@elytrasec/engine 0.3.1 → 0.4.0

package/dist/index.d.ts

@@ -218,6 +218,23 @@ declare const ReviewResultSchema: z.ZodObject<{
             deducted: number;
         }>>;
     }>>;
+    /** keyed by "${ruleId}:${filePath}:${startLine}" — only present when runPoc=true */
+    pocs: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
+        status: z.ZodEnum<["confirmed", "not-exploitable", "generated", "error"]>;
+        pocCode: z.ZodString;
+        output: z.ZodString;
+        rpcUrl: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        status: "confirmed" | "not-exploitable" | "generated" | "error";
+        pocCode: string;
+        output: string;
+        rpcUrl?: string | undefined;
+    }, {
+        status: "confirmed" | "not-exploitable" | "generated" | "error";
+        pocCode: string;
+        output: string;
+        rpcUrl?: string | undefined;
+    }>>>;
 }, "strip", z.ZodTypeAny, {
     findings: {
         severity: "critical" | "high" | "medium" | "low" | "info";
@@ -244,6 +261,12 @@ declare const ReviewResultSchema: z.ZodObject<{
             deducted: number;
         }>>;
     } | undefined;
+    pocs?: Record<string, {
+        status: "confirmed" | "not-exploitable" | "generated" | "error";
+        pocCode: string;
+        output: string;
+        rpcUrl?: string | undefined;
+    }> | undefined;
 }, {
     findings: {
         severity: "critical" | "high" | "medium" | "low" | "info";
@@ -270,6 +293,12 @@ declare const ReviewResultSchema: z.ZodObject<{
             deducted: number;
         }>>;
     } | undefined;
+    pocs?: Record<string, {
+        status: "confirmed" | "not-exploitable" | "generated" | "error";
+        pocCode: string;
+        output: string;
+        rpcUrl?: string | undefined;
+    }> | undefined;
 }>;
 type ReviewResult = z.infer<typeof ReviewResultSchema>;
 
@@ -1213,6 +1242,14 @@ interface AnalyzeParams {
     skipStatic?: boolean;
     /** AI concurrency limit. Defaults to AI_CONCURRENCY env var or 3. */
     aiConcurrency?: number;
+    /**
+     * Run agentic PoC generation on critical/high Solidity findings.
+     * Requires an AI provider. If forge is installed, attempts to confirm
+     * exploitability by running the generated test against Anvil.
+     */
+    runPoc?: boolean;
+    /** Optional RPC URL for forked Anvil PoC execution (e.g. Base/mainnet). */
+    pocRpcUrl?: string;
 }
 /**
  * Deduplicate findings by (filePath, startLine, ruleId).

package/dist/index.js

@@ -251,10 +251,18 @@ var SecurityScoreSchema = z.object({
     z.object({ count: z.number(), deducted: z.number() })
   )
 });
+var PocResultSchema = z.object({
+  status: z.enum(["confirmed", "not-exploitable", "generated", "error"]),
+  pocCode: z.string(),
+  output: z.string(),
+  rpcUrl: z.string().optional()
+});
 var ReviewResultSchema = z.object({
   findings: z.array(FindingSchema),
   summary: z.string(),
-  score: SecurityScoreSchema.optional()
+  score: SecurityScoreSchema.optional(),
+  /** keyed by "${ruleId}:${filePath}:${startLine}" — only present when runPoc=true */
+  pocs: z.record(PocResultSchema).optional()
 });
 
