@snovon/solast 0.2.0

package/dist/rules/tiers.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Rule tier classification for SolAST detectors.
+ *
+ * Every registered detector MUST appear in this map with exactly one
+ * value of `"core"` or `"extended"`. The bidirectional tier-conformance
+ * contract enforces:
+ *   1. Every registered detector has a tier entry.
+ *   2. Every tier entry corresponds to a registered detector.
+ *   3. Every value is exactly `"core"` or `"extended"`.
+ *
+ * Classification criteria:
+ *   - `core`: stable, broadly applicable, high-confidence rules with strong
+ *     negative coverage and low expected false-positive rate.
+ *   - `extended`: niche, noisy, experimental, context-heavy, or recently
+ *     added rules.
+ *
+ * New detectors default to `"extended"` unless the PR explicitly justifies
+ * `"core"`. Promotion from extended to core requires a reviewed PR with
+ * justification against the criteria above.
+ *
+ * Rule ids are a public contract — do NOT encode tier into the rule id.
+ */
+export declare const ruleTiers: Record<string, "core" | "extended">;

package/dist/rules/tiers.js

@@ -0,0 +1,341 @@
+"use strict";
+/**
+ * Rule tier classification for SolAST detectors.
+ *
+ * Every registered detector MUST appear in this map with exactly one
+ * value of `"core"` or `"extended"`. The bidirectional tier-conformance
+ * contract enforces:
+ *   1. Every registered detector has a tier entry.
+ *   2. Every tier entry corresponds to a registered detector.
+ *   3. Every value is exactly `"core"` or `"extended"`.
+ *
+ * Classification criteria:
+ *   - `core`: stable, broadly applicable, high-confidence rules with strong
+ *     negative coverage and low expected false-positive rate.
+ *   - `extended`: niche, noisy, experimental, context-heavy, or recently
+ *     added rules.
+ *
+ * New detectors default to `"extended"` unless the PR explicitly justifies
+ * `"core"`. Promotion from extended to core requires a reviewed PR with
+ * justification against the criteria above.
+ *
+ * Rule ids are a public contract — do NOT encode tier into the rule id.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ruleTiers = void 0;
+exports.ruleTiers = {
+    "avs-slashing-without-quorum-check": "extended",
+    "cross-chain-input-validation": "extended",
+    "force-fed-eth-state-corruption": "extended",
+    "missing-zk-proof-verification": "extended",
+    "mint-hardcoded-asset-parity": "extended",
+    "parameter-access-control": "extended",
+    "permissionless-claim-amm-spot-pricing": "extended",
+    "unprotected-admin-or-fund-sink": "extended",
+    "balancer-flash-loan-manipulation": "extended",
+    "balancer-pause-guard": "extended",
+    "balancer-weighted-pool-flash-loan": "core",
+    "bytecode-divergence-risk": "extended",
+    "inheritance-override": "core",
+    "solhint-unchecked-low-level-call": "core",
+    "aave-v2-reentrancy": "extended",
+    "amm-spot-oracle-manipulation": "extended",
+    "access-control": "extended",
+    "add-reentrancy-on-weth-contract": "extended",
+    "ai-generated-randomness": "extended",
+    "insecure-randomness": "core",
+    "weak-random-mint": "extended",
+    "analyzing-the-uniswap-v3-exploit": "extended",
+    "any-token-is-destroyed": "extended",
+    "anyswap-insufficient-token-validation": "extended",
+    "anyswap-anytoken-permit-allowance-drain": "extended",
+    "approval-based-drain": "extended",
+    "arbitrum-cross-chain-message-replay": "extended",
+    "arbitrary-call": "extended",
+    "arbitrary-transfer-from": "core",
+    "arbitrary-address-spoofing": "extended",
+    "arbitrary-address-spoofing-attack": "extended",
+    "arbitrary-delegatecall-target": "core",
+    "arbitrary-recipient-no-access-control": "extended",
+    "bad-randomness-zero-blockhash": "core",
+    "calldata-secret-access-control": "extended",
+    "bad-debt-propagation": "extended",
+    "bad-k-value-verification": "extended",
+    "v2-error-k-value-attack": "extended",
+    "v2-k-invariant-bypass": "extended",
+    "batch-transfer-overflow": "extended",
+    "beneficiary-validation": "extended",
+    "borrow-behalf-consent": "extended",
+    "break-continue-scope": "extended",
+    "bridge-accounting-bypass": "extended",
+    "bridge-collateral-drain": "extended",
