@elytrasec/engine 0.4.0 → 0.4.2

package/dist/index.d.ts

@@ -743,7 +743,7 @@ interface PatternRule$1 {
     title: string;
     description: string;
     suggestion: string;
-    pattern: RegExp;
+    pattern?: RegExp;
     multilinePattern?: RegExp;
     severity: Severity;
     category: string;
@@ -769,8 +769,8 @@ interface PatternRule {
     title: string;
     description: string;
     suggestion: string;
-    /** Applied once per line. */
-    pattern: RegExp;
+    /** Applied once per line. Optional — a rule may be multilinePattern-only. */
+    pattern?: RegExp;
     /** Applied against the full file content (use sparingly). */
     multilinePattern?: RegExp;
     severity: Severity;

package/dist/index.js

@@ -2921,7 +2921,13 @@ var securityRules = [
     title: "Potential SQL injection",
     description: "SQL query built with template literals or string concatenation. User input may flow into the query unsanitised.",
     suggestion: "Use parameterised queries or prepared statements instead of string interpolation.",
-    pattern: /(?:query|execute|exec|raw)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+)/i,
+    // Catches:
+    //   .query(`SELECT ... ${x}`)             — template literal interpolation
+    //   .query("SELECT '" + x + "'")          — double-quote outer + escaped single inside (the OWASP #1 shape)
+    //   .query('SELECT \\'" + x + "\\'')      — single-quote outer + escaped double inside
+    //   .queryRawUnsafe("SELECT ... " + req.x) — Prisma raw + concat
+    //   .execute("..." + var)                  — plain concat
+    pattern: /(?:query|execute|exec|raw|queryRaw|queryRawUnsafe|executeRaw|executeRawUnsafe)\s*\(\s*(?:`[^`]*\$\{|"(?:[^"\\]|\\.)*"\s*\+|'(?:[^'\\]|\\.)*'\s*\+)/i,
     multilinePattern: /(?:(?:let|const|var)\s+\w+\s*=\s*["'`](?:SELECT|INSERT|UPDATE|DELETE)\b[\s\S]{1,500}?\+\s*(?:req\.|params\.|query\.|body\.|args\.|user)|(?:let|const|var)\s+\w+\s*=\s*`[^`]*(?:SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{[^`]*`)/gim,
     severity: "critical",
     category: "security",
@@ -3105,7 +3111,7 @@ var securityRules = [
     title: "Form without CSRF protection",
     description: "HTML form with method=POST but no visible CSRF token field. This may be vulnerable to cross-site request forgery.",
     suggestion: "Add a hidden CSRF token field to the form or use a framework-provided CSRF middleware.",
-    pattern: /method\s*=\s*["']post["'][^>]*>(?![\s\S]{0,500}csrf)/i,
+    multilinePattern: /method\s*=\s*["']post["'][^>]*>(?![\s\S]{0,500}csrf)/i,
     severity: "medium",
     category: "security",
     confidence: "low",
@@ -3161,7 +3167,7 @@ var securityRules = [
     title: "XML parsing without entity restriction (XXE)",
     description: "XML parsers that allow external entities can be exploited to read local files or perform SSRF.",
     suggestion: "Disable external entity processing: set noent: false, or use defusedxml in Python.",
-    pattern: /(?:parseXml|parseString|DOMParser|xml2js|libxmljs|XMLParser)\s*\((?![\s\S]*(?:noent:\s*false|resolve_entities:\s*false))/,
+    multilinePattern: /(?:parseXml|parseString|DOMParser|xml2js|libxmljs|XMLParser)\s*\((?![\s\S]*(?:noent:\s*false|resolve_entities:\s*false))/,
     severity: "high",
     category: "security",
     confidence: "medium",
@@ -3211,7 +3217,7 @@ var securityRules = [
     title: "Mass assignment via spread of user input",
     description: "Spreading req.body directly into a database create/update allows attackers to set arbitrary fields (e.g. isAdmin).",
     suggestion: "Explicitly pick allowed fields instead of spreading the entire request body.",
-    pattern: /(?:create|update|insert|save|upsert)\s*\(\s*\{[\s\S]{0,50}\.\.\.(?:req\.body|req\.query|body|input)\b/,
+    multilinePattern: /(?:create|update|insert|save|upsert)\s*\(\s*\{[\s\S]{0,50}\.\.\.(?:req\.body|req\.query|body|input)\b/,
     severity: "high",
     category: "security",
     confidence: "medium",
@@ -3278,7 +3284,7 @@ var securityRules = [
     title: "Cookie set without security flags",
     description: "Cookies set without Secure, HttpOnly, or SameSite flags are vulnerable to interception and XSS theft.",
     suggestion: "Set cookies with { secure: true, httpOnly: true, sameSite: 'strict' } flags.",
-    pattern: /(?:res\.cookie|setCookie|set-cookie|document\.cookie)\s*(?:\(|=)(?![\s\S]{0,100}(?:secure|httpOnly|SameSite))/i,
