o#jcPUdZddlZddlZddlZddlZddlmZmZddlm Z e e jjdZ eGddZeGdd ZeGd d Zged d dddddddgd edddddddgdedd d!d"d#d$d%dd&' ed(d)d*dd#d+d,dd-gd. ed/d0d1d"d#d2d3d4d5ged6d7d8d"d#d9d:d;dd?d@ddAdBdCddDgdE edFdGdHd"dAdIdJdKdLgdM edNdOdPd"dAdQdRddSgdE edTdUdVd"d#dWdXdKdYgdZ ed[d\d]d"d#d^d_dd`gda edbdcddd"d#dedfddgd4dhg edidjdkd"dldmdnddogdM edpdqdrddsdtdudKdvgdM edwdxdydddzd{dd|gd} ed~ddd"dddddgd} edddddddddgd edddd"dAddddgdM edddddddddgd eddddd#ddddgd edddddAddddgd edddddAdddKdgdM eddddd#ddddgd eddddd#ddddd4dhg eddddd#ddddgd edddd"dddddgdǢ edddd"ddddKdgd΢ eddddd#dddKdgd edddddddddgdۢ edddddAddddgdE edddddAddddgdM eddddd#ddddgd edddddAddddgdM eddddd#ddddgd edddddAddddgdM edddd"d#ddddgd edddd"dAddddgdM edd d d"d#d d dKd gd edddd"dAdddKdgd edddd"ddddddg eddd dd#d!d"dd#gd ed$d%d ddAd&d"dd#gdM ed'd(d)d"d#d*d+dd,gd ed-d.d/d"d#d0d1dd2gd3 ed4d5d6dd7d8d9dd:' ed;d<d=dd7d>d?d;d@' edAdBdCd"d7dDdEddF' edGdHdIdddJdKddLddMg edNdOdPd"dQdRdSddT' edUdVdWd"dQdXdYddZ' ed[d\d]dd^d_d`ddaddMg edbdcdddd^dedfddgddMg edhdidjdd^dkdlddmddMg edndodpdd#dqdrdKdsgd edtdudvddAdwdxdKdygdM edzd{d|dd#d}d~ddgd edddddAddddgdM eddddddddd' eddddddddd' eddddddddd' eddddddddd' eddddd#dddKdgd edddddAdddKdgdM edddd"ddddKdgd edddd"dddddddg edddd"ddddd' eddddd#dĐdddƐdǐȫ edɐdʐdd"dAd̐dddά' edϐdАdd"dҐdӐddKdՐd֐ȫ edאdؐdd"dldڐdddܐdݐȫ edސdߐddd#dddKddȫ edddddҐdddKd' edddddddddgd Zedddgdgdggdeddddd#ddgeddddgddggdedddd"d#d d dKd ' ed d ddd#dddd' gedddgddggdeddddd#dddd' gedddggd gd!gd"ed#d$d%d"d&d'd(dd)' ed*d+d,ddd-d(dd.' ged/d0d1d2gd1d3gd4gdd2ggd5ed6d7d8d"dAd9d:dd;' ed<d=d>d"dAd?d@ddA' gedBdCdDggdEgdFedGdHdIddldJdKddL' gedMdNdOggdPgdFedQdRdSd"dsdTdUddV' gedWdXdYgdZggd5ed[d\d]d"ddddKd^' ged_d`gdadbggd5edcddded"dAdIdJdKdL' edfdgdhd"dAddddi' gedjdkdlgdmdnggdodpggdqdrggdsedtdudvddҐdwdxedydzd{d"dQd|d}dKd~' geddgdddgddgddgddggdeddddd#ddgedddgdgddggdedddd"ddddd' eddddd#dddd' gg Zeeed<dZdZdZdZddZddddZddddZdZdZdZdZdZ deefdZ!da"edzed<defdZ#defdZ$de%dee&e%e'ffdZ(de%dede)fdZ*de%de deefdZ+de de de,e%eeffdZ-dZ.e/dk(rej`e.yy(um Error Pattern Detector — Dynamic Bug Pattern Scanner Scans the codebase for patterns that have caused bugs before. When a new bug is fixed, add a pattern rule to the PATTERNS list so the scanner catches similar issues elsewhere. Stack-agnostic scanner engine with universal starter patterns. Add project-specific patterns to the PATTERNS list as bugs are discovered. Usage: detect_error_patterns.py # Full scan detect_error_patterns.py --staged # Staged files only detect_error_patterns.py --severity high # Filter by severity detect_error_patterns.py --json # JSON output (for CI) detect_error_patterns.py --summary # One-line summary detect_error_patterns.py --list-rules # List all pattern rules detect_error_patterns.py --analyze "error" # Reactive error analysis detect_error_patterns.py --analyze-log f.log # Analyze log file for errors detect_error_patterns.py --list-knowledge # List knowledge base entries Exit codes: 0 — No high-severity findings 1 — High-severity findings detected 2 — Script error N) dataclassfield)PathceZdZUdZeed<eed<eed<eed<eed<eed<dZeed <d Zeed <dZ eed <dZ eed <e e Z e ed<e e Ze ed<y) PatternRulez!A single error pattern to detect.idname descriptionseverity file_globpatternnegative_patternr context_linesfix_hintincidentdefault_factoryexamples exclude_pathsN)__name__ __module__ __qualname____doc__str__annotations__rrintrrrlistrr])=[=](?!=)\sz2eslint-disable|# intentional|null\s*==\s|==\s*nullzQUse === for strict equality. Exception: == null to check both null and undefined.zEP-071z!File open without context managerzNUsing open() without 'with' risks leaving file handles unclosed on exceptions.z^\s*\w+\s*=\s*open\s*\(z/# managed|# closed below|contextmanager|closingz?Use 'with open(...) as f:' to ensure the file is always closed.)r6r7rAr@zEP-072zWildcard importzY'from x import *' pollutes the namespace and makes it impossible to trace symbol origins.z^\s*from\s+\S+\s+import\s+\*z# noqa|__init__|# re-exportz:Import specific names: 'from module import ClassA, func_b')r6r7z __init__.pyrAzEP-073zIdentity check on non-singletonzSUsing 'is' to compare strings, numbers, or lists checks object identity, not value.z\bis\s+(?:["']\w|[0-9]|\[|\()z|\.)\s*(?:<\w+)(?![^>]*key\s*=)zkey=|# no key neededzRAdd a unique key prop to each element rendered in a .map(): zEP-075zDirect state mutation in ReactzUMutating state directly (push, splice, assignment) bypasses React's change detection.z**/*.{tsx,jsx,ts,js}zW(?:state\.\w+\s*=\s|state\.\w+\.push\s*\(|state\.\w+\.splice\s*\(|state\.\w+\.pop\s*\()zKuseState|useReducer|this\.setState|# immutable copy|\.slice\(\)|\.\.\.statezWUse setState/useState setter with a new object/array: setState(prev => [...prev, item])zEP-076zSELECT * in production queryzUSELECT * fetches unnecessary columns, wastes bandwidth, and breaks on schema changes.z((?:SELECT|select)\s+\*\s+(?:FROM|from)\sz<# ok|COUNT\(\*\)|count\(\*\)|test|migration|-- select|EXISTSz8List specific columns: SELECT id, name, email FROM users)r6r7 migrationalembicr:zEP-077zUnbounded query (no LIMIT)zLQueries without LIMIT can return millions of rows and crash the application.zq(?:SELECT|select)\s+(?!