@elytrasec/engine 0.3.1 → 0.3.2

package/dist/index.d.ts

@@ -218,6 +218,23 @@ declare const ReviewResultSchema: z.ZodObject<{
             deducted: number;
         }>>;
     }>>;
+    /** keyed by "${ruleId}:${filePath}:${startLine}" — only present when runPoc=true */
+    pocs: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
+        status: z.ZodEnum<["confirmed", "not-exploitable", "generated", "error"]>;
+        pocCode: z.ZodString;
+        output: z.ZodString;
+        rpcUrl: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        status: "confirmed" | "not-exploitable" | "generated" | "error";
+        pocCode: string;
+        output: string;
+        rpcUrl?: string | undefined;
+    }, {
+        status: "confirmed" | "not-exploitable" | "generated" | "error";
+        pocCode: string;
+        output: string;
+        rpcUrl?: string | undefined;
+    }>>>;
 }, "strip", z.ZodTypeAny, {
     findings: {
         severity: "critical" | "high" | "medium" | "low" | "info";
@@ -244,6 +261,12 @@ declare const ReviewResultSchema: z.ZodObject<{
             deducted: number;
         }>>;
     } | undefined;
+    pocs?: Record<string, {
+        status: "confirmed" | "not-exploitable" | "generated" | "error";
+        pocCode: string;
+        output: string;
+        rpcUrl?: string | undefined;
+    }> | undefined;
 }, {
     findings: {
         severity: "critical" | "high" | "medium" | "low" | "info";
@@ -270,6 +293,12 @@ declare const ReviewResultSchema: z.ZodObject<{
             deducted: number;
         }>>;
     } | undefined;
+    pocs?: Record<string, {
+        status: "confirmed" | "not-exploitable" | "generated" | "error";
+        pocCode: string;
+        output: string;
+        rpcUrl?: string | undefined;
+    }> | undefined;
 }>;
 type ReviewResult = z.infer<typeof ReviewResultSchema>;
 
@@ -1213,6 +1242,14 @@ interface AnalyzeParams {
     skipStatic?: boolean;
     /** AI concurrency limit. Defaults to AI_CONCURRENCY env var or 3. */
     aiConcurrency?: number;
+    /**
+     * Run agentic PoC generation on critical/high Solidity findings.
+     * Requires an AI provider. If forge is installed, attempts to confirm
+     * exploitability by running the generated test against Anvil.
+     */
+    runPoc?: boolean;
+    /** Optional RPC URL for forked Anvil PoC execution (e.g. Base/mainnet). */
+    pocRpcUrl?: string;
 }
 /**
  * Deduplicate findings by (filePath, startLine, ruleId).

package/dist/index.js

@@ -251,10 +251,18 @@ var SecurityScoreSchema = z.object({
     z.object({ count: z.number(), deducted: z.number() })
   )
 });
+var PocResultSchema = z.object({
+  status: z.enum(["confirmed", "not-exploitable", "generated", "error"]),
+  pocCode: z.string(),
+  output: z.string(),
+  rpcUrl: z.string().optional()
+});
 var ReviewResultSchema = z.object({
   findings: z.array(FindingSchema),
   summary: z.string(),
-  score: SecurityScoreSchema.optional()
+  score: SecurityScoreSchema.optional(),
+  /** keyed by "${ruleId}:${filePath}:${startLine}" — only present when runPoc=true */
+  pocs: z.record(PocResultSchema).optional()
 });
 
 // src/logger.ts
@@ -5124,6 +5132,175 @@ var patternScannerRunner = {
   }
 };
 
+// src/ai/poc-generator.ts
+import { execFile as execFile4 } from "child_process";
+import { writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
+import { promisify as promisify4 } from "util";
+import { tmpdir } from "os";
+import { join } from "path";
+import { randomBytes } from "crypto";
+var exec4 = promisify4(execFile4);
+var SYSTEM_PROMPT = `You are an expert smart contract security researcher who writes Foundry (forge) exploit tests to demonstrate vulnerabilities.
