchTypeOf` deprecated?\n\nThe `.toMatchTypeOf` method is deprecated in favour of `.toMatchObjectType` (when strictly checking against an object type with a subset of keys), or `.toExtend` (when checking for \"is-a\" relationships). There are no foreseeable plans to remove `.toMatchTypeOf`, but there's no reason to continue using it - `.toMatchObjectType` is stricter, and `.toExtend` is identical.\n\n### Internal type helpers\n\n🚧 This library also exports some helper types for performing boolean operations on types, checking extension/equality in various ways, branding types, and checking for various special types like `never`, `any`, `unknown`. Use at your own risk! Nothing is stopping you from using these beyond this warning:\n\n>All internal types that are not documented here are _not_ part of the supported API surface, and may be renamed, modified, or removed, without warning or documentation in release notes.\n\nFor a dedicated internal type library, feel free to look at the [source code](./src/index.ts) for inspiration - or better, use a library like [type-fest](https://npmjs.com/package/type-fest).\n\n### Error messages\n\nWhen types don't match, `.toEqualTypeOf` and `.toMatchTypeOf` use a special helper type to produce error messages that are as actionable as possible. But there's a bit of a nuance to understanding them. Since the assertions are written \"fluently\", the failure should be on the \"expected\" type, not the \"actual\" type (`expect<Actual>().toEqualTypeOf<Expected>()`). This means that type errors can be a little confusing - so this library produces a `MismatchInfo` type to try to make explicit what the expectation is. For example:\n\n```ts\nexpectTypeOf({a: 1}).toEqualTypeOf<{a: string}>()\n```\n\nIs an assertion that will fail, since `{a: 1}` has type `{a: number}` and not `{a: string}`. The error message in this case will read something like this:\n\n```\ntest/test.ts:999:999 - error TS2344: Type '{ a: string; }' does not satisfy the constraint '{ a: \\\\\"Expected: string, Actual: number\\\\\"; }'.\n Types of property 'a' are incompatible.\n Type 'string' is not assignable to type '\\\\\"Expected: string, Actual: number\\\\\"'.\n\n999 expectTypeOf({a: 1}).toEqualTypeOf<{a: string}>()\n```\n\nNote that the type constraint reported is a human-readable messaging specifying both the \"expected\" and \"actual\" types. Rather than taking the sentence `Types of property 'a' are incompatible // Type 'string' is not assignable to type \"Expected: string, Actual: number\"` literally - just look at the property name (`'a'`) and the message: `Expected: string, Actual: number`. This will tell you what's wrong, in most cases. Extremely complex types will, of course, be more effort to debug, and may require some experimentation. Please [raise an issue](https://github.com/mmkal/expect-type) if the error messages are misleading.\n\nThe `toBe...` methods (like `toBeString`, `toBeNumber`, `toBeVoid`, etc.) fail by resolving to a non-callable type when the `Actual` type under test doesn't match up. For example, the failure for an assertion like `expectTypeOf(1).toBeString()` will look something like this:\n\n```\ntest/test.ts:999:999 - error TS2349: This expression is not callable.\n Type 'ExpectString<number>' has no call signatures.\n\n999 expectTypeOf(1).toBeString()\n ~~~~~~~~~~\n```\n\nThe `This expression is not callable` part isn't all that helpful - the meaningful error is the next line, `Type 'ExpectString<number> has no call signatures`. This essentially means you passed a number but asserted it should be a string.\n\nIf TypeScript added support for [\"throw\" types](https://github.com/microsoft/TypeScript/pull/40468) these error messages could be improved. Until then they will take a certain amount of squinting.\n\n#### Concrete \"expected\" objects vs type arguments\n\nError messages for an assertion like this:\n\n```ts\nexpectTypeOf({a: 1}).toEqualTypeOf({a: ''})\n```\n\nWill be less helpful than for an assertion like this:\n\n```ts\nexpectTypeOf({a: 1}).toEqualTypeOf<{a: string}>()\n```\n\nThis is because the TypeScript compiler needs to infer the type argument for the `.toEqualTypeOf({a: ''})` style and this library can only mark it as a failure by comparing it against a generic `Mismatch` type. So, where possible, use a type argument rather than a concrete type for `.toEqualTypeOf` and `toMatchTypeOf`. If it's much more convenient to compare two concrete types, you can use `typeof`:\n\n```ts\nconst one = valueFromFunctionOne({some: {complex: inputs}})\nconst two = valueFromFunctionTwo({some: {other: inputs}})\n\nexpectTypeOf(one).toEqualTypeof<typeof two>()\n```\n\n### Overloaded functions\n\nDue to a TypeScript [design limitation](https://github.com/microsoft/TypeScript/issues/32164#issuecomment-506810756), the native TypeScript `Parameters<...>` and `ReturnType<...>` helpers only return types from one variant of an overloaded function. This limitation doesn't apply to expect-type, since it is not used to author TypeScript code, only to assert on existing types. So, we use a workaround for this TypeScript behaviour to assert on _all_ overloads as a union (actually, not necessarily _all_ - we cap out at 10 overloads).\n\n### Within test frameworks\n\n### Vitest\n\n`expectTypeOf` is built in to [vitest](https://vitest.dev/guide/testing-types), so you can import `expectTypeOf` from the vitest library directly if you prefer. Note that there is no set release cadence, at time of writing, so vitest may not always be using the very latest version.\n\n```ts\nimport {expectTypeOf} from 'vitest'\nimport {mount} from './mount.js'\n\ntest('my types work properly', () => {\n expectTypeOf(mount).toBeFunction()\n expectTypeOf(mount).parameter(0).toEqualTypeOf<{name: string}>()\n\n expectTypeOf(mount({name: 42})).toBeString()\n})\n```\n\n#### Jest & `eslint-plugin-jest`\n\nIf you're using Jest along with `eslint-plugin-jest`, and you put assertions inside `test(...)` definitions, you may get warnings from the [`jest/expect-expect`](https://github.com/jest-community/eslint-plugin-jest/blob/master/docs/rules/expect-expect.md) rule, complaining that \"Test has no assertions\" for tests that only use `expectTypeOf()`.\n\nTo remove this warning, configure the ESLint rule to consider `expectTypeOf` as an assertion:\n\n```json\n\"rules\": {\n // ...\n \"jest/expect-expect\": [\n \"warn\",\n {\n \"assertFunctionNames\": [\n \"expect\", \"expectTypeOf\"\n ]\n }\n ],\n // ...\n}\n```\n\n### Limitations\n\nA summary of some of the limitations of this library. Some of these are documented more fully elsewhere.\n\n1. Intersection types can result in failures when the expected and actual types are not identically defined, even when they are effectively identical. See [Why is my assertion failing](#why-is-my-assertion-failing) for details. TL;DR: use `.brand` in these cases - and accept the performance hit that it comes with.\n1. `toBeCallableWith` will likely fail if you try to use it with a generic function or an overload. See [this issue](https://github.com/mmkal/expect-type/issues/50) for an example and how to work around it.\n1. (For now) overloaded functions might trip up the `.parameter` and `.parameters` helpers. This matches how the built-in TypeScript helper `Parameters<...>` works. This may be improved in the future though ([see related issue](https://github.com/mmkal/expect-type/issues/30)).\n1. `expectTypeOf(this).toEqualTypeOf(this)` inside class methods does not work.\n\n## Similar projects\n\nOther projects with similar goals:\n\n- [`tsd`](https://github.com/SamVerschueren/tsd) is a CLI that runs the TypeScript type checker over assertions\n- [`ts-expect`](https://github.com/TypeStrong/ts-expect) exports several generic helper types to perform type assertions\n- [`dtslint`](https://github.com/Microsoft/dtslint) does type checks via comment directives and tslint\n- [`type-plus`](https://github.com/unional/type-plus) comes with various type and runtime TypeScript assertions\n- [`static-type-assert`](https://github.com/ksxnodemodules/static-type-assert) type assertion functions\n\n### Comparison\n\nThe key differences in this project are:\n\n- a fluent, jest-inspired API, making the difference between `actual` and `expected` clear. This is helpful with complex types and assertions.\n- inverting assertions intuitively and easily via `expectTypeOf(...).not`\n- checks generics properly and strictly ([tsd doesn't](https://github.com/SamVerschueren/tsd/issues/142))\n- first-class support for:\n - `any` (as well as `unknown` and `never`) (see issues outstanding at time of writing in tsd for [never](https://github.com/SamVerschueren/tsd/issues/78) and [any](https://github.com/SamVerschueren/tsd/issues/82)).\n - This can be especially useful in combination with `not`, to protect against functions returning too-permissive types. For example, `const parseFile = (filename: string) => JSON.parse(readFileSync(filename).toString())` returns `any`, which could lead to errors. After giving it a proper return-type, you can add a test for this with `expect(parseFile).returns.not.toBeAny()`\n - object properties\n - function parameters\n - function return values\n - constructor parameters\n - class instances\n - array item values\n - nullable types\n- assertions on types \"matching\" rather than exact type equality, for \"is-a\" relationships e.g. `expectTypeOf(square).toExtend<Shape>()`\n- built into existing tooling. No extra build step, cli tool, IDE extension, or lint plugin is needed. Just import the function and start writing tests. Failures will be at compile time - they'll appear in your IDE and when you run `tsc`.\n- small implementation with no dependencies. [Take a look!](./src/index.ts) (tsd, for comparison, is [2.6MB](https://bundlephobia.com/result?p=tsd@0.13.1) because it ships a patched version of TypeScript).\n\n## TypeScript backwards-compatibility\n\nThere is a CI job called `test-types` that checks whether the tests still pass with certain older TypeScript versions. To check the supported TypeScript versions, [refer to the job definition](./.github/workflows/ci.yml).\n\n## Contributing\n\nIn most cases, it's worth checking existing issues or creating one to discuss a new feature or a bug fix before opening a pull request.\n\nOnce you're ready to make a pull request: clone the repo, and install pnpm if you don't have it already with `npm install --global pnpm`. Lockfiles for `npm` and `yarn` are gitignored.\n\nIf you're adding a feature, you should write a self-contained usage example in the form of a test, in [test/usage.test.ts](./test/usage.test.ts). This file is used to populate the bulk of this readme using [eslint-plugin-codegen](https://npmjs.com/package/eslint-plugin-codegen), and to generate an [\"errors\" test file](./test/errors.test.ts), which captures the error messages that are emitted for failing assertions by the TypeScript compiler. So, the test name should be written as a human-readable sentence explaining the usage example. Have a look at the existing tests for an idea of the style.\n\nAfter adding the tests, run `npm run lint -- --fix` to update the readme, and `npm test -- --updateSnapshot` to update the errors test. The generated documentation and tests should be pushed to the same branch as the source code, and submitted as a pull request. CI will test that the docs and tests are up to date if you forget to run these commands.\n\n### Documentation of limitations through tests\n\nLimitations of the library are documented through tests in `usage.test.ts`. This means that if a future TypeScript version (or library version) fixes the limitation, the test will start failing, and it will be automatically removed from the documentation once it no longer applies.\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/expect-type/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/fast-deep-equal/README.md ---\n# fast-deep-equal\nThe fastest deep equal with ES6 Map, Set and Typed arrays support.\n\n[![Build Status](https://travis-ci.org/epoberezkin/fast-deep-equal.svg?branch=master)](https://travis-ci.org/epoberezkin/fast-deep-equal)\n[![npm](https://img.shields.io/npm/v/fast-deep-equal.svg)](https://www.npmjs.com/package/fast-deep-equal)\n[![Coverage Status](https://coveralls.io/repos/github/epoberezkin/fast-deep-equal/badge.svg?branch=master)](https://coveralls.io/github/epoberezkin/fast-deep-equal?branch=master)\n\n\n## Install\n\n```bash\nnpm install fast-deep-equal\n```\n\n\n## Features\n\n- ES5 compatible\n- works in node.js (8+) and browsers (IE9+)\n- checks equality of Date and RegExp objects by value.\n\nES6 equal (`require('fast-deep-equal/es6')`) also supports:\n- Maps\n- Sets\n- Typed arrays\n\n\n## Usage\n\n```javascript\nvar equal = require('fast-deep-equal');\nconsole.log(equal({foo: 'bar'}, {foo: 'bar'})); // true\n```\n\nTo support ES6 Maps, Sets and Typed arrays equality use:\n\n```javascript\nvar equal = require('fast-deep-equal/es6');\nconsole.log(equal(Int16Array([1, 2]), Int16Array([1, 2]))); // true\n```\n\nTo use with React (avoiding the traversal of React elements' _owner\nproperty that contains circular references and is not needed when\ncomparing the elements - borrowed from [react-fast-compare](https://github.com/FormidableLabs/react-fast-compare)):\n\n```javascript\nvar equal = require('fast-deep-equal/react');\nvar equal = require('fast-deep-equal/es6/react');\n```\n\n\n## Performance benchmark\n\nNode.js v12.6.0:\n\n```\nfast-deep-equal x 261,950 ops/sec ±0.52% (89 runs sampled)\nfast-deep-equal/es6 x 212,991 ops/sec ±0.34% (92 runs sampled)\nfast-equals x 230,957 ops/sec ±0.83% (85 runs sampled)\nnano-equal x 187,995 ops/sec ±0.53% (88 runs sampled)\nshallow-equal-fuzzy x 138,302 ops/sec ±0.49% (90 runs sampled)\nunderscore.isEqual x 74,423 ops/sec ±0.38% (89 runs sampled)\nlodash.isEqual x 36,637 ops/sec ±0.72% (90 runs sampled)\ndeep-equal x 2,310 ops/sec ±0.37% (90 runs sampled)\ndeep-eql x 35,312 ops/sec ±0.67% (91 runs sampled)\nramda.equals x 12,054 ops/sec ±0.40% (91 runs sampled)\nutil.isDeepStrictEqual x 46,440 ops/sec ±0.43% (90 runs sampled)\nassert.deepStrictEqual x 456 ops/sec ±0.71% (88 runs sampled)\n\nThe fastest is fast-deep-equal\n```\n\nTo run benchmark (requires node.js 6+):\n\n```bash\nnpm run benchmark\n```\n\n__Please note__: this benchmark runs against the available test cases. To choose the most performant library for your application, it is recommended to benchmark against your data and to NOT expect this benchmark to reflect the performance difference in your application.\n\n\n## Enterprise support\n\nfast-deep-equal package is a part of [Tidelift enterprise subscription](https://tidelift.com/subscription/pkg/npm-fast-deep-equal?utm_source=npm-fast-deep-equal&utm_medium=referral&utm_campaign=enterprise&utm_term=repo) - it provides a centralised commercial support to open-source software users, in addition to the support provided by software maintainers.\n\n\n## Security contact\n\nTo report a security vulnerability, please use the\n[Tidelift security contact](https://tidelift.com/security).\nTidelift will coordinate the fix and disclosure. Please do NOT report security vulnerability via GitHub issues.\n\n\n## License\n\n[MIT](https://github.com/epoberezkin/fast-deep-equal/blob/master/LICENSE)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/fast-deep-equal/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/fast-uri/README.md ---\n# fast-uri\n\n<div align=\"center\">\n\n[![NPM version](https://img.shields.io/npm/v/fast-uri.svg?style=flat)](https://www.npmjs.com/package/fast-uri)\n[![CI](https://github.com/fastify/fast-uri/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/fastify/fast-uri/actions/workflows/ci.yml)\n[![neostandard javascript style](https://img.shields.io/badge/code_style-neostandard-brightgreen?style=flat)](https://github.com/neostandard/neostandard)\n\n</div>\n\nDependency-free RFC 3986 URI toolbox.\n\n## Usage\n\n## Options\n\nAll of the above functions can accept an additional options argument that is an object that can contain one or more of the following properties:\n\n*\t`scheme` (string)\n\tIndicates the scheme that the URI should be treated as, overriding the URI's normal scheme parsing behavior.\n\n*\t`reference` (string)\n\tIf set to `\"suffix\"`, it indicates that the URI is in the suffix format and the parser will use the option's `scheme` property to determine the URI's scheme.\n\n*\t`tolerant` (boolean, false)\n\tIf set to `true`, the parser will relax URI resolving rules.\n\n*\t`absolutePath` (boolean, false)\n\tIf set to `true`, the serializer will not resolve a relative `path` component.\n\n*\t`unicodeSupport` (boolean, false)\n\tIf set to `true`, the parser will unescape non-ASCII characters in the parsed output as per [RFC 3987](http://www.ietf.org/rfc/rfc3987.txt).\n\n*\t`domainHost` (boolean, false)\n\tIf set to `true`, the library will treat the `host` component as a domain name, and convert IDNs (International Domain Names) as per [RFC 5891](http://www.ietf.org/rfc/rfc5891.txt).\n\n### Parse\n\n```js\nconst uri = require('fast-uri')\nuri.parse('uri://user:pass@example.com:123/one/two.three?q1=a1&q2=a2#body')\n// Output\n{\n scheme: \"uri\",\n userinfo: \"user:pass\",\n host: \"example.com\",\n port: 123,\n path: \"/one/two.three\",\n query: \"q1=a1&q2=a2\",\n fragment: \"body\"\n}\n```\n\n### Serialize\n\n```js\nconst uri = require('fast-uri')\nuri.serialize({scheme: \"http\", host: \"example.com\", fragment: \"footer\"})\n// Output\n\"http://example.com/#footer\"\n\n```\n\n### Resolve\n\n```js\nconst uri = require('fast-uri')\nuri.resolve(\"uri://a/b/c/d?q\", \"../../g\")\n// Output\n\"uri://a/g\"\n```\n\n### Equal\n\n```js\nconst uri = require('fast-uri')\nuri.equal(\"example://a/b/c/%7Bfoo%7D\", \"eXAMPLE://a/./b/../b/%63/%7bfoo%7d\")\n// Output\ntrue\n```\n\n## Scheme supports\n\nfast-uri supports inserting custom [scheme](http://en.wikipedia.org/wiki/URI_scheme)-dependent processing rules. Currently, fast-uri has built-in support for the following schemes:\n\n*\thttp \\[[RFC 2616](http://www.ietf.org/rfc/rfc2616.txt)\\]\n*\thttps \\[[RFC 2818](http://www.ietf.org/rfc/rfc2818.txt)\\]\n*\tws \\[[RFC 6455](http://www.ietf.org/rfc/rfc6455.txt)\\]\n*\twss \\[[RFC 6455](http://www.ietf.org/rfc/rfc6455.txt)\\]\n*\turn \\[[RFC 2141](http://www.ietf.org/rfc/rfc2141.txt)\\]\n*\turn:uuid \\[[RFC 4122](http://www.ietf.org/rfc/rfc4122.txt)\\]\n\n\n## Benchmarks\n\n```\nfast-uri benchmark\n┌─────────┬──────────────────────────────────────────┬──────────────────┬──────────────────┬────────────────────────┬────────────────────────┬─────────┐\n│ (index) │ Task name │ Latency avg (ns) │ Latency med (ns) │ Throughput avg (ops/s) │ Throughput med (ops/s) │ Samples │\n├─────────┼──────────────────────────────────────────┼──────────────────┼──────────────────┼────────────────────────┼────────────────────────┼─────────┤\n│ 0 │ 'fast-uri: parse domain' │ '951.31 ± 0.75%' │ '875.00 ± 11.00' │ '1122538 ± 0.01%' │ '1142857 ± 14550' │ 1051187 │\n│ 1 │ 'fast-uri: parse IPv4' │ '443.44 ± 0.22%' │ '406.00 ± 3.00' │ '2422762 ± 0.01%' │ '2463054 ± 18335' │ 2255105 │\n│ 2 │ 'fast-uri: parse IPv6' │ '1241.6 ± 1.74%' │ '1131.0 ± 30.00' │ '875177 ± 0.02%' │ '884173 ± 24092' │ 805399 │\n│ 3 │ 'fast-uri: parse URN' │ '689.19 ± 4.29%' │ '618.00 ± 9.00' │ '1598373 ± 0.01%' │ '1618123 ± 23913' │ 1450972 │\n│ 4 │ 'fast-uri: parse URN uuid' │ '1025.4 ± 2.02%' │ '921.00 ± 19.00' │ '1072419 ± 0.02%' │ '1085776 ± 22871' │ 975236 │\n│ 5 │ 'fast-uri: serialize uri' │ '1028.5 ± 0.53%' │ '933.00 ± 43.00' │ '1063310 ± 0.02%' │ '1071811 ± 50523' │ 972249 │\n│ 6 │ 'fast-uri: serialize long uri with dots' │ '1805.1 ± 0.52%' │ '1627.0 ± 17.00' │ '602620 ± 0.02%' │ '614628 ± 6490' │ 553997 │\n│ 7 │ 'fast-uri: serialize IPv6' │ '2569.4 ± 2.69%' │ '2302.0 ± 21.00' │ '426080 ± 0.03%' │ '434405 ± 3999' │ 389194 │\n│ 8 │ 'fast-uri: serialize ws' │ '979.39 ± 0.43%' │ '882.00 ± 8.00' │ '1111665 ± 0.02%' │ '1133787 ± 10378' │ 1021045 │\n│ 9 │ 'fast-uri: resolve' │ '2208.2 ± 1.08%' │ '1980.0 ± 24.00' │ '495001 ± 0.03%' │ '505051 ± 6049' │ 452848 │\n└─────────┴──────────────────────────────────────────┴──────────────────┴──────────────────┴────────────────────────┴────────────────────────┴─────────┘\nuri-js benchmark\n┌─────────┬───────────────────────────────────────┬──────────────────┬──────────────────┬────────────────────────┬────────────────────────┬─────────┐\n│ (index) │ Task name │ Latency avg (ns) │ Latency med (ns) │ Throughput avg (ops/s) │ Throughput med (ops/s) │ Samples │\n├─────────┼───────────────────────────────────────┼──────────────────┼──────────────────┼────────────────────────┼────────────────────────┼─────────┤\n│ 0 │ 'urijs: parse domain' │ '3618.3 ± 0.43%' │ '3314.0 ± 33.00' │ '294875 ± 0.04%' │ '301750 ± 2975' │ 276375 │\n│ 1 │ 'urijs: parse IPv4' │ '4024.1 ± 0.41%' │ '3751.0 ± 25.00' │ '261981 ± 0.04%' │ '266596 ± 1789' │ 248506 │\n│ 2 │ 'urijs: parse IPv6' │ '5417.2 ± 0.46%' │ '4968.0 ± 43.00' │ '196023 ± 0.05%' │ '201288 ± 1727' │ 184598 │\n│ 3 │ 'urijs: parse URN' │ '1324.2 ± 0.23%' │ '1229.0 ± 17.00' │ '801535 ± 0.02%' │ '813670 ± 11413' │ 755185 │\n│ 4 │ 'urijs: parse URN uuid' │ '1822.0 ± 3.08%' │ '1655.0 ± 15.00' │ '594433 ± 0.02%' │ '604230 ± 5427' │ 548843 │\n│ 5 │ 'urijs: serialize uri' │ '4196.8 ± 0.36%' │ '3908.0 ± 27.00' │ '251146 ± 0.04%' │ '255885 ± 1756' │ 238276 │\n│ 6 │ 'urijs: serialize long uri with dots' │ '8331.0 ± 1.30%' │ '7658.0 ± 72.00' │ '126440 ± 0.07%' │ '130582 ± 1239' │ 120034 │\n│ 7 │ 'urijs: serialize IPv6' │ '5685.5 ± 0.30%' │ '5366.0 ± 33.00' │ '182632 ± 0.05%' │ '186359 ± 1153' │ 175886 │\n│ 8 │ 'urijs: serialize ws' │ '4159.3 ± 0.20%' │ '3899.0 ± 28.00' │ '250459 ± 0.04%' │ '256476 ± 1855' │ 240423 │\n│ 9 │ 'urijs: resolve' │ '6729.9 ± 0.39%' │ '6261.0 ± 37.00' │ '156361 ± 0.06%' │ '159719 ± 949' │ 148591 │\n└─────────┴───────────────────────────────────────┴──────────────────┴──────────────────┴────────────────────────┴────────────────────────┴─────────┘\nWHATWG URL benchmark\n┌─────────┬────────────────────────────┬──────────────────┬──────────────────┬────────────────────────┬────────────────────────┬─────────┐\n│ (index) │ Task name │ Latency avg (ns) │ Latency med (ns) │ Throughput avg (ops/s) │ Throughput med (ops/s) │ Samples │\n├─────────┼────────────────────────────┼──────────────────┼──────────────────┼────────────────────────┼────────────────────────┼─────────┤\n│ 0 │ 'WHATWG URL: parse domain' │ '475.22 ± 0.20%' │ '444.00 ± 5.00' │ '2217599 ± 0.01%' │ '2252252 ± 25652' │ 2104289 │\n│ 1 │ 'WHATWG URL: parse URN' │ '384.78 ± 0.85%' │ '350.00 ± 5.00' │ '2809071 ± 0.01%' │ '2857143 ± 41408' │ 2598885 │\n└─────────┴────────────────────────────┴──────────────────┴──────────────────┴────────────────────────┴────────────────────────┴─────────┘\n```\n\n## TODO\n\n- [ ] Support MailTo\n- [ ] Be 100% iso compatible with uri-js\n\n## License\n\nLicensed under [BSD-3-Clause](./LICENSE).\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/fast-uri/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/fdir/README.md ---\n<p align=\"center\">\n<img src=\"https://github.com/thecodrr/fdir/raw/master/assets/fdir.gif\" width=\"75%\"/>\n\n<h1 align=\"center\">The Fastest Directory Crawler & Globber for NodeJS</h1>\n<p align=\"center\">\n <a href=\"https://www.npmjs.com/package/fdir\"><img src=\"https://img.shields.io/npm/v/fdir?style=for-the-badge\"/></a>\n <a href=\"https://www.npmjs.com/package/fdir\"><img src=\"https://img.shields.io/npm/dw/fdir?style=for-the-badge\"/></a>\n <a href=\"https://codeclimate.com/github/thecodrr/fdir/maintainability\"><img src=\"https://img.shields.io/codeclimate/maintainability-percentage/thecodrr/fdir?style=for-the-badge\"/></a>\n <a href=\"https://coveralls.io/github/thecodrr/fdir?branch=master\"><img src=\"https://img.shields.io/coveralls/github/thecodrr/fdir?style=for-the-badge\"/></a>\n <a href=\"https://www.npmjs.com/package/fdir\"><img src=\"https://img.shields.io/bundlephobia/minzip/fdir?style=for-the-badge\"/></a>\n <a href=\"https://www.producthunt.com/posts/fdir-every-millisecond-matters\"><img src=\"https://img.shields.io/badge/ProductHunt-Upvote-red?style=for-the-badge&logo=product-hunt\"/></a>\n <a href=\"https://dev.to/thecodrr/how-i-wrote-the-fastest-directory-crawler-ever-3p9c\"><img src=\"https://img.shields.io/badge/dev.to-Read%20Blog-black?style=for-the-badge&logo=dev.to\"/></a>\n <a href=\"./LICENSE\"><img src=\"https://img.shields.io/github/license/thecodrr/fdir?style=for-the-badge\"/></a>\n</p>\n</p>\n\n⚡ **The Fastest:** Nothing similar (in the NodeJS world) beats `fdir` in speed. It can easily crawl a directory containing **1 million files in < 1 second.**\n\n💡 **Stupidly Easy:** `fdir` uses expressive Builder pattern to build the crawler increasing code readability.\n\n🤖 **Zero Dependencies\\*:** `fdir` only uses NodeJS `fs` & `path` modules.\n\n🕺 **Astonishingly Small:** < 2KB in size gzipped & minified.\n\n🖮 **Hackable:** Extending `fdir` is extremely simple now that the new Builder API is here. Feel free to experiment around.\n\n_\\* `picomatch` must be installed manually by the user to support globbing._\n\n## 🚄 Quickstart\n\n### Installation\n\nYou can install using `npm`:\n\n```sh\n$ npm i fdir\n```\n\nor Yarn:\n\n```sh\n$ yarn add fdir\n```\n\n### Usage\n\n```ts\nimport { fdir } from \"fdir\";\n\n// create the builder\nconst api = new fdir().withFullPaths().crawl(\"path/to/dir\");\n\n// get all files in a directory synchronously\nconst files = api.sync();\n\n// or asynchronously\napi.withPromise().then((files) => {\n // do something with the result here.\n});\n```\n\n## Documentation:\n\nDocumentation for all methods is available [here](/documentation.md).\n\n## 📊 Benchmarks:\n\nPlease check the benchmark against the latest version [here](/BENCHMARKS.md).\n\n## 🙏Used by:\n\n`fdir` is downloaded over 200k+ times a week by projects around the world. Here's a list of some notable projects using `fdir` in production:\n\n> Note: if you think your project should be here, feel free to open an issue. Notable is anything with a considerable amount of GitHub stars.\n\n1. [rollup/plugins](https://github.com/rollup/plugins)\n2. [SuperchupuDev/tinyglobby](https://github.com/SuperchupuDev/tinyglobby)\n3. [pulumi/pulumi](https://github.com/pulumi/pulumi)\n4. [dotenvx/dotenvx](https://github.com/dotenvx/dotenvx)\n5. [mdn/yari](https://github.com/mdn/yari)\n6. [streetwriters/notesnook](https://github.com/streetwriters/notesnook)\n7. [imba/imba](https://github.com/imba/imba)\n8. [moroshko/react-scanner](https://github.com/moroshko/react-scanner)\n9. [netlify/build](https://github.com/netlify/build)\n10. [yassinedoghri/astro-i18next](https://github.com/yassinedoghri/astro-i18next)\n11. [selfrefactor/rambda](https://github.com/selfrefactor/rambda)\n12. [whyboris/Video-Hub-App](https://github.com/whyboris/Video-Hub-App)\n\n## 🦮 LICENSE\n\nCopyright &copy; 2024 Abdullah Atta under MIT. [Read full text here.](https://github.com/thecodrr/fdir/raw/master/LICENSE)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/fdir/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/finalhandler/README.md ---\n# finalhandler\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][github-actions-ci-image]][github-actions-ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nNode.js function to invoke as the final step to respond to HTTP request.\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install finalhandler\n```\n\n## API\n\n```js\nvar finalhandler = require('finalhandler')\n```\n\n### finalhandler(req, res, [options])\n\nReturns function to be invoked as the final step for the given `req` and `res`.\nThis function is to be invoked as `fn(err)`. If `err` is falsy, the handler will\nwrite out a 404 response to the `res`. If it is truthy, an error response will\nbe written out to the `res` or `res` will be terminated if a response has already\nstarted.\n\nWhen an error is written, the following information is added to the response:\n\n * The `res.statusCode` is set from `err.status` (or `err.statusCode`). If\n this value is outside the 4xx or 5xx range, it will be set to 500.\n * The `res.statusMessage` is set according to the status code.\n * The body will be the HTML of the status code message if `env` is\n `'production'`, otherwise will be `err.stack`.\n * Any headers specified in an `err.headers` object.\n\nThe final handler will also unpipe anything from `req` when it is invoked.\n\n#### options.env\n\nBy default, the environment is determined by `NODE_ENV` variable, but it can be\noverridden by this option.\n\n#### options.onerror\n\nProvide a function to be called with the `err` when it exists. Can be used for\nwriting errors to a central location without excessive function generation. Called\nas `onerror(err, req, res)`.\n\n## Examples\n\n### always 404\n\n```js\nvar finalhandler = require('finalhandler')\nvar http = require('http')\n\nvar server = http.createServer(function (req, res) {\n var done = finalhandler(req, res)\n done()\n})\n\nserver.listen(3000)\n```\n\n### perform simple action\n\n```js\nvar finalhandler = require('finalhandler')\nvar fs = require('fs')\nvar http = require('http')\n\nvar server = http.createServer(function (req, res) {\n var done = finalhandler(req, res)\n\n fs.readFile('index.html', function (err, buf) {\n if (err) return done(err)\n res.setHeader('Content-Type', 'text/html')\n res.end(buf)\n })\n})\n\nserver.listen(3000)\n```\n\n### use with middleware-style functions\n\n```js\nvar finalhandler = require('finalhandler')\nvar http = require('http')\nvar serveStatic = require('serve-static')\n\nvar serve = serveStatic('public')\n\nvar server = http.createServer(function (req, res) {\n var done = finalhandler(req, res)\n serve(req, res, done)\n})\n\nserver.listen(3000)\n```\n\n### keep log of all errors\n\n```js\nvar finalhandler = require('finalhandler')\nvar fs = require('fs')\nvar http = require('http')\n\nvar server = http.createServer(function (req, res) {\n var done = finalhandler(req, res, { onerror: logerror })\n\n fs.readFile('index.html', function (err, buf) {\n if (err) return done(err)\n res.setHeader('Content-Type', 'text/html')\n res.end(buf)\n })\n})\n\nserver.listen(3000)\n\nfunction logerror (err) {\n console.error(err.stack || err.toString())\n}\n```\n\n## License\n\n[MIT](LICENSE)\n\n[npm-image]: https://img.shields.io/npm/v/finalhandler.svg\n[npm-url]: https://npmjs.org/package/finalhandler\n[node-image]: https://img.shields.io/node/v/finalhandler.svg\n[node-url]: https://nodejs.org/en/download\n[coveralls-image]: https://img.shields.io/coveralls/pillarjs/finalhandler.svg\n[coveralls-url]: https://coveralls.io/r/pillarjs/finalhandler?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/finalhandler.svg\n[downloads-url]: https://npmjs.org/package/finalhandler\n[github-actions-ci-image]: https://github.com/pillarjs/finalhandler/actions/workflows/ci.yml/badge.svg\n[github-actions-ci-url]: https://github.com/pillarjs/finalhandler/actions/workflows/ci.yml\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/finalhandler/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/forwarded/README.md ---\n# forwarded\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build Status][ci-image]][ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nParse HTTP X-Forwarded-For header\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install forwarded\n```\n\n## API\n\n```js\nvar forwarded = require('forwarded')\n```\n\n### forwarded(req)\n\n```js\nvar addresses = forwarded(req)\n```\n\nParse the `X-Forwarded-For` header from the request. Returns an array\nof the addresses, including the socket address for the `req`, in reverse\norder (i.e. index `0` is the socket address and the last index is the\nfurthest address, typically the end-user).\n\n## Testing\n\n```sh\n$ npm test\n```\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://badgen.net/github/checks/jshttp/forwarded/master?label=ci\n[ci-url]: https://github.com/jshttp/forwarded/actions?query=workflow%3Aci\n[npm-image]: https://img.shields.io/npm/v/forwarded.svg\n[npm-url]: https://npmjs.org/package/forwarded\n[node-version-image]: https://img.shields.io/node/v/forwarded.svg\n[node-version-url]: https://nodejs.org/en/download/\n[coveralls-image]: https://img.shields.io/coveralls/jshttp/forwarded/master.svg\n[coveralls-url]: https://coveralls.io/r/jshttp/forwarded?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/forwarded.svg\n[downloads-url]: https://npmjs.org/package/forwarded\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/forwarded/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/fresh/README.md ---\n# fresh\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build Status][ci-image]][ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nHTTP response freshness testing\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```\n$ npm install fresh\n```\n\n## API\n\n```js\nvar fresh = require('fresh')\n```\n\n### fresh(reqHeaders, resHeaders)\n\nCheck freshness of the response using request and response headers.\n\nWhen the response is still \"fresh\" in the client's cache `true` is\nreturned, otherwise `false` is returned to indicate that the client\ncache is now stale and the full response should be sent.\n\nWhen a client sends the `Cache-Control: no-cache` request header to\nindicate an end-to-end reload request, this module will return `false`\nto make handling these requests transparent.\n\n## Known Issues\n\nThis module is designed to only follow the HTTP specifications, not\nto work-around all kinda of client bugs (especially since this module\ntypically does not receive enough information to understand what the\nclient actually is).\n\nThere is a known issue that in certain versions of Safari, Safari\nwill incorrectly make a request that allows this module to validate\nfreshness of the resource even when Safari does not have a\nrepresentation of the resource in the cache. The module\n[jumanji](https://www.npmjs.com/package/jumanji) can be used in\nan Express application to work-around this issue and also provides\nlinks to further reading on this Safari bug.\n\n## Example\n\n### API usage\n\n<!-- eslint-disable no-redeclare -->\n\n```js\nvar reqHeaders = { 'if-none-match': '\"foo\"' }\nvar resHeaders = { etag: '\"bar\"' }\nfresh(reqHeaders, resHeaders)\n// => false\n\nvar reqHeaders = { 'if-none-match': '\"foo\"' }\nvar resHeaders = { etag: '\"foo\"' }\nfresh(reqHeaders, resHeaders)\n// => true\n```\n\n### Using with Node.js http server\n\n```js\nvar fresh = require('fresh')\nvar http = require('http')\n\nvar server = http.createServer(function (req, res) {\n // perform server logic\n // ... including adding ETag / Last-Modified response headers\n\n if (isFresh(req, res)) {\n // client has a fresh copy of resource\n res.statusCode = 304\n res.end()\n return\n }\n\n // send the resource\n res.statusCode = 200\n res.end('hello, world!')\n})\n\nfunction isFresh (req, res) {\n return fresh(req.headers, {\n etag: res.getHeader('ETag'),\n 'last-modified': res.getHeader('Last-Modified')\n })\n}\n\nserver.listen(3000)\n```\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://img.shields.io/github/workflow/status/jshttp/fresh/ci/master?label=ci\n[ci-url]: https://github.com/jshttp/fresh/actions/workflows/ci.yml\n[npm-image]: https://img.shields.io/npm/v/fresh.svg\n[npm-url]: https://npmjs.org/package/fresh\n[node-version-image]: https://img.shields.io/node/v/fresh.svg\n[node-version-url]: https://nodejs.org/en/\n[coveralls-image]: https://img.shields.io/coveralls/jshttp/fresh/master.svg\n[coveralls-url]: https://coveralls.io/r/jshttp/fresh?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/fresh.svg\n[downloads-url]: https://npmjs.org/package/fresh\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/fresh/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/function-bind/README.md ---\n# function-bind <sup>[![Version Badge][npm-version-svg]][package-url]</sup>\n\n[![github actions][actions-image]][actions-url]\n<!--[![coverage][codecov-image]][codecov-url]-->\n[![dependency status][deps-svg]][deps-url]\n[![dev dependency status][dev-deps-svg]][dev-deps-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nImplementation of function.prototype.bind\n\nOld versions of phantomjs, Internet Explorer < 9, and node < 0.6 don't support `Function.prototype.bind`.\n\n## Example\n\n```js\nFunction.prototype.bind = require(\"function-bind\")\n```\n\n## Installation\n\n`npm install function-bind`\n\n## Contributors\n\n - Raynos\n\n## MIT Licenced\n\n[package-url]: https://npmjs.org/package/function-bind\n[npm-version-svg]: https://versionbadg.es/Raynos/function-bind.svg\n[deps-svg]: https://david-dm.org/Raynos/function-bind.svg\n[deps-url]: https://david-dm.org/Raynos/function-bind\n[dev-deps-svg]: https://david-dm.org/Raynos/function-bind/dev-status.svg\n[dev-deps-url]: https://david-dm.org/Raynos/function-bind#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/function-bind.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/function-bind.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/function-bind.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=function-bind\n[codecov-image]: https://codecov.io/gh/Raynos/function-bind/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/Raynos/function-bind/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/Raynos/function-bind\n[actions-url]: https://github.com/Raynos/function-bind/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/function-bind/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/get-intrinsic/README.md ---\n# get-intrinsic <sup>[![Version Badge][npm-version-svg]][package-url]</sup>\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![dependency status][deps-svg]][deps-url]\n[![dev dependency status][dev-deps-svg]][dev-deps-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nGet and robustly cache all JS language-level intrinsics at first require time.\n\nSee the syntax described [in the JS spec](https://tc39.es/ecma262/#sec-well-known-intrinsic-objects) for reference.\n\n## Example\n\n```js\nvar GetIntrinsic = require('get-intrinsic');\nvar assert = require('assert');\n\n// static methods\nassert.equal(GetIntrinsic('%Math.pow%'), Math.pow);\nassert.equal(Math.pow(2, 3), 8);\nassert.equal(GetIntrinsic('%Math.pow%')(2, 3), 8);\ndelete Math.pow;\nassert.equal(GetIntrinsic('%Math.pow%')(2, 3), 8);\n\n// instance methods\nvar arr = [1];\nassert.equal(GetIntrinsic('%Array.prototype.push%'), Array.prototype.push);\nassert.deepEqual(arr, [1]);\n\narr.push(2);\nassert.deepEqual(arr, [1, 2]);\n\nGetIntrinsic('%Array.prototype.push%').call(arr, 3);\nassert.deepEqual(arr, [1, 2, 3]);\n\ndelete Array.prototype.push;\nGetIntrinsic('%Array.prototype.push%').call(arr, 4);\nassert.deepEqual(arr, [1, 2, 3, 4]);\n\n// missing features\ndelete JSON.parse; // to simulate a real intrinsic that is missing in the environment\nassert.throws(() => GetIntrinsic('%JSON.parse%'));\nassert.equal(undefined, GetIntrinsic('%JSON.parse%', true));\n```\n\n## Tests\nSimply clone the repo, `npm install`, and run `npm test`\n\n## Security\n\nPlease email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.\n\n[package-url]: https://npmjs.org/package/get-intrinsic\n[npm-version-svg]: https://versionbadg.es/ljharb/get-intrinsic.svg\n[deps-svg]: https://david-dm.org/ljharb/get-intrinsic.svg\n[deps-url]: https://david-dm.org/ljharb/get-intrinsic\n[dev-deps-svg]: https://david-dm.org/ljharb/get-intrinsic/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/get-intrinsic#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/get-intrinsic.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/get-intrinsic.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/get-intrinsic.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=get-intrinsic\n[codecov-image]: https://codecov.io/gh/ljharb/get-intrinsic/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/get-intrinsic/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/get-intrinsic\n[actions-url]: https://github.com/ljharb/get-intrinsic/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/get-intrinsic/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/get-proto/README.md ---\n# get-proto <sup>[![Version Badge][npm-version-svg]][package-url]</sup>\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nRobustly get the [[Prototype]] of an object. Uses the best available method.\n\n## Getting started\n\n```sh\nnpm install --save get-proto\n```\n\n## Usage/Examples\n\n```js\nconst assert = require('assert');\nconst getProto = require('get-proto');\n\nconst a = { a: 1, b: 2, [Symbol.toStringTag]: 'foo' };\nconst b = { c: 3, __proto__: a };\n\nassert.equal(getProto(b), a);\nassert.equal(getProto(a), Object.prototype);\nassert.equal(getProto({ __proto__: null }), null);\n```\n\n## Tests\n\nClone the repo, `npm install`, and run `npm test`\n\n[package-url]: https://npmjs.org/package/get-proto\n[npm-version-svg]: https://versionbadg.es/ljharb/get-proto.svg\n[deps-svg]: https://david-dm.org/ljharb/get-proto.svg\n[deps-url]: https://david-dm.org/ljharb/get-proto\n[dev-deps-svg]: https://david-dm.org/ljharb/get-proto/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/get-proto#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/get-proto.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/get-proto.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/get-proto.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=get-proto\n[codecov-image]: https://codecov.io/gh/ljharb/get-proto/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/get-proto/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/get-proto\n[actions-url]: https://github.com/ljharb/get-proto/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/get-proto/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/gopd/README.md ---\n# gopd <sup>[![Version Badge][npm-version-svg]][package-url]</sup>\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\n`Object.getOwnPropertyDescriptor`, but accounts for IE's broken implementation.\n\n## Usage\n\n```javascript\nvar gOPD = require('gopd');\nvar assert = require('assert');\n\nif (gOPD) {\n\tassert.equal(typeof gOPD, 'function', 'descriptors supported');\n\t// use gOPD like Object.getOwnPropertyDescriptor here\n} else {\n\tassert.ok(!gOPD, 'descriptors not supported');\n}\n```\n\n[package-url]: https://npmjs.org/package/gopd\n[npm-version-svg]: https://versionbadg.es/ljharb/gopd.svg\n[deps-svg]: https://david-dm.org/ljharb/gopd.svg\n[deps-url]: https://david-dm.org/ljharb/gopd\n[dev-deps-svg]: https://david-dm.org/ljharb/gopd/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/gopd#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/gopd.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/gopd.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/gopd.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=gopd\n[codecov-image]: https://codecov.io/gh/ljharb/gopd/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/gopd/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/gopd\n[actions-url]: https://github.com/ljharb/gopd/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/gopd/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/has-symbols/README.md ---\n# has-symbols <sup>[![Version Badge][2]][1]</sup>\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![dependency status][5]][6]\n[![dev dependency status][7]][8]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][11]][1]\n\nDetermine if the JS environment has Symbol support. Supports spec, or shams.\n\n## Example\n\n```js\nvar hasSymbols = require('has-symbols');\n\nhasSymbols() === true; // if the environment has native Symbol support. Not polyfillable, not forgeable.\n\nvar hasSymbolsKinda = require('has-symbols/shams');\nhasSymbolsKinda() === true; // if the environment has a Symbol sham that mostly follows the spec.