\*\s*FROM.*(?:LIMIT|limit|TOP|top|FETCH|fetch)).*(?:FROM|from)\s+\w+\s*(?:WHERE|where|;|$)zhLIMIT|limit|TOP|top|FETCH|fetch|COUNT|count|EXISTS|exists|migration|\.first\(|\.one\(|\.get\(|\.scalar\(zSAdd LIMIT clause to prevent unbounded result sets. ORM: use .limit() or pagination.zEP-078z'Hardcoded host/port in application codezRHardcoded localhost or port numbers in non-config files break across environments.z**/*.{py,ts,tsx,js,jsx}z*["'](?:localhost|127\.0\.0\.1):\d{4,5}["']zV# config|# default|os\.environ|getenv|process\.env|\.env|test|fixture|example|fallbackz?Use environment variables or config files for host/port values.)r6r7rAr:z.envconfigzEP-079z%Async function without error handlingzRAsync arrow functions in event handlers without try/catch silently swallow errors.z/(?:on\w+|addEventListener)\s*(?:=|\()\s*async\sz(try\s*\{|\.catch|# handled|ErrorBoundaryz@Wrap async event handlers in try/catch or use an error boundary.zEP-080zRegex denial of service riskzXNested quantifiers like (a+)+ or (a|a)* cause exponential backtracking on crafted input.z[(?:re\.compile|new\s+RegExp|/)\s*\(?["'/].*(?:\([^)]*[+*]\)\s*[+*]|\([^)]*\|[^)]*\)\s*[+*])z4# safe|# bounded|# validated input|atomic|possessivez[Avoid nested quantifiers. Use atomic groups or rewrite the pattern to prevent backtracking.)r6r7r:zEP-030zSQL string concatenationzRBuilding SQL queries with string concatenation or f-strings enables SQL injection.z[(?:execute|cursor\.execute|\.raw|\.extra)\s*\(\s*(?:f["']|["'].*%s|["'].*\+|["'].*\.format)z$# safe|# parameterized|noqa|sanitizezUUse parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [user_id]))r6r7rIrJzEP-031z SQL string concatenation (JS/TS)zSBuilding SQL queries with template literals or concatenation enables SQL injection.z:(?:\.query|\.execute|\.raw)\s*\(\s*(?:`[^`]*\$\{|['"].*\+)z+parameterized|prepared|placeholder|sanitizezNUse parameterized queries: db.query('SELECT * FROM t WHERE id = $1', [userId]))rCrDrEr:rIzEP-032zDangerous HTML injectionzTUsing dangerouslySetInnerHTML or innerHTML without sanitization enables XSS attacks.z+(?:dangerouslySetInnerHTML|\.innerHTML\s*=)z+sanitize|DOMPurify|purify|escape|# safe|xsszGSanitize HTML with DOMPurify before injecting: DOMPurify.sanitize(html)zEP-033zShell injection riskzFUsing shell=True with user-controlled input enables command injection.zPsubprocess\.(?:call|run|Popen|check_output|check_call)\s*\([^)]*shell\s*=\s*Truez-# safe|# trusted|# no user input|shlex\.quotezCUse shell=False with a list of args, or sanitize with shlex.quote())r6r7rAzEP-034zos.system usagezDos.system() runs commands in a shell and is vulnerable to injection.z\bos\.system\s*\(z# safe|# trustedz=Use subprocess.run() with shell=False and a list of argumentszEP-035zUnsafe deserializationzGpickle/shelve/yaml.load can execute arbitrary code from untrusted data.zu(?:pickle\.loads?\s*\(|shelve\.open\s*\(|yaml\.load\s*\([^)]*(?:Loader\s*=\s*yaml\.(?:Unsafe|Full)Loader|(?!Loader)))z$# trusted|SafeLoader|yaml\.safe_loadzMUse yaml.safe_load(), json, or a safe serialization format for untrusted datazEP-036zInsecure HTTP URLzDUsing http:// instead of https:// transmits data without encryption.zV["']http://(?!localhost|127\.0\.0\.1|0\.0\.0\.0|::1|\[::1\]|example\.com|example\.org)z:# http ok|# local|# test|redirect.*https|upgrade.*insecurez@Use https:// for all external URLs to ensure encrypted transport)r6r7r:r;r>lock CHANGELOGzEP-037z!Permissive CORS (wildcard origin)z@Allow-Origin: * with credentials exposes the API to any website.zX(?:Access-Control-Allow-Origin|allow_origins|cors_origins|CORS_ORIGIN)\s*[:=]\s*["'*]?\*z.# dev only|# local|development|localhost|DEBUGz?Restrict CORS to specific trusted origins instead of wildcard *)r6r:r;zEP-038zPath traversal riskzUJoining user input into file paths without validation enables path traversal attacks.zT(?:os\.path\.join|Path)\s*\([^)]*(?:request\.|user_|input|param|query|args\[|form\[)z?resolve\(\)|realpath|abspath|# validated|# safe|secure_filenamezSValidate paths with Path.resolve() and check they stay within the allowed directoryzEP-039zHardcoded JWT/signing secretzKJWT secrets in source code can be extracted to forge authentication tokens.zK(?:SECRET_KEY|JWT_SECRET|SIGNING_KEY|jwt_secret)\s*[:=]\s*["'][^"']{8,}["']zOexample|placeholder|test|mock|change.?me|your[_-]|TODO|os\.environ|getenv|env\(zDLoad signing secrets from environment variables or a secrets manager)r6r7r:r; .env.examplezEP-040zDynamic code execution (JS/TS)zLeval() and new Function() execute arbitrary code and are frequent RCE sinks.z\b(?:eval|new\s+Function)\s*\(z/eslint-disable|# safe|# trusted|webpack|bundlerzLRefactor to avoid dynamic code execution. Use JSON.parse() for data parsing.zEP-041zNode.js command injection sinkzMchild_process.exec() runs commands in a shell and is vulnerable to injection.z%child_process\.