@snovon/solast 0.2.0

package/dist/detectors/access-control.js

@@ -0,0 +1,983 @@
+"use strict";
+/**
+ * Access-control detector (rule id `access-control`). Extracted from
+ * `src/index.ts` per roadmap item 1.1 slice 5/N. Public API surface
+ * is unchanged — `src/index.ts` re-exports `AccessControlDetector`
+ * so `createDefaultDetectorRegistry` and downstream consumers
+ * continue to see it at the same path.
+ *
+ * The detector flags externally callable privileged operations that
+ * lack a recognised access-control guard (modifier, msg.sender owner
+ * check, role-based check, etc.). See
+ * `docs/detectors/access-control.md` for the user-facing contract.
+ *
+ * Privileged-name recognition currently uses an inline regex
+ * (`/owner|admin|role|.../i`) — roadmap item 1.2 will centralise this
+ * predicate in `_common/access-control.ts:isPrivilegedIdentifier`.
+ * That refactor is intentionally a separate slice; this slice is
+ * mechanical extraction only.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AccessControlDetector = void 0;
+const access_control_1 = require("./_common/access-control");
+const ast_1 = require("./_common/ast");
+class AccessControlDetector {
+    id = 'access-control';
+    patternKey = 'access-control';
+    supportedAstKinds = ['parser', 'solc'];
+    findings = [];
+    currentFile = '';
+    currentContract = '';
+    currentContractNode = null;
+    currentFunction = '';
+    currentFunctionNode = null;
+    currentFunctionExternal = false;
+    currentFunctionGuarded = false;
+    guardSeenBeforeFirstPrivilegedOp = false;
+    guardSeenBeforeFirstPrivilegedOpStack = [];
+    currentPrivilegedOperation = null;
+    currentPrivilegedOperationHadPriorInlineGuard = false;
+    stateVariablesByContract = new Map();
+    functionNodesByContract = new Map();
+    privilegedFunctionSummaryCache = new Map();
+    activePrivilegedFunctionSummaries = new Set();
+    localVariables = new Set();
+    semantic = undefined;
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.currentContract = '';
+        this.currentContractNode = null;
+        this.resetFunctionState();
+        this.stateVariablesByContract.clear();
+        this.functionNodesByContract.clear();
+        this.privilegedFunctionSummaryCache.clear();
+        this.activePrivilegedFunctionSummaries.clear();
+    }
+    setSemanticModel(model) {
+        // SemanticModel adoption (roadmap 3.3 / H.3 — Slice 2b). The model
+        // lets this detector see inherited privileged surfaces across files.
+        // When undefined (single-file callers without semantic context), the
+        // detector behaves exactly as before: the inherited-walk in
+        // ContractDefinition_post is skipped.
+        this.semantic = model;
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.currentContract = node.name || '<anonymous>';
+        this.currentContractNode = node;
+        if (!this.stateVariablesByContract.has(this.currentContract)) {
+            this.stateVariablesByContract.set(this.currentContract, new Set());
+        }
+        this.registerContractFunctions(node);
+        this.mergeInheritedStateVariables(node);
+    }
+    ContractDefinition_post(node) {
+        // After visiting every locally-declared FunctionDefinition, also
+        // scan the contract's MRO for inherited externally-callable
+        // functions that the visitor walk doesn't reach (their AST lives in
+        // a base contract, possibly in another file). Findings emitted here
+        // anchor at the CURRENT contract's definition line so the operator
+        // can locate the vulnerable surface in the file under scan.
+        this.walkInheritedFunctions(node);
+        this.currentContract = '';
+        this.currentContractNode = null;
+    }
+    StateVariableDeclaration(node) {
+        const stateVariables = this.getCurrentStateVariables();
+        for (const variable of node.variables || []) {
+            if (variable?.name) {
+                stateVariables.add(variable.name);
+            }
+        }
+    }
+    FunctionDefinition(node) {
+        this.resetFunctionState();
+        this.currentFunctionNode = node;
+        this.currentFunction = node.name || this.getFunctionKind(node) || '<anonymous>';
+        this.currentFunctionExternal = this.isExternallyCallable(node);
+        this.currentFunctionGuarded = this.hasRecognizedGuardModifier(node);
+        for (const parameter of node.parameters || []) {
+            if (parameter?.name)
+                this.localVariables.add(parameter.name);
+        }
+        for (const parameter of node.returnParameters || []) {
+            if (parameter?.name)
+                this.localVariables.add(parameter.name);
+        }
+        if (node.body?.statements) {
+            this.analyzeParserNode(node.body);
+            this.emitCurrentFinding();
+            this.resetFunctionState();
+        }
+    }
+    FunctionDefinition_post(_node) {
+        this.emitCurrentFinding();
+        this.resetFunctionState();
+    }
+    walkInheritedFunctions(contractNode) {
+        // === SemanticModel adoption (roadmap 3.3 / H.3 — Slice 2b) ===
+        //
+        // Mirror of the Slice-2a logic from `missing-access-control.ts`,
+        // adapted to this detector's visitor-style + per-statement privileged-
+        // operation tracking. For each inherited externally-callable function
+        // not overridden locally, run the SAME privileged-op + guard analysis
+        // against the inherited body, then emit a finding anchored at the
+        // current (Derived) contract's definition line — that's the surface
+        // an external caller can reach.