+    multilinePattern: /(?:res\.cookie|setCookie|set-cookie|document\.cookie)\s*(?:\(|=)(?![\s\S]{0,100}(?:secure|httpOnly|SameSite))/i,
     severity: "medium",
     category: "security",
     confidence: "medium",
@@ -3306,7 +3312,7 @@ var securityRules = [
     title: "CORS credentials with wildcard origin",
     description: "Enabling credentials with a wildcard or reflected origin allows any site to make authenticated cross-origin requests.",
     suggestion: "When using credentials: true, specify explicit trusted origins instead of '*' or reflecting the Origin header.",
-    pattern: /credentials\s*:\s*true[\s\S]{0,200}origin\s*:\s*(?:["']\*["']|req\.headers\.origin|true)/,
+    multilinePattern: /credentials\s*:\s*true[\s\S]{0,200}origin\s*:\s*(?:["']\*["']|req\.headers\.origin|true)/,
     severity: "high",
     category: "security",
     confidence: "high",
@@ -3343,8 +3349,10 @@ var solidityRules2 = [
     title: "Potential reentrancy \u2014 review external call sequencing",
     description: "An external call via `.call{value:...}` is present. The classic reentrancy pattern requires the call to occur BEFORE a state update \u2014 a same-line regex can't verify the order across multiple lines, so this is flagged for manual or AI review. `.send` and `.transfer` are intentionally not flagged because their 2300-gas stipend prevents reentrancy except in pathological cases (post-EIP-1884 gas changes).",
     suggestion: "Follow checks-effects-interactions: update state before external calls. Or use OpenZeppelin's ReentrancyGuard. Confirm by reading the surrounding function or running AI deep-review.",
-    pattern: /\.call\s*\{(?:[^}]*value[^}]*)?\}/,
-    severity: "high",
+    // Only fire when .call{value:} appears AND no reentrancy-guard / OZ helper is visible
+    // in the same file. Reduces FP storm on Governor, ERC7579, ERC4626, etc.
+    multilinePattern: /\.call\s*\{(?:[^}]*value[^}]*)?\}\s*\([\s\S]{0,80}?\)(?![\s\S]{0,3000}?(?:nonReentrant|ReentrancyGuard|_NOT_ENTERED|_REENTRANCY_GUARD|onlyRole|onlyGovernance|_checkAuthorized|Address\.functionCall|Address\.sendValue))/,
+    severity: "medium",
     category: "security",
     confidence: "low",
     languages: SOL
@@ -3354,7 +3362,9 @@ var solidityRules2 = [
     title: "tx.origin used for authorization",
     description: "tx.origin returns the original sender of a transaction. Using it for auth allows phishing attacks via intermediary contracts.",
     suggestion: "Use msg.sender instead of tx.origin for authorization checks.",
-    pattern: /tx\.origin/,
+    // Only flag actual auth use (tx.origin in a require/== check or returned from a getter).
+    // Suppress comments, immutable deployer fingerprints, and Lifebuoy-style "I might add ecrecover" notes.
+    pattern: /(?:require\s*\(\s*tx\.origin\s*==|require\s*\(\s*msg\.sender\s*==\s*tx\.origin|if\s*\(\s*tx\.origin\s*==|return\s+tx\.origin\s*;)/,
     severity: "high",
     category: "security",
     confidence: "high",
@@ -3365,10 +3375,12 @@ var solidityRules2 = [
     title: "Unchecked low-level call return value",
     description: "Low-level call() returns a boolean success flag. Ignoring it can silently swallow failures.",
     suggestion: "Always check the return value: `(bool success, ) = addr.call{...}(...); require(success);`",
-    pattern: /\.call\s*[\({][^)]*\)\s*;/,
-    severity: "high",
+    // Match low-level call result discarded (no return capture). Suppress if (bool,...) = .call() or
+    // .call returned to a variable; suppress if onlyGovernance / onlyOwner / nonReentrant context nearby.
+    multilinePattern: /(?<![\)\]]\s*=\s*[^=])\b\w+\.call\s*[\({][^)]{0,200}?\)\s*;(?![\s\S]{0,500}?(?:onlyGovernance|onlyRole|nonReentrant|onlyOwner))/,
+    severity: "medium",
     category: "security",
-    confidence: "medium",
+    confidence: "low",
     languages: SOL
   },
   {
@@ -3477,10 +3489,12 @@ var solidityRules2 = [
     title: "balanceOf used for pricing without flash loan guards",
     description: "Using balanceOf() for pricing calculations is vulnerable to flash loan manipulation.",
     suggestion: "Use time-weighted average prices (TWAP) or Chainlink oracles instead of spot balanceOf for pricing.",
-    pattern: /balanceOf\s*\([^)]*\)[\s\S]{0,20}(?:\*|\/)/,
+    // Require the balanceOf call to be inside an actual function body (not a docstring/comment block),
+    // and must NOT have TWAP/oracle/Chainlink keywords visible nearby.