(?:exec|execSync)\s*\(z)# safe|# trusted|# no user input|execFilezLUse child_process.execFile() or spawn() with an args array instead of exec()zEP-042z!JWT signature verification bypasszIDecoding JWT tokens without verifying the signature allows token forgery.z_jwt\.decode\s*\([^)]*(?:verify\s*=\s*False|options\s*=\s*\{[^}]*"verify_signature"\s*:\s*False)z'# intentional|# public claims only|testzJAlways verify JWT signatures: jwt.decode(token, key, algorithms=['HS256'])zEP-042bzJWT 'none' algorithm (JS/TS)zJAllowing the 'none' algorithm in JWT verification permits unsigned tokens.z%algorithms\s*:\s*\[[^\]]*['"]none['"]z# intentional|testzRNever allow the 'none' algorithm in JWT verification. Specify explicit algorithms.zEP-043z%TLS certificate verification disabledzLDisabling TLS verification exposes connections to man-in-the-middle attacks.z;(?:verify\s*=\s*False|CERT_NONE|check_hostname\s*=\s*False)z,# dev only|# localhost|# self-signed ok|testzFNever disable TLS verification in production. Use proper certificates.zEP-043bz!TLS verification disabled (JS/TS)zM(?:rejectUnauthorized\s*:\s*false|NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['\"]?0)zEP-049z"Weak cryptographic hash (MD5/SHA1)zHMD5 and SHA1 are broken for security purposes (collisions demonstrated).zhashlib\.(?:md5|sha1)\s*\(z?# non-security|# checksum only|# fingerprint|# cache key|# etagzIUse hashlib.sha256() or hashlib.sha3_256() for security-sensitive hashing)r6r7rIzEP-049bzWeak cryptographic hash (JS/TS)z&createHash\s*\(\s*['"](?:md5|sha1)['"]z7Use createHash('sha256') for security-sensitive hashingzEP-050z$Insecure randomness for security usezPUsing Math.random() or Python's random module for tokens/secrets is predictable.z7random\.(?:random|randint|choice|randrange|sample)\s*\(z?# non-security|# game|# shuffle|# display|# ui|# test|secrets\.zTUse secrets.token_hex() or secrets.token_urlsafe() for security-sensitive randomness)r6r7rAseedr9zEP-050bz,Insecure randomness for security use (JS/TS)zNMath.random() is not cryptographically secure and produces predictable values.zMath\.random\s*\(\s*\)z@# non-security|# game|# animation|# ui|# display|# test|crypto\.zUUse crypto.randomUUID() or crypto.getRandomValues() for security-sensitive randomness)rCrDrEr:rFzEP-060zUnpinned dependency versionzaUsing '*' or 'latest' for dependency versions enables supply chain attacks via malicious updates.z**/package.jsonz#["']\s*:\s*["'](?:\*|latest|>=)["']z*peerDependencies|devDependencies.*optionalzBPin dependency versions exactly (e.g., '1.2.3') or use a lock filer:zEP-061z"Sensitive data in error/log outputz[Logging passwords, tokens, or keys in error messages can leak credentials (OWASP A10:2025).zl(?:print|logger?\.\w+|logging\.\w+)\s*\([^)]*(?:password|passwd|secret|token|api_key|private_key|credential)z2# safe|mask|redact|\*\*\*|sanitize|test|debug onlyzFNever log sensitive values. Redact or mask credentials before logging.zEP-061bz*Sensitive data in error/log output (JS/TS)zd(?:console\.\w+|logger?\.\w+)\s*\([^)]*(?:password|passwd|secret|token|apiKey|privateKey|credential)zEP-062z"Swallowed exception (except: pass)zVCatching exceptions and doing nothing hides bugs and security issues (OWASP A10:2025).z%except\s*(?:\w+\s*)?:\s*\n\s*pass\s*$z&# intentional|# best effort|# optionalzLAt minimum log the exception. Silent failures hide security-relevant errors.zEP-063z!Debug mode / stack trace exposurezURunning in debug mode in production exposes stack traces, config, and internal paths.zM(?:DEBUG\s*=\s*True|app\.run\([^)]*debug\s*=\s*True|FLASK_DEBUG\s*=\s*["']?1)z<# dev only|# local|# test|if.*development|os\.environ|getenvzEUse environment variables for debug flags. Never hardcode DEBUG=True.)r6r7rOzEP-090z&GitHub Action not pinned to commit SHAzZUsing tags like @v4 instead of full SHA lets attackers hijack the action via tag mutation.z**/.github/workflows/*.ymlz"uses:\s*[^@\s]+@(?![a-f0-9]{40}\b)z)actions/checkout@|actions/setup-|# pinnedzJPin actions to full commit SHA: uses: owner/action@abc123... (40-char hex)zEP-091z.Dangerous pull_request_target with PR checkoutzWChecking out PR head in pull_request_target runs untrusted code with write permissions.pull_request_targetz-# safe|# reviewed|ref:\s*\$\{\{\s*github\.shaz]Never checkout PR head code in pull_request_target workflows. Use pull_request event instead.zEP-092z)Overprivileged GitHub Actions permissionsuQwrite-all grants the GITHUB_TOKEN full write access — violates least privilege.zpermissions:\s*write-allz# required|# release workflowzZDeclare minimal permissions per job: permissions: { contents: read, pull-requests: write }zEP-093z(Remote script execution (curl pipe bash)z?Piping curl/wget output to bash executes untrusted remote code.z9(?:curl\s+[^|\n]+|wget\s+-qO-\s+\S+)\s*\|\s*(?:bash|sh)\bz)# trusted|# official installer|# verifiedz@Download the script first, verify its checksum, then execute it.r;zEP-094z$Docker FROM uses mutable :latest tagz^Using :latest in Dockerfile means builds are not reproducible and may pull compromised images.z**/Dockerfile*z^\s*FROM\s+\S+:latest(?:\s|$)z# ok|# dev only|AS\s+builderzIPin to a specific version and digest: FROM python:3.12-slim@sha256:abc...zEP-095zDocker container runs as rootzORunning as root inside containers exposes the host to container escape attacks.z^\s*USER\s+root\bz)# build stage|# install only|AS\s+builderzBAdd 'USER nonroot' or 'USER 1000' before the final CMD/ENTRYPOINT.zEP-096zKubernetes privileged containeruMPrivileged containers have full host access — effectively root on the node.z**/*.