 // src/logger.ts
@@ -2949,12 +2957,43 @@ var securityRules = [
     title: "Hardcoded secret or credential",
     description: "A string that looks like a password, API key, or token is hardcoded in source code.",
     suggestion: "Move the secret to an environment variable or a secrets manager. Rotate the exposed credential immediately.",
-    pattern: /(?:password|secret|api_key|apikey|api_secret|token|auth_token|private_key|client_secret)\s*[:=]\s*["'](?!changeme|password|your-|<|TODO|xxx|test|example|placeholder|REPLACE)[^"']{8,}["']/i,
+    // `token` removed from the keyword list — too ambiguous in crypto context (tokenAddress,
+    // token0, token1, tokenContract, tokenFactory all match and are public addresses, not secrets).
+    // `auth_token`, `accessToken`, `bearerToken`, `jwt_token` etc. remain via specific patterns below.
+    pattern: /(?:password|secret|apikey|api_key|api_secret|auth[_-]?token|access[_-]?token|bearer[_-]?token|jwt[_-]?secret|private[_-]?key|client_secret)\s*[:=]\s*["'](?!changeme|password|your-|<|TODO|xxx|test|example|placeholder|REPLACE|0x[0-9a-fA-F]{40}["'])[^"']{8,}["']/i,
     severity: "critical",
     category: "security",
     confidence: "medium",
     languages: ALL
   },
+  {
+    // Crypto-native: a raw 32-byte (64-hex) value assigned to a *private*-key-shaped name.
+    // Wallet/contract addresses (40 hex) are public — never flag those.
+    // Hashes / UIDs / merkle roots (64 hex) on a `*Hash`, `*Uid`, `*Root` LHS are public — don't flag.
+    // Only flag when the LHS specifically suggests a SIGNING KEY.
+    id: "cp-sec-private-key-hex",
+    title: "Hardcoded EVM private key",
+    description: "A 64-character hex value is assigned to a variable whose name implies it's a signing key. If real, this is a wallet private key \u2014 anyone who reads the source can drain the wallet.",
+    suggestion: "Move to an environment variable, KMS, or hardware wallet immediately. Rotate the key (transfer all assets to a new wallet and never use this key again).",
+    pattern: /\b(?:private[_-]?key|signing[_-]?key|wallet[_-]?key|signer[_-]?key|deployer[_-]?key|mnemonic[_-]?seed|raw[_-]?key|eas_private_key|x402_wallet_key)\s*[:=]\s*["']?0x[0-9a-fA-F]{64}["']?/i,
+    severity: "critical",
+    category: "security",
+    confidence: "high",
+    languages: ALL
+  },
+  {
+    // BIP-39 seed phrase — 12 or 24 lowercase English words in a row.
+    // Any leak of these = full wallet compromise. Targets the common assignment pattern.
+    id: "cp-sec-mnemonic-phrase",
+    title: "Hardcoded BIP-39 mnemonic / seed phrase",
+    description: "A string with 12 or 24 lowercase words looks like a BIP-39 mnemonic. A leaked seed phrase compromises the entire HD wallet and every account derived from it.",
+    suggestion: "Never store mnemonics in source. Use a secure secret manager. If exposed, immediately transfer all assets out of every derived account, never reuse the seed.",
+    pattern: /(?:mnemonic|seed[_-]?phrase|secret[_-]?phrase|backup[_-]?phrase)\s*[:=]\s*["'](?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}["']/i,
+    severity: "critical",
+    category: "security",
+    confidence: "high",
+    languages: ALL
+  },
   {
     id: "cp-sec-hardcoded-ip",
     title: "Hardcoded IP address",
@@ -3301,13 +3340,13 @@ var securityRules = [
 var solidityRules2 = [
   {
     id: "cp-sol-reentrancy",
-    title: "Potential reentrancy \u2014 external call before state update",
-    description: "An external call (call, send, transfer) appears before a state variable assignment. An attacker contract can re-enter before state is updated.",
-    suggestion: "Follow the checks-effects-interactions pattern: update state before making external calls. Consider using ReentrancyGuard.",
-    pattern: /\.(?:call|send|transfer)\s*[\({]/,
-    severity: "critical",
+    title: "Potential reentrancy \u2014 review external call sequencing",
+    description: "An external call via `.call{value:...}` is present. The classic reentrancy pattern requires the call to occur BEFORE a state update \u2014 a same-line regex can't verify the order across multiple lines, so this is flagged for manual or AI review. `.send` and `.transfer` are intentionally not flagged because their 2300-gas stipend prevents reentrancy except in pathological cases (post-EIP-1884 gas changes).",
+    suggestion: "Follow checks-effects-interactions: update state before external calls. Or use OpenZeppelin's ReentrancyGuard. Confirm by reading the surrounding function or running AI deep-review.",
+    pattern: /\.call\s*\{(?:[^}]*value[^}]*)?\}/,
+    severity: "high",
     category: "security",
-    confidence: "medium",
+    confidence: "low",
     languages: SOL
   },
   {
@@ -3391,12 +3430,12 @@ var solidityRules2 = [
   {
     id: "cp-sol-assembly",
     title: "Inline assembly usage",
-    description: "Inline assembly bypasses Solidity's safety checks (overflow, type-safety). Bugs are easy to introduce and hard to audit.",
-    suggestion: "Use Solidity builtins where possible. If assembly is required, document it thoroughly and add extensive tests.",
+    description: "Inline assembly bypasses Solidity's safety checks. Routine in production DeFi for gas optimization (transient storage, packed structs, math) \u2014 flagged informationally so reviewers can verify the assembly block is justified.",
+    suggestion: "Confirm the assembly block is necessary and audited. Document the storage slots / opcodes used.",
     pattern: /\bassembly\s*\{/,
-    severity: "medium",
-    category: "security",
-    confidence: "high",
+    severity: "info",
+    category: "solidity",
+    confidence: "low",
     languages: SOL
   },
   {
@@ -3413,11 +3452,11 @@ var solidityRules2 = [
   {
     id: "cp-sol-unchecked-math",
     title: "Unchecked arithmetic block",
-    description: "The `unchecked` block disables overflow/underflow checks. This is dangerous unless you have proven the values cannot overflow.",
-    suggestion: "Only use unchecked blocks when overflow is mathematically impossible. Add comments explaining the safety invariant.",
+    description: "`unchecked` disables Solidity 0.8+ overflow checks. Usually intentional for gas savings on loop counters and proven-safe math, but worth confirming each block has a documented invariant.",
+    suggestion: "Add a comment explaining why overflow is impossible in this block. Consider whether the gas savings justify the risk.",
     pattern: /unchecked\s*\{/,
-    severity: "medium",
-    category: "security",
+    severity: "low",
+    category: "solidity",
     confidence: "low",
     languages: SOL
   },
@@ -3447,25 +3486,25 @@ var solidityRules2 = [
   {
     id: "cp-sol-storage-collision",
     title: "delegatecall with state variables \u2014 storage collision risk",
-    description: "Using delegatecall in a contract with state variables can cause storage layout collisions with the implementation contract.",
+    description: "Using delegatecall in a contract with state variables can cause storage layout collisions with the implementation contract. Common in proxy patterns where it's intentional \u2014 verify EIP-1967 storage slots are used. High false-positive rate on standard proxy implementations.",
     suggestion: "Use EIP-1967 proxy pattern with standardized storage slots, or ensure identical storage layouts.",
     pattern: /delegatecall\s*\(/,
     multilinePattern: /(?:uint|int|address|mapping|bytes|string|bool)\s+(?:public|private|internal)?\s*\w+[\s\S]{0,2000}delegatecall\s*\(/g,
-    severity: "high",
+    severity: "medium",
     category: "security",
-    confidence: "medium",
+    confidence: "low",
     languages: SOL
   },
   {
     id: "cp-sol-missing-event",
     title: "State change without event emission",
-    description: "State-changing functions should emit events for off-chain indexing and transparency.",
-    suggestion: "Add an event emission after state changes for important variables.",
+    description: "State-changing functions should emit events for off-chain indexing. Best practice for indexers and UI, not a security vulnerability \u2014 flagged informationally.",
+    suggestion: "Add an event emission after state changes if downstream indexers / UI need to track them.",
     pattern: /(?!)/,
     // never matches per-line; use multiline only
     multilinePattern: /function\s+\w+\s*\([^)]*\)\s*(?:external|public)[^{]*\{(?:(?!emit\s)[\s\S]){1,500}\w+\s*=[^=]/g,
-    severity: "medium",
-    category: "security",
+    severity: "info",
+    category: "quality",
     confidence: "low",
     languages: SOL
   }
@@ -4607,12 +4646,12 @@ var eip7702Rules = [
   {
     id: "cp-sol-7702-unguarded-init",
     title: "EIP-7702 delegation: unguarded initializer",
-    description: "Contracts used as EIP-7702 delegation targets must guard initializers \u2014 constructors don't run on delegated EOAs. An unguarded `initialize()` can be front-run, letting an attacker take ownership of the delegated account.",
-    suggestion: "Add an `initializer` modifier (OpenZeppelin) or an `initialized` flag checked at the top of every init function. Ensure no init path is callable twice.",
+    description: "Contracts intended as EIP-7702 delegation targets must guard initializers \u2014 constructors don't run on delegated EOAs. An unguarded `initialize()` can be front-run, letting an attacker take ownership. The pattern also matches generic proxy initializers, which usually ARE guarded (just not by an `initializer` keyword on the same line), so confirm whether this contract is actually a 7702 target before treating as critical.",
+    suggestion: "If this is a 7702 delegation target: add `initializer` modifier (OpenZeppelin) or a boolean guard. For regular proxies, confirm the initializer is gated by the proxy factory.",
     pattern: /function\s+initialize\s*\([^)]*\)\s*(?:external|public)(?!\s+\w*[Ii]nitializer)/,
-    severity: "critical",
+    severity: "high",
     category: "solidity",
-    confidence: "medium",
+    confidence: "low",
     languages: SOL
   },
   {
@@ -4709,9 +4748,337 @@ var uniswapV4Rules = [
     languages: SOL
   }
 ];
+var hackReplayRules = [
+  /* ── Curve Finance ($73M, July 2023) ────────────────────────── */
+  /*  Root cause: Vyper compiler versions 0.2.15, 0.2.16, 0.3.0    */
+  /*  generated broken reentrancy locks — the malloc-style storage  */
+  /*  slot for the lock was not reused correctly across functions. */
+  {
+    id: "cp-hack-curve-vyper-version",
+    title: "Curve hack pattern \u2014 Vyper compiler version with broken reentrancy lock",
+    description: "This file declares Vyper 0.2.15, 0.2.16, or 0.3.0 \u2014 the exact compiler versions that mis-generated reentrancy locks and enabled the July 2023 Curve Finance exploit ($73M across multiple pools). The bug is in the compiler, not your source code: any @nonreentrant guard in these versions is silently bypassable.",
+    suggestion: "Upgrade to Vyper >= 0.3.1 (lock fix landed in 0.3.1) and redeploy any affected pools. If you cannot redeploy, pause all reentrancy-sensitive functions and migrate liquidity.",
+    pattern: /#\s*@version\s+0\.(?:2\.1[56]|3\.0)(?:\s|$)/,
+    severity: "critical",
+    category: "hack-replay",
+    confidence: "high",
+    languages: [".vy"]
+  },
+  /* ── Euler Finance ($197M, March 2023) ──────────────────────── */
+  /*  Root cause: donateToReserves() allowed an attacker to push    */
+  /*  their own account into an artificially unhealthy state,       */
+  /*  then self-liquidate at a discount via the liquidation flow.   */
+  {
+    id: "cp-hack-euler-donate-self-liquidation",
+    title: "Euler hack pattern \u2014 donate function reachable from liquidation path",
+    description: "A donate/donateTo* function in a lending or vault context can be weaponized to artificially worsen the caller's health factor, then trigger self-liquidation at a profit. This is the exact vector that drained $197M from Euler Finance in March 2023.",
+    suggestion: "Either remove the donate function, or (a) require donations to come from accounts with no active borrows, (b) recompute health AFTER the donation as if the donated assets remained the donor's, and (c) prevent same-block liquidation of the donor.",
+    pattern: /function\s+donate[A-Za-z]*\s*\(/,
+    severity: "high",
+    category: "hack-replay",
+    confidence: "medium",
+    languages: SOL
+  },
+  /* ── Radiant Capital ($53M, October 2024) ───────────────────── */
+  /*  Root cause: 3-of-11 multisig members signed a malicious      */
+  /*  transferOwnership tx (their UI was tampered by malware).      */
+  /*  A two-step transferOwnership + timelock would have given the */
+  /*  team a chance to notice and abort.                            */
+  {
+    id: "cp-hack-radiant-immediate-ownership-transfer",
+    title: "Radiant hack pattern \u2014 single-step ownership transfer (no Ownable2Step)",
+    description: "transferOwnership is implemented as a single-call function \u2014 the new owner takes effect immediately. This is the same pattern the Radiant Capital ($53M, Oct 2024) attackers exploited after compromising a multisig signer's UI: ownership flipped before anyone could react. A two-step or timelocked pattern would have created a defensive window.",
+    suggestion: "Inherit from OpenZeppelin Ownable2Step (requires acceptOwnership from the new owner) AND gate it behind a timelock for production deployments. Never let a single signature transfer ownership atomically.",
+    pattern: /function\s+transferOwnership\s*\(\s*address\s+\w+\s*\)\s*(?:public|external)(?![\s\S]{0,400}?(?:pendingOwner|_pendingOwner|acceptOwnership|Ownable2Step|timelock|Timelock|TimelockController))/,
+    severity: "high",
+    category: "hack-replay",
+    confidence: "medium",
+    languages: SOL
+  },
+  /* ── zkSync Airdrop ($5M, April 2025) ───────────────────────── */
+  /*  Root cause: sweepUnclaimed() admin-only function with no      */
+  /*  timelock or multisig gate — when the admin key was            */
+  /*  compromised, attacker minted 111M ZK in a single tx.          */
+  /*  Pattern targets the unambiguous red-flag names. We do NOT     */
+  /*  flag plain `mint` since regular token contracts use it with   */
+  /*  proper guards — single-line regex can't verify a timelock     */
+  /*  check on the next line, so we stay conservative.              */
+  {
+    id: "cp-hack-zksync-admin-sweep-no-timelock",
+    title: "zkSync hack pattern \u2014 admin-only sweep/drain/rescue function",
+    description: "An admin-gated function with a name like sweep*, drain*, rescue*, emergencyWithdraw*, forceMint*, adminMint* is the exact category of function the zkSync airdrop attacker exploited (April 2025, $5M loss). Even with a timelock check inside, these functions are high-value targets \u2014 a compromised admin key bypasses everything. The pattern is reviewed manually because a same-line regex cannot verify whether a timelock guard is enforced.",
+    suggestion: "Audit this function carefully: (a) is it gated by a TimelockController contract address check, not just an onlyOwner modifier? (b) is the action bounded (max amount per call, per epoch)? (c) is there an N-of-M multisig requirement at the modifier level? If any answer is no, add it before mainnet.",
+    pattern: /function\s+(?:sweep[A-Za-z]*|drain[A-Za-z]*|rescue[A-Za-z]*|emergencyWithdraw[A-Za-z]*|forceMint[A-Za-z]*|adminMint[A-Za-z]*)\s*\([^)]*\)\s*(?:external|public)/,
+    severity: "high",
+    category: "hack-replay",
+    confidence: "medium",
+    languages: SOL
+  },
+  /* ── Bybit ($1.46B, February 2025) ──────────────────────────── */
+  /*  Root cause: Safe{Wallet}'s frontend bundle on S3 was modified */
+  /*  to display a legit tx while signing a malicious one to        */
+  /*  hardware wallets. This is a CI/CD + frontend integrity issue. */
+  {
+    id: "cp-hack-bybit-unpinned-action-checkout",
+    title: "Bybit hack pattern \u2014 unpinned GitHub Action handling deploy/release",
+    description: "A workflow that deploys frontend bundles or release artifacts uses a third-party action pinned to a mutable ref (@main, @master, or a version tag instead of a commit SHA). This is the supply-chain vector behind the $1.46B Bybit hack (Feb 2025): the deploy pipeline trusts a moving target. An attacker that compromises the action's repo can swap your build output.",
+    suggestion: "Pin every third-party action to a full 40-char commit SHA (e.g. `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`). Use Dependabot or Renovate to keep SHAs up to date with review.",
+    pattern: /uses:\s+(?!actions\/)[^\s]+@(?:main|master|v\d+(?:\.\d+)*)\s*$/m,
+    severity: "high",
+    category: "hack-replay",
+    confidence: "medium",
+    languages: [],
+    pathPattern: /\.github\/workflows\/.*\.ya?ml$/
+  },
+  /* ── Beanstalk ($182M, April 2022) ──────────────────────────── */
+  /*  Root cause: governance proposal could call arbitrary code in   */
+  /*  the same transaction it was submitted/voted-on, with voting   */
+  /*  power based on token balance at proposal time. Attacker flash- */
+  /*  loaned BEAN, voted YES on a self-draining proposal, executed  */
+  /*  immediately. No timelock between vote and execution.          */
+  {
+    id: "cp-hack-beanstalk-instant-governance",
+    title: "Beanstalk hack pattern \u2014 governance execute() with no timelock between vote and call",
+    description: "A governance contract exposes an execute() / executeProposal() / propose() function callable in the same block as voting. This is the exact $182M Beanstalk vector (April 2022): an attacker flash-loaned the governance token, voted yes on a self-draining proposal, and called execute() in the same transaction. A timelock between successful vote and execution would have made the flash-loan economically pointless.",