+    multilinePattern: /function\s+\w+[^{]*\{[\s\S]{0,2000}?balanceOf\s*\([^)]*\)[\s\S]{0,20}(?:\*|\/)\s*\w(?![\s\S]{0,400}?(?:TWAP|twap|Chainlink|chainlink|oracle\.|priceFeed|latestAnswer|getRoundData|observe\s*\())/,
     severity: "high",
     category: "security",
-    confidence: "medium",
+    confidence: "low",
     languages: SOL
   },
   {
@@ -3537,7 +3551,7 @@ var javaRules = [
     title: "XPath injection via string concatenation",
     description: "Building XPath queries with string concatenation allows injection attacks.",
     suggestion: "Use XPath parameterization via XPathExpression or sanitize input.",
-    pattern: /(?:XPath|xpath)[\s\S]{0,50}\.(?:evaluate|compile)\s*\(\s*(?:["'][^"']*["']\s*\+|.*\+\s*["'])/,
+    multilinePattern: /(?:XPath|xpath)[\s\S]{0,50}\.(?:evaluate|compile)\s*\(\s*(?:["'][^"']*["']\s*\+|.*\+\s*["'])/,
     severity: "high",
     category: "security",
     confidence: "medium",
@@ -3931,7 +3945,7 @@ var performanceRules = [
     title: "Potential N+1 query \u2014 database call inside a loop",
     description: "A database query inside a loop makes N separate round-trips instead of 1 batch query. This causes severe performance degradation at scale.",
     suggestion: "Batch the queries: collect all IDs first, then execute a single WHERE IN query.",
-    pattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?(?:\.find\(|\.findOne\(|\.findUnique\(|\.query\(|\.execute\(|SELECT\b)/,
+    multilinePattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?(?:\.find\(|\.findOne\(|\.findUnique\(|\.query\(|\.execute\(|SELECT\b)/,
     severity: "high",
     category: "performance",
     confidence: "medium",
@@ -3942,7 +3956,7 @@ var performanceRules = [
     title: "Nested iteration \u2014 Array search inside a loop",
     description: "Using Array.find/filter/some/indexOf inside a loop is O(n*m). Use a Map or Set for O(n) lookups.",
     suggestion: "Build a Map or Set from the inner array before the loop, then use .get()/.has() for O(1) lookup.",
-    pattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?\.(?:find|filter|some|indexOf|includes)\s*\(/,
+    multilinePattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?\.(?:find|filter|some|indexOf|includes)\s*\(/,
     severity: "low",
     category: "performance",
     confidence: "medium",
@@ -3965,7 +3979,7 @@ var performanceRules = [
     title: "RegExp construction inside a loop",
     description: "Creating a new RegExp object on every iteration is wasteful. Regex compilation is expensive.",
     suggestion: "Move the RegExp construction outside the loop and reuse the compiled pattern.",
-    pattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?new\s+RegExp\s*\(/,
+    multilinePattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?new\s+RegExp\s*\(/,
     severity: "low",
     category: "performance",
     confidence: "medium",
@@ -3976,7 +3990,7 @@ var performanceRules = [
     title: "JSON.parse inside a loop",
     description: "Parsing JSON inside a loop is CPU-intensive. If the same data is re-parsed, cache the result.",
     suggestion: "Parse the JSON once before the loop and reuse the result, or use streaming JSON parsing for large datasets.",
-    pattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?JSON\.parse\s*\(/,
+    multilinePattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?JSON\.parse\s*\(/,
     severity: "low",
     category: "performance",
     confidence: "medium",
@@ -3987,7 +4001,7 @@ var performanceRules = [
     title: "Sequential await inside a loop",
     description: "Using await inside a loop executes async operations sequentially. Independent operations can run in parallel with Promise.all.",
     suggestion: "Collect promises in an array and use Promise.all() or Promise.allSettled() for parallel execution.",
-    pattern: /(?:for|while)\s*\([\s\S]*?await\s+/,
+    multilinePattern: /(?:for|while)\s*\([\s\S]*?await\s+/,
     severity: "low",
     category: "performance",
     confidence: "low",
@@ -4648,7 +4662,11 @@ var eip7702Rules = [
     title: "EIP-7702 delegation: unguarded initializer",
     description: "Contracts intended as EIP-7702 delegation targets must guard initializers \u2014 constructors don't run on delegated EOAs. An unguarded `initialize()` can be front-run, letting an attacker take ownership. The pattern also matches generic proxy initializers, which usually ARE guarded (just not by an `initializer` keyword on the same line), so confirm whether this contract is actually a 7702 target before treating as critical.",
     suggestion: "If this is a 7702 delegation target: add `initializer` modifier (OpenZeppelin) or a boolean guard. For regular proxies, confirm the initializer is gated by the proxy factory.",
-    pattern: /function\s+initialize\s*\([^)]*\)\s*(?:external|public)(?!\s+\w*[Ii]nitializer)/,
+    // Suppress: initialize() with explicit access guard (onlyOwner, onlyEntryPoint, noDelegateCall),
+    // initializer modifier, ERC1967/UUPS proxy patterns, or 'once' guard.