+
+Given a security finding and the vulnerable contract source code, write a minimal Foundry test that:
+1. Deploys the vulnerable contract (or a minimal reproduction of the vulnerable pattern)
+2. Demonstrates the exploit in a test function named test_exploit()
+3. Uses vm.expectRevert() or assertions to show the vulnerability is real
+4. Includes a brief comment explaining the attack vector
+
+Rules:
+- Use Solidity ^0.8.20 and Foundry's Test base
+- Import only from forge-std (available: Test, console, Vm, StdCheats)
+- If the contract needs an RPC fork (e.g. for on-chain state), emit a // @fork-required comment on line 1
+- Keep it minimal \u2014 prove the bug, nothing else
+- Return ONLY valid Solidity, no markdown fences, no explanation outside comments
+
+Format:
+\`\`\`solidity
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.20;
+
+import "forge-std/Test.sol";
+
+contract ExploitTest is Test {
+    // ...setup...
+
+    function test_exploit() public {
+        // ...exploit...
+    }
+}
+\`\`\``;
+function buildUserMessage(finding, contractSource) {
+  return `## Vulnerability Finding
+
+Rule ID: ${finding.ruleId}
+Title: ${finding.title}
+Severity: ${finding.severity}
+File: ${finding.filePath} (lines ${finding.startLine}\u2013${finding.endLine})
+Description: ${finding.description}
+
+Vulnerable code snippet:
+\`\`\`solidity
+${finding.codeSnippet}
+\`\`\`
+
+Fix suggestion: ${finding.suggestion}
+
+## Full Contract Source
+
+\`\`\`solidity
+${contractSource}
+\`\`\`
+
+Write the Foundry exploit test now.`;
+}
+function extractSolidity(text) {
+  const fenceMatch = text.match(/```(?:solidity)?\s*([\s\S]*?)```/);
+  if (fenceMatch) return fenceMatch[1].trim();
+  return text.trim();
+}
+async function forgeAvailable() {
+  try {
+    await exec4("forge", ["--version"], { timeout: 5e3 });
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function runForgeTest(pocCode, rpcUrl) {
+  const id = randomBytes(6).toString("hex");
+  const dir = join(tmpdir(), `elytra-poc-${id}`);
+  const srcDir = join(dir, "src");
+  const testDir = join(dir, "test");
+  const libDir = join(dir, "lib");
+  try {
+    await mkdir2(srcDir, { recursive: true });
+    await mkdir2(testDir, { recursive: true });
+    await mkdir2(libDir, { recursive: true });
+    await writeFile2(
+      join(dir, "foundry.toml"),
+      `[profile.default]
+src = "src"
+out = "out"
+libs = ["lib"]
+`
+    );
+    const testFile = join(testDir, "Exploit.t.sol");
+    await writeFile2(testFile, pocCode);
+    const args = ["test", "--match-contract", "ExploitTest", "--no-match-coverage", "-vv"];
+    if (rpcUrl) {
+      args.push("--fork-url", rpcUrl);
+    }
+    const { stdout, stderr } = await exec4("forge", args, {
+      cwd: dir,
+      timeout: 6e4,
+      env: { ...process.env, FOUNDRY_PROFILE: "default" }
+    });
+    const output = [stdout, stderr].filter(Boolean).join("\n");
+    const passed = output.includes("PASS") || output.includes("ok");
+    return { success: passed, output };
+  } catch (err) {
+    const output = err.stdout ?? err.stderr ?? String(err);
+    return { success: false, output };
+  } finally {
+    exec4("rm", ["-rf", dir]).catch(() => {
+    });
+  }
+}
+var PocGenerator = class {
+  provider;
+  constructor(provider) {
+    this.provider = provider;
+  }
+  async generate(finding, contractSource, rpcUrl) {
+    if (finding.category !== "solidity" && !finding.ruleId.startsWith("cp-sol")) {
+      return {
+        status: "error",
+        pocCode: "",
+        output: "PoC generation only supported for Solidity findings"
+      };
+    }
+    let pocCode = "";
+    try {
+      const response = await this.provider.complete({
+        messages: [