+    suggestion: "Add a queue/execute split: successful proposals enter a TimelockController with a minimum delay (24-48h is standard). Require execute() to verify block.timestamp >= queuedAt + delay. Never let voting power, proposal acceptance, and code execution happen atomically.",
+    pattern: /function\s+(?:execute(?:Proposal)?|propose(?:AndExecute)?)\s*\([^)]*\)\s*(?:external|public)(?:\s+payable)?(?:\s+returns)?[^{]*\{(?![\s\S]{0,600}?(?:timelock|Timelock|TimelockController|queued|block\.timestamp\s*[><]=?\s*\w+\s*\+))/,
+    severity: "critical",
+    category: "hack-replay",
+    confidence: "low",
+    languages: SOL
+  },
+  /* ── Multichain ($126M, July 2023) ──────────────────────────── */
+  /*  Root cause: bridge admin private keys controlled by a single  */
+  /*  person (CEO). When that person was detained, funds were       */
+  /*  withdrawn from MPC-controlled addresses. Single key controls  */
+  /*  bridge withdraw / unlock = single point of failure.            */
+  {
+    id: "cp-hack-multichain-single-admin-bridge",
+    title: "Multichain hack pattern \u2014 bridge withdraw/unlock gated by single owner role",
+    description: "A bridge function (withdraw, unlock, releaseTo, claim, mintBridged) is gated only by onlyOwner or a single-address admin check. This was the structural failure behind the $126M Multichain collapse (July 2023): the CEO's MPC key controlled bridge outflows, and when he was detained, attackers (or insiders) drained the bridge. Bridge withdraw functions are the highest-value attack surface in crypto and must be multi-party.",
+    suggestion: "Require a multi-sig (Safe / Gnosis), a multi-party MPC (TSS), or an N-of-M validator set before any bridge outflow. Never let a single private key sign a withdraw of bridged assets. Add per-asset and per-block outflow caps as a defense-in-depth limit.",
+    pattern: /function\s+(?:withdraw|unlock|releaseTo|releaseFor|claim|mintBridged|bridgeOut|relayOut)\s*\([^)]*\)\s*(?:external|public)\s+(?:onlyOwner|onlyAdmin|onlyMPC)(?![\s\S]{0,200}?(?:multisig|Multisig|threshold|N_OF_M|validators|attestors))/,
+    severity: "critical",
+    category: "hack-replay",
+    confidence: "medium",
+    languages: SOL
+  },
+  /* ── Ronin Bridge ($625M, March 2022) ───────────────────────── */
+  /*  Root cause: 5-of-9 validator set with 4 validators run by    */
+  /*  Sky Mavis + 1 by Axie DAO. Attacker compromised the 4 Sky    */
+  /*  Mavis keys and the Axie DAO had previously granted Sky Mavis */
+  /*  signing rights "temporarily" but never revoked → 5/9 reached. */
+  /*  Detection: low signature threshold relative to validator set. */
+  {
+    id: "cp-hack-ronin-low-validator-threshold",
+    title: "Ronin hack pattern \u2014 bridge validator threshold \u2264 5/9 or hardcoded low quorum",
+    description: "A bridge contract uses a hardcoded signature threshold of 4, 5, or 6 \u2014 the same range that allowed the $625M Ronin bridge hack (March 2022). Sky Mavis ran 4 of 9 validators; combined with one improperly-revoked delegated key, the attacker hit the 5/9 threshold from a single team's compromise. A higher threshold (7-of-9, 8-of-11) makes single-team compromise insufficient.",
+    suggestion: "Audit your validator threshold against the social/operational concentration of validator operators. Aim for \u2265 70% threshold (e.g. 7-of-9, 11-of-15). Periodically rotate delegated signing rights and verify revocations actually happen. Set up monitoring for validator-set changes.",
+    pattern: /(?:signatureThreshold|requiredSignatures|threshold|quorum|VALIDATOR_THRESHOLD)\s*[=:]\s*(?:uint(?:8|16|32|256)\s*\(\s*)?[4-6]\b/i,
+    severity: "high",
+    category: "hack-replay",
+    confidence: "low",
+    languages: SOL
+  },
+  /* ── Cream Finance ($130M, October 2021) ────────────────────── */
+  /*  Root cause: oracle manipulated via flash-loaned yUSD vault    */
+  /*  shares. Collateral price computed from spot share supply,     */
+  /*  inflatable via flash loan → borrow against inflated value →   */
+  /*  drain. Detection: spot-balance arithmetic in pricing without  */
+  /*  TWAP / Chainlink fallback.                                    */
+  {
+    id: "cp-hack-cream-spot-share-pricing",
+    title: "Cream hack pattern \u2014 collateral price computed from spot vault share supply",
+    description: "A function computes a token/share price by dividing total assets by spot totalSupply (or balanceOf this). The $130M Cream hack (Oct 2021) exploited exactly this on yUSDVault: flash-loan inflated the share supply during a single tx, the price oracle read the manipulated value, and the attacker borrowed massively against fictitious collateral. Spot supply/balance ratios are flash-loan-attackable.",
+    suggestion: "Use Chainlink price feeds with staleness checks, a TWAP from a deep Uniswap V3 pool, or external collateral-pricing oracles. Never compute price from same-block totalSupply or balanceOf.",
+    pattern: /(?:totalSupply|balanceOf)\s*\([^)]*\)\s*[*/]\s*\w+|\w+\s*[*/]\s*(?:totalSupply|balanceOf)\s*\(/,
+    severity: "high",
+    category: "hack-replay",
+    confidence: "low",
+    languages: SOL
+  },
+  /* ── Wormhole ($325M, February 2022) ────────────────────────── */
+  /*  Root cause: signature verification path used a stub guardian  */
+  /*  set lookup that didn't validate the set hash. Attacker forged */
+  /*  a guardian signature against an empty set, which the contract */
+  /*  accepted because the set comparison was wrong. Detection:     */
+  /*  ecrecover or signature-set membership without strict hash      */
+  /*  equality of the validator set.                                */
+  {
+    id: "cp-hack-wormhole-unchecked-signature-set",
+    title: "Wormhole hack pattern \u2014 guardian/validator signature accepted without strict set verification",
+    description: "A function verifies a signature against a validator/guardian set but does not strictly check that the set hash matches the expected current set (or compares against a default/empty value). The $325M Wormhole hack (Feb 2022) exploited a stub `verify_signatures` path that accepted forged signatures because the validator set comparison was missing/insecure. ecrecover-based signature schemes need every validator set rotation tracked by an explicit hash check.",
+    suggestion: "Verify the signed message includes a strict hash of the current validator set. Reject signatures where the recovered signer is not in the active set. Never use `default!()` or zero-initialized guardian arrays in signature paths.",
+    pattern: /(?:ecrecover|recover)\s*\([\s\S]{0,400}?\)(?![\s\S]{0,300}?(?:guardianSet|validatorSet|currentSetHash|setHash|require\s*\([^)]*==\s*expected))/,
+    severity: "critical",
+    category: "hack-replay",
+    confidence: "low",
+    languages: SOL
+  },
+  /* ── Nomad Bridge ($190M, August 2022) ──────────────────────── */
+  /*  Root cause: an upgrade initialized the trusted-root mapping   */
+  /*  with 0x00. Any message with a 0-bytes proof became 'proven'. */
+  /*  Anyone could replay arbitrary messages against the bridge.    */
+  /*  Detection: trusted-root / merkle-root mapping reads or writes */
+  /*  that don't reject zero values.                                */
+  {
+    id: "cp-hack-nomad-zero-root-acceptance",
+    title: "Nomad hack pattern \u2014 trusted/merkle root lookup accepts zero hash as valid",
+    description: "A function reads a value from a merkle-root or trusted-root mapping and treats any non-revert response as valid, including the zero default. The $190M Nomad bridge hack (Aug 2022) was caused by an upgrade that initialized the root mapping to zero \u2014 every message proof of zero became 'valid', and the entire bridge was drained by 300+ copy-paste attackers within hours.",
+    suggestion: "Always `require(root != bytes32(0))` before treating a stored root/hash as a valid proof anchor. Apply the same check to any zero-value default in upgrade-initialized storage.",
+    pattern: /(?:roots|messages|acceptableRoot|trustedRoot|merkleRoot)\s*\[[^\]]+\]\s*(?:==\s*(?:true|0x01)|!=\s*0x00\b)(?!\s*&&\s*\w+\s*!=\s*(?:bytes32\(0\)|0x0+))/,
+    severity: "critical",
+    category: "hack-replay",
+    confidence: "low",
+    languages: SOL
+  },
+  /* ── Mango Markets ($114M, October 2022) ────────────────────── */
+  /*  Root cause: oracle was a thinly-traded spot AMM price.        */
+  /*  Attacker pumped MNGO token via CEX wash trades, then borrowed */
+  /*  $114M against inflated collateral. Detection: pricing pulled  */
+  /*  from a single low-liquidity source with no sanity bounds.     */
+  {
+    id: "cp-hack-mango-single-source-oracle",
+    title: "Mango hack pattern \u2014 oracle uses single price source without bounds",
+    description: "A pricing function reads from a single oracle source (one Uniswap pool, one CEX feed, one Chainlink aggregator) without sanity bounds or a secondary source. The $114M Mango Markets hack (Oct 2022) was a textbook oracle-manipulation attack: the attacker pumped MNGO price ~10\xD7 via CEX trades, the oracle dutifully reported it, and Mango let them borrow $114M against the now-inflated collateral.",
+    suggestion: "Use at least two independent oracle sources for any collateral pricing. Apply a circuit breaker (max % change per block, deviation from TWAP). For long-tail tokens, cap borrowable collateral or require multi-source confirmation.",
+    // Tightened: require the call to appear in a function whose name implies
+    // lending / collateral / liquidation context (the actual hack surface).
+    // Plain DEX pool internals like Uniswap getReserves are not at risk.
+    pattern: /function\s+(?:borrow\w*|liquidat\w*|isHealthy|collateralValue|getAccountHealth|maxBorrow|withdrawCollateral|getBorrowable)[\s\S]{0,600}?\b(?:getPrice|latestAnswer|peek|read)\s*\((?![\s\S]{0,400}?(?:twap|TWAP|deviation|maxDeviation|stalenessThreshold|secondaryPrice|sanity))/,
+    severity: "medium",
+    category: "hack-replay",
+    confidence: "low",
+    languages: SOL
+  }
+];
+var rugSurfaceRules = [
+  {
+    id: "cp-rug-owner-can-mint",
+    title: "Owner can mint tokens",
+    description: "A mint function is gated by onlyOwner (or similar single-address modifier). Owner can dilute holders at will. Verify whether this is intentional (e.g. emissions schedule) or unrestricted.",
+    suggestion: "Hard-cap max supply, route mints through a timelock + multisig, or renounce ownership after initial mint.",
+    pattern: /function\s+(?:_?mint|mintTo|airdrop)\s*\([^)]*\)\s*(?:external|public)\s+(?:onlyOwner|onlyAdmin|onlyMinter)/,
+    severity: "high",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-owner-can-pause",
+    title: "Owner can pause transfers",
+    description: "Owner can call _pause() or set a paused flag \u2014 halting all transfers. Useful for emergencies, dangerous if the owner is an EOA without timelock.",
+    suggestion: "Move pause behind multisig + timelock. Document expected pause scenarios. Consider auto-unpause after N blocks.",
+    pattern: /function\s+(?:pause|setPaused|_pause|emergencyPause)\s*\([^)]*\)\s*(?:external|public)\s+(?:onlyOwner|onlyAdmin)/,
+    severity: "medium",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-owner-can-blacklist",
+    title: "Owner can blacklist addresses",
+    description: "Owner can prevent specific addresses from transferring. Honeypot pattern when combined with no transfer-tax limit or a hidden blacklist mapping.",
+    suggestion: "Either remove the blacklist entirely (rely on protocol-level sanctions), or gate it behind a multisig + timelock with public allowlist process.",
+    pattern: /(?:blacklist|denylist|isBlocked|blocked)\s*\[\s*\w+\s*\]\s*=\s*(?:true|1)|function\s+(?:blacklist|setBlacklist|addToBlacklist|block(?:Address|User|Account))\s*\(/i,
+    severity: "high",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-owner-can-change-fees",
+    title: "Owner can change transfer fees",
+    description: "A setFee / updateFee / setTax function gated by onlyOwner. Owner can spike fees to 99% effectively stopping trading.",
+    suggestion: "Cap maximum fee in the contract (e.g. require new fee <= 10%). Combine with a timelock so changes are observable in advance.",
+    pattern: /function\s+(?:setFee|setTax|setBuyFee|setSellFee|setTransferFee|updateFee|updateTax|setFees)\s*\([^)]*\)\s*(?:external|public)\s+(?:onlyOwner|onlyAdmin)/i,
+    severity: "high",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-owner-can-change-router",
+    title: "Owner can swap router or pair",
+    description: "A setRouter / setPair / setSwapRouter function gated by onlyOwner. Owner can redirect liquidity to an attacker-controlled router and drain trades.",
+    suggestion: "Make router / pair immutable. If upgrades are needed, gate behind multisig + 7-day timelock with clear public announcement.",
+    pattern: /function\s+(?:setRouter|setPair|setSwapRouter|updateRouter|setUniswapRouter|setSwapPair)\s*\([^)]*\)\s*(?:external|public)\s+(?:onlyOwner|onlyAdmin)/i,
+    severity: "high",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-owner-can-sweep",
+    title: "Owner can sweep ETH or ERC20 from contract",
+    description: 'Owner can call a sweep / rescue / withdraw / recover function that drains arbitrary tokens or ETH from the contract. Often labelled "rescue stuck funds" \u2014 but the same path drains user-owned balances.',
+    suggestion: "Restrict to specific tokens that should never be in the contract. Exclude the protocol's own LP token / treasury. Behind multisig + timelock.",
+    pattern: /function\s+(?:rescueTokens|rescueERC20|sweepTokens|sweep|sweepERC20|recoverTokens|recoverERC20|withdrawStuck|withdrawTokens|emergencyWithdraw|emergencyRescue)\s*\([^)]*\)\s*(?:external|public)\s+(?:onlyOwner|onlyAdmin)/i,
+    severity: "critical",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-owner-can-upgrade",
+    title: "Proxy upgrade gated by single owner",
+    description: "An _upgradeTo / upgradeTo function is callable by onlyOwner (UUPS pattern). The implementation contract can be swapped to attacker code unilaterally.",
+    suggestion: "Route upgrades through a TimelockController owned by a multisig. Publish the new implementation address before the timelock expires.",
+    pattern: /function\s+(?:_upgradeTo|upgradeTo|upgradeToAndCall|_authorizeUpgrade)\s*\([^)]*\)\s*(?:external|public|internal|virtual\s+override)?(?:[^{]*?)(?:onlyOwner|onlyAdmin)/,
+    severity: "high",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-role-self-grant",
+    title: "Role admin can grant itself any role",
+    description: "DEFAULT_ADMIN_ROLE or a self-managed role can call grantRole() on itself or on other privileged roles. Single admin compromise = full takeover.",
+    suggestion: "Use AccessControlEnumerable + revoke admin's ability to manage its own role. Move sensitive roles to a separate multisig.",
+    pattern: /_setupRole\s*\(\s*DEFAULT_ADMIN_ROLE|_grantRole\s*\(\s*DEFAULT_ADMIN_ROLE|grantRole\s*\([^,]+,\s*msg\.sender\s*\)/,
+    severity: "high",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-no-renounce-evidence",
+    title: "Renounceable ownership without evidence of renunciation",
+    description: "Contract inherits Ownable / OwnableUpgradeable but the constructor / initializer doesn't transfer ownership to a known-safe address (zero, multisig, timelock). Owner power may still be active.",
+    suggestion: "Either renounce ownership in the constructor (acceptably for fully-immutable contracts), or transfer to a multisig. Document this explicitly.",
+    pattern: /(?:contract|abstract\s+contract)\s+\w+[\s\S]{0,500}?\bis\s+[\w,\s]*?Ownable(?:Upgradeable)?\b(?![\s\S]{0,2000}?(?:renounceOwnership\s*\(\)|transferOwnership\s*\(\s*address\(0x|TimelockController|Safe\s*\())/,
+    severity: "medium",
+    category: "rug-surface",
+    confidence: "low",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-max-wallet-or-tx",
+    title: "Trading restrictions (max wallet / max tx)",
+    description: "Contract enforces maxWallet, maxTransactionAmount, or similar caps. Common in memecoin templates \u2014 verify the cap can't be set to 0 or 1 wei (effectively halting trading).",
+    suggestion: "Ensure max-cap setters have a minimum floor (e.g. 0.1% of supply). Combine with timelock for changes after launch.",
+    pattern: /(?:maxWallet|maxTransactionAmount|maxTx|maxWalletAmount|_maxWallet|_maxTx)\s*[:=]/i,
+    severity: "low",
+    category: "rug-surface",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-rug-hidden-modifier",
+    title: "Privileged modifier without visible role check in body",
+    description: "A modifier name doesn't suggest privilege (e.g. `lock`, `safe`, `nonReentrant`-shaped names) but its body restricts access. Auditors miss these; users assume the function is open.",
+    suggestion: "Rename modifier to make privilege explicit (e.g. `onlyOperator`). Or move check inline so reviewers see it in the function body.",
+    pattern: /modifier\s+(?!onlyOwner|onlyAdmin|onlyRole|nonReentrant|whenNotPaused|whenPaused|initializer|reinitializer)(\w+)\s*\(\s*\)\s*\{[\s\S]{0,200}?require\s*\(\s*msg\.sender\s*==\s*\w+/,
+    severity: "medium",
+    category: "rug-surface",
+    confidence: "low",
+    languages: SOL
+  }
+];
 var ALL_RULES2 = [
   ...securityRules,
   ...solidityRules2,
+  ...rugSurfaceRules,
   ...javaRules,
   ...rubyRules,
   ...phpRules,
@@ -4722,7 +5089,8 @@ var ALL_RULES2 = [
   ...iacRules,
   ...eip7702Rules,
   ...tstoreRules,
-  ...uniswapV4Rules
+  ...uniswapV4Rules,
+  ...hackReplayRules
 ];
 