+    // Broader suppression: ERC-4337/7579 accounts use _setOwner pattern, OZ uses initializer modifier,
+    // proxies use ERC1967, V4 PoolManager.initialize is permissionless-by-design with noDelegateCall.
+    multilinePattern: /function\s+initialize\s*\([^)]*\)\s*(?:external|public)[^{;]*\{(?![\s\S]{0,800}?(?:initializer|reinitializer|_disableInitializers|require\s*\([^)]*!\s*initialized|require\s*\([^)]*owner\s*==\s*address\s*\(\s*0|noDelegateCall|onlyOwner|onlyEntryPoint|onlyProxy|ERC1967|UUPS|_setOwner|_initialize|EntryPoint|UserOperation|getStorage|StorageSlot))/,
     severity: "high",
     category: "solidity",
     confidence: "low",
@@ -4672,10 +4690,12 @@ var tstoreRules = [
     title: "Transient storage (TSTORE) used \u2014 verify reentrancy safety",
     description: "Transient storage (EIP-1153, live since Cancun) does not impose the 2300 gas minimum of SSTORE-based guards. If this contract also uses `transfer()` or `send()` for ETH, those calls are no longer reentrancy-safe \u2014 the callee has enough gas to re-enter via TLOAD/TSTORE paths.",
     suggestion: 'Audit every ETH transfer in this contract. Replace `transfer()`/`send()` with `call{value:}("")` + explicit reentrancy check. Ensure TSTORE lock is written before any external call.',
-    pattern: /assembly\s*\{[^}]*tstore\s*\(|TransientSlot|tstore\s*\(/i,
-    severity: "high",
+    // Only fire on ACTUAL tstore() use inside inline assembly with no nonReentrant-style guard
+    // visible in the same file. Imports of TransientSlot alone are not a finding.
+    multilinePattern: /assembly\s*\{[^}]{0,400}?\btstore\s*\((?![\s\S]{0,2000}?(?:nonReentrant|ReentrancyGuard|_NOT_ENTERED|_REENTRANCY_GUARD|LockBitmap|onlyByPosm|onlyByPoolManager))/,
+    severity: "medium",
     category: "solidity",
-    confidence: "medium",
+    confidence: "low",
     languages: SOL
   },
   {
@@ -4696,7 +4716,9 @@ var uniswapV4Rules = [
     title: "Uniswap v4 hook: missing PoolManager sender validation",
     description: "Hook callbacks (`beforeSwap`, `afterSwap`, `beforeAddLiquidity`, etc.) must verify `msg.sender == address(poolManager)`. Without this check, any address can call the hook directly and manipulate its state.",
     suggestion: 'Add `require(msg.sender == address(poolManager), "not PoolManager");` as the first line of every hook callback, or inherit from `BaseHook` which enforces this automatically.',
-    pattern: /function\s+(?:before|after)(?:Swap|AddLiquidity|RemoveLiquidity|Initialize|Donate)\s*\(/,
+    // Require function BODY (not interface signature ending in ;) AND missing sender check.
+    // Skip interface files and abstract declarations.
+    multilinePattern: /function\s+(?:before|after)(?:Swap|AddLiquidity|RemoveLiquidity|Initialize|Donate)\s*\([^)]*\)\s*(?:external|public)[^{;]*\{(?![\s\S]{0,300}?(?:msg\.sender\s*==\s*(?:address\s*\()?\s*(?:poolManager|manager|_poolManager|POOL_MANAGER|i_poolManager)|onlyByPoolManager|onlyByManager|onlyPoolManager|BaseHook|_validatePoolManager))/,
     severity: "critical",
     category: "solidity",
     confidence: "medium",
@@ -4719,7 +4741,9 @@ var uniswapV4Rules = [
     title: "Uniswap v4 hook: BalanceDelta returned without settle/take",
     description: "Hooks that return a modified `BalanceDelta` must ensure the delta is fully consumed (settled or taken) within the same unlock cycle. An unconsumed delta causes `CurrencyNotSettled` revert; partial consumption can silently strand tokens.",
     suggestion: "Ensure `poolManager.settle()` or `poolManager.take()` is called for both currency0 and currency1 before returning from the unlock callback.",
-    pattern: /returns\s*\([^)]*BalanceDelta[^)]*\)(?![\s\S]{0,800}?(?:settle|\.take)\s*\()/,
+    // Only fire on hook callbacks specifically (before/after-Swap etc.) — not interface decls,
+    // not PoolManager itself (which is the singleton, returns deltas BY DESIGN).