+          { role: "system", content: SYSTEM_PROMPT },
+          { role: "user", content: buildUserMessage(finding, contractSource) }
+        ],
+        maxTokens: 4096
+      });
+      pocCode = extractSolidity(response.text);
+      if (!pocCode) {
+        return { status: "error", pocCode: "", output: "AI returned empty response" };
+      }
+    } catch (err) {
+      logger.error(`PocGenerator: AI call failed: ${err}`);
+      return { status: "error", pocCode: "", output: String(err) };
+    }
+    const hasForge = await forgeAvailable();
+    if (!hasForge) {
+      logger.info("PocGenerator: forge not available, returning generated code only");
+      return {
+        status: "generated",
+        pocCode,
+        output: "forge not installed \u2014 PoC generated but not executed",
+        rpcUrl
+      };
+    }
+    const forkRequired = pocCode.includes("@fork-required");
+    const { success, output } = await runForgeTest(
+      pocCode,
+      forkRequired ? rpcUrl : void 0
+    );
+    return {
+      status: success ? "confirmed" : "not-exploitable",
+      pocCode,
+      output,
+      rpcUrl: forkRequired ? rpcUrl : void 0
+    };
+  }
+};
+
 // src/analyzer.ts
 var SEVERITY_ORDER2 = {
   critical: 0,
@@ -5228,7 +5405,9 @@ async function analyze(params) {
     repoPath,
     staticOnly = false,
     skipStatic = false,
-    aiConcurrency
+    aiConcurrency,
+    runPoc = false,
+    pocRpcUrl
   } = params;
   const parsed = parseDiff(diff);
   if (parsed.files.length === 0) {
@@ -5346,7 +5525,38 @@ async function analyze(params) {
   const enriched = enrichFindings(sorted);
   const score = computeScore(enriched, parsed.files.length);
   const summary = buildSummary(enriched, parsed.files.length, staticResult?.toolsRan);
-  return { findings: enriched, summary, score };
+  let pocs;
+  if (runPoc && (provider || apiKey)) {
+    const pocProvider = provider ?? {
+      name: "anthropic-poc",
+      async complete(p) {
+        const { AnthropicProvider: AnthropicProvider2 } = await import("./anthropic-PRRF4E3I.js");
+        return new AnthropicProvider2(apiKey).complete(p);
+      }
+    };
+    const pocGen = new PocGenerator(pocProvider);
+    const solFindings = enriched.filter(
+      (f) => (f.severity === "critical" || f.severity === "high") && (f.category === "solidity" || f.ruleId.startsWith("cp-sol"))
+    );
+    const fileContents = /* @__PURE__ */ new Map();
+    for (const file of parsed.files) {
+      fileContents.set(file.path, reconstructContent(file));
+    }
+    pocs = {};
+    await Promise.all(
+      solFindings.map(async (finding) => {
+        const src = fileContents.get(finding.filePath) ?? finding.codeSnippet;
+        const key = `${finding.ruleId}:${finding.filePath}:${finding.startLine}`;
+        try {
+          pocs[key] = await pocGen.generate(finding, src, pocRpcUrl);
+        } catch (err) {
+          logger.error(`[analyzer] PoC generation failed for ${key}: ${err}`);
+          pocs[key] = { status: "error", pocCode: "", output: String(err) };
+        }
+      })
+    );
+  }
+  return { findings: enriched, summary, score, ...pocs ? { pocs } : {} };
 }
 function enrichFindings(findings) {
   return findings.map((f) => {
@@ -5482,12 +5692,12 @@ function formatStaticFindingsForAI(rawFindings) {
 import { rm as rm2 } from "fs/promises";
 
 // src/upgrade/ingest.ts
-import { execFile as execFile4 } from "child_process";
-import { promisify as promisify4 } from "util";
+import { execFile as execFile5 } from "child_process";
+import { promisify as promisify5 } from "util";
 import { readdir, stat, readFile as readFile2, mkdtemp } from "fs/promises";
 import path4 from "path";
 import os2 from "os";
-var exec4 = promisify4(execFile4);