{yml,yaml}z^\s*privileged:\s*true\bz(# required|# debug only|# init containerz^Remove privileged: true. Use specific capabilities instead: capabilities: { add: [NET_ADMIN] }zEP-097z+Kubernetes allowPrivilegeEscalation enabledzPAllows processes inside the container to gain more privileges than their parent.z&^\s*allowPrivilegeEscalation:\s*true\bz# required|# init containerz7Set allowPrivilegeEscalation: false in securityContext.zEP-098z Kubernetes hostPath volume mountu`hostPath volumes expose host filesystem to the container — path traversal and data theft risk.z ^\s*hostPath:z*# required|# /dev/|# socket|type:\s*Socketz:Use PersistentVolumeClaim or emptyDir instead of hostPath.zEP-099z/Potential SSRF (user-controlled URL in request)z_Passing user input directly as a URL to HTTP clients enables SSRF attacks on internal services.zV(?:requests|httpx|urllib)\.\w+\s*\([^)]*(?:request\.\w+|params\[|args\[|user_|input\()z2# validated|# allowlisted|urlparse|validators\.urlz^Validate and allowlist URLs before fetching. Block internal IPs (169.254.x.x, 10.x.x.x, etc.).zEP-099bzPotential SSRF (JS/TS)zIPassing user input directly as a URL to fetch/axios enables SSRF attacks.zH(?:fetch|axios\.\w+)\s*\([^)]*(?:req\.(?:query|body|params)|user_|input)z,# validated|# allowlisted|new URL|url\.parsezNValidate and allowlist URLs before fetching. Block internal/private IP ranges.zEP-100z)Mass assignment (unfiltered request body)zePassing the full request body to ORM create/update allows attackers to set any field (e.g., isAdmin).zP(?:\.create|\.update|\.filter)\s*\(\s*\*\*(?:request\.data|request\.json|kwargs)z0# validated|serializer|schema|form\.cleaned_datazJExplicitly list allowed fields. Use serializers/schemas to validate input.zEP-100bzMass assignment (JS/TS)zQPassing req.body directly to ORM create/update allows attackers to set any field.z1(?:\.create|\.update|\.insert)\s*\(\s*req\.body\bz(# validated|schema|validator|zod|joi|yupzADestructure only allowed fields: const { name, email } = req.bodyzEP-101z/Insecure .NET deserialization (BinaryFormatter)zXBinaryFormatter can execute arbitrary code from untrusted data. Deprecated by Microsoft.z**/*.csz\bBinaryFormatter\bz# trusted|# legacy ok|obsoletezQUse System.Text.Json or JsonSerializer. BinaryFormatter is officially deprecated.zEP-102z1Insecure Java deserialization (ObjectInputStream)zRJava native deserialization can execute arbitrary code via crafted object streams.z **/*.javaz-(?:new\s+ObjectInputStream|\.readObject\s*\()z7# trusted|ObjectInputFilter|ValidatingObjectInputStreamzSUse JSON/Protocol Buffers instead, or add ObjectInputFilter for class allowlisting.zEP-103zInsecure PHP deserializationzOPHP unserialize() can trigger __wakeup/__destruct for arbitrary code execution.z**/*.phpz\bunserialize\s*\(z%# trusted|allowed_classes\s*=>|# safezkUse json_decode() instead, or pass allowed_classes option: unserialize($data, ['allowed_classes' => false])zEP-104zInsecure Ruby deserializationzOMarshal.load and YAML.load can execute arbitrary Ruby code from untrusted data.z**/*.rbz3\b(?:Marshal\.load|YAML\.load|Psych\.unsafe_load)\bz%# trusted|safe_load|permitted_classesz4Use YAML.safe_load or JSON.parse for untrusted data.zEP-105z#LLM output passed to code executionzUExecuting LLM/model output as code or shell commands enables prompt injection to RCE.zo(?:subprocess|os\.system|exec|eval)\s*\([^)]*(?:response|completion|output|result|message|content|answer|reply)z(# sandboxed|# validated|# safe|test|mockz]Never execute LLM output directly. Validate, sandbox, or use structured tool calling instead.zEP-105bz+LLM output passed to code execution (JS/TS)zw(?:eval|new\s+Function|child_process\.exec)\s*\([^)]*(?:response|completion|output|result|message|content|answer|reply)zEP-106z$Untrusted input in LLM system promptzJInjecting user input into system prompts enables prompt injection attacks.zV(?:system|instructions?)\s*[:=].*(?:f["']|\.format\s*\(|%s|user_input|request\.|req\.)z5# sanitized|# validated|# escaped|xml_escape|templatezYIsolate user input in user messages with XML tags. Never interpolate into system prompts.)r6r7r:rDzEP-110zGo unsafe package usagezJThe unsafe package bypasses Go's type safety and memory safety guarantees.z**/*.goz'import\s+["']unsafe["']|unsafe\.Pointerz// cgo|// required|// ffizWAvoid unsafe unless interfacing with C code. Use encoding/binary for byte manipulation.r>rCzEP-111zGo open redirectzIUsing user input directly in http.Redirect enables open redirect attacks.z4http\.Redirect\s*\([^)]*r\.(URL|FormValue|Form\.Get)z// validated|// allowlistedz=Validate redirect URLs against an allowlist of trusted hosts.zEP-120z)dict.get() default bypassed by None valueudict.get('key', '').strip() crashes when key exists with None value — .get() only returns the default when the key is ABSENT, not when it's None.z}\.get\(\s*["'][^"']+["']\s*,\s*["'][^"']*["']\s*\)\s*\.