+        if (!this.semantic)
+            return;
+        if (!contractNode)
+            return;
+        const myId = `${this.currentFile}::${this.currentContract}`;
+        const myInfo = this.semantic.contracts.get(myId);
+        if (!myInfo || myInfo.bases.length === 0)
+            return;
+        // Functions declared locally on this contract are already handled by
+        // the regular visitor walk; skip them to avoid double-emit when
+        // Derived overrides a Base critical function.
+        const localFnNames = new Set();
+        const members = Array.isArray(contractNode?.subNodes) ? contractNode.subNodes
+            : Array.isArray(contractNode?.nodes) ? contractNode.nodes
+                : [];
+        for (const m of members) {
+            if (m?.type === 'FunctionDefinition' && typeof m?.name === 'string') {
+                localFnNames.add(m.name);
+            }
+        }
+        for (const inheritedFn of this.semantic.inheritedFunctions(myId)) {
+            if (inheritedFn.contractId === myId)
+                continue;
+            if (!inheritedFn.name)
+                continue;
+            if (localFnNames.has(inheritedFn.name))
+                continue;
+            const fnNode = inheritedFn.node;
+            if (!fnNode)
+                continue;
+            if (!this.isExternallyCallable(fnNode))
+                continue;
+            const body = fnNode.body;
+            if (!body || !Array.isArray(body.statements))
+                continue;
+            const declarer = this.semantic.contracts.get(inheritedFn.contractId);
+            const declarerName = declarer?.name || '<unknown>';
+            this.resetFunctionState();
+            this.currentFunctionNode = fnNode;
+            this.currentFunction = inheritedFn.name;
+            this.currentFunctionExternal = true;
+            this.currentFunctionGuarded = this.hasRecognizedGuardModifier(fnNode);
+            for (const parameter of fnNode.parameters || []) {
+                if (parameter?.name)
+                    this.localVariables.add(parameter.name);
+            }
+            for (const parameter of fnNode.returnParameters || []) {
+                if (parameter?.name)
+                    this.localVariables.add(parameter.name);
+            }
+            this.analyzeParserNode(body);
+            this.emitInheritedFinding(declarerName, contractNode);
+            this.resetFunctionState();
+        }
+    }
+    emitInheritedFinding(declarerName, anchorContractNode) {
+        if (!(this.currentFunctionExternal &&
+            this.currentPrivilegedOperation &&
+            !this.currentFunctionGuarded &&
+            !this.currentPrivilegedOperationHadPriorInlineGuard))
+            return;
+        // Anchor at the current (Derived) contract's definition line so the
+        // finding points at a surface in the file under scan, not at Base.sol
+        // (which fires separately via its own local walk when both files are
+        // in the scan). Falls back to line 1 column 0 defensively — line 0
+        // is banned per `docs/findings-taxonomy.md` and a planned test gate.
+        const anchorLoc = anchorContractNode?.loc?.start;
+        const line = anchorLoc?.line || 1;
+        const column = anchorLoc?.column || 0;
+        const operation = this.currentPrivilegedOperation;
+        const { rationale, suggestedFix } = this.describePrivilegedOperation(operation);
+        const fnName = this.currentFunction;
+        this.findings.push({
+            file: this.currentFile,
+            contract: this.currentContract,
+            'function': fnName,
+            line,
+            endLine: line,
+            column,
+            pattern: 'access-control',
+            confidence: 'high',
+            ruleId: 'access-control',
+            severity: 'high',
+            message: `Externally callable privileged operation in '${fnName}' inherited from ${declarerName} ` +
+                `has no recognized access-control guard; override the inherited function in ${this.currentContract} ` +
+                `with onlyOwner, onlyRole(DEFAULT_ADMIN_ROLE), or an explicit msg.sender owner guard, ` +
+                `or restrict access in ${declarerName}.`,
+            rationale,
+            suggestedFix,
+            contractName: this.currentContract,
+            functionName: fnName,
+            sourceLocation: { line, column },
+            stateMutationNode: operation.expression || operation,
+            // Discriminator for computeFindingId: all inherited findings on a
+            // single derived contract share (file, line, ruleId) because
+            // they're anchored at the contract definition line. Without this,
+            // a derived contract inheriting two unguarded critical functions
+            // would emit two findings with identical findingId and the
+            // downstream dedup engine would silently drop one. Pattern matches
+            // missing-access-control.ts's Slice-2a discriminator.