+var exec5 = promisify5(execFile5);
 var EXT_TO_LANG = {
   ".ts": "typescript",
   ".tsx": "typescript",
@@ -5708,7 +5918,7 @@ async function ingestRepo(repoUrl, branch) {
   if (branch) {
     cloneArgs.splice(2, 0, "--branch", branch);
   }
-  await exec4("git", cloneArgs, {
+  await exec5("git", cloneArgs, {
     timeout: 12e4,
     maxBuffer: 200 * 1024 * 1024
   });
@@ -5770,11 +5980,11 @@ async function readRepoFiles(repoPath, filePaths, maxTotalSize = 5e5) {
 }
 
 // src/upgrade/deps.ts
-import { execFile as execFile5 } from "child_process";
-import { promisify as promisify5 } from "util";
+import { execFile as execFile6 } from "child_process";
+import { promisify as promisify6 } from "util";
 import { readFile as readFile3, access } from "fs/promises";
 import path5 from "path";
-var exec5 = promisify5(execFile5);
+var exec6 = promisify6(execFile6);
 var DEPRECATED_REPLACEMENTS = {
   "moment": "dayjs or date-fns",
   "request": "node-fetch or axios or undici",
@@ -5828,7 +6038,7 @@ async function analyzeNodeDeps(repoPath) {
   let vulnerableCount = 0;
   let auditResults = {};
   try {
-    const { stdout } = await exec5("npm", ["audit", "--json"], {
+    const { stdout } = await exec6("npm", ["audit", "--json"], {
       cwd: repoPath,
       timeout: 6e4,
       maxBuffer: 20 * 1024 * 1024
@@ -5853,7 +6063,7 @@ async function analyzeNodeDeps(repoPath) {
   }
   let outdatedResults = {};
   try {
-    const { stdout } = await exec5("npm", ["outdated", "--json"], {
+    const { stdout } = await exec6("npm", ["outdated", "--json"], {
       cwd: repoPath,
       timeout: 3e4,
       maxBuffer: 10 * 1024 * 1024
@@ -5913,7 +6123,7 @@ async function analyzeRustDeps(repoPath) {
   const deps = [];
   let vulnerableCount = 0;
   try {
-    const { stdout } = await exec5("cargo", ["audit", "--json"], {
+    const { stdout } = await exec6("cargo", ["audit", "--json"], {
       cwd: repoPath,
       timeout: 6e4,
       maxBuffer: 20 * 1024 * 1024
@@ -5971,7 +6181,7 @@ async function analyzePythonDeps(repoPath) {
   const deps = [];
   let vulnerableCount = 0;
   try {
-    const { stdout } = await exec5(
+    const { stdout } = await exec6(
       "pip-audit",
       ["-r", path5.join(repoPath, "requirements.txt"), "--format", "json"],
       { cwd: repoPath, timeout: 6e4, maxBuffer: 20 * 1024 * 1024 }
@@ -6053,10 +6263,10 @@ async function analyzeDependencies(repoPath, ecosystems) {
 }
 
 // src/upgrade/audit.ts
-import { execFile as execFile6 } from "child_process";
-import { promisify as promisify6 } from "util";
+import { execFile as execFile7 } from "child_process";
+import { promisify as promisify7 } from "util";
 import path6 from "path";
-var exec6 = promisify6(execFile6);
+var exec7 = promisify7(execFile7);
 async function runSlitherFullScan(repoPath, solFiles) {
   if (solFiles.length === 0) return [];
   const IMPACT_MAP2 = {
@@ -6069,7 +6279,7 @@ async function runSlitherFullScan(repoPath, solFiles) {
   try {
     let stdout;
     try {
-      const result = await exec6("slither", [repoPath, "--json", "-", "--no-fail"], {
+      const result = await exec7("slither", [repoPath, "--json", "-", "--no-fail"], {
         timeout: 18e4,
         maxBuffer: 50 * 1024 * 1024,
         cwd: repoPath
@@ -6110,7 +6320,7 @@ async function runSemgrepFullScan(repoPath) {
   try {
     let stdout;
     try {
-      const result = await exec6(
+      const result = await exec7(
         "semgrep",
         ["--config", "p/security-audit", "--json", "--timeout", "30", repoPath],
         { timeout: 18e4, maxBuffer: 50 * 1024 * 1024, cwd: repoPath }
@@ -6141,7 +6351,7 @@ async function runGitleaksFullScan(repoPath) {
   try {
     let stdout;
     try {
-      const result = await exec6(