+    "bridge-forged-proof": "extended",
+    "arbitrary-storage-proof-forgery": "extended",
+    "bridge-business-logic-flaw-incorrect-acc": "extended",
+    "bridge-swap-metapool-attack": "extended",
+    "bypassed-insolvency-check": "extended",
+    "business-logic-flaw-flashloan-price-mani": "extended",
+    "business-logic-flaw": "extended",
+    "business-logic-flaw-incorrect-recipient-balance": "extended",
+    "capital-cross-contract-reentrancy": "extended",
+    "cache-storage-reads": "extended",
+    "cartel-custom-approval-logic": "extended",
+    "cache-array-length": "extended",
+    "chain-coupling-risk": "extended",
+    "ccip-receiver-missing-replay-guard": "extended",
+    "coinbase-morpho-wethloan-policy": "extended",
+    "chainlink-deprecated-function": "extended",
+    "chainlink-tx-origin": "extended",
+    "check-effects-interactions": "extended",
+    "classic-reentrancy": "extended",
+    "compoundv2-inflation-attack": "extended",
+    "constructor-interface-no-address-validation": "extended",
+    "constructor-address-validation": "core",
+    "cross-chain-arbitrary-call": "extended",
+    "cross-contract-reentrancy": "extended",
+    "cross-chain-intent-replay": "extended",
+    "cross-chain-intent-stale-resolution": "extended",
+    "cross-chain-message-order-dependency": "extended",
+    "cross-chain-message-replay": "extended",
+    "cross-chain-messaging": "extended",
+    "cross-chain-msg-truncation": "extended",
+    "cross-chain-truncation": "extended",
+    "cross-contract-reentrancy-trusted-callee": "extended",
+    "cross-function-reentrancy": "extended",
+    "cross-protocol-contagion": "extended",
+    "quote-silent-zero": "extended",
+    "cross-protocol-oracle-collateral": "extended",
+    "cross-vm-reentrancy": "extended",
+    "unguarded-governance-executor": "extended",
+    "decimals-mismatch": "extended",
+    "delegate-transfer-unrestricted-caller": "extended",
+    "deflationary-token": "extended",
+    "delegatecall-in-loops": "extended",
+    "delegatecall-init": "extended",
+    "delegatecall-untrusted-implementation": "extended",
+    "delegated-authorization-bypass": "extended",
+    "denial-of-service": "extended",
+    "dos-unbounded-loop-external-call-revert": "extended",
+    "dn404-mirror-access-control": "extended",
+    "division-before-multiplication": "extended",
+    "doge-flashloan": "extended",
+    "donate-inflation-exchangerate-roundin": "extended",
+    "donation-share-inflation": "extended",
+    "dont-let-eth-get-rekt": "extended",
+    "eip712-domain-separator": "extended",
+    "eip712-signature-verification": "extended",
+    "eip1167-proxy-reentrancy": "extended",
+    "eip5792-auth-replay": "extended",
+    "eip7702-delegation-reentrancy": "extended",
+    "eip7702-delegation-risk": "extended",
+    "eip7702-eoa-assumption": "extended",
+    "eip7702-auth-replay": "extended",
+    "eip7702-delegated-eoa-approval-race": "extended",
+    "eip7702-cross-chain-replay": "extended",
+    "erc20-safe-wrapper-return-unchecked": "extended",
+    "intent-settlement-balance-manipulation": "extended",
+    "erc2771-context-spoofing": "core",
+    "fee-on-transfer-balance-mismatch": "extended",
+    "fee-mechanism-exploitation": "extended",
+    "erc1155-batch-missing-per-id-approval": "core",
+    "erc6909-balance-overflow": "extended",
+    "erc6909-operator-scope": "extended",
+    "erc721-unchecked-transfer": "extended",
+    "erc7683-fill-validation": "extended",
+    "erc7683-intent-resolution": "extended",
+    "erc777-callback-reentrancy": "extended",
+    "erc777-reentrancy": "extended",
+    "erc1155-reentrancy": "extended",
+    "erc777-tokens-to-send-reentrancy": "extended",
+    "permit-future-dated-deadline": "extended",
+    "estuary-token-flaw": "extended",
+    "euler-debt-token-manipulation": "extended",
+    "exploiting-a-vulnerability-in-curve-fina": "extended",
+    "farm-business-logic-flaw-lack-of-access": "extended",
+    "fallback-delegatecall-reentrancy": "extended",
+    "delegatecall-fallback-reentrancy-bypass": "extended",
+    "transfer-double-debit-pool-recipient": "extended",
+    "fhe-encrypted-input-validation": "extended",
+    "fhe-handle-leakage": "extended",
+    "logic-flaw": "extended",