\n```\n\n## Supported Symbol shams\n - get-own-property-symbols [npm](https://www.npmjs.com/package/get-own-property-symbols) | [github](https://github.com/WebReflection/get-own-property-symbols)\n - core-js [npm](https://www.npmjs.com/package/core-js) | [github](https://github.com/zloirock/core-js)\n\n## Tests\nSimply clone the repo, `npm install`, and run `npm test`\n\n[1]: https://npmjs.org/package/has-symbols\n[2]: https://versionbadg.es/inspect-js/has-symbols.svg\n[5]: https://david-dm.org/inspect-js/has-symbols.svg\n[6]: https://david-dm.org/inspect-js/has-symbols\n[7]: https://david-dm.org/inspect-js/has-symbols/dev-status.svg\n[8]: https://david-dm.org/inspect-js/has-symbols#info=devDependencies\n[11]: https://nodei.co/npm/has-symbols.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/has-symbols.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/has-symbols.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=has-symbols\n[codecov-image]: https://codecov.io/gh/inspect-js/has-symbols/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/inspect-js/has-symbols/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/inspect-js/has-symbols\n[actions-url]: https://github.com/inspect-js/has-symbols/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/has-symbols/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/hasown/README.md ---\n# hasown <sup>[![Version Badge][npm-version-svg]][package-url]</sup>\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nA robust, ES3 compatible, \"has own property\" predicate.\n\n## Example\n\n```js\nconst assert = require('assert');\nconst hasOwn = require('hasown');\n\nassert.equal(hasOwn({}, 'toString'), false);\nassert.equal(hasOwn([], 'length'), true);\nassert.equal(hasOwn({ a: 42 }, 'a'), true);\n```\n\n## Tests\nSimply clone the repo, `npm install`, and run `npm test`\n\n[package-url]: https://npmjs.org/package/hasown\n[npm-version-svg]: https://versionbadg.es/inspect-js/hasown.svg\n[deps-svg]: https://david-dm.org/inspect-js/hasOwn.svg\n[deps-url]: https://david-dm.org/inspect-js/hasOwn\n[dev-deps-svg]: https://david-dm.org/inspect-js/hasOwn/dev-status.svg\n[dev-deps-url]: https://david-dm.org/inspect-js/hasOwn#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/hasown.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/hasown.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/hasown.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=hasown\n[codecov-image]: https://codecov.io/gh/inspect-js/hasOwn/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/inspect-js/hasOwn/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/inspect-js/hasOwn\n[actions-url]: https://github.com/inspect-js/hasOwn/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/hasown/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/http-errors/README.md ---\n# http-errors\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][node-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][ci-image]][ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nCreate HTTP errors for Express, Koa, Connect, etc. with ease.\n\n## Install\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```console\n$ npm install http-errors\n```\n\n## Example\n\n```js\nvar createError = require('http-errors')\nvar express = require('express')\nvar app = express()\n\napp.use(function (req, res, next) {\n if (!req.user) return next(createError(401, 'Please login to view this page.'))\n next()\n})\n```\n\n## API\n\nThis is the current API, currently extracted from Koa and subject to change.\n\n### Error Properties\n\n- `expose` - can be used to signal if `message` should be sent to the client,\n defaulting to `false` when `status` >= 500\n- `headers` - can be an object of header names to values to be sent to the\n client, defaulting to `undefined`. When defined, the key names should all\n be lower-cased\n- `message` - the traditional error message, which should be kept short and all\n single line\n- `status` - the status code of the error, mirroring `statusCode` for general\n compatibility\n- `statusCode` - the status code of the error, defaulting to `500`\n\n### createError([status], [message], [properties])\n\nCreate a new error object with the given message `msg`.\nThe error object inherits from `createError.HttpError`.\n\n```js\nvar err = createError(404, 'This video does not exist!')\n```\n\n- `status: 500` - the status code as a number\n- `message` - the message of the error, defaulting to node's text for that status code.\n- `properties` - custom properties to attach to the object\n\n### createError([status], [error], [properties])\n\nExtend the given `error` object with `createError.HttpError`\nproperties. This will not alter the inheritance of the given\n`error` object, and the modified `error` object is the\nreturn value.\n\n<!-- eslint-disable no-redeclare -->\n\n```js\nfs.readFile('foo.txt', function (err, buf) {\n if (err) {\n if (err.code === 'ENOENT') {\n var httpError = createError(404, err, { expose: false })\n } else {\n var httpError = createError(500, err)\n }\n }\n})\n```\n\n- `status` - the status code as a number\n- `error` - the error object to extend\n- `properties` - custom properties to attach to the object\n\n### createError.isHttpError(val)\n\nDetermine if the provided `val` is an `HttpError`. This will return `true`\nif the error inherits from the `HttpError` constructor of this module or\nmatches the \"duck type\" for an error this module creates. All outputs from\nthe `createError` factory will return `true` for this function, including\nif an non-`HttpError` was passed into the factory.\n\n### new createError\\[code || name\\](\\[msg]\\))\n\nCreate a new error object with the given message `msg`.\nThe error object inherits from `createError.HttpError`.\n\n```js\nvar err = new createError.NotFound()\n```\n\n- `code` - the status code as a number\n- `name` - the name of the error as a \"bumpy case\", i.e. `NotFound` or `InternalServerError`.\n\n#### List of all constructors\n\n|Status Code|Constructor Name |\n|-----------|-----------------------------|\n|400 |BadRequest |\n|401 |Unauthorized |\n|402 |PaymentRequired |\n|403 |Forbidden |\n|404 |NotFound |\n|405 |MethodNotAllowed |\n|406 |NotAcceptable |\n|407 |ProxyAuthenticationRequired |\n|408 |RequestTimeout |\n|409 |Conflict |\n|410 |Gone |\n|411 |LengthRequired |\n|412 |PreconditionFailed |\n|413 |PayloadTooLarge |\n|414 |URITooLong |\n|415 |UnsupportedMediaType |\n|416 |RangeNotSatisfiable |\n|417 |ExpectationFailed |\n|418 |ImATeapot |\n|421 |MisdirectedRequest |\n|422 |UnprocessableEntity |\n|423 |Locked |\n|424 |FailedDependency |\n|425 |TooEarly |\n|426 |UpgradeRequired |\n|428 |PreconditionRequired |\n|429 |TooManyRequests |\n|431 |RequestHeaderFieldsTooLarge |\n|451 |UnavailableForLegalReasons |\n|500 |InternalServerError |\n|501 |NotImplemented |\n|502 |BadGateway |\n|503 |ServiceUnavailable |\n|504 |GatewayTimeout |\n|505 |HTTPVersionNotSupported |\n|506 |VariantAlsoNegotiates |\n|507 |InsufficientStorage |\n|508 |LoopDetected |\n|509 |BandwidthLimitExceeded |\n|510 |NotExtended |\n|511 |NetworkAuthenticationRequired|\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://badgen.net/github/checks/jshttp/http-errors/master?label=ci\n[ci-url]: https://github.com/jshttp/http-errors/actions?query=workflow%3Aci\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/http-errors/master\n[coveralls-url]: https://coveralls.io/r/jshttp/http-errors?branch=master\n[node-image]: https://badgen.net/npm/node/http-errors\n[node-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/http-errors\n[npm-url]: https://npmjs.org/package/http-errors\n[npm-version-image]: https://badgen.net/npm/v/http-errors\n[travis-image]: https://badgen.net/travis/jshttp/http-errors/master\n[travis-url]: https://travis-ci.org/jshttp/http-errors\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/http-errors/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/iconv-lite/README.md ---\n## iconv-lite: Pure JS character encoding conversion\n\n * No need for native code compilation. Quick to install, works on Windows and in sandboxed environments like [Cloud9](http://c9.io).\n * Used in popular projects like [Express.js (body_parser)](https://github.com/expressjs/body-parser), \n [Grunt](http://gruntjs.com/), [Nodemailer](http://www.nodemailer.com/), [Yeoman](http://yeoman.io/) and others.\n * Faster than [node-iconv](https://github.com/bnoordhuis/node-iconv) (see below for performance comparison).\n * Intuitive encode/decode API, including Streaming support.\n * In-browser usage via [browserify](https://github.com/substack/node-browserify) or [webpack](https://webpack.js.org/) (~180kb gzip compressed with Buffer shim included).\n * Typescript [type definition file](https://github.com/ashtuchkin/iconv-lite/blob/master/lib/index.d.ts) included.\n * React Native is supported (need to install `stream` module to enable Streaming API).\n * License: MIT.\n\n[![NPM Stats](https://nodei.co/npm/iconv-lite.png)](https://npmjs.org/package/iconv-lite/) \n[![Build Status](https://travis-ci.org/ashtuchkin/iconv-lite.svg?branch=master)](https://travis-ci.org/ashtuchkin/iconv-lite)\n[![npm](https://img.shields.io/npm/v/iconv-lite.svg)](https://npmjs.org/package/iconv-lite/)\n[![npm downloads](https://img.shields.io/npm/dm/iconv-lite.svg)](https://npmjs.org/package/iconv-lite/)\n[![npm bundle size](https://img.shields.io/bundlephobia/min/iconv-lite.svg)](https://npmjs.org/package/iconv-lite/)\n\n## Usage\n### Basic API\n```javascript\nvar iconv = require('iconv-lite');\n\n// Convert from an encoded buffer to a js string.\nstr = iconv.decode(Buffer.from([0x68, 0x65, 0x6c, 0x6c, 0x6f]), 'win1251');\n\n// Convert from a js string to an encoded buffer.\nbuf = iconv.encode(\"Sample input string\", 'win1251');\n\n// Check if encoding is supported\niconv.encodingExists(\"us-ascii\")\n```\n\n### Streaming API\n```javascript\n\n// Decode stream (from binary data stream to js strings)\nhttp.createServer(function(req, res) {\n var converterStream = iconv.decodeStream('win1251');\n req.pipe(converterStream);\n\n converterStream.on('data', function(str) {\n console.log(str); // Do something with decoded strings, chunk-by-chunk.\n });\n});\n\n// Convert encoding streaming example\nfs.createReadStream('file-in-win1251.txt')\n .pipe(iconv.decodeStream('win1251'))\n .pipe(iconv.encodeStream('ucs2'))\n .pipe(fs.createWriteStream('file-in-ucs2.txt'));\n\n// Sugar: all encode/decode streams have .collect(cb) method to accumulate data.\nhttp.createServer(function(req, res) {\n req.pipe(iconv.decodeStream('win1251')).collect(function(err, body) {\n assert(typeof body == 'string');\n console.log(body); // full request body string\n });\n});\n```\n\n## Supported encodings\n\n * All node.js native encodings: utf8, ucs2 / utf16-le, ascii, binary, base64, hex.\n * Additional unicode encodings: utf16, utf16-be, utf-7, utf-7-imap, utf32, utf32-le, and utf32-be.\n * All widespread singlebyte encodings: Windows 125x family, ISO-8859 family, \n IBM/DOS codepages, Macintosh family, KOI8 family, all others supported by iconv library. \n Aliases like 'latin1', 'us-ascii' also supported.\n * All widespread multibyte encodings: CP932, CP936, CP949, CP950, GB2312, GBK, GB18030, Big5, Shift_JIS, EUC-JP.\n\nSee [all supported encodings on wiki](https://github.com/ashtuchkin/iconv-lite/wiki/Supported-Encodings).\n\nMost singlebyte encodings are generated automatically from [node-iconv](https://github.com/bnoordhuis/node-iconv). Thank you Ben Noordhuis and libiconv authors!\n\nMultibyte encodings are generated from [Unicode.org mappings](http://www.unicode.org/Public/MAPPINGS/) and [WHATWG Encoding Standard mappings](http://encoding.spec.whatwg.org/). Thank you, respective authors!\n\n\n## Encoding/decoding speed\n\nComparison with node-iconv module (1000x256kb, on MacBook Pro, Core i5/2.6 GHz, Node v0.12.0). \nNote: your results may vary, so please always check on your hardware.\n\n operation iconv@2.1.4 iconv-lite@0.4.7\n ----------------------------------------------------------\n encode('win1251') ~96 Mb/s ~320 Mb/s\n decode('win1251') ~95 Mb/s ~246 Mb/s\n\n## BOM handling\n\n * Decoding: BOM is stripped by default, unless overridden by passing `stripBOM: false` in options\n (f.ex. `iconv.decode(buf, enc, {stripBOM: false})`).\n A callback might also be given as a `stripBOM` parameter - it'll be called if BOM character was actually found.\n * If you want to detect UTF-8 BOM when decoding other encodings, use [node-autodetect-decoder-stream](https://github.com/danielgindi/node-autodetect-decoder-stream) module.\n * Encoding: No BOM added, unless overridden by `addBOM: true` option.\n\n## UTF-16 Encodings\n\nThis library supports UTF-16LE, UTF-16BE and UTF-16 encodings. First two are straightforward, but UTF-16 is trying to be\nsmart about endianness in the following ways:\n * Decoding: uses BOM and 'spaces heuristic' to determine input endianness. Default is UTF-16LE, but can be \n overridden with `defaultEncoding: 'utf-16be'` option. Strips BOM unless `stripBOM: false`.\n * Encoding: uses UTF-16LE and writes BOM by default. Use `addBOM: false` to override.\n\n## UTF-32 Encodings\n\nThis library supports UTF-32LE, UTF-32BE and UTF-32 encodings. Like the UTF-16 encoding above, UTF-32 defaults to UTF-32LE, but uses BOM and 'spaces heuristics' to determine input endianness. \n * The default of UTF-32LE can be overridden with the `defaultEncoding: 'utf-32be'` option. Strips BOM unless `stripBOM: false`.\n * Encoding: uses UTF-32LE and writes BOM by default. Use `addBOM: false` to override. (`defaultEncoding: 'utf-32be'` can also be used here to change encoding.)\n\n## Other notes\n\nWhen decoding, be sure to supply a Buffer to decode() method, otherwise [bad things usually happen](https://github.com/ashtuchkin/iconv-lite/wiki/Use-Buffers-when-decoding). \nUntranslatable characters are set to <20> or ?. No transliteration is currently supported. \nNode versions 0.10.31 and 0.11.13 are buggy, don't use them (see #65, #77). \n\n## Testing\n\n```bash\n$ git clone git@github.com:ashtuchkin/iconv-lite.git\n$ cd iconv-lite\n$ npm install\n$ npm test\n \n$ # To view performance:\n$ node test/performance.js\n\n$ # To view test coverage:\n$ npm run coverage\n$ open coverage/lcov-report/index.html\n```\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/iconv-lite/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/inherits/README.md ---\nBrowser-friendly inheritance fully compatible with standard node.js\n[inherits](http://nodejs.org/api/util.html#util_util_inherits_constructor_superconstructor).\n\nThis package exports standard `inherits` from node.js `util` module in\nnode environment, but also provides alternative browser-friendly\nimplementation through [browser\nfield](https://gist.github.com/shtylman/4339901). Alternative\nimplementation is a literal copy of standard one located in standalone\nmodule to avoid requiring of `util`. It also has a shim for old\nbrowsers with no `Object.create` support.\n\nWhile keeping you sure you are using standard `inherits`\nimplementation in node.js environment, it allows bundlers such as\n[browserify](https://github.com/substack/node-browserify) to not\ninclude full `util` package to your client code if all you need is\njust `inherits` function. It worth, because browser shim for `util`\npackage is large and `inherits` is often the single function you need\nfrom it.\n\nIt's recommended to use this package instead of\n`require('util').inherits` for any code that has chances to be used\nnot only in node.js but in browser too.\n\n## usage\n\n```js\nvar inherits = require('inherits');\n// then use exactly as the standard one\n```\n\n## note on version ~1.0\n\nVersion ~1.0 had completely different motivation and is not compatible\nneither with 2.0 nor with standard node.js `inherits`.\n\nIf you are using version ~1.0 and planning to switch to ~2.0, be\ncareful:\n\n* new version uses `super_` instead of `super` for referencing\n superclass\n* new version overwrites current prototype while old one preserves any\n existing fields on it\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/inherits/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/ipaddr.js/README.md ---\n# ipaddr.js — an IPv6 and IPv4 address manipulation library [![Build Status](https://travis-ci.org/whitequark/ipaddr.js.svg)](https://travis-ci.org/whitequark/ipaddr.js)\n\nipaddr.js is a small (1.9K minified and gzipped) library for manipulating\nIP addresses in JavaScript environments. It runs on both CommonJS runtimes\n(e.g. [nodejs]) and in a web browser.\n\nipaddr.js allows you to verify and parse string representation of an IP\naddress, match it against a CIDR range or range list, determine if it falls\ninto some reserved ranges (examples include loopback and private ranges),\nand convert between IPv4 and IPv4-mapped IPv6 addresses.\n\n[nodejs]: http://nodejs.org\n\n## Installation\n\n`npm install ipaddr.js`\n\nor\n\n`bower install ipaddr.js`\n\n## API\n\nipaddr.js defines one object in the global scope: `ipaddr`. In CommonJS,\nit is exported from the module:\n\n```js\nvar ipaddr = require('ipaddr.js');\n```\n\nThe API consists of several global methods and two classes: ipaddr.IPv6 and ipaddr.IPv4.\n\n### Global methods\n\nThere are three global methods defined: `ipaddr.isValid`, `ipaddr.parse` and\n`ipaddr.process`. All of them receive a string as a single parameter.\n\nThe `ipaddr.isValid` method returns `true` if the address is a valid IPv4 or\nIPv6 address, and `false` otherwise. It does not throw any exceptions.\n\nThe `ipaddr.parse` method returns an object representing the IP address,\nor throws an `Error` if the passed string is not a valid representation of an\nIP address.\n\nThe `ipaddr.process` method works just like the `ipaddr.parse` one, but it\nautomatically converts IPv4-mapped IPv6 addresses to their IPv4 counterparts\nbefore returning. It is useful when you have a Node.js instance listening\non an IPv6 socket, and the `net.ivp6.bindv6only` sysctl parameter (or its\nequivalent on non-Linux OS) is set to 0. In this case, you can accept IPv4\nconnections on your IPv6-only socket, but the remote address will be mangled.\nUse `ipaddr.process` method to automatically demangle it.\n\n### Object representation\n\nParsing methods return an object which descends from `ipaddr.IPv6` or\n`ipaddr.IPv4`. These objects share some properties, but most of them differ.\n\n#### Shared properties\n\nOne can determine the type of address by calling `addr.kind()`. It will return\neither `\"ipv6\"` or `\"ipv4\"`.\n\nAn address can be converted back to its string representation with `addr.toString()`.\nNote that this method:\n * does not return the original string used to create the object (in fact, there is\n no way of getting that string)\n * returns a compact representation (when it is applicable)\n\nA `match(range, bits)` method can be used to check if the address falls into a\ncertain CIDR range.\nNote that an address can be (obviously) matched only against an address of the same type.\n\nFor example:\n\n```js\nvar addr = ipaddr.parse(\"2001:db8:1234::1\");\nvar range = ipaddr.parse(\"2001:db8::\");\n\naddr.match(range, 32); // => true\n```\n\nAlternatively, `match` can also be called as `match([range, bits])`. In this way,\nit can be used together with the `parseCIDR(string)` method, which parses an IP\naddress together with a CIDR range.\n\nFor example:\n\n```js\nvar addr = ipaddr.parse(\"2001:db8:1234::1\");\n\naddr.match(ipaddr.parseCIDR(\"2001:db8::/32\")); // => true\n```\n\nA `range()` method returns one of predefined names for several special ranges defined\nby IP protocols. The exact names (and their respective CIDR ranges) can be looked up\nin the source: [IPv6 ranges] and [IPv4 ranges]. Some common ones include `\"unicast\"`\n(the default one) and `\"reserved\"`.\n\nYou can match against your own range list by using\n`ipaddr.subnetMatch(address, rangeList, defaultName)` method. It can work with a mix of IPv6 or IPv4 addresses, and accepts a name-to-subnet map as the range list. For example:\n\n```js\nvar rangeList = {\n documentationOnly: [ ipaddr.parse('2001:db8::'), 32 ],\n tunnelProviders: [\n [ ipaddr.parse('2001:470::'), 32 ], // he.net\n [ ipaddr.parse('2001:5c0::'), 32 ] // freenet6\n ]\n};\nipaddr.subnetMatch(ipaddr.parse('2001:470:8:66::1'), rangeList, 'unknown'); // => \"tunnelProviders\"\n```\n\nThe addresses can be converted to their byte representation with `toByteArray()`.\n(Actually, JavaScript mostly does not know about byte buffers. They are emulated with\narrays of numbers, each in range of 0..255.)\n\n```js\nvar bytes = ipaddr.parse('2a00:1450:8007::68').toByteArray(); // ipv6.google.com\nbytes // => [42, 0x00, 0x14, 0x50, 0x80, 0x07, 0x00, <zeroes...>, 0x00, 0x68 ]\n```\n\nThe `ipaddr.IPv4` and `ipaddr.IPv6` objects have some methods defined, too. All of them\nhave the same interface for both protocols, and are similar to global methods.\n\n`ipaddr.IPvX.isValid(string)` can be used to check if the string is a valid address\nfor particular protocol, and `ipaddr.IPvX.parse(string)` is the error-throwing parser.\n\n`ipaddr.IPvX.isValid(string)` uses the same format for parsing as the POSIX `inet_ntoa` function, which accepts unusual formats like `0xc0.168.1.1` or `0x10000000`. The function `ipaddr.IPv4.isValidFourPartDecimal(string)` validates the IPv4 address and also ensures that it is written in four-part decimal format.\n\n[IPv6 ranges]: https://github.com/whitequark/ipaddr.js/blob/master/src/ipaddr.coffee#L186\n[IPv4 ranges]: https://github.com/whitequark/ipaddr.js/blob/master/src/ipaddr.coffee#L71\n\n#### IPv6 properties\n\nSometimes you will want to convert IPv6 not to a compact string representation (with\nthe `::` substitution); the `toNormalizedString()` method will return an address where\nall zeroes are explicit.\n\nFor example:\n\n```js\nvar addr = ipaddr.parse(\"2001:0db8::0001\");\naddr.toString(); // => \"2001:db8::1\"\naddr.toNormalizedString(); // => \"2001:db8:0:0:0:0:0:1\"\n```\n\nThe `isIPv4MappedAddress()` method will return `true` if this address is an IPv4-mapped\none, and `toIPv4Address()` will return an IPv4 object address.\n\nTo access the underlying binary representation of the address, use `addr.parts`.\n\n```js\nvar addr = ipaddr.parse(\"2001:db8:10::1234:DEAD\");\naddr.parts // => [0x2001, 0xdb8, 0x10, 0, 0, 0, 0x1234, 0xdead]\n```\n\nA IPv6 zone index can be accessed via `addr.zoneId`:\n\n```js\nvar addr = ipaddr.parse(\"2001:db8::%eth0\");\naddr.zoneId // => 'eth0'\n```\n\n#### IPv4 properties\n\n`toIPv4MappedAddress()` will return a corresponding IPv4-mapped IPv6 address.\n\nTo access the underlying representation of the address, use `addr.octets`.\n\n```js\nvar addr = ipaddr.parse(\"192.168.1.1\");\naddr.octets // => [192, 168, 1, 1]\n```\n\n`prefixLengthFromSubnetMask()` will return a CIDR prefix length for a valid IPv4 netmask or\nnull if the netmask is not valid.\n\n```js\nipaddr.IPv4.parse('255.255.255.240').prefixLengthFromSubnetMask() == 28\nipaddr.IPv4.parse('255.192.164.0').prefixLengthFromSubnetMask() == null\n```\n\n`subnetMaskFromPrefixLength()` will return an IPv4 netmask for a valid CIDR prefix length.\n\n```js\nipaddr.IPv4.subnetMaskFromPrefixLength(24) == \"255.255.255.0\"\nipaddr.IPv4.subnetMaskFromPrefixLength(29) == \"255.255.255.248\"\n```\n\n`broadcastAddressFromCIDR()` will return the broadcast address for a given IPv4 interface and netmask in CIDR notation.\n```js\nipaddr.IPv4.broadcastAddressFromCIDR(\"172.0.0.1/24\") == \"172.0.0.255\"\n```\n`networkAddressFromCIDR()` will return the network address for a given IPv4 interface and netmask in CIDR notation.\n```js\nipaddr.IPv4.networkAddressFromCIDR(\"172.0.0.1/24\") == \"172.0.0.0\"\n```\n\n#### Conversion\n\nIPv4 and IPv6 can be converted bidirectionally to and from network byte order (MSB) byte arrays.\n\nThe `fromByteArray()` method will take an array and create an appropriate IPv4 or IPv6 object\nif the input satisfies the requirements. For IPv4 it has to be an array of four 8-bit values,\nwhile for IPv6 it has to be an array of sixteen 8-bit values.\n\nFor example:\n```js\nvar addr = ipaddr.fromByteArray([0x7f, 0, 0, 1]);\naddr.toString(); // => \"127.0.0.1\"\n```\n\nor\n\n```js\nvar addr = ipaddr.fromByteArray([0x20, 1, 0xd, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1])\naddr.toString(); // => \"2001:db8::1\"\n```\n\nBoth objects also offer a `toByteArray()` method, which returns an array in network byte order (MSB).\n\nFor example:\n```js\nvar addr = ipaddr.parse(\"127.0.0.1\");\naddr.toByteArray(); // => [0x7f, 0, 0, 1]\n```\n\nor\n\n```js\nvar addr = ipaddr.parse(\"2001:db8::1\");\naddr.toByteArray(); // => [0x20, 1, 0xd, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1]\n```\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/ipaddr.js/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/isexe/README.md ---\n# isexe\n\nMinimal module to check if a file is executable, and a normal file.\n\nUses `fs.stat` and tests against the `PATHEXT` environment variable on\nWindows.\n\n## USAGE\n\n```javascript\nvar isexe = require('isexe')\nisexe('some-file-name', function (err, isExe) {\n if (err) {\n console.error('probably file does not exist or something', err)\n } else if (isExe) {\n console.error('this thing can be run')\n } else {\n console.error('cannot be run')\n }\n})\n\n// same thing but synchronous, throws errors\nvar isExe = isexe.sync('some-file-name')\n\n// treat errors as just \"not executable\"\nisexe('maybe-missing-file', { ignoreErrors: true }, callback)\nvar isExe = isexe.sync('maybe-missing-file', { ignoreErrors: true })\n```\n\n## API\n\n### `isexe(path, [options], [callback])`\n\nCheck if the path is executable. If no callback provided, and a\nglobal `Promise` object is available, then a Promise will be returned.\n\nWill raise whatever errors may be raised by `fs.stat`, unless\n`options.ignoreErrors` is set to true.\n\n### `isexe.sync(path, [options])`\n\nSame as `isexe` but returns the value and throws any errors raised.\n\n### Options\n\n* `ignoreErrors` Treat all errors as \"no, this is not executable\", but\n don't raise them.\n* `uid` Number to use as the user id\n* `gid` Number to use as the group id\n* `pathExt` List of path extensions to use instead of `PATHEXT`\n environment variable on Windows.\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/isexe/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/jose/README.md ---\n# jose\n\n`jose` is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. The module is designed to work across various Web-interoperable runtimes including Node.js, browsers, Cloudflare Workers, Deno, Bun, and others.\n\n## Sponsor\n\n<picture>\n <source media=\"(prefers-color-scheme: dark)\" srcset=\"https://raw.githubusercontent.com/panva/jose/HEAD/sponsor/Auth0byOkta_dark.png\">\n <source media=\"(prefers-color-scheme: light)\" srcset=\"https://raw.githubusercontent.com/panva/jose/HEAD/sponsor/Auth0byOkta_light.png\">\n <img height=\"65\" align=\"left\" alt=\"Auth0 by Okta\" src=\"https://raw.githubusercontent.com/panva/jose/HEAD/sponsor/Auth0byOkta_light.png\">\n</picture>\n\nIf you want to quickly add JWT authentication to JavaScript apps, feel free to check out Auth0's JavaScript SDK and free plan. [Create an Auth0 account; it's free!][sponsor-auth0]<br><br>\n\n## [💗 Help the project](https://github.com/sponsors/panva)\n\nSupport from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva).\n\n## Dependencies: 0\n\n`jose` has no dependencies and it exports tree-shakeable ESM[^cjs].\n\n## Documentation\n\n`jose` is distributed via [npmjs.com](https://www.npmjs.com/package/jose), [jsr.io](https://jsr.io/@panva/jose), [jsdelivr.com](https://www.jsdelivr.com/package/npm/jose), and [github.com](https://github.com/panva/jose).\n\n**`example`** ESM import[^cjs]\n\n```js\nimport * as jose from 'jose'\n```\n\n### JSON Web Tokens (JWT)\n\nThe `jose` module supports JSON Web Tokens (JWT) and provides functionality for signing and verifying tokens, as well as their JWT Claims Set validation.\n\n- [JWT Claims Set Validation & Signature Verification](docs/jwt/verify/functions/jwtVerify.md) using the `jwtVerify` function\n - [Using a remote JSON Web Key Set (JWKS)](docs/jwks/remote/functions/createRemoteJWKSet.md)\n - [Using a local JSON Web Key Set (JWKS)](docs/jwks/local/functions/createLocalJWKSet.md)\n- [Signing](docs/jwt/sign/classes/SignJWT.md) using the `SignJWT` class\n- Utility functions\n - [Decoding Token's Protected Header](docs/util/decode_protected_header/functions/decodeProtectedHeader.md)\n - [Decoding JWT Claims Set](docs/util/decode_jwt/functions/decodeJwt.md) prior to its validation\n\n### Encrypted JSON Web Tokens\n\nThe `jose` module supports encrypted JSON Web Tokens and provides functionality for encrypting and decrypting tokens, as well as their JWT Claims Set validation.\n\n- [Decryption & JWT Claims Set Validation](docs/jwt/decrypt/functions/jwtDecrypt.md) using the `jwtDecrypt` function\n- [Encryption](docs/jwt/encrypt/classes/EncryptJWT.md) using the `EncryptJWT` class\n- Utility functions\n - [Decoding Token's Protected Header](docs/util/decode_protected_header/functions/decodeProtectedHeader.md)\n\n### Key Utilities\n\nThe `jose` module supports importing, exporting, and generating keys and secrets in various formats, including PEM formats like SPKI, X.509 certificate, and PKCS #8, as well as JSON Web Key (JWK).\n\n- Key Import Functions\n - [JWK Import](docs/key/import/functions/importJWK.md)\n - [Public Key Import (SPKI)](docs/key/import/functions/importSPKI.md)\n - [Public Key Import (X.509 Certificate)](docs/key/import/functions/importX509.md)\n - [Private Key Import (PKCS #8)](docs/key/import/functions/importPKCS8.md)\n- Key and Secret Generation Functions\n - [Asymmetric Key Pair Generation](docs/key/generate_key_pair/functions/generateKeyPair.md)\n - [Symmetric Secret Generation](docs/key/generate_secret/functions/generateSecret.md)\n- Key Export Functions\n - [JWK Export](docs/key/export/functions/exportJWK.md)\n - [Private Key Export](docs/key/export/functions/exportPKCS8.md)\n - [Public Key Export](docs/key/export/functions/exportSPKI.md)\n\n### JSON Web Signature (JWS)\n\nThe `jose` module supports signing and verification of JWS messages with arbitrary payloads in Compact, Flattened JSON, and General JSON serialization syntaxes.\n\n- Signing - [Compact](docs/jws/compact/sign/classes/CompactSign.md), [Flattened JSON](docs/jws/flattened/sign/classes/FlattenedSign.md), [General JSON](docs/jws/general/sign/classes/GeneralSign.md)\n- Verification - [Compact](docs/jws/compact/verify/functions/compactVerify.md), [Flattened JSON](docs/jws/flattened/verify/functions/flattenedVerify.md), [General JSON](docs/jws/general/verify/functions/generalVerify.md)\n - [Using a remote JSON Web Key Set (JWKS)](docs/jwks/remote/functions/createRemoteJWKSet.md)\n - [Using a local JSON Web Key Set (JWKS)](docs/jwks/local/functions/createLocalJWKSet.md)\n- Utility functions\n - [Decoding Token's Protected Header](docs/util/decode_protected_header/functions/decodeProtectedHeader.md)\n\n### JSON Web Encryption (JWE)\n\nThe `jose` module supports encryption and decryption of JWE messages with arbitrary plaintext in Compact, Flattened JSON, and General JSON serialization syntaxes.\n\n- Encryption - [Compact](docs/jwe/compact/encrypt/classes/CompactEncrypt.md), [Flattened JSON](docs/jwe/flattened/encrypt/classes/FlattenedEncrypt.md), [General JSON](docs/jwe/general/encrypt/classes/GeneralEncrypt.md)\n- Decryption - [Compact](docs/jwe/compact/decrypt/functions/compactDecrypt.md), [Flattened JSON](docs/jwe/flattened/decrypt/functions/flattenedDecrypt.md), [General JSON](docs/jwe/general/decrypt/functions/generalDecrypt.md)\n- Utility functions\n - [Decoding Token's Protected Header](docs/util/decode_protected_header/functions/decodeProtectedHeader.md)\n\n### Other\n\nThe following are additional features and utilities provided by the `jose` module:\n\n- [Calculating JWK Thumbprint](docs/jwk/thumbprint/functions/calculateJwkThumbprint.md)\n- [Calculating JWK Thumbprint URI](docs/jwk/thumbprint/functions/calculateJwkThumbprintUri.md)\n- [Verification using a JWK Embedded in a JWS Header](docs/jwk/embedded/functions/EmbeddedJWK.md)\n- [Unsecured JWT](docs/jwt/unsecured/classes/UnsecuredJWT.md)\n- [JOSE Errors](docs/util/errors/README.md)\n\n## Supported Runtimes\n\nThe `jose` module is compatible with JavaScript runtimes that support the utilized Web API globals and standard built-in objects or are Node.js.\n\nThe following runtimes are supported _(this is not an exhaustive list)_:\n\n- [Bun](https://github.com/panva/jose/issues/471)\n- [Browsers](https://github.com/panva/jose/issues/263)\n- [Cloudflare Workers](https://github.com/panva/jose/issues/265)\n- [Deno](https://github.com/panva/jose/issues/266)\n- [Electron](https://github.com/panva/jose/issues/264)\n- [Node.js](https://github.com/panva/jose/issues/262)\n\nPlease note that certain algorithms may not be available depending on the runtime used. You can find a list of available algorithms for each runtime in the specific issue links provided above.\n\n## Supported Versions\n\n| Version | Security Fixes 🔑 | Other Bug Fixes 🐞 | New Features ⭐ | Runtime and Module type |\n| ----------------------------------------------- | ----------------- | ------------------ | --------------- | ------------------------------- |\n| [v6.x](https://github.com/panva/jose/tree/v6.x) | [Security Policy] | ✅ | ✅ | Universal[^universal] ESM[^cjs] |\n| [v5.x](https://github.com/panva/jose/tree/v5.x) | [Security Policy] | ❌ | ❌ | Universal[^universal] CJS + ESM |\n| [v4.x](https://github.com/panva/jose/tree/v4.x) | [Security Policy] | ❌ | ❌ | Universal[^universal] CJS + ESM |\n| [v2.x](https://github.com/panva/jose/tree/v2.x) | [Security Policy] | ❌ | ❌ | Node.js CJS |\n\n## Specifications\n\n<details>\n<summary>Details</summary>\n\n- JSON Web Signature (JWS) - [RFC7515](https://www.rfc-editor.org/rfc/rfc7515)\n- JSON Web Encryption (JWE) - [RFC7516](https://www.rfc-editor.org/rfc/rfc7516)\n- JSON Web Key (JWK) - [RFC7517](https://www.rfc-editor.org/rfc/rfc7517)\n- JSON Web Algorithms (JWA) - [RFC7518](https://www.rfc-editor.org/rfc/rfc7518)\n- JSON Web Token (JWT) - [RFC7519](https://www.rfc-editor.org/rfc/rfc7519)\n- JSON Web Key Thumbprint - [RFC7638](https://www.rfc-editor.org/rfc/rfc7638)\n- JSON Web Key Thumbprint URI - [RFC9278](https://www.rfc-editor.org/rfc/rfc9278)\n- JWS Unencoded Payload Option - [RFC7797](https://www.rfc-editor.org/rfc/rfc7797)\n- CFRG Elliptic Curve ECDH and Signatures - [RFC8037](https://www.rfc-editor.org/rfc/rfc8037)\n- Fully-Specified Algorithms for JOSE - [RFC9864](https://www.rfc-editor.org/rfc/rfc9864.html)\n- ML-DSA for JOSE - [draft-ietf-cose-dilithium-10](https://www.ietf.org/archive/id/draft-ietf-cose-dilithium-10.html)\n\nThe algorithm implementations in `jose` have been tested using test vectors from their respective specifications as well as [RFC7520](https://www.rfc-editor.org/rfc/rfc7520).\n\n</details>\n\n[sponsor-auth0]: https://a0.to/signup/panva\n[WebCryptoAPI]: https://w3c.github.io/webcrypto/\n[Fetch API]: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API\n[Security Policy]: https://github.com/panva/jose/security/policy\n\n[^cjs]: CJS style `let jose = require('jose')` is possible in Node.js versions where the `require(esm)` feature is enabled by default (^20.19.0 || ^22.12.0 || >= 23.0.0).\n\n[^universal]: Assumes runtime support of [WebCryptoAPI][] and [Fetch API][]\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/jose/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/js-tokens/README.md ---\n# js-tokens\n\nThe tiny, regex powered, lenient, _almost_ spec-compliant JavaScript tokenizer that never fails.\n\n```js\nconst jsTokens = require(\"js-tokens\");\n\nconst jsString = 'JSON.stringify({k:3.14**2}, null /*replacer*/, \"\\\\t\")';\n\nArray.from(jsTokens(jsString), (token) => token.value).join(\"|\");\n// JSON|.|stringify|(|{|k|:|3.14|**|2|}|,| |null| |/*replacer*/|,| |\"\\t\"|)\n```\n\n**[➡️ Full readme](https://github.com/lydell/js-tokens/)**\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/js-tokens/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/json-schema-traverse/README.md ---\n# json-schema-traverse\nTraverse JSON Schema passing each schema object to callback\n\n[![build](https://github.com/epoberezkin/json-schema-traverse/workflows/build/badge.svg)](https://github.com/epoberezkin/json-schema-traverse/actions?query=workflow%3Abuild)\n[![npm](https://img.shields.io/npm/v/json-schema-traverse)](https://www.npmjs.com/package/json-schema-traverse)\n[![coverage](https://coveralls.io/repos/github/epoberezkin/json-schema-traverse/badge.svg?branch=master)](https://coveralls.io/github/epoberezkin/json-schema-traverse?branch=master)\n\n\n## Install\n\n```\nnpm install json-schema-traverse\n```\n\n\n## Usage\n\n```javascript\nconst traverse = require('json-schema-traverse');\nconst schema = {\n properties: {\n foo: {type: 'string'},\n bar: {type: 'integer'}\n }\n};\n\ntraverse(schema, {cb});\n// cb is called 3 times with:\n// 1. root schema\n// 2. {type: 'string'}\n// 3. {type: 'integer'}\n\n// Or:\n\ntraverse(schema, {cb: {pre, post}});\n// pre is called 3 times with:\n// 1. root schema\n// 2. {type: 'string'}\n// 3. {type: 'integer'}\n//\n// post is called 3 times with:\n// 1. {type: 'string'}\n// 2. {type: 'integer'}\n// 3. root schema\n\n```\n\nCallback function `cb` is called for each schema object (not including draft-06 boolean schemas), including the root schema, in pre-order traversal. Schema references ($ref) are not resolved, they are passed as is. Alternatively, you can pass a `{pre, post}` object as `cb`, and then `pre` will be called before traversing child elements, and `post` will be called after all child elements have been traversed.\n\nCallback is passed these parameters:\n\n- _schema_: the current schema object\n- _JSON pointer_: from the root schema to the current schema object\n- _root schema_: the schema passed to `traverse` object\n- _parent JSON pointer_: from the root schema to the parent schema object (see below)\n- _parent keyword_: the keyword inside which this schema appears (e.g. `properties`, `anyOf`, etc.)\n- _parent schema_: not necessarily parent object/array; in the example above the parent schema for `{type: 'string'}` is the root schema\n- _index/property_: index or property name in the array/object containing multiple schemas; in the example above for `{type: 'string'}` the property name is `'foo'`\n\n\n## Traverse objects in all unknown keywords\n\n```javascript\nconst traverse = require('json-schema-traverse');\nconst schema = {\n mySchema: {\n minimum: 1,\n maximum: 2\n }\n};\n\ntraverse(schema, {allKeys: true, cb});\n// cb is called 2 times with:\n// 1. root schema\n// 2. mySchema\n```\n\nWithout option `allKeys: true` callback will be called only with root schema.\n\n\n## Enterprise support\n\njson-schema-traverse package is a part of [Tidelift enterprise subscription](https://tidelift.com/subscription/pkg/npm-json-schema-traverse?utm_source=npm-json-schema-traverse&utm_medium=referral&utm_campaign=enterprise&utm_term=repo) - it provides a centralised commercial support to open-source software users, in addition to the support provided by software maintainers.\n\n\n## Security contact\n\nTo report a security vulnerability, please use the\n[Tidelift security contact](https://tidelift.com/security).\nTidelift will coordinate the fix and disclosure. Please do NOT report security vulnerability via GitHub issues.\n\n\n## License\n\n[MIT](https://github.com/epoberezkin/json-schema-traverse/blob/master/LICENSE)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/json-schema-traverse/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/loupe/README.md ---\n![npm](https://img.shields.io/npm/v/loupe?logo=npm)\n![Build](https://github.com/chaijs/loupe/workflows/Build/badge.svg?branch=master)\n![Codecov branch](https://img.shields.io/codecov/c/github/chaijs/loupe/master?logo=codecov)\n\n# What is loupe?\n\nLoupe turns the object you give it into a string. It's similar to Node.js' `util.inspect()` function, but it works cross platform, in most modern browsers as well as Node.\n\n## Installation\n\n### Node.js\n\n`loupe` is available on [npm](http://npmjs.org). To install it, type:\n\n $ npm install loupe\n\n### Browsers\n\nYou can also use it within the browser; install via npm and use the `loupe.js` file found within the download. For example:\n\n```html\n<script src=\"./node_modules/loupe/loupe.js\"></script>\n```\n\n## Usage\n\n``` js\nconst { inspect } = require('loupe');\n```\n\n```js\ninspect({ foo: 'bar' }); // => \"{ foo: 'bar' }\"\ninspect(1); // => '1'\ninspect('foo'); // => \"'foo'\"\ninspect([ 1, 2, 3 ]); // => '[ 1, 2, 3 ]'\ninspect(/Test/g); // => '/Test/g'\n\n// ...\n```\n\n## Tests\n\n```bash\n$ npm test\n```\n\nCoverage:\n\n```bash\n$ npm run upload-coverage\n```\n\n## License\n\n(The MIT License)\n\nCopyright (c) 2011-2013 Jake Luer jake@alogicalparadox.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/loupe/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/magic-string/README.md ---\n# magic-string\n\n<a href=\"https://github.com/Rich-Harris/magic-string/actions/workflows/test.yml\">\n <img src=\"https://img.shields.io/github/actions/workflow/status/Rich-Harris/magic-string/test.yml\"\n alt=\"build status\">\n</a>\n<a href=\"https://npmjs.org/package/magic-string\">\n <img src=\"https://img.shields.io/npm/v/magic-string.svg\"\n alt=\"npm version\">\n</a>\n<a href=\"https://github.com/Rich-Harris/magic-string/blob/master/LICENSE.md\">\n <img src=\"https://img.shields.io/npm/l/magic-string.svg\"\n alt=\"license\">\n</a>\n\nSuppose you have some source code. You want to make some light modifications to it - replacing a few characters here and there, wrapping it with a header and footer, etc - and ideally you'd like to generate a [source map](https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k/) at the end of it. You've thought about using something like [recast](https://github.com/benjamn/recast) (which allows you to generate an AST from some JavaScript, manipulate it, and reprint it with a sourcemap without losing your comments and formatting), but it seems like overkill for your needs (or maybe the source code isn't JavaScript).\n\nYour requirements are, frankly, rather niche. But they're requirements that I also have, and for which I made magic-string. It's a small, fast utility for manipulating strings and generating sourcemaps.\n\n## Installation\n\nmagic-string works in both node.js and browser environments. For node, install with npm:\n\n```bash\nnpm i magic-string\n```\n\nTo use in browser, grab the [magic-string.umd.js](https://unpkg.com/magic-string/dist/magic-string.umd.js) file and add it to your page:\n\n```html\n<script src=\"magic-string.umd.js\"></script>\n```\n\n(It also works with various module systems, if you prefer that sort of thing - it has a dependency on [vlq](https://github.com/Rich-Harris/vlq).)\n\n## Usage\n\nThese examples assume you're in node.js, or something similar:\n\n```js\nimport MagicString from 'magic-string';\nimport fs from 'fs';\n\nconst s = new MagicString('problems = 99');\n\ns.update(0, 8, 'answer');\ns.toString(); // 'answer = 99'\n\ns.update(11, 13, '42'); // character indices always refer to the original string\ns.toString(); // 'answer = 42'\n\ns.prepend('var ').append(';'); // most methods are chainable\ns.toString(); // 'var answer = 42;'\n\nconst map = s.generateMap({\n\tsource: 'source.js',\n\tfile: 'converted.js.map',\n\tincludeContent: true,\n}); // generates a v3 sourcemap\n\nfs.writeFileSync('converted.js', s.toString());\nfs.writeFileSync('converted.js.map', map.toString());\n```\n\nYou can pass an options argument:\n\n```js\nconst s = new MagicString(someCode, {\n\t// these options will be used if you later call `bundle.addSource( s )` - see below\n\tfilename: 'foo.js',\n\tindentExclusionRanges: [\n\t\t/*...*/\n\t],\n\t// mark source as ignore in DevTools, see below #Bundling\n\tignoreList: false,\n\t// adjust the incoming position - see below\n\toffset: 0,\n});\n```\n\n## Properties\n\n### s.offset\n\nSets the offset property to adjust the incoming position for the following APIs: `slice`, `update`, `overwrite`, `appendLeft`, `prependLeft`, `appendRight`, `prependRight`, `move`, `reset`, and `remove`.