+      const result = await exec7(
         "gitleaks",
         ["detect", "--source", repoPath, "--report-format", "json", "--report-path", "/dev/stdout", "--no-git", "--no-banner"],
         { timeout: 6e4, maxBuffer: 20 * 1024 * 1024, cwd: repoPath }
@@ -6967,7 +7177,7 @@ async function rewriteFiles(params) {
 
 // src/config.ts
 import { readFileSync, existsSync } from "fs";
-import { resolve, join } from "path";
+import { resolve, join as join2 } from "path";
 import yaml from "js-yaml";
 import { z as z3 } from "zod";
 var DEFAULT_CONFIG = {
@@ -7010,7 +7220,7 @@ function levenshtein(a, b) {
   return dp[m][n];
 }
 function loadConfig(dir) {
-  const configPath = resolve(join(dir, ".elytra.yml"));
+  const configPath = resolve(join2(dir, ".elytra.yml"));
   if (!existsSync(configPath)) return null;
   let raw;
   try {
@@ -7105,7 +7315,7 @@ function filterByConfig(findings, config) {
 
 // src/harden/harden.ts
 import { readFileSync as readFileSync2, writeFileSync, existsSync as existsSync2, readdirSync, statSync } from "fs";
-import { join as join2, relative } from "path";
+import { join as join3, relative } from "path";
 function readJson(filePath) {
   try {
     return JSON.parse(readFileSync2(filePath, "utf-8"));
@@ -7124,7 +7334,7 @@ function walkFiles(dir, exts, maxDepth = 6, depth = 0) {
   }
   for (const entry of entries) {
     if (entry === "node_modules" || entry === ".git" || entry === "dist" || entry === ".next") continue;
-    const full = join2(dir, entry);
+    const full = join3(dir, entry);
     let stat2;
     try {
       stat2 = statSync(full);
@@ -7171,7 +7381,7 @@ function checkHelmet(projectPath, sourceFiles, frameworks) {
   if (!frameworks.includes("express")) return null;
   const helmetFile = anyFileContains(sourceFiles, /\bhelmet\s*\(/);
   if (helmetFile) return null;
-  const pkgJson = readJson(join2(projectPath, "package.json"));
+  const pkgJson = readJson(join3(projectPath, "package.json"));
   const deps = {
     ...pkgJson?.dependencies ?? {},
     ...pkgJson?.devDependencies ?? {}
@@ -7312,9 +7522,9 @@ app.use(cors({
   return null;
 }
 function checkEnvLeakage(projectPath) {
-  const gitignorePath = join2(projectPath, ".gitignore");
+  const gitignorePath = join3(projectPath, ".gitignore");
   if (!existsSync2(gitignorePath)) {
-    const hasEnvFile = existsSync2(join2(projectPath, ".env")) || existsSync2(join2(projectPath, ".env.local"));
+    const hasEnvFile = existsSync2(join3(projectPath, ".env")) || existsSync2(join3(projectPath, ".env.local"));
     if (!hasEnvFile) return null;
     return {
       id: "harden-env-no-gitignore",
@@ -7333,7 +7543,7 @@ function checkEnvLeakage(projectPath) {
     const gitignore = readFileSync2(gitignorePath, "utf-8");
     const hasEnvRule = /^\.env$/m.test(gitignore) || /^\.env\.\*$/m.test(gitignore) || /^\.env\*$/m.test(gitignore) || /^\.env\.local$/m.test(gitignore);
     if (hasEnvRule) return null;
-    const hasEnvFile = existsSync2(join2(projectPath, ".env")) || existsSync2(join2(projectPath, ".env.local")) || existsSync2(join2(projectPath, ".env.production"));
+    const hasEnvFile = existsSync2(join3(projectPath, ".env")) || existsSync2(join3(projectPath, ".env.local")) || existsSync2(join3(projectPath, ".env.production"));
     if (!hasEnvFile) return null;
     return {
       id: "harden-env-not-gitignored",
@@ -7441,7 +7651,7 @@ res.cookie("token", value, {
   };
 }
 function checkTsStrict(projectPath) {
-  const tsconfigPath = join2(projectPath, "tsconfig.json");
+  const tsconfigPath = join3(projectPath, "tsconfig.json");
   if (!existsSync2(tsconfigPath)) return null;
   const tsconfig = readJson(tsconfigPath);
   if (!tsconfig) return null;
@@ -7461,7 +7671,7 @@ function checkTsStrict(projectPath) {
