1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
//! Parsing for the `WEVT_TEMPLATE` resource payload (CRIM/WEVT/...).
//!
//! This module is a Rust port of the libyal/libfwevt "Windows Event manifest binary format"
//! documentation and aligns with the reference C implementation.
//!
//! Primary references:
//! - libfwevt: `documentation/Windows Event manifest binary format.asciidoc`
//! - MS-EVEN6: BinXml name hashing/layout and token grammar
//!
//! Design goals:
//! - Deterministic parsing (no signature scanning).
//! - Strict bounds/sanity checks; offsets are validated relative to the CRIM blob.
//! - Preserve unknown fields as raw integers/bytes (do not guess semantics).
//! - Provide stable join keys: provider GUID + event (id/version/...) + template offset.
//!
//! Note: libfwevt's map parsing is marked TODO; we parse VMAP per spec and keep unknown map
//! types as raw bytes.
//!
//! This module is split into:
//! - `types`: a typed view of the manifest structures (kept stable for downstream join/render code)
//! - `parse`: spec-backed parsing and bounds validation
//! - `error`: a small error enum that makes failures actionable in tests/tooling
//!
//! References:
//! - `docs/wevt_templates.md` (project notes + curated links)
//! - libfwevt manifest spec doc (CRIM/WEVT/EVNT/TTBL/TEMP)
//! - MS-EVEN6 (BinXml grammar notes used by template rendering)
pub use WevtManifestError;
pub use *;