+    "reflection-token-balance-desync": "extended",
+    "simpleswap-unverified-approval": "extended",
+    "manipulation-of-funds": "extended",
+    "fhe-oz-pattern-misuse": "extended",
+    "fhe-state-leakage": "extended",
+    "fi-bridges": "extended",
+    "finance-access-control-price-oracle-man": "extended",
+    "finance-bridge-address0safetransferfrom": "extended",
+    "finance-business-logic-in-mint": "extended",
+    "finance-erc667-reentrancy": "extended",
+    "finance-flashloan-price-oracle-manipul": "extended",
+    "finance-flashloan-reentrancy": "extended",
+    "finance-swap-metapool-attack": "extended",
+    "flashloan-price-manipulation": "extended",
+    "bridge-missing-message-nonce": "extended",
+    "flashloan-reentrancy": "extended",
+    "flashloan-token-migrate": "extended",
+    "fusion-v1-settlement-arbitrary-yul-calld": "extended",
+    "free-mint-bug": "core",
+    "arbitrary-account-balance-transfer": "extended",
+    "front-running-shared-collateral-write": "extended",
+    "generalized-frontrunning": "extended",
+    "front-running-orderbook-state-update": "extended",
+    "governance-flash-loan": "core",
+    "governance-flashloan-vote": "extended",
+    "incorrect-access-control": "core",
+    "incorrect-burn-accounting": "extended",
+    "incorrect-dividends": "extended",
+    "incorrect-dividends-calculation": "extended",
+    "incorrect-input-validation": "extended",
+    "infinite-loop": "extended",
+    "infinite-number-of-loans": "extended",
+    "initialization-access-control": "extended",
+    "integer-overflow": "extended",
+    "cross-contract-integer-overflow": "extended",
+    "integer-overflow-underflow": "extended",
+    "integer-underflow": "extended",
+    "insufficient-dvn-threshold": "extended",
+    "insufficient-access-control-trusted-param": "core",
+    "layerzero-dvn-quorum-missing": "extended",
+    "l1-to-l2-message-reentrancy": "extended",
+    "l2-withdrawal-validation": "extended",
+    "lack-of-access-control": "extended",
+    "lack-of-calldata-validation": "extended",
+    "lack-of-validation-data": "extended",
+    "lack-of-input-validation-reentrancy": "extended",
+    "lack-of-slippage-control": "extended",
+    "lack-of-slippage-protection": "extended",
+    "lack-of-validation": "extended",
+    "lack-of-validation-pool": "extended",
+    "lack-of-validation-userdata": "extended",
+    "layerzero-v2-unverified-origin": "extended",
+    "liquidation-gain-manipulation": "extended",
+    "liquidation-accounting-desync": "extended",
+    "liquidation-price-rounding-advantage": "extended",
+    "liquidity-poisoning": "extended",
+    "loans-malicious-proposal-price-oracle": "extended",
+    "mev-boost-timestamp": "extended",
+    "mev-merge-exploit": "extended",
+    "mevbot-insufficient-validation": "extended",
+    "mev-sandwich-vulnerability": "extended",
+    "mev-slot-manipulation": "extended",
+    "merkl-unsafe-claim-callback": "extended",
+    "migration-rebalance-without-bound": "extended",
+    "miscalculation-on-spendallowance": "extended",
+    "misconfiguration": "extended",
+    "missing-access-control": "extended",
+    "missing-swap-deadline-slippage": "extended",
+    "unprotected-dex-swap": "core",
+    "unprotected-pair-initializer": "extended",
+    "missing-storage-gap": "extended",
+    "missing-sequencer-uptime-check": "extended",
+    "receipt-redemption-missing-validation": "extended",
+    "my-experience-with-yearn-finance": "extended",
+    "network-bridge": "extended",
+    "network-bridge-ronin": "extended",
+    "network-underflow": "extended",
+    "nft-denial-of-service": "extended",
+    "nft-marketplace-order-reentrancy": "extended",
+    "reentrancy-on-sell-nft": "extended",
+    "nft-token-standard-access-control": "extended",
+    "oracle-manipulation": "extended",
+    "oracle-manipulation-amm-spot-price": "extended",
+    "oracle-manipulation-liquidity-withdrawal": "core",
+    "oracle-vortex-manipulation": "extended",
+    "overpriced-asset-in-oracle": "core",
+    "oz-access-control-roles": "extended",
+    "oracle-staleness": "extended",
+    "oracle/price-feed-verification": "extended",
+    "parameter-manipulation": "extended",
+    "pair-manipulation-transfer-hook": "extended",
+    "parity-multisig-delegatecall": "extended",