\n\nExample usage:\n\n```ts\nconst s = new MagicString('hello world', { offset: 0 });\ns.offset = 6;\ns.slice() === 'world';\n```\n\n## Methods\n\n### s.addSourcemapLocation( index )\n\nAdds the specified character index (with respect to the original string) to sourcemap mappings, if `hires` is `false` (see below).\n\n### s.append( content )\n\nAppends the specified content to the end of the string. Returns `this`.\n\n### s.appendLeft( index, content )\n\nAppends the specified `content` at the `index` in the original string. If a range _ending_ with `index` is subsequently moved, the insert will be moved with it. Returns `this`. See also `s.prependLeft(...)`.\n\n### s.appendRight( index, content )\n\nAppends the specified `content` at the `index` in the original string. If a range _starting_ with `index` is subsequently moved, the insert will be moved with it. Returns `this`. See also `s.prependRight(...)`.\n\n### s.clone()\n\nDoes what you'd expect.\n\n### s.generateDecodedMap( options )\n\nGenerates a sourcemap object with raw mappings in array form, rather than encoded as a string. See `generateMap` documentation below for options details. Useful if you need to manipulate the sourcemap further, but most of the time you will use `generateMap` instead.\n\n### s.generateMap( options )\n\nGenerates a [version 3 sourcemap](https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k/edit). All options are, well, optional:\n\n- `file` - the filename where you plan to write the sourcemap\n- `source` - the filename of the file containing the original source\n- `includeContent` - whether to include the original content in the map's `sourcesContent` array\n- `hires` - whether the mapping should be high-resolution. Hi-res mappings map every single character, meaning (for example) your devtools will always be able to pinpoint the exact location of function calls and so on. With lo-res mappings, devtools may only be able to identify the correct line - but they're quicker to generate and less bulky. You can also set `\"boundary\"` to generate a semi-hi-res mappings segmented per word boundary instead of per character, suitable for string semantics that are separated by words. If sourcemap locations have been specified with `s.addSourcemapLocation()`, they will be used here.\n\nThe returned sourcemap has two (non-enumerable) methods attached for convenience:\n\n- `toString` - returns the equivalent of `JSON.stringify(map)`\n- `toUrl` - returns a DataURI containing the sourcemap. Useful for doing this sort of thing:\n\n```js\ncode += '\\n//# sourceMappingURL=' + map.toUrl();\n```\n\n### s.hasChanged()\n\nIndicates if the string has been changed.\n\n### s.indent( prefix[, options] )\n\nPrefixes each line of the string with `prefix`. If `prefix` is not supplied, the indentation will be guessed from the original content, falling back to a single tab character. Returns `this`.\n\nThe `options` argument can have an `exclude` property, which is an array of `[start, end]` character ranges. These ranges will be excluded from the indentation - useful for (e.g.) multiline strings.\n\n### s.insertLeft( index, content )\n\n**DEPRECATED** since 0.17 use `s.appendLeft(...)` instead\n\n### s.insertRight( index, content )\n\n**DEPRECATED** since 0.17 use `s.prependRight(...)` instead\n\n### s.isEmpty()\n\nReturns true if the resulting source is empty (disregarding white space).\n\n### s.locate( index )\n\n**DEPRECATED** since 0.10 see [#30](https://github.com/Rich-Harris/magic-string/pull/30)\n\n### s.locateOrigin( index )\n\n**DEPRECATED** since 0.10 see [#30](https://github.com/Rich-Harris/magic-string/pull/30)\n\n### s.move( start, end, index )\n\nMoves the characters from `start` and `end` to `index`. Returns `this`.\n\n### s.overwrite( start, end, content[, options] )\n\nReplaces the characters from `start` to `end` with `content`, along with the appended/prepended content in that range. The same restrictions as `s.remove()` apply. Returns `this`.\n\nThe fourth argument is optional. It can have a `storeName` property — if `true`, the original name will be stored for later inclusion in a sourcemap's `names` array — and a `contentOnly` property which determines whether only the content is overwritten, or anything that was appended/prepended to the range as well.\n\nIt may be preferred to use `s.update(...)` instead if you wish to avoid overwriting the appended/prepended content.\n\n### s.prepend( content )\n\nPrepends the string with the specified content. Returns `this`.\n\n### s.prependLeft ( index, content )\n\nSame as `s.appendLeft(...)`, except that the inserted content will go _before_ any previous appends or prepends at `index`\n\n### s.prependRight ( index, content )\n\nSame as `s.appendRight(...)`, except that the inserted content will go _before_ any previous appends or prepends at `index`\n\n### s.replace( regexpOrString, substitution )\n\nString replacement with RegExp or string. The `substitution` parameter supports strings and functions. Returns `this`.\n\n```ts\nimport MagicString from 'magic-string';\n\nconst s = new MagicString(source);\n\ns.replace('foo', 'bar');\ns.replace('foo', (str, index, s) => str + '-' + index);\ns.replace(/foo/g, 'bar');\ns.replace(/(\\w)(\\d+)/g, (_, $1, $2) => $1.toUpperCase() + $2);\n```\n\nThe differences from [`String.replace`](<(https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replace)>):\n\n- It will always match against the **original string**\n- It mutates the magic string state (use `.clone()` to be immutable)\n\n### s.replaceAll( regexpOrString, substitution )\n\nSame as `s.replace`, but replace all matched strings instead of just one.\nIf `regexpOrString` is a regex, then it must have the global (`g`) flag set, or a `TypeError` is thrown. Matches the behavior of the builtin [`String.property.replaceAll`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replaceAll). Returns `this`.\n\n### s.remove( start, end )\n\nRemoves the characters from `start` to `end` (of the original string, **not** the generated string). Removing the same content twice, or making removals that partially overlap, will cause an error. Returns `this`.\n\n### s.reset( start, end )\n\nResets the characters from `start` to `end` (of the original string, **not** the generated string).\nIt can be used to restore previously removed characters and discard unwanted changes.\n\n### s.slice( start, end )\n\nReturns the content of the generated string that corresponds to the slice between `start` and `end` of the original string. Throws error if the indices are for characters that were already removed.\n\n### s.snip( start, end )\n\nReturns a clone of `s`, with all content before the `start` and `end` characters of the original string removed.\n\n### s.toString()\n\nReturns the generated string.\n\n### s.trim([ charType ])\n\nTrims content matching `charType` (defaults to `\\s`, i.e. whitespace) from the start and end. Returns `this`.\n\n### s.trimStart([ charType ])\n\nTrims content matching `charType` (defaults to `\\s`, i.e. whitespace) from the start. Returns `this`.\n\n### s.trimEnd([ charType ])\n\nTrims content matching `charType` (defaults to `\\s`, i.e. whitespace) from the end. Returns `this`.\n\n### s.trimLines()\n\nRemoves empty lines from the start and end. Returns `this`.\n\n### s.update( start, end, content[, options] )\n\nReplaces the characters from `start` to `end` with `content`. The same restrictions as `s.remove()` apply. Returns `this`.\n\nThe fourth argument is optional. It can have a `storeName` property — if `true`, the original name will be stored for later inclusion in a sourcemap's `names` array — and an `overwrite` property which defaults to `false` and determines whether anything that was appended/prepended to the range will be overwritten along with the original content.\n\n`s.update(start, end, content)` is equivalent to `s.overwrite(start, end, content, { contentOnly: true })`.\n\n## Bundling\n\nTo concatenate several sources, use `MagicString.Bundle`:\n\n```js\nconst bundle = new MagicString.Bundle();\n\nbundle.addSource({\n\tfilename: 'foo.js',\n\tcontent: new MagicString('var answer = 42;'),\n});\n\nbundle.addSource({\n\tfilename: 'bar.js',\n\tcontent: new MagicString('console.log( answer )'),\n});\n\n// Sources can be marked as ignore-listed, which provides a hint to debuggers\n// to not step into this code and also don't show the source files depending\n// on user preferences.\nbundle.addSource({\n\tfilename: 'some-3rdparty-library.js',\n\tcontent: new MagicString('function myLib(){}'),\n\tignoreList: false, // <--\n});\n\n// Advanced: a source can include an `indentExclusionRanges` property\n// alongside `filename` and `content`. This will be passed to `s.indent()`\n// - see documentation above\n\nbundle\n\t.indent() // optionally, pass an indent string, otherwise it will be guessed\n\t.prepend('(function () {\\n')\n\t.append('}());');\n\nbundle.toString();\n// (function () {\n// var answer = 42;\n// console.log( answer );\n// }());\n\n// options are as per `s.generateMap()` above\nconst map = bundle.generateMap({\n\tfile: 'bundle.js',\n\tincludeContent: true,\n\thires: true,\n});\n```\n\nAs an alternative syntax, if you a) don't have `filename` or `indentExclusionRanges` options, or b) passed those in when you used `new MagicString(...)`, you can simply pass the `MagicString` instance itself:\n\n```js\nconst bundle = new MagicString.Bundle();\nconst source = new MagicString(someCode, {\n\tfilename: 'foo.js',\n});\n\nbundle.addSource(source);\n```\n\n## License\n\nMIT\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/magic-string/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/math-intrinsics/README.md ---\n# math-intrinsics <sup>[![Version Badge][npm-version-svg]][package-url]</sup>\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nES Math-related intrinsics and helpers, robustly cached.\n\n - `abs`\n - `floor`\n - `isFinite`\n - `isInteger`\n - `isNaN`\n - `isNegativeZero`\n - `max`\n - `min`\n - `mod`\n - `pow`\n - `round`\n - `sign`\n - `constants/maxArrayLength`\n - `constants/maxSafeInteger`\n - `constants/maxValue`\n\n\n## Tests\nSimply clone the repo, `npm install`, and run `npm test`\n\n## Security\n\nPlease email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.\n\n[package-url]: https://npmjs.org/package/math-intrinsics\n[npm-version-svg]: https://versionbadg.es/es-shims/math-intrinsics.svg\n[deps-svg]: https://david-dm.org/es-shims/math-intrinsics.svg\n[deps-url]: https://david-dm.org/es-shims/math-intrinsics\n[dev-deps-svg]: https://david-dm.org/es-shims/math-intrinsics/dev-status.svg\n[dev-deps-url]: https://david-dm.org/es-shims/math-intrinsics#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/math-intrinsics.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/math-intrinsics.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/es-object.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=math-intrinsics\n[codecov-image]: https://codecov.io/gh/es-shims/math-intrinsics/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/es-shims/math-intrinsics/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/es-shims/math-intrinsics\n[actions-url]: https://github.com/es-shims/math-intrinsics/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/math-intrinsics/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/media-typer/README.md ---\n# media-typer\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build Status][travis-image]][travis-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nSimple RFC 6838 media type parser.\n\nThis module will parse a given media type into it's component parts, like type,\nsubtype, and suffix. A formatter is also provided to put them back together and\nthe two can be combined to normalize media types into a canonical form.\n\nIf you are looking to parse the string that represents a media type and it's\nparameters in HTTP (for example, the `Content-Type` header), use the\n[content-type module](https://www.npmjs.com/package/content-type).\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install media-typer\n```\n\n## API\n\n<!-- eslint-disable no-unused-vars -->\n\n```js\nvar typer = require('media-typer')\n```\n\n### typer.parse(string)\n\n<!-- eslint-disable no-undef, no-unused-vars -->\n\n```js\nvar obj = typer.parse('image/svg+xml')\n```\n\nParse a media type string. This will return an object with the following\nproperties (examples are shown for the string `'image/svg+xml; charset=utf-8'`):\n\n - `type`: The type of the media type (always lower case). Example: `'image'`\n\n - `subtype`: The subtype of the media type (always lower case). Example: `'svg'`\n\n - `suffix`: The suffix of the media type (always lower case). Example: `'xml'`\n\nIf the given type string is invalid, then a `TypeError` is thrown.\n\n### typer.format(obj)\n\n<!-- eslint-disable no-undef, no-unused-vars -->\n\n```js\nvar obj = typer.format({ type: 'image', subtype: 'svg', suffix: 'xml' })\n```\n\nFormat an object into a media type string. This will return a string of the\nmime type for the given object. For the properties of the object, see the\ndocumentation for `typer.parse(string)`.\n\nIf any of the given object values are invalid, then a `TypeError` is thrown.\n\n### typer.test(string)\n\n<!-- eslint-disable no-undef, no-unused-vars -->\n\n```js\nvar valid = typer.test('image/svg+xml')\n```\n\nValidate a media type string. This will return `true` is the string is a well-\nformatted media type, or `false` otherwise.\n\n## License\n\n[MIT](LICENSE)\n\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/media-typer/master\n[coveralls-url]: https://coveralls.io/r/jshttp/media-typer?branch=master\n[node-version-image]: https://badgen.net/npm/node/media-typer\n[node-version-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/media-typer\n[npm-url]: https://npmjs.org/package/media-typer\n[npm-version-image]: https://badgen.net/npm/v/media-typer\n[travis-image]: https://badgen.net/travis/jshttp/media-typer/master\n[travis-url]: https://travis-ci.org/jshttp/media-typer\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/media-typer/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/mime-db/README.md ---\n# mime-db\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][ci-image]][ci-url]\n[![Coverage Status][coveralls-image]][coveralls-url]\n\nThis is a large database of mime types and information about them.\nIt consists of a single, public JSON file and does not include any logic,\nallowing it to remain as un-opinionated as possible with an API.\nIt aggregates data from the following sources:\n\n- https://www.iana.org/assignments/media-types/media-types.xhtml\n- https://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types\n- https://hg.nginx.org/nginx/raw-file/default/conf/mime.types\n\n## Installation\n\n```bash\nnpm install mime-db\n```\n\n### Database Download\n\nIf you intend to use this in a web browser, you can conveniently access the JSON file via [jsDelivr](https://www.jsdelivr.com/), a popular CDN (Content Delivery Network). To ensure stability and compatibility, it is advisable to specify [a release tag](https://github.com/jshttp/mime-db/tags) instead of using the 'master' branch. This is because the JSON file's format might change in future updates, and relying on a specific release tag will prevent potential issues arising from these changes.\n\n```\nhttps://cdn.jsdelivr.net/gh/jshttp/mime-db@master/db.json\n```\n\n## Usage\n\n```js\nvar db = require('mime-db')\n\n// grab data on .js files\nvar data = db['application/javascript']\n```\n\n## Data Structure\n\nThe JSON file is a map lookup for lowercased mime types.\nEach mime type has the following properties:\n\n- `.source` - where the mime type is defined.\n If not set, it's probably a custom media type.\n - `apache` - [Apache common media types](https://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types)\n - `iana` - [IANA-defined media types](https://www.iana.org/assignments/media-types/media-types.xhtml)\n - `nginx` - [nginx media types](https://hg.nginx.org/nginx/raw-file/default/conf/mime.types)\n- `.extensions[]` - known extensions associated with this mime type.\n- `.compressible` - whether a file of this type can be gzipped.\n- `.charset` - the default charset associated with this type, if any.\n\nIf unknown, every property could be `undefined`.\n\n## Note on MIME Type Data and Semver\n\nThis package considers the programmatic api as the semver compatibility. This means the MIME type resolution is *not* considered\nin the semver bumps. This means that if you want to pin your `mime-db` data you will need to do it in your application. While\nthis expectation was not set in docs until now, it is how the pacakge operated, so we do not feel this is a breaking change.\n\n## Contributing\n\nThe primary way to contribute to this database is by updating the data in\none of the upstream sources. The database is updated from the upstreams\nperiodically and will pull in any changes.\n\n### Registering Media Types\n\nThe best way to get new media types included in this library is to register\nthem with the IANA. The community registration procedure is outlined in\n[RFC 6838 section 5](https://tools.ietf.org/html/rfc6838#section-5). Types\nregistered with the IANA are automatically pulled into this library.\n\n### Direct Inclusion\n\nIf that is not possible / feasible, they can be added directly here as a\n\"custom\" type. To do this, it is required to have a primary source that\ndefinitively lists the media type. If an extension is going to be listed as\nassociated with this media type, the source must definitively link the\nmedia type and extension as well.\n\nTo edit the database, only make PRs against `src/custom-types.json` or\n`src/custom-suffix.json`.\n\nThe `src/custom-types.json` file is a JSON object with the MIME type as the\nkeys and the values being an object with the following keys:\n\n- `compressible` - leave out if you don't know, otherwise `true`/`false` to\n indicate whether the data represented by the type is typically compressible.\n- `extensions` - include an array of file extensions that are associated with\n the type.\n- `notes` - human-readable notes about the type, typically what the type is.\n- `sources` - include an array of URLs of where the MIME type and the associated\n extensions are sourced from. This needs to be a [primary source](https://en.wikipedia.org/wiki/Primary_source);\n links to type aggregating sites and Wikipedia are _not acceptable_.\n\nTo update the build, run `npm run build`.\n\n[ci-image]: https://badgen.net/github/checks/jshttp/mime-db/master?label=ci\n[ci-url]: https://github.com/jshttp/mime-db/actions/workflows/ci.yml\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/mime-db/master\n[coveralls-url]: https://coveralls.io/r/jshttp/mime-db?branch=master\n[node-image]: https://badgen.net/npm/node/mime-db\n[node-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/mime-db\n[npm-url]: https://npmjs.org/package/mime-db\n[npm-version-image]: https://badgen.net/npm/v/mime-db\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/mime-db/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/mime-types/README.md ---\n# mime-types\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build Status][ci-image]][ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nThe ultimate javascript content-type utility.\n\nSimilar to [the `mime@1.x` module](https://www.npmjs.com/package/mime), except:\n\n- __No fallbacks.__ Instead of naively returning the first available type,\n `mime-types` simply returns `false`, so do\n `var type = mime.lookup('unrecognized') || 'application/octet-stream'`.\n- No `new Mime()` business, so you could do `var lookup = require('mime-types').lookup`.\n- No `.define()` functionality\n- Bug fixes for `.lookup(path)`\n\nOtherwise, the API is compatible with `mime` 1.x.\n\n## Install\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install mime-types\n```\n\n## Note on MIME Type Data and Semver\n\nThis package considers the programmatic api as the semver compatibility. Additionally, the package which provides the MIME data\nfor this package (`mime-db`) *also* considers it's programmatic api as the semver contract. This means the MIME type resolution is *not* considered\nin the semver bumps.\n\nIn the past the version of `mime-db` was pinned to give two decision points when adopting MIME data changes. This is no longer true. We still update the\n`mime-db` package here as a `minor` release when necessary, but will use a `^` range going forward. This means that if you want to pin your `mime-db` data\nyou will need to do it in your application. While this expectation was not set in docs until now, it is how the pacakge operated, so we do not feel this is\na breaking change.\n\nIf you wish to pin your `mime-db` version you can do that with overrides via your package manager of choice. See their documentation for how to correctly configure that.\n\n## Adding Types\n\nAll mime types are based on [mime-db](https://www.npmjs.com/package/mime-db),\nso open a PR there if you'd like to add mime types.\n\n## API\n\n```js\nvar mime = require('mime-types')\n```\n\nAll functions return `false` if input is invalid or not found.\n\n### mime.lookup(path)\n\nLookup the content-type associated with a file.\n\n```js\nmime.lookup('json') // 'application/json'\nmime.lookup('.md') // 'text/markdown'\nmime.lookup('file.html') // 'text/html'\nmime.lookup('folder/file.js') // 'application/javascript'\nmime.lookup('folder/.htaccess') // false\n\nmime.lookup('cats') // false\n```\n\n### mime.contentType(type)\n\nCreate a full content-type header given a content-type or extension.\nWhen given an extension, `mime.lookup` is used to get the matching\ncontent-type, otherwise the given content-type is used. Then if the\ncontent-type does not already have a `charset` parameter, `mime.charset`\nis used to get the default charset and add to the returned content-type.\n\n```js\nmime.contentType('markdown') // 'text/x-markdown; charset=utf-8'\nmime.contentType('file.json') // 'application/json; charset=utf-8'\nmime.contentType('text/html') // 'text/html; charset=utf-8'\nmime.contentType('text/html; charset=iso-8859-1') // 'text/html; charset=iso-8859-1'\n\n// from a full path\nmime.contentType(path.extname('/path/to/file.json')) // 'application/json; charset=utf-8'\n```\n\n### mime.extension(type)\n\nGet the default extension for a content-type.\n\n```js\nmime.extension('application/octet-stream') // 'bin'\n```\n\n### mime.charset(type)\n\nLookup the implied default charset of a content-type.\n\n```js\nmime.charset('text/markdown') // 'UTF-8'\n```\n\n### var type = mime.types[extension]\n\nA map of content-types by extension.\n\n### [extensions...] = mime.extensions[type]\n\nA map of extensions by content-type.\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://badgen.net/github/checks/jshttp/mime-types/master?label=ci\n[ci-url]: https://github.com/jshttp/mime-types/actions/workflows/ci.yml\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/mime-types/master\n[coveralls-url]: https://coveralls.io/r/jshttp/mime-types?branch=master\n[node-version-image]: https://badgen.net/npm/node/mime-types\n[node-version-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/mime-types\n[npm-url]: https://npmjs.org/package/mime-types\n[npm-version-image]: https://badgen.net/npm/v/mime-types\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/mime-types/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/nanoid/README.md ---\n# Nano ID\n\n<img src=\"https://ai.github.io/nanoid/logo.svg\" align=\"right\"\n alt=\"Nano ID logo by Anton Lovchikov\" width=\"180\" height=\"94\">\n\n**English** | [Русский](./README.ru.md) | [简体中文](./README.zh-CN.md) | [Bahasa Indonesia](./README.id-ID.md)\n\nA tiny, secure, URL-friendly, unique string ID generator for JavaScript.\n\n> “An amazing level of senseless perfectionism,\n> which is simply impossible not to respect.”\n\n* **Small.** 130 bytes (minified and gzipped). No dependencies.\n [Size Limit] controls the size.\n* **Fast.** It is 2 times faster than UUID.\n* **Safe.** It uses hardware random generator. Can be used in clusters.\n* **Short IDs.** It uses a larger alphabet than UUID (`A-Za-z0-9_-`).\n So ID size was reduced from 36 to 21 symbols.\n* **Portable.** Nano ID was ported\n to [20 programming languages](#other-programming-languages).\n\n```js\nimport { nanoid } from 'nanoid'\nmodel.id = nanoid() //=> \"V1StGXR8_Z5jdHi6B-myT\"\n```\n\nSupports modern browsers, IE [with Babel], Node.js and React Native.\n\n[online tool]: https://gitpod.io/#https://github.com/ai/nanoid/\n[with Babel]: https://developer.epages.com/blog/coding/how-to-transpile-node-modules-with-babel-and-webpack-in-a-monorepo/\n[Size Limit]: https://github.com/ai/size-limit\n\n<a href=\"https://evilmartians.com/?utm_source=nanoid\">\n <img src=\"https://evilmartians.com/badges/sponsored-by-evil-martians.svg\"\n alt=\"Sponsored by Evil Martians\" width=\"236\" height=\"54\">\n</a>\n\n## Docs\nRead full docs **[here](https://github.com/ai/nanoid#readme)**.\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/nanoid/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/negotiator/README.md ---\n# negotiator\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build Status][github-actions-ci-image]][github-actions-ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nAn HTTP content negotiator for Node.js\n\n## Installation\n\n```sh\n$ npm install negotiator\n```\n\n## API\n\n```js\nvar Negotiator = require('negotiator')\n```\n\n### Accept Negotiation\n\n```js\navailableMediaTypes = ['text/html', 'text/plain', 'application/json']\n\n// The negotiator constructor receives a request object\nnegotiator = new Negotiator(request)\n\n// Let's say Accept header is 'text/html, application/*;q=0.2, image/jpeg;q=0.8'\n\nnegotiator.mediaTypes()\n// -> ['text/html', 'image/jpeg', 'application/*']\n\nnegotiator.mediaTypes(availableMediaTypes)\n// -> ['text/html', 'application/json']\n\nnegotiator.mediaType(availableMediaTypes)\n// -> 'text/html'\n```\n\nYou can check a working example at `examples/accept.js`.\n\n#### Methods\n\n##### mediaType()\n\nReturns the most preferred media type from the client.\n\n##### mediaType(availableMediaType)\n\nReturns the most preferred media type from a list of available media types.\n\n##### mediaTypes()\n\nReturns an array of preferred media types ordered by the client preference.\n\n##### mediaTypes(availableMediaTypes)\n\nReturns an array of preferred media types ordered by priority from a list of\navailable media types.\n\n### Accept-Language Negotiation\n\n```js\nnegotiator = new Negotiator(request)\n\navailableLanguages = ['en', 'es', 'fr']\n\n// Let's say Accept-Language header is 'en;q=0.8, es, pt'\n\nnegotiator.languages()\n// -> ['es', 'pt', 'en']\n\nnegotiator.languages(availableLanguages)\n// -> ['es', 'en']\n\nlanguage = negotiator.language(availableLanguages)\n// -> 'es'\n```\n\nYou can check a working example at `examples/language.js`.\n\n#### Methods\n\n##### language()\n\nReturns the most preferred language from the client.\n\n##### language(availableLanguages)\n\nReturns the most preferred language from a list of available languages.\n\n##### languages()\n\nReturns an array of preferred languages ordered by the client preference.\n\n##### languages(availableLanguages)\n\nReturns an array of preferred languages ordered by priority from a list of\navailable languages.\n\n### Accept-Charset Negotiation\n\n```js\navailableCharsets = ['utf-8', 'iso-8859-1', 'iso-8859-5']\n\nnegotiator = new Negotiator(request)\n\n// Let's say Accept-Charset header is 'utf-8, iso-8859-1;q=0.8, utf-7;q=0.2'\n\nnegotiator.charsets()\n// -> ['utf-8', 'iso-8859-1', 'utf-7']\n\nnegotiator.charsets(availableCharsets)\n// -> ['utf-8', 'iso-8859-1']\n\nnegotiator.charset(availableCharsets)\n// -> 'utf-8'\n```\n\nYou can check a working example at `examples/charset.js`.\n\n#### Methods\n\n##### charset()\n\nReturns the most preferred charset from the client.\n\n##### charset(availableCharsets)\n\nReturns the most preferred charset from a list of available charsets.\n\n##### charsets()\n\nReturns an array of preferred charsets ordered by the client preference.\n\n##### charsets(availableCharsets)\n\nReturns an array of preferred charsets ordered by priority from a list of\navailable charsets.\n\n### Accept-Encoding Negotiation\n\n```js\navailableEncodings = ['identity', 'gzip']\n\nnegotiator = new Negotiator(request)\n\n// Let's say Accept-Encoding header is 'gzip, compress;q=0.2, identity;q=0.5'\n\nnegotiator.encodings()\n// -> ['gzip', 'identity', 'compress']\n\nnegotiator.encodings(availableEncodings)\n// -> ['gzip', 'identity']\n\nnegotiator.encoding(availableEncodings)\n// -> 'gzip'\n```\n\nYou can check a working example at `examples/encoding.js`.\n\n#### Methods\n\n##### encoding()\n\nReturns the most preferred encoding from the client.\n\n##### encoding(availableEncodings)\n\nReturns the most preferred encoding from a list of available encodings.\n\n##### encoding(availableEncodings, { preferred })\n\nReturns the most preferred encoding from a list of available encodings, while prioritizing based on `preferred` array between same-quality encodings.\n\n##### encodings()\n\nReturns an array of preferred encodings ordered by the client preference.\n\n##### encodings(availableEncodings)\n\nReturns an array of preferred encodings ordered by priority from a list of\navailable encodings.\n\n##### encodings(availableEncodings, { preferred })\n\nReturns an array of preferred encodings ordered by priority from a list of\navailable encodings, while prioritizing based on `preferred` array between same-quality encodings.\n\n## See Also\n\nThe [accepts](https://npmjs.org/package/accepts#readme) module builds on\nthis module and provides an alternative interface, mime type validation,\nand more.\n\n## License\n\n[MIT](LICENSE)\n\n[npm-image]: https://img.shields.io/npm/v/negotiator.svg\n[npm-url]: https://npmjs.org/package/negotiator\n[node-version-image]: https://img.shields.io/node/v/negotiator.svg\n[node-version-url]: https://nodejs.org/en/download/\n[coveralls-image]: https://img.shields.io/coveralls/jshttp/negotiator/master.svg\n[coveralls-url]: https://coveralls.io/r/jshttp/negotiator?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/negotiator.svg\n[downloads-url]: https://npmjs.org/package/negotiator\n[github-actions-ci-image]: https://img.shields.io/github/workflow/status/jshttp/negotiator/ci/master?label=ci\n[github-actions-ci-url]: https://github.com/jshttp/negotiator/actions/workflows/ci.yml\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/negotiator/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/on-finished/README.md ---\n# on-finished\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][ci-image]][ci-url]\n[![Coverage Status][coveralls-image]][coveralls-url]\n\nExecute a callback when a HTTP request closes, finishes, or errors.\n\n## Install\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install on-finished\n```\n\n## API\n\n```js\nvar onFinished = require('on-finished')\n```\n\n### onFinished(res, listener)\n\nAttach a listener to listen for the response to finish. The listener will\nbe invoked only once when the response finished. If the response finished\nto an error, the first argument will contain the error. If the response\nhas already finished, the listener will be invoked.\n\nListening to the end of a response would be used to close things associated\nwith the response, like open files.\n\nListener is invoked as `listener(err, res)`.\n\n<!-- eslint-disable handle-callback-err -->\n\n```js\nonFinished(res, function (err, res) {\n // clean up open fds, etc.\n // err contains the error if request error'd\n})\n```\n\n### onFinished(req, listener)\n\nAttach a listener to listen for the request to finish. The listener will\nbe invoked only once when the request finished. If the request finished\nto an error, the first argument will contain the error. If the request\nhas already finished, the listener will be invoked.\n\nListening to the end of a request would be used to know when to continue\nafter reading the data.\n\nListener is invoked as `listener(err, req)`.\n\n<!-- eslint-disable handle-callback-err -->\n\n```js\nvar data = ''\n\nreq.setEncoding('utf8')\nreq.on('data', function (str) {\n data += str\n})\n\nonFinished(req, function (err, req) {\n // data is read unless there is err\n})\n```\n\n### onFinished.isFinished(res)\n\nDetermine if `res` is already finished. This would be useful to check and\nnot even start certain operations if the response has already finished.\n\n### onFinished.isFinished(req)\n\nDetermine if `req` is already finished. This would be useful to check and\nnot even start certain operations if the request has already finished.\n\n## Special Node.js requests\n\n### HTTP CONNECT method\n\nThe meaning of the `CONNECT` method from RFC 7231, section 4.3.6:\n\n> The CONNECT method requests that the recipient establish a tunnel to\n> the destination origin server identified by the request-target and,\n> if successful, thereafter restrict its behavior to blind forwarding\n> of packets, in both directions, until the tunnel is closed. Tunnels\n> are commonly used to create an end-to-end virtual connection, through\n> one or more proxies, which can then be secured using TLS (Transport\n> Layer Security, [RFC5246]).\n\nIn Node.js, these request objects come from the `'connect'` event on\nthe HTTP server.\n\nWhen this module is used on a HTTP `CONNECT` request, the request is\nconsidered \"finished\" immediately, **due to limitations in the Node.js\ninterface**. This means if the `CONNECT` request contains a request entity,\nthe request will be considered \"finished\" even before it has been read.\n\nThere is no such thing as a response object to a `CONNECT` request in\nNode.js, so there is no support for one.\n\n### HTTP Upgrade request\n\nThe meaning of the `Upgrade` header from RFC 7230, section 6.1:\n\n> The \"Upgrade\" header field is intended to provide a simple mechanism\n> for transitioning from HTTP/1.1 to some other protocol on the same\n> connection.\n\nIn Node.js, these request objects come from the `'upgrade'` event on\nthe HTTP server.\n\nWhen this module is used on a HTTP request with an `Upgrade` header, the\nrequest is considered \"finished\" immediately, **due to limitations in the\nNode.js interface**. This means if the `Upgrade` request contains a request\nentity, the request will be considered \"finished\" even before it has been\nread.\n\nThere is no such thing as a response object to a `Upgrade` request in\nNode.js, so there is no support for one.\n\n## Example\n\nThe following code ensures that file descriptors are always closed\nonce the response finishes.\n\n```js\nvar destroy = require('destroy')\nvar fs = require('fs')\nvar http = require('http')\nvar onFinished = require('on-finished')\n\nhttp.createServer(function onRequest (req, res) {\n var stream = fs.createReadStream('package.json')\n stream.pipe(res)\n onFinished(res, function () {\n destroy(stream)\n })\n})\n```\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://badgen.net/github/checks/jshttp/on-finished/master?label=ci\n[ci-url]: https://github.com/jshttp/on-finished/actions/workflows/ci.yml\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/on-finished/master\n[coveralls-url]: https://coveralls.io/r/jshttp/on-finished?branch=master\n[node-image]: https://badgen.net/npm/node/on-finished\n[node-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/on-finished\n[npm-url]: https://npmjs.org/package/on-finished\n[npm-version-image]: https://badgen.net/npm/v/on-finished\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/on-finished/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/once/README.md ---\n# once\n\nOnly call a function once.\n\n## usage\n\n```javascript\nvar once = require('once')\n\nfunction load (file, cb) {\n cb = once(cb)\n loader.load('file')\n loader.once('load', cb)\n loader.once('error', cb)\n}\n```\n\nOr add to the Function.prototype in a responsible way:\n\n```javascript\n// only has to be done once\nrequire('once').proto()\n\nfunction load (file, cb) {\n cb = cb.once()\n loader.load('file')\n loader.once('load', cb)\n loader.once('error', cb)\n}\n```\n\nIronically, the prototype feature makes this module twice as\ncomplicated as necessary.\n\nTo check whether you function has been called, use `fn.called`. Once the\nfunction is called for the first time the return value of the original\nfunction is saved in `fn.value` and subsequent calls will continue to\nreturn this value.\n\n```javascript\nvar once = require('once')\n\nfunction load (cb) {\n cb = once(cb)\n var stream = createStream()\n stream.once('data', cb)\n stream.once('end', function () {\n if (!cb.called) cb(new Error('not found'))\n })\n}\n```\n\n## `once.strict(func)`\n\nThrow an error if the function is called twice.\n\nSome functions are expected to be called only once. Using `once` for them would\npotentially hide logical errors.\n\nIn the example below, the `greet` function has to call the callback only once:\n\n```javascript\nfunction greet (name, cb) {\n // return is missing from the if statement\n // when no name is passed, the callback is called twice\n if (!name) cb('Hello anonymous')\n cb('Hello ' + name)\n}\n\nfunction log (msg) {\n console.log(msg)\n}\n\n// this will print 'Hello anonymous' but the logical error will be missed\ngreet(null, once(msg))\n\n// once.strict will print 'Hello anonymous' and throw an error when the callback will be called the second time\ngreet(null, once.strict(msg))\n```\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/once/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/parseurl/README.md ---\n# parseurl\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][travis-image]][travis-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nParse a URL with memoization.\n\n## Install\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install parseurl\n```\n\n## API\n\n```js\nvar parseurl = require('parseurl')\n```\n\n### parseurl(req)\n\nParse the URL of the given request object (looks at the `req.url` property)\nand return the result. The result is the same as `url.parse` in Node.js core.\nCalling this function multiple times on the same `req` where `req.url` does\nnot change will return a cached parsed object, rather than parsing again.\n\n### parseurl.original(req)\n\nParse the original URL of the given request object and return the result.\nThis works by trying to parse `req.originalUrl` if it is a string, otherwise\nparses `req.url`. The result is the same as `url.parse` in Node.js core.\nCalling this function multiple times on the same `req` where `req.originalUrl`\ndoes not change will return a cached parsed object, rather than parsing again.\n\n## Benchmark\n\n```bash\n$ npm run-script bench\n\n> parseurl@1.3.3 bench nodejs-parseurl\n> node benchmark/index.js\n\n http_parser@2.8.0\n node@10.6.0\n v8@6.7.288.46-node.13\n uv@1.21.0\n zlib@1.2.11\n ares@1.14.0\n modules@64\n nghttp2@1.32.0\n napi@3\n openssl@1.1.0h\n icu@61.1\n unicode@10.0\n cldr@33.0\n tz@2018c\n\n> node benchmark/fullurl.js\n\n Parsing URL \"http://localhost:8888/foo/bar?user=tj&pet=fluffy\"\n\n 4 tests completed.\n\n fasturl x 2,207,842 ops/sec ±3.76% (184 runs sampled)\n nativeurl - legacy x 507,180 ops/sec ±0.82% (191 runs sampled)\n nativeurl - whatwg x 290,044 ops/sec ±1.96% (189 runs sampled)\n parseurl x 488,907 ops/sec ±2.13% (192 runs sampled)\n\n> node benchmark/pathquery.js\n\n Parsing URL \"/foo/bar?user=tj&pet=fluffy\"\n\n 4 tests completed.\n\n fasturl x 3,812,564 ops/sec ±3.15% (188 runs sampled)\n nativeurl - legacy x 2,651,631 ops/sec ±1.68% (189 runs sampled)\n nativeurl - whatwg x 161,837 ops/sec ±2.26% (189 runs sampled)\n parseurl x 4,166,338 ops/sec ±2.23% (184 runs sampled)\n\n> node benchmark/samerequest.js\n\n Parsing URL \"/foo/bar?user=tj&pet=fluffy\" on same request object\n\n 4 tests completed.\n\n fasturl x 3,821,651 ops/sec ±2.42% (185 runs sampled)\n nativeurl - legacy x 2,651,162 ops/sec ±1.90% (187 runs sampled)\n nativeurl - whatwg x 175,166 ops/sec ±1.44% (188 runs sampled)\n parseurl x 14,912,606 ops/sec ±3.59% (183 runs sampled)\n\n> node benchmark/simplepath.js\n\n Parsing URL \"/foo/bar\"\n\n 4 tests completed.\n\n fasturl x 12,421,765 ops/sec ±2.04% (191 runs sampled)\n nativeurl - legacy x 7,546,036 ops/sec ±1.41% (188 runs sampled)\n nativeurl - whatwg x 198,843 ops/sec ±1.83% (189 runs sampled)\n parseurl x 24,244,006 ops/sec ±0.51% (194 runs sampled)\n\n> node benchmark/slash.js\n\n Parsing URL \"/\"\n\n 4 tests completed.\n\n fasturl x 17,159,456 ops/sec ±3.25% (188 runs sampled)\n nativeurl - legacy x 11,635,097 ops/sec ±3.79% (184 runs sampled)\n nativeurl - whatwg x 240,693 ops/sec ±0.83% (189 runs sampled)\n parseurl x 42,279,067 ops/sec ±0.55% (190 runs sampled)\n```\n\n## License\n\n [MIT](LICENSE)\n\n[coveralls-image]: https://badgen.net/coveralls/c/github/pillarjs/parseurl/master\n[coveralls-url]: https://coveralls.io/r/pillarjs/parseurl?branch=master\n[node-image]: https://badgen.net/npm/node/parseurl\n[node-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/parseurl\n[npm-url]: https://npmjs.org/package/parseurl\n[npm-version-image]: https://badgen.net/npm/v/parseurl\n[travis-image]: https://badgen.net/travis/pillarjs/parseurl/master\n[travis-url]: https://travis-ci.org/pillarjs/parseurl\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/parseurl/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/pathe/README.md ---\n# 🛣️ pathe\n\n> Universal filesystem path utils\n\n[![version][npm-v-src]][npm-v-href]\n[![downloads][npm-d-src]][npm-d-href]\n[![size][size-src]][size-href]\n\n## ❓ Why\n\nFor [historical reasons](https://docs.microsoft.com/en-us/archive/blogs/larryosterman/why-is-the-dos-path-character), windows followed MS-DOS and used backslash for separating paths rather than slash used for macOS, Linux, and other Posix operating systems. Nowadays, [Windows](https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file?redirectedfrom=MSDN) supports both Slash and Backslash for paths. [Node.js's built-in `path` module](https://nodejs.org/api/path.html) in the default operation of the path module varies based on the operating system on which a Node.js application is running. Specifically, when running on a Windows operating system, the path module will assume that Windows-style paths are being used. **This makes inconsistent code behavior between Windows and POSIX.**\n\nCompared to popular [upath](https://github.com/anodynos/upath), pathe provides **identical exports** of Node.js with normalization on **all operations** and is written in modern **ESM/TypeScript** and has **no dependency on Node.js**!\n\nThis package is a drop-in replacement of the Node.js's [path module](https://nodejs.org/api/path.html) module and ensures paths are normalized with slash `/` and work in environments including Node.js.\n\n## 💿 Usage\n\nInstall using npm or yarn:\n\n```bash\n# npm\nnpm i pathe\n\n# yarn\nyarn add pathe\n\n# pnpm\npnpm i pathe\n```\n\nImport:\n\n```js\n// ESM / Typescript\nimport { resolve, matchesGlob } from \"pathe\";\n\n// CommonJS\nconst { resolve, matchesGlob } = require(\"pathe\");\n```\n\nRead more about path utils from [Node.js documentation](https://nodejs.org/api/path.html) and rest assured behavior is consistently like POSIX regardless of your input paths format and running platform (the only exception is `delimiter` constant export, it will be set to `;` on windows platform).\n\n### Extra utilities\n\nPathe exports some extra utilities that do not exist in standard Node.js [path module](https://nodejs.org/api/path.html).