+    multilinePattern: /function\s+(?:before|after)(?:Swap|AddLiquidity|RemoveLiquidity|Donate)\s*\([^)]*\)\s*(?:external|public)[^{;]*returns\s*\([^)]*BalanceDelta[^)]*\)[^{;]*\{(?![\s\S]{0,800}?(?:settle|\.take\s*\(|poolManager\.))/,
     severity: "high",
     category: "solidity",
     confidence: "low",
@@ -4730,7 +4754,7 @@ var uniswapV4Rules = [
     title: "Uniswap v4 hook: overly broad hook permissions",
     description: "Hook permissions are set at deployment via the address bit-flags and cannot be changed. Requesting permissions you don't need (e.g. `BEFORE_SWAP_RETURNS_DELTA` when you never return a delta) increases attack surface and gas costs for every pool interaction.",
     suggestion: "Return only the minimum required `Hooks.Permissions` from `getHookPermissions()`. Audit each permission flag against your actual callback implementations.",
-    pattern: /getHookPermissions\s*\(\s*\)\s*(?:public|external|override)[^{]*\{[\s\S]{0,300}?true/,
+    multilinePattern: /getHookPermissions\s*\(\s*\)\s*(?:public|external|override)[^{]*\{[\s\S]{0,300}?true/,
     severity: "medium",
     category: "solidity",
     confidence: "low",
@@ -4741,7 +4765,9 @@ var uniswapV4Rules = [
     title: "Uniswap v4 hook: spot sqrtPriceX96 used for pricing without limit",
     description: "Using spot `sqrtPriceX96` read from pool state inside a hook callback for pricing decisions without a `sqrtPriceLimitX96` bound is sandwich-attackable. The price reflects post-swap state which may be manipulated.",
     suggestion: "Pass `sqrtPriceLimitX96` to all swap calls from hooks. Use a TWAP oracle for pricing rather than spot price.",
-    pattern: /sqrtPriceX96\s*[*/+-]\s*\w|sqrtPriceX96\s*=\s*(?!.*[Ll]imit)/,
+    // Only fire inside hook callback functions (before/after Swap/AddLiquidity), not library files
+    // (Pool.sol, TickMath.sol, etc.) which legitimately work with raw sqrt prices.
+    multilinePattern: /function\s+(?:before|after)(?:Swap|AddLiquidity|RemoveLiquidity|Donate)\s*\([^)]*\)\s*(?:external|public)[^{;]*\{[\s\S]{0,1500}?sqrtPriceX96\s*[*/+\-]\s*\w(?![\s\S]{0,300}?(?:TWAP|twap|sqrtPriceLimitX96|observe\s*\())/,
     severity: "high",
     category: "solidity",
     confidence: "low",
@@ -4773,7 +4799,9 @@ var hackReplayRules = [
     title: "Euler hack pattern \u2014 donate function reachable from liquidation path",
     description: "A donate/donateTo* function in a lending or vault context can be weaponized to artificially worsen the caller's health factor, then trigger self-liquidation at a profit. This is the exact vector that drained $197M from Euler Finance in March 2023.",
     suggestion: "Either remove the donate function, or (a) require donations to come from accounts with no active borrows, (b) recompute health AFTER the donation as if the donated assets remained the donor's, and (c) prevent same-block liquidation of the donor.",
-    pattern: /function\s+donate[A-Za-z]*\s*\(/,
+    // Only flag donate functions in lending/health/liquidation contexts. Skip pure liquidity-pool
+    // donate functions (Uniswap V4 PoolManager.donate gives fees to LPs — different semantics).