 function applyHardenFix(projectPath, suggestion) {
   if (!suggestion.autoFixable) return false;
   if (suggestion.id === "harden-ts-no-strict") {
-    const tsconfigPath = join2(projectPath, "tsconfig.json");
+    const tsconfigPath = join3(projectPath, "tsconfig.json");
     const tsconfig = readJson(tsconfigPath);
     if (!tsconfig) return false;
     const compilerOptions = tsconfig.compilerOptions ?? {};
@@ -7477,7 +7687,7 @@ function applyHardenFix(projectPath, suggestion) {
   return false;
 }
 function runHarden(projectPath) {
-  const pkgJsonPath = join2(projectPath, "package.json");
+  const pkgJsonPath = join3(projectPath, "package.json");
   const pkgJson = readJson(pkgJsonPath);
   if (!pkgJson) {
     return { suggestions: [], projectPath, frameworksDetected: [] };
@@ -7588,7 +7798,7 @@ Respond with a valid JSON object:
 // src/full-scan-discovery.ts
 import { execSync } from "child_process";
 import { readdirSync as readdirSync2, statSync as statSync2 } from "fs";
-import { join as join3, relative as relative2, extname } from "path";
+import { join as join4, relative as relative2, extname } from "path";
 var SOURCE_EXTENSIONS = /* @__PURE__ */ new Set([
   ".ts",
   ".tsx",
@@ -7717,7 +7927,7 @@ function discoverViaGit(targetPath, maxFileSizeKB) {
   for (const line of raw.split("\n")) {
     const rel = line.trim();
     if (!rel || !isSourceFile(rel)) continue;
-    const abs = join3(targetPath, rel);
+    const abs = join4(targetPath, rel);
     try {
       const stat2 = statSync2(abs);
       if (!stat2.isFile()) continue;
@@ -7749,9 +7959,9 @@ function discoverViaWalk(targetPath, maxFileSizeKB) {
       if (entry.isDirectory()) {
         if (SKIP_DIRS.has(entry.name)) continue;
         if (entry.name.startsWith(".") && !ALLOWED_HIDDEN_DIRS.has(entry.name)) continue;
-        walk(join3(dir, entry.name));
+        walk(join4(dir, entry.name));
       } else if (entry.isFile()) {
-        const abs = join3(dir, entry.name);
+        const abs = join4(dir, entry.name);
         const rel = relative2(targetPath, abs);
         if (!isSourceFile(rel)) continue;
         try {
@@ -8023,175 +8233,6 @@ function buildSummary2(findings, fileCount, toolsRan) {
   }
   return summary;
 }
-
-// src/ai/poc-generator.ts
-import { execFile as execFile7 } from "child_process";
-import { writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
-import { promisify as promisify7 } from "util";
-import { tmpdir } from "os";
-import { join as join4 } from "path";
-import { randomBytes } from "crypto";
-var exec7 = promisify7(execFile7);
-var SYSTEM_PROMPT = `You are an expert smart contract security researcher who writes Foundry (forge) exploit tests to demonstrate vulnerabilities.
-
-Given a security finding and the vulnerable contract source code, write a minimal Foundry test that:
-1. Deploys the vulnerable contract (or a minimal reproduction of the vulnerable pattern)
-2. Demonstrates the exploit in a test function named test_exploit()
-3. Uses vm.expectRevert() or assertions to show the vulnerability is real
-4. Includes a brief comment explaining the attack vector
-
-Rules:
-- Use Solidity ^0.8.20 and Foundry's Test base
-- Import only from forge-std (available: Test, console, Vm, StdCheats)
-- If the contract needs an RPC fork (e.g. for on-chain state), emit a // @fork-required comment on line 1
-- Keep it minimal \u2014 prove the bug, nothing else
-- Return ONLY valid Solidity, no markdown fences, no explanation outside comments
-
-Format:
-\`\`\`solidity
-// SPDX-License-Identifier: MIT
-pragma solidity ^0.8.20;
-
-import "forge-std/Test.sol";
-
-contract ExploitTest is Test {
-    // ...setup...
-
-    function test_exploit() public {
-        // ...exploit...