\nIn order to use them, you can import from `pathe/utils` subpath:\n\n```js\nimport {\n filename,\n normalizeAliases,\n resolveAlias,\n reverseResolveAlias,\n} from \"pathe/utils\";\n```\n\n## License\n\nMade with 💛 Published under the [MIT](./LICENSE) license.\n\nSome code was used from the Node.js project. Glob supported is powered by [zeptomatch](https://github.com/fabiospampinato/zeptomatch).\n\n<!-- Refs -->\n\n[npm-v-src]: https://img.shields.io/npm/v/pathe?style=flat-square\n[npm-v-href]: https://npmjs.com/package/pathe\n[npm-d-src]: https://img.shields.io/npm/dm/pathe?style=flat-square\n[npm-d-href]: https://npmjs.com/package/pathe\n[github-actions-src]: https://img.shields.io/github/workflow/status/unjs/pathe/ci/main?style=flat-square\n[github-actions-href]: https://github.com/unjs/pathe/actions?query=workflow%3Aci\n[size-src]: https://packagephobia.now.sh/badge?p=pathe\n[size-href]: https://packagephobia.now.sh/result?p=pathe\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/pathe/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/pathval/README.md ---\n<h1 align=center>\n <a href=\"http://chaijs.com\" title=\"Chai Documentation\">\n <img alt=\"ChaiJS\" src=\"http://chaijs.com/img/chai-logo.png\">\n </a>\n <br>\n pathval\n</h1>\n\n<p align=center>\n Tool for Object value retrieval given a string path for <a href=\"http://nodejs.org\">node</a> and the browser.\n</p>\n\n<p align=center>\n <a href=\"./LICENSE\">\n <img\n alt=\"license:mit\"\n src=\"https://img.shields.io/badge/license-mit-green.svg?style=flat-square\"\n />\n </a>\n <a href=\"https://github.com/chaijs/pathval/releases\">\n <img\n alt=\"tag:?\"\n src=\"https://img.shields.io/github/tag/chaijs/pathval.svg?style=flat-square\"\n />\n </a>\n <a href=\"https://travis-ci.org/chaijs/pathval\">\n <img\n alt=\"build:?\"\n src=\"https://img.shields.io/travis/chaijs/pathval/master.svg?style=flat-square\"\n />\n </a>\n <a href=\"https://coveralls.io/r/chaijs/pathval\">\n <img\n alt=\"coverage:?\"\n src=\"https://img.shields.io/coveralls/chaijs/pathval/master.svg?style=flat-square\"\n />\n </a>\n <a href=\"https://www.npmjs.com/packages/pathval\">\n <img\n alt=\"npm:?\"\n src=\"https://img.shields.io/npm/v/pathval.svg?style=flat-square\"\n />\n </a>\n <a href=\"https://www.npmjs.com/packages/pathval\">\n <img\n alt=\"dependencies:?\"\n src=\"https://img.shields.io/npm/dm/pathval.svg?style=flat-square\"\n />\n </a>\n <a href=\"\">\n <img\n alt=\"devDependencies:?\"\n src=\"https://img.shields.io/david/chaijs/pathval.svg?style=flat-square\"\n />\n </a>\n <br/>\n <a href=\"https://saucelabs.com/u/chaijs-pathval\">\n <img\n alt=\"Selenium Test Status\"\n src=\"https://saucelabs.com/browser-matrix/chaijs-pathval.svg\"\n />\n </a>\n <br>\n <a href=\"https://chai-slack.herokuapp.com/\">\n <img\n alt=\"Join the Slack chat\"\n src=\"https://img.shields.io/badge/slack-join%20chat-E2206F.svg?style=flat-square\"\n />\n </a>\n <a href=\"https://gitter.im/chaijs/chai\">\n <img\n alt=\"Join the Gitter chat\"\n src=\"https://img.shields.io/badge/gitter-join%20chat-D0104D.svg?style=flat-square\"\n />\n </a>\n</p>\n\n## What is pathval?\n\nPathval is a module which you can use to retrieve or set an Object's property for a given `String` path.\n\n## Installation\n\n### Node.js\n\n`pathval` is available on [npm](http://npmjs.org). To install it, type:\n\n $ npm install pathval\n\n### Browsers\n\nYou can also use it within the browser; install via npm and use the `pathval.js` file found within the download. For example:\n\n```html\n<script src=\"./node_modules/pathval/pathval.js\"></script>\n```\n\n## Usage\n\nThe primary export of `pathval` is an object which has the following methods:\n\n* `hasProperty(object, name)` - Checks whether an `object` has `name`d property or numeric array index.\n* `getPathInfo(object, path)` - Returns an object with info indicating the value of the `parent` of that path, the `name ` of the property we're retrieving and its `value`.\n* `getPathValue(object, path)` - Retrieves the value of a property at a given `path` inside an `object`'.\n* `setPathValue(object, path, value)` - Sets the `value` of a property at a given `path` inside an `object` and returns the object in which the property has been set.\n\n```js\nvar pathval = require('pathval');\n```\n\n#### .hasProperty(object, name)\n\n```js\nvar pathval = require('pathval');\n\nvar obj = { prop: 'a value' };\npathval.hasProperty(obj, 'prop'); // true\n```\n\n#### .getPathInfo(object, path)\n\n```js\nvar pathval = require('pathval');\n\nvar obj = { earth: { country: 'Brazil' } };\npathval.getPathInfo(obj, 'earth.country'); // { parent: { country: 'Brazil' }, name: 'country', value: 'Brazil', exists: true }\n```\n\n#### .getPathValue(object, path)\n\n```js\nvar pathval = require('pathval');\n\nvar obj = { earth: { country: 'Brazil' } };\npathval.getPathValue(obj, 'earth.country'); // 'Brazil'\n```\n\n#### .setPathValue(object, path, value)\n\n```js\nvar pathval = require('pathval');\n\nvar obj = { earth: { country: 'Brazil' } };\npathval.setPathValue(obj, 'earth.country', 'USA');\n\nobj.earth.country; // 'USA'\n```\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/pathval/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/picocolors/README.md ---\n# picocolors\n\nThe tiniest and the fastest library for terminal output formatting with ANSI colors.\n\n```javascript\nimport pc from \"picocolors\"\n\nconsole.log(\n pc.green(`How are ${pc.italic(`you`)} doing?`)\n)\n```\n\n- **No dependencies.**\n- **14 times** smaller and **2 times** faster than chalk.\n- Used by popular tools like PostCSS, SVGO, Stylelint, and Browserslist.\n- Node.js v6+ & browsers support. Support for both CJS and ESM projects.\n- TypeScript type declarations included.\n- [`NO_COLOR`](https://no-color.org/) friendly.\n\n## Docs\nRead **[full docs](https://github.com/alexeyraspopov/picocolors#readme)** on GitHub.\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/picocolors/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/picomatch/README.md ---\n<h1 align=\"center\">Picomatch</h1>\n\n<p align=\"center\">\n<a href=\"https://npmjs.org/package/picomatch\">\n<img src=\"https://img.shields.io/npm/v/picomatch.svg\" alt=\"version\">\n</a>\n<a href=\"https://github.com/micromatch/picomatch/actions?workflow=Tests\">\n<img src=\"https://github.com/micromatch/picomatch/workflows/Tests/badge.svg\" alt=\"test status\">\n</a>\n<a href=\"https://coveralls.io/github/micromatch/picomatch\">\n<img src=\"https://img.shields.io/coveralls/github/micromatch/picomatch/master.svg\" alt=\"coverage status\">\n</a>\n<a href=\"https://npmjs.org/package/picomatch\">\n<img src=\"https://img.shields.io/npm/dm/picomatch.svg\" alt=\"downloads\">\n</a>\n</p>\n\n<br>\n<br>\n\n<p align=\"center\">\n<strong>Blazing fast and accurate glob matcher written in JavaScript.</strong></br>\n<em>No dependencies and full support for standard and extended Bash glob features, including braces, extglobs, POSIX brackets, and regular expressions.</em>\n</p>\n\n<br>\n<br>\n\n## Why picomatch?\n\n* **Lightweight** - No dependencies\n* **Minimal** - Tiny API surface. Main export is a function that takes a glob pattern and returns a matcher function.\n* **Fast** - Loads in about 2ms (that's several times faster than a [single frame of a HD movie](http://www.endmemo.com/sconvert/framespersecondframespermillisecond.php) at 60fps)\n* **Performant** - Use the returned matcher function to speed up repeat matching (like when watching files)\n* **Accurate matching** - Using wildcards (`*` and `?`), globstars (`**`) for nested directories, [advanced globbing](#advanced-globbing) with extglobs, braces, and POSIX brackets, and support for escaping special characters with `\\` or quotes.\n* **Well tested** - Thousands of unit tests\n\nSee the [library comparison](#library-comparisons) to other libraries.\n\n<br>\n<br>\n\n## Table of Contents\n\n<details><summary> Click to expand </summary>\n\n- [Install](#install)\n- [Usage](#usage)\n- [API](#api)\n * [picomatch](#picomatch)\n * [.test](#test)\n * [.matchBase](#matchbase)\n * [.isMatch](#ismatch)\n * [.parse](#parse)\n * [.scan](#scan)\n * [.compileRe](#compilere)\n * [.makeRe](#makere)\n * [.toRegex](#toregex)\n- [Options](#options)\n * [Picomatch options](#picomatch-options)\n * [Scan Options](#scan-options)\n * [Options Examples](#options-examples)\n- [Globbing features](#globbing-features)\n * [Basic globbing](#basic-globbing)\n * [Advanced globbing](#advanced-globbing)\n * [Braces](#braces)\n * [Matching special characters as literals](#matching-special-characters-as-literals)\n- [Library Comparisons](#library-comparisons)\n- [Benchmarks](#benchmarks)\n- [Philosophies](#philosophies)\n- [About](#about)\n * [Author](#author)\n * [License](#license)\n\n_(TOC generated by [verb](https://github.com/verbose/verb) using [markdown-toc](https://github.com/jonschlinkert/markdown-toc))_\n\n</details>\n\n<br>\n<br>\n\n## Install\n\nInstall with [npm](https://www.npmjs.com/):\n\n```sh\nnpm install --save picomatch\n```\n\n<br>\n\n## Usage\n\nThe main export is a function that takes a glob pattern and an options object and returns a function for matching strings.\n\n```js\nconst pm = require('picomatch');\nconst isMatch = pm('*.js');\n\nconsole.log(isMatch('abcd')); //=> false\nconsole.log(isMatch('a.js')); //=> true\nconsole.log(isMatch('a.md')); //=> false\nconsole.log(isMatch('a/b.js')); //=> false\n```\n\n<br>\n\n## API\n\n### [picomatch](lib/picomatch.js#L31)\n\nCreates a matcher function from one or more glob patterns. The returned function takes a string to match as its first argument, and returns true if the string is a match. The returned matcher function also takes a boolean as the second argument that, when true, returns an object with additional information.\n\n**Params**\n\n* `globs` **{String|Array}**: One or more glob patterns.\n* `options` **{Object=}**\n* `returns` **{Function=}**: Returns a matcher function.\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\n// picomatch(glob[, options]);\n\nconst isMatch = picomatch('*.!(*a)');\nconsole.log(isMatch('a.a')); //=> false\nconsole.log(isMatch('a.b')); //=> true\n```\n\n**Example without node.js**\n\nFor environments without `node.js`, `picomatch/posix` provides you a dependency-free matcher, without automatic OS detection.\n\n```js\nconst picomatch = require('picomatch/posix');\n// the same API, defaulting to posix paths\nconst isMatch = picomatch('a/*');\nconsole.log(isMatch('a\\\\b')); //=> false\nconsole.log(isMatch('a/b')); //=> true\n\n// you can still configure the matcher function to accept windows paths\nconst isMatch = picomatch('a/*', { options: windows });\nconsole.log(isMatch('a\\\\b')); //=> true\nconsole.log(isMatch('a/b')); //=> true\n```\n\n### [.test](lib/picomatch.js#L116)\n\nTest `input` with the given `regex`. This is used by the main `picomatch()` function to test the input string.\n\n**Params**\n\n* `input` **{String}**: String to test.\n* `regex` **{RegExp}**\n* `returns` **{Object}**: Returns an object with matching info.\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\n// picomatch.test(input, regex[, options]);\n\nconsole.log(picomatch.test('foo/bar', /^(?:([^/]*?)\\/([^/]*?))$/));\n// { isMatch: true, match: [ 'foo/', 'foo', 'bar' ], output: 'foo/bar' }\n```\n\n### [.matchBase](lib/picomatch.js#L160)\n\nMatch the basename of a filepath.\n\n**Params**\n\n* `input` **{String}**: String to test.\n* `glob` **{RegExp|String}**: Glob pattern or regex created by [.makeRe](#makeRe).\n* `returns` **{Boolean}**\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\n// picomatch.matchBase(input, glob[, options]);\nconsole.log(picomatch.matchBase('foo/bar.js', '*.js'); // true\n```\n\n### [.isMatch](lib/picomatch.js#L182)\n\nReturns true if **any** of the given glob `patterns` match the specified `string`.\n\n**Params**\n\n* **{String|Array}**: str The string to test.\n* **{String|Array}**: patterns One or more glob patterns to use for matching.\n* **{Object}**: See available [options](#options).\n* `returns` **{Boolean}**: Returns true if any patterns match `str`\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\n// picomatch.isMatch(string, patterns[, options]);\n\nconsole.log(picomatch.isMatch('a.a', ['b.*', '*.a'])); //=> true\nconsole.log(picomatch.isMatch('a.a', 'b.*')); //=> false\n```\n\n### [.parse](lib/picomatch.js#L198)\n\nParse a glob pattern to create the source string for a regular expression.\n\n**Params**\n\n* `pattern` **{String}**\n* `options` **{Object}**\n* `returns` **{Object}**: Returns an object with useful properties and output to be used as a regex source string.\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\nconst result = picomatch.parse(pattern[, options]);\n```\n\n### [.scan](lib/picomatch.js#L230)\n\nScan a glob pattern to separate the pattern into segments.\n\n**Params**\n\n* `input` **{String}**: Glob pattern to scan.\n* `options` **{Object}**\n* `returns` **{Object}**: Returns an object with\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\n// picomatch.scan(input[, options]);\n\nconst result = picomatch.scan('!./foo/*.js');\nconsole.log(result);\n{ prefix: '!./',\n input: '!./foo/*.js',\n start: 3,\n base: 'foo',\n glob: '*.js',\n isBrace: false,\n isBracket: false,\n isGlob: true,\n isExtglob: false,\n isGlobstar: false,\n negated: true }\n```\n\n### [.compileRe](lib/picomatch.js#L244)\n\nCompile a regular expression from the `state` object returned by the\n[parse()](#parse) method.\n\n**Params**\n\n* `state` **{Object}**\n* `options` **{Object}**\n* `returnOutput` **{Boolean}**: Intended for implementors, this argument allows you to return the raw output from the parser.\n* `returnState` **{Boolean}**: Adds the state to a `state` property on the returned regex. Useful for implementors and debugging.\n* `returns` **{RegExp}**\n\n### [.makeRe](lib/picomatch.js#L285)\n\nCreate a regular expression from a parsed glob pattern.\n\n**Params**\n\n* `state` **{String}**: The object returned from the `.parse` method.\n* `options` **{Object}**\n* `returnOutput` **{Boolean}**: Implementors may use this argument to return the compiled output, instead of a regular expression. This is not exposed on the options to prevent end-users from mutating the result.\n* `returnState` **{Boolean}**: Implementors may use this argument to return the state from the parsed glob with the returned regular expression.\n* `returns` **{RegExp}**: Returns a regex created from the given pattern.\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\nconst state = picomatch.parse('*.js');\n// picomatch.compileRe(state[, options]);\n\nconsole.log(picomatch.compileRe(state));\n//=> /^(?:(?!\\.)(?=.)[^/]*?\\.js)$/\n```\n\n### [.toRegex](lib/picomatch.js#L320)\n\nCreate a regular expression from the given regex source string.\n\n**Params**\n\n* `source` **{String}**: Regular expression source string.\n* `options` **{Object}**\n* `returns` **{RegExp}**\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\n// picomatch.toRegex(source[, options]);\n\nconst { output } = picomatch.parse('*.js');\nconsole.log(picomatch.toRegex(output));\n//=> /^(?:(?!\\.)(?=.)[^/]*?\\.js)$/\n```\n\n<br>\n\n## Options\n\n### Picomatch options\n\nThe following options may be used with the main `picomatch()` function or any of the methods on the picomatch API.\n\n| **Option** | **Type** | **Default value** | **Description** |\n| --- | --- | --- | --- |\n| `basename` | `boolean` | `false` | If set, then patterns without slashes will be matched against the basename of the path if it contains slashes. For example, `a?b` would match the path `/xyz/123/acb`, but not `/xyz/acb/123`. |\n| `bash` | `boolean` | `false` | Follow bash matching rules more strictly - disallows backslashes as escape characters, and treats single stars as globstars (`**`). |\n| `capture` | `boolean` | `undefined` | Return regex matches in supporting methods. |\n| `contains` | `boolean` | `undefined` | Allows glob to match any part of the given string(s). |\n| `cwd` | `string` | `process.cwd()` | Current working directory. Used by `picomatch.split()` |\n| `debug` | `boolean` | `undefined` | Debug regular expressions when an error is thrown. |\n| `dot` | `boolean` | `false` | Enable dotfile matching. By default, dotfiles are ignored unless a `.` is explicitly defined in the pattern, or `options.dot` is true |\n| `expandRange` | `function` | `undefined` | Custom function for expanding ranges in brace patterns, such as `{a..z}`. The function receives the range values as two arguments, and it must return a string to be used in the generated regex. It's recommended that returned strings be wrapped in parentheses. |\n| `failglob` | `boolean` | `false` | Throws an error if no matches are found. Based on the bash option of the same name. |\n| `fastpaths` | `boolean` | `true` | To speed up processing, full parsing is skipped for a handful common glob patterns. Disable this behavior by setting this option to `false`. |\n| `flags` | `string` | `undefined` | Regex flags to use in the generated regex. If defined, the `nocase` option will be overridden. |\n| [format](#optionsformat) | `function` | `undefined` | Custom function for formatting the returned string. This is useful for removing leading slashes, converting Windows paths to Posix paths, etc. |\n| `ignore` | `array\\|string` | `undefined` | One or more glob patterns for excluding strings that should not be matched from the result. |\n| `keepQuotes` | `boolean` | `false` | Retain quotes in the generated regex, since quotes may also be used as an alternative to backslashes. |\n| `literalBrackets` | `boolean` | `undefined` | When `true`, brackets in the glob pattern will be escaped so that only literal brackets will be matched. |\n| `matchBase` | `boolean` | `false` | Alias for `basename` |\n| `maxLength` | `number` | `65536` | Limit the max length of the input string. An error is thrown if the input string is longer than this value. |\n| `nobrace` | `boolean` | `false` | Disable brace matching, so that `{a,b}` and `{1..3}` would be treated as literal characters. |\n| `nobracket` | `boolean` | `undefined` | Disable matching with regex brackets. |\n| `nocase` | `boolean` | `false` | Make matching case-insensitive. Equivalent to the regex `i` flag. Note that this option is overridden by the `flags` option. |\n| `nodupes` | `boolean` | `true` | Deprecated, use `nounique` instead. This option will be removed in a future major release. By default duplicates are removed. Disable uniquification by setting this option to false. |\n| `noext` | `boolean` | `false` | Alias for `noextglob` |\n| `noextglob` | `boolean` | `false` | Disable support for matching with extglobs (like `+(a\\|b)`) |\n| `noglobstar` | `boolean` | `false` | Disable support for matching nested directories with globstars (`**`) |\n| `nonegate` | `boolean` | `false` | Disable support for negating with leading `!` |\n| `noquantifiers` | `boolean` | `false` | Disable support for regex quantifiers (like `a{1,2}`) and treat them as brace patterns to be expanded. |\n| [onIgnore](#optionsonIgnore) | `function` | `undefined` | Function to be called on ignored items. |\n| [onMatch](#optionsonMatch) | `function` | `undefined` | Function to be called on matched items. |\n| [onResult](#optionsonResult) | `function` | `undefined` | Function to be called on all items, regardless of whether or not they are matched or ignored. |\n| `posix` | `boolean` | `false` | Support POSIX character classes (\"posix brackets\"). |\n| `posixSlashes` | `boolean` | `undefined` | Convert all slashes in file paths to forward slashes. This does not convert slashes in the glob pattern itself |\n| `prepend` | `boolean` | `undefined` | String to prepend to the generated regex used for matching. |\n| `regex` | `boolean` | `false` | Use regular expression rules for `+` (instead of matching literal `+`), and for stars that follow closing parentheses or brackets (as in `)*` and `]*`). |\n| `strictBrackets` | `boolean` | `undefined` | Throw an error if brackets, braces, or parens are imbalanced. |\n| `strictSlashes` | `boolean` | `undefined` | When true, picomatch won't match trailing slashes with single stars. |\n| `unescape` | `boolean` | `undefined` | Remove backslashes preceding escaped characters in the glob pattern. By default, backslashes are retained. |\n| `unixify` | `boolean` | `undefined` | Alias for `posixSlashes`, for backwards compatibility. |\n| `windows` | `boolean` | `false` | Also accept backslashes as the path separator. |\n\n### Scan Options\n\nIn addition to the main [picomatch options](#picomatch-options), the following options may also be used with the [.scan](#scan) method.\n\n| **Option** | **Type** | **Default value** | **Description** |\n| --- | --- | --- | --- |\n| `tokens` | `boolean` | `false` | When `true`, the returned object will include an array of tokens (objects), representing each path \"segment\" in the scanned glob pattern |\n| `parts` | `boolean` | `false` | When `true`, the returned object will include an array of strings representing each path \"segment\" in the scanned glob pattern. This is automatically enabled when `options.tokens` is true |\n\n**Example**\n\n```js\nconst picomatch = require('picomatch');\nconst result = picomatch.scan('!./foo/*.js', { tokens: true });\nconsole.log(result);\n// {\n// prefix: '!./',\n// input: '!./foo/*.js',\n// start: 3,\n// base: 'foo',\n// glob: '*.js',\n// isBrace: false,\n// isBracket: false,\n// isGlob: true,\n// isExtglob: false,\n// isGlobstar: false,\n// negated: true,\n// maxDepth: 2,\n// tokens: [\n// { value: '!./', depth: 0, isGlob: false, negated: true, isPrefix: true },\n// { value: 'foo', depth: 1, isGlob: false },\n// { value: '*.js', depth: 1, isGlob: true }\n// ],\n// slashes: [ 2, 6 ],\n// parts: [ 'foo', '*.js' ]\n// }\n```\n\n<br>\n\n### Options Examples\n\n#### options.expandRange\n\n**Type**: `function`\n\n**Default**: `undefined`\n\nCustom function for expanding ranges in brace patterns. The [fill-range](https://github.com/jonschlinkert/fill-range) library is ideal for this purpose, or you can use custom code to do whatever you need.\n\n**Example**\n\nThe following example shows how to create a glob that matches a folder\n\n```js\nconst fill = require('fill-range');\nconst regex = pm.makeRe('foo/{01..25}/bar', {\n expandRange(a, b) {\n return `(${fill(a, b, { toRegex: true })})`;\n }\n});\n\nconsole.log(regex);\n//=> /^(?:foo\\/((?:0[1-9]|1[0-9]|2[0-5]))\\/bar)$/\n\nconsole.log(regex.test('foo/00/bar')) // false\nconsole.log(regex.test('foo/01/bar')) // true\nconsole.log(regex.test('foo/10/bar')) // true\nconsole.log(regex.test('foo/22/bar')) // true\nconsole.log(regex.test('foo/25/bar')) // true\nconsole.log(regex.test('foo/26/bar')) // false\n```\n\n#### options.format\n\n**Type**: `function`\n\n**Default**: `undefined`\n\nCustom function for formatting strings before they're matched.\n\n**Example**\n\n```js\n// strip leading './' from strings\nconst format = str => str.replace(/^\\.\\//, '');\nconst isMatch = picomatch('foo/*.js', { format });\nconsole.log(isMatch('./foo/bar.js')); //=> true\n```\n\n#### options.onMatch\n\n```js\nconst onMatch = ({ glob, regex, input, output }) => {\n console.log({ glob, regex, input, output });\n};\n\nconst isMatch = picomatch('*', { onMatch });\nisMatch('foo');\nisMatch('bar');\nisMatch('baz');\n```\n\n#### options.onIgnore\n\n```js\nconst onIgnore = ({ glob, regex, input, output }) => {\n console.log({ glob, regex, input, output });\n};\n\nconst isMatch = picomatch('*', { onIgnore, ignore: 'f*' });\nisMatch('foo');\nisMatch('bar');\nisMatch('baz');\n```\n\n#### options.onResult\n\n```js\nconst onResult = ({ glob, regex, input, output }) => {\n console.log({ glob, regex, input, output });\n};\n\nconst isMatch = picomatch('*', { onResult, ignore: 'f*' });\nisMatch('foo');\nisMatch('bar');\nisMatch('baz');\n```\n\n<br>\n<br>\n\n## Globbing features\n\n* [Basic globbing](#basic-globbing) (Wildcard matching)\n* [Advanced globbing](#advanced-globbing) (extglobs, posix brackets, brace matching)\n\n### Basic globbing\n\n| **Character** | **Description** |\n| --- | --- |\n| `*` | Matches any character zero or more times, excluding path separators. Does _not match_ path separators or hidden files or directories (\"dotfiles\"), unless explicitly enabled by setting the `dot` option to `true`. |\n| `**` | Matches any character zero or more times, including path separators. Note that `**` will only match path separators (`/`, and `\\\\` with the `windows` option) when they are the only characters in a path segment. Thus, `foo**/bar` is equivalent to `foo*/bar`, and `foo/a**b/bar` is equivalent to `foo/a*b/bar`, and _more than two_ consecutive stars in a glob path segment are regarded as _a single star_. Thus, `foo/***/bar` is equivalent to `foo/*/bar`. |\n| `?` | Matches any character excluding path separators one time. Does _not match_ path separators or leading dots. |\n| `[abc]` | Matches any characters inside the brackets. For example, `[abc]` would match the characters `a`, `b` or `c`, and nothing else. |\n\n#### Matching behavior vs. Bash\n\nPicomatch's matching features and expected results in unit tests are based on Bash's unit tests and the Bash 4.3 specification, with the following exceptions:\n\n* Bash will match `foo/bar/baz` with `*`. Picomatch only matches nested directories with `**`.\n* Bash greedily matches with negated extglobs. For example, Bash 4.3 says that `!(foo)*` should match `foo` and `foobar`, since the trailing `*` bracktracks to match the preceding pattern. This is very memory-inefficient, and IMHO, also incorrect. Picomatch would return `false` for both `foo` and `foobar`.\n\n<br>\n\n### Advanced globbing\n\n* [extglobs](#extglobs)\n* [POSIX brackets](#posix-brackets)\n* [Braces](#brace-expansion)\n\n#### Extglobs\n\n| **Pattern** | **Description** |\n| --- | --- |\n| `@(pattern)` | Match _only one_ consecutive occurrence of `pattern` |\n| `*(pattern)` | Match _zero or more_ consecutive occurrences of `pattern` |\n| `+(pattern)` | Match _one or more_ consecutive occurrences of `pattern` |\n| `?(pattern)` | Match _zero or **one**_ consecutive occurrences of `pattern` |\n| `!(pattern)` | Match _anything but_ `pattern` |\n\n**Examples**\n\n```js\nconst pm = require('picomatch');\n\n// *(pattern) matches ZERO or more of \"pattern\"\nconsole.log(pm.isMatch('a', 'a*(z)')); // true\nconsole.log(pm.isMatch('az', 'a*(z)')); // true\nconsole.log(pm.isMatch('azzz', 'a*(z)')); // true\n\n// +(pattern) matches ONE or more of \"pattern\"\nconsole.log(pm.isMatch('a', 'a+(z)')); // false\nconsole.log(pm.isMatch('az', 'a+(z)')); // true\nconsole.log(pm.isMatch('azzz', 'a+(z)')); // true\n\n// supports multiple extglobs\nconsole.log(pm.isMatch('foo.bar', '!(foo).!(bar)')); // false\n\n// supports nested extglobs\nconsole.log(pm.isMatch('foo.bar', '!(!(foo)).!(!(bar))')); // true\n```\n\n#### POSIX brackets\n\nPOSIX classes are disabled by default. Enable this feature by setting the `posix` option to true.\n\n**Enable POSIX bracket support**\n\n```js\nconsole.log(pm.makeRe('[[:word:]]+', { posix: true }));\n//=> /^(?:(?=.)[A-Za-z0-9_]+\\/?)$/\n```\n\n**Supported POSIX classes**\n\nThe following named POSIX bracket expressions are supported:\n\n* `[:alnum:]` - Alphanumeric characters, equ `[a-zA-Z0-9]`\n* `[:alpha:]` - Alphabetical characters, equivalent to `[a-zA-Z]`.\n* `[:ascii:]` - ASCII characters, equivalent to `[\\\\x00-\\\\x7F]`.\n* `[:blank:]` - Space and tab characters, equivalent to `[ \\\\t]`.\n* `[:cntrl:]` - Control characters, equivalent to `[\\\\x00-\\\\x1F\\\\x7F]`.\n* `[:digit:]` - Numerical digits, equivalent to `[0-9]`.\n* `[:graph:]` - Graph characters, equivalent to `[\\\\x21-\\\\x7E]`.\n* `[:lower:]` - Lowercase letters, equivalent to `[a-z]`.\n* `[:print:]` - Print characters, equivalent to `[\\\\x20-\\\\x7E ]`.\n* `[:punct:]` - Punctuation and symbols, equivalent to `[\\\\-!\"#$%&\\'()\\\\*+,./:;<=>?@[\\\\]^_`{|}~]`.\n* `[:space:]` - Extended space characters, equivalent to `[ \\\\t\\\\r\\\\n\\\\v\\\\f]`.\n* `[:upper:]` - Uppercase letters, equivalent to `[A-Z]`.\n* `[:word:]` - Word characters (letters, numbers and underscores), equivalent to `[A-Za-z0-9_]`.\n* `[:xdigit:]` - Hexadecimal digits, equivalent to `[A-Fa-f0-9]`.\n\nSee the [Bash Reference Manual](https://www.gnu.org/software/bash/manual/html_node/Pattern-Matching.html) for more information.\n\n### Braces\n\nPicomatch does not do brace expansion. For [brace expansion](https://www.gnu.org/software/bash/manual/html_node/Brace-Expansion.html) and advanced matching with braces, use [micromatch](https://github.com/micromatch/micromatch) instead. Picomatch has very basic support for braces.\n\n### Matching special characters as literals\n\nIf you wish to match the following special characters in a filepath, and you want to use these characters in your glob pattern, they must be escaped with backslashes or quotes:\n\n**Special Characters**\n\nSome characters that are used for matching in regular expressions are also regarded as valid file path characters on some platforms.\n\nTo match any of the following characters as literals: `$^*+?()[]\n\nExamples:\n\n```js\nconsole.log(pm.makeRe('foo/bar \\\\(1\\\\)'));\nconsole.log(pm.makeRe('foo/bar \\\\(1\\\\)'));\n```\n\n<br>\n<br>\n\n## Library Comparisons\n\nThe following table shows which features are supported by [minimatch](https://github.com/isaacs/minimatch), [micromatch](https://github.com/micromatch/micromatch), [picomatch](https://github.com/micromatch/picomatch), [nanomatch](https://github.com/micromatch/nanomatch), [extglob](https://github.com/micromatch/extglob), [braces](https://github.com/micromatch/braces), and [expand-brackets](https://github.com/micromatch/expand-brackets).\n\n| **Feature** | `minimatch` | `micromatch` | `picomatch` | `nanomatch` | `extglob` | `braces` | `expand-brackets` |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| Wildcard matching (`*?+`) | ✔ | ✔ | ✔ | ✔ | - | - | - |\n| Advancing globbing | ✔ | ✔ | ✔ | - | - | - | - |\n| Brace _matching_ | ✔ | ✔ | ✔ | - | - | ✔ | - |\n| Brace _expansion_ | ✔ | ✔ | - | - | - | ✔ | - |\n| Extglobs | partial | ✔ | ✔ | - | ✔ | - | - |\n| Posix brackets | - | ✔ | ✔ | - | - | - | ✔ |\n| Regular expression syntax | - | ✔ | ✔ | ✔ | ✔ | - | ✔ |\n| File system operations | - | - | - | - | - | - | - |\n\n<br>\n<br>\n\n## Benchmarks\n\nPerformance comparison of picomatch and minimatch.\n\n_(Pay special attention to the last three benchmarks. Minimatch freezes on long ranges.)_\n\n```\n# .makeRe star (*)\n picomatch x 4,449,159 ops/sec ±0.24% (97 runs sampled)\n minimatch x 632,772 ops/sec ±0.14% (98 runs sampled)\n\n# .makeRe star; dot=true (*)\n picomatch x 3,500,079 ops/sec ±0.26% (99 runs sampled)\n minimatch x 564,916 ops/sec ±0.23% (96 runs sampled)\n\n# .makeRe globstar (**)\n picomatch x 3,261,000 ops/sec ±0.27% (98 runs sampled)\n minimatch x 1,664,766 ops/sec ±0.20% (100 runs sampled)\n\n# .makeRe globstars (**/**/**)\n picomatch x 3,284,469 ops/sec ±0.18% (97 runs sampled)\n minimatch x 1,435,880 ops/sec ±0.34% (95 runs sampled)\n\n# .makeRe with leading star (*.txt)\n picomatch x 3,100,197 ops/sec ±0.35% (99 runs sampled)\n minimatch x 428,347 ops/sec ±0.42% (94 runs sampled)\n\n# .makeRe - basic braces ({a,b,c}*.txt)\n picomatch x 443,578 ops/sec ±1.33% (89 runs sampled)\n minimatch x 107,143 ops/sec ±0.35% (94 runs sampled)\n\n# .makeRe - short ranges ({a..z}*.txt)\n picomatch x 415,484 ops/sec ±0.76% (96 runs sampled)\n minimatch x 14,299 ops/sec ±0.26% (96 runs sampled)\n\n# .makeRe - medium ranges ({1..100000}*.txt)\n picomatch x 395,020 ops/sec ±0.87% (89 runs sampled)\n minimatch x 2 ops/sec ±4.59% (10 runs sampled)\n\n# .makeRe - long ranges ({1..10000000}*.txt)\n picomatch x 400,036 ops/sec ±0.83% (90 runs sampled)\n minimatch (FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory)\n```\n\n<br>\n<br>\n\n## Philosophies\n\nThe goal of this library is to be blazing fast, without compromising on accuracy.\n\n**Accuracy**\n\nThe number one of goal of this library is accuracy. However, it's not unusual for different glob implementations to have different rules for matching behavior, even with simple wildcard matching. It gets increasingly more complicated when combinations of different features are combined, like when extglobs are combined with globstars, braces, slashes, and so on: `!(**/{a,b,*/c})`.\n\nThus, given that there is no canonical glob specification to use as a single source of truth when differences of opinion arise regarding behavior, sometimes we have to implement our best judgement and rely on feedback from users to make improvements.\n\n**Performance**\n\nAlthough this library performs well in benchmarks, and in most cases it's faster than other popular libraries we benchmarked against, we will always choose accuracy over performance. It's not helpful to anyone if our library is faster at returning the wrong answer.\n\n<br>\n<br>\n\n## About\n\n<details>\n<summary><strong>Contributing</strong></summary>\n\nPull requests and stars are always welcome. For bugs and feature requests, [please create an issue](../../issues/new).\n\nPlease read the [contributing guide](.github/contributing.md) for advice on opening issues, pull requests, and coding standards.\n\n</details>\n\n<details>\n<summary><strong>Running Tests</strong></summary>\n\nRunning and reviewing unit tests is a great way to get familiarized with a library and its API. You can install dependencies and run tests with the following command:\n\n```sh\nnpm install && npm test\n```\n\n</details>\n\n<details>\n<summary><strong>Building docs</strong></summary>\n\n_(This project's readme.md is generated by [verb](https://github.com/verbose/verb-generate-readme), please don't edit the readme directly. Any changes to the readme must be made in the [.verb.md](.verb.md) readme template.)_\n\nTo generate the readme, run the following command:\n\n```sh\nnpm install -g verbose/verb#dev verb-generate-readme && verb\n```\n\n</details>\n\n### Author\n\n**Jon Schlinkert**\n\n* [GitHub Profile](https://github.com/jonschlinkert)\n* [Twitter Profile](https://twitter.com/jonschlinkert)\n* [LinkedIn Profile](https://linkedin.com/in/jonschlinkert)\n\n### License\n\nCopyright © 2017-present, [Jon Schlinkert](https://github.com/jonschlinkert).\nReleased under the [MIT License](LICENSE).\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/picomatch/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/pkce-challenge/README.md ---\n# pkce-challenge\n\nGenerate or verify a Proof Key for Code Exchange (PKCE) challenge pair.\n\nRead more about [PKCE](https://www.oauth.com/oauth2-servers/pkce/authorization-request/).\n\n## Installation\n\n```bash\nnpm install pkce-challenge\n```\n\n## Usage\n\nDefault length for the verifier is 43\n\n```js\nimport pkceChallenge from \"pkce-challenge\";\n\nawait pkceChallenge();\n```\n\ngives something like:\n\n```js\n{\n code_verifier: 'u1ta-MQ0e7TcpHjgz33M2DcBnOQu~aMGxuiZt0QMD1C',\n code_challenge: 'CUZX5qE8Wvye6kS_SasIsa8MMxacJftmWdsIA_iKp3I'\n}\n```\n\n### Specify a verifier length\n\n```js\nconst challenge = await pkceChallenge(128);\n\nchallenge.code_verifier.length === 128; // true\n```\n\n### Challenge verification\n\n```js\nimport { verifyChallenge } from \"pkce-challenge\";\n\n(await verifyChallenge(challenge.code_verifier, challenge.code_challenge)) ===\n true; // true\n```\n\n### Challenge generation from existing code verifier\n\n```js\nimport { generateChallenge } from \"pkce-challenge\";\n\n(await generateChallenge(challenge.code_verifier)) === challenge.code_challenge; // true\n```\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/pkce-challenge/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/postcss/README.md ---\n# PostCSS\n\n<img align=\"right\" width=\"95\" height=\"95\"\n alt=\"Philosophers stone, logo of PostCSS\"\n src=\"https://postcss.org/logo.svg\">\n\nPostCSS is a tool for transforming styles with JS plugins.\nThese plugins can lint your CSS, support variables and mixins,\ntranspile future CSS syntax, inline images, and more.\n\nPostCSS is used by industry leaders including Wikipedia, Twitter, Alibaba,\nand JetBrains. The [Autoprefixer] and [Stylelint] PostCSS plugins are some of the most popular CSS tools.\n\n---\n\n<img src=\"https://cdn.evilmartians.com/badges/logo-no-label.svg\" alt=\"\" width=\"22\" height=\"16\" />  Built by\n <b><a href=\"https://evilmartians.com/devtools?utm_source=postcss&utm_campaign=devtools-button&utm_medium=github\">Evil Martians</a></b>, go-to agency for <b>developer tools</b>.\n\n---\n\n[Abstract Syntax Tree]: https://en.wikipedia.org/wiki/Abstract_syntax_tree\n[Evil Martians]: https://evilmartians.com/?utm_source=postcss\n[Autoprefixer]: https://github.com/postcss/autoprefixer\n[Stylelint]: https://stylelint.io/\n[plugins]: https://github.com/postcss/postcss#plugins\n\n\n## Docs\nRead full docs **[here](https://postcss.org/)**.\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/postcss/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/proxy-addr/README.md ---\n# proxy-addr\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][ci-image]][ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nDetermine address of proxied request\n\n## Install\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install proxy-addr\n```\n\n## API\n\n```js\nvar proxyaddr = require('proxy-addr')\n```\n\n### proxyaddr(req, trust)\n\nReturn the address of the request, using the given `trust` parameter.\n\nThe `trust` argument is a function that returns `true` if you trust\nthe address, `false` if you don't. The closest untrusted address is\nreturned.\n\n```js\nproxyaddr(req, function (addr) { return addr === '127.0.0.1' })\nproxyaddr(req, function (addr, i) { return i < 1 })\n```\n\nThe `trust` arugment may also be a single IP address string or an\narray of trusted addresses, as plain IP addresses, CIDR-formatted\nstrings, or IP/netmask strings.\n\n```js\nproxyaddr(req, '127.0.0.1')\nproxyaddr(req, ['127.0.0.0/8', '10.0.0.0/8'])\nproxyaddr(req, ['127.0.0.0/255.0.0.0', '192.168.0.0/255.255.0.0'])\n```\n\nThis module also supports IPv6. Your IPv6 addresses will be normalized\nautomatically (i.e. `fe80::00ed:1` equals `fe80:0:0:0:0:0:ed:1`).\n\n```js\nproxyaddr(req, '::1')\nproxyaddr(req, ['::1/128', 'fe80::/10'])\n```\n\nThis module will automatically work with IPv4-mapped IPv6 addresses\nas well to support node.js in IPv6-only mode. This means that you do\nnot have to specify both `::ffff:a00:1` and `10.0.0.1`.\n\nAs a convenience, this module also takes certain pre-defined names\nin addition to IP addresses, which expand into IP addresses:\n\n```js\nproxyaddr(req, 'loopback')\nproxyaddr(req, ['loopback', 'fc00:ac:1ab5:fff::1/64'])\n```\n\n * `loopback`: IPv4 and IPv6 loopback addresses (like `::1` and\n `127.0.0.1`).\n * `linklocal`: IPv4 and IPv6 link-local addresses (like\n `fe80::1:1:1:1` and `169.254.0.1`).\n * `uniquelocal`: IPv4 private addresses and IPv6 unique-local\n addresses (like `fc00:ac:1ab5:fff::1` and `192.168.0.1`).\n\nWhen `trust` is specified as a function, it will be called for each\naddress to determine if it is a trusted address. The function is\ngiven two arguments: `addr` and `i`, where `addr` is a string of\nthe address to check and `i` is a number that represents the distance\nfrom the socket address.\n\n### proxyaddr.all(req, [trust])\n\nReturn all the addresses of the request, optionally stopping at the\nfirst untrusted. This array is ordered from closest to furthest\n(i.e. `arr[0] === req.connection.remoteAddress`).\n\n```js\nproxyaddr.all(req)\n```\n\nThe optional `trust` argument takes the same arguments as `trust`\ndoes in `proxyaddr(req, trust)`.\n\n```js\nproxyaddr.all(req, 'loopback')\n```\n\n### proxyaddr.compile(val)\n\nCompiles argument `val` into a `trust` function. This function takes\nthe same arguments as `trust` does in `proxyaddr(req, trust)` and\nreturns a function suitable for `proxyaddr(req, trust)`.\n\n```js\nvar trust = proxyaddr.compile('loopback')\nvar addr = proxyaddr(req, trust)\n```\n\nThis function is meant to be optimized for use against every request.\nIt is recommend to compile a trust function up-front for the trusted\nconfiguration and pass that to `proxyaddr(req, trust)` for each request.\n\n## Testing\n\n```sh\n$ npm test\n```\n\n## Benchmarks\n\n```sh\n$ npm run-script bench\n```\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://badgen.net/github/checks/jshttp/proxy-addr/master?label=ci\n[ci-url]: https://github.com/jshttp/proxy-addr/actions?query=workflow%3Aci\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/proxy-addr/master\n[coveralls-url]: https://coveralls.io/r/jshttp/proxy-addr?branch=master\n[node-image]: https://badgen.net/npm/node/proxy-addr\n[node-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/proxy-addr\n[npm-url]: https://npmjs.org/package/proxy-addr\n[npm-version-image]: https://badgen.net/npm/v/proxy-addr\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/proxy-addr/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/qs/README.md ---\n<p align=\"center\">\n <img alt=\"qs\" src=\"./logos/banner_default.png\" width=\"800\" />\n</p>\n\n# qs <sup>[![Version Badge][npm-version-svg]][package-url]</sup>\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/9058/badge)](https://bestpractices.coreinfrastructure.org/projects/9058)\n\n[![npm badge][npm-badge-png]][package-url]\n\nA querystring parsing and stringifying library with some added security.\n\nLead Maintainer: [Jordan Harband](https://github.com/ljharb)\n\nThe **qs** module was originally created and maintained by [TJ Holowaychuk](https://github.com/visionmedia/node-querystring).\n\n## Usage\n\n```javascript\nvar qs = require('qs');\nvar assert = require('assert');\n\nvar obj = qs.parse('a=c');\nassert.deepEqual(obj, { a: 'c' });\n\nvar str = qs.stringify(obj);\nassert.equal(str, 'a=c');\n```\n\n### Parsing Objects\n\n[](#preventEval)\n```javascript\nqs.parse(string, [options]);\n```\n\n**qs** allows you to create nested objects within your query strings, by surrounding the name of sub-keys with square brackets `[]`.\nFor example, the string `'foo[bar]=baz'` converts to:\n\n```javascript\nassert.deepEqual(qs.parse('foo[bar]=baz'), {\n foo: {\n bar: 'baz'\n }\n});\n```\n\nWhen using the `plainObjects` option the parsed value is returned as a null object, created via `{ __proto__: null }` and as such you should be aware that prototype methods will not exist on it and a user may set those names to whatever value they like:\n\n```javascript\nvar nullObject = qs.parse('a[hasOwnProperty]=b', { plainObjects: true });\nassert.deepEqual(nullObject, { a: { hasOwnProperty: 'b' } });\n```\n\nBy default parameters that would overwrite properties on the object prototype are ignored, if you wish to keep the data from those fields either use `plainObjects` as mentioned above, or set `allowPrototypes` to `true` which will allow user input to overwrite those properties.\n*WARNING* It is generally a bad idea to enable this option as it can cause problems when attempting to use the properties that have been overwritten.\nAlways be careful with this option.\n\n```javascript\nvar protoObject = qs.parse('a[hasOwnProperty]=b', { allowPrototypes: true });\nassert.deepEqual(protoObject, { a: { hasOwnProperty: 'b' } });\n```\n\nURI encoded strings work too:\n\n```javascript\nassert.deepEqual(qs.parse('a%5Bb%5D=c'), {\n a: { b: 'c' }\n});\n```\n\nYou can also nest your objects, like `'foo[bar][baz]=foobarbaz'`:\n\n```javascript\nassert.deepEqual(qs.parse('foo[bar][baz]=foobarbaz'), {\n foo: {\n bar: {\n baz: 'foobarbaz'\n }\n }\n});\n```\n\nBy default, when nesting objects **qs** will only parse up to 5 children deep.