+    multilinePattern: /function\s+donate[A-Za-z]*\s*\([^)]*\)[^{;]*\{[\s\S]{0,2000}?(?:healthFactor|accountHealth|isHealthy|borrow|collateral|liquidat|debt|vault|reserves)/,
     severity: "high",
     category: "hack-replay",
     confidence: "medium",
@@ -4789,7 +4817,7 @@ var hackReplayRules = [
     title: "Radiant hack pattern \u2014 single-step ownership transfer (no Ownable2Step)",
     description: "transferOwnership is implemented as a single-call function \u2014 the new owner takes effect immediately. This is the same pattern the Radiant Capital ($53M, Oct 2024) attackers exploited after compromising a multisig signer's UI: ownership flipped before anyone could react. A two-step or timelocked pattern would have created a defensive window.",
     suggestion: "Inherit from OpenZeppelin Ownable2Step (requires acceptOwnership from the new owner) AND gate it behind a timelock for production deployments. Never let a single signature transfer ownership atomically.",
-    pattern: /function\s+transferOwnership\s*\(\s*address\s+\w+\s*\)\s*(?:public|external)(?![\s\S]{0,400}?(?:pendingOwner|_pendingOwner|acceptOwnership|Ownable2Step|timelock|Timelock|TimelockController))/,
+    multilinePattern: /function\s+transferOwnership\s*\(\s*address\s+\w+\s*\)\s*(?:public|external)(?![\s\S]{0,400}?(?:pendingOwner|_pendingOwner|acceptOwnership|Ownable2Step|timelock|Timelock|TimelockController))/,
     severity: "high",
     category: "hack-replay",
     confidence: "medium",
@@ -4841,7 +4869,13 @@ var hackReplayRules = [
     title: "Beanstalk hack pattern \u2014 governance execute() with no timelock between vote and call",
     description: "A governance contract exposes an execute() / executeProposal() / propose() function callable in the same block as voting. This is the exact $182M Beanstalk vector (April 2022): an attacker flash-loaned the governance token, voted yes on a self-draining proposal, and called execute() in the same transaction. A timelock between successful vote and execution would have made the flash-loan economically pointless.",
     suggestion: "Add a queue/execute split: successful proposals enter a TimelockController with a minimum delay (24-48h is standard). Require execute() to verify block.timestamp >= queuedAt + delay. Never let voting power, proposal acceptance, and code execution happen atomically.",
-    pattern: /function\s+(?:execute(?:Proposal)?|propose(?:AndExecute)?)\s*\([^)]*\)\s*(?:external|public)(?:\s+payable)?(?:\s+returns)?[^{]*\{(?![\s\S]{0,600}?(?:timelock|Timelock|TimelockController|queued|block\.timestamp\s*[><]=?\s*\w+\s*\+))/,
+    // Expanded negative lookahead to suppress OZ Governor/AccessManager/AccessControl
+    // patterns that use proper auth/delay even if "timelock" keyword isn't right next to execute().
+    // Suppress: ERC-4337/7579 account abstraction execute(mode, data), OZ Governor, AccessManager,
+    // anything with auth modifiers. Real Beanstalk-shape is execute(proposalId) on a governance contract.
+    // Suppress: interface signatures (ending in ;), OZ Governor/IGovernor, AccessManager, account
+    // abstraction execute() patterns, anything with proper auth. Requires actual function BODY.
+    multilinePattern: /function\s+(?:execute(?:Proposal)?|propose(?:AndExecute)?)\s*\([^)]*\)\s*(?:external|public)(?:\s+payable)?(?:\s+returns)?[^{;]*\{(?![\s\S]{0,1500}?(?:timelock|Timelock|TimelockController|queued|block\.timestamp\s*[><]=?\s*\w+\s*\+|onlyRole|onlyGovernance|onlyEntryPoint|onlyEntryPointOrSelf|_checkAuthorized|_authorizeUpgrade|AccessControl|AccessManager|Governor|IGovernor|hasRole|getMinDelay|delay\s*\(|_executeOperations|hashOperation|isOperationReady|EntryPoint|ERC7579|ERC4337|ERC7821|IAccount|_validateUserOp|UserOperation|state\s*\(\s*proposalId|_castVote|votingDelay))/,
     severity: "critical",
     category: "hack-replay",
     confidence: "low",
@@ -4857,7 +4891,7 @@ var hackReplayRules = [
     title: "Multichain hack pattern \u2014 bridge withdraw/unlock gated by single owner role",
     description: "A bridge function (withdraw, unlock, releaseTo, claim, mintBridged) is gated only by onlyOwner or a single-address admin check. This was the structural failure behind the $126M Multichain collapse (July 2023): the CEO's MPC key controlled bridge outflows, and when he was detained, attackers (or insiders) drained the bridge. Bridge withdraw functions are the highest-value attack surface in crypto and must be multi-party.",