 // src/static/pattern-scanner.ts
@@ -4774,9 +5142,13 @@ function isJsxFile(filePath) {
 function isScriptDir(filePath) {
   return /(?:^|\/)(?:scripts|build|tools|infra)\//i.test(filePath);
 }
+function isVendorFile(filePath) {
+  return /(?:^|\/)(?:node_modules|@openzeppelin|@uniswap|@aave|@chainlink|solmate|solady|lib|vendor|dependencies|forge-std|ds-test)(?:\/|@)/i.test(filePath);
+}
 function isFalsePositive(ctx) {
   if (isDocsFile(ctx.filePath)) return true;
-  if (ctx.rule.id !== "cp-qual-todo-fixme" && isCommentLine(ctx.line)) return true;
+  if (isVendorFile(ctx.filePath)) return true;
+  if (ctx.rule.id !== "cp-qual-todo-fixme" && ctx.rule.category !== "hack-replay" && isCommentLine(ctx.line)) return true;
   if (isImportLine(ctx.line) && /(?:http-no-tls|hardcoded-ip|hardcoded-secret)/.test(ctx.rule.id)) return true;
   if (isConfigFile(ctx.filePath) && ctx.rule.category === "security") return true;
   const trimmed = ctx.line.trim();
@@ -4794,6 +5166,11 @@ function isFalsePositive(ctx) {
       if (/process\.env\b/.test(ctx.line)) return true;
     }
   }
+  if (ctx.rule.id === "cp-sec-hardcoded-secret") {
+    if (/=\s*["']?0x[0-9a-fA-F]{40}["']?/.test(ctx.line)) return true;
+    if (/\b(?:address|token0?|token1|tokenAddress|contractAddress|pool|router|factory|vault|recipient|payTo|treasury|owner|admin|operator|signer|delegate|merkleRoot|root|domain|salt|chainId|deadline|attestation|uid|schema)\b\s*[:=]/i.test(ctx.line)) return true;
+    if (/\b(?:hash|sha|keccak|merkle|root|uid|tx|proof|signature|sig|domain|salt|nonce|attestation|commitment)\w*\s*[:=]\s*["']?0x[0-9a-fA-F]{64}/i.test(ctx.line)) return true;
+  }
   return false;
 }
 function adjustSeverityForContext(severity, filePath) {
@@ -4931,7 +5308,7 @@ ${lines[i]}`,
       }
     }
   }
-  if (lines.length > 8) {
+  if (lines.length > 8 && !SOL2.includes(ext)) {
     const WINDOW = 4;
     const blockMap = /* @__PURE__ */ new Map();
     for (let i = 0; i <= lines.length - WINDOW; i++) {
@@ -5124,6 +5501,175 @@ var patternScannerRunner = {
   }
 };
 
