@snovon/solast 0.2.0

package/dist/detectors/fhe-handle-leakage.js

@@ -0,0 +1,315 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FheHandleLeakageDetector = void 0;
+const access_control_1 = require("./_common/access-control");
+const ast_1 = require("./_common/ast");
+const fhe_1 = require("./_common/fhe");
+const RULE_ID = 'fhe-handle-leakage';
+const SEVERITY = 'medium';
+const CONFIDENCE = 'medium';
+const PATTERN_MISSING_ACL = `${RULE_ID}/missing-acl-grant`;
+const PATTERN_UNGUARDED_CALLBACK = `${RULE_ID}/unguarded-decryption-callback`;
+const CALLBACK_NAME_RE = /^(?:onDecryption|fulfill(?:Decryption|Decrypt))/i;
+class FheHandleLeakageDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    enabledByDefault = false;
+    findings = [];
+    currentFile = '';
+    currentContract = '';
+    currentContractNode = null;
+    stateVars = new Set();
+    currentFunction = '';
+    currentFunctionNode = null;
+    currentFunctionVisibility = '';
+    currentFunctionHasBody = false;
+    currentFunctionHasAuthGuard = false;
+    fheCreatedLocals = new Set();
+    fheCreatedLocalPositions = new Map();
+    grantedHandles = new Map();
+    persistedHandles = [];
+    currentModifier = '';
+    currentModifierHasAuthGuard = false;
+    authGuardModifiers = new Set();
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.currentContract = '';
+        this.currentContractNode = null;
+        this.stateVars = new Set();
+        this.authGuardModifiers = new Set();
+        this.resetFunction();
+        this.resetModifier();
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        if (node?.kind === 'interface' || node?.kind === 'library') {
+            this.currentContract = '';
+            this.currentContractNode = null;
+            this.stateVars = new Set();
+            return;
+        }
+        this.currentContract = node.name || '';
+        this.currentContractNode = node;
+        this.stateVars = new Set();
+        for (const sub of node.subNodes || []) {
+            if (!(0, ast_1.isNode)(sub, 'StateVariableDeclaration'))
+                continue;
+            for (const variable of sub.variables || []) {
+                if (variable?.name)
+                    this.stateVars.add(variable.name);
+            }
+        }
+    }
+    ContractDefinition_post(_node) {
+        this.currentContract = '';
+        this.currentContractNode = null;
+        this.stateVars = new Set();
+    }
+    ModifierDefinition(node) {
+        this.resetModifier();
+        this.currentModifier = node?.name || '';
+    }
+    ModifierDefinition_post(_node) {
+        if (this.currentModifier && this.currentModifierHasAuthGuard) {
+            this.authGuardModifiers.add(this.currentModifier);
+        }
+        this.resetModifier();
+    }
+    FunctionDefinition(node) {
+        this.resetFunction();
+        this.currentFunctionNode = node;
+        this.currentFunction = node.isConstructor ? '<constructor>' : (node.name || '');
+        this.currentFunctionVisibility = String(node.visibility || '');
+        this.currentFunctionHasBody = !!node.body;
+        this.currentFunctionHasAuthGuard = (0, access_control_1.hasRecognisedAccessControlModifier)(node)
+            || functionUsesKnownAuthModifier(node, this.authGuardModifiers);
+    }
+    FunctionDefinition_post(_node) {
+        this.emitMissingAclFindings();
+        this.emitCallbackFinding();
+        this.resetFunction();
+    }
+    VariableDeclarationStatement(node) {
+        if (!this.currentFunction || !node.initialValue)
+            return;
+        if (!fheCallCreatesHandle(node.initialValue))
+            return;
+        const pos = sourcePosition(node);
+        for (const variable of node.variables || []) {
+            if (variable?.name) {
+                this.fheCreatedLocals.add(variable.name);
+                this.fheCreatedLocalPositions.set(variable.name, pos);
+            }
+        }
+    }
+    BinaryOperation(node) {
+        if (!this.currentFunction)
+            return;
+        if (node.operator !== '=')
+            return;
+        const stateVar = stateVarName(node.left);
+        if (!stateVar || !this.stateVars.has(stateVar))
+            return;
+        const sourceHandle = createdHandleName(node.right);
+        if (!sourceHandle && !fheCallCreatesHandle(node.right))