+            instance_key: `${this.currentContract}::${fnName}`,
+            findingId: '',
+            contractHash: ''
+        });
+    }
+    emitCurrentFinding() {
+        if (this.currentFunctionExternal &&
+            this.currentPrivilegedOperation &&
+            !this.currentFunctionGuarded &&
+            !this.currentPrivilegedOperationHadPriorInlineGuard) {
+            const operation = this.currentPrivilegedOperation;
+            // tryLoc-with-floor + two-arg fallback: operation as primary,
+            // enclosing function as fallback (covers solc-walker loc=0 cases
+            // and synthesised operation nodes).
+            const loc = (0, ast_1.tryLoc)(operation, this.currentFunctionNode) ?? { line: 0, endLine: 0, column: 0 };
+            const { line, endLine, column } = loc;
+            const { rationale, suggestedFix } = this.describePrivilegedOperation(operation);
+            this.findings.push({
+                file: this.currentFile,
+                contract: this.currentContract,
+                'function': this.currentFunction,
+                line,
+                endLine,
+                column,
+                pattern: 'access-control',
+                confidence: 'high',
+                ruleId: 'access-control',
+                severity: 'high',
+                message: `Externally callable privileged operation in '${this.currentFunction}' has no recognized access-control guard; add onlyOwner, onlyRole(DEFAULT_ADMIN_ROLE), or an explicit msg.sender owner guard.`,
+                rationale,
+                suggestedFix,
+                contractName: this.currentContract,
+                functionName: this.currentFunction,
+                sourceLocation: { line, column },
+                stateMutationNode: operation.expression || operation,
+                findingId: '',
+                contractHash: ''
+            });
+        }
+    }
+    VariableDeclarationStatement(node) {
+        for (const variable of node.variables || []) {
+            if (variable?.name)
+                this.localVariables.add(variable.name);
+        }
+        if (!this.currentFunctionExternal)
+            return;
+        this.recordPrivilegedOperation(node.initialValue, node);
+        if (!this.currentPrivilegedOperation && this.containsRecognizedInlineGuard(node.initialValue)) {
+            this.guardSeenBeforeFirstPrivilegedOp = true;
+        }
+    }
+    ExpressionStatement(node) {
+        if (!this.currentFunctionExternal)
+            return;
+        this.recordPrivilegedOperation(node.expression, node);
+        if (!this.currentPrivilegedOperation && this.containsRecognizedInlineGuard(node.expression)) {
+            this.guardSeenBeforeFirstPrivilegedOp = true;
+        }
+    }
+    resetFunctionState() {
+        this.currentFunction = '';
+        this.currentFunctionNode = null;
+        this.currentFunctionExternal = false;
+        this.currentFunctionGuarded = false;
+        this.guardSeenBeforeFirstPrivilegedOp = false;
+        this.guardSeenBeforeFirstPrivilegedOpStack = [];
+        this.currentPrivilegedOperation = null;
+        this.currentPrivilegedOperationHadPriorInlineGuard = false;
+        this.localVariables.clear();
+    }
+    enterNestedStatementBody() {
+        this.guardSeenBeforeFirstPrivilegedOpStack.push(this.guardSeenBeforeFirstPrivilegedOp);
+    }
+    exitNestedStatementBody() {
+        const previous = this.guardSeenBeforeFirstPrivilegedOpStack.pop();
+        if (previous !== undefined) {
+            this.guardSeenBeforeFirstPrivilegedOp = previous;
+        }
+    }
+    analyzeNestedParserNode(node) {
+        this.enterNestedStatementBody();
+        try {
+            this.analyzeParserNode(node);
+        }
+        finally {
+            this.exitNestedStatementBody();
+        }
+    }
+    analyzeParserNode(node) {
+        if (!node || typeof node !== 'object')
+            return;
+        if (node.type === 'VariableDeclarationStatement') {
+            this.VariableDeclarationStatement(node);
+            return;
+        }
+        if (node.type === 'ExpressionStatement') {
+            this.ExpressionStatement(node);
+            return;
+        }
+        if (node.type === 'IfStatement') {
+            this.analyzeParserNode(node.condition);
+            this.analyzeNestedParserNode(node.trueBody);
+            this.analyzeNestedParserNode(node.falseBody);
+            return;
+        }
+        if (node.type === 'ForStatement') {
+            this.analyzeParserNode(node.initializationExpression || node.initExpression);
+            this.analyzeParserNode(node.condition || node.conditionExpression);
+            this.analyzeParserNode(node.loopExpression);
+            this.analyzeNestedParserNode(node.body);
+            return;
+        }
+        if (node.type === 'WhileStatement' || node.type === 'DoWhileStatement') {
+            this.analyzeParserNode(node.condition);
+            this.analyzeNestedParserNode(node.body);
+            return;
+        }
+        if (node.type === 'UncheckedStatement') {
+            this.analyzeNestedParserNode(node.body || node.block);
+            return;
+        }
+        for (const key of [
+            'statements',
+            'body',
+            'trueBody',
+            'falseBody',
+            'expression',
+            'left',
+            'right',
+            'subExpression',
+            'initialValue',