-    }
-}
-\`\`\``;
-function buildUserMessage(finding, contractSource) {
-  return `## Vulnerability Finding
-
-Rule ID: ${finding.ruleId}
-Title: ${finding.title}
-Severity: ${finding.severity}
-File: ${finding.filePath} (lines ${finding.startLine}\u2013${finding.endLine})
-Description: ${finding.description}
-
-Vulnerable code snippet:
-\`\`\`solidity
-${finding.codeSnippet}
-\`\`\`
-
-Fix suggestion: ${finding.suggestion}
-
-## Full Contract Source
-
-\`\`\`solidity
-${contractSource}
-\`\`\`
-
-Write the Foundry exploit test now.`;
-}
-function extractSolidity(text) {
-  const fenceMatch = text.match(/```(?:solidity)?\s*([\s\S]*?)```/);
-  if (fenceMatch) return fenceMatch[1].trim();
-  return text.trim();
-}
-async function forgeAvailable() {
-  try {
-    await exec7("forge", ["--version"], { timeout: 5e3 });
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function runForgeTest(pocCode, rpcUrl) {
-  const id = randomBytes(6).toString("hex");
-  const dir = join4(tmpdir(), `elytra-poc-${id}`);
-  const srcDir = join4(dir, "src");
-  const testDir = join4(dir, "test");
-  const libDir = join4(dir, "lib");
-  try {
-    await mkdir2(srcDir, { recursive: true });
-    await mkdir2(testDir, { recursive: true });
-    await mkdir2(libDir, { recursive: true });
-    await writeFile2(
-      join4(dir, "foundry.toml"),
-      `[profile.default]
-src = "src"
-out = "out"
-libs = ["lib"]
-`
-    );
-    const testFile = join4(testDir, "Exploit.t.sol");
-    await writeFile2(testFile, pocCode);
-    const args = ["test", "--match-contract", "ExploitTest", "--no-match-coverage", "-vv"];
-    if (rpcUrl) {
-      args.push("--fork-url", rpcUrl);
-    }
-    const { stdout, stderr } = await exec7("forge", args, {
-      cwd: dir,
-      timeout: 6e4,
-      env: { ...process.env, FOUNDRY_PROFILE: "default" }
-    });
-    const output = [stdout, stderr].filter(Boolean).join("\n");
-    const passed = output.includes("PASS") || output.includes("ok");
-    return { success: passed, output };
-  } catch (err) {
-    const output = err.stdout ?? err.stderr ?? String(err);
-    return { success: false, output };
-  } finally {
-    exec7("rm", ["-rf", dir]).catch(() => {
-    });
-  }
-}
-var PocGenerator = class {
-  provider;
-  constructor(provider) {
-    this.provider = provider;
-  }
-  async generate(finding, contractSource, rpcUrl) {
-    if (finding.category !== "solidity" && !finding.ruleId.startsWith("cp-sol")) {
-      return {
-        status: "error",
-        pocCode: "",
-        output: "PoC generation only supported for Solidity findings"
-      };
-    }
-    let pocCode = "";
-    try {
-      const response = await this.provider.complete({
-        messages: [
-          { role: "system", content: SYSTEM_PROMPT },
-          { role: "user", content: buildUserMessage(finding, contractSource) }
-        ],
-        maxTokens: 4096
-      });
-      pocCode = extractSolidity(response.text);
-      if (!pocCode) {
-        return { status: "error", pocCode: "", output: "AI returned empty response" };
-      }
-    } catch (err) {
-      logger.error(`PocGenerator: AI call failed: ${err}`);
-      return { status: "error", pocCode: "", output: String(err) };
-    }
-    const hasForge = await forgeAvailable();
-    if (!hasForge) {
-      logger.info("PocGenerator: forge not available, returning generated code only");
-      return {
-        status: "generated",
-        pocCode,
-        output: "forge not installed \u2014 PoC generated but not executed",
-        rpcUrl
-      };
-    }
-    const forkRequired = pocCode.includes("@fork-required");
-    const { success, output } = await runForgeTest(
-      pocCode,
-      forkRequired ? rpcUrl : void 0
-    );
-    return {
-      status: success ? "confirmed" : "not-exploitable",
-      pocCode,
-      output,
-      rpcUrl: forkRequired ? rpcUrl : void 0
-    };
-  }
-};
 export {
   AIClient,
   AnthropicProvider,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elytrasec/engine",
-  "version": "0.3.1",
+  "version": "0.3.2",
   "description": "Core analysis engine for Elytra — 120+ detection rules, static + AI scanning, scoring",
   "license": "MIT",
   "author": "ElytraSec <hello@elytrasec.io>",