\s*(?:strip|lower|upper|split|replace|startswith|endswith|format)\s*\(z,\bor\s+[\"']|if\s+\w+\s+is\s+not\s+None|noqauUse (d.get('key') or '').strip() instead of d.get('key', '').strip() — the 'or' pattern handles both missing keys AND None valuesu^dict.get('matrix_article', '').strip() → AttributeError: 'NoneType' has no attribute 'strip') r r r r r rrrrrzEP-120bz2Object property default bypassed by null/undefinedzRobj.key || '' does not protect against null when using .trim()/.toLowerCase() etc.zq\.\w+\s*\|\|\s*["'][^"']*["']\s*\)\s*\.\s*(?:trim|toLowerCase|toUpperCase|split|replace|startsWith|endsWith)\s*\(z\?\?|noqa|// safezPUse nullish coalescing: (obj.key ?? '').trim() instead of (obj.key || '').trim()zEP-121z)Docker container memory limit below 512MBzContainers with mem_limit under 512MB may OOM-kill dev servers (Next.js Turbopack, webpack-dev-server, etc.) silently with exit code 0 and no traceback.z**/docker-compose*.{yml,yaml}z1mem_limit:\s*(?:12[0-8]m|192m|25[0-6]m|[1-9]\d?m)z3# production|# optimized|redis|postgres|minio|nginxuSet mem_limit >= 512m for app containers, >= 2g for Node.js dev servers with Turbopack/webpack. Silent OOM kills show as exit code 0 with restart loops — check 'docker inspect' for OOMKilled.zVNext.js 16 Turbopack dev server OOM-killed at 256MB, crash-looped with no error outputzEP-122z/React state not included in API request payloadzState variable set via onChange/setState but never referenced in the fetch/post payload. The UI collects user input but silently discards it on submit.z-set\w+\s*\(\s*(?:\([^)]*\)\s*=>|prev\s*=>|\{)znoqa|// UI only|// display onlyzVerify every state variable populated by user input is included in the API request body. Search for the setter name and confirm its getter appears in the fetch/post call.zZcertidaoAssignments state collected from dropdown but never sent in finalize-multi payloadzEP-123z-HTTP 404 for optional resource instead of 204zReturning 404 for optional resources (thumbnails, avatars, previews) causes console errors and error tracking noise. Use 204 No Content for 'valid endpoint, no content available'.z(?:raise\s+HTTPException|return\s+JSONResponse)\s*\([^)]*(?:404|status_code\s*=\s*404)[^)]*(?:thumbnail|preview|avatar|icon|image)z# required|# must exist|noqazReturn 204 No Content instead of 404 for optional resources. Update frontend to handle: .then(r => r.ok && r.status !== 204 ? r.blob() : null)z]Thumbnail 404s flooding console after rolled-back transactions left ghost document referenceszEP-124z+Docker memswap_limit not matching mem_limitzWhen memswap_limit equals mem_limit, swap is effectively disabled. When memswap_limit is less than mem_limit, the container may behave unpredictably.zmemswap_limit:\s*(\S+)z# intentional|# no swap okzSet memswap_limit = 2x mem_limit to allow swap headroom, or omit to allow unlimited swap. Setting memswap_limit == mem_limit disables swap entirely, making OOM kills more likely.zEP-200zRCapacity bound multiplies count by unit instead of bounding the count (off-by-one)u~A size guard of the form `count * UNIT > MAX_BYTES` rejects the final partial unit: an input of exactly MAX_BYTES needs ceil(MAX_BYTES/UNIT) units, so count*UNIT exceeds MAX_BYTES and the guard wrongly rejects a legitimate max-size object. Bound the count directly against ceil(MAX_BYTES/UNIT). Surfaced by mutation testing in media::decrypt_media — the symmetric form is the fix.z**/*.rsz7\w*count\w*\s+as\s+u64\s*\*\s*\w+\s+as\s+u64\s*>\s*MAX_z1div_ceil|# off-by-one ok|bound the count directlyuBound the count directly: `count > MAX_BYTES.div_ceil(UNIT)` — keeps encrypt/decrypt size limits symmetric so a legitimately-encrypted max-size object still decrypts.)r6r7z/tests/zEK-001zImport/Module not foundmodulenotfounderror importerrorzno module namedpythonz EK-001-R1z"Missing dependency in requirementszIModule referenced in code but may be missing from requirements/pyproject.z^\s*(?:from|import)\s+(\w+)zOEnsure the module is installed and listed in requirements.txt or pyproject.toml)r r r r r rr)r r r,r-r.r/zEK-002zAttribute/Type error on Noneattributeerrornonetype typeerrornonez EK-002-R1z*Missing None guard before attribute accesszHAccessing attributes on a value that may be None without checking first.z"(?:\.get\([^)]*\)|= None).*\.\w+\(z$if\s+\w+\s+is\s+not\s+None|if\s+\w+:zNAdd a None check before accessing attributes: if obj is not None: obj.method()z EK-002-R2z"Function returning None implicitlyz?Functions without explicit return may return None unexpectedly.zFdef\s+\w+\s*\([^)]*\)\s*(?:->.*)?:\s*\n(?:(?:\s+.*\n)*?)(?=\ndef\s|\Z)zreturn\s+\S|->.*NonezPEnsure all code paths return a value, or add explicit '-> None' return type hintzEK-003z,SQLAlchemy async lazy-load (MissingGreenlet)missinggreenletz lazy loadasyncz EK-003-R1z6Missing selectinload/joinedload for async relationshipzQAccessing lazy-loaded relationships in async SQLAlchemy triggers MissingGreenlet.z](?:\.query|select)\s*\([^)]*\)(?!.