     suggestion: "Require a multi-sig (Safe / Gnosis), a multi-party MPC (TSS), or an N-of-M validator set before any bridge outflow. Never let a single private key sign a withdraw of bridged assets. Add per-asset and per-block outflow caps as a defense-in-depth limit.",
-    pattern: /function\s+(?:withdraw|unlock|releaseTo|releaseFor|claim|mintBridged|bridgeOut|relayOut)\s*\([^)]*\)\s*(?:external|public)\s+(?:onlyOwner|onlyAdmin|onlyMPC)(?![\s\S]{0,200}?(?:multisig|Multisig|threshold|N_OF_M|validators|attestors))/,
+    multilinePattern: /function\s+(?:withdraw|unlock|releaseTo|releaseFor|claim|mintBridged|bridgeOut|relayOut)\s*\([^)]*\)\s*(?:external|public)\s+(?:onlyOwner|onlyAdmin|onlyMPC)(?![\s\S]{0,200}?(?:multisig|Multisig|threshold|N_OF_M|validators|attestors))/,
     severity: "critical",
     category: "hack-replay",
     confidence: "medium",
@@ -4909,8 +4943,11 @@ var hackReplayRules = [
     title: "Wormhole hack pattern \u2014 guardian/validator signature accepted without strict set verification",
     description: "A function verifies a signature against a validator/guardian set but does not strictly check that the set hash matches the expected current set (or compares against a default/empty value). The $325M Wormhole hack (Feb 2022) exploited a stub `verify_signatures` path that accepted forged signatures because the validator set comparison was missing/insecure. ecrecover-based signature schemes need every validator set rotation tracked by an explicit hash check.",
     suggestion: "Verify the signed message includes a strict hash of the current validator set. Reject signatures where the recovered signer is not in the active set. Never use `default!()` or zero-initialized guardian arrays in signature paths.",
-    pattern: /(?:ecrecover|recover)\s*\([\s\S]{0,400}?\)(?![\s\S]{0,300}?(?:guardianSet|validatorSet|currentSetHash|setHash|require\s*\([^)]*==\s*expected))/,
-    severity: "critical",
+    // Suppress legitimate EIP-712 / Permit / typed-data signature flows (OZ ECDSA, EIP-2612 permits,
+    // ERC-4337 user-op validation) which use ecrecover correctly. Only fire on bridge/oracle-shaped
+    // contexts where signer-set verification matters.
+    multilinePattern: /(?:ecrecover|ECDSA\.recover|\.recover)\s*\([\s\S]{0,400}?\)(?![\s\S]{0,800}?(?:guardianSet|validatorSet|currentSetHash|setHash|_hashTypedDataV4|EIP712|DOMAIN_SEPARATOR|PERMIT_TYPEHASH|DELEGATION_TYPEHASH|ERC1271|isValidSignature|nonces\s*\[|require\s*\([^)]*==\s*expected))/,
+    severity: "high",
     category: "hack-replay",
     confidence: "low",
     languages: SOL
@@ -4945,7 +4982,7 @@ var hackReplayRules = [
     // Tightened: require the call to appear in a function whose name implies
     // lending / collateral / liquidation context (the actual hack surface).
     // Plain DEX pool internals like Uniswap getReserves are not at risk.
-    pattern: /function\s+(?:borrow\w*|liquidat\w*|isHealthy|collateralValue|getAccountHealth|maxBorrow|withdrawCollateral|getBorrowable)[\s\S]{0,600}?\b(?:getPrice|latestAnswer|peek|read)\s*\((?![\s\S]{0,400}?(?:twap|TWAP|deviation|maxDeviation|stalenessThreshold|secondaryPrice|sanity))/,
+    multilinePattern: /function\s+(?:borrow\w*|liquidat\w*|isHealthy|collateralValue|getAccountHealth|maxBorrow|withdrawCollateral|getBorrowable)[\s\S]{0,600}?\b(?:getPrice|latestAnswer|peek|read)\s*\((?![\s\S]{0,400}?(?:twap|TWAP|deviation|maxDeviation|stalenessThreshold|secondaryPrice|sanity))/,
     severity: "medium",
     category: "hack-replay",
     confidence: "low",
@@ -5035,7 +5072,9 @@ var rugSurfaceRules = [
     title: "Role admin can grant itself any role",
     description: "DEFAULT_ADMIN_ROLE or a self-managed role can call grantRole() on itself or on other privileged roles. Single admin compromise = full takeover.",
     suggestion: "Use AccessControlEnumerable + revoke admin's ability to manage its own role. Move sensitive roles to a separate multisig.",
-    pattern: /_setupRole\s*\(\s*DEFAULT_ADMIN_ROLE|_grantRole\s*\(\s*DEFAULT_ADMIN_ROLE|grantRole\s*\([^,]+,\s*msg\.sender\s*\)/,
+    // Only flag PUBLIC/EXTERNAL grantRole(role, msg.sender) or non-constructor _grantRole.
+    // OZ AccessControl's constructor _grantRole(DEFAULT_ADMIN_ROLE, initialAdmin) is legit setup.