+            return;
+        if (sourceHandle && !this.fheCreatedLocals.has(sourceHandle))
+            return;
+        const assignmentPos = sourcePosition(node);
+        const localCreationPos = sourceHandle
+            ? this.fheCreatedLocalPositions.get(sourceHandle)
+            : undefined;
+        this.persistedHandles.push({
+            stateVar,
+            sourceHandle: sourceHandle || stateVar,
+            node,
+            assignmentPos,
+            localCreationPos,
+        });
+    }
+    IfStatement(node) {
+        this.recordAccessControlCondition(node.condition);
+    }
+    FunctionCall(node) {
+        if (this.currentFunction || this.currentModifier) {
+            this.recordAccessControlCall(node);
+        }
+        if (!this.currentFunction)
+            return;
+        if ((0, fhe_1.isFheAllowCall)(node) || (0, fhe_1.isFheAllowThisCall)(node)) {
+            const handle = handleName(node.arguments?.[0]);
+            if (handle) {
+                const pos = sourcePosition(node);
+                const positions = this.grantedHandles.get(handle);
+                if (positions) {
+                    positions.push(pos);
+                }
+                else {
+                    this.grantedHandles.set(handle, [pos]);
+                }
+            }
+        }
+    }
+    recordAccessControlCall(node) {
+        if (!isRequireOrAssertCall(node))
+            return;
+        this.recordAccessControlCondition(node.arguments?.[0]);
+    }
+    recordAccessControlCondition(condition) {
+        if (!(0, access_control_1.requireExpressesAccessControl)(condition, isFheAuthReference))
+            return;
+        if (this.currentModifier) {
+            this.currentModifierHasAuthGuard = true;
+        }
+        else if (this.currentFunction) {
+            this.currentFunctionHasAuthGuard = true;
+        }
+    }
+    emitMissingAclFindings() {
+        for (const persisted of this.persistedHandles) {
+            if (this.hasGrantAfter(persisted.stateVar, persisted.assignmentPos))
+                continue;
+            if (persisted.localCreationPos !== undefined
+                && this.hasGrantAfter(persisted.sourceHandle, persisted.localCreationPos))
+                continue;
+            this.findings.push(this.makeFinding(persisted.node, PATTERN_MISSING_ACL, `FHE handle persisted to state variable '${persisted.stateVar}' without a same-function TFHE.allow/FHE.allow or allowThis grant for that handle.`));
+        }
+    }
+    hasGrantAfter(handleName, afterPos) {
+        const positions = this.grantedHandles.get(handleName);
+        if (!positions)
+            return false;
+        return positions.some(pos => pos > afterPos);
+    }
+    emitCallbackFinding() {
+        if (!this.currentFunctionHasBody)
+            return;
+        if (this.currentFunctionVisibility !== 'public' && this.currentFunctionVisibility !== 'external')
+            return;
+        if (!CALLBACK_NAME_RE.test(this.currentFunction))
+            return;
+        if (this.currentFunctionHasAuthGuard)
+            return;
+        this.findings.push(this.makeFinding(this.currentFunctionNode, PATTERN_UNGUARDED_CALLBACK, `Public or external FHE decryption callback '${this.currentFunction}' lacks an AST-visible authorization gate.`));
+    }
+    makeFinding(node, pattern, message) {
+        const primaryLoc = (0, ast_1.tryLoc)(node);
+        const line = primaryLoc?.line
+            ?? (0, ast_1.tryLoc)(this.currentFunctionNode)?.line
+            ?? (0, ast_1.tryLoc)(this.currentContractNode)?.line
+            ?? 1;
+        const column = primaryLoc?.column ?? 0;
+        const endLine = primaryLoc?.endLine ?? line;
+        return {
+            file: this.currentFile,
+            contract: this.currentContract,
+            function: this.currentFunction,
+            contractName: this.currentContract,
+            functionName: this.currentFunction,
+            line,
+            endLine,
+            column,
+            sourceLocation: { line, column },
+            ruleId: RULE_ID,
+            pattern,
+            severity: SEVERITY,
+            confidence: CONFIDENCE,
+            category: 'vulnerability',
+            message,
+            findingId: '',
+            contractHash: '',
+        };
+    }
+    resetFunction() {