+// src/ai/poc-generator.ts
+import { execFile as execFile4 } from "child_process";
+import { writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
+import { promisify as promisify4 } from "util";
+import { tmpdir } from "os";
+import { join } from "path";
+import { randomBytes } from "crypto";
+var exec4 = promisify4(execFile4);
+var SYSTEM_PROMPT = `You are an expert smart contract security researcher who writes Foundry (forge) exploit tests to demonstrate vulnerabilities.
+
+Given a security finding and the vulnerable contract source code, write a minimal Foundry test that:
+1. Deploys the vulnerable contract (or a minimal reproduction of the vulnerable pattern)
+2. Demonstrates the exploit in a test function named test_exploit()
+3. Uses vm.expectRevert() or assertions to show the vulnerability is real
+4. Includes a brief comment explaining the attack vector
+
+Rules:
+- Use Solidity ^0.8.20 and Foundry's Test base
+- Import only from forge-std (available: Test, console, Vm, StdCheats)
+- If the contract needs an RPC fork (e.g. for on-chain state), emit a // @fork-required comment on line 1
+- Keep it minimal \u2014 prove the bug, nothing else
+- Return ONLY valid Solidity, no markdown fences, no explanation outside comments
+
+Format:
+\`\`\`solidity
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.20;
+
+import "forge-std/Test.sol";
+
+contract ExploitTest is Test {
+    // ...setup...
+
+    function test_exploit() public {
+        // ...exploit...
+    }
+}
+\`\`\``;
+function buildUserMessage(finding, contractSource) {
+  return `## Vulnerability Finding
+
+Rule ID: ${finding.ruleId}
+Title: ${finding.title}
+Severity: ${finding.severity}
+File: ${finding.filePath} (lines ${finding.startLine}\u2013${finding.endLine})
+Description: ${finding.description}
+
+Vulnerable code snippet:
+\`\`\`solidity
+${finding.codeSnippet}
+\`\`\`
+
+Fix suggestion: ${finding.suggestion}
+
+## Full Contract Source
+
+\`\`\`solidity
+${contractSource}
+\`\`\`
+
+Write the Foundry exploit test now.`;
+}
+function extractSolidity(text) {
+  const fenceMatch = text.match(/```(?:solidity)?\s*([\s\S]*?)```/);
+  if (fenceMatch) return fenceMatch[1].trim();
+  return text.trim();
+}
+async function forgeAvailable() {
+  try {
+    await exec4("forge", ["--version"], { timeout: 5e3 });
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function runForgeTest(pocCode, rpcUrl) {
+  const id = randomBytes(6).toString("hex");
+  const dir = join(tmpdir(), `elytra-poc-${id}`);
+  const srcDir = join(dir, "src");
+  const testDir = join(dir, "test");
+  const libDir = join(dir, "lib");
+  try {
+    await mkdir2(srcDir, { recursive: true });
+    await mkdir2(testDir, { recursive: true });
+    await mkdir2(libDir, { recursive: true });
+    await writeFile2(
+      join(dir, "foundry.toml"),
+      `[profile.default]
+src = "src"
+out = "out"
+libs = ["lib"]
+`
+    );
+    const testFile = join(testDir, "Exploit.t.sol");
+    await writeFile2(testFile, pocCode);
+    const args = ["test", "--match-contract", "ExploitTest", "--no-match-coverage", "-vv"];
+    if (rpcUrl) {
+      args.push("--fork-url", rpcUrl);
+    }
+    const { stdout, stderr } = await exec4("forge", args, {
+      cwd: dir,
+      timeout: 6e4,
+      env: { ...process.env, FOUNDRY_PROFILE: "default" }
+    });
+    const output = [stdout, stderr].filter(Boolean).join("\n");
+    const passed = output.includes("PASS") || output.includes("ok");
+    return { success: passed, output };
+  } catch (err) {
+    const output = err.stdout ?? err.stderr ?? String(err);
+    return { success: false, output };
+  } finally {
+    exec4("rm", ["-rf", dir]).catch(() => {
+    });
+  }
+}
+var PocGenerator = class {
+  provider;
+  constructor(provider) {
+    this.provider = provider;
+  }
+  async generate(finding, contractSource, rpcUrl) {
+    if (finding.category !== "solidity" && !finding.ruleId.startsWith("cp-sol")) {
+      return {
+        status: "error",
+        pocCode: "",
+        output: "PoC generation only supported for Solidity findings"
+      };
+    }
+    let pocCode = "";
+    try {
+      const response = await this.provider.complete({
+        messages: [
+          { role: "system", content: SYSTEM_PROMPT },
+          { role: "user", content: buildUserMessage(finding, contractSource) }
+        ],
+        maxTokens: 4096
+      });
+      pocCode = extractSolidity(response.text);
+      if (!pocCode) {
+        return { status: "error", pocCode: "", output: "AI returned empty response" };
+      }
+    } catch (err) {
+      logger.error(`PocGenerator: AI call failed: ${err}`);
+      return { status: "error", pocCode: "", output: String(err) };
+    }
+    const hasForge = await forgeAvailable();
+    if (!hasForge) {
+      logger.info("PocGenerator: forge not available, returning generated code only");
+      return {
+        status: "generated",
+        pocCode,
+        output: "forge not installed \u2014 PoC generated but not executed",
+        rpcUrl
+      };
+    }
+    const forkRequired = pocCode.includes("@fork-required");
+    const { success, output } = await runForgeTest(
+      pocCode,
+      forkRequired ? rpcUrl : void 0
+    );
+    return {
+      status: success ? "confirmed" : "not-exploitable",
+      pocCode,
+      output,
+      rpcUrl: forkRequired ? rpcUrl : void 0
+    };
+  }
+};
+
 // src/analyzer.ts
 var SEVERITY_ORDER2 = {
   critical: 0,
@@ -5228,7 +5774,9 @@ async function analyze(params) {
     repoPath,
     staticOnly = false,
     skipStatic = false,
-    aiConcurrency
+    aiConcurrency,
+    runPoc = false,
+    pocRpcUrl
   } = params;
   const parsed = parseDiff(diff);
   if (parsed.files.length === 0) {
@@ -5346,7 +5894,38 @@ async function analyze(params) {
   const enriched = enrichFindings(sorted);
   const score = computeScore(enriched, parsed.files.length);
   const summary = buildSummary(enriched, parsed.files.length, staticResult?.toolsRan);
-  return { findings: enriched, summary, score };
+  let pocs;
+  if (runPoc && (provider || apiKey)) {
+    const pocProvider = provider ?? {
+      name: "anthropic-poc",
+      async complete(p) {
+        const { AnthropicProvider: AnthropicProvider2 } = await import("./anthropic-PRRF4E3I.js");
+        return new AnthropicProvider2(apiKey).complete(p);
+      }
+    };
+    const pocGen = new PocGenerator(pocProvider);
+    const solFindings = enriched.filter(
+      (f) => (f.severity === "critical" || f.severity === "high") && (f.category === "solidity" || f.ruleId.startsWith("cp-sol"))
+    );
+    const fileContents = /* @__PURE__ */ new Map();
+    for (const file of parsed.files) {
+      fileContents.set(file.path, reconstructContent(file));
+    }
+    pocs = {};
+    await Promise.all(
+      solFindings.map(async (finding) => {
+        const src = fileContents.get(finding.filePath) ?? finding.codeSnippet;
+        const key = `${finding.ruleId}:${finding.filePath}:${finding.startLine}`;
+        try {
+          pocs[key] = await pocGen.generate(finding, src, pocRpcUrl);
+        } catch (err) {
+          logger.error(`[analyzer] PoC generation failed for ${key}: ${err}`);
+          pocs[key] = { status: "error", pocCode: "", output: String(err) };
+        }
+      })
+    );
+  }
+  return { findings: enriched, summary, score, ...pocs ? { pocs } : {} };
 }
 function enrichFindings(findings) {
   return findings.map((f) => {
@@ -5482,12 +6061,12 @@ function formatStaticFindingsForAI(rawFindings) {
 import { rm as rm2 } from "fs/promises";
 