*(?:selectinload|joinedload|subqueryload|lazyload|options))zAselectinload|joinedload|subqueryload|raiseload|lazy=['\"]selectinzNUse .options(selectinload(Model.relation)) for eager loading in async sessionszEK-004zDatabase connection refusedzconnection refused) connectionrefused5432)r[r\3306databasez EK-004-R1zHardcoded database host or portzPDatabase connection parameters hardcoded instead of using environment variables.z **/*.{py,ts,tsx,js,jsx,yml,yaml}zD(?:host|HOST)\s*[:=]\s*["'](?:localhost|127\.0\.0\.1|0\.0\.0\.0)["']zGos\.environ|getenv|process\.env|\.env|# default|# fallback|test|examplezRUse environment variables for database host/port to support different environmentsz EK-004-R2zHardcoded database portz0Database port hardcoded instead of configurable.z1(?:port|PORT)\s*[:=]\s*(?:5432|3306|27017|6379)\bz9Use environment variables for database port configurationzEK-005zNull/undefined property accesszcannot read propertiesnull undefinedzis not a functionbrowserz EK-005-R1zMissing optional chainingzNProperty access chains without optional chaining (?.) crash on null/undefined.z\w+\.\w+\.\w+(?!\s*[?])z4\?\.|&&|!=\s*null|!==\s*null|!==\s*undefined|if\s*\(zCUse optional chaining: obj?.prop?.nested instead of obj.prop.nestedz EK-005-R2z%Missing null guard before method callzBCalling methods on potentially null values without checking first.z=(?:getElementById|querySelector|find|get)\s*\([^)]*\)\s*\.\w+z\?\.|if\s*\(|&&|!==?\s*nullzRAdd null check or use optional chaining: element?.method() or if (element) { ... }zEK-006zReact hooks order violationzrendered fewer hooks)hooksorderzprevious renderreactz EK-006-R1zConditional hook callzRHooks called inside if/else, loops, or after early returns violate Rules of Hooks.z(?:if\s*\([^)]*\)\s*\{[^}]*(?:useState|useEffect|useMemo|useCallback|useRef|useContext)|return\s+[^;]*;\s*\n\s*(?:const|let)\s+\[?\w+[,\]]?\s*=\s*use\w+)z# conditional ok|eslint-disablezPMove all hooks to the top level of the component, before any conditional returnszEK-007zReact hydration mismatch hydration)serverclientmismatchz EK-007-R1zBrowser-only API in render pathzJUsing window/document/localStorage during SSR causes hydration mismatches.zx(?:window\.|document\.|localStorage\.|sessionStorage\.|navigator\.)(?!.*(?:useEffect|componentDidMount|typeof\s+window))zFuseEffect|componentDidMount|typeof\s+window|'use client'|# client onlyzSWrap browser APIs in useEffect or check typeof window !== 'undefined' before accesszEK-008zCORS policy violationcorszaccess-control-allow-originz EK-008-R1z(Permissive or missing CORS configurationzJWildcard CORS or missing CORS headers cause cross-origin request failures.zJConfigure CORS with specific allowed origins matching your frontend domainzEK-009zUnhandled promise rejection) unhandledpromise rejectionunhandledrejectionz EK-009-R1zAsync call without catch/awaitzNPromise-returning calls without .catch() or try/await silently swallow errors.z EK-009-R2z%Async event handler without try/catchzTAsync functions in event handlers without error handling cause unhandled rejections.z-Wrap async event handlers in try/catch blockszEK-011z!Container OOM kill (silent crash) oomkilledz exit code137)killedsignal9z out of memory)restartloop containerzempty reply from serverdockerz EK-011-R1z%Docker container memory limit too lowzNContainer mem_limit may be too low for the workload, causing silent OOM kills.zmem_limit:\s*\S+zCheck 'docker inspect --format {{.State.OOMKilled}}' to confirm. Bump mem_limit (2g+ for Node.js dev, 1g+ for Python APIs). Also run 'docker stats' to see peak memory usage.z EK-011-R2zNode.js heap limit not setzGNode.js may exceed container memory limit without --max-old-space-size.z/(?:node|next|npm|pnpm|yarn)\s+(?:dev|start|run)zmax-old-space-size|NODE_OPTIONSzXSet NODE_OPTIONS='--max-old-space-size=1536' to cap Node.js heap within container limitszEK-012z&dict.get() None value bypasses default)rUrVstripzhas no attributeloweruppersplitz EK-012-R1z7dict.get() with string default chained to string methodztd.get('key', '').strip() fails when key exists with None value. dict.get() only uses the default when key is ABSENT.zb\.get\(\s*["'][^"']+["']\s*,\s*["'][^"']*["']\s*\)\s*\.\s*(?:strip|lower|upper|split|replace)\s*\(uZUse (d.get('key') or '').strip() — the 'or' pattern handles both missing AND None valueszEK-010zPermission denied / EACCESeacceszpermission deniederrno13systemz EK-010-R1z+Hardcoded file path in restricted directoryzFWriting to system directories or paths requiring elevated permissions.z**/*.{py,ts,tsx,js,jsx,sh}zB(?:open|write|mkdir|chmod)\s*\([^)]*["']/(?:etc|usr|var|opt|root)/z)# root ok|# system|sudo|test|example|mockzZUse user-writable directories (e.g., /tmp, ~/.config, or $HOME) or check permissions firstz EK-010-R2z,Missing directory creation before file writezMWriting files without ensuring parent directories exist causes EACCES/ENOENT.z$(?:open|write_text|write_bytes)\s*\(zCmkdir|makedirs|exist_ok|Path.*parent.