+    "post-insolvency-check": "extended",
+    "phishing-attack-bybit": "extended",
+    "precision-loss-vulnerability": "extended",
+    "precision-truncation": "extended",
+    "price-dependency-veth": "extended",
+    "vulnerable-price-dependency": "extended",
+    "price-oracle-manipulation": "extended",
+    "price-manipulation-reentrancy": "extended",
+    "price-manipulation-via-reentranc": "extended",
+    "protocol-reentrancy": "extended",
+    "proxy-init-race": "extended",
+    "proxy-storage-slot-collision": "extended",
+    "public-internal-function": "extended",
+    "read-only-reentrancy": "extended",
+    "reentrancy-balance": "extended",
+    "reentrancy-business-logic-game": "extended",
+    "rollup-unvalidated-state-update": "extended",
+    "s-horizon-bridge-private-key-compromis": "extended",
+    "share-price-manipulation": "extended",
+    "signature-replay": "extended",
+    "skim-token-balance": "extended",
+    "single-spot-oracle-collateral-valuation": "extended",
+    "sky-oft-governance-payload": "extended",
+    "sky-oft-governance-truncation": "extended",
+    "solana-evm-bridge-truncation": "extended",
+    "stablecoin-pair-spot-oracle": "extended",
+    "staked-rate-as-oracle": "extended",
+    "starkware-proof-validation-gap": "extended",
+    "steth-transfer-reentrancy": "extended",
+    "storage-collision-malicious-proposal": "extended",
+    "timestamp-manipulation": "extended",
+    "token-access-control": "extended",
+    "token-transfer-logic-flaw": "extended",
+    "wrong-function-visibility": "extended",
+    "treasury-reentrancy": "extended",
+    "deferred-state-update": "extended",
+    "tstore-poison": "extended",
+    "tstore-race-condition": "extended",
+    "unauthorized-payer-transferfrom": "extended",
+    "unauthorized-transferfrom": "extended",
+    "unbound-zk-verifier-input": "extended",
+    "unbounded-share-price-collateral-oracle": "extended",
+    "unvalidated-interface-address": "extended",
+    "uncapped-reward-emission": "extended",
+    "unchecked-external-call": "extended",
+    "unchecked-external-call-unconditional-state-mutation": "extended",
+    "unchecked-call-forwarding": "extended",
+    "unchecked-oft-return": "extended",
+    "erc4626-totalassets-stub": "extended",
+    "eip4626-vault-reentrancy": "extended",
+    "erc20-unchecked-non-standard-return": "extended",
+    "erc7579-module-install-without-threshold": "extended",
+    "erc4337-validation-storage-access": "extended",
+    "erc2612-permit-frontrunning": "extended",
+    "check-permit-missing-chainid": "extended",
+    "incorrect-signature-verification": "extended",
+    "token-incorrect-signature-verification": "extended",
+    "erc1271-stub-implementation": "extended",
+    "unguarded-governance-execution": "extended",
+    "unindexed-event-address": "extended",
+    "uninitialized-implementation": "extended",
+    "uninitialized-storage-pointer": "extended",
+    "uniswap-skim-token-balance-attack": "extended",
+    "unprotected-initializer": "extended",
+    "unprotected-upgrade-function": "extended",
+    "unreachable-code-0.8.28": "extended",
+    "unsafe-proxy-storage": "extended",
+    "unsafe-transient-storage": "extended",
+    "unsafe-tx-origin": "extended",
+    "unsigned-validity-window": "extended",
+    "user-controlled-arbitrary-call": "extended",
+    "uups-uninitialized-storage": "extended",
+    "v4-hook-reentrancy": "extended",
+    "v4-hook-state-manipulation": "extended",
+    "vault-inflation-rounding": "extended",
+    "vault-share-price-manipulation": "extended",
+    "yearn-vault-v2-share-price-manipulation": "extended",
+    "vortex-interaction-guard": "extended",
+    "withdraw-be-to-withdraw": "extended",
+    "wrong-price-calculation": "extended",
+    "zero-fee": "extended",
+    "zetachain-gateway-hack-analysis": "extended",
+    "zk-rollup-da-gap": "extended",
+    "zksync-batch-validation": "extended",
+    "zksync-era-rollup-state-update": "extended",
+    "zksync-simulation-drift": "extended",
+    "vortex-protocol-reentrancy-guard": "extended",
+};
+//# sourceMappingURL=tiers.js.map

package/dist/scan-worker.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/scan-worker.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * Worker entry point for `scanFilesParallel`.