+            'condition',
+            'conditionExpression',
+            'initializationExpression',
+            'initExpression',
+            'loopExpression',
+            'block'
+        ]) {
+            const value = node[key];
+            if (Array.isArray(value)) {
+                for (const item of value)
+                    this.analyzeParserNode(item);
+            }
+            else if ((key === 'body' && node.type !== 'Block') || key === 'block') {
+                this.analyzeNestedParserNode(value);
+            }
+            else {
+                this.analyzeParserNode(value);
+            }
+        }
+    }
+    getCurrentStateVariables() {
+        if (!this.stateVariablesByContract.has(this.currentContract)) {
+            this.stateVariablesByContract.set(this.currentContract, new Set());
+        }
+        return this.stateVariablesByContract.get(this.currentContract);
+    }
+    registerContractFunctions(node) {
+        const functions = new Map();
+        for (const member of this.getContractMembers(node)) {
+            if (member?.type === 'FunctionDefinition' && member.name) {
+                functions.set(member.name, member);
+            }
+        }
+        this.functionNodesByContract.set(this.currentContract, functions);
+    }
+    getContractMembers(node) {
+        if (Array.isArray(node?.subNodes))
+            return node.subNodes;
+        if (Array.isArray(node?.nodes))
+            return node.nodes;
+        return [];
+    }
+    mergeInheritedStateVariables(node) {
+        const stateVariables = this.getCurrentStateVariables();
+        for (const baseName of this.getBaseContractNames(node)) {
+            const baseStateVariables = this.stateVariablesByContract.get(baseName);
+            if (!baseStateVariables)
+                continue;
+            for (const variableName of baseStateVariables) {
+                stateVariables.add(variableName);
+            }
+        }
+    }
+    getBaseContractNames(node) {
+        const names = [];
+        for (const base of node.baseContracts || []) {
+            const name = this.getNodeName(base.baseName || base);
+            if (name)
+                names.push(name);
+        }
+        return names;
+    }
+    isExternallyCallable(node) {
+        const kind = this.getFunctionKind(node).toLowerCase();
+        if (kind === 'constructor')
+            return false;
+        const visibility = String(node.visibility || '').toLowerCase();
+        if (visibility === 'public' || visibility === 'external' || kind === 'fallback' || kind === 'receive') {
+            return true;
+        }
+        if ((!visibility || visibility === 'default') && !!node.body) {
+            // A no-visibility function whose name matches the enclosing contract is
+            // an old-style (pre-0.5) constructor — it runs once at deployment and is
+            // not externally callable post-deploy. Treat it as the constructor, not
+            // an entry point, so seeding owner state in it is not a false finding.
+            const name = String(node.name || '');
+            if (name && name === this.currentContract)
+                return false;
+            // Default-visibility functions only occur in pre-0.5 source. The
+            // detector recognises only onlyOwner/onlyRole guard modifiers by
+            // name, so a default-visibility function carrying any other custom
+            // guard modifier would otherwise read as unguarded and produce a
+            // false positive. The genuine Parity-shape unguarded surface has no
+            // modifier at all — restrict the default-visibility entry surface to
+            // modifier-free functions. Explicit public/external functions are
+            // unaffected by this carve-out.
+            if (Array.isArray(node.modifiers) && node.modifiers.length > 0)
+                return false;
+            return true;
+        }
+        return false;
+    }
+    getFunctionKind(node) {
+        if (node.isConstructor)
+            return 'constructor';
+        return node.kind || node.functionKind || '';
+    }
+    hasRecognizedGuardModifier(node) {
+        for (const modifier of node.modifiers || []) {
+            const name = this.getNodeName(modifier);
+            if (this.isRecognizedGuardName(name))
+                return true;
+        }
+        return false;
+    }
+    isRecognizedGuardName(name) {
+        const normalized = name.toLowerCase();
+        return normalized === 'onlyowner' ||
+            normalized === 'onlyrole';
+    }
+    containsRecognizedInlineGuard(expr) {
+        if (!expr || typeof expr !== 'object')
+            return false;
+        if (this.isRecognizedInlineGuard(expr))
+            return true;
+        for (const child of this.childNodes(expr)) {
+            if (this.containsRecognizedInlineGuard(child))
+                return true;
+        }
+        return false;
+    }
+    isRecognizedInlineGuard(expr) {
+        if (!expr || expr.type !== 'FunctionCall')
+            return false;
+        const callee = this.getCallName(expr.expression).toLowerCase();
+        const args = expr.arguments || [];
+        if (callee === 'require' || callee === 'assert') {
+            return args.some((arg) => this.isAuthPredicate(arg));
+        }
+        return callee === '_checkrole' || callee === 'checkrole' || callee.endsWith('._checkrole');
+    }