 // src/upgrade/ingest.ts
-import { execFile as execFile4 } from "child_process";
-import { promisify as promisify4 } from "util";
+import { execFile as execFile5 } from "child_process";
+import { promisify as promisify5 } from "util";
 import { readdir, stat, readFile as readFile2, mkdtemp } from "fs/promises";
 import path4 from "path";
 import os2 from "os";
-var exec4 = promisify4(execFile4);
+var exec5 = promisify5(execFile5);
 var EXT_TO_LANG = {
   ".ts": "typescript",
   ".tsx": "typescript",
@@ -5708,7 +6287,7 @@ async function ingestRepo(repoUrl, branch) {
   if (branch) {
     cloneArgs.splice(2, 0, "--branch", branch);
   }
-  await exec4("git", cloneArgs, {
+  await exec5("git", cloneArgs, {
     timeout: 12e4,
     maxBuffer: 200 * 1024 * 1024
   });
@@ -5770,11 +6349,11 @@ async function readRepoFiles(repoPath, filePaths, maxTotalSize = 5e5) {
 }
 
 // src/upgrade/deps.ts
-import { execFile as execFile5 } from "child_process";
-import { promisify as promisify5 } from "util";
+import { execFile as execFile6 } from "child_process";
+import { promisify as promisify6 } from "util";
 import { readFile as readFile3, access } from "fs/promises";
 import path5 from "path";
-var exec5 = promisify5(execFile5);
+var exec6 = promisify6(execFile6);
 var DEPRECATED_REPLACEMENTS = {
   "moment": "dayjs or date-fns",
   "request": "node-fetch or axios or undici",
@@ -5828,7 +6407,7 @@ async function analyzeNodeDeps(repoPath) {
   let vulnerableCount = 0;
   let auditResults = {};
   try {
-    const { stdout } = await exec5("npm", ["audit", "--json"], {
+    const { stdout } = await exec6("npm", ["audit", "--json"], {
       cwd: repoPath,
       timeout: 6e4,
       maxBuffer: 20 * 1024 * 1024
@@ -5853,7 +6432,7 @@ async function analyzeNodeDeps(repoPath) {
   }
   let outdatedResults = {};
   try {
-    const { stdout } = await exec5("npm", ["outdated", "--json"], {
+    const { stdout } = await exec6("npm", ["outdated", "--json"], {
       cwd: repoPath,
       timeout: 3e4,
       maxBuffer: 10 * 1024 * 1024
@@ -5913,7 +6492,7 @@ async function analyzeRustDeps(repoPath) {
   const deps = [];
   let vulnerableCount = 0;
   try {
-    const { stdout } = await exec5("cargo", ["audit", "--json"], {
+    const { stdout } = await exec6("cargo", ["audit", "--json"], {
       cwd: repoPath,
       timeout: 6e4,
       maxBuffer: 20 * 1024 * 1024
@@ -5971,7 +6550,7 @@ async function analyzePythonDeps(repoPath) {
   const deps = [];
   let vulnerableCount = 0;
   try {
-    const { stdout } = await exec5(
+    const { stdout } = await exec6(
       "pip-audit",
       ["-r", path5.join(repoPath, "requirements.txt"), "--format", "json"],
       { cwd: repoPath, timeout: 6e4, maxBuffer: 20 * 1024 * 1024 }
@@ -6053,10 +6632,10 @@ async function analyzeDependencies(repoPath, ecosystems) {
 }
 