+ *
+ * Spawned via `new Worker(__dirname + '/scan-worker.js', { workerData })`
+ * from `src/parallel-scan.ts`. Each worker:
+ *
+ *   1. Loads the solast programmatic API (`scanFiles` from
+ *      `./index`). The first import is the heavy part — building the
+ *      detector registry walks ~100+ class prototypes — so the parent
+ *      hands a worker a *batch* of files (not one file at a time) to
+ *      amortise the import cost.
+ *   2. Listens for `{ type: 'scan', files }` messages, runs the sync
+ *      scan, and posts back `{ type: 'result', findings }` /
+ *      `{ type: 'error', message, stack }`.
+ *   3. Exits cleanly when the parent posts `{ type: 'shutdown' }`.
+ *
+ * Worker isolation: each Worker is its own V8 isolate, so detector
+ * state never leaks across the boundary. The cost is that registry
+ * setup happens once per worker rather than once per scan; with the
+ * batched protocol the parent uses below this is paid at most once
+ * per worker per parallel run.
+ */
+const worker_threads_1 = require("worker_threads");
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const { scanFiles } = require('./index');
+if (!worker_threads_1.parentPort) {
+    throw new Error('scan-worker started without a parent port');
+}
+const port = worker_threads_1.parentPort;
+const init = worker_threads_1.workerData;
+const options = init?.options ?? {};
+port.on('message', (msg) => {
+    if (msg.type === 'shutdown') {
+        port.close();
+        return;
+    }
+    if (msg.type !== 'scan')
+        return;
+    let findings;
+    try {
+        findings = scanFiles(msg.files, options);
+    }
+    catch (e) {
+        port.postMessage({
+            type: 'error',
+            batchId: msg.batchId,
+            message: e instanceof Error ? e.message : String(e),
+            stack: e instanceof Error ? e.stack : undefined,
+        });
+        return;
+    }
+    port.postMessage({
+        type: 'result',
+        batchId: msg.batchId,
+        findings,
+        sourceSuppressionDiagnostics: findings._sourceSuppressionDiagnostics ?? [],
+    });
+});
+//# sourceMappingURL=scan-worker.js.map

package/dist/scan.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Scan orchestration. Extracted from `src/index.ts` per roadmap item
+ * 1.1 slice 6/N. Public API surface is unchanged — `src/index.ts`
+ * re-exports `scanFiles`, `scanAst`, and `discoverFiles` so external
+ * consumers (the CLI, downstream packages) continue to see them at
+ * the same path.
+ *
+ * `scanFiles` orchestrates the per-file scan loop: read source, parse
+ * AST, run the registry, stamp finding metadata via the hashing
+ * primitives, optionally dedup. `scanAst` is the AST-already-parsed
+ * entry point on the programmatic API. `discoverFiles`
+ * walks an input path or list and produces a sorted, deduplicated
+ * list of `.sol` files.
+ */
+import type { ScanResult, ScanOptions } from './api';
+export declare class SolidityParseError extends Error {
+    readonly unsupportedVersionHint: boolean;
+    constructor(message: string, unsupportedVersionHint?: boolean);
+}
+export declare function discoverFiles(inputPaths: string | string[]): string[];
+export declare function scanFiles(files: string[], options?: ScanOptions): ScanResult[];
+export declare function parseSolidityContent(content: string): any;
+export declare function validateSolidityParseResult(ast: any): any;
+export declare function scanAst(ast: any, file?: string, sourceText?: string, options?: ScanOptions): ScanResult[];