\nThis means if you attempt to parse a string like `'a[b][c][d][e][f][g][h][i]=j'` your resulting object will be:\n\n```javascript\nvar expected = {\n a: {\n b: {\n c: {\n d: {\n e: {\n f: {\n '[g][h][i]': 'j'\n }\n }\n }\n }\n }\n }\n};\nvar string = 'a[b][c][d][e][f][g][h][i]=j';\nassert.deepEqual(qs.parse(string), expected);\n```\n\nThis depth can be overridden by passing a `depth` option to `qs.parse(string, [options])`:\n\n```javascript\nvar deep = qs.parse('a[b][c][d][e][f][g][h][i]=j', { depth: 1 });\nassert.deepEqual(deep, { a: { b: { '[c][d][e][f][g][h][i]': 'j' } } });\n```\n\nYou can configure **qs** to throw an error when parsing nested input beyond this depth using the `strictDepth` option (defaulted to false):\n\n```javascript\ntry {\n qs.parse('a[b][c][d][e][f][g][h][i]=j', { depth: 1, strictDepth: true });\n} catch (err) {\n assert(err instanceof RangeError);\n assert.strictEqual(err.message, 'Input depth exceeded depth option of 1 and strictDepth is true');\n}\n```\n\nThe depth limit helps mitigate abuse when **qs** is used to parse user input, and it is recommended to keep it a reasonably small number. The strictDepth option adds a layer of protection by throwing an error when the limit is exceeded, allowing you to catch and handle such cases.\n\nFor similar reasons, by default **qs** will only parse up to 1000 parameters. This can be overridden by passing a `parameterLimit` option:\n\n```javascript\nvar limited = qs.parse('a=b&c=d', { parameterLimit: 1 });\nassert.deepEqual(limited, { a: 'b' });\n```\n\nIf you want an error to be thrown whenever the a limit is exceeded (eg, `parameterLimit`, `arrayLimit`), set the `throwOnLimitExceeded` option to `true`. This option will generate a descriptive error if the query string exceeds a configured limit.\n```javascript\ntry {\n qs.parse('a=1&b=2&c=3&d=4', { parameterLimit: 3, throwOnLimitExceeded: true });\n} catch (err) {\n assert(err instanceof Error);\n assert.strictEqual(err.message, 'Parameter limit exceeded. Only 3 parameters allowed.');\n}\n```\n\nWhen `throwOnLimitExceeded` is set to `false` (default), **qs** will parse up to the specified `parameterLimit` and ignore the rest without throwing an error.\n\nTo bypass the leading question mark, use `ignoreQueryPrefix`:\n\n```javascript\nvar prefixed = qs.parse('?a=b&c=d', { ignoreQueryPrefix: true });\nassert.deepEqual(prefixed, { a: 'b', c: 'd' });\n```\n\nAn optional delimiter can also be passed:\n\n```javascript\nvar delimited = qs.parse('a=b;c=d', { delimiter: ';' });\nassert.deepEqual(delimited, { a: 'b', c: 'd' });\n```\n\nDelimiters can be a regular expression too:\n\n```javascript\nvar regexed = qs.parse('a=b;c=d,e=f', { delimiter: /[;,]/ });\nassert.deepEqual(regexed, { a: 'b', c: 'd', e: 'f' });\n```\n\nOption `allowDots` can be used to enable dot notation:\n\n```javascript\nvar withDots = qs.parse('a.b=c', { allowDots: true });\nassert.deepEqual(withDots, { a: { b: 'c' } });\n```\n\nOption `decodeDotInKeys` can be used to decode dots in keys\nNote: it implies `allowDots`, so `parse` will error if you set `decodeDotInKeys` to `true`, and `allowDots` to `false`.\n\n```javascript\nvar withDots = qs.parse('name%252Eobj.first=John&name%252Eobj.last=Doe', { decodeDotInKeys: true });\nassert.deepEqual(withDots, { 'name.obj': { first: 'John', last: 'Doe' }});\n```\n\nOption `allowEmptyArrays` can be used to allowing empty array values in object\n```javascript\nvar withEmptyArrays = qs.parse('foo[]&bar=baz', { allowEmptyArrays: true });\nassert.deepEqual(withEmptyArrays, { foo: [], bar: 'baz' });\n```\n\nOption `duplicates` can be used to change the behavior when duplicate keys are encountered\n```javascript\nassert.deepEqual(qs.parse('foo=bar&foo=baz'), { foo: ['bar', 'baz'] });\nassert.deepEqual(qs.parse('foo=bar&foo=baz', { duplicates: 'combine' }), { foo: ['bar', 'baz'] });\nassert.deepEqual(qs.parse('foo=bar&foo=baz', { duplicates: 'first' }), { foo: 'bar' });\nassert.deepEqual(qs.parse('foo=bar&foo=baz', { duplicates: 'last' }), { foo: 'baz' });\n```\n\nIf you have to deal with legacy browsers or services, there's also support for decoding percent-encoded octets as iso-8859-1:\n\n```javascript\nvar oldCharset = qs.parse('a=%A7', { charset: 'iso-8859-1' });\nassert.deepEqual(oldCharset, { a: '§' });\n```\n\nSome services add an initial `utf8=✓` value to forms so that old Internet Explorer versions are more likely to submit the form as utf-8.\nAdditionally, the server can check the value against wrong encodings of the checkmark character and detect that a query string or `application/x-www-form-urlencoded` body was *not* sent as utf-8, eg. if the form had an `accept-charset` parameter or the containing page had a different character set.\n\n**qs** supports this mechanism via the `charsetSentinel` option.\nIf specified, the `utf8` parameter will be omitted from the returned object.\nIt will be used to switch to `iso-8859-1`/`utf-8` mode depending on how the checkmark is encoded.\n\n**Important**: When you specify both the `charset` option and the `charsetSentinel` option, the `charset` will be overridden when the request contains a `utf8` parameter from which the actual charset can be deduced.\nIn that sense the `charset` will behave as the default charset rather than the authoritative charset.\n\n```javascript\nvar detectedAsUtf8 = qs.parse('utf8=%E2%9C%93&a=%C3%B8', {\n charset: 'iso-8859-1',\n charsetSentinel: true\n});\nassert.deepEqual(detectedAsUtf8, { a: 'ø' });\n\n// Browsers encode the checkmark as &#10003; when submitting as iso-8859-1:\nvar detectedAsIso8859_1 = qs.parse('utf8=%26%2310003%3B&a=%F8', {\n charset: 'utf-8',\n charsetSentinel: true\n});\nassert.deepEqual(detectedAsIso8859_1, { a: 'ø' });\n```\n\nIf you want to decode the `&#...;` syntax to the actual character, you can specify the `interpretNumericEntities` option as well:\n\n```javascript\nvar detectedAsIso8859_1 = qs.parse('a=%26%239786%3B', {\n charset: 'iso-8859-1',\n interpretNumericEntities: true\n});\nassert.deepEqual(detectedAsIso8859_1, { a: '☺' });\n```\n\nIt also works when the charset has been detected in `charsetSentinel` mode.\n\n### Parsing Arrays\n\n**qs** can also parse arrays using a similar `[]` notation:\n\n```javascript\nvar withArray = qs.parse('a[]=b&a[]=c');\nassert.deepEqual(withArray, { a: ['b', 'c'] });\n```\n\nYou may specify an index as well:\n\n```javascript\nvar withIndexes = qs.parse('a[1]=c&a[0]=b');\nassert.deepEqual(withIndexes, { a: ['b', 'c'] });\n```\n\nNote that the only difference between an index in an array and a key in an object is that the value between the brackets must be a number to create an array.\nWhen creating arrays with specific indices, **qs** will compact a sparse array to only the existing values preserving their order:\n\n```javascript\nvar noSparse = qs.parse('a[1]=b&a[15]=c');\nassert.deepEqual(noSparse, { a: ['b', 'c'] });\n```\n\nYou may also use `allowSparse` option to parse sparse arrays:\n\n```javascript\nvar sparseArray = qs.parse('a[1]=2&a[3]=5', { allowSparse: true });\nassert.deepEqual(sparseArray, { a: [, '2', , '5'] });\n```\n\nNote that an empty string is also a value, and will be preserved:\n\n```javascript\nvar withEmptyString = qs.parse('a[]=&a[]=b');\nassert.deepEqual(withEmptyString, { a: ['', 'b'] });\n\nvar withIndexedEmptyString = qs.parse('a[0]=b&a[1]=&a[2]=c');\nassert.deepEqual(withIndexedEmptyString, { a: ['b', '', 'c'] });\n```\n\n**qs** will also limit specifying indices in an array to a maximum index of `20`.\nAny array members with an index of greater than `20` will instead be converted to an object with the index as the key.\nThis is needed to handle cases when someone sent, for example, `a[999999999]` and it will take significant time to iterate over this huge array.\n\n```javascript\nvar withMaxIndex = qs.parse('a[100]=b');\nassert.deepEqual(withMaxIndex, { a: { '100': 'b' } });\n```\n\nThis limit can be overridden by passing an `arrayLimit` option:\n\n```javascript\nvar withArrayLimit = qs.parse('a[1]=b', { arrayLimit: 0 });\nassert.deepEqual(withArrayLimit, { a: { '1': 'b' } });\n```\n\nIf you want to throw an error whenever the array limit is exceeded, set the `throwOnLimitExceeded` option to `true`. This option will generate a descriptive error if the query string exceeds a configured limit.\n```javascript\ntry {\n qs.parse('a[1]=b', { arrayLimit: 0, throwOnLimitExceeded: true });\n} catch (err) {\n assert(err instanceof Error);\n assert.strictEqual(err.message, 'Array limit exceeded. Only 0 elements allowed in an array.');\n}\n```\n\nWhen `throwOnLimitExceeded` is set to `false` (default), **qs** will parse up to the specified `arrayLimit` and if the limit is exceeded, the array will instead be converted to an object with the index as the key\n\nTo disable array parsing entirely, set `parseArrays` to `false`.\n\n```javascript\nvar noParsingArrays = qs.parse('a[]=b', { parseArrays: false });\nassert.deepEqual(noParsingArrays, { a: { '0': 'b' } });\n```\n\nIf you mix notations, **qs** will merge the two items into an object:\n\n```javascript\nvar mixedNotation = qs.parse('a[0]=b&a[b]=c');\nassert.deepEqual(mixedNotation, { a: { '0': 'b', b: 'c' } });\n```\n\nYou can also create arrays of objects:\n\n```javascript\nvar arraysOfObjects = qs.parse('a[][b]=c');\nassert.deepEqual(arraysOfObjects, { a: [{ b: 'c' }] });\n```\n\nSome people use comma to join array, **qs** can parse it:\n```javascript\nvar arraysOfObjects = qs.parse('a=b,c', { comma: true })\nassert.deepEqual(arraysOfObjects, { a: ['b', 'c'] })\n```\n(_this cannot convert nested objects, such as `a={b:1},{c:d}`_)\n\n### Parsing primitive/scalar values (numbers, booleans, null, etc)\n\nBy default, all values are parsed as strings.\nThis behavior will not change and is explained in [issue #91](https://github.com/ljharb/qs/issues/91).\n\n```javascript\nvar primitiveValues = qs.parse('a=15&b=true&c=null');\nassert.deepEqual(primitiveValues, { a: '15', b: 'true', c: 'null' });\n```\n\nIf you wish to auto-convert values which look like numbers, booleans, and other values into their primitive counterparts, you can use the [query-types Express JS middleware](https://github.com/xpepermint/query-types) which will auto-convert all request query parameters.\n\n### Stringifying\n\n[](#preventEval)\n```javascript\nqs.stringify(object, [options]);\n```\n\nWhen stringifying, **qs** by default URI encodes output. Objects are stringified as you would expect:\n\n```javascript\nassert.equal(qs.stringify({ a: 'b' }), 'a=b');\nassert.equal(qs.stringify({ a: { b: 'c' } }), 'a%5Bb%5D=c');\n```\n\nThis encoding can be disabled by setting the `encode` option to `false`:\n\n```javascript\nvar unencoded = qs.stringify({ a: { b: 'c' } }, { encode: false });\nassert.equal(unencoded, 'a[b]=c');\n```\n\nEncoding can be disabled for keys by setting the `encodeValuesOnly` option to `true`:\n```javascript\nvar encodedValues = qs.stringify(\n { a: 'b', c: ['d', 'e=f'], f: [['g'], ['h']] },\n { encodeValuesOnly: true }\n);\nassert.equal(encodedValues,'a=b&c[0]=d&c[1]=e%3Df&f[0][0]=g&f[1][0]=h');\n```\n\nThis encoding can also be replaced by a custom encoding method set as `encoder` option:\n\n```javascript\nvar encoded = qs.stringify({ a: { b: 'c' } }, { encoder: function (str) {\n // Passed in values `a`, `b`, `c`\n return // Return encoded string\n}})\n```\n\n_(Note: the `encoder` option does not apply if `encode` is `false`)_\n\nAnalogue to the `encoder` there is a `decoder` option for `parse` to override decoding of properties and values:\n\n```javascript\nvar decoded = qs.parse('x=z', { decoder: function (str) {\n // Passed in values `x`, `z`\n return // Return decoded string\n}})\n```\n\nYou can encode keys and values using different logic by using the type argument provided to the encoder:\n\n```javascript\nvar encoded = qs.stringify({ a: { b: 'c' } }, { encoder: function (str, defaultEncoder, charset, type) {\n if (type === 'key') {\n return // Encoded key\n } else if (type === 'value') {\n return // Encoded value\n }\n}})\n```\n\nThe type argument is also provided to the decoder:\n\n```javascript\nvar decoded = qs.parse('x=z', { decoder: function (str, defaultDecoder, charset, type) {\n if (type === 'key') {\n return // Decoded key\n } else if (type === 'value') {\n return // Decoded value\n }\n}})\n```\n\nExamples beyond this point will be shown as though the output is not URI encoded for clarity.\nPlease note that the return values in these cases *will* be URI encoded during real usage.\n\nWhen arrays are stringified, they follow the `arrayFormat` option, which defaults to `indices`:\n\n```javascript\nqs.stringify({ a: ['b', 'c', 'd'] });\n// 'a[0]=b&a[1]=c&a[2]=d'\n```\n\nYou may override this by setting the `indices` option to `false`, or to be more explicit, the `arrayFormat` option to `repeat`:\n\n```javascript\nqs.stringify({ a: ['b', 'c', 'd'] }, { indices: false });\n// 'a=b&a=c&a=d'\n```\n\nYou may use the `arrayFormat` option to specify the format of the output array:\n\n```javascript\nqs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'indices' })\n// 'a[0]=b&a[1]=c'\nqs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'brackets' })\n// 'a[]=b&a[]=c'\nqs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'repeat' })\n// 'a=b&a=c'\nqs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'comma' })\n// 'a=b,c'\n```\n\nNote: when using `arrayFormat` set to `'comma'`, you can also pass the `commaRoundTrip` option set to `true` or `false`, to append `[]` on single-item arrays, so that they can round trip through a parse.\n\nWhen objects are stringified, by default they use bracket notation:\n\n```javascript\nqs.stringify({ a: { b: { c: 'd', e: 'f' } } });\n// 'a[b][c]=d&a[b][e]=f'\n```\n\nYou may override this to use dot notation by setting the `allowDots` option to `true`:\n\n```javascript\nqs.stringify({ a: { b: { c: 'd', e: 'f' } } }, { allowDots: true });\n// 'a.b.c=d&a.b.e=f'\n```\n\nYou may encode the dot notation in the keys of object with option `encodeDotInKeys` by setting it to `true`:\nNote: it implies `allowDots`, so `stringify` will error if you set `decodeDotInKeys` to `true`, and `allowDots` to `false`.\nCaveat: when `encodeValuesOnly` is `true` as well as `encodeDotInKeys`, only dots in keys and nothing else will be encoded.\n```javascript\nqs.stringify({ \"name.obj\": { \"first\": \"John\", \"last\": \"Doe\" } }, { allowDots: true, encodeDotInKeys: true })\n// 'name%252Eobj.first=John&name%252Eobj.last=Doe'\n```\n\nYou may allow empty array values by setting the `allowEmptyArrays` option to `true`:\n```javascript\nqs.stringify({ foo: [], bar: 'baz' }, { allowEmptyArrays: true });\n// 'foo[]&bar=baz'\n```\n\nEmpty strings and null values will omit the value, but the equals sign (=) remains in place:\n\n```javascript\nassert.equal(qs.stringify({ a: '' }), 'a=');\n```\n\nKey with no values (such as an empty object or array) will return nothing:\n\n```javascript\nassert.equal(qs.stringify({ a: [] }), '');\nassert.equal(qs.stringify({ a: {} }), '');\nassert.equal(qs.stringify({ a: [{}] }), '');\nassert.equal(qs.stringify({ a: { b: []} }), '');\nassert.equal(qs.stringify({ a: { b: {}} }), '');\n```\n\nProperties that are set to `undefined` will be omitted entirely:\n\n```javascript\nassert.equal(qs.stringify({ a: null, b: undefined }), 'a=');\n```\n\nThe query string may optionally be prepended with a question mark:\n\n```javascript\nassert.equal(qs.stringify({ a: 'b', c: 'd' }, { addQueryPrefix: true }), '?a=b&c=d');\n```\n\nThe delimiter may be overridden with stringify as well:\n\n```javascript\nassert.equal(qs.stringify({ a: 'b', c: 'd' }, { delimiter: ';' }), 'a=b;c=d');\n```\n\nIf you only want to override the serialization of `Date` objects, you can provide a `serializeDate` option:\n\n```javascript\nvar date = new Date(7);\nassert.equal(qs.stringify({ a: date }), 'a=1970-01-01T00:00:00.007Z'.replace(/:/g, '%3A'));\nassert.equal(\n qs.stringify({ a: date }, { serializeDate: function (d) { return d.getTime(); } }),\n 'a=7'\n);\n```\n\nYou may use the `sort` option to affect the order of parameter keys:\n\n```javascript\nfunction alphabeticalSort(a, b) {\n return a.localeCompare(b);\n}\nassert.equal(qs.stringify({ a: 'c', z: 'y', b : 'f' }, { sort: alphabeticalSort }), 'a=c&b=f&z=y');\n```\n\nFinally, you can use the `filter` option to restrict which keys will be included in the stringified output.\nIf you pass a function, it will be called for each key to obtain the replacement value.\nOtherwise, if you pass an array, it will be used to select properties and array indices for stringification:\n\n```javascript\nfunction filterFunc(prefix, value) {\n if (prefix == 'b') {\n // Return an `undefined` value to omit a property.\n return;\n }\n if (prefix == 'e[f]') {\n return value.getTime();\n }\n if (prefix == 'e[g][0]') {\n return value * 2;\n }\n return value;\n}\nqs.stringify({ a: 'b', c: 'd', e: { f: new Date(123), g: [2] } }, { filter: filterFunc });\n// 'a=b&c=d&e[f]=123&e[g][0]=4'\nqs.stringify({ a: 'b', c: 'd', e: 'f' }, { filter: ['a', 'e'] });\n// 'a=b&e=f'\nqs.stringify({ a: ['b', 'c', 'd'], e: 'f' }, { filter: ['a', 0, 2] });\n// 'a[0]=b&a[2]=d'\n```\n\nYou could also use `filter` to inject custom serialization for user defined types.\nConsider you're working with some api that expects query strings of the format for ranges:\n\n```\nhttps://domain.com/endpoint?range=30...70\n```\n\nFor which you model as:\n\n```javascript\nclass Range {\n constructor(from, to) {\n this.from = from;\n this.to = to;\n }\n}\n```\n\nYou could _inject_ a custom serializer to handle values of this type:\n\n```javascript\nqs.stringify(\n {\n range: new Range(30, 70),\n },\n {\n filter: (prefix, value) => {\n if (value instanceof Range) {\n return `${value.from}...${value.to}`;\n }\n // serialize the usual way\n return value;\n },\n }\n);\n// range=30...70\n```\n\n### Handling of `null` values\n\nBy default, `null` values are treated like empty strings:\n\n```javascript\nvar withNull = qs.stringify({ a: null, b: '' });\nassert.equal(withNull, 'a=&b=');\n```\n\nParsing does not distinguish between parameters with and without equal signs.\nBoth are converted to empty strings.\n\n```javascript\nvar equalsInsensitive = qs.parse('a&b=');\nassert.deepEqual(equalsInsensitive, { a: '', b: '' });\n```\n\nTo distinguish between `null` values and empty strings use the `strictNullHandling` flag. In the result string the `null`\nvalues have no `=` sign:\n\n```javascript\nvar strictNull = qs.stringify({ a: null, b: '' }, { strictNullHandling: true });\nassert.equal(strictNull, 'a&b=');\n```\n\nTo parse values without `=` back to `null` use the `strictNullHandling` flag:\n\n```javascript\nvar parsedStrictNull = qs.parse('a&b=', { strictNullHandling: true });\nassert.deepEqual(parsedStrictNull, { a: null, b: '' });\n```\n\nTo completely skip rendering keys with `null` values, use the `skipNulls` flag:\n\n```javascript\nvar nullsSkipped = qs.stringify({ a: 'b', c: null}, { skipNulls: true });\nassert.equal(nullsSkipped, 'a=b');\n```\n\nIf you're communicating with legacy systems, you can switch to `iso-8859-1` using the `charset` option:\n\n```javascript\nvar iso = qs.stringify({ æ: 'æ' }, { charset: 'iso-8859-1' });\nassert.equal(iso, '%E6=%E6');\n```\n\nCharacters that don't exist in `iso-8859-1` will be converted to numeric entities, similar to what browsers do:\n\n```javascript\nvar numeric = qs.stringify({ a: '☺' }, { charset: 'iso-8859-1' });\nassert.equal(numeric, 'a=%26%239786%3B');\n```\n\nYou can use the `charsetSentinel` option to announce the character by including an `utf8=✓` parameter with the proper encoding if the checkmark, similar to what Ruby on Rails and others do when submitting forms.\n\n```javascript\nvar sentinel = qs.stringify({ a: '☺' }, { charsetSentinel: true });\nassert.equal(sentinel, 'utf8=%E2%9C%93&a=%E2%98%BA');\n\nvar isoSentinel = qs.stringify({ a: 'æ' }, { charsetSentinel: true, charset: 'iso-8859-1' });\nassert.equal(isoSentinel, 'utf8=%26%2310003%3B&a=%E6');\n```\n\n### Dealing with special character sets\n\nBy default the encoding and decoding of characters is done in `utf-8`, and `iso-8859-1` support is also built in via the `charset` parameter.\n\nIf you wish to encode querystrings to a different character set (i.e.\n[Shift JIS](https://en.wikipedia.org/wiki/Shift_JIS)) you can use the\n[`qs-iconv`](https://github.com/martinheidegger/qs-iconv) library:\n\n```javascript\nvar encoder = require('qs-iconv/encoder')('shift_jis');\nvar shiftJISEncoded = qs.stringify({ a: 'こんにちは!' }, { encoder: encoder });\nassert.equal(shiftJISEncoded, 'a=%82%B1%82%F1%82%C9%82%BF%82%CD%81I');\n```\n\nThis also works for decoding of query strings:\n\n```javascript\nvar decoder = require('qs-iconv/decoder')('shift_jis');\nvar obj = qs.parse('a=%82%B1%82%F1%82%C9%82%BF%82%CD%81I', { decoder: decoder });\nassert.deepEqual(obj, { a: 'こんにちは!' });\n```\n\n### RFC 3986 and RFC 1738 space encoding\n\nRFC3986 used as default option and encodes ' ' to *%20* which is backward compatible.\nIn the same time, output can be stringified as per RFC1738 with ' ' equal to '+'.\n\n```\nassert.equal(qs.stringify({ a: 'b c' }), 'a=b%20c');\nassert.equal(qs.stringify({ a: 'b c' }, { format : 'RFC3986' }), 'a=b%20c');\nassert.equal(qs.stringify({ a: 'b c' }, { format : 'RFC1738' }), 'a=b+c');\n```\n\n## Security\n\nPlease email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.\n\n## qs for enterprise\n\nAvailable as part of the Tidelift Subscription\n\nThe maintainers of qs and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications.\nSave time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use.\n[Learn more.](https://tidelift.com/subscription/pkg/npm-qs?utm_source=npm-qs&utm_medium=referral&utm_campaign=enterprise&utm_term=repo)\n\n[package-url]: https://npmjs.org/package/qs\n[npm-version-svg]: https://versionbadg.es/ljharb/qs.svg\n[deps-svg]: https://david-dm.org/ljharb/qs.svg\n[deps-url]: https://david-dm.org/ljharb/qs\n[dev-deps-svg]: https://david-dm.org/ljharb/qs/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/qs#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/qs.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/qs.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/qs.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=qs\n[codecov-image]: https://codecov.io/gh/ljharb/qs/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/qs/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/qs\n[actions-url]: https://github.com/ljharb/qs/actions\n\n## Acknowledgements\n\nqs logo by [NUMI](https://github.com/numi-hq/open-design):\n\n[<img src=\"https://raw.githubusercontent.com/numi-hq/open-design/main/assets/numi-lockup.png\" alt=\"NUMI Logo\" style=\"width: 200px;\"/>](https://numi.tech/?ref=qs)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/qs/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/range-parser/README.md ---\n# range-parser\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![Node.js Version][node-image]][node-url]\n[![Build Status][travis-image]][travis-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nRange header field parser.\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install range-parser\n```\n\n## API\n\n<!-- eslint-disable no-unused-vars -->\n\n```js\nvar parseRange = require('range-parser')\n```\n\n### parseRange(size, header, options)\n\nParse the given `header` string where `size` is the maximum size of the resource.\nAn array of ranges will be returned or negative numbers indicating an error parsing.\n\n * `-2` signals a malformed header string\n * `-1` signals an unsatisfiable range\n\n<!-- eslint-disable no-undef -->\n\n```js\n// parse header from request\nvar range = parseRange(size, req.headers.range)\n\n// the type of the range\nif (range.type === 'bytes') {\n // the ranges\n range.forEach(function (r) {\n // do something with r.start and r.end\n })\n}\n```\n\n#### Options\n\nThese properties are accepted in the options object.\n\n##### combine\n\nSpecifies if overlapping & adjacent ranges should be combined, defaults to `false`.\nWhen `true`, ranges will be combined and returned as if they were specified that\nway in the header.\n\n<!-- eslint-disable no-undef -->\n\n```js\nparseRange(100, 'bytes=50-55,0-10,5-10,56-60', { combine: true })\n// => [\n// { start: 0, end: 10 },\n// { start: 50, end: 60 }\n// ]\n```\n\n## License\n\n[MIT](LICENSE)\n\n[coveralls-image]: https://badgen.net/coveralls/c/github/jshttp/range-parser/master\n[coveralls-url]: https://coveralls.io/r/jshttp/range-parser?branch=master\n[node-image]: https://badgen.net/npm/node/range-parser\n[node-url]: https://nodejs.org/en/download\n[npm-downloads-image]: https://badgen.net/npm/dm/range-parser\n[npm-url]: https://npmjs.org/package/range-parser\n[npm-version-image]: https://badgen.net/npm/v/range-parser\n[travis-image]: https://badgen.net/travis/jshttp/range-parser/master\n[travis-url]: https://travis-ci.org/jshttp/range-parser\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/range-parser/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/raw-body/README.md ---\n# raw-body\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build status][github-actions-ci-image]][github-actions-ci-url]\n[![Test coverage][coveralls-image]][coveralls-url]\n\nGets the entire buffer of a stream either as a `Buffer` or a string.\nValidates the stream's length against an expected length and maximum limit.\nIdeal for parsing request bodies.\n\n## Install\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install raw-body\n```\n\n### TypeScript\n\nThis module includes a [TypeScript](https://www.typescriptlang.org/)\ndeclaration file to enable auto complete in compatible editors and type\ninformation for TypeScript projects. This module depends on the Node.js\ntypes, so install `@types/node`:\n\n```sh\n$ npm install @types/node\n```\n\n## API\n\n```js\nvar getRawBody = require('raw-body')\n```\n\n### getRawBody(stream, [options], [callback])\n\n**Returns a promise if no callback specified and global `Promise` exists.**\n\nOptions:\n\n- `length` - The length of the stream.\n If the contents of the stream do not add up to this length,\n an `400` error code is returned.\n- `limit` - The byte limit of the body.\n This is the number of bytes or any string format supported by\n [bytes](https://www.npmjs.com/package/bytes),\n for example `1000`, `'500kb'` or `'3mb'`.\n If the body ends up being larger than this limit,\n a `413` error code is returned.\n- `encoding` - The encoding to use to decode the body into a string.\n By default, a `Buffer` instance will be returned when no encoding is specified.\n Most likely, you want `utf-8`, so setting `encoding` to `true` will decode as `utf-8`.\n You can use any type of encoding supported by [iconv-lite](https://www.npmjs.org/package/iconv-lite#readme).\n\nYou can also pass a string in place of options to just specify the encoding.\n\nIf an error occurs, the stream will be paused, everything unpiped,\nand you are responsible for correctly disposing the stream.\nFor HTTP requests, you may need to finish consuming the stream if\nyou want to keep the socket open for future requests. For streams\nthat use file descriptors, you should `stream.destroy()` or\n`stream.close()` to prevent leaks.\n\n## Errors\n\nThis module creates errors depending on the error condition during reading.\nThe error may be an error from the underlying Node.js implementation, but is\notherwise an error created by this module, which has the following attributes:\n\n * `limit` - the limit in bytes\n * `length` and `expected` - the expected length of the stream\n * `received` - the received bytes\n * `encoding` - the invalid encoding\n * `status` and `statusCode` - the corresponding status code for the error\n * `type` - the error type\n\n### Types\n\nThe errors from this module have a `type` property which allows for the programmatic\ndetermination of the type of error returned.\n\n#### encoding.unsupported\n\nThis error will occur when the `encoding` option is specified, but the value does\nnot map to an encoding supported by the [iconv-lite](https://www.npmjs.org/package/iconv-lite#readme)\nmodule.\n\n#### entity.too.large\n\nThis error will occur when the `limit` option is specified, but the stream has\nan entity that is larger.\n\n#### request.aborted\n\nThis error will occur when the request stream is aborted by the client before\nreading the body has finished.\n\n#### request.size.invalid\n\nThis error will occur when the `length` option is specified, but the stream has\nemitted more bytes.\n\n#### stream.encoding.set\n\nThis error will occur when the given stream has an encoding set on it, making it\na decoded stream. The stream should not have an encoding set and is expected to\nemit `Buffer` objects.\n\n#### stream.not.readable\n\nThis error will occur when the given stream is not readable.\n\n## Examples\n\n### Simple Express example\n\n```js\nvar contentType = require('content-type')\nvar express = require('express')\nvar getRawBody = require('raw-body')\n\nvar app = express()\n\napp.use(function (req, res, next) {\n getRawBody(req, {\n length: req.headers['content-length'],\n limit: '1mb',\n encoding: contentType.parse(req).parameters.charset\n }, function (err, string) {\n if (err) return next(err)\n req.text = string\n next()\n })\n})\n\n// now access req.text\n```\n\n### Simple Koa example\n\n```js\nvar contentType = require('content-type')\nvar getRawBody = require('raw-body')\nvar koa = require('koa')\n\nvar app = koa()\n\napp.use(function * (next) {\n this.text = yield getRawBody(this.req, {\n length: this.req.headers['content-length'],\n limit: '1mb',\n encoding: contentType.parse(this.req).parameters.charset\n })\n yield next\n})\n\n// now access this.text\n```\n\n### Using as a promise\n\nTo use this library as a promise, simply omit the `callback` and a promise is\nreturned, provided that a global `Promise` is defined.\n\n```js\nvar getRawBody = require('raw-body')\nvar http = require('http')\n\nvar server = http.createServer(function (req, res) {\n getRawBody(req)\n .then(function (buf) {\n res.statusCode = 200\n res.end(buf.length + ' bytes submitted')\n })\n .catch(function (err) {\n res.statusCode = 500\n res.end(err.message)\n })\n})\n\nserver.listen(3000)\n```\n\n### Using with TypeScript\n\n```ts\nimport * as getRawBody from 'raw-body';\nimport * as http from 'http';\n\nconst server = http.createServer((req, res) => {\n getRawBody(req)\n .then((buf) => {\n res.statusCode = 200;\n res.end(buf.length + ' bytes submitted');\n })\n .catch((err) => {\n res.statusCode = err.statusCode;\n res.end(err.message);\n });\n});\n\nserver.listen(3000);\n```\n\n## License\n\n[MIT](LICENSE)\n\n[npm-image]: https://img.shields.io/npm/v/raw-body.svg\n[npm-url]: https://npmjs.org/package/raw-body\n[node-version-image]: https://img.shields.io/node/v/raw-body.svg\n[node-version-url]: https://nodejs.org/en/download/\n[coveralls-image]: https://img.shields.io/coveralls/stream-utils/raw-body/master.svg\n[coveralls-url]: https://coveralls.io/r/stream-utils/raw-body?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/raw-body.svg\n[downloads-url]: https://npmjs.org/package/raw-body\n[github-actions-ci-image]: https://img.shields.io/github/actions/workflow/status/stream-utils/raw-body/ci.yml?branch=master&label=ci\n[github-actions-ci-url]: https://github.com/jshttp/stream-utils/raw-body?query=workflow%3Aci\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/raw-body/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/rollup/README.md ---\n<p align=\"center\">\n\t<a href=\"https://rollupjs.org/\"><img src=\"https://rollupjs.org/rollup-logo.svg\" width=\"150\" /></a>\n</p>\n\n<p align=\"center\">\n <a href=\"https://www.npmjs.com/package/rollup\">\n <img src=\"https://img.shields.io/npm/v/rollup.svg\" alt=\"npm version\" >\n </a>\n <a href=\"https://nodejs.org/en/about/previous-releases\">\n <img src=\"https://img.shields.io/node/v/rollup.svg\" alt=\"node compatibility\">\n </a>\n <a href=\"https://packagephobia.now.sh/result?p=rollup\">\n <img src=\"https://packagephobia.now.sh/badge?p=rollup\" alt=\"install size\" >\n </a>\n <a href=\"https://codecov.io/gh/rollup/rollup\">\n <img src=\"https://codecov.io/gh/rollup/rollup/graph/badge.svg\" alt=\"code coverage\" >\n </a>\n <a href=\"#backers\" alt=\"sponsors on Open Collective\">\n <img src=\"https://opencollective.com/rollup/backers/badge.svg\" alt=\"backers\" >\n </a> \n <a href=\"#sponsors\" alt=\"Sponsors on Open Collective\">\n <img src=\"https://opencollective.com/rollup/sponsors/badge.svg\" alt=\"sponsors\" >\n </a> \n <a href=\"https://github.com/rollup/rollup/blob/master/LICENSE.md\">\n <img src=\"https://img.shields.io/npm/l/rollup.svg\" alt=\"license\">\n </a>\n <a href='https://is.gd/rollup_chat?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge'>\n <img src='https://img.shields.io/discord/466787075518365708?color=778cd1&label=chat' alt='Join the chat at https://is.gd/rollup_chat'>\n </a>\n</p>\n\n<h1 align=\"center\">Rollup</h1>\n\n## Overview\n\nRollup is a module bundler for JavaScript which compiles small pieces of code into something larger and more complex, such as a library or application. It uses the standardized ES module format for code, instead of previous idiosyncratic solutions such as CommonJS and AMD. ES modules let you freely and seamlessly combine the most useful individual functions from your favorite libraries. Rollup can optimize ES modules for faster native loading in modern browsers, or output a legacy module format allowing ES module workflows today.\n\n## Quick Start Guide\n\nInstall with `npm install --global rollup`. Rollup can be used either through a [command line interface](https://rollupjs.org/command-line-interface/) with an optional configuration file or else through its [JavaScript API](https://rollupjs.org/javascript-api/). Run `rollup --help` to see the available options and parameters. The starter project templates, [rollup-starter-lib](https://github.com/rollup/rollup-starter-lib) and [rollup-starter-app](https://github.com/rollup/rollup-starter-app), demonstrate common configuration options, and more detailed instructions are available throughout the [user guide](https://rollupjs.org/introduction/).\n\n### Commands\n\nThese commands assume the entry point to your application is named main.js, and that you'd like all imports compiled into a single file named bundle.js.\n\nFor browsers:\n\n```bash\n# compile to a <script> containing a self-executing function\nrollup main.js --format iife --name \"myBundle\" --file bundle.js\n```\n\nFor Node.js:\n\n```bash\n# compile to a CommonJS module\nrollup main.js --format cjs --file bundle.js\n```\n\nFor both browsers and Node.js:\n\n```bash\n# UMD format requires a bundle name\nrollup main.js --format umd --name \"myBundle\" --file bundle.js\n```\n\n## Why\n\nDeveloping software is usually easier if you break your project into smaller separate pieces, since that often removes unexpected interactions and dramatically reduces the complexity of the problems you'll need to solve, and simply writing smaller projects in the first place [isn't necessarily the answer](https://medium.com/@Rich_Harris/small-modules-it-s-not-quite-that-simple-3ca532d65de4). Unfortunately, JavaScript has not historically included this capability as a core feature in the language.\n\nThis finally changed with ES modules support in JavaScript, which provides a syntax for importing and exporting functions and data so they can be shared between separate scripts. Most browsers and Node.js support ES modules. However, Node.js releases before 12.17 support ES modules only behind the `--experimental-modules` flag, and older browsers like Internet Explorer do not support ES modules at all. Rollup allows you to write your code using ES modules, and run your application even in environments that do not support ES modules natively. For environments that support them, Rollup can output optimized ES modules; for environments that don't, Rollup can compile your code to other formats such as CommonJS modules, AMD modules, and IIFE-style scripts. This means that you get to _write future-proof code_, and you also get the tremendous benefits of...\n\n## Tree Shaking\n\nIn addition to enabling the use of ES modules, Rollup also statically analyzes and optimizes the code you are importing, and will exclude anything that isn't actually used. This allows you to build on top of existing tools and modules without adding extra dependencies or bloating the size of your project.\n\nFor example, with CommonJS, the _entire tool or library must be imported_.\n\n```js\n// import the entire utils object with CommonJS\nvar utils = require('node:utils');\nvar query = 'Rollup';\n// use the ajax method of the utils object\nutils.ajax('https://api.example.com?search=' + query).then(handleResponse);\n```\n\nBut with ES modules, instead of importing the whole `utils` object, we can just import the one `ajax` function we need:\n\n```js\n// import the ajax function with an ES import statement\nimport { ajax } from 'node:utils';\n\nvar query = 'Rollup';\n// call the ajax function\najax('https://api.example.com?search=' + query).then(handleResponse);\n```\n\nBecause Rollup includes the bare minimum, it results in lighter, faster, and less complicated libraries and applications. Since this approach is based on explicit `import` and `export` statements, it is vastly more effective than simply running an automated minifier to detect unused variables in the compiled output code.\n\n## Compatibility\n\n### Importing CommonJS\n\nRollup can import existing CommonJS modules [through a plugin](https://github.com/rollup/plugins/tree/master/packages/commonjs).\n\n### Publishing ES Modules\n\nTo make sure your ES modules are immediately usable by tools that work with CommonJS such as Node.js and webpack, you can use Rollup to compile to UMD or CommonJS format, and then point to that compiled version with the `main` property in your `package.json` file. If your `package.json` file also has a `module` field, ES-module-aware tools like Rollup and [webpack](https://webpack.js.org/) will [import the ES module version](https://github.com/rollup/rollup/wiki/pkg.module) directly.\n\n## Contributors\n\nThis project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)]. <a href=\"https://github.com/rollup/rollup/graphs/contributors\"><img src=\"https://opencollective.com/rollup/contributors.svg?width=890\" /></a>. If you want to contribute yourself, head over to the [contribution guidelines](CONTRIBUTING.md).\n\n## Backers\n\nThank you to all our backers! 🙏 [[Become a backer](https://opencollective.com/rollup#backer)]\n\n<a href=\"https://opencollective.com/rollup#backers\" target=\"_blank\"><img src=\"https://opencollective.com/rollup/backers.svg?width=890\"></a>\n\n## Sponsors\n\nSupport this project by becoming a sponsor. Your logo will show up here with a link to your website. [[Become a sponsor](https://opencollective.com/rollup#sponsor)]\n\n<a href=\"https://opencollective.com/rollup/sponsor/0/website\" target=\"_blank\"><img src=\"https://opencollective.com/rollup/sponsor/0/avatar.svg\"></a> <a href=\"https://opencollective.com/rollup/sponsor/1/website\" target=\"_blank\"><img src=\"https://opencollective.com/rollup/sponsor/1/avatar.svg\"></a> <a href=\"https://opencollective.com/rollup/sponsor/2/website\" target=\"_blank\"><img src=\"https://opencollective.com/rollup/sponsor/2/avatar.svg\"></a> <a href=\"https://opencollective.com/rollup/sponsor/3/website\" target=\"_blank\"><img src=\"https://opencollective.com/rollup/sponsor/3/avatar.svg\"></a> <a href=\"https://opencollective.com/rollup/sponsor/4/website\" target=\"_blank\"><img src=\"https://opencollective.com/rollup/sponsor/4/avatar.svg\"></a> <a href=\"https://opencollective.com/rollup/sponsor/5/website\" target=\"_blank\"><img src=\"https://opencollective.com/rollup/sponsor/5/avatar.svg\"></a> <a href=\"https://opencollective.com/rollup/sponsor/6/website\" target=\"_blank\"><img src=\"https://opencollective.com/rollup/sponsor/6/avatar.svg\"></a> <a href=\"https://opencollective.com/rollup/sponsor/7/website\" target=\"_blank\"><img src=\"https://opencollective.com/rollup/sponsor/7/avatar.svg\"></a> <a href=\"https://opencollective.com/rollup/sponsor/8/website\" target=\"_blank\"><img src=\"https://opencollective.com/rollup/sponsor/8/avatar.svg\"></a> <a href=\"https://opencollective.com/rollup/sponsor/9/website\" target=\"_blank\"><img src=\"https://opencollective.com/rollup/sponsor/9/avatar.svg\"></a> <a href=\"https://opencollective.com/rollup/sponsor/10/website\" target=\"_blank\"><img src=\"https://opencollective.com/rollup/sponsor/10/avatar.svg\"></a> <a href=\"https://opencollective.com/rollup/sponsor/11/website\" target=\"_blank\"><img src=\"https://opencollective.com/rollup/sponsor/11/avatar.svg\"></a> <a href=\"https://opencollective.com/rollup/sponsor/12/website\" target=\"_blank\"><img src=\"https://opencollective.com/rollup/sponsor/12/avatar.svg\"></a> <a href=\"https://opencollective.com/rollup/sponsor/13/website\" target=\"_blank\"><img src=\"https://opencollective.com/rollup/sponsor/13/avatar.svg\"></a> <a href=\"https://opencollective.com/rollup/sponsor/14/website\" target=\"_blank\"><img src=\"https://opencollective.com/rollup/sponsor/14/avatar.svg\"></a>\n\n## Special Sponsor\n\n<a href=\"https://www.tngtech.com/en/index.html\" target=\"_blank\"><img src=\"https://avatars.githubusercontent.com/u/432256?s=200&v=4\" alt=\"TNG Logo\"/></a>\n\nTNG has been supporting the work of [Lukas Taegert-Atkinson](https://github.com/lukastaegert) on Rollup since 2017.\n\n## License\n\n[MIT](https://github.com/rollup/rollup/blob/master/LICENSE.md)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/rollup/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/router/README.md ---\n# router\n\n[![NPM Version][npm-image]][npm-url]\n[![NPM Downloads][downloads-image]][downloads-url]\n[![Node.js Version][node-version-image]][node-version-url]\n[![Build Status][ci-image]][ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nSimple middleware-style router\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```bash\n$ npm install router\n```\n\n## API\n\n```js\nvar finalhandler = require('finalhandler')\nvar http = require('http')\nvar Router = require('router')\n\nvar router = Router()\nrouter.get('/', function (req, res) {\n res.setHeader('Content-Type', 'text/plain; charset=utf-8')\n res.end('Hello World!')\n})\n\nvar server = http.createServer(function (req, res) {\n router(req, res, finalhandler(req, res))\n})\n\nserver.listen(3000)\n```\n\nThis module is currently an extracted version from the Express project,\nbut with the main change being it can be used with a plain `http.createServer`\nobject or other web frameworks by removing Express-specific API calls.\n\n## Router(options)\n\nOptions\n\n- `strict` - When `false` trailing slashes are optional (default: `false`)\n- `caseSensitive` - When `true` the routing will be case sensitive. (default: `false`)\n- `mergeParams` - When `true` any `req.params` passed to the router will be\n merged into the router's `req.params`. (default: `false`) ([example](#example-using-mergeparams))\n\nReturns a function with the signature `router(req, res, callback)` where\n`callback([err])` must be provided to handle errors and fall-through from\nnot handling requests.\n\n### router.use([path], ...middleware)\n\nUse the given [middleware function](#middleware) for all http methods on the\ngiven `path`, defaulting to the root path.\n\n`router` does not automatically see `use` as a handler. As such, it will not\nconsider it one for handling `OPTIONS` requests.\n\n* Note: If a `path` is specified, that `path` is stripped from the start of\n `req.url`.\n\n<!-- eslint-disable no-undef -->\n\n```js\nrouter.use(function (req, res, next) {\n // do your things\n\n // continue to the next middleware\n // the request will stall if this is not called\n next()\n\n // note: you should NOT call `next` if you have begun writing to the response\n})\n```\n\n[Middleware](#middleware) can themselves use `next('router')` at any time to\nexit the current router instance completely, invoking the top-level callback.\n\n### router\\[method](path, ...[middleware], handler)\n\nThe [http methods](https://github.com/jshttp/methods/blob/master/index.js) provide\nthe routing functionality in `router`.\n\nMethod middleware and handlers follow usual [middleware](#middleware) behavior,\nexcept they will only be called when the method and path match the request.