 // src/upgrade/audit.ts
-import { execFile as execFile6 } from "child_process";
-import { promisify as promisify6 } from "util";
+import { execFile as execFile7 } from "child_process";
+import { promisify as promisify7 } from "util";
 import path6 from "path";
-var exec6 = promisify6(execFile6);
+var exec7 = promisify7(execFile7);
 async function runSlitherFullScan(repoPath, solFiles) {
   if (solFiles.length === 0) return [];
   const IMPACT_MAP2 = {
@@ -6069,7 +6648,7 @@ async function runSlitherFullScan(repoPath, solFiles) {
   try {
     let stdout;
     try {
-      const result = await exec6("slither", [repoPath, "--json", "-", "--no-fail"], {
+      const result = await exec7("slither", [repoPath, "--json", "-", "--no-fail"], {
         timeout: 18e4,
         maxBuffer: 50 * 1024 * 1024,
         cwd: repoPath
@@ -6110,7 +6689,7 @@ async function runSemgrepFullScan(repoPath) {
   try {
     let stdout;
     try {
-      const result = await exec6(
+      const result = await exec7(
         "semgrep",
         ["--config", "p/security-audit", "--json", "--timeout", "30", repoPath],
         { timeout: 18e4, maxBuffer: 50 * 1024 * 1024, cwd: repoPath }
@@ -6141,7 +6720,7 @@ async function runGitleaksFullScan(repoPath) {
   try {
     let stdout;
     try {
-      const result = await exec6(
+      const result = await exec7(
         "gitleaks",
         ["detect", "--source", repoPath, "--report-format", "json", "--report-path", "/dev/stdout", "--no-git", "--no-banner"],
         { timeout: 6e4, maxBuffer: 20 * 1024 * 1024, cwd: repoPath }
@@ -6967,7 +7546,7 @@ async function rewriteFiles(params) {
 
 // src/config.ts
 import { readFileSync, existsSync } from "fs";
-import { resolve, join } from "path";
+import { resolve, join as join2 } from "path";
 import yaml from "js-yaml";
 import { z as z3 } from "zod";
 var DEFAULT_CONFIG = {
@@ -7010,7 +7589,7 @@ function levenshtein(a, b) {
   return dp[m][n];
 }
 function loadConfig(dir) {
-  const configPath = resolve(join(dir, ".elytra.yml"));
+  const configPath = resolve(join2(dir, ".elytra.yml"));
   if (!existsSync(configPath)) return null;
   let raw;
   try {
@@ -7105,7 +7684,7 @@ function filterByConfig(findings, config) {
 