+        this.currentFunction = '';
+        this.currentFunctionNode = null;
+        this.currentFunctionVisibility = '';
+        this.currentFunctionHasBody = false;
+        this.currentFunctionHasAuthGuard = false;
+        this.fheCreatedLocals = new Set();
+        this.fheCreatedLocalPositions = new Map();
+        this.grantedHandles = new Map();
+        this.persistedHandles = [];
+    }
+    resetModifier() {
+        this.currentModifier = '';
+        this.currentModifierHasAuthGuard = false;
+    }
+}
+exports.FheHandleLeakageDetector = FheHandleLeakageDetector;
+function fheCallCreatesHandle(node) {
+    if (!(0, fhe_1.isFheNamespaceCall)(node))
+        return false;
+    if ((0, fhe_1.isFheAllowCall)(node) || (0, fhe_1.isFheAllowThisCall)(node) || (0, fhe_1.isFheDecryptCall)(node))
+        return false;
+    const memberName = String(node.expression?.memberName || '');
+    return !/^verify/i.test(memberName);
+}
+function stateVarName(node) {
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return node.name || '';
+    if ((0, ast_1.isNode)(node, 'MemberAccess') && (0, ast_1.isNode)(node.expression, 'Identifier') && node.expression.name === 'this') {
+        return node.memberName || '';
+    }
+    return '';
+}
+function createdHandleName(node) {
+    return (0, ast_1.isNode)(node, 'Identifier') ? (node.name || '') : '';
+}
+function handleName(node) {
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return node.name || '';
+    if ((0, ast_1.isNode)(node, 'MemberAccess') && (0, ast_1.isNode)(node.expression, 'Identifier') && node.expression.name === 'this') {
+        return node.memberName || '';
+    }
+    return '';
+}
+function isRequireOrAssertCall(node) {
+    const callee = node?.expression;
+    return (0, ast_1.isNode)(callee, 'Identifier') && (callee.name === 'require' || callee.name === 'assert');
+}
+function functionUsesKnownAuthModifier(node, authGuardModifiers) {
+    for (const modifier of node?.modifiers || []) {
+        const name = extractModifierName(modifier);
+        if (name && authGuardModifiers.has(name))
+            return true;
+    }
+    return false;
+}
+function extractModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name.name === 'string')
+        return modifier.name.name;
+    if (modifier.modifierName && typeof modifier.modifierName.name === 'string')
+        return modifier.modifierName.name;
+    return '';
+}
+function isFheAuthReference(name) {
+    return (0, access_control_1.isPrivilegedIdentifier)(name, {
+        keywords: ['owner', 'admin', 'role', 'guardian', 'operator', 'gateway', 'relayer', 'oracle', 'authority', 'authorized'],
+        mode: 'word-boundary',
+    });
+}
+function sourcePosition(node) {
+    if (Array.isArray(node?.range) && typeof node.range[0] === 'number') {
+        return node.range[0];
+    }
+    const loc = (0, ast_1.tryLoc)(node);
+    const line = loc?.line ?? 0;
+    const col = loc?.column ?? 0;
+    return line * 100000 + col;
+}
+const _fheHandleLeakageProto = FheHandleLeakageDetector.prototype;
+_fheHandleLeakageProto['ContractDefinition:exit'] = _fheHandleLeakageProto.ContractDefinition_post;
+_fheHandleLeakageProto['FunctionDefinition:exit'] = _fheHandleLeakageProto.FunctionDefinition_post;
+_fheHandleLeakageProto['ModifierDefinition:exit'] = _fheHandleLeakageProto.ModifierDefinition_post;
+//# sourceMappingURL=fhe-handle-leakage.js.map

package/dist/detectors/fhe-oz-pattern-misuse.d.ts

@@ -0,0 +1,26 @@
+import type { ScanResult } from '../index';
+export declare class FheOzPatternMisuseDetector {
+    readonly id = "fhe-oz-pattern-misuse";
+    readonly patternKey = "fhe-oz-pattern-misuse";
+    readonly supportedAstKinds: "parser"[];
+    readonly enabledByDefault = false;
+    private findings;
+    private currentFile;
+    private contract;
+    private fn;
+    private localNonAliasFheNames;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    StructDefinition(node: any): void;
+    EnumDefinition(node: any): void;
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    FunctionCall(node: any): void;
+    Identifier(node: any): void;
+    BinaryOperation(node: any): void;
+    private checkOzGuardWithoutAllow;
+    private emitContractLevelFindings;
+    private makeFinding;
+}

package/dist/detectors/fhe-oz-pattern-misuse.js