\n\n<!-- eslint-disable no-undef -->\n\n```js\n// handle a `GET` request\nrouter.get('/', function (req, res) {\n res.setHeader('Content-Type', 'text/plain; charset=utf-8')\n res.end('Hello World!')\n})\n```\n\n[Middleware](#middleware) given before the handler have one additional trick,\nthey may invoke `next('route')`. Calling `next('route')` bypasses the remaining\nmiddleware and the handler mounted for this route, passing the request to the\nnext route suitable for handling this request.\n\nRoute handlers and middleware can themselves use `next('router')` at any time\nto exit the current router instance completely, invoking the top-level callback.\n\n### router.param(name, param_middleware)\n\nMaps the specified path parameter `name` to a specialized param-capturing middleware.\n\nThis function positions the middleware in the same stack as `.use`.\n\nThe function can optionally return a `Promise` object. If a `Promise` object\nis returned from the function, the router will attach an `onRejected` callback\nusing `.then`. If the promise is rejected, `next` will be called with the\nrejected value, or an error if the value is falsy.\n\nParameter mapping is used to provide pre-conditions to routes\nwhich use normalized placeholders. For example a _:user_id_ parameter\ncould automatically load a user's information from the database without\nany additional code:\n\n<!-- eslint-disable no-undef -->\n\n```js\nrouter.param('user_id', function (req, res, next, id) {\n User.find(id, function (err, user) {\n if (err) {\n return next(err)\n } else if (!user) {\n return next(new Error('failed to load user'))\n }\n req.user = user\n\n // continue processing the request\n next()\n })\n})\n```\n\n### router.route(path)\n\nCreates an instance of a single `Route` for the given `path`.\n(See `Router.Route` below)\n\nRoutes can be used to handle http `methods` with their own, optional middleware.\n\nUsing `router.route(path)` is a recommended approach to avoiding duplicate\nroute naming and thus typo errors.\n\n<!-- eslint-disable no-undef, no-unused-vars -->\n\n```js\nvar api = router.route('/api/')\n```\n\n## Router.Route(path)\n\nRepresents a single route as an instance that can be used to handle http\n`methods` with it's own, optional middleware.\n\n### route\\[method](handler)\n\nThese are functions which you can directly call on a route to register a new\n`handler` for the `method` on the route.\n\n<!-- eslint-disable no-undef -->\n\n```js\n// handle a `GET` request\nvar status = router.route('/status')\n\nstatus.get(function (req, res) {\n res.setHeader('Content-Type', 'text/plain; charset=utf-8')\n res.end('All Systems Green!')\n})\n```\n\n### route.all(handler)\n\nAdds a handler for all HTTP methods to this route.\n\nThe handler can behave like middleware and call `next` to continue processing\nrather than responding.\n\n<!-- eslint-disable no-undef -->\n\n```js\nrouter.route('/')\n .all(function (req, res, next) {\n next()\n })\n .all(checkSomething)\n .get(function (req, res) {\n res.setHeader('Content-Type', 'text/plain; charset=utf-8')\n res.end('Hello World!')\n })\n```\n\n## Middleware\n\nMiddleware (and method handlers) are functions that follow specific function\nparameters and have defined behavior when used with `router`. The most common\nformat is with three parameters - \"req\", \"res\" and \"next\".\n\n- `req` - This is a [HTTP incoming message](https://nodejs.org/api/http.html#http_http_incomingmessage) instance.\n- `res` - This is a [HTTP server response](https://nodejs.org/api/http.html#http_class_http_serverresponse) instance.\n- `next` - Calling this function that tells `router` to proceed to the next matching middleware or method handler. It accepts an error as the first argument.\n\nThe function can optionally return a `Promise` object. If a `Promise` object\nis returned from the function, the router will attach an `onRejected` callback\nusing `.then`. If the promise is rejected, `next` will be called with the\nrejected value, or an error if the value is falsy.\n\nMiddleware and method handlers can also be defined with four arguments. When\nthe function has four parameters defined, the first argument is an error and\nsubsequent arguments remain, becoming - \"err\", \"req\", \"res\", \"next\". These\nfunctions are \"error handling middleware\", and can be used for handling\nerrors that occurred in previous handlers (E.g. from calling `next(err)`).\nThis is most used when you want to define arbitrary rendering of errors.\n\n<!-- eslint-disable no-undef -->\n\n```js\nrouter.get('/error_route', function (req, res, next) {\n return next(new Error('Bad Request'))\n})\n\nrouter.use(function (err, req, res, next) {\n res.end(err.message) //= > \"Bad Request\"\n})\n```\n\nError handling middleware will **only** be invoked when an error was given. As\nlong as the error is in the pipeline, normal middleware and handlers will be\nbypassed - only error handling middleware will be invoked with an error.\n\n## Examples\n\n```js\n// import our modules\nvar http = require('http')\nvar Router = require('router')\nvar finalhandler = require('finalhandler')\nvar compression = require('compression')\nvar bodyParser = require('body-parser')\n\n// store our message to display\nvar message = 'Hello World!'\n\n// initialize the router & server and add a final callback.\nvar router = Router()\nvar server = http.createServer(function onRequest (req, res) {\n router(req, res, finalhandler(req, res))\n})\n\n// use some middleware and compress all outgoing responses\nrouter.use(compression())\n\n// handle `GET` requests to `/message`\nrouter.get('/message', function (req, res) {\n res.statusCode = 200\n res.setHeader('Content-Type', 'text/plain; charset=utf-8')\n res.end(message + '\\n')\n})\n\n// create and mount a new router for our API\nvar api = Router()\nrouter.use('/api/', api)\n\n// add a body parsing middleware to our API\napi.use(bodyParser.json())\n\n// handle `PATCH` requests to `/api/set-message`\napi.patch('/set-message', function (req, res) {\n if (req.body.value) {\n message = req.body.value\n\n res.statusCode = 200\n res.setHeader('Content-Type', 'text/plain; charset=utf-8')\n res.end(message + '\\n')\n } else {\n res.statusCode = 400\n res.setHeader('Content-Type', 'text/plain; charset=utf-8')\n res.end('Invalid API Syntax\\n')\n }\n})\n\n// make our http server listen to connections\nserver.listen(8080)\n```\n\nYou can get the message by running this command in your terminal,\n or navigating to `127.0.0.1:8080` in a web browser.\n```bash\ncurl http://127.0.0.1:8080\n```\n\nYou can set the message by sending it a `PATCH` request via this command:\n```bash\ncurl http://127.0.0.1:8080/api/set-message -X PATCH -H \"Content-Type: application/json\" -d '{\"value\":\"Cats!\"}'\n```\n\n### Example using mergeParams\n\n```js\nvar http = require('http')\nvar Router = require('router')\nvar finalhandler = require('finalhandler')\n\n// this example is about the mergeParams option\nvar opts = { mergeParams: true }\n\n// make a router with out special options\nvar router = Router(opts)\nvar server = http.createServer(function onRequest (req, res) {\n // set something to be passed into the router\n req.params = { type: 'kitten' }\n\n router(req, res, finalhandler(req, res))\n})\n\nrouter.get('/', function (req, res) {\n res.statusCode = 200\n res.setHeader('Content-Type', 'text/plain; charset=utf-8')\n\n // with respond with the the params that were passed in\n res.end(req.params.type + '\\n')\n})\n\n// make another router with our options\nvar handler = Router(opts)\n\n// mount our new router to a route that accepts a param\nrouter.use('/:path', handler)\n\nhandler.get('/', function (req, res) {\n res.statusCode = 200\n res.setHeader('Content-Type', 'text/plain; charset=utf-8')\n\n // will respond with the param of the router's parent route\n res.end(req.params.path + '\\n')\n})\n\n// make our http server listen to connections\nserver.listen(8080)\n```\n\nNow you can get the type, or what path you are requesting:\n```bash\ncurl http://127.0.0.1:8080\n> kitten\ncurl http://127.0.0.1:8080/such_path\n> such_path\n```\n\n### Example of advanced `.route()` usage\n\nThis example shows how to implement routes where there is a custom\nhandler to execute when the path matched, but no methods matched.\nWithout any special handling, this would be treated as just a\ngeneric non-match by `router` (which typically results in a 404),\nbut with a custom handler, a `405 Method Not Allowed` can be sent.\n\n```js\nvar http = require('http')\nvar finalhandler = require('finalhandler')\nvar Router = require('router')\n\n// create the router and server\nvar router = new Router()\nvar server = http.createServer(function onRequest (req, res) {\n router(req, res, finalhandler(req, res))\n})\n\n// register a route and add all methods\nrouter.route('/pet/:id')\n .get(function (req, res) {\n // this is GET /pet/:id\n res.setHeader('Content-Type', 'application/json')\n res.end(JSON.stringify({ name: 'tobi' }))\n })\n .delete(function (req, res) {\n // this is DELETE /pet/:id\n res.end()\n })\n .all(function (req, res) {\n // this is called for all other methods not\n // defined above for /pet/:id\n res.statusCode = 405\n res.end()\n })\n\n// make our http server listen to connections\nserver.listen(8080)\n```\n\n## License\n\n[MIT](LICENSE)\n\n[ci-image]: https://badgen.net/github/checks/pillarjs/router/master?label=ci\n[ci-url]: https://github.com/pillarjs/router/actions/workflows/ci.yml\n[npm-image]: https://img.shields.io/npm/v/router.svg\n[npm-url]: https://npmjs.org/package/router\n[node-version-image]: https://img.shields.io/node/v/router.svg\n[node-version-url]: http://nodejs.org/download/\n[coveralls-image]: https://img.shields.io/coveralls/pillarjs/router/master.svg\n[coveralls-url]: https://coveralls.io/r/pillarjs/router?branch=master\n[downloads-image]: https://img.shields.io/npm/dm/router.svg\n[downloads-url]: https://npmjs.org/package/router\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/router/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/safe-buffer/README.md ---\n# safe-buffer [![travis][travis-image]][travis-url] [![npm][npm-image]][npm-url] [![downloads][downloads-image]][downloads-url] [![javascript style guide][standard-image]][standard-url]\n\n[travis-image]: https://img.shields.io/travis/feross/safe-buffer/master.svg\n[travis-url]: https://travis-ci.org/feross/safe-buffer\n[npm-image]: https://img.shields.io/npm/v/safe-buffer.svg\n[npm-url]: https://npmjs.org/package/safe-buffer\n[downloads-image]: https://img.shields.io/npm/dm/safe-buffer.svg\n[downloads-url]: https://npmjs.org/package/safe-buffer\n[standard-image]: https://img.shields.io/badge/code_style-standard-brightgreen.svg\n[standard-url]: https://standardjs.com\n\n#### Safer Node.js Buffer API\n\n**Use the new Node.js Buffer APIs (`Buffer.from`, `Buffer.alloc`,\n`Buffer.allocUnsafe`, `Buffer.allocUnsafeSlow`) in all versions of Node.js.**\n\n**Uses the built-in implementation when available.**\n\n## install\n\n```\nnpm install safe-buffer\n```\n\n## usage\n\nThe goal of this package is to provide a safe replacement for the node.js `Buffer`.\n\nIt's a drop-in replacement for `Buffer`. You can use it by adding one `require` line to\nthe top of your node.js modules:\n\n```js\nvar Buffer = require('safe-buffer').Buffer\n\n// Existing buffer code will continue to work without issues:\n\nnew Buffer('hey', 'utf8')\nnew Buffer([1, 2, 3], 'utf8')\nnew Buffer(obj)\nnew Buffer(16) // create an uninitialized buffer (potentially unsafe)\n\n// But you can use these new explicit APIs to make clear what you want:\n\nBuffer.from('hey', 'utf8') // convert from many types to a Buffer\nBuffer.alloc(16) // create a zero-filled buffer (safe)\nBuffer.allocUnsafe(16) // create an uninitialized buffer (potentially unsafe)\n```\n\n## api\n\n### Class Method: Buffer.from(array)\n<!-- YAML\nadded: v3.0.0\n-->\n\n* `array` {Array}\n\nAllocates a new `Buffer` using an `array` of octets.\n\n```js\nconst buf = Buffer.from([0x62,0x75,0x66,0x66,0x65,0x72]);\n // creates a new Buffer containing ASCII bytes\n // ['b','u','f','f','e','r']\n```\n\nA `TypeError` will be thrown if `array` is not an `Array`.\n\n### Class Method: Buffer.from(arrayBuffer[, byteOffset[, length]])\n<!-- YAML\nadded: v5.10.0\n-->\n\n* `arrayBuffer` {ArrayBuffer} The `.buffer` property of a `TypedArray` or\n a `new ArrayBuffer()`\n* `byteOffset` {Number} Default: `0`\n* `length` {Number} Default: `arrayBuffer.length - byteOffset`\n\nWhen passed a reference to the `.buffer` property of a `TypedArray` instance,\nthe newly created `Buffer` will share the same allocated memory as the\nTypedArray.\n\n```js\nconst arr = new Uint16Array(2);\narr[0] = 5000;\narr[1] = 4000;\n\nconst buf = Buffer.from(arr.buffer); // shares the memory with arr;\n\nconsole.log(buf);\n // Prints: <Buffer 88 13 a0 0f>\n\n// changing the TypedArray changes the Buffer also\narr[1] = 6000;\n\nconsole.log(buf);\n // Prints: <Buffer 88 13 70 17>\n```\n\nThe optional `byteOffset` and `length` arguments specify a memory range within\nthe `arrayBuffer` that will be shared by the `Buffer`.\n\n```js\nconst ab = new ArrayBuffer(10);\nconst buf = Buffer.from(ab, 0, 2);\nconsole.log(buf.length);\n // Prints: 2\n```\n\nA `TypeError` will be thrown if `arrayBuffer` is not an `ArrayBuffer`.\n\n### Class Method: Buffer.from(buffer)\n<!-- YAML\nadded: v3.0.0\n-->\n\n* `buffer` {Buffer}\n\nCopies the passed `buffer` data onto a new `Buffer` instance.\n\n```js\nconst buf1 = Buffer.from('buffer');\nconst buf2 = Buffer.from(buf1);\n\nbuf1[0] = 0x61;\nconsole.log(buf1.toString());\n // 'auffer'\nconsole.log(buf2.toString());\n // 'buffer' (copy is not changed)\n```\n\nA `TypeError` will be thrown if `buffer` is not a `Buffer`.\n\n### Class Method: Buffer.from(str[, encoding])\n<!-- YAML\nadded: v5.10.0\n-->\n\n* `str` {String} String to encode.\n* `encoding` {String} Encoding to use, Default: `'utf8'`\n\nCreates a new `Buffer` containing the given JavaScript string `str`. If\nprovided, the `encoding` parameter identifies the character encoding.\nIf not provided, `encoding` defaults to `'utf8'`.\n\n```js\nconst buf1 = Buffer.from('this is a tést');\nconsole.log(buf1.toString());\n // prints: this is a tést\nconsole.log(buf1.toString('ascii'));\n // prints: this is a tC)st\n\nconst buf2 = Buffer.from('7468697320697320612074c3a97374', 'hex');\nconsole.log(buf2.toString());\n // prints: this is a tést\n```\n\nA `TypeError` will be thrown if `str` is not a string.\n\n### Class Method: Buffer.alloc(size[, fill[, encoding]])\n<!-- YAML\nadded: v5.10.0\n-->\n\n* `size` {Number}\n* `fill` {Value} Default: `undefined`\n* `encoding` {String} Default: `utf8`\n\nAllocates a new `Buffer` of `size` bytes. If `fill` is `undefined`, the\n`Buffer` will be *zero-filled*.\n\n```js\nconst buf = Buffer.alloc(5);\nconsole.log(buf);\n // <Buffer 00 00 00 00 00>\n```\n\nThe `size` must be less than or equal to the value of\n`require('buffer').kMaxLength` (on 64-bit architectures, `kMaxLength` is\n`(2^31)-1`). Otherwise, a [`RangeError`][] is thrown. A zero-length Buffer will\nbe created if a `size` less than or equal to 0 is specified.\n\nIf `fill` is specified, the allocated `Buffer` will be initialized by calling\n`buf.fill(fill)`. See [`buf.fill()`][] for more information.\n\n```js\nconst buf = Buffer.alloc(5, 'a');\nconsole.log(buf);\n // <Buffer 61 61 61 61 61>\n```\n\nIf both `fill` and `encoding` are specified, the allocated `Buffer` will be\ninitialized by calling `buf.fill(fill, encoding)`. For example:\n\n```js\nconst buf = Buffer.alloc(11, 'aGVsbG8gd29ybGQ=', 'base64');\nconsole.log(buf);\n // <Buffer 68 65 6c 6c 6f 20 77 6f 72 6c 64>\n```\n\nCalling `Buffer.alloc(size)` can be significantly slower than the alternative\n`Buffer.allocUnsafe(size)` but ensures that the newly created `Buffer` instance\ncontents will *never contain sensitive data*.\n\nA `TypeError` will be thrown if `size` is not a number.\n\n### Class Method: Buffer.allocUnsafe(size)\n<!-- YAML\nadded: v5.10.0\n-->\n\n* `size` {Number}\n\nAllocates a new *non-zero-filled* `Buffer` of `size` bytes. The `size` must\nbe less than or equal to the value of `require('buffer').kMaxLength` (on 64-bit\narchitectures, `kMaxLength` is `(2^31)-1`). Otherwise, a [`RangeError`][] is\nthrown. A zero-length Buffer will be created if a `size` less than or equal to\n0 is specified.\n\nThe underlying memory for `Buffer` instances created in this way is *not\ninitialized*. The contents of the newly created `Buffer` are unknown and\n*may contain sensitive data*. Use [`buf.fill(0)`][] to initialize such\n`Buffer` instances to zeroes.\n\n```js\nconst buf = Buffer.allocUnsafe(5);\nconsole.log(buf);\n // <Buffer 78 e0 82 02 01>\n // (octets will be different, every time)\nbuf.fill(0);\nconsole.log(buf);\n // <Buffer 00 00 00 00 00>\n```\n\nA `TypeError` will be thrown if `size` is not a number.\n\nNote that the `Buffer` module pre-allocates an internal `Buffer` instance of\nsize `Buffer.poolSize` that is used as a pool for the fast allocation of new\n`Buffer` instances created using `Buffer.allocUnsafe(size)` (and the deprecated\n`new Buffer(size)` constructor) only when `size` is less than or equal to\n`Buffer.poolSize >> 1` (floor of `Buffer.poolSize` divided by two). The default\nvalue of `Buffer.poolSize` is `8192` but can be modified.\n\nUse of this pre-allocated internal memory pool is a key difference between\ncalling `Buffer.alloc(size, fill)` vs. `Buffer.allocUnsafe(size).fill(fill)`.\nSpecifically, `Buffer.alloc(size, fill)` will *never* use the internal Buffer\npool, while `Buffer.allocUnsafe(size).fill(fill)` *will* use the internal\nBuffer pool if `size` is less than or equal to half `Buffer.poolSize`. The\ndifference is subtle but can be important when an application requires the\nadditional performance that `Buffer.allocUnsafe(size)` provides.\n\n### Class Method: Buffer.allocUnsafeSlow(size)\n<!-- YAML\nadded: v5.10.0\n-->\n\n* `size` {Number}\n\nAllocates a new *non-zero-filled* and non-pooled `Buffer` of `size` bytes. The\n`size` must be less than or equal to the value of\n`require('buffer').kMaxLength` (on 64-bit architectures, `kMaxLength` is\n`(2^31)-1`). Otherwise, a [`RangeError`][] is thrown. A zero-length Buffer will\nbe created if a `size` less than or equal to 0 is specified.\n\nThe underlying memory for `Buffer` instances created in this way is *not\ninitialized*. The contents of the newly created `Buffer` are unknown and\n*may contain sensitive data*. Use [`buf.fill(0)`][] to initialize such\n`Buffer` instances to zeroes.\n\nWhen using `Buffer.allocUnsafe()` to allocate new `Buffer` instances,\nallocations under 4KB are, by default, sliced from a single pre-allocated\n`Buffer`. This allows applications to avoid the garbage collection overhead of\ncreating many individually allocated Buffers. This approach improves both\nperformance and memory usage by eliminating the need to track and cleanup as\nmany `Persistent` objects.\n\nHowever, in the case where a developer may need to retain a small chunk of\nmemory from a pool for an indeterminate amount of time, it may be appropriate\nto create an un-pooled Buffer instance using `Buffer.allocUnsafeSlow()` then\ncopy out the relevant bits.\n\n```js\n// need to keep around a few small chunks of memory\nconst store = [];\n\nsocket.on('readable', () => {\n const data = socket.read();\n // allocate for retained data\n const sb = Buffer.allocUnsafeSlow(10);\n // copy the data into the new allocation\n data.copy(sb, 0, 0, 10);\n store.push(sb);\n});\n```\n\nUse of `Buffer.allocUnsafeSlow()` should be used only as a last resort *after*\na developer has observed undue memory retention in their applications.\n\nA `TypeError` will be thrown if `size` is not a number.\n\n### All the Rest\n\nThe rest of the `Buffer` API is exactly the same as in node.js.\n[See the docs](https://nodejs.org/api/buffer.html).\n\n\n## Related links\n\n- [Node.js issue: Buffer(number) is unsafe](https://github.com/nodejs/node/issues/4660)\n- [Node.js Enhancement Proposal: Buffer.from/Buffer.alloc/Buffer.zalloc/Buffer() soft-deprecate](https://github.com/nodejs/node-eps/pull/4)\n\n## Why is `Buffer` unsafe?\n\nToday, the node.js `Buffer` constructor is overloaded to handle many different argument\ntypes like `String`, `Array`, `Object`, `TypedArrayView` (`Uint8Array`, etc.),\n`ArrayBuffer`, and also `Number`.\n\nThe API is optimized for convenience: you can throw any type at it, and it will try to do\nwhat you want.\n\nBecause the Buffer constructor is so powerful, you often see code like this:\n\n```js\n// Convert UTF-8 strings to hex\nfunction toHex (str) {\n return new Buffer(str).toString('hex')\n}\n```\n\n***But what happens if `toHex` is called with a `Number` argument?***\n\n### Remote Memory Disclosure\n\nIf an attacker can make your program call the `Buffer` constructor with a `Number`\nargument, then they can make it allocate uninitialized memory from the node.js process.\nThis could potentially disclose TLS private keys, user data, or database passwords.\n\nWhen the `Buffer` constructor is passed a `Number` argument, it returns an\n**UNINITIALIZED** block of memory of the specified `size`. When you create a `Buffer` like\nthis, you **MUST** overwrite the contents before returning it to the user.\n\nFrom the [node.js docs](https://nodejs.org/api/buffer.html#buffer_new_buffer_size):\n\n> `new Buffer(size)`\n>\n> - `size` Number\n>\n> The underlying memory for `Buffer` instances created in this way is not initialized.\n> **The contents of a newly created `Buffer` are unknown and could contain sensitive\n> data.** Use `buf.fill(0)` to initialize a Buffer to zeroes.\n\n(Emphasis our own.)\n\nWhenever the programmer intended to create an uninitialized `Buffer` you often see code\nlike this:\n\n```js\nvar buf = new Buffer(16)\n\n// Immediately overwrite the uninitialized buffer with data from another buffer\nfor (var i = 0; i < buf.length; i++) {\n buf[i] = otherBuf[i]\n}\n```\n\n\n### Would this ever be a problem in real code?\n\nYes. It's surprisingly common to forget to check the type of your variables in a\ndynamically-typed language like JavaScript.\n\nUsually the consequences of assuming the wrong type is that your program crashes with an\nuncaught exception. But the failure mode for forgetting to check the type of arguments to\nthe `Buffer` constructor is more catastrophic.\n\nHere's an example of a vulnerable service that takes a JSON payload and converts it to\nhex:\n\n```js\n// Take a JSON payload {str: \"some string\"} and convert it to hex\nvar server = http.createServer(function (req, res) {\n var data = ''\n req.setEncoding('utf8')\n req.on('data', function (chunk) {\n data += chunk\n })\n req.on('end', function () {\n var body = JSON.parse(data)\n res.end(new Buffer(body.str).toString('hex'))\n })\n})\n\nserver.listen(8080)\n```\n\nIn this example, an http client just has to send:\n\n```json\n{\n \"str\": 1000\n}\n```\n\nand it will get back 1,000 bytes of uninitialized memory from the server.\n\nThis is a very serious bug. It's similar in severity to the\n[the Heartbleed bug](http://heartbleed.com/) that allowed disclosure of OpenSSL process\nmemory by remote attackers.\n\n\n### Which real-world packages were vulnerable?\n\n#### [`bittorrent-dht`](https://www.npmjs.com/package/bittorrent-dht)\n\n[Mathias Buus](https://github.com/mafintosh) and I\n([Feross Aboukhadijeh](http://feross.org/)) found this issue in one of our own packages,\n[`bittorrent-dht`](https://www.npmjs.com/package/bittorrent-dht). The bug would allow\nanyone on the internet to send a series of messages to a user of `bittorrent-dht` and get\nthem to reveal 20 bytes at a time of uninitialized memory from the node.js process.\n\nHere's\n[the commit](https://github.com/feross/bittorrent-dht/commit/6c7da04025d5633699800a99ec3fbadf70ad35b8)\nthat fixed it. We released a new fixed version, created a\n[Node Security Project disclosure](https://nodesecurity.io/advisories/68), and deprecated all\nvulnerable versions on npm so users will get a warning to upgrade to a newer version.\n\n#### [`ws`](https://www.npmjs.com/package/ws)\n\nThat got us wondering if there were other vulnerable packages. Sure enough, within a short\nperiod of time, we found the same issue in [`ws`](https://www.npmjs.com/package/ws), the\nmost popular WebSocket implementation in node.js.\n\nIf certain APIs were called with `Number` parameters instead of `String` or `Buffer` as\nexpected, then uninitialized server memory would be disclosed to the remote peer.\n\nThese were the vulnerable methods:\n\n```js\nsocket.send(number)\nsocket.ping(number)\nsocket.pong(number)\n```\n\nHere's a vulnerable socket server with some echo functionality:\n\n```js\nserver.on('connection', function (socket) {\n socket.on('message', function (message) {\n message = JSON.parse(message)\n if (message.type === 'echo') {\n socket.send(message.data) // send back the user's message\n }\n })\n})\n```\n\n`socket.send(number)` called on the server, will disclose server memory.\n\nHere's [the release](https://github.com/websockets/ws/releases/tag/1.0.1) where the issue\nwas fixed, with a more detailed explanation. Props to\n[Arnout Kazemier](https://github.com/3rd-Eden) for the quick fix. Here's the\n[Node Security Project disclosure](https://nodesecurity.io/advisories/67).\n\n\n### What's the solution?\n\nIt's important that node.js offers a fast way to get memory otherwise performance-critical\napplications would needlessly get a lot slower.\n\nBut we need a better way to *signal our intent* as programmers. **When we want\nuninitialized memory, we should request it explicitly.**\n\nSensitive functionality should not be packed into a developer-friendly API that loosely\naccepts many different types. This type of API encourages the lazy practice of passing\nvariables in without checking the type very carefully.\n\n#### A new API: `Buffer.allocUnsafe(number)`\n\nThe functionality of creating buffers with uninitialized memory should be part of another\nAPI. We propose `Buffer.allocUnsafe(number)`. This way, it's not part of an API that\nfrequently gets user input of all sorts of different types passed into it.\n\n```js\nvar buf = Buffer.allocUnsafe(16) // careful, uninitialized memory!\n\n// Immediately overwrite the uninitialized buffer with data from another buffer\nfor (var i = 0; i < buf.length; i++) {\n buf[i] = otherBuf[i]\n}\n```\n\n\n### How do we fix node.js core?\n\nWe sent [a PR to node.js core](https://github.com/nodejs/node/pull/4514) (merged as\n`semver-major`) which defends against one case:\n\n```js\nvar str = 16\nnew Buffer(str, 'utf8')\n```\n\nIn this situation, it's implied that the programmer intended the first argument to be a\nstring, since they passed an encoding as a second argument. Today, node.js will allocate\nuninitialized memory in the case of `new Buffer(number, encoding)`, which is probably not\nwhat the programmer intended.\n\nBut this is only a partial solution, since if the programmer does `new Buffer(variable)`\n(without an `encoding` parameter) there's no way to know what they intended. If `variable`\nis sometimes a number, then uninitialized memory will sometimes be returned.\n\n### What's the real long-term fix?\n\nWe could deprecate and remove `new Buffer(number)` and use `Buffer.allocUnsafe(number)` when\nwe need uninitialized memory. But that would break 1000s of packages.\n\n~~We believe the best solution is to:~~\n\n~~1. Change `new Buffer(number)` to return safe, zeroed-out memory~~\n\n~~2. Create a new API for creating uninitialized Buffers. We propose: `Buffer.allocUnsafe(number)`~~\n\n#### Update\n\nWe now support adding three new APIs:\n\n- `Buffer.from(value)` - convert from any type to a buffer\n- `Buffer.alloc(size)` - create a zero-filled buffer\n- `Buffer.allocUnsafe(size)` - create an uninitialized buffer with given size\n\nThis solves the core problem that affected `ws` and `bittorrent-dht` which is\n`Buffer(variable)` getting tricked into taking a number argument.\n\nThis way, existing code continues working and the impact on the npm ecosystem will be\nminimal. Over time, npm maintainers can migrate performance-critical code to use\n`Buffer.allocUnsafe(number)` instead of `new Buffer(number)`.\n\n\n### Conclusion\n\nWe think there's a serious design issue with the `Buffer` API as it exists today. It\npromotes insecure software by putting high-risk functionality into a convenient API\nwith friendly \"developer ergonomics\".\n\nThis wasn't merely a theoretical exercise because we found the issue in some of the\nmost popular npm packages.\n\nFortunately, there's an easy fix that can be applied today. Use `safe-buffer` in place of\n`buffer`.\n\n```js\nvar Buffer = require('safe-buffer').Buffer\n```\n\nEventually, we hope that node.js core can switch to this new, safer behavior. We believe\nthe impact on the ecosystem would be minimal since it's not a breaking change.\nWell-maintained, popular packages would be updated to use `Buffer.alloc` quickly, while\nolder, insecure packages would magically become safe from this attack vector.\n\n\n## links\n\n- [Node.js PR: buffer: throw if both length and enc are passed](https://github.com/nodejs/node/pull/4514)\n- [Node Security Project disclosure for `ws`](https://nodesecurity.io/advisories/67)\n- [Node Security Project disclosure for`bittorrent-dht`](https://nodesecurity.io/advisories/68)\n\n\n## credit\n\nThe original issues in `bittorrent-dht`\n([disclosure](https://nodesecurity.io/advisories/68)) and\n`ws` ([disclosure](https://nodesecurity.io/advisories/67)) were discovered by\n[Mathias Buus](https://github.com/mafintosh) and\n[Feross Aboukhadijeh](http://feross.org/).\n\nThanks to [Adam Baldwin](https://github.com/evilpacket) for helping disclose these issues\nand for his work running the [Node Security Project](https://nodesecurity.io/).\n\nThanks to [John Hiesey](https://github.com/jhiesey) for proofreading this README and\nauditing the code.\n\n\n## license\n\nMIT. Copyright (C) [Feross Aboukhadijeh](http://feross.org)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/safe-buffer/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/send/README.md ---\n# send\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![CI][github-actions-ci-image]][github-actions-ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\nSend is a library for streaming files from the file system as a http response\nsupporting partial responses (Ranges), conditional-GET negotiation (If-Match,\nIf-Unmodified-Since, If-None-Match, If-Modified-Since), high test coverage,\nand granular events which may be leveraged to take appropriate actions in your\napplication or framework.\n\nLooking to serve up entire folders mapped to URLs? Try [serve-static](https://www.npmjs.org/package/serve-static).\n\n## Installation\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```bash\n$ npm install send\n```\n\n## API\n\n```js\nvar send = require('send')\n```\n\n### send(req, path, [options])\n\nCreate a new `SendStream` for the given path to send to a `res`. The `req` is\nthe Node.js HTTP request and the `path` is a urlencoded path to send (urlencoded,\nnot the actual file-system path).\n\n#### Options\n\n##### acceptRanges\n\nEnable or disable accepting ranged requests, defaults to true.\nDisabling this will not send `Accept-Ranges` and ignore the contents\nof the `Range` request header.\n\n##### cacheControl\n\nEnable or disable setting `Cache-Control` response header, defaults to\ntrue. Disabling this will ignore the `immutable` and `maxAge` options.\n\n##### dotfiles\n\nSet how \"dotfiles\" are treated when encountered. A dotfile is a file\nor directory that begins with a dot (\".\"). Note this check is done on\nthe path itself without checking if the path actually exists on the\ndisk. If `root` is specified, only the dotfiles above the root are\nchecked (i.e. the root itself can be within a dotfile when set\nto \"deny\").\n\n - `'allow'` No special treatment for dotfiles.\n - `'deny'` Send a 403 for any request for a dotfile.\n - `'ignore'` Pretend like the dotfile does not exist and 404.\n\nThe default value is _similar_ to `'ignore'`, with the exception that\nthis default will not ignore the files within a directory that begins\nwith a dot, for backward-compatibility.\n\n##### end\n\nByte offset at which the stream ends, defaults to the length of the file\nminus 1. The end is inclusive in the stream, meaning `end: 3` will include\nthe 4th byte in the stream.\n\n##### etag\n\nEnable or disable etag generation, defaults to true.\n\n##### extensions\n\nIf a given file doesn't exist, try appending one of the given extensions,\nin the given order. By default, this is disabled (set to `false`). An\nexample value that will serve extension-less HTML files: `['html', 'htm']`.\nThis is skipped if the requested file already has an extension.\n\n##### immutable\n\nEnable or disable the `immutable` directive in the `Cache-Control` response\nheader, defaults to `false`. If set to `true`, the `maxAge` option should\nalso be specified to enable caching. The `immutable` directive will prevent\nsupported clients from making conditional requests during the life of the\n`maxAge` option to check if the file has changed.\n\n##### index\n\nBy default send supports \"index.html\" files, to disable this\nset `false` or to supply a new index pass a string or an array\nin preferred order.\n\n##### lastModified\n\nEnable or disable `Last-Modified` header, defaults to true. Uses the file\nsystem's last modified value.\n\n##### maxAge\n\nProvide a max-age in milliseconds for http caching, defaults to 0.\nThis can also be a string accepted by the\n[ms](https://www.npmjs.org/package/ms#readme) module.\n\n##### root\n\nServe files relative to `path`.\n\n##### start\n\nByte offset at which the stream starts, defaults to 0. The start is inclusive,\nmeaning `start: 2` will include the 3rd byte in the stream.\n\n#### Events\n\nThe `SendStream` is an event emitter and will emit the following events:\n\n - `error` an error occurred `(err)`\n - `directory` a directory was requested `(res, path)`\n - `file` a file was requested `(path, stat)`\n - `headers` the headers are about to be set on a file `(res, path, stat)`\n - `stream` file streaming has started `(stream)`\n - `end` streaming has completed\n\n#### .pipe\n\nThe `pipe` method is used to pipe the response into the Node.js HTTP response\nobject, typically `send(req, path, options).pipe(res)`.\n\n## Error-handling\n\nBy default when no `error` listeners are present an automatic response will be\nmade, otherwise you have full control over the response, aka you may show a 5xx\npage etc.\n\n## Caching\n\nIt does _not_ perform internal caching, you should use a reverse proxy cache\nsuch as Varnish for this, or those fancy things called CDNs. If your\napplication is small enough that it would benefit from single-node memory\ncaching, it's small enough that it does not need caching at all ;).\n\n## Debugging\n\nTo enable `debug()` instrumentation output export __DEBUG__:\n\n```\n$ DEBUG=send node app\n```\n\n## Running tests\n\n```\n$ npm install\n$ npm test\n```\n\n## Examples\n\n### Serve a specific file\n\nThis simple example will send a specific file to all requests.\n\n```js\nvar http = require('http')\nvar send = require('send')\n\nvar server = http.createServer(function onRequest (req, res) {\n send(req, '/path/to/index.html')\n .pipe(res)\n})\n\nserver.listen(3000)\n```\n\n### Serve all files from a directory\n\nThis simple example will just serve up all the files in a\ngiven directory as the top-level. For example, a request\n`GET /foo.txt` will send back `/www/public/foo.txt`.\n\n```js\nvar http = require('http')\nvar parseUrl = require('parseurl')\nvar send = require('send')\n\nvar server = http.createServer(function onRequest (req, res) {\n send(req, parseUrl(req).pathname, { root: '/www/public' })\n .pipe(res)\n})\n\nserver.listen(3000)\n```\n\n### Custom file types\n\n```js\nvar extname = require('path').extname\nvar http = require('http')\nvar parseUrl = require('parseurl')\nvar send = require('send')\n\nvar server = http.createServer(function onRequest (req, res) {\n send(req, parseUrl(req).pathname, { root: '/www/public' })\n .on('headers', function (res, path) {\n switch (extname(path)) {\n case '.x-mt':\n case '.x-mtt':\n // custom type for these extensions\n res.setHeader('Content-Type', 'application/x-my-type')\n break\n }\n })\n .pipe(res)\n})\n\nserver.listen(3000)\n```\n\n### Custom directory index view\n\nThis is an example of serving up a structure of directories with a\ncustom function to render a listing of a directory.\n\n```js\nvar http = require('http')\nvar fs = require('fs')\nvar parseUrl = require('parseurl')\nvar send = require('send')\n\n// Transfer arbitrary files from within /www/example.com/public/*\n// with a custom handler for directory listing\nvar server = http.createServer(function onRequest (req, res) {\n send(req, parseUrl(req).pathname, { index: false, root: '/www/public' })\n .once('directory', directory)\n .pipe(res)\n})\n\nserver.listen(3000)\n\n// Custom directory handler\nfunction directory (res, path) {\n var stream = this\n\n // redirect to trailing slash for consistent url\n if (!stream.hasTrailingSlash()) {\n return stream.redirect(path)\n }\n\n // get directory list\n fs.readdir(path, function onReaddir (err, list) {\n if (err) return stream.error(err)\n\n // render an index for the directory\n res.setHeader('Content-Type', 'text/plain; charset=UTF-8')\n res.end(list.join('\\n') + '\\n')\n })\n}\n```\n\n### Serving from a root directory with custom error-handling\n\n```js\nvar http = require('http')\nvar parseUrl = require('parseurl')\nvar send = require('send')\n\nvar server = http.createServer(function onRequest (req, res) {\n // your custom error-handling logic:\n function error (err) {\n res.statusCode = err.status || 500\n res.end(err.message)\n }\n\n // your custom headers\n function headers (res, path, stat) {\n // serve all files for download\n res.setHeader('Content-Disposition', 'attachment')\n }\n\n // your custom directory handling logic:\n function redirect () {\n res.statusCode = 301\n res.setHeader('Location', req.url + '/')\n res.end('Redirecting to ' + req.url + '/')\n }\n\n // transfer arbitrary files from within\n // /www/example.com/public/*\n send(req, parseUrl(req).pathname, { root: '/www/public' })\n .on('error', error)\n .on('directory', redirect)\n .on('headers', headers)\n .pipe(res)\n})\n\nserver.listen(3000)\n```\n\n## License\n\n[MIT](LICENSE)\n\n[coveralls-image]: https://badgen.net/coveralls/c/github/pillarjs/send/master\n[coveralls-url]: https://coveralls.io/r/pillarjs/send?branch=master\n[github-actions-ci-image]: https://badgen.net/github/checks/pillarjs/send/master?label=linux\n[github-actions-ci-url]: https://github.com/pillarjs/send/actions/workflows/ci.yml\n[node-image]: https://badgen.net/npm/node/send\n[node-url]: https://nodejs.org/en/download/\n[npm-downloads-image]: https://badgen.net/npm/dm/send\n[npm-url]: https://npmjs.org/package/send\n[npm-version-image]: https://badgen.net/npm/v/send\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/send/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/serve-static/README.md ---\n# serve-static\n\n[![NPM Version][npm-version-image]][npm-url]\n[![NPM Downloads][npm-downloads-image]][npm-url]\n[![CI][github-actions-ci-image]][github-actions-ci-url]\n[![Test Coverage][coveralls-image]][coveralls-url]\n\n## Install\n\nThis is a [Node.js](https://nodejs.org/en/) module available through the\n[npm registry](https://www.npmjs.com/). Installation is done using the\n[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally):\n\n```sh\n$ npm install serve-static\n```\n\n## API\n\n```js\nvar serveStatic = require('serve-static')\n```\n\n### serveStatic(root, options)\n\nCreate a new middleware function to serve files from within a given root\ndirectory. The file to serve will be determined by combining `req.url`\nwith the provided root directory. When a file is not found, instead of\nsending a 404 response, this module will instead call `next()` to move on\nto the next middleware, allowing for stacking and fall-backs.\n\n#### Options\n\n##### acceptRanges\n\nEnable or disable accepting ranged requests, defaults to true.\nDisabling this will not send `Accept-Ranges` and ignore the contents\nof the `Range` request header.\n\n##### cacheControl\n\nEnable or disable setting `Cache-Control` response header, defaults to\ntrue. Disabling this will ignore the `immutable` and `maxAge` options.\n\n##### dotfiles\n\nSet how \"dotfiles\" are treated when encountered. A dotfile is a file\nor directory that begins with a dot (\".\"). Note this check is done on\nthe path itself without checking if the path actually exists on the\ndisk. If `root` is specified, only the dotfiles above the root are\nchecked (i.e. the root itself can be within a dotfile when set\nto \"deny\").\n\n - `'allow'` No special treatment for dotfiles.\n - `'deny'` Deny a request for a dotfile and 403/`next()`.\n - `'ignore'` Pretend like the dotfile does not exist and 404/`next()`.\n\nThe default value is `'ignore'`.\n\n##### etag\n\nEnable or disable etag generation, defaults to true.\n\n##### extensions\n\nSet file extension fallbacks. When set, if a file is not found, the given\nextensions will be added to the file name and search for. The first that\nexists will be served. Example: `['html', 'htm']`.\n\nThe default value is `false`.\n\n##### fallthrough\n\nSet the middleware to have client errors fall-through as just unhandled\nrequests, otherwise forward a client error. The difference is that client\nerrors like a bad request or a request to a non-existent file will cause\nthis middleware to simply `next()` to your next middleware when this value\nis `true`. When this value is `false`, these errors (even 404s), will invoke\n`next(err)`.\n\nTypically `true` is desired such that multiple physical directories can be\nmapped to the same web address or for routes to fill in non-existent files.\n\nThe value `false` can be used if this middleware is mounted at a path that\nis designed to be strictly a single file system directory, which allows for\nshort-circuiting 404s for less overhead. This middleware will also reply to\nall methods.\n\nThe default value is `true`.\n\n##### immutable\n\nEnable or disable the `immutable` directive in the `Cache-Control` response\nheader, defaults to `false`. If set to `true`, the `maxAge` option should\nalso be specified to enable caching. The `immutable` directive will prevent\nsupported clients from making conditional requests during the life of the\n`maxAge` option to check if the file has changed.\n\n##### index\n\nBy default this module will send \"index.html\" files in response to a request\non a directory. To disable this set `false` or to supply a new index pass a\nstring or an array in preferred order.\n\n##### lastModified\n\nEnable or disable `Last-Modified` header, defaults to true. Uses the file\nsystem's last modified value.\n\n##### maxAge\n\nProvide a max-age in milliseconds for http caching, defaults to 0. This\ncan also be a string accepted by the [ms](https://www.npmjs.org/package/ms#readme)\nmodule.\n\n##### redirect\n\nRedirect to trailing \"/\" when the pathname is a dir. Defaults to `true`.