 // src/harden/harden.ts
 import { readFileSync as readFileSync2, writeFileSync, existsSync as existsSync2, readdirSync, statSync } from "fs";
-import { join as join2, relative } from "path";
+import { join as join3, relative } from "path";
 function readJson(filePath) {
   try {
     return JSON.parse(readFileSync2(filePath, "utf-8"));
@@ -7124,7 +7703,7 @@ function walkFiles(dir, exts, maxDepth = 6, depth = 0) {
   }
   for (const entry of entries) {
     if (entry === "node_modules" || entry === ".git" || entry === "dist" || entry === ".next") continue;
-    const full = join2(dir, entry);
+    const full = join3(dir, entry);
     let stat2;
     try {
       stat2 = statSync(full);
@@ -7171,7 +7750,7 @@ function checkHelmet(projectPath, sourceFiles, frameworks) {
   if (!frameworks.includes("express")) return null;
   const helmetFile = anyFileContains(sourceFiles, /\bhelmet\s*\(/);
   if (helmetFile) return null;
-  const pkgJson = readJson(join2(projectPath, "package.json"));
+  const pkgJson = readJson(join3(projectPath, "package.json"));
   const deps = {
     ...pkgJson?.dependencies ?? {},
     ...pkgJson?.devDependencies ?? {}
@@ -7312,9 +7891,9 @@ app.use(cors({
   return null;
 }
 function checkEnvLeakage(projectPath) {
-  const gitignorePath = join2(projectPath, ".gitignore");
+  const gitignorePath = join3(projectPath, ".gitignore");
   if (!existsSync2(gitignorePath)) {
-    const hasEnvFile = existsSync2(join2(projectPath, ".env")) || existsSync2(join2(projectPath, ".env.local"));
+    const hasEnvFile = existsSync2(join3(projectPath, ".env")) || existsSync2(join3(projectPath, ".env.local"));
     if (!hasEnvFile) return null;
     return {
       id: "harden-env-no-gitignore",
@@ -7333,7 +7912,7 @@ function checkEnvLeakage(projectPath) {
     const gitignore = readFileSync2(gitignorePath, "utf-8");
     const hasEnvRule = /^\.env$/m.test(gitignore) || /^\.env\.\*$/m.test(gitignore) || /^\.env\*$/m.test(gitignore) || /^\.env\.local$/m.test(gitignore);
     if (hasEnvRule) return null;
-    const hasEnvFile = existsSync2(join2(projectPath, ".env")) || existsSync2(join2(projectPath, ".env.local")) || existsSync2(join2(projectPath, ".env.production"));
+    const hasEnvFile = existsSync2(join3(projectPath, ".env")) || existsSync2(join3(projectPath, ".env.local")) || existsSync2(join3(projectPath, ".env.production"));
     if (!hasEnvFile) return null;
     return {
       id: "harden-env-not-gitignored",
@@ -7441,7 +8020,7 @@ res.cookie("token", value, {
   };
 }
 function checkTsStrict(projectPath) {
-  const tsconfigPath = join2(projectPath, "tsconfig.json");
+  const tsconfigPath = join3(projectPath, "tsconfig.json");
   if (!existsSync2(tsconfigPath)) return null;
   const tsconfig = readJson(tsconfigPath);
   if (!tsconfig) return null;
@@ -7461,7 +8040,7 @@ function checkTsStrict(projectPath) {
 function applyHardenFix(projectPath, suggestion) {
   if (!suggestion.autoFixable) return false;
   if (suggestion.id === "harden-ts-no-strict") {
-    const tsconfigPath = join2(projectPath, "tsconfig.json");
+    const tsconfigPath = join3(projectPath, "tsconfig.json");
     const tsconfig = readJson(tsconfigPath);
     if (!tsconfig) return false;
     const compilerOptions = tsconfig.compilerOptions ?? {};
@@ -7477,7 +8056,7 @@ function applyHardenFix(projectPath, suggestion) {
   return false;
 }
 function runHarden(projectPath) {
-  const pkgJsonPath = join2(projectPath, "package.json");
+  const pkgJsonPath = join3(projectPath, "package.json");
   const pkgJson = readJson(pkgJsonPath);
   if (!pkgJson) {
     return { suggestions: [], projectPath, frameworksDetected: [] };
@@ -7588,7 +8167,7 @@ Respond with a valid JSON object:
 // src/full-scan-discovery.ts
 import { execSync } from "child_process";
 import { readdirSync as readdirSync2, statSync as statSync2 } from "fs";
-import { join as join3, relative as relative2, extname } from "path";
+import { join as join4, relative as relative2, extname } from "path";
 var SOURCE_EXTENSIONS = /* @__PURE__ */ new Set([
   ".ts",
   ".tsx",
@@ -7717,7 +8296,7 @@ function discoverViaGit(targetPath, maxFileSizeKB) {
   for (const line of raw.split("\n")) {
     const rel = line.trim();
     if (!rel || !isSourceFile(rel)) continue;
-    const abs = join3(targetPath, rel);
+    const abs = join4(targetPath, rel);
     try {
       const stat2 = statSync2(abs);
       if (!stat2.isFile()) continue;
@@ -7749,9 +8328,9 @@ function discoverViaWalk(targetPath, maxFileSizeKB) {
       if (entry.isDirectory()) {
         if (SKIP_DIRS.has(entry.name)) continue;
         if (entry.name.startsWith(".") && !ALLOWED_HIDDEN_DIRS.has(entry.name)) continue;
-        walk(join3(dir, entry.name));
+        walk(join4(dir, entry.name));
       } else if (entry.isFile()) {
-        const abs = join3(dir, entry.name);
+        const abs = join4(dir, entry.name);
         const rel = relative2(targetPath, abs);
         if (!isSourceFile(rel)) continue;
         try {
@@ -8023,175 +8602,6 @@ function buildSummary2(findings, fileCount, toolsRan) {
   }
   return summary;
 }
-
-// src/ai/poc-generator.ts
-import { execFile as execFile7 } from "child_process";
-import { writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
-import { promisify as promisify7 } from "util";
-import { tmpdir } from "os";
-import { join as join4 } from "path";
-import { randomBytes } from "crypto";
-var exec7 = promisify7(execFile7);
-var SYSTEM_PROMPT = `You are an expert smart contract security researcher who writes Foundry (forge) exploit tests to demonstrate vulnerabilities.
-
-Given a security finding and the vulnerable contract source code, write a minimal Foundry test that:
-1. Deploys the vulnerable contract (or a minimal reproduction of the vulnerable pattern)
-2. Demonstrates the exploit in a test function named test_exploit()
-3. Uses vm.expectRevert() or assertions to show the vulnerability is real
-4. Includes a brief comment explaining the attack vector
-
-Rules:
-- Use Solidity ^0.8.20 and Foundry's Test base
-- Import only from forge-std (available: Test, console, Vm, StdCheats)
-- If the contract needs an RPC fork (e.g. for on-chain state), emit a // @fork-required comment on line 1
-- Keep it minimal \u2014 prove the bug, nothing else
-- Return ONLY valid Solidity, no markdown fences, no explanation outside comments
-
-Format:
-\`\`\`solidity
-// SPDX-License-Identifier: MIT
-pragma solidity ^0.8.20;
-
-import "forge-std/Test.sol";
-
-contract ExploitTest is Test {
-    // ...setup...
-
-    function test_exploit() public {
-        // ...exploit...
-    }
-}
-\`\`\``;
-function buildUserMessage(finding, contractSource) {
-  return `## Vulnerability Finding
-
-Rule ID: ${finding.ruleId}
-Title: ${finding.title}
-Severity: ${finding.severity}
-File: ${finding.filePath} (lines ${finding.startLine}\u2013${finding.endLine})
-Description: ${finding.description}
-
-Vulnerable code snippet:
-\`\`\`solidity
-${finding.codeSnippet}
-\`\`\`
-
-Fix suggestion: ${finding.suggestion}
-
-## Full Contract Source
-
-\`\`\`solidity
-${contractSource}
-\`\`\`
-
-Write the Foundry exploit test now.`;
-}
-function extractSolidity(text) {
-  const fenceMatch = text.match(/```(?:solidity)?\s*([\s\S]*?)```/);
-  if (fenceMatch) return fenceMatch[1].trim();
-  return text.trim();
-}
-async function forgeAvailable() {
-  try {
-    await exec7("forge", ["--version"], { timeout: 5e3 });
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function runForgeTest(pocCode, rpcUrl) {
-  const id = randomBytes(6).toString("hex");
-  const dir = join4(tmpdir(), `elytra-poc-${id}`);
-  const srcDir = join4(dir, "src");
-  const testDir = join4(dir, "test");
-  const libDir = join4(dir, "lib");
-  try {
-    await mkdir2(srcDir, { recursive: true });
-    await mkdir2(testDir, { recursive: true });
-    await mkdir2(libDir, { recursive: true });
-    await writeFile2(
-      join4(dir, "foundry.toml"),
-      `[profile.default]
-src = "src"
-out = "out"
-libs = ["lib"]
-`
-    );
-    const testFile = join4(testDir, "Exploit.t.sol");
-    await writeFile2(testFile, pocCode);
-    const args = ["test", "--match-contract", "ExploitTest", "--no-match-coverage", "-vv"];
-    if (rpcUrl) {
-      args.push("--fork-url", rpcUrl);
-    }
-    const { stdout, stderr } = await exec7("forge", args, {
-      cwd: dir,
-      timeout: 6e4,
-      env: { ...process.env, FOUNDRY_PROFILE: "default" }
-    });
-    const output = [stdout, stderr].filter(Boolean).join("\n");
-    const passed = output.includes("PASS") || output.includes("ok");
-    return { success: passed, output };
-  } catch (err) {
-    const output = err.stdout ?? err.stderr ?? String(err);
-    return { success: false, output };
-  } finally {
-    exec7("rm", ["-rf", dir]).catch(() => {
-    });
-  }
-}
-var PocGenerator = class {
-  provider;
-  constructor(provider) {
-    this.provider = provider;
-  }
-  async generate(finding, contractSource, rpcUrl) {
-    if (finding.category !== "solidity" && !finding.ruleId.startsWith("cp-sol")) {
-      return {
-        status: "error",
-        pocCode: "",
-        output: "PoC generation only supported for Solidity findings"
-      };
-    }
-    let pocCode = "";
-    try {
-      const response = await this.provider.complete({
-        messages: [
-          { role: "system", content: SYSTEM_PROMPT },
-          { role: "user", content: buildUserMessage(finding, contractSource) }
-        ],
-        maxTokens: 4096
-      });
-      pocCode = extractSolidity(response.text);
-      if (!pocCode) {
-        return { status: "error", pocCode: "", output: "AI returned empty response" };
-      }
-    } catch (err) {
-      logger.error(`PocGenerator: AI call failed: ${err}`);
-      return { status: "error", pocCode: "", output: String(err) };
-    }
-    const hasForge = await forgeAvailable();
-    if (!hasForge) {
-      logger.info("PocGenerator: forge not available, returning generated code only");
-      return {
-        status: "generated",
-        pocCode,
-        output: "forge not installed \u2014 PoC generated but not executed",
-        rpcUrl
-      };
-    }
-    const forkRequired = pocCode.includes("@fork-required");
-    const { success, output } = await runForgeTest(
-      pocCode,
-      forkRequired ? rpcUrl : void 0
-    );
-    return {
-      status: success ? "confirmed" : "not-exploitable",
-      pocCode,
-      output,
-      rpcUrl: forkRequired ? rpcUrl : void 0
-    };
-  }
-};
 export {
   AIClient,
   AnthropicProvider,

package/package.json

@@ -1,20 +1,15 @@
 {
   "name": "@elytrasec/engine",
-  "version": "0.3.1",
-  "description": "Core analysis engine for Elytra — 120+ detection rules, static + AI scanning, scoring",
+  "version": "0.4.0",
+  "description": "Core analysis engine for Elytra — 173 detection rules including 12 famous-hack patterns and 11 rug-surface checks, static + AI scanning, scoring.",
   "license": "MIT",
   "author": "ElytraSec <hello@elytrasec.io>",
   "homepage": "https://elytrasec.io",
-  "bugs": "https://github.com/ElytraSec/elytrasecsec/issues",
-  "keywords": ["security", "scanner", "static-analysis", "code-review", "vulnerability-detection"],
+  "bugs": "https://elytrasec.io/agents",
+  "keywords": ["security", "scanner", "static-analysis", "code-review", "vulnerability-detection", "solidity", "defi", "rug-surface"],
   "engines": {
     "node": ">=20"
   },
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/ElytraSec/elytrasecsec.git",
-    "directory": "packages/engine"
-  },
   "publishConfig": {
     "access": "public"
   },