@@ -0,0 +1,311 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FheOzPatternMisuseDetector = void 0;
+const access_control_1 = require("./_common/access-control");
+const ast_1 = require("./_common/ast");
+const fhe_1 = require("./_common/fhe");
+const RULE_ID = 'fhe-oz-pattern-misuse';
+const SEVERITY = 'high';
+const CONFIDENCE = 'medium';
+const PATTERN_UNINITIALIZED = `${RULE_ID}/uninitialized-fhe-proxy-state`;
+const PATTERN_GUARD_NO_ALLOW = `${RULE_ID}/oz-guard-without-allow`;
+const PATTERN_INIT_DECRYPT = `${RULE_ID}/initializer-decrypt-before-guard`;
+const INITIALIZER_MODIFIERS = new Set(['initializer', 'reinitializer', 'onlyinitializing']);
+const INITIALIZABLE_BASE_RE = /^_*Initializable(?:Upgradeable)?$/;
+const INITIALIZER_FUNCTION_RE = /^_*initialize(?:[a-zA-Z0-9_]*)?$|^__[a-zA-Z0-9]+_init(?:_unchained)?$/;
+const OZ_UPGRADEABLE_BASES = new Set([
+    'OwnableUpgradeable',
+    'AccessControlUpgradeable',
+    'ERC20Upgradeable',
+    'ERC721Upgradeable',
+    'ERC1155Upgradeable',
+    'UUPSUpgradeable',
+    'VaultUpgradeable',
+    'TimelockControllerUpgradeable',
+    'GovernorUpgradeable',
+    'PausableUpgradeable',
+    'ReentrancyGuardUpgradeable',
+    'PullPaymentUpgradeable',
+]);
+function isOzUpgradeableBaseName(name) {
+    if (INITIALIZABLE_BASE_RE.test(name))
+        return true;
+    if (OZ_UPGRADEABLE_BASES.has(name))
+        return true;
+    return false;
+}
+class FheOzPatternMisuseDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    enabledByDefault = false;
+    findings = [];
+    currentFile = '';
+    contract = null;
+    fn = null;
+    localNonAliasFheNames = new Set();
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.contract = null;
+        this.fn = null;
+        this.localNonAliasFheNames = new Set();
+    }
+    getFindings() {
+        return this.findings;
+    }
+    StructDefinition(node) {
+        if (node?.name)
+            this.localNonAliasFheNames.add(node.name);
+    }
+    EnumDefinition(node) {
+        if (node?.name)
+            this.localNonAliasFheNames.add(node.name);
+    }
+    ContractDefinition(node) {
+        if (node?.kind === 'interface' || node?.kind === 'library') {
+            this.contract = null;
+            return;
+        }
+        const cipherStateVars = new Set();
+        const cipherStateVarNodes = new Map();
+        for (const sub of node.subNodes || []) {
+            if ((sub?.type === 'StructDefinition' || sub?.type === 'EnumDefinition') && sub.name) {
+                this.localNonAliasFheNames.add(sub.name);
+            }
+        }
+        for (const sub of node.subNodes || []) {
+            if (sub?.type !== 'StateVariableDeclaration')
+                continue;
+            for (const variable of sub.variables || []) {
+                if (!variable?.name)
+                    continue;
+                if ((0, fhe_1.isFheCipherType)(typeNameToString(variable.typeName), undefined, this.localNonAliasFheNames)) {
+                    cipherStateVars.add(variable.name);
+                    cipherStateVarNodes.set(variable.name, variable);
+                }
+            }
+        }
+        let inheritsInitializable = false;
+        for (const base of node.baseContracts || []) {
+            const baseName = baseContractName(base);
+            if (baseName && isOzUpgradeableBaseName(baseName)) {
+                inheritsInitializable = true;
+                break;
+            }
+        }
+        this.contract = {
+            name: node.name || '',
+            cipherStateVars,
+            cipherStateVarNodes,
+            inheritsInitializable,
+            hasFheNamespaceUsage: false,
+            functions: [],
+            contractNode: node,
+        };
+    }
+    ContractDefinition_post(_node) {
+        if (!this.contract)
+            return;
+        this.emitContractLevelFindings(this.contract);
+        this.contract = null;
+    }
+    FunctionDefinition(node) {
+        if (!this.contract) {
+            this.fn = null;
+            return;
+        }
+        const name = node.isConstructor ? '<constructor>' : (node.name || '');
+        const modifierNames = (node.modifiers || []).map(extractModifierName).filter(Boolean);
+        const hasInitializerModifier = modifierNames.some((modifierName) => INITIALIZER_MODIFIERS.has(modifierName.toLowerCase()));