*mkdir|os\.path\.exists|ensurez^Call os.makedirs(dir, exist_ok=True) or Path.mkdir(parents=True, exist_ok=True) before writing KNOWLEDGEctjgdddt}|jj j dDcgc]*}|j st|j z ,c}Scc}w)N)gitdiffz--cachedz --name-onlyz--diff-filter=ACMRT)capture_outputtextcwd ) subprocessrunROOTstdoutrxr{)resultfs r"get_staged_filesrs[ ^^H$DF'-mm&9&9&;&A&A$&G U1779D1779  UU Us A=!A=c6t|j|Sr1)sortedrglob) glob_patternbases r" find_filesrs $**\* ++r!cn |jt}|j|S#t$rYywxYw)NF) relative_tor ValueErrormatch)filepathrrels r" matches_globrs<""4( 99\ "" s ( 44c t|}|jr|jD] }||vsgcS |jdd}g}|j d}t j |j}t|D]4\}} |j| sd|j| vsd| vr/|jrstd||jz } tt|||jzdz} dj!|| | } t j|j| r t|j#t$} |j)t+|j|j,|j.| |dz| j1dd |j2|j4 7|S#t$rgcYSwxYw#t&$rt|} YwxYw) Nutf-8replaceencodingerrorsrznoqa: z noqa: allrr5xr%r&r r'r(r)rr)rr read_textOSErrorr{recompiler enumeratesearchr rmaxrminlenjoinrrrappendr$r r rxrr)rrule filepath_strexclcontentfindingslinesregexir(startendcontextrel_paths r" scan_filersx=L && D|#  $$gi$HH MM$ E JJt|| $EU#4 << y!T)[D-@$$Aq4#5#556#e*a$*<*<&)rr rr rrgroupr{rrextendrrrr) r/ staged_onlyseverity_filter all_findingsfilesrr rule_filesrextexpandedrs r" scan_codebasersL "; t}}?   %*Nl1dnn.M!NJNJdnn$ .$..A${{1~33C8F#'>>.5;;=#AC#G$..Y^YbYbYdYeJf#f"))*Xt*DEF!!*T^^T"BC%  A."#a&03q6)3q6)3q6)CF*SV+ J # ;H    (D 9 : ;3;8 1O sG G6A$Gz!!!z!!!r4r?r<zzzzc 8|sygggd}|D] }||jj|"dt|ddg}dD]E}||}|s t|}t|}|jd|d|j dt|dt |jd |D]}|jd ||t d |jd|j|jd |jd |j|jd|j|jd|j|jr|jd|j|jdHdj|S)NzNo error patterns detected.ruERROR PATTERN DETECTOR — finding(s)<============================================================r[z] (----------------------------------------z z [z File: :z Code: z Fix: z Ref: r)r rrSEVERITY_ICONSSEVERITY_COLORSrzRESETr%r&r'r(r)rrr)r by_severityrrsevriconcolors r" format_textrBs ,B7K *AJJ&&q)* &c(m_K@ E)C  c"$ r%#))+bU KwOP X A LL2eWTF5'AII;b N O LL:affXQqvvh7 8 LL:affX. / LL:ajj\2 3zz z!**67 LL   99U r!ctj|Dcgc]]}|j|j|j|j |j |j|j|jd_c}dScc}w)Nrrindent) jsondumpsr%r&r r'r(r)rr)rrs r" format_jsonr_sq :: 99[[JJJJJJ    sA"A?c td|D}td|D}td|D}d|d|d|dt|d S) Nc3@K|]}|jdk(sdyw)r4r5Nr .0rs r" z!format_summary..ss;QajjF&:q;c3@K|]}|jdk(sdyw)r?r5Nrrs r"rz!format_summary..ts .us 9AQZZ5%8a 9rz Patterns: z high, z medium, z low (z total))sumr)rr4medr<s r"format_summaryrrsW ;(; ;D < < >99"7<<.17D nn55d; '',7l" # # ;GLL>C5Qzz # # #s1A9D3 M4!@ 3GLL>AYZzz #  & '!) Or!c$ttzS)zEBuilt-in PATTERNS + project-specific PROACTIVE_PATTERNS from plugins.)PATTERNSrr r!r"get_all_patternsrs -/ //r! error_textcg}t}tjd|D]X}|jdt |jd}}||f}||vs7|j ||j |Ztjd|D]o}|jd}t |jd}tjdd|}||f}||vsN|j ||j |qtjd|D]X}|jdt |jd}}||f}||vs7|j ||j |Ztjd|tjD]X}|jdt |jd}}||f}||vs7|j ||j |Z|S) zExtract file:line pairs from common stack trace formats. Supports: Python tracebacks, Node.js stack traces, browser console errors. Returns list of (filepath, line_number) tuples. z File\s+"([^"]+)",\s+line\s+(\d+)r5rz at\s+\S+\s+\(([^)]+):(\d+):\d+\)z^webpack:///\./rz(at\s+(/[^:]+|[a-zA-Z]:\\[^:]+):(\d+):\d+zF(?:^|\s)((?:/[\w._-]+)+\.(?:py|js|ts|tsx|jsx|go|rb|java|cs|php)):(\d+)) setrfinditerrraddrsub MULTILINE)rresultsseenrrlinenokeys r"parse_stack_tracer!s G 5D@*M  ;;q>3u{{1~+>&  d? HHSM NN3   @*M ;;q>U[[^$66,b(;  d? HHSM NN3  H*U  ;;q>3u{{1~+>&  d? HHSM NN3   QBLL !;;q>3u{{1~+>&  d? HHSM NN3   Nr! error_lowerentryctfd|jDry|jD]}tfd|Dsyy)zECheck if an error message matches an ErrorKnowledge entry's keywords.c3&K|]}|v ywr1r rkwr"s r"rz"_match_keywords..s 62  6Tc3&K|]}|v ywr1r r&s r"rz"_match_keywords..s3Rr[ 3r(F)allr,r-)r"r#alt_sets` r"_match_keywordsr,sE 6u~~ 66%% 373 3 r!rootcg}t}|j}t}g}|D] }t||s|j |"t |}|D]+}|j D]} |r|D]\} } t| js|| z n t| } | js@t| | jsWt| | D]L} | j| j| jf}||vs+|j!||j | Nt#| g}|D]L} | j| j| jf}||vs+|j!||j | N.|sg}t%j&d|D]"}|j |j)d$t%j&d|D]"}|j |j)d$t+}|r|D]\} } t| js|| z n t| } | js@|D]t} t| | jst| | D]L} | j| j| jf}||vs+|j!||j | Nv|ddD]N} t-j.dddd d d d |t1|g d d d}|j2j5j7dD]}|j5st|j5} | jr|D]} t| | jrjt| | D][} | j| j| jf}||vr"|j!||j | t9|dk\s[nt9|dk\snt9|dk\snt9|dk\sOn|ddS#t,j:t<f$rYswxYw)ajReactive error analysis. Feed an error message, get code pattern matches. 1. Match error against knowledge base keywords 2. If KB match: run associated scanning rules 3. Extract file:line from stack traces, check those files first 4. If no KB match: extract identifiers/quoted strings, grep codebase 5. Deduplicate and cap at 50 results z['"]([^'"]{3,60})['"]r5z2\b([A-Z][a-zA-Z0-9]+(?:Error|Exception|Warning))\bNrLgrepz-rnlz--include=*.pyz--include=*.tsz--include=*.tsxz--include=*.jsz--include=*.jsxTrB)rrtimeoutr2)rryr r,rr!r/r is_absoluteexistsrr rr'r(r%rrrrrrrrrrrxr{rTimeoutExpiredr)rr-r seen_keysr" knowledgematched_entriesr# stack_filesrr_linenorfindingr broader identifiersr all_patternsidentrr(s r" analyze_errorr?s.#%L+.5I""$K%&I-/O* ; .  " "5 )* $J/K!1KK 1D-8=)L':>|:L:X:X:Ztl2`deq`rH(\(DNN-S'04'@=G#*<<w"OC")3 ) c 2 , 3 3G < ==$TF+G" 1||W\\7??Ci'MM#& ''0  1 11, !# [[!=zJ /E   u{{1~ . /[[!VXbc /E   u{{1~ . /() )4 A% g6:<6H6T6T6V4,.\`am\n??$ ,A'$..A+4Xt+DA'.||W\\7??&S#&i#7$-MM#$6$0$7$7$@ AA A!!_ E #V%57G&(8:KCI'$(dB  #MM//177="Dzz|#' #5#??,(4 *#/$..#I3,8,?,?,H+.|+<+B,1 %2$'|#4#:$) *|,2!!"