+    isAuthPredicate(expr) {
+        if (!expr)
+            return false;
+        if (expr.type === 'BinaryOperation') {
+            const left = expr.left || expr.leftExpression;
+            const right = expr.right || expr.rightExpression;
+            if (expr.operator === '&&') {
+                return this.isAuthPredicate(left) || this.isAuthPredicate(right);
+            }
+            if (expr.operator === '||') {
+                return this.isAuthPredicate(left) && this.isAuthPredicate(right);
+            }
+        }
+        return this.isMsgSenderEqualityLeaf(expr) ||
+            this.isHasRoleCallLeaf(expr) ||
+            this.isRenounceRoleSelfCheckLeaf(expr);
+    }
+    isMsgSenderEqualityLeaf(expr) {
+        if (!expr || expr.type !== 'BinaryOperation')
+            return false;
+        if (expr.operator !== '==' && expr.operator !== '===')
+            return false;
+        if (this.isMsgSender(expr.left) && !this.isMsgSender(expr.right)) {
+            return this.isAuthorizationTarget(expr.right);
+        }
+        if (this.isMsgSender(expr.right) && !this.isMsgSender(expr.left)) {
+            return this.isAuthorizationTarget(expr.left);
+        }
+        return false;
+    }
+    isAuthorizationTarget(expr) {
+        if (!expr)
+            return false;
+        if (this.isPrivilegedStateReference(expr))
+            return true;
+        if (expr.type === 'FunctionCall' &&
+            (expr.arguments || []).length === 0 &&
+            expr.expression?.type === 'Identifier') {
+            const callee = expr.expression.name || '';
+            if (callee && !this.localVariables.has(callee) && this.isPrivilegedName(callee)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    isHasRoleCallLeaf(expr) {
+        if (!expr || expr.type !== 'FunctionCall')
+            return false;
+        const callee = this.getCallName(expr.expression).toLowerCase();
+        if (callee !== 'hasrole' && !callee.endsWith('.hasrole'))
+            return false;
+        return (expr.arguments || []).some((arg) => this.isMsgSender(arg));
+    }
+    isRenounceRoleSelfCheckLeaf(expr) {
+        if (this.currentFunction.toLowerCase() !== 'renouncerole')
+            return false;
+        if (!expr || expr.type !== 'BinaryOperation')
+            return false;
+        if (expr.operator !== '==' && expr.operator !== '===')
+            return false;
+        const left = expr.left || expr.leftExpression;
+        const right = expr.right || expr.rightExpression;
+        return (this.isMsgSender(left) && this.isAccountReference(right)) ||
+            (this.isMsgSender(right) && this.isAccountReference(left));
+    }
+    isAccountReference(expr) {
+        return expr?.type === 'Identifier' && String(expr.name || '').toLowerCase() === 'account';
+    }
+    isMsgSender(expr) {
+        return (0, access_control_1.isCallerIdentityExpression)(expr);
+    }
+    recordPrivilegedOperation(expr, statementNode) {
+        if (this.currentPrivilegedOperation || !expr)
+            return;
+        if (this.containsPrivilegedOperation(expr)) {
+            this.currentPrivilegedOperation = statementNode || expr;
+            this.currentPrivilegedOperationHadPriorInlineGuard = this.guardSeenBeforeFirstPrivilegedOp;
+        }
+    }
+    describePrivilegedOperation(operation) {
+        const expr = operation?.expression || operation;
+        const privilegedCall = this.findPrivilegedCall(expr);
+        if (privilegedCall) {
+            const callee = this.getCallName(privilegedCall.expression).toLowerCase();
+            if (callee === 'grantrole' || callee.endsWith('.grantrole')) {
+                return {
+                    rationale: 'Unguarded role grant: an externally callable function can grant role authority without a recognized owner or role-admin guard.',
+                    suggestedFix: 'Add onlyRole(DEFAULT_ADMIN_ROLE) or an equivalent role-admin check before granting roles.'
+                };
+            }
+            if (callee === 'renounceownership' || callee.endsWith('.renounceownership')) {
+                return {
+                    rationale: 'Unguarded ownership removal: an externally callable function can clear ownership without recognized owner or admin authorization.',
+                    suggestedFix: 'Restrict ownership removal to the current owner or admin with onlyOwner, onlyRole(DEFAULT_ADMIN_ROLE), or an equivalent msg.sender owner guard.'
+                };
+            }
+            if (callee === 'transferownership' || callee.endsWith('.transferownership')) {
+                return {
+                    rationale: 'Unguarded ownership handoff: an externally callable function can transfer ownership without recognized current-owner or admin authorization.',
+                    suggestedFix: 'Require current owner or admin authorization before transferring ownership.'
+                };
+            }
+        }
+        const assignedRoot = this.findPrivilegedAssignmentRoot(expr);
+        const functionName = this.currentFunction.toLowerCase();
+        if (functionName === 'grantrole') {
+            return {
+                rationale: 'Unguarded role grant: an externally callable role-grant API mutates role authority state without a recognized role-admin guard.',
+                suggestedFix: 'Add onlyRole(DEFAULT_ADMIN_ROLE) or an equivalent role-admin check before granting roles.'