+        const hasAccessControlModifier = (0, access_control_1.hasRecognisedAccessControlModifier)(node);
+        const returnsCipherType = (node.returnParameters || []).some((param) => (0, fhe_1.isFheCipherType)(typeNameToString(param?.typeName), undefined, this.localNonAliasFheNames));
+        const visibility = String(node.visibility || '');
+        const mutability = String(node.stateMutability || '');
+        const isPublicOrExternalView = (visibility === 'public' || visibility === 'external') && mutability === 'view';
+        this.fn = {
+            node,
+            name,
+            hasInitializerModifier,
+            hasAccessControlModifier,
+            hasAllowCall: false,
+            decryptCallNodes: [],
+            assignedCipherStateVars: new Set(),
+            decryptedCipherStateVars: new Set(),
+            referencedCipherStateVars: new Set(),
+            returnsCipherType,
+            isPublicOrExternalView,
+        };
+        this.contract.functions.push(this.fn);
+    }
+    FunctionDefinition_post(_node) {
+        if (!this.contract || !this.fn) {
+            this.fn = null;
+            return;
+        }
+        this.checkOzGuardWithoutAllow(this.contract, this.fn);
+        this.fn = null;
+    }
+    FunctionCall(node) {
+        if (!this.contract)
+            return;
+        if ((0, fhe_1.isFheNamespaceCall)(node)) {
+            this.contract.hasFheNamespaceUsage = true;
+            if (this.fn) {
+                if ((0, fhe_1.isFheAllowCall)(node))
+                    this.fn.hasAllowCall = true;
+                else if ((0, fhe_1.isFheDecryptCall)(node)) {
+                    this.fn.decryptCallNodes.push(node);
+                    for (const stateVar of cipherStateArgs(node, this.contract.cipherStateVars)) {
+                        this.fn.decryptedCipherStateVars.add(stateVar);
+                    }
+                }
+            }
+        }
+    }
+    Identifier(node) {
+        if (!this.contract || !this.fn)
+            return;
+        if (this.contract.cipherStateVars.has(node.name)) {
+            this.fn.referencedCipherStateVars.add(node.name);
+        }
+    }
+    BinaryOperation(node) {
+        if (!this.contract || !this.fn)
+            return;
+        if (node.operator !== '=')
+            return;
+        const left = node.left;
+        if ((0, ast_1.isNode)(left, 'Identifier') && this.contract.cipherStateVars.has(left.name)) {
+            this.fn.assignedCipherStateVars.add(left.name);
+        }
+    }
+    checkOzGuardWithoutAllow(contract, fn) {
+        if (!fn.returnsCipherType)
+            return;
+        if (!fn.isPublicOrExternalView)
+            return;
+        if (!fn.hasAccessControlModifier)
+            return;
+        if (fn.hasAllowCall)
+            return;
+        this.findings.push(this.makeFinding(contract, fn.name, fn.node, PATTERN_GUARD_NO_ALLOW, `View function '${fn.name}' is guarded by an OpenZeppelin access-control modifier and returns an FHE ciphertext handle but never grants handle access via TFHE.allow/FHE.allow.`));
+    }
+    emitContractLevelFindings(contract) {
+        const hasInitializerFunction = contract.functions.some(fn => fn.hasInitializerModifier);
+        const hasInitScaffolding = contract.inheritsInitializable || hasInitializerFunction;
+        if (!contract.hasFheNamespaceUsage && contract.cipherStateVars.size === 0)
+            return;
+        if (contract.inheritsInitializable && hasInitializerFunction && contract.cipherStateVars.size > 0) {
+            const writtenByInitializer = new Set();
+            for (const fn of contract.functions) {
+                if (!fn.hasInitializerModifier)
+                    continue;
+                for (const stateVar of fn.assignedCipherStateVars)
+                    writtenByInitializer.add(stateVar);
+                for (const stateVar of fn.decryptedCipherStateVars)
+                    writtenByInitializer.add(stateVar);
+            }
+            for (const stateVar of contract.cipherStateVars) {
+                if (writtenByInitializer.has(stateVar))
+                    continue;
+                const varNode = contract.cipherStateVarNodes.get(stateVar);