&< B&9 >   --w7  s,A'P*B*P*+P*=P*P**QQlog_pathc |jdd}t j dt j}g}|j|Dcgc]}|j}}|s|g}n^t|D]P\}} |dzt|kr||dzn t|} || | j} | s@|j| Rt j d t j} i} |D]h} | j| st j d d | }t j d d |}t j dd|}|dd}|| vsd| | |<ji}| j#D]0\}} t%| |}|s| j'dddd}|||<2|S#t$r*}td|tjicYd}~Sd}~wwxYwcc}w)zParse a log file for errors, deduplicate, analyze each unique one. Splits on common error boundaries (timestamps, 'ERROR', 'Traceback', etc.) Returns {error_signature: [findings]} rrrzError reading log file: rNz[^(?:\d{4}[-/]\d{2}[-/]\d{2}[\sT]\d{2}:\d{2}|(?:ERROR|CRITICAL|FATAL|Exception|Traceback)\b)r5z3(?:error|exception|traceback|failed|fatal|critical)z0x[0-9a-fA-F]+0xHEXz \b\d{4,}\bNUMzline \d+zline Nrrr)rrrrrrrrrrrrrxr IGNORECASErritemsr?r{)r@r-rr boundary_reblocksm positionsrposrblockerror_keywordsseen_signaturessigsig_keyrr display_keys r"analyze_log_filerRqs $$gi$H** ; K F$/$8$8$ABqBIB  * %FAs&'!ec)n&<)AE"#g,CC$**,E e$  %ZZ> N')O -$$U+ ff&7ff]E3/ff[(C0ds) / )',OG $ -)+G%++-, U - ++d+A.t4K#+GK , Nk  (.SZZ@ Cs#F%G% G.G GGc ddl}|jd}|jddd|jdgd d |jd dd |jddd|jddd|jdtdd|jdtdd|jddd|j }|j rt }t}tddddddd td!|D]5}t|jdd|jdd|j7td"t|d#ttd$t|d%y|jrt}tdddd&d'dd d(dd)td*|D]T}d+j!|j"}t|jdd|j$d'd|jd(d|Vtd"t|d,y|j&rt)|j&t*} |j,rtt/| n|j0rtt3| n}| rptd-t| d.td/|j&dd0t|j&d0kDrd1nd2d3td4tt5| n td5t7d6| Drd7SdS|j8rt;|j8} | j=std8| t>j@9y:tC| t*} |j,r| jED cic]o\} } | | D cgc]]} | jF| jH| j| jJ| jL| jN| jP| jRd;_c} q}} } } tt-jT|d:<n|j0rt| d?|d@n| rtWdA| jYD}tdBt| dC|dDtd4| jED]2\} } tdE| tdFtt5| 4n tdGt7dH| jYD}|rd7SdSt[t |j\|jI} |j,rtt/| n5|j0rtt3| ntt5| t7dJ| Drd7SdScc} wcc} } } w)KNrz&Scan codebase for known error patterns)r z--staged store_truezOnly scan staged files)actionhelpz --severityrzFilter by severity)choicesrVz--jsonz JSON outputz --summaryzOne-line summary onlyz --list-ruleszList all pattern rulesz --analyze ERROR_MSGzDReactive analysis: match an error message against the knowledge base)typemetavarrVz --analyze-logLOG_PATHz7Parse a log file for errors and analyze each unique onez--list-knowledgez>List all ErrorKnowledge entries (id, name, category, keywords)IDz<8 Sevz<7Namez<------------------------------------------------------------rz pattern rules registered (z built-in + z from error_knowledge/ plugins).Categoryz<12z<45Keywordszd----------------------------------------------------------------------------------------------------z, z knowledge entries loaded.uREACTIVE ANALYSIS — z finding(s) for error:z "dz...r"rz0No code patterns matched for this error message.c3:K|]}|jdk(ywr4Nrrs r"rzmain..s? f,?r5zError: Log file not found: rrrrc32K|]}t|ywr1rrfss r"rzmain..s;BB;zLog analysis: z unique errors, z total findingsc32K|]}t|ywr1rhris r"rzmain..s?CG?rkuLOG ANALYSIS — z unique error(s), rz Error: rz)No actionable patterns found in log file.c3HK|]}|D]}|jdk(ywrer)rrjrs r"rzmain.. s0 %'R @AAJJ&   s ")rrc3:K|]}|jdk(ywrerrs r"rzmain..s;QAJJ&(;rf)/argparseArgumentParser add_argumentr parse_args list_rulesrrrr r r rrlist_knowledger rr,r.analyzer?rrrsummaryrrany analyze_logrr3rrrRrFr%r&r'r(r)rrrrvaluesrstaged)roparserargs all_rules proactiverr6ekkw_strrr@rrOrjson_outtotalhas_highs r"mainrsU  $ $1Y $ ZF  <>VW  .GNbc MJ  L?VW |BZ[  #{ce c:VX *<]_    D $& +-  b 5*AfX./ h 9A QTT"IQqzz"oQqvvh7 8 9 3y>"#h- S^,<<\^ _ (*  b :c*!F3""<=> || t4 99 +h' ( \\ .* +.s8}o=STUT\\$3/0#dll:Kc:QWY0ZZ\]^hk(+,HI?h??qFQF (() /z: L"8T2 99&-]]_  "C &   $%991;;$%JJ !AJJAJJ H  $**Xa0 1 \\;'..*:;;E N3w<.0@W X?gnn.>??)#g,7I%P[\]h%,]]_1MCIcU+,(O+h/01 AB +2>>+;  q#!#-/T[[Z^ZgZghH yy k(#$  nX&' k(#$;(;;1BBO s* W%7A"W W% W%__main__)FN)1rrrrr dataclassesrrpathlibrrrparentsrrr$r+rrrrrrrrrrrrrrrrr r rrrtuplerr!boolr,r?dictrRrrexitr r!r"rse4  ( H~''*  6 6  6        # #  #&R   )Npecg R    -NKHH !R 8  !g!/G 9R R  %^'1g: SR n  'le] . oR F  )_`HnI GR b  -b(89^U cR ~  4c([9IC R d  1e()NdU eR @  0d*KRD AR \  o/7MG ]R x  .i4Xk) yR T  *f"K0eC UR p  -k(jgjC qR L  +k?XKQ MR h  )bIEfQ iR D  6h+ArRZ ER `  4h(BDSC aR |  +nrPn9 }R `  'hr@hA aR x  /i(QGaP yR T   'j(>GZC U R p   #\cIV8 q R H   Z$,P) I R d   %]I@`8 e R @   ZmVSa A R \   0VoJR7 ] R x   "kk[f8 y R T   +abkWQ U R p   -b(1K_U q R L   -c(8E_C M R h   0_vC]8 i R @  +`(<.eC AR \  4bNHY8 ]R t  0b(`HYC uR P  1^-[\6 QR h  .^(=[JC iR D  3fJ[gK ER \  ;d()\hL ]R B  *w#:FU%& CR ^  1qDNY8 _R v  9q({NYC wR R  1l8B_8 SR n  0kdXX9 oR R  5p.5E] SR l  =m.&Ip mR F  8g.+9m GR `  7ULES%v. aR D  3t"08\ ER ^  ,e"$EU _R x  .c#+Dq%v. yR T  :f#97J%v. UR p  /v# FM%v. qR T  >umNq8 UR l  %_(_HaC mR H  8{gL]6 IR `  &g(HDTC aR D  >n&:d ER ^  @h@Sf _R x  +e%A~ yR R  ,eFAG SR t  2kGDp8 uR L  :k(ODpC MR h  3`mQlA iR D  &`>5j &) ER `  _G7P aR z  8bUHNq {R Z  Ah(I-c [R t  8\1DOui uR T  >U"@;em UR t  <oV8ep uR T  :V1)6l UR z  aN JMe4{R x   &'($o(9':; 9g#6j   (  +"J/"F+, Af!#=!Hi  9]#a!8k  B  ;#$"G,- Mo#x!ei   ,  *&'79Z[ 6n!<c!km  .N3P!kT  B  -*F3 %{ 3 ! & !  0l!02!X^  <`!0X!?m  "J  *();< ,p*u!Ck   ,  '67 6h!0T!jn   ,  $456 ?h!3w!Re   ,  *6+,- 5l!0c!AQ  <r!0J!LH  B  0 % %   , & '   <l9+M  1e!*J!Cs  $N  58 + ,  !  !  !   NS#Bu   4  )*+gt_= Bd!6a!Mu  Ck#?!gy  o V# 4 Vz V,#(V$V 4<%JO:&U#6 d>2 *.4$;-80$0 /#/$uS#X*?/d  ^  fcff$w-fR=t=4=Dd7m9K4L=HdCN z CHHTVr!