+            };
+        }
+        if (functionName === 'renounceownership') {
+            return {
+                rationale: 'Unguarded ownership removal: an externally callable ownership API clears ownership without recognized owner or admin authorization.',
+                suggestedFix: 'Restrict ownership removal to the current owner or admin with onlyOwner, onlyRole(DEFAULT_ADMIN_ROLE), or an equivalent msg.sender owner guard.'
+            };
+        }
+        if (functionName === 'transferownership') {
+            return {
+                rationale: 'Unguarded ownership handoff: an externally callable ownership-transfer API updates owner authority without recognized current-owner or admin authorization.',
+                suggestedFix: 'Require current owner or admin authorization before transferring ownership.'
+            };
+        }
+        if (/role/i.test(assignedRoot)) {
+            return {
+                rationale: 'Unguarded role grant: an externally callable function mutates role authority state without a recognized owner or role-admin guard.',
+                suggestedFix: 'Add onlyRole(DEFAULT_ADMIN_ROLE) or an equivalent role-admin check before mutating role state.'
+            };
+        }
+        if (/owner/i.test(assignedRoot) || functionName.includes('ownership')) {
+            return {
+                rationale: 'Unguarded owner/authority state mutation: an externally callable function updates ownership state without a recognized owner or role guard.',
+                suggestedFix: 'Add onlyOwner, onlyRole(DEFAULT_ADMIN_ROLE), or an equivalent msg.sender owner guard before the authority mutation.'
+            };
+        }
+        if (/fee|treasury|admin|guardian|operator|paused|pause|timelock|governor/i.test(assignedRoot)) {
+            return {
+                rationale: 'Unguarded privileged configuration mutation: an externally callable function updates privileged configuration without recognized owner or admin authorization.',
+                suggestedFix: 'Add owner or admin authorization, such as onlyOwner, onlyRole(DEFAULT_ADMIN_ROLE), or an equivalent msg.sender owner guard.'
+            };
+        }
+        return {
+            rationale: 'Unguarded privileged operation: an externally callable function performs an authority-sensitive action without a recognized access-control guard.',
+            suggestedFix: 'Add onlyOwner, onlyRole(DEFAULT_ADMIN_ROLE), or an equivalent msg.sender owner guard before the privileged operation.'
+        };
+    }
+    findPrivilegedCall(expr) {
+        if (!expr || typeof expr !== 'object')
+            return null;
+        if (expr.type === 'FunctionCall') {
+            const callee = this.getCallName(expr.expression).toLowerCase();
+            if (callee === 'transferownership' ||
+                callee.endsWith('.transferownership') ||
+                callee === 'grantrole' ||
+                callee.endsWith('.grantrole') ||
+                callee === 'renounceownership' ||
+                callee.endsWith('.renounceownership')) {
+                return expr;
+            }
+        }
+        for (const child of this.childNodes(expr)) {
+            const found = this.findPrivilegedCall(child);
+            if (found)
+                return found;
+        }
+        return null;
+    }
+    findPrivilegedAssignmentRoot(expr) {
+        if (!expr || typeof expr !== 'object')
+            return '';
+        if (expr.type === 'BinaryOperation' && this.isAssignmentOperator(expr.operator)) {
+            const root = this.getReferenceRoot(expr.left);
+            if (root && this.isPrivilegedName(root) && !this.localVariables.has(root))
+                return root;
+        }
+        if (expr.type === 'UnaryOperation' && (expr.operator === '++' || expr.operator === '--')) {
+            const root = this.getReferenceRoot(expr.subExpression);
+            if (root && this.isPrivilegedName(root) && !this.localVariables.has(root))
+                return root;
+        }
+        for (const child of this.childNodes(expr)) {
+            const root = this.findPrivilegedAssignmentRoot(child);
+            if (root)
+                return root;
+        }
+        return '';
+    }
+    containsPrivilegedOperation(expr) {
+        if (!expr || typeof expr !== 'object')
+            return false;
+        if (this.isPrivilegedOperation(expr))
+            return true;
+        for (const child of this.childNodes(expr)) {
+            if (this.containsPrivilegedOperation(child))
+                return true;
+        }
+        return false;
+    }
+    isPrivilegedOperation(expr) {
+        if (expr.type === 'BinaryOperation' && this.isAssignmentOperator(expr.operator)) {
+            return this.isPrivilegedStateReference(expr.left);
+        }
+        if (expr.type === 'UnaryOperation' && (expr.operator === '++' || expr.operator === '--')) {
+            return this.isPrivilegedStateReference(expr.subExpression);
+        }
+        if (expr.type === 'FunctionCall') {
+            if (this.isSameContractPrivilegedHelperCall(expr))
+                return true;
+            if (this.isValueTransfer(expr))
+                return this.isPrivilegedFundTransferFunction();
+            const callee = this.getCallName(expr.expression).toLowerCase();
+            return callee === 'selfdestruct' ||
+                callee === 'suicide' ||
+                callee.endsWith('.transferownership') ||
+                callee === 'transferownership' ||
+                callee.endsWith('.grantrole') ||
+                callee === 'grantrole' ||
+                callee === '_grantrole' ||
+                callee.endsWith('.revokerole') ||
+                callee === 'revokerole' ||
+                callee === '_revokerole' ||
+                callee.endsWith('.renounceownership') ||
+                callee === 'renounceownership' ||
+                callee === '_setroleadmin';
+        }
+        return false;
+    }
+    isSameContractPrivilegedHelperCall(expr) {
+        const callee = this.getCallName(expr.expression);
+        if (!callee || callee.includes('.'))