+                this.findings.push(this.makeFinding(contract, '<contract>', varNode, PATTERN_UNINITIALIZED, `FHE ciphertext state variable '${stateVar}' is declared in an upgradeable contract but no 'initializer'/'reinitializer' function writes to it — the proxy will read an uninitialized ciphertext handle.`));
+            }
+        }
+        for (const fn of contract.functions) {
+            if (fn.hasInitializerModifier)
+                continue;
+            if (!hasInitScaffolding)
+                continue;
+            if (!INITIALIZER_FUNCTION_RE.test(fn.name))
+                continue;
+            if (fn.decryptCallNodes.length === 0)
+                continue;
+            const callNode = fn.decryptCallNodes[0];
+            this.findings.push(this.makeFinding(contract, fn.name, callNode, PATTERN_INIT_DECRYPT, `Initializer-shaped function '${fn.name}' calls TFHE.decrypt/FHE.decrypt without an 'initializer'/'reinitializer'/'onlyInitializing' modifier — the decrypt can run before or outside the once-only initialization guard.`));
+        }
+    }
+    makeFinding(contract, functionName, locationNode, pattern, message) {
+        const primaryLoc = (0, ast_1.tryLoc)(locationNode);
+        const line = primaryLoc?.line ?? (0, ast_1.tryLoc)(contract.contractNode)?.line ?? 1;
+        const column = primaryLoc?.column ?? 0;
+        const endLine = primaryLoc?.endLine ?? line;
+        return {
+            file: this.currentFile,
+            contract: contract.name,
+            function: functionName,
+            contractName: contract.name,
+            functionName,
+            line,
+            endLine,
+            column,
+            sourceLocation: { line, column },
+            ruleId: RULE_ID,
+            pattern,
+            severity: SEVERITY,
+            confidence: CONFIDENCE,
+            category: 'vulnerability',
+            message,
+            findingId: '',
+            contractHash: '',
+        };
+    }
+}
+exports.FheOzPatternMisuseDetector = FheOzPatternMisuseDetector;
+function typeNameToString(typeName) {
+    if (!typeName)
+        return '';
+    if (typeName.type === 'ElementaryTypeName')
+        return typeName.name || '';
+    if (typeName.type === 'UserDefinedTypeName')
+        return typeName.namePath || '';
+    if (typeName.type === 'ArrayTypeName')
+        return `${typeNameToString(typeName.baseTypeName)}[]`;
+    return '';
+}
+function baseContractName(base) {
+    if (!base)
+        return '';
+    const baseName = base.baseName || base;
+    if (typeof baseName === 'object') {
+        if (typeof baseName.namePath === 'string')
+            return baseName.namePath;
+        if (typeof baseName.name === 'string')
+            return baseName.name;
+    }
+    return '';
+}
+function extractModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name.name === 'string')
+        return modifier.name.name;
+    if (modifier.modifierName && typeof modifier.modifierName.name === 'string')
+        return modifier.modifierName.name;
+    return '';
+}
+function cipherStateArgs(call, cipherStateVars) {
+    const args = call?.arguments || [];
+    const stateVars = [];
+    for (const arg of args) {
+        if ((0, ast_1.isNode)(arg, 'Identifier') && cipherStateVars.has(arg.name)) {
+            stateVars.push(arg.name);
+        }
+    }
+    return stateVars;
+}
+// Alias `_post` handlers to `:exit` so that `parser.visit` (which only fires
+// `<Type>:exit`) reaches the contract- and function-level finalisers. Without
+// this, the contract-level patterns (`uninitialized-fhe-proxy-state`,
+// `initializer-decrypt-before-guard`) would never emit on parser ASTs because
+// `ContractDefinition_post` is the only place that walks the collected
+// per-contract state.
+const _fheOzPatternMisuseProto = FheOzPatternMisuseDetector.prototype;
+_fheOzPatternMisuseProto['ContractDefinition:exit'] = _fheOzPatternMisuseProto.ContractDefinition_post;
+_fheOzPatternMisuseProto['FunctionDefinition:exit'] = _fheOzPatternMisuseProto.FunctionDefinition_post;
+//# sourceMappingURL=fhe-oz-pattern-misuse.js.map

package/dist/detectors/fhe-state-leakage.d.ts

@@ -0,0 +1,8 @@
+import type { ScanResult } from '../index';
+export declare class FheStateLeakageDetector {
+    readonly id = "fhe-state-leakage";
+    readonly patternKey = "fhe-state-leakage";
+    readonly supportedAstKinds: "parser"[];
+    readonly enabledByDefault = false;
+    scanAst(ast: any, file: string): ScanResult[];
+}