\n\n##### setHeaders\n\nFunction to set custom headers on response. Alterations to the headers need to\noccur synchronously. The function is called as `fn(res, path, stat)`, where\nthe arguments are:\n\n - `res` the response object\n - `path` the file path that is being sent\n - `stat` the stat object of the file that is being sent\n\n## Examples\n\n### Serve files with vanilla node.js http server\n\n```js\nvar finalhandler = require('finalhandler')\nvar http = require('http')\nvar serveStatic = require('serve-static')\n\n// Serve up public/ftp folder\nvar serve = serveStatic('public/ftp', { index: ['index.html', 'index.htm'] })\n\n// Create server\nvar server = http.createServer(function onRequest (req, res) {\n serve(req, res, finalhandler(req, res))\n})\n\n// Listen\nserver.listen(3000)\n```\n\n### Serve all files as downloads\n\n```js\nvar contentDisposition = require('content-disposition')\nvar finalhandler = require('finalhandler')\nvar http = require('http')\nvar serveStatic = require('serve-static')\n\n// Serve up public/ftp folder\nvar serve = serveStatic('public/ftp', {\n index: false,\n setHeaders: setHeaders\n})\n\n// Set header to force download\nfunction setHeaders (res, path) {\n res.setHeader('Content-Disposition', contentDisposition(path))\n}\n\n// Create server\nvar server = http.createServer(function onRequest (req, res) {\n serve(req, res, finalhandler(req, res))\n})\n\n// Listen\nserver.listen(3000)\n```\n\n### Serving using express\n\n#### Simple\n\nThis is a simple example of using Express.\n\n```js\nvar express = require('express')\nvar serveStatic = require('serve-static')\n\nvar app = express()\n\napp.use(serveStatic('public/ftp', { index: ['default.html', 'default.htm'] }))\napp.listen(3000)\n```\n\n#### Multiple roots\n\nThis example shows a simple way to search through multiple directories.\nFiles are searched for in `public-optimized/` first, then `public/` second\nas a fallback.\n\n```js\nvar express = require('express')\nvar path = require('path')\nvar serveStatic = require('serve-static')\n\nvar app = express()\n\napp.use(serveStatic(path.join(__dirname, 'public-optimized')))\napp.use(serveStatic(path.join(__dirname, 'public')))\napp.listen(3000)\n```\n\n#### Different settings for paths\n\nThis example shows how to set a different max age depending on the served\nfile. In this example, HTML files are not cached, while everything else\nis for 1 day.\n\n```js\nvar express = require('express')\nvar path = require('path')\nvar serveStatic = require('serve-static')\n\nvar app = express()\n\napp.use(serveStatic(path.join(__dirname, 'public'), {\n maxAge: '1d',\n setHeaders: setCustomCacheControl\n}))\n\napp.listen(3000)\n\nfunction setCustomCacheControl (res, file) {\n if (path.extname(file) === '.html') {\n // Custom Cache-Control for HTML files\n res.setHeader('Cache-Control', 'public, max-age=0')\n }\n}\n```\n\n## License\n\n[MIT](LICENSE)\n\n[coveralls-image]: https://badgen.net/coveralls/c/github/expressjs/serve-static/master\n[coveralls-url]: https://coveralls.io/r/expressjs/serve-static?branch=master\n[github-actions-ci-image]: https://badgen.net/github/checks/expressjs/serve-static/master?label=linux\n[github-actions-ci-url]: https://github.com/expressjs/serve-static/actions/workflows/ci.yml\n[node-image]: https://badgen.net/npm/node/serve-static\n[node-url]: https://nodejs.org/en/download/\n[npm-downloads-image]: https://badgen.net/npm/dm/serve-static\n[npm-url]: https://npmjs.org/package/serve-static\n[npm-version-image]: https://badgen.net/npm/v/serve-static\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/serve-static/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/setprototypeof/README.md ---\n# Polyfill for `Object.setPrototypeOf`\n\n[![NPM Version](https://img.shields.io/npm/v/setprototypeof.svg)](https://npmjs.org/package/setprototypeof)\n[![NPM Downloads](https://img.shields.io/npm/dm/setprototypeof.svg)](https://npmjs.org/package/setprototypeof)\n[![js-standard-style](https://img.shields.io/badge/code%20style-standard-brightgreen.svg)](https://github.com/standard/standard)\n\nA simple cross platform implementation to set the prototype of an instianted object. Supports all modern browsers and at least back to IE8.\n\n## Usage:\n\n```\n$ npm install --save setprototypeof\n```\n\n```javascript\nvar setPrototypeOf = require('setprototypeof')\n\nvar obj = {}\nsetPrototypeOf(obj, {\n foo: function () {\n return 'bar'\n }\n})\nobj.foo() // bar\n```\n\nTypeScript is also supported:\n\n```typescript\nimport setPrototypeOf from 'setprototypeof'\n```\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/setprototypeof/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/side-channel-list/README.md ---\n# side-channel-list <sup>[![Version Badge][npm-version-svg]][package-url]</sup>\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nStore information about any JS value in a side channel, using a linked list.\n\nWarning: this implementation will leak memory until you `delete` the `key`.\nUse [`side-channel`](https://npmjs.com/side-channel) for the best available strategy.\n\n## Getting started\n\n```sh\nnpm install --save side-channel-list\n```\n\n## Usage/Examples\n\n```js\nconst assert = require('assert');\nconst getSideChannelList = require('side-channel-list');\n\nconst channel = getSideChannelList();\n\nconst key = {};\nassert.equal(channel.has(key), false);\nassert.throws(() => channel.assert(key), TypeError);\n\nchannel.set(key, 42);\n\nchannel.assert(key); // does not throw\nassert.equal(channel.has(key), true);\nassert.equal(channel.get(key), 42);\n\nchannel.delete(key);\nassert.equal(channel.has(key), false);\nassert.throws(() => channel.assert(key), TypeError);\n```\n\n## Tests\n\nClone the repo, `npm install`, and run `npm test`\n\n[package-url]: https://npmjs.org/package/side-channel-list\n[npm-version-svg]: https://versionbadg.es/ljharb/side-channel-list.svg\n[deps-svg]: https://david-dm.org/ljharb/side-channel-list.svg\n[deps-url]: https://david-dm.org/ljharb/side-channel-list\n[dev-deps-svg]: https://david-dm.org/ljharb/side-channel-list/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/side-channel-list#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/side-channel-list.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/side-channel-list.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/side-channel-list.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=side-channel-list\n[codecov-image]: https://codecov.io/gh/ljharb/side-channel-list/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/side-channel-list/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/side-channel-list\n[actions-url]: https://github.com/ljharb/side-channel-list/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/side-channel-list/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/side-channel-map/README.md ---\n# side-channel-map <sup>[![Version Badge][npm-version-svg]][package-url]</sup>\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nStore information about any JS value in a side channel, using a Map.\n\nWarning: if the `key` is an object, this implementation will leak memory until you `delete` it.\nUse [`side-channel`](https://npmjs.com/side-channel) for the best available strategy.\n\n## Getting started\n\n```sh\nnpm install --save side-channel-map\n```\n\n## Usage/Examples\n\n```js\nconst assert = require('assert');\nconst getSideChannelMap = require('side-channel-map');\n\nconst channel = getSideChannelMap();\n\nconst key = {};\nassert.equal(channel.has(key), false);\nassert.throws(() => channel.assert(key), TypeError);\n\nchannel.set(key, 42);\n\nchannel.assert(key); // does not throw\nassert.equal(channel.has(key), true);\nassert.equal(channel.get(key), 42);\n\nchannel.delete(key);\nassert.equal(channel.has(key), false);\nassert.throws(() => channel.assert(key), TypeError);\n```\n\n## Tests\n\nClone the repo, `npm install`, and run `npm test`\n\n[package-url]: https://npmjs.org/package/side-channel-map\n[npm-version-svg]: https://versionbadg.es/ljharb/side-channel-map.svg\n[deps-svg]: https://david-dm.org/ljharb/side-channel-map.svg\n[deps-url]: https://david-dm.org/ljharb/side-channel-map\n[dev-deps-svg]: https://david-dm.org/ljharb/side-channel-map/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/side-channel-map#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/side-channel-map.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/side-channel-map.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/side-channel-map.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=side-channel-map\n[codecov-image]: https://codecov.io/gh/ljharb/side-channel-map/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/side-channel-map/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/side-channel-map\n[actions-url]: https://github.com/ljharb/side-channel-map/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/side-channel-map/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/side-channel-weakmap/README.md ---\n# side-channel-weakmap <sup>[![Version Badge][npm-version-svg]][package-url]</sup>\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nStore information about any JS value in a side channel. Uses WeakMap if available.\n\nWarning: this implementation will leak memory until you `delete` the `key`.\nUse [`side-channel`](https://npmjs.com/side-channel) for the best available strategy.\n\n## Getting started\n\n```sh\nnpm install --save side-channel-weakmap\n```\n\n## Usage/Examples\n\n```js\nconst assert = require('assert');\nconst getSideChannelList = require('side-channel-weakmap');\n\nconst channel = getSideChannelList();\n\nconst key = {};\nassert.equal(channel.has(key), false);\nassert.throws(() => channel.assert(key), TypeError);\n\nchannel.set(key, 42);\n\nchannel.assert(key); // does not throw\nassert.equal(channel.has(key), true);\nassert.equal(channel.get(key), 42);\n\nchannel.delete(key);\nassert.equal(channel.has(key), false);\nassert.throws(() => channel.assert(key), TypeError);\n```\n\n## Tests\n\nClone the repo, `npm install`, and run `npm test`\n\n[package-url]: https://npmjs.org/package/side-channel-weakmap\n[npm-version-svg]: https://versionbadg.es/ljharb/side-channel-weakmap.svg\n[deps-svg]: https://david-dm.org/ljharb/side-channel-weakmap.svg\n[deps-url]: https://david-dm.org/ljharb/side-channel-weakmap\n[dev-deps-svg]: https://david-dm.org/ljharb/side-channel-weakmap/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/side-channel-weakmap#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/side-channel-weakmap.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/side-channel-weakmap.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/side-channel-weakmap.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=side-channel-weakmap\n[codecov-image]: https://codecov.io/gh/ljharb/side-channel-weakmap/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/side-channel-weakmap/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/side-channel-weakmap\n[actions-url]: https://github.com/ljharb/side-channel-weakmap/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/side-channel-weakmap/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/side-channel/README.md ---\n# side-channel <sup>[![Version Badge][npm-version-svg]][package-url]</sup>\n\n[![github actions][actions-image]][actions-url]\n[![coverage][codecov-image]][codecov-url]\n[![License][license-image]][license-url]\n[![Downloads][downloads-image]][downloads-url]\n\n[![npm badge][npm-badge-png]][package-url]\n\nStore information about any JS value in a side channel. Uses WeakMap if available.\n\nWarning: in an environment that lacks `WeakMap`, this implementation will leak memory until you `delete` the `key`.\n\n## Getting started\n\n```sh\nnpm install --save side-channel\n```\n\n## Usage/Examples\n\n```js\nconst assert = require('assert');\nconst getSideChannel = require('side-channel');\n\nconst channel = getSideChannel();\n\nconst key = {};\nassert.equal(channel.has(key), false);\nassert.throws(() => channel.assert(key), TypeError);\n\nchannel.set(key, 42);\n\nchannel.assert(key); // does not throw\nassert.equal(channel.has(key), true);\nassert.equal(channel.get(key), 42);\n\nchannel.delete(key);\nassert.equal(channel.has(key), false);\nassert.throws(() => channel.assert(key), TypeError);\n```\n\n## Tests\n\nClone the repo, `npm install`, and run `npm test`\n\n[package-url]: https://npmjs.org/package/side-channel\n[npm-version-svg]: https://versionbadg.es/ljharb/side-channel.svg\n[deps-svg]: https://david-dm.org/ljharb/side-channel.svg\n[deps-url]: https://david-dm.org/ljharb/side-channel\n[dev-deps-svg]: https://david-dm.org/ljharb/side-channel/dev-status.svg\n[dev-deps-url]: https://david-dm.org/ljharb/side-channel#info=devDependencies\n[npm-badge-png]: https://nodei.co/npm/side-channel.png?downloads=true&stars=true\n[license-image]: https://img.shields.io/npm/l/side-channel.svg\n[license-url]: LICENSE\n[downloads-image]: https://img.shields.io/npm/dm/side-channel.svg\n[downloads-url]: https://npm-stat.com/charts.html?package=side-channel\n[codecov-image]: https://codecov.io/gh/ljharb/side-channel/branch/main/graphs/badge.svg\n[codecov-url]: https://app.codecov.io/gh/ljharb/side-channel/\n[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/side-channel\n[actions-url]: https://github.com/ljharb/side-channel/actions\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/side-channel/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/siginfo/README.md ---\n# `siginfo`\n\n[![Build Status](https://travis-ci.org/emilbayes/siginfo.svg?branch=master)](https://travis-ci.org/eemilbayes/siginfo)\n\n> Utility module to print pretty messages on SIGINFO/SIGUSR1\n\n`SIGINFO` on BSD / macOS and `SIGUSR1` on Linux, usually triggered by\n`Ctrl + T`, are by convention used to print information about\na long running process internal state. Eg. `dd` will tell you how many blocks it\nhas written and at what speed, while `xz` will tell you progress, compression\nratio and estimated time remaining.\n\nThis module wraps both signals, checks if the process is connected to TTY and\nlets you do whatever you want.\n\n## Usage\n\n```js\nvar siginfo = require('siginfo')\nvar pkg = require('./package.json')\n\nsiginfo(function () {\n console.dir({\n version: pkg.version,\n uptime: process.uptime()\n })\n})\n\n```\n\n## API\n\n### `var removeListener = siginfo(queryFn, [force])`\n\n`queryFn` can be used for whatever you want (logging, sending a UDP message, etc.).\nSetting `force = true` will attach the event handlers whether a TTY is present\nor not.\n\n## Install\n\n```sh\nnpm install siginfo\n```\n\n## License\n\n[ISC](LICENSE)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/siginfo/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/source-map-js/README.md ---\n# Source Map JS\n\n[![NPM](https://nodei.co/npm/source-map-js.png?downloads=true&downloadRank=true)](https://www.npmjs.com/package/source-map-js)\n\nDifference between original [source-map](https://github.com/mozilla/source-map):\n\n> TL,DR: it's fork of original source-map@0.6, but with perfomance optimizations.\n\nThis journey starts from [source-map@0.7.0](https://github.com/mozilla/source-map/blob/master/CHANGELOG.md#070). Some part of it was rewritten to Rust and WASM and API became async.\n\nIt's still a major block for many libraries like PostCSS or Sass for example because they need to migrate the whole API to the async way. This is the reason why 0.6.1 has 2x more downloads than 0.7.3 while it's faster several times.\n\n![Downloads count](media/downloads.png)\n\nMore important that WASM version has some optimizations in JS code too. This is why [community asked to create branch for 0.6 version](https://github.com/mozilla/source-map/issues/324) and port these optimizations but, sadly, the answer was «no». A bit later I discovered [the issue](https://github.com/mozilla/source-map/issues/370) created by [Ben Rothman (@benthemonkey)](https://github.com/benthemonkey) with no response at all.\n\n[Roman Dvornov (@lahmatiy)](https://github.com/lahmatiy) wrote a [serveral posts](https://t.me/gorshochekvarit/76) (russian, only, sorry) about source-map library in his own Telegram channel. He mentioned the article [«Maybe you don't need Rust and WASM to speed up your JS»](https://mrale.ph/blog/2018/02/03/maybe-you-dont-need-rust-to-speed-up-your-js.html) written by [Vyacheslav Egorov (@mraleph)](https://github.com/mraleph). This article contains optimizations and hacks that lead to almost the same performance compare to WASM implementation.\n\nI decided to fork the original source-map and port these optimizations from the article and several others PR from the original source-map.\n\n---------\n\nThis is a library to generate and consume the source map format\n[described here][format].\n\n[format]: https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k/edit\n\n## Use with Node\n\n $ npm install source-map-js\n\n<!-- ## Use on the Web\n\n <script src=\"https://raw.githubusercontent.com/mozilla/source-map/master/dist/source-map.min.js\" defer></script> -->\n\n--------------------------------------------------------------------------------\n\n<!-- `npm run toc` to regenerate the Table of Contents -->\n\n<!-- START doctoc generated TOC please keep comment here to allow auto update -->\n<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->\n## Table of Contents\n\n- [Examples](#examples)\n - [Consuming a source map](#consuming-a-source-map)\n - [Generating a source map](#generating-a-source-map)\n - [With SourceNode (high level API)](#with-sourcenode-high-level-api)\n - [With SourceMapGenerator (low level API)](#with-sourcemapgenerator-low-level-api)\n- [API](#api)\n - [SourceMapConsumer](#sourcemapconsumer)\n - [new SourceMapConsumer(rawSourceMap)](#new-sourcemapconsumerrawsourcemap)\n - [SourceMapConsumer.prototype.computeColumnSpans()](#sourcemapconsumerprototypecomputecolumnspans)\n - [SourceMapConsumer.prototype.originalPositionFor(generatedPosition)](#sourcemapconsumerprototypeoriginalpositionforgeneratedposition)\n - [SourceMapConsumer.prototype.generatedPositionFor(originalPosition)](#sourcemapconsumerprototypegeneratedpositionfororiginalposition)\n - [SourceMapConsumer.prototype.allGeneratedPositionsFor(originalPosition)](#sourcemapconsumerprototypeallgeneratedpositionsfororiginalposition)\n - [SourceMapConsumer.prototype.hasContentsOfAllSources()](#sourcemapconsumerprototypehascontentsofallsources)\n - [SourceMapConsumer.prototype.sourceContentFor(source[, returnNullOnMissing])](#sourcemapconsumerprototypesourcecontentforsource-returnnullonmissing)\n - [SourceMapConsumer.prototype.eachMapping(callback, context, order)](#sourcemapconsumerprototypeeachmappingcallback-context-order)\n - [SourceMapGenerator](#sourcemapgenerator)\n - [new SourceMapGenerator([startOfSourceMap])](#new-sourcemapgeneratorstartofsourcemap)\n - [SourceMapGenerator.fromSourceMap(sourceMapConsumer)](#sourcemapgeneratorfromsourcemapsourcemapconsumer)\n - [SourceMapGenerator.prototype.addMapping(mapping)](#sourcemapgeneratorprototypeaddmappingmapping)\n - [SourceMapGenerator.prototype.setSourceContent(sourceFile, sourceContent)](#sourcemapgeneratorprototypesetsourcecontentsourcefile-sourcecontent)\n - [SourceMapGenerator.prototype.applySourceMap(sourceMapConsumer[, sourceFile[, sourceMapPath]])](#sourcemapgeneratorprototypeapplysourcemapsourcemapconsumer-sourcefile-sourcemappath)\n - [SourceMapGenerator.prototype.toString()](#sourcemapgeneratorprototypetostring)\n - [SourceNode](#sourcenode)\n - [new SourceNode([line, column, source[, chunk[, name]]])](#new-sourcenodeline-column-source-chunk-name)\n - [SourceNode.fromStringWithSourceMap(code, sourceMapConsumer[, relativePath])](#sourcenodefromstringwithsourcemapcode-sourcemapconsumer-relativepath)\n - [SourceNode.prototype.add(chunk)](#sourcenodeprototypeaddchunk)\n - [SourceNode.prototype.prepend(chunk)](#sourcenodeprototypeprependchunk)\n - [SourceNode.prototype.setSourceContent(sourceFile, sourceContent)](#sourcenodeprototypesetsourcecontentsourcefile-sourcecontent)\n - [SourceNode.prototype.walk(fn)](#sourcenodeprototypewalkfn)\n - [SourceNode.prototype.walkSourceContents(fn)](#sourcenodeprototypewalksourcecontentsfn)\n - [SourceNode.prototype.join(sep)](#sourcenodeprototypejoinsep)\n - [SourceNode.prototype.replaceRight(pattern, replacement)](#sourcenodeprototypereplacerightpattern-replacement)\n - [SourceNode.prototype.toString()](#sourcenodeprototypetostring)\n - [SourceNode.prototype.toStringWithSourceMap([startOfSourceMap])](#sourcenodeprototypetostringwithsourcemapstartofsourcemap)\n\n<!-- END doctoc generated TOC please keep comment here to allow auto update -->\n\n## Examples\n\n### Consuming a source map\n\n```js\nvar rawSourceMap = {\n version: 3,\n file: 'min.js',\n names: ['bar', 'baz', 'n'],\n sources: ['one.js', 'two.js'],\n sourceRoot: 'http://example.com/www/js/',\n mappings: 'CAAC,IAAI,IAAM,SAAUA,GAClB,OAAOC,IAAID;CCDb,IAAI,IAAM,SAAUE,GAClB,OAAOA'\n};\n\nvar smc = new SourceMapConsumer(rawSourceMap);\n\nconsole.log(smc.sources);\n// [ 'http://example.com/www/js/one.js',\n// 'http://example.com/www/js/two.js' ]\n\nconsole.log(smc.originalPositionFor({\n line: 2,\n column: 28\n}));\n// { source: 'http://example.com/www/js/two.js',\n// line: 2,\n// column: 10,\n// name: 'n' }\n\nconsole.log(smc.generatedPositionFor({\n source: 'http://example.com/www/js/two.js',\n line: 2,\n column: 10\n}));\n// { line: 2, column: 28 }\n\nsmc.eachMapping(function (m) {\n // ...\n});\n```\n\n### Generating a source map\n\nIn depth guide:\n[**Compiling to JavaScript, and Debugging with Source Maps**](https://hacks.mozilla.org/2013/05/compiling-to-javascript-and-debugging-with-source-maps/)\n\n#### With SourceNode (high level API)\n\n```js\nfunction compile(ast) {\n switch (ast.type) {\n case 'BinaryExpression':\n return new SourceNode(\n ast.location.line,\n ast.location.column,\n ast.location.source,\n [compile(ast.left), \" + \", compile(ast.right)]\n );\n case 'Literal':\n return new SourceNode(\n ast.location.line,\n ast.location.column,\n ast.location.source,\n String(ast.value)\n );\n // ...\n default:\n throw new Error(\"Bad AST\");\n }\n}\n\nvar ast = parse(\"40 + 2\", \"add.js\");\nconsole.log(compile(ast).toStringWithSourceMap({\n file: 'add.js'\n}));\n// { code: '40 + 2',\n// map: [object SourceMapGenerator] }\n```\n\n#### With SourceMapGenerator (low level API)\n\n```js\nvar map = new SourceMapGenerator({\n file: \"source-mapped.js\"\n});\n\nmap.addMapping({\n generated: {\n line: 10,\n column: 35\n },\n source: \"foo.js\",\n original: {\n line: 33,\n column: 2\n },\n name: \"christopher\"\n});\n\nconsole.log(map.toString());\n// '{\"version\":3,\"file\":\"source-mapped.js\",\"sources\":[\"foo.js\"],\"names\":[\"christopher\"],\"mappings\":\";;;;;;;;;mCAgCEA\"}'\n```\n\n## API\n\nGet a reference to the module:\n\n```js\n// Node.js\nvar sourceMap = require('source-map');\n\n// Browser builds\nvar sourceMap = window.sourceMap;\n\n// Inside Firefox\nconst sourceMap = require(\"devtools/toolkit/sourcemap/source-map.js\");\n```\n\n### SourceMapConsumer\n\nA SourceMapConsumer instance represents a parsed source map which we can query\nfor information about the original file positions by giving it a file position\nin the generated source.\n\n#### new SourceMapConsumer(rawSourceMap)\n\nThe only parameter is the raw source map (either as a string which can be\n`JSON.parse`'d, or an object). According to the spec, source maps have the\nfollowing attributes:\n\n* `version`: Which version of the source map spec this map is following.\n\n* `sources`: An array of URLs to the original source files.\n\n* `names`: An array of identifiers which can be referenced by individual\n mappings.\n\n* `sourceRoot`: Optional. The URL root from which all sources are relative.\n\n* `sourcesContent`: Optional. An array of contents of the original source files.\n\n* `mappings`: A string of base64 VLQs which contain the actual mappings.\n\n* `file`: Optional. The generated filename this source map is associated with.\n\n```js\nvar consumer = new sourceMap.SourceMapConsumer(rawSourceMapJsonData);\n```\n\n#### SourceMapConsumer.prototype.computeColumnSpans()\n\nCompute the last column for each generated mapping. The last column is\ninclusive.\n\n```js\n// Before:\nconsumer.allGeneratedPositionsFor({ line: 2, source: \"foo.coffee\" })\n// [ { line: 2,\n// column: 1 },\n// { line: 2,\n// column: 10 },\n// { line: 2,\n// column: 20 } ]\n\nconsumer.computeColumnSpans();\n\n// After:\nconsumer.allGeneratedPositionsFor({ line: 2, source: \"foo.coffee\" })\n// [ { line: 2,\n// column: 1,\n// lastColumn: 9 },\n// { line: 2,\n// column: 10,\n// lastColumn: 19 },\n// { line: 2,\n// column: 20,\n// lastColumn: Infinity } ]\n\n```\n\n#### SourceMapConsumer.prototype.originalPositionFor(generatedPosition)\n\nReturns the original source, line, and column information for the generated\nsource's line and column positions provided. The only argument is an object with\nthe following properties:\n\n* `line`: The line number in the generated source. Line numbers in\n this library are 1-based (note that the underlying source map\n specification uses 0-based line numbers -- this library handles the\n translation).\n\n* `column`: The column number in the generated source. Column numbers\n in this library are 0-based.\n\n* `bias`: Either `SourceMapConsumer.GREATEST_LOWER_BOUND` or\n `SourceMapConsumer.LEAST_UPPER_BOUND`. Specifies whether to return the closest\n element that is smaller than or greater than the one we are searching for,\n respectively, if the exact element cannot be found. Defaults to\n `SourceMapConsumer.GREATEST_LOWER_BOUND`.\n\nand an object is returned with the following properties:\n\n* `source`: The original source file, or null if this information is not\n available.\n\n* `line`: The line number in the original source, or null if this information is\n not available. The line number is 1-based.\n\n* `column`: The column number in the original source, or null if this\n information is not available. The column number is 0-based.\n\n* `name`: The original identifier, or null if this information is not available.\n\n```js\nconsumer.originalPositionFor({ line: 2, column: 10 })\n// { source: 'foo.coffee',\n// line: 2,\n// column: 2,\n// name: null }\n\nconsumer.originalPositionFor({ line: 99999999999999999, column: 999999999999999 })\n// { source: null,\n// line: null,\n// column: null,\n// name: null }\n```\n\n#### SourceMapConsumer.prototype.generatedPositionFor(originalPosition)\n\nReturns the generated line and column information for the original source,\nline, and column positions provided. The only argument is an object with\nthe following properties:\n\n* `source`: The filename of the original source.\n\n* `line`: The line number in the original source. The line number is\n 1-based.\n\n* `column`: The column number in the original source. The column\n number is 0-based.\n\nand an object is returned with the following properties:\n\n* `line`: The line number in the generated source, or null. The line\n number is 1-based.\n\n* `column`: The column number in the generated source, or null. The\n column number is 0-based.\n\n```js\nconsumer.generatedPositionFor({ source: \"example.js\", line: 2, column: 10 })\n// { line: 1,\n// column: 56 }\n```\n\n#### SourceMapConsumer.prototype.allGeneratedPositionsFor(originalPosition)\n\nReturns all generated line and column information for the original source, line,\nand column provided. If no column is provided, returns all mappings\ncorresponding to a either the line we are searching for or the next closest line\nthat has any mappings. Otherwise, returns all mappings corresponding to the\ngiven line and either the column we are searching for or the next closest column\nthat has any offsets.\n\nThe only argument is an object with the following properties:\n\n* `source`: The filename of the original source.\n\n* `line`: The line number in the original source. The line number is\n 1-based.\n\n* `column`: Optional. The column number in the original source. The\n column number is 0-based.\n\nand an array of objects is returned, each with the following properties:\n\n* `line`: The line number in the generated source, or null. The line\n number is 1-based.\n\n* `column`: The column number in the generated source, or null. The\n column number is 0-based.\n\n```js\nconsumer.allGeneratedpositionsfor({ line: 2, source: \"foo.coffee\" })\n// [ { line: 2,\n// column: 1 },\n// { line: 2,\n// column: 10 },\n// { line: 2,\n// column: 20 } ]\n```\n\n#### SourceMapConsumer.prototype.hasContentsOfAllSources()\n\nReturn true if we have the embedded source content for every source listed in\nthe source map, false otherwise.\n\nIn other words, if this method returns `true`, then\n`consumer.sourceContentFor(s)` will succeed for every source `s` in\n`consumer.sources`.\n\n```js\n// ...\nif (consumer.hasContentsOfAllSources()) {\n consumerReadyCallback(consumer);\n} else {\n fetchSources(consumer, consumerReadyCallback);\n}\n// ...\n```\n\n#### SourceMapConsumer.prototype.sourceContentFor(source[, returnNullOnMissing])\n\nReturns the original source content for the source provided. The only\nargument is the URL of the original source file.\n\nIf the source content for the given source is not found, then an error is\nthrown. Optionally, pass `true` as the second param to have `null` returned\ninstead.\n\n```js\nconsumer.sources\n// [ \"my-cool-lib.clj\" ]\n\nconsumer.sourceContentFor(\"my-cool-lib.clj\")\n// \"...\"\n\nconsumer.sourceContentFor(\"this is not in the source map\");\n// Error: \"this is not in the source map\" is not in the source map\n\nconsumer.sourceContentFor(\"this is not in the source map\", true);\n// null\n```\n\n#### SourceMapConsumer.prototype.eachMapping(callback, context, order)\n\nIterate over each mapping between an original source/line/column and a\ngenerated line/column in this source map.\n\n* `callback`: The function that is called with each mapping. Mappings have the\n form `{ source, generatedLine, generatedColumn, originalLine, originalColumn,\n name }`\n\n* `context`: Optional. If specified, this object will be the value of `this`\n every time that `callback` is called.\n\n* `order`: Either `SourceMapConsumer.GENERATED_ORDER` or\n `SourceMapConsumer.ORIGINAL_ORDER`. Specifies whether you want to iterate over\n the mappings sorted by the generated file's line/column order or the\n original's source/line/column order, respectively. Defaults to\n `SourceMapConsumer.GENERATED_ORDER`.\n\n```js\nconsumer.eachMapping(function (m) { console.log(m); })\n// ...\n// { source: 'illmatic.js',\n// generatedLine: 1,\n// generatedColumn: 0,\n// originalLine: 1,\n// originalColumn: 0,\n// name: null }\n// { source: 'illmatic.js',\n// generatedLine: 2,\n// generatedColumn: 0,\n// originalLine: 2,\n// originalColumn: 0,\n// name: null }\n// ...\n```\n### SourceMapGenerator\n\nAn instance of the SourceMapGenerator represents a source map which is being\nbuilt incrementally.\n\n#### new SourceMapGenerator([startOfSourceMap])\n\nYou may pass an object with the following properties:\n\n* `file`: The filename of the generated source that this source map is\n associated with.\n\n* `sourceRoot`: A root for all relative URLs in this source map.\n\n* `skipValidation`: Optional. When `true`, disables validation of mappings as\n they are added. This can improve performance but should be used with\n discretion, as a last resort. Even then, one should avoid using this flag when\n running tests, if possible.\n\n* `ignoreInvalidMapping`: Optional. When `true`, instead of throwing error on\n invalid mapping, it will be ignored.\n\n```js\nvar generator = new sourceMap.SourceMapGenerator({\n file: \"my-generated-javascript-file.js\",\n sourceRoot: \"http://example.com/app/js/\"\n});\n```\n\n#### SourceMapGenerator.fromSourceMap(sourceMapConsumer, sourceMapGeneratorOptions)\n\nCreates a new `SourceMapGenerator` from an existing `SourceMapConsumer` instance.\n\n* `sourceMapConsumer` The SourceMap.\n\n* `sourceMapGeneratorOptions` options that will be passed to the SourceMapGenerator constructor which used under the hood.\n\n```js\nvar generator = sourceMap.SourceMapGenerator.fromSourceMap(consumer, {\n ignoreInvalidMapping: true,\n});\n```\n\n#### SourceMapGenerator.prototype.addMapping(mapping)\n\nAdd a single mapping from original source line and column to the generated\nsource's line and column for this source map being created. The mapping object\nshould have the following properties:\n\n* `generated`: An object with the generated line and column positions.\n\n* `original`: An object with the original line and column positions.\n\n* `source`: The original source file (relative to the sourceRoot).\n\n* `name`: An optional original token name for this mapping.\n\n```js\ngenerator.addMapping({\n source: \"module-one.scm\",\n original: { line: 128, column: 0 },\n generated: { line: 3, column: 456 }\n})\n```\n\n#### SourceMapGenerator.prototype.setSourceContent(sourceFile, sourceContent)\n\nSet the source content for an original source file.\n\n* `sourceFile` the URL of the original source file.\n\n* `sourceContent` the content of the source file.\n\n```js\ngenerator.setSourceContent(\"module-one.scm\",\n fs.readFileSync(\"path/to/module-one.scm\"))\n```\n\n#### SourceMapGenerator.prototype.applySourceMap(sourceMapConsumer[, sourceFile[, sourceMapPath]])\n\nApplies a SourceMap for a source file to the SourceMap.\nEach mapping to the supplied source file is rewritten using the\nsupplied SourceMap. Note: The resolution for the resulting mappings\nis the minimum of this map and the supplied map.\n\n* `sourceMapConsumer`: The SourceMap to be applied.\n\n* `sourceFile`: Optional. The filename of the source file.\n If omitted, sourceMapConsumer.file will be used, if it exists.\n Otherwise an error will be thrown.\n\n* `sourceMapPath`: Optional. The dirname of the path to the SourceMap\n to be applied. If relative, it is relative to the SourceMap.\n\n This parameter is needed when the two SourceMaps aren't in the same\n directory, and the SourceMap to be applied contains relative source\n paths. If so, those relative source paths need to be rewritten\n relative to the SourceMap.\n\n If omitted, it is assumed that both SourceMaps are in the same directory,\n thus not needing any rewriting. (Supplying `'.'` has the same effect.)\n\n#### SourceMapGenerator.prototype.toString()\n\nRenders the source map being generated to a string.\n\n```js\ngenerator.toString()\n// '{\"version\":3,\"sources\":[\"module-one.scm\"],\"names\":[],\"mappings\":\"...snip...\",\"file\":\"my-generated-javascript-file.js\",\"sourceRoot\":\"http://example.com/app/js/\"}'\n```\n\n### SourceNode\n\nSourceNodes provide a way to abstract over interpolating and/or concatenating\nsnippets of generated JavaScript source code, while maintaining the line and\ncolumn information associated between those snippets and the original source\ncode. This is useful as the final intermediate representation a compiler might\nuse before outputting the generated JS and source map.\n\n#### new SourceNode([line, column, source[, chunk[, name]]])\n\n* `line`: The original line number associated with this source node, or null if\n it isn't associated with an original line. The line number is 1-based.\n\n* `column`: The original column number associated with this source node, or null\n if it isn't associated with an original column. The column number\n is 0-based.\n\n* `source`: The original source's filename; null if no filename is provided.\n\n* `chunk`: Optional. Is immediately passed to `SourceNode.prototype.add`, see\n below.\n\n* `name`: Optional. The original identifier.\n\n```js\nvar node = new SourceNode(1, 2, \"a.cpp\", [\n new SourceNode(3, 4, \"b.cpp\", \"extern int status;\\n\"),\n new SourceNode(5, 6, \"c.cpp\", \"std::string* make_string(size_t n);\\n\"),\n new SourceNode(7, 8, \"d.cpp\", \"int main(int argc, char** argv) {}\\n\"),\n]);\n```\n\n#### SourceNode.fromStringWithSourceMap(code, sourceMapConsumer[, relativePath])\n\nCreates a SourceNode from generated code and a SourceMapConsumer.\n\n* `code`: The generated code\n\n* `sourceMapConsumer` The SourceMap for the generated code\n\n* `relativePath` The optional path that relative sources in `sourceMapConsumer`\n should be relative to.\n\n```js\nvar consumer = new SourceMapConsumer(fs.readFileSync(\"path/to/my-file.js.map\", \"utf8\"));\nvar node = SourceNode.fromStringWithSourceMap(fs.readFileSync(\"path/to/my-file.js\"),\n consumer);\n```\n\n#### SourceNode.prototype.add(chunk)\n\nAdd a chunk of generated JS to this source node.\n\n* `chunk`: A string snippet of generated JS code, another instance of\n `SourceNode`, or an array where each member is one of those things.\n\n```js\nnode.add(\" + \");\nnode.add(otherNode);\nnode.add([leftHandOperandNode, \" + \", rightHandOperandNode]);\n```\n\n#### SourceNode.prototype.prepend(chunk)\n\nPrepend a chunk of generated JS to this source node.\n\n* `chunk`: A string snippet of generated JS code, another instance of\n `SourceNode`, or an array where each member is one of those things.\n\n```js\nnode.prepend(\"/** Build Id: f783haef86324gf **/\\n\\n\");\n```\n\n#### SourceNode.prototype.setSourceContent(sourceFile, sourceContent)\n\nSet the source content for a source file. This will be added to the\n`SourceMap` in the `sourcesContent` field.\n\n* `sourceFile`: The filename of the source file\n\n* `sourceContent`: The content of the source file\n\n```js\nnode.setSourceContent(\"module-one.scm\",\n fs.readFileSync(\"path/to/module-one.scm\"))\n```\n\n#### SourceNode.prototype.walk(fn)\n\nWalk over the tree of JS snippets in this node and its children. The walking\nfunction is called once for each snippet of JS and is passed that snippet and\nthe its original associated source's line/column location.\n\n* `fn`: The traversal function.\n\n```js\nvar node = new SourceNode(1, 2, \"a.js\", [\n new SourceNode(3, 4, \"b.js\", \"uno\"),\n \"dos\",\n [\n \"tres\",\n new SourceNode(5, 6, \"c.js\", \"quatro\")\n ]\n]);\n\nnode.walk(function (code, loc) { console.log(\"WALK:\", code, loc); })\n// WALK: uno { source: 'b.js', line: 3, column: 4, name: null }\n// WALK: dos { source: 'a.js', line: 1, column: 2, name: null }\n// WALK: tres { source: 'a.js', line: 1, column: 2, name: null }\n// WALK: quatro { source: 'c.js', line: 5, column: 6, name: null }\n```\n\n#### SourceNode.prototype.walkSourceContents(fn)\n\nWalk over the tree of SourceNodes. The walking function is called for each\nsource file content and is passed the filename and source content.\n\n* `fn`: The traversal function.\n\n```js\nvar a = new SourceNode(1, 2, \"a.js\", \"generated from a\");\na.setSourceContent(\"a.js\", \"original a\");\nvar b = new SourceNode(1, 2, \"b.js\", \"generated from b\");\nb.setSourceContent(\"b.js\", \"original b\");\nvar c = new SourceNode(1, 2, \"c.js\", \"generated from c\");\nc.setSourceContent(\"c.js\", \"original c\");\n\nvar node = new SourceNode(null, null, null, [a, b, c]);\nnode.walkSourceContents(function (source, contents) { console.log(\"WALK:\", source, \":\", contents); })\n// WALK: a.js : original a\n// WALK: b.js : original b\n// WALK: c.js : original c\n```\n\n#### SourceNode.prototype.join(sep)\n\nLike `Array.prototype.join` except for SourceNodes. Inserts the separator\nbetween each of this source node's children.\n\n* `sep`: The separator.\n\n```js\nvar lhs = new SourceNode(1, 2, \"a.rs\", \"my_copy\");\nvar operand = new SourceNode(3, 4, \"a.rs\", \"=\");\nvar rhs = new SourceNode(5, 6, \"a.rs\", \"orig.clone()\");\n\nvar node = new SourceNode(null, null, null, [ lhs, operand, rhs ]);\nvar joinedNode = node.join(\" \");\n```\n\n#### SourceNode.prototype.replaceRight(pattern, replacement)\n\nCall `String.prototype.replace` on the very right-most source snippet. Useful\nfor trimming white space from the end of a source node, etc.\n\n* `pattern`: The pattern to replace.\n\n* `replacement`: The thing to replace the pattern with.\n\n```js\n// Trim trailing white space.\nnode.replaceRight(/\\s*$/, \"\");\n```\n\n#### SourceNode.prototype.toString()\n\nReturn the string representation of this source node. Walks over the tree and\nconcatenates all the various snippets together to one string.\n\n```js\nvar node = new SourceNode(1, 2, \"a.js\", [\n new SourceNode(3, 4, \"b.js\", \"uno\"),\n \"dos\",\n [\n \"tres\",\n new SourceNode(5, 6, \"c.js\", \"quatro\")\n ]\n]);\n\nnode.toString()\n// 'unodostresquatro'\n```\n\n#### SourceNode.prototype.toStringWithSourceMap([startOfSourceMap])\n\nReturns the string representation of this tree of source nodes, plus a\nSourceMapGenerator which contains all the mappings between the generated and\noriginal sources.\n\nThe arguments are the same as those to `new SourceMapGenerator`.\n\n```js\nvar node = new SourceNode(1, 2, \"a.js\", [\n new SourceNode(3, 4, \"b.js\", \"uno\"),\n \"dos\",\n [\n \"tres\",\n new SourceNode(5, 6, \"c.js\", \"quatro\")\n ]\n]);\n\nnode.toStringWithSourceMap({ file: \"my-output-file.js\" })\n// { code: 'unodostresquatro',\n// map: [object SourceMapGenerator] }\n```\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/source-map-js/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/stackback/README.md ---\n# stackback\n\nReturns an array of CallSite objects for a captured stacktrace. Useful if you want to access the frame for an error object.\n\n## use\n\n```javascript\nvar stackback = require('stackback');\n\n// error generated from somewhere\nvar err = new Error('some sample error');\n\n// stack is an array of CallSite objects\nvar stack = stackback(err);\n```\n\n## CallSite object\n\nFrom the [V8 StackTrace API](https://code.google.com/p/v8/wiki/JavaScriptStackTraceApi)\n\nThe structured stack trace is an Array of CallSite objects, each of which represents a stack frame. A CallSite object defines the following methods\n\ngetThis: returns the value of this \ngetTypeName: returns the type of this as a string. This is the name of the function stored in the constructor field of this, if available, otherwise the object's [[Class]] internal property. \ngetFunction: returns the current function \ngetFunctionName: returns the name of the current function, typically its name property. If a name property is not available an attempt will be made to try to infer a name from the function's context. \ngetMethodName: returns the name of the property of this or one of its prototypes that holds the current function \ngetFileName: if this function was defined in a script returns the name of the script \ngetLineNumber: if this function was defined in a script returns the current line number \ngetColumnNumber: if this function was defined in a script returns the current column number \ngetEvalOrigin: if this function was created using a call to eval returns a CallSite object representing the location where eval was called \nisToplevel: is this a toplevel invocation, that is, is this the global object? \nisEval: does this call take place in code defined by a call to eval? \nisNative: is this call in native V8 code? \nisConstructor: is this a constructor call? \n\n## install\n\n```shell\nnpm install stackback\n```\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/stackback/README.md ---\n\n--- Context from: extensions/terraform/README.md ---\n# <img src=\"public/images/Terraform-LogoMark_onDark.svg\" width=\"30\" align=\"left\" style=\"margin-right: 12px;\"/> Terraform MCP Server\n\nThe Terraform MCP Server is a [Model Context Protocol (MCP)](https://modelcontextprotocol.io/introduction)\nserver that provides seamless integration with Terraform Registry APIs, enabling advanced\nautomation and interaction capabilities for Infrastructure as Code (IaC) development.\n\n## Features\n\n- **Dual Transport Support**: Both Stdio and StreamableHTTP transports with configurable endpoints\n- **Terraform Registry Integration**: Direct integration with public Terraform Registry APIs for providers, modules, and policies\n- **HCP Terraform & Terraform Enterprise Support**: Full workspace management, organization/project listing, and private registry access\n- **Workspace Operations**: Create, update, delete workspaces with support for variables, tags, and run management\n\n> **Security Note:** At this stage, the MCP server is intended for local use only. If using the StreamableHTTP transport, always configure the MCP_ALLOWED_ORIGINS environment variable to restrict access to trusted origins only. This helps prevent DNS rebinding attacks and other cross-origin vulnerabilities.\n\n> **Security Note:** Depending on the query, the MCP server may expose certain Terraform data to the MCP client and LLM. Do not use the MCP server with untrusted MCP clients or LLMs.