+            return false;
+        if (callee === this.currentFunction)
+            return false;
+        if (!this.isAuthorityHelperPropagationCandidate(this.currentFunction, callee))
+            return false;
+        const functions = this.functionNodesByContract.get(this.currentContract);
+        const target = functions?.get(callee);
+        if (!target?.body)
+            return false;
+        // A helper carrying any modifier is very likely guarded by it — the
+        // Parity propagation shape (initWallet -> initMultiowned) flows
+        // through modifier-free helpers. Propagating an unguarded-operation
+        // verdict through a modifier-guarded helper produces a false
+        // positive: the helper's own modifier already restricts the caller.
+        if (Array.isArray(target.modifiers) && target.modifiers.length > 0)
+            return false;
+        return this.functionMutatesPrivilegedState(callee, target);
+    }
+    isAuthorityHelperPropagationCandidate(entryName, helperName) {
+        return this.isAuthoritySetupOrManagementName(entryName) &&
+            this.isAuthoritySetupOrManagementName(helperName);
+    }
+    isAuthoritySetupOrManagementName(name) {
+        // Intentionally narrow: an authority-management name must mention an
+        // ownership / role concept. A bare `init*` prefix is NOT sufficient —
+        // most `init*` functions seed unrelated configuration, and treating
+        // every one as an authority entry point inflates the access-control
+        // false-positive rate (the Parity propagation path only needs the
+        // ownership-named init helpers: `initWallet`, `initMultiowned`, ...).
+        const normalized = String(name || '').toLowerCase();
+        return /(?:owner|admin|role|multiowned|authority|permission|wallet)/.test(normalized);
+    }
+    functionMutatesPrivilegedState(name, node) {
+        const cacheKey = `${this.currentContract}::${name}`;
+        const cached = this.privilegedFunctionSummaryCache.get(cacheKey);
+        if (cached !== undefined)
+            return cached;
+        if (this.activePrivilegedFunctionSummaries.has(cacheKey))
+            return false;
+        this.activePrivilegedFunctionSummaries.add(cacheKey);
+        const savedLocalVariables = this.localVariables;
+        this.localVariables = this.collectFunctionLocalVariables(node);
+        try {
+            const result = this.containsPrivilegedOperationInSubtree(node.body);
+            this.privilegedFunctionSummaryCache.set(cacheKey, result);
+            return result;
+        }
+        finally {
+            this.localVariables = savedLocalVariables;
+            this.activePrivilegedFunctionSummaries.delete(cacheKey);
+        }
+    }
+    containsPrivilegedOperationInSubtree(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (this.isPrivilegedOperation(node))
+            return true;
+        for (const key of [
+            'statements',
+            'body',
+            'trueBody',
+            'falseBody',
+            'expression',
+            'left',
+            'right',
+            'subExpression',
+            'base',
+            'index',
+            'initialValue',
+            'condition',
+            'conditionExpression',
+            'initializationExpression',
+            'initExpression',
+            'loopExpression',
+            'block',
+            'arguments',
+            'components'
+        ]) {
+            const value = node[key];
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (this.containsPrivilegedOperationInSubtree(item))
+                        return true;
+                }
+            }
+            else if (this.containsPrivilegedOperationInSubtree(value)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    collectFunctionLocalVariables(node) {
+        const locals = new Set();
+        for (const parameter of node.parameters || []) {
+            if (parameter?.name)
+                locals.add(parameter.name);
+        }
+        for (const parameter of node.returnParameters || []) {
+            if (parameter?.name)
+                locals.add(parameter.name);
+        }
+        this.collectLocalVariableDeclarations(node.body, locals);
+        return locals;
+    }
+    collectLocalVariableDeclarations(node, locals) {
+        if (!node || typeof node !== 'object')
+            return;
+        if (node.type === 'VariableDeclarationStatement') {
+            for (const variable of node.variables || []) {
+                if (variable?.name)
+                    locals.add(variable.name);
+            }
+        }
+        for (const key of [
+            'statements',
+            'body',
+            'trueBody',
+            'falseBody',
+            'expression',
+            'left',
+            'right',
+            'subExpression',
+            'initialValue',
+            'condition',
+            'conditionExpression',
+            'initializationExpression',
+            'initExpression',
+            'loopExpression',
+            'block'
+        ]) {
+            const value = node[key];
+            if (Array.isArray(value)) {
+                for (const item of value)
+                    this.collectLocalVariableDeclarations(item, locals);
+            }
+            else {
+                this.collectLocalVariableDeclarations(value, locals);
+            }
+        }
+    }
+    isAssignmentOperator(operator) {
+        return ['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>='].includes(operator);
+    }
+    isPrivilegedStateReference(expr) {
+        const root = this.getReferenceRoot(expr);
+        if (!root || this.localVariables.has(root))
+            return false;
+        return this.isPrivilegedName(root);
+    }
+    getReferenceRoot(expr) {
+        if (!expr)
+            return '';
+        if (expr.type === 'Identifier')
+            return expr.name || '';
+        if (expr.type === 'IndexAccess')
+            return this.getReferenceRoot(expr.base);
+        if (expr.type === 'MemberAccess')
+            return this.getReferenceRoot(expr.expression);
+        return '';
+    }
+    isPrivilegedName(name) {
+        // Delegates to the canonical helper in _common/access-control
+        // (roadmap 1.2). The default keyword set there mirrors this
+        // detector's legacy regex exactly, so behaviour is preserved.