+    multilinePattern: /function\s+\w+\s*\([^)]*\)\s*(?:external|public)[^{]*\{[\s\S]{0,400}?(?:_setupRole\s*\(\s*DEFAULT_ADMIN_ROLE|_grantRole\s*\(\s*DEFAULT_ADMIN_ROLE|grantRole\s*\([^,]+,\s*msg\.sender\s*\))/,
     severity: "high",
     category: "rug-surface",
     confidence: "medium",
@@ -5046,7 +5085,7 @@ var rugSurfaceRules = [
     title: "Renounceable ownership without evidence of renunciation",
     description: "Contract inherits Ownable / OwnableUpgradeable but the constructor / initializer doesn't transfer ownership to a known-safe address (zero, multisig, timelock). Owner power may still be active.",
     suggestion: "Either renounce ownership in the constructor (acceptably for fully-immutable contracts), or transfer to a multisig. Document this explicitly.",
-    pattern: /(?:contract|abstract\s+contract)\s+\w+[\s\S]{0,500}?\bis\s+[\w,\s]*?Ownable(?:Upgradeable)?\b(?![\s\S]{0,2000}?(?:renounceOwnership\s*\(\)|transferOwnership\s*\(\s*address\(0x|TimelockController|Safe\s*\())/,
+    multilinePattern: /(?:contract|abstract\s+contract)\s+\w+[\s\S]{0,500}?\bis\s+[\w,\s]*?Ownable(?:Upgradeable)?\b(?![\s\S]{0,2000}?(?:renounceOwnership\s*\(\)|transferOwnership\s*\(\s*address\(0x|TimelockController|Safe\s*\())/,
     severity: "medium",
     category: "rug-surface",
     confidence: "low",
@@ -5068,7 +5107,7 @@ var rugSurfaceRules = [
     title: "Privileged modifier without visible role check in body",
     description: "A modifier name doesn't suggest privilege (e.g. `lock`, `safe`, `nonReentrant`-shaped names) but its body restricts access. Auditors miss these; users assume the function is open.",
     suggestion: "Rename modifier to make privilege explicit (e.g. `onlyOperator`). Or move check inline so reviewers see it in the function body.",
-    pattern: /modifier\s+(?!onlyOwner|onlyAdmin|onlyRole|nonReentrant|whenNotPaused|whenPaused|initializer|reinitializer)(\w+)\s*\(\s*\)\s*\{[\s\S]{0,200}?require\s*\(\s*msg\.sender\s*==\s*\w+/,
+    multilinePattern: /modifier\s+(?!onlyOwner|onlyAdmin|onlyRole|nonReentrant|whenNotPaused|whenPaused|initializer|reinitializer)(\w+)\s*\(\s*\)\s*\{[\s\S]{0,200}?require\s*\(\s*msg\.sender\s*==\s*\w+/,
     severity: "medium",
     category: "rug-surface",
     confidence: "low",
@@ -5395,6 +5434,7 @@ function scanFile(relPath, content, rules, changedRanges) {
   const applicableRules = rules.filter((r) => ruleAppliesToFile(r, relPath));
   if (applicableRules.length === 0) return findings;
   for (const rule of applicableRules) {
+    if (!rule.pattern) continue;
     for (let i = 0; i < lines.length; i++) {
       const lineNumber = i + 1;
       const line = lines[i];
@@ -5426,8 +5466,10 @@ function scanFile(relPath, content, rules, changedRanges) {
     if (rule.id === "cp-clean-callback-hell" && isTestFile(relPath)) continue;
     if (rule.id === "cp-sec-command-injection" && isScriptDir(relPath)) continue;
     rule.multilinePattern.lastIndex = 0;
+    const isGlobal = rule.multilinePattern.flags.includes("g");
     let match;
     while ((match = rule.multilinePattern.exec(content)) !== null) {
+      const breakAfter = !isGlobal;
       const textBefore = content.slice(0, match.index);
       const startLine = textBefore.split("\n").length;
       const matchLines = match[0].split("\n").length;
@@ -5453,6 +5495,7 @@ function scanFile(relPath, content, rules, changedRanges) {
       if (match[0].length === 0) {
         rule.multilinePattern.lastIndex++;
       }
+      if (breakAfter) break;
     }
   }
   if (rules.some((r) => r.category === "code-cleaning")) {

package/package.json

@@ -1,12 +1,21 @@
 {
   "name": "@elytrasec/engine",
-  "version": "0.4.0",
-  "description": "Core analysis engine for Elytra — 173 detection rules including 12 famous-hack patterns and 11 rug-surface checks, static + AI scanning, scoring.",
+  "version": "0.4.2",
+  "description": "Core analysis engine for Elytra \u2014 173 detection rules including 12 famous-hack patterns and 11 rug-surface checks, static + AI scanning, scoring.",
   "license": "MIT",
   "author": "ElytraSec <hello@elytrasec.io>",
   "homepage": "https://elytrasec.io",
   "bugs": "https://elytrasec.io/agents",
-  "keywords": ["security", "scanner", "static-analysis", "code-review", "vulnerability-detection", "solidity", "defi", "rug-surface"],
+  "keywords": [
+    "security",
+    "scanner",
+    "static-analysis",
+    "code-review",
+    "vulnerability-detection",
+    "solidity",
+    "defi",
+    "rug-surface"
+  ],
   "engines": {
     "node": ">=20"
   },