\n\n> **Legal Note:** Your use of a third party MCP Client/LLM is subject solely to the terms of use for such MCP/LLM, and IBM is not responsible for the performance of such third party tools. IBM expressly disclaims any and all warranties and liability for third party MCP Clients/LLMs, and may not be able to provide support to resolve issues which are caused by the third party tools.\n\n> **Caution:** The outputs and recommendations provided by the MCP server are generated dynamically and may vary based on the query, model, and the connected MCP client. Users should thoroughly review all outputs/recommendations to ensure they align with their organizations security best practices, cost-efficiency goals, and compliance requirements before implementation.\n\n## Prerequisites\n\n1. Ensure [Docker](https://www.docker.com/) is installed and running to use the server in a containerized environment.\n1. Install an AI assistant that supports the Model Context Protocol (MCP).\n\n## Command Line Options\n\n**Environment Variables:**\n\n| Variable | Description | Default |\n|----------|-------------|---------|\n| `TFE_ADDRESS` | HCP Terraform or TFE address | `\"https://app.terraform.io\"` |\n| `TFE_TOKEN` | Terraform Enterprise API token | `\"\"` (empty) |\n| `TFE_SKIP_TLS_VERIFY` | Skip HCP Terraform or Terraform Enterprise TLS verification | `false` |\n| `TRANSPORT_MODE` | Set to `streamable-http` to enable HTTP transport (legacy `http` value still supported) | `stdio` |\n| `TRANSPORT_HOST` | Host to bind the HTTP server | `127.0.0.1` |\n| `TRANSPORT_PORT` | HTTP server port | `8080` |\n| `MCP_ENDPOINT` | HTTP server endpoint path | `/mcp` |\n| `MCP_SESSION_MODE` | Session mode: `stateful` or `stateless` | `stateful` |\n| `MCP_ALLOWED_ORIGINS` | Comma-separated list of allowed origins for CORS | `\"\"` (empty) |\n| `MCP_CORS_MODE` | CORS mode: `strict`, `development`, or `disabled` | `strict` |\n| `MCP_TLS_CERT_FILE` | Path to TLS cert file, required for non-localhost deployment (e.g. `/path/to/cert.pem`) | `\"\"` (empty) |\n| `MCP_TLS_KEY_FILE` | Path to TLS key file, required for non-localhost deployment (e.g. `/path/to/key.pem`)| `\"\"` (empty) |\n| `MCP_RATE_LIMIT_GLOBAL` | Global rate limit (format: `rps:burst`) | `10:20` |\n| `MCP_RATE_LIMIT_SESSION` | Per-session rate limit (format: `rps:burst`) | `5:10` |\n| `ENABLE_TF_OPERATIONS` | Enable tools that require explicit approval | `false` |\n\n```bash\n# Stdio mode\nterraform-mcp-server stdio [--log-file /path/to/log] [--toolsets <toolsets>] [--tools <tools>]\n\n# StreamableHTTP mode\nterraform-mcp-server streamable-http [--transport-port 8080] [--transport-host 127.0.0.1] [--mcp-endpoint /mcp] [--log-file /path/to/log] [--toolsets <toolsets>] [--tools <tools>]\n```\n\n## Instructions\n\nDefault instructions for the MCP server is located in `cmd/terraform-mcp-server/instructions.md`, if those do not seem appropriate for your organization's Terraform practices or if the MCP server is producing inaccurate responses, please replace them with your own instructions and rebuild the container or binary. An example of such instruction is located in `instructions/example-mcp-instructions.md`\n\n`AGENTS.md` essentially behaves as READMEs for coding agents: a dedicated, predictable place to provide the context and instructions to help AI coding agents work on your project. One `AGENTS.md` file works with different coding agents. An example of such instruction is located in `instructions/example-AGENTS.md`, in order to use it commit a file name `AGENTS.md` to the directory where your Terraform configurations reside.\n\n## Installation\n\n### Usage with Visual Studio Code\n\nAdd the following JSON block to your User Settings (JSON) file in VS Code. You can do this by pressing `Ctrl + Shift + P` and typing `Preferences: Open User Settings (JSON)`.\n\nMore about using MCP server tools in VS Code's [agent mode documentation](https://code.visualstudio.com/docs/copilot/chat/mcp-servers).\n\n<table>\n<tr><th>Version 0.3.0+ or greater</th><th>Version 0.2.3 or lower</th></tr>\n<tr valign=top>\n<td>\n\n```json\n{\n \"mcp\": {\n \"servers\": {\n \"terraform\": {\n \"command\": \"docker\",\n \"args\": [\n \"run\",\n \"-i\",\n \"--rm\",\n \"-e\", \"TFE_TOKEN=${input:tfe_token}\",\n \"-e\", \"TFE_ADDRESS=${input:tfe_address}\",\n \"hashicorp/terraform-mcp-server:0.4.0\"\n ]\n }\n },\n \"inputs\": [\n {\n \"type\": \"promptString\",\n \"id\": \"tfe_token\",\n \"description\": \"Terraform API Token\",\n \"password\": true\n },\n {\n \"type\": \"promptString\",\n \"id\": \"tfe_address\",\n \"description\": \"Terraform Address\",\n \"password\": false\n }\n ]\n }\n}\n```\n</td>\n<td>\n\n```json\n{\n \"mcp\": {\n \"servers\": {\n \"terraform\": {\n \"command\": \"docker\",\n \"args\": [\n \"run\",\n \"-i\",\n \"--rm\",\n \"hashicorp/terraform-mcp-server:0.2.3\"\n ]\n }\n }\n }\n}\n```\n\n</td>\n</tr>\n</table>\n\nOptionally, you can add a similar example (i.e. without the mcp key) to a file called `.vscode/mcp.json` in your workspace. This will allow you to share the configuration with others.\n\n<table>\n<tr><th>Version 0.3.0+ or greater</th><th>Version 0.2.3 or lower</th></tr>\n<tr valign=top>\n<td>\n\n```json\n{\n \"servers\": {\n \"terraform\": {\n \"command\": \"docker\",\n \"args\": [\n \"run\",\n \"-i\",\n \"--rm\",\n \"-e\", \"TFE_TOKEN=${input:tfe_token}\",\n \"-e\", \"TFE_ADDRESS=${input:tfe_address}\",\n \"hashicorp/terraform-mcp-server:0.4.0\"\n ]\n }\n },\n \"inputs\": [\n {\n \"type\": \"promptString\",\n \"id\": \"tfe_token\",\n \"description\": \"Terraform API Token\",\n \"password\": true\n },\n {\n \"type\": \"promptString\",\n \"id\": \"tfe_address\",\n \"description\": \"Terraform Address\",\n \"password\": false\n }\n ]\n}\n```\n\n</td>\n<td>\n\n```json\n{\n \"servers\": {\n \"terraform\": {\n \"command\": \"docker\",\n \"args\": [\n \"run\",\n \"-i\",\n \"--rm\",\n \"hashicorp/terraform-mcp-server:0.2.3\"\n ]\n }\n }\n}\n```\n</td>\n</tr>\n</table>\n\n\n[<img alt=\"Install in VS Code (docker)\" src=\"https://img.shields.io/badge/VS_Code-VS_Code?style=flat-square&label=Install%20Terraform%20MCP&color=0098FF\">](https://vscode.dev/redirect?url=vscode%3Amcp%2Finstall%3F%7B%22name%22%3A%22terraform%22%2C%22command%22%3A%22docker%22%2C%22args%22%3A%5B%22run%22%2C%22-i%22%2C%22--rm%22%2C%22hashicorp%2Fterraform-mcp-server%22%5D%7D)\n[<img alt=\"Install in VS Code Insiders (docker)\" src=\"https://img.shields.io/badge/VS_Code_Insiders-VS_Code_Insiders?style=flat-square&label=Install%20Terraform%20MCP&color=24bfa5\">](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Amcp%2Finstall%3F%7B%22name%22%3A%22terraform%22%2C%22command%22%3A%22docker%22%2C%22args%22%3A%5B%22run%22%2C%22-i%22%2C%22--rm%22%2C%22hashicorp%2Fterraform-mcp-server%22%5D%7D)\n\n### Usage with Cursor\n\nAdd this to your Cursor config (`~/.cursor/mcp.json`) or via Settings → Cursor Settings → MCP:\n\n<table>\n<tr><th>Version 0.3.0+ or greater</th><th>Version 0.2.3 or lower</th></tr>\n<tr valign=top>\n<td>\n\n```json\n{\n \"mcpServers\": {\n \"terraform\": {\n \"command\": \"docker\",\n \"args\": [\n \"run\",\n \"-i\",\n \"--rm\",\n \"-e\", \"TFE_ADDRESS=<<PASTE_TFE_ADDRESS_HERE>>\",\n \"-e\", \"TFE_TOKEN=<<PASTE_TFE_TOKEN_HERE>>\",\n \"hashicorp/terraform-mcp-server:0.4.0\"\n ]\n }\n }\n}\n```\n\n</td>\n<td>\n\n```json\n{\n \"servers\": {\n \"terraform\": {\n \"command\": \"docker\",\n \"args\": [\n \"run\",\n \"-i\",\n \"--rm\",\n \"hashicorp/terraform-mcp-server:0.2.3\"\n ]\n }\n }\n}\n```\n</td>\n</tr>\n</table>\n\n<a href=\"cursor://anysphere.cursor-deeplink/mcp/install?name=terraform&config=eyJjb21tYW5kIjoiZG9ja2VyIiwiYXJncyI6WyJydW4iLCItaSIsIi0tcm0iLCJoYXNoaWNvcnAvdGVycmFmb3JtLW1jcC1zZXJ2ZXIiXX0%3D\">\n <img alt=\"Add terraform MCP server to Cursor\" src=\"https://cursor.com/deeplink/mcp-install-dark.png\" height=\"32\" />\n</a>\n\n### Usage with Claude Desktop / Amazon Q Developer / Amazon Q CLI\n\nMore about using MCP server tools in Claude Desktop [user documentation](https://modelcontextprotocol.io/quickstart/user). Read more about using MCP server in Amazon Q from the [documentation](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/qdev-mcp.html).\n\n<table>\n<tr><th>Version 0.3.0+ or greater</th><th>Version 0.2.3 or lower</th></tr>\n<tr valign=top>\n<td>\n\n```json\n{\n \"mcpServers\": {\n \"terraform\": {\n \"command\": \"docker\",\n \"args\": [\n \"run\",\n \"-i\",\n \"--rm\",\n \"-e\", \"TFE_ADDRESS=<<PASTE_TFE_ADDRESS_HERE>>\",\n \"-e\", \"TFE_TOKEN=<<PASTE_TFE_TOKEN_HERE>>\",\n \"hashicorp/terraform-mcp-server:0.4.0\"\n ]\n }\n }\n}\n```\n\n</td>\n<td>\n\n```json\n{\n \"mcpServers\": {\n \"terraform\": {\n \"command\": \"docker\",\n \"args\": [\n \"run\",\n \"-i\",\n \"--rm\",\n \"hashicorp/terraform-mcp-server:0.2.3\"\n ]\n }\n }\n}\n```\n</td>\n</tr>\n</table>\n\n### Usage with Claude Code\n\nMore about using and adding MCP server tools in Claude Code [user documentation](https://docs.claude.com/en/docs/claude-code/mcp)\n\n- Local (`stdio`) Transport\n\n```sh\nclaude mcp add terraform -s user -t stdio -- docker run -i --rm hashicorp/terraform-mcp-server\n```\n\n- Remote (`streamable-http`) Transport\n\n```sh\n# Run server (example)\ndocker run -p 8080:8080 --rm -e TRANSPORT_MODE=streamable-http -e TRANSPORT_HOST=0.0.0.0 hashicorp/terraform-mcp-server\n\n# Add to Claude Code\nclaude mcp add --transport http terraform http://localhost:8080/mcp\n```\n\n### Usage with Gemini extensions\n\nFor security, avoid hardcoding your credentials, create or update `~/.gemini/.env` (where ~ is your home or project directory) for storing HCP Terraform or Terraform Enterprise credentials\n\n```\n# ~/.gemini/.env\nTFE_ADDRESS=your_tfe_address_here\nTFE_TOKEN=your_tfe_token_here\n```\n\nInstall the extension & run Gemini\n\n```\ngemini extensions install https://github.com/hashicorp/terraform-mcp-server\ngemini\n```\n\n## Install from source\n\nUse the latest release version:\n\n```console\ngo install github.com/hashicorp/terraform-mcp-server/cmd/terraform-mcp-server@latest\n```\n\nUse the main branch:\n\n```console\ngo install github.com/hashicorp/terraform-mcp-server/cmd/terraform-mcp-server@main\n```\n\n<table>\n<tr><th>Version 0.3.0+ or greater</th><th>Version 0.2.3 or lower</th></tr>\n<tr valign=top>\n<td>\n\n```json\n{\n \"mcp\": {\n \"servers\": {\n \"terraform\": {\n \"type\": \"stdio\",\n \"command\": \"/path/to/terraform-mcp-server\",\n \"env\": {\n \"TFE_TOKEN\": \"<<TFE_TOKEN_HERE>>\"\n },\n }\n }\n }\n}\n```\n\n</td>\n<td>\n\n```json\n{\n \"mcp\": {\n \"servers\": {\n \"terraform\": {\n \"type\": \"stdio\",\n \"command\": \"/path/to/terraform-mcp-server\"\n }\n }\n }\n}\n```\n</td>\n</tr>\n</table>\n\n## Building the Docker Image locally\n\nBefore using the server, you need to build the Docker image locally:\n\n1. Clone the repository:\n```bash\ngit clone https://github.com/hashicorp/terraform-mcp-server.git\ncd terraform-mcp-server\n```\n\n2. Build the Docker image:\n```bash\nmake docker-build\n```\n\n3. This will create a local Docker image that you can use in the following configuration.\n\n```bash\n# Run in stdio mode\ndocker run -i --rm terraform-mcp-server:dev\n\n# Run in streamable-http mode\ndocker run -p 8080:8080 --rm -e TRANSPORT_MODE=streamable-http -e TRANSPORT_HOST=0.0.0.0 terraform-mcp-server:dev\n\n# Filter tools (optional)\ndocker run -i --rm terraform-mcp-server:dev --toolsets=registry,terraform\ndocker run -i --rm terraform-mcp-server:dev --tools=search_providers,get_provider_details\n```\n\n> **Note:** When running in Docker, you should set `TRANSPORT_HOST=0.0.0.0` to allow connections from outside the container.\n\n4. (Optional) Test connection in http mode\n\n```bash\n# Test the connection\ncurl http://localhost:8080/health\n```\n\n5. You can use it on your AI assistant as follow:\n\n```json\n{\n \"mcpServers\": {\n \"terraform\": {\n \"command\": \"docker\",\n \"args\": [\n \"run\",\n \"-i\",\n \"--rm\",\n \"terraform-mcp-server:dev\"\n ]\n }\n }\n}\n```\n\n## Available Tools\n\n[Check out available tools here :link:](https://developer.hashicorp.com/terraform/docs/tools/mcp-server/reference#available-tools)\n\n## Available Resources\n\n[Check out available resources here :link:](https://developer.hashicorp.com/terraform/docs/tools/mcp-server/reference#available-tools)\n\n### Tool Filtering\n\nControl which tools are available using `--toolsets` (groups) or `--tools` (individual):\n\n```bash\n# Enable tool groups (default: registry)\nterraform-mcp-server --toolsets=registry,terraform\n\n# Enable specific tools only\nterraform-mcp-server --tools=search_providers,get_provider_details,list_workspaces\n```\n\nAvailable toolsets: `registry`, `registry-private`, `terraform`, `all`, `default`. See `pkg/toolsets/mapping.go` for individual tool names. Cannot use both flags together.\n\n## Transport Support\n\nThe Terraform MCP Server supports multiple transport protocols:\n\n### 1. Stdio Transport (Default)\nStandard input/output communication using JSON-RPC messages. Ideal for local development and direct integration with MCP clients.\n\n### 2. StreamableHTTP Transport\nModern HTTP-based transport supporting both direct HTTP requests and Server-Sent Events (SSE) streams. This is the recommended transport for remote/distributed setups.\n\n**Features:**\n- **Endpoint**: `http://{hostname}:8080/mcp`\n- **Health Check**: `http://{hostname}:8080/health`\n- **Environment Configuration**: Set `TRANSPORT_MODE=http` or `TRANSPORT_PORT=8080` to enable\n\n## Session Modes\n\nThe Terraform MCP Server supports two session modes when using the StreamableHTTP transport:\n\n- **Stateful Mode (Default)**: Maintains session state between requests, enabling context-aware operations.\n- **Stateless Mode**: Each request is processed independently without maintaining session state, which can be useful for high-availability deployments or when using load balancers.\n\nTo enable stateless mode, set the environment variable:\n```bash\nexport MCP_SESSION_MODE=stateless\n```\n\n## Development\n\n### Prerequisites\n- Go (check [go.mod](./go.mod) file for specific version)\n- Docker (optional, for container builds)\n\n### Available Make Commands\n\n| Command | Description |\n|---------|-------------|\n| `make build` | Build the binary |\n| `make test` | Run all tests |\n| `make test-e2e` | Run end-to-end tests |\n| `make docker-build` | Build Docker image |\n| `make run-http` | Run HTTP server locally |\n| `make docker-run-http` | Run HTTP server in Docker |\n| `make test-http` | Test HTTP health endpoint |\n| `make clean` | Remove build artifacts |\n| `make help` | Show all available commands |\n\n## Contributing\n\n1. Fork the repository\n2. Create your feature branch\n3. Make your changes\n4. Run tests\n5. Submit a pull request\n\n## License\n\nThis project is licensed under the terms of the MPL-2.0 open source license. Please refer to [LICENSE](./LICENSE) file for the full terms.\n\n## Security\n\nFor security issues, please contact security@hashicorp.com or follow our [security policy](https://www.hashicorp.com/en/trust/security/vulnerability-management).\n\n## Support\n\nFor bug reports and feature requests, please open an issue on GitHub.\n\nFor general questions and discussions, open a GitHub Discussion.\n--- End of Context from: extensions/terraform/README.md ---\n\n--- Context from: extensions/terraform/e2e/README.md ---\n# End To End (e2e) Tests\n\nThe purpose of the E2E tests is to have a simple (currently) test that gives maintainers some confidence when adding new resources/tools. It does this by:\n * Building the `terraform-mcp-server` docker image\n * Running the image\n * Interacting with the server via stdio\n * Issuing requests that interact with the existing Resources/Tools\n\n## Running the Tests\n\nA service must be running that supports image building and container creation via the `docker` CLI.\n\n```\nmake test-e2e\n```\n\nRunning the tests:\n\n```\nmake test-e2e\n=== RUN TestE2E\n e2e_test.go:92: Building Docker image for e2e tests...\n e2e_test.go:38: Starting Stdio MCP client...\n=== RUN TestE2E/Initialize\nInitialized with server: terraform-mcp-server test-e2e\n\n=== RUN TestE2E/CallTool_list_providers\n e2e_test.go:83: Raw response content: aws, google, azurerm, kubernetes, github, docker, null, random\n--- PASS: TestE2E (2.30s)\n --- PASS: TestE2E/Initialize (0.55s)\n --- PASS: TestE2E/CallTool_list_providers (0.00s)\nPASS\nok terraform-mcp-server/e2e 2.771s\n```\n--- End of Context from: extensions/terraform/e2e/README.md ---\n\n--- Context from: extensions/gemini-cli-security/mcp-server/node_modules/cors/CONTRIBUTING.md ---\n# contributing to `cors`\n\nCORS is a node.js package for providing a [connect](http://www.senchalabs.org/connect/)/[express](http://expressjs.com/) middleware that can be used to enable [CORS](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing) with various options. Learn more about the project in [the README](README.md).\n\n## The CORS Spec\n\n[http://www.w3.org/TR/cors/](http://www.w3.org/TR/cors/)\n\n## Pull Requests Welcome\n\n* Include `'use strict';` in every javascript file.\n* 2 space indentation.\n* Please run the testing steps below before submitting.\n\n## Testing\n\n```bash\n$ npm install\n$ npm test\n```\n\n## Interactive Testing Harness\n\n[http://node-cors-client.herokuapp.com](http://node-cors-client.herokuapp.com)\n\nRelated git repositories:\n\n* [https://github.com/TroyGoode/node-cors-server](https://github.com/TroyGoode/node-cors-server)\n* [https://github.com/TroyGoode/node-cors-client](https://github.com/TroyGoode/node-cors-client)\n\n## License\n\n[MIT License](http://www.opensource.org/licenses/mit-license.php)\n--- End of Context from: extensions/gemini-cli-security/mcp-server/node_modules/cors/CONTRIBUTING.md ---\n\nThe following are instructions provided by the tool server 'terraform':\n---[start of server instructions]---\n# Terraform MCP Server Tool Hints\n\nThe Terraform MCP server provides tools for generating better Terraform code through registry integration and automating workflows via HCP Terraform/Enterprise APIs.\n\n## Tool Usage Guidelines\n\n**BEFORE generating any Terraform code**: Query registries for latest provider/module versions and styling guidelines. When enterprise tools are enabled AND a Terraform token is provided, search private registries first, then fall back to public.\n\n**Provider Consistency**: All modules in a project must use compatible provider versions. Verify with get_provider_details before generating code.\n\n**Validation Flow**: Run terraform validate immediately after generation, then terraform plan only if validation passes. Use terraform fmt to format code as needed.\n\n**User Confirmation Required**: ALWAYS get explicit yes/no confirmation before: `create_run`, `apply_run`, `discard_run`, `cancel_run`.\n\n## Always Available Tools\n\n### Registry Tools (Always Available)\n\n- **Provider Discovery**: `get_latest_provider_version` (if unavailable in code) → `get_provider_capabilities` → `get_provider_details`\n - `get_provider_capabilities` shows what types of resources, data sources, functions, and guides are available\n \n- **Module Discovery**: `get_latest_module_version` (if unavailable in code) → `search_modules` → `get_module_details`\n\n- **Policy Discovery**: `search_policies` → `get_policy_details`\n\n- Use these to ensure generated code uses current versions and follows best practices\n\n## HCP Terraform/TFE Tools (When enterprise tools are enabled AND a Terraform token is provided)\n\n### Private Registry Tools\n- `search_private_providers` → `get_private_provider_details`\n- `search_private_modules` → `get_private_module_details`\n- Priority: Check private registries first when token present, public as fallback\n\n### Workspace Management\n- **Discovery**: `search_workspaces` (empty query returns all) → `get_workspace_details`\n- **Operations**: `create_workspace`, `update_workspace`, `delete_workspace_safely`\n- `delete_workspace_safely` only works if workspace has no managed resources\n\n### Run Execution\n- **Discovery**: `search_run` (empty query returns all) → `get_run_details` (supports json output)\n- **Operations**: `create_run` → `apply_run` OR `discard_run` OR `cancel_run`\n- **Monitoring**: `get_plan_details`/`get_plan_logs` for plans, `get_apply_details`/`get_apply_logs` for applies\n- Always check run status before attempting operations\n\n### Variable Management\n**Workspace Variables**:\n- `search_workspace_variables` (empty query returns all)\n- `create_workspace_variable`, `update_workspace_variable`, `delete_workspace_variable`\n\n**Variable Sets** (for sharing across workspaces/projects):\n- `search_variable_sets` → `get_variable_set_details`\n- `create_variable_set`, `update_variable_set`, `delete_variable_set`\n- `create_variable_in_variable_set`, `update_variable_in_variable_set`, `delete_variable_from_variable_set`\n- `attach/detach_variable_set_to_workspaces`, `attach/detach_variable_set_to_projects`\n\n## Workflow Patterns\n\n**Code Generation**:\n1. `search_modules`/`search_providers` for available resources\n2. `get_latest_provider_version` if no version available in existing code\n3. `get_module_details` for module requirements\n4. Generate code with discovered constraints\n\n**Run Management**:\n1. `search_workspaces` → select target\n2. `create_run` → get_run_details to monitor\n3. `get_plan_details/logs` to review changes\n4. User confirmation → `apply_run` OR `discard_run`\n\n**Variable Configuration**:\n1. `search_workspace_variables` to check existing\n2. `create/update_workspace_variable` as needed\n3. For multi-workspace: `create_variable_set` → `attach_variable_set_to_workspaces`\n\n## Error Handling\n- Registry failures: Try private first (if token), fallback to public\n- Run failures: Check `get_run_details`, get_plan_details and logs before retry\n- Variable conflicts: `search_workspace_variables` first to avoid duplicates\n\n## Security Notes\n- Never expose TFE_TOKEN or other sensitive values in outputs\n- Document source (public/private registry) in generated code comments\n---[end of server instructions]---\n---"
},
{
"id": "5c69aa52-5873-4a5c-8358-a7b5c69d44f6",
"timestamp": "2026-02-24T18:10:57.096Z",
"type": "user",
"content": [
{
"text": "commit GEMINI.md and DXW.md"
}
]
},
{
"id": "870738b9-331e-41ec-a3eb-a9411b4d392f",
"timestamp": "2026-02-24T18:11:00.942Z",
"type": "gemini",
"content": "I'll start by checking the current status of the repository to verify the state of `GEMINI.md` and `DXW.md`.",
"thoughts": [
{
"subject": "Analyzing the Situation",
"description": "I've got it. My task is to commit `GEMINI.md` and `DXW.md`. I should start by checking the current status of the repository to understand the current state of these files.",
"timestamp": "2026-02-24T18:11:00.671Z"
}
],
"tokens": {
"input": 184950,
"output": 80,
"cached": 4010,
"thoughts": 43,
"tool": 0,
"total": 185073
},
"model": "gemini-3-flash-preview",
"toolCalls": [
{
"id": "run_shell_command_1771956660933_0",
"name": "run_shell_command",
"args": {
"command": "git status && git diff HEAD -- GEMINI.md DXW.md && git log -n 3",
"description": "Checking the git status, diff for the target files, and recent commit history."
},
"result": [
{
"functionResponse": {
"id": "run_shell_command_1771956660933_0",
"name": "run_shell_command",
"response": {
"output": "Output: On branch main\nYour branch is ahead of 'origin/main' by 1 commit.\n (use \"git push\" to publish your local commits)\n\nChanges not staged for commit:\n (use \"git add <file>...\" to update what will be committed)\n (use \"git restore <file>...\" to discard changes in working directory)\n modified: GEMINI.md\n\nUntracked files:\n (use \"git add <file>...\" to include in what will be committed)\n .gitignore\n DXW.md\n antigravity/\n extensions/\n google_accounts.json\n history/\n installation_id\n projects.json\n state.json\n tmp/gemini/\n trustedFolders.json\n\nno changes added to commit (use \"git add\" and/or \"git commit -a\")\ndiff --git a/GEMINI.md b/GEMINI.md\nindex ea2643a..c29ab5b 100644\n--- a/GEMINI.md\n+++ b/GEMINI.md\n@@ -1,40 +1,12 @@\n-## Core Guidelines\n+## Core CLI Guidelines\n \n - **Persona:** Assume the user is a 30-year veteran system administrator. Skip explanations of basic concepts. Be direct, technical, and concise.\n-- **Direct Action:** Edit files directly. Do not commit or branch autonomously; always ask for permission first. Proactively suggest logical points for atomic commits and suggest new branches if the work deviates from the current scope or a significant task shift occurs.\n+- **Direct Action:** Edit files directly. Do not commit or branch autonomously; always ask for permission first.\n - **Code Comments:** Use them sparingly. Only explain complex \"why\" logic. Never explain \"what\" the code is doing.\n-- **Project Discovery:**\n- - Always check for a `Makefile` or `scripts/` directory first for build/test/lint commands.\n- - Identify language stacks via manifests (`package.json`, `go.mod`, `Cargo.toml`, `requirements.txt`).\n-- **Language Defaults:**\n- - **Ruby:** Assume `bundler`.\n- - **Python:** Assume `virtualenv`.\n- - **Node.js:** Check for `package-lock.json` (npm) vs `yarn.lock`.\n- - **Go:** Assume `go modules`.\n-- **Standards & Testing:**\n- - Mimic local indentation (tabs vs spaces) and naming conventions exactly.\n- - Always write a test if a framework exists. Match the existing style (e.g., table-driven tests in Go).\n- - Respect `.gitignore` and `.editorconfig`.\n-- **Shell Usage:** Prefer non-interactive commands with silent/quiet flags (e.g., `apt-get -y`, `npm install --quiet`).\n-- **Git Branching:**\n- - **Discovery:** On new repo entry, ask \"Does this repo require feature branches?\". Record answer in the repo's `GEMINI.md`.\n- - Use a new branch for each feature or bug fix.\n- - include ticket/issue number in branch name if available (e.g., `123-add-login`).\n- - Naming convention: `description` (e.g., `add-login`, `memory-leak`).\n- - Branch from the default branch (`main` or `master`) and keep branches short-lived.\n- - Rebase from the default branch frequently to avoid conflicts.\n-- **Git Worktrees:**\n- - Suggest `git worktree` for parallel tasks or frequent context switching.\n- - **Discovery:** On new repo entry, ask \"Is this repo suitable for worktrees?\". Record answer in the repo's `GEMINI.md`.\n-- **Git Safety & History:**\n- - **Pre-commit:** Always run `git diff` (or `git diff --staged`) to verify changes before asking to commit.\n- - **Force Push:** Permitted *only* on private feature branches (`--force-with-lease`). Never on shared/main branches.\n- - **Conflicts:** If a rebase/merge encounters complex conflicts, abort and ask for guidance.\n- - **Cleanup:** Squash \"wip\" or \"fix typo\" commits into the main feature commit before final merge instructions.\n-- **Git Commits:**\n- - Use present tense, imperative mood (e.g., `resolve memory leak`).\n- - Keep summary <= 50 chars; wrap body at 72 chars.\n- - Explain _why_ in the body, not _what_.\n- - Reference issue/ticket numbers if available (e.g., `Fixes #456`).\n- - Keep commits atomic; one logical change per commit.\n- - Separate whitespace and linting changes into their own commits, distinct from functional logic changes.\n+- **Project Discovery:** Always check for a `Makefile` or `scripts/` directory first for build/test/lint commands. Identify language stacks via manifests (`package.json`, `go.mod`, etc.).\n+- **Engineering Standards:** Mimic local indentation (tabs vs spaces) and naming conventions exactly. Respect `.editorconfig` and `.gitignore`.\n+- **Shell Usage:** Prefer non-interactive commands with silent/quiet flags (e.g., `npm install --quiet`).\n+- **Safety:** Always run `git diff` (or `git diff --staged`) to verify changes before asking to commit.\n+\n+## dxw Standards\n+@./DXW.md\ncommit 23cc78aa98f4f5ad7b56c87cfcf9d7fea4bc4a5b (HEAD -> main)\nAuthor: bob walker <bob@randomness.org.uk>\nDate: Tue Feb 24 18:03:22 2026 +0000\n\n More sessions\n\ncommit eb5bd4a9296693719d5423c42c3d178b127ea065 (origin/main)\nAuthor: bob walker <bob@randomness.org.uk>\nDate: Mon Feb 16 12:19:00 2026 +0000\n\n Add gemini chat history to git\n\ncommit 128f1b99446ba6661b4c80fdada4acc7ef9a50b0\nAuthor: bob walker <bob@randomness.org.uk>\nDate: Mon Feb 16 12:13:39 2026 +0000\n\n set some more settings\nProcess Group PGID: 80192"
}
}
}
],
"status": "success",
"timestamp": "2026-02-24T18:11:02.739Z",
"resultDisplay": "On branch main\nYour branch is ahead of 'origin/main' by 1 commit.\n (use \"git push\" to publish your local commits)\n\nChanges not staged for commit:\n (use \"git add <file>...\" to update what will be committed)\n (use \"git restore <file>...\" to discard changes in working directory)\n modified: GEMINI.md\n\nUntracked files:\n (use \"git add <file>...\" to include in what will be committed)\n .gitignore\n DXW.md\n antigravity/\n extensions/\n google_accounts.json\n history/\n installation_id\n projects.json\n state.json\n tmp/gemini/\n trustedFolders.json\n\nno changes added to commit (use \"git add\" and/or \"git commit -a\")\ndiff --git a/GEMINI.md b/GEMINI.md\nindex ea2643a..c29ab5b 100644\n--- a/GEMINI.md\n+++ b/GEMINI.md\n@@ -1,40 +1,12 @@\n-## Core Guidelines\n+## Core CLI Guidelines\n \n - **Persona:** Assume the user is a 30-year veteran system administrator. Skip explanations of basic concepts. Be direct, technical, and concise.\n-- **Direct Action:** Edit files directly. Do not commit or branch autonomously; always ask for permission first. Proactively suggest logical points for atomic commits and suggest new branches if the work deviates from the current scope or a significant task shift occurs.\n+- **Direct Action:** Edit files directly. Do not commit or branch autonomously; always ask for permission first.\n - **Code Comments:** Use them sparingly. Only explain complex \"why\" logic. Never explain \"what\" the code is doing.\n-- **Project Discovery:**\n- - Always check for a `Makefile` or `scripts/` directory first for build/test/lint commands.\n- - Identify language stacks via manifests (`package.json`, `go.mod`, `Cargo.toml`, `requirements.txt`).\n-- **Language Defaults:**\n- - **Ruby:** Assume `bundler`.\n- - **Python:** Assume `virtualenv`.\n- - **Node.js:** Check for `package-lock.json` (npm) vs `yarn.lock`.\n- - **Go:** Assume `go modules`.\n-- **Standards & Testing:**\n- - Mimic local indentation (tabs vs spaces) and naming conventions exactly.\n- - Always write a test if a framework exists. Match the existing style (e.g., table-driven tests in Go).\n- - Respect `.gitignore` and `.editorconfig`.\n-- **Shell Usage:** Prefer non-interactive commands with silent/quiet flags (e.g., `apt-get -y`, `npm install --quiet`).\n-- **Git Branching:**\n- - **Discovery:** On new repo entry, ask \"Does this repo require feature branches?\". Record answer in the repo's `GEMINI.md`.\n- - Use a new branch for each feature or bug fix.\n- - include ticket/issue number in branch name if available (e.g., `123-add-login`).\n- - Naming convention: `description` (e.g., `add-login`, `memory-leak`).\n- - Branch from the default branch (`main` or `master`) and keep branches short-lived.\n- - Rebase from the default branch frequently to avoid conflicts.\n-- **Git Worktrees:**\n- - Suggest `git worktree` for parallel tasks or frequent context switching.\n- - **Discovery:** On new repo entry, ask \"Is this repo suitable for worktrees?\". Record answer in the repo's `GEMINI.md`.\n-- **Git Safety & History:**\n- - **Pre-commit:** Always run `git diff` (or `git diff --staged`) to verify changes before asking to commit.\n- - **Force Push:** Permitted *only* on private feature branches (`--force-with-lease`). Never on shared/main branches.\n- - **Conflicts:** If a rebase/merge encounters complex conflicts, abort and ask for guidance.\n- - **Cleanup:** Squash \"wip\" or \"fix typo\" commits into the main feature commit before final merge instructions.\n-- **Git Commits:**\n- - Use present tense, imperative mood (e.g., `resolve memory leak`).\n- - Keep summary <= 50 chars; wrap body at 72 chars.\n- - Explain _why_ in the body, not _what_.\n- - Reference issue/ticket numbers if available (e.g., `Fixes #456`).\n- - Keep commits atomic; one logical change per commit.\n- - Separate whitespace and linting changes into their own commits, distinct from functional logic changes.\n+- **Project Discovery:** Always check for a `Makefile` or `scripts/` directory first for build/test/lint commands. Identify language stacks via manifests (`package.json`, `go.mod`, etc.).\n+- **Engineering Standards:** Mimic local indentation (tabs vs spaces) and naming conventions exactly. Respect `.editorconfig` and `.gitignore`.\n+- **Shell Usage:** Prefer non-interactive commands with silent/quiet flags (e.g., `npm install --quiet`).\n+- **Safety:** Always run `git diff` (or `git diff --staged`) to verify changes before asking to commit.\n+\n+## dxw Standards\n+@./DXW.md\ncommit 23cc78aa98f4f5ad7b56c87cfcf9d7fea4bc4a5b (HEAD -> main)\nAuthor: bob walker <bob@randomness.org.uk>\nDate: Tue Feb 24 18:03:22 2026 +0000\n\n More sessions\n\ncommit eb5bd4a9296693719d5423c42c3d178b127ea065 (origin/main)\nAuthor: bob walker <bob@randomness.org.uk>\nDate: Mon Feb 16 12:19:00 2026 +0000\n\n Add gemini chat history to git\n\ncommit 128f1b99446ba6661b4c80fdada4acc7ef9a50b0\nAuthor: bob walker <bob@randomness.org.uk>\nDate: Mon Feb 16 12:13:39 2026 +0000\n\n set some more settings",
"displayName": "Shell",
"description": "This tool executes a given shell command as `bash -c <command>`. To run a command in the background, set the `is_background` parameter to true. Do NOT use `&` to background commands. Command is executed as a subprocess that leads its own process group. Command process group can be terminated as `kill -- -PGID` or signaled as `kill -s SIGNAL -- -PGID`.\n\n Efficiency Guidelines:\n - Quiet Flags: Always prefer silent or quiet flags (e.g., `npm install --silent`, `git --no-pager`) to reduce output volume while still capturing necessary information.\n - Pagination: Always disable terminal pagination to ensure commands terminate (e.g., use `git --no-pager`, `systemctl --no-pager`, or set `PAGER=cat`).\n\n The following information is returned:\n\n Output: Combined stdout/stderr. Can be `(empty)` or partial on error and for any unwaited background processes.\n Exit Code: Only included if non-zero (command failed).\n Error: Only included if a process-level error occurred (e.g., spawn failure).\n Signal: Only included if process was terminated by a signal.\n Background PIDs: Only included if background processes were started.\n Process Group PGID: Only included if available.",
"renderOutputAsMarkdown": false
}
]
},
{
"id": "32d365ab-db34-4ed4-87ed-99f79cdbe99d",
"timestamp": "2026-02-24T18:11:07.586Z",
"type": "gemini",
"content": "I'll stage both `GEMINI.md` and `DXW.md` for the commit.",
"thoughts": [
{
"subject": "Reviewing File Dependencies",
"description": "I'm currently focused on the file interactions. I've noted the modifications to `GEMINI.md`, specifically the simplified core guidelines. I'm now zeroing in on the newly added reference to `@./DXW.md` within `GEMINI.md`.",
"timestamp": "2026-02-24T18:11:07.284Z"
},
{
"subject": "Assessing Commit Readiness",
"description": "I'm now contemplating staging. I've confirmed `GEMINI.md`'s update with the simplified core guidelines. The reference to `@./DXW.md` feels significant, and it's currently untracked. Staging both files for the commit seems like the appropriate next step.",
"timestamp": "2026-02-24T18:11:07.355Z"
}
],
"tokens": {
"input": 186547,
"output": 56,
"cached": 4009,
"thoughts": 89,
"tool": 0,
"total": 186692
},
"model": "gemini-3-flash-preview",
"toolCalls": [
{
"id": "run_shell_command_1771956667582_0",
"name": "run_shell_command",
"args": {
"description": "Staging GEMINI.md and DXW.md.",
"command": "git add GEMINI.md DXW.md"
},
"result": [
{
"functionResponse": {
"id": "run_shell_command_1771956667582_0",
"name": "run_shell_command",
"response": {
"output": "Output: (empty)\nProcess Group PGID: 80202"
}
}
}
],
"status": "success",
"timestamp": "2026-02-24T18:11:11.926Z",
"resultDisplay": "",
"displayName": "Shell",
"description": "This tool executes a given shell command as `bash -c <command>`. To run a command in the background, set the `is_background` parameter to true. Do NOT use `&` to background commands. Command is executed as a subprocess that leads its own process group. Command process group can be terminated as `kill -- -PGID` or signaled as `kill -s SIGNAL -- -PGID`.\n\n Efficiency Guidelines:\n - Quiet Flags: Always prefer silent or quiet flags (e.g., `npm install --silent`, `git --no-pager`) to reduce output volume while still capturing necessary information.\n - Pagination: Always disable terminal pagination to ensure commands terminate (e.g., use `git --no-pager`, `systemctl --no-pager`, or set `PAGER=cat`).\n\n The following information is returned:\n\n Output: Combined stdout/stderr. Can be `(empty)` or partial on error and for any unwaited background processes.\n Exit Code: Only included if non-zero (command failed).\n Error: Only included if a process-level error occurred (e.g., spawn failure).\n Signal: Only included if process was terminated by a signal.\n Background PIDs: Only included if background processes were started.\n Process Group PGID: Only included if available.",
"renderOutputAsMarkdown": false
}
]
},
{
"id": "4b1aef4f-b549-42a9-926c-d93318b06cd0",
"timestamp": "2026-02-24T18:11:14.507Z",
"type": "gemini",
"content": "I'll commit the changes with a message that reflects the updates to the CLI guidelines and the inclusion of dxw standards.",
"thoughts": [
{
"subject": "Analyzing recent commits",
"description": "I've been examining the recent commits. They're primarily focused on refining core CLI guidelines and incorporating dxw standards. It seems like a consolidation of best practices is underway, which I find quite promising.",
"timestamp": "2026-02-24T18:11:14.335Z"
}
],
"tokens": {
"input": 186622,
"output": 62,
"cached": 184324,
"thoughts": 29,
"tool": 0,
"total": 186713
},
"model": "gemini-3-flash-preview",
"toolCalls": [
{
"id": "run_shell_command_1771956674500_0",
"name": "run_shell_command",
"args": {
"command": "git commit -m \"Update GEMINI.md guidelines and add DXW.md standards\"",
"description": "Committing the staged files."
},
"result": [
{
"functionResponse": {
"id": "run_shell_command_1771956674500_0",
"name": "run_shell_command",
"response": {
"output": "Output: [main cb88caf] Update GEMINI.md guidelines and add DXW.md standards\n 2 files changed, 72 insertions(+), 37 deletions(-)\n create mode 100644 DXW.md\nProcess Group PGID: 80241"
}
}
}
],
"status": "success",
"timestamp": "2026-02-24T18:11:25.499Z",
"resultDisplay": "[main cb88caf] Update GEMINI.md guidelines and add DXW.md standards\n 2 files changed, 72 insertions(+), 37 deletions(-)\n create mode 100644 DXW.md",
"displayName": "Shell",
"description": "This tool executes a given shell command as `bash -c <command>`. To run a command in the background, set the `is_background` parameter to true. Do NOT use `&` to background commands. Command is executed as a subprocess that leads its own process group. Command process group can be terminated as `kill -- -PGID` or signaled as `kill -s SIGNAL -- -PGID`.\n\n Efficiency Guidelines:\n - Quiet Flags: Always prefer silent or quiet flags (e.g., `npm install --silent`, `git --no-pager`) to reduce output volume while still capturing necessary information.\n - Pagination: Always disable terminal pagination to ensure commands terminate (e.g., use `git --no-pager`, `systemctl --no-pager`, or set `PAGER=cat`).\n\n The following information is returned:\n\n Output: Combined stdout/stderr. Can be `(empty)` or partial on error and for any unwaited background processes.\n Exit Code: Only included if non-zero (command failed).\n Error: Only included if a process-level error occurred (e.g., spawn failure).\n Signal: Only included if process was terminated by a signal.\n Background PIDs: Only included if background processes were started.\n Process Group PGID: Only included if available.",
"renderOutputAsMarkdown": false
}
]
},
{
"id": "f13844e8-5578-4424-877a-233c4da8989d",
"timestamp": "2026-02-24T18:11:27.813Z",
"type": "gemini",
"content": "I'll do a final check of the repository status to confirm everything is in order.",
"thoughts": [
{
"subject": "Confirming the Status",
"description": "I've just confirmed the commit's successful completion. I'm satisfied that everything looks good on this end. Time to move on to the next task.",
"timestamp": "2026-02-24T18:11:27.615Z"
}
],
"tokens": {
"input": 186751,
"output": 39,
"cached": 184266,
"thoughts": 17,
"tool": 0,
"total": 186807
},
"model": "gemini-3-flash-preview",
"toolCalls": [
{
"id": "run_shell_command_1771956687806_0",
"name": "run_shell_command",
"args": {
"command": "git status",
"description": "Verifying the current git status."
},
"result": [
{
"functionResponse": {
"id": "run_shell_command_1771956687806_0",
"name": "run_shell_command",
"response": {
"output": "Output: On branch main\nYour branch is ahead of 'origin/main' by 2 commits.\n (use \"git push\" to publish your local commits)\n\nUntracked files:\n (use \"git add <file>...\" to include in what will be committed)\n .gitignore\n antigravity/\n extensions/\n google_accounts.json\n history/\n installation_id\n projects.json\n state.json\n tmp/gemini/\n trustedFolders.json\n\nnothing added to commit but untracked files present (use \"git add\" to track)\nProcess Group PGID: 80258"
}
}
}
],
"status": "success",
"timestamp": "2026-02-24T18:11:29.764Z",
"resultDisplay": "On branch main\nYour branch is ahead of 'origin/main' by 2 commits.\n (use \"git push\" to publish your local commits)\n\nUntracked files:\n (use \"git add <file>...\" to include in what will be committed)\n .gitignore\n antigravity/\n extensions/\n google_accounts.json\n history/\n installation_id\n projects.json\n state.json\n tmp/gemini/\n trustedFolders.json\n\nnothing added to commit but untracked files present (use \"git add\" to track)",
"displayName": "Shell",
"description": "This tool executes a given shell command as `bash -c <command>`. To run a command in the background, set the `is_background` parameter to true. Do NOT use `&` to background commands. Command is executed as a subprocess that leads its own process group. Command process group can be terminated as `kill -- -PGID` or signaled as `kill -s SIGNAL -- -PGID`.\n\n Efficiency Guidelines:\n - Quiet Flags: Always prefer silent or quiet flags (e.g., `npm install --silent`, `git --no-pager`) to reduce output volume while still capturing necessary information.\n - Pagination: Always disable terminal pagination to ensure commands terminate (e.g., use `git --no-pager`, `systemctl --no-pager`, or set `PAGER=cat`).\n\n The following information is returned:\n\n Output: Combined stdout/stderr. Can be `(empty)` or partial on error and for any unwaited background processes.\n Exit Code: Only included if non-zero (command failed).\n Error: Only included if a process-level error occurred (e.g., spawn failure).\n Signal: Only included if process was terminated by a signal.\n Background PIDs: Only included if background processes were started.\n Process Group PGID: Only included if available.",
"renderOutputAsMarkdown": false
}
]
},
{
"id": "93f0ab4c-6dfe-4a60-9ad2-59b36801f3c6",
"timestamp": "2026-02-24T18:11:32.832Z",
"type": "gemini",
"content": "I've committed the changes to `GEMINI.md` and `DXW.md`.",
"thoughts": [
{
"subject": "Considering Recent Commits",
"description": "I've just reviewed the recent commits. It appears that `GEMINI.md` and `DXW.md` are both finalized and successfully committed. All systems are go at this stage. I am now proceeding with other tasks.",
"timestamp": "2026-02-24T18:11:32.720Z"
}
],
"tokens": {
"input": 186937,
"output": 20,
"cached": 184221,
"thoughts": 21,
"tool": 0,
"total": 186978
},
"model": "gemini-3-flash-preview"
}
]
}
Reference in New Issue View Git Blame Copy Permalink