+        return (0, access_control_1.isPrivilegedIdentifier)(name);
+    }
+    isPrivilegedFundTransferFunction() {
+        const normalized = this.currentFunction.toLowerCase();
+        return /sweep|drain|rescue|recover|skim|withdrawfee|withdrawfund|transferfund|treasury|emergency/.test(normalized);
+    }
+    isValueTransfer(expr) {
+        let current = expr.expression;
+        if (current?.type === 'NameValueExpression') {
+            return this.nameValueExpressionHasValue(current) && this.memberName(current.expression) === 'call';
+        }
+        const member = this.memberName(current);
+        return member === 'send' || member === 'transfer';
+    }
+    nameValueExpressionHasValue(expr) {
+        if (!expr)
+            return false;
+        const argumentNames = Array.isArray(expr.arguments)
+            ? expr.arguments.map((arg) => arg?.name).filter(Boolean)
+            : (expr.arguments?.names || []);
+        const names = expr.names || argumentNames || [];
+        if (Array.isArray(names) && names.some((name) => String(name).toLowerCase() === 'value')) {
+            return true;
+        }
+        return Array.isArray(expr.arguments) && expr.arguments.length > 0;
+    }
+    memberName(expr) {
+        return expr?.type === 'MemberAccess' ? String(expr.memberName || '').toLowerCase() : '';
+    }
+    getCallName(expr) {
+        if (!expr)
+            return '';
+        if (expr.type === 'Identifier')
+            return expr.name || '';
+        if (expr.type === 'MemberAccess') {
+            const prefix = this.getCallName(expr.expression);
+            return prefix ? `${prefix}.${expr.memberName || ''}` : (expr.memberName || '');
+        }
+        if (expr.type === 'NameValueExpression')
+            return this.getCallName(expr.expression);
+        return this.getNodeName(expr);
+    }
+    getNodeName(node) {
+        if (!node)
+            return '';
+        if (typeof node === 'string')
+            return node;
+        if (node.name)
+            return this.getNodeName(node.name);
+        if (node.namePath)
+            return String(node.namePath);
+        if (node.type === 'Identifier')
+            return node.name || '';
+        if (node.type === 'ModifierInvocation')
+            return this.getNodeName(node.name);
+        if (node.type === 'MemberAccess')
+            return node.memberName || '';
+        return '';
+    }
+    childNodes(node) {
+        const children = [];
+        for (const key of [
+            'expression',
+            'left',
+            'right',
+            'subExpression',
+            'base',
+            'index',
+            'initialValue',
+            'arguments',
+            'components'
+        ]) {
+            const value = node[key];
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object')
+                        children.push(item);
+                }
+            }
+            else if (value && typeof value === 'object') {
+                children.push(value);
+            }
+        }
+        return children;
+    }
+}
+exports.AccessControlDetector = AccessControlDetector;
+// Alias `_post` handlers to `:exit` so that `parser.visit` (which fires
+// `<Type>:exit`) and the solc-walker (which fires `<Type>_post`) both
+// reach the same handler. The pre-Slice-2b `ContractDefinition_post`
+// existed for the solc path but did nothing observable; the inherited-
+// function walk added in Slice 2b (roadmap 3.3) needs the parser-AST
+// alias for combined-source and two-file scans to fire. Pattern matches
+// classic-reentrancy.ts / fallback-delegatecall-reentrancy.ts.
+const _accProto = AccessControlDetector.prototype;
+_accProto['ContractDefinition:exit'] = _accProto.ContractDefinition_post;
+//# sourceMappingURL=access-control.js.map