@snovon/solast 0.2.0

package/dist/detectors/bridge-forged-proof.js

@@ -0,0 +1,754 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BridgeForgedProofDetector = void 0;
+const RULE_ID = 'bridge-forged-proof';
+const PAT_CALLER_CONTROLLED_ROOT = `${RULE_ID}/caller-controlled-root`;
+const PAT_UNTRUSTED_HEADER_ROOT = `${RULE_ID}/untrusted-header-root`;
+const PAT_MISSING_HEADER_AUTH = `${RULE_ID}/missing-header-authenticity`;
+const PAT_UNAUTH_OPTIMISTIC = `${RULE_ID}/unauthenticated-optimistic-root`;
+const PAT_UNTRUSTED_BLOCKHASH = `${RULE_ID}/untrusted-blockhash`;
+const SOURCE = 'x-2026-05-04-polygon-bridge-forged-proof';
+const BRIDGE_WITHDRAWAL_NAME = /(withdraw|release|unlock|redeem|exit|claim|mint|finaliz|execute|prove)/i;
+const PROOF_PARAM_RE = /^(.*proof.*|.*header.*|.*root.*|.*receipt.*|.*log.*|.*blockhash.*|.*block_hash.*)$/i;
+const HEADER_PARAM_RE = /header/i;
+const BLOCKHASH_PARAM_RE = /^block.*hash$|^blockhash$/i;
+const ROOT_PARAM_RE = /root$/i;
+const ROOT_MEMBER_RE = /^(root|receipts?Root|txRoot|transactionsRoot|stateRoot|blockHash)$/i;
+const HEADER_MEMBER_RE = /header|block/i;
+const TX_RE = /tx/i;
+const VERIFY_NAME_RE = /^_?verify/i;
+const PROPOSER_NAME_RE = /^propose/i;
+const ACCESS_CONTROL_MODIFIER = /^(only|require|restricted)/i;
+const ACCESS_CONTROL_MODIFIER_NAMES = new Set([
+    'onlyowner', 'onlyowners', 'onlyrole', 'onlyadmin', 'onlyauthorized',
+    'authorized', 'auth', 'onlyoperator', 'onlyoperators', 'onlyprotocol',
+    'onlygovernance', 'onlygovernor', 'onlyguardian', 'onlymanager',
+    'onlytrusted', 'onlytimelock', 'onlyrelayer', 'onlybridge', 'onlysigner',
+    'onlysigners', 'onlyproposer', 'onlyproposers', 'onlycommittee',
+]);
+class BridgeForgedProofDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        for (const contract of collectContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            const stateMappingNames = collectStateMappingNames(contract);
+            const stateVariableNames = collectStateVariableNames(contract);
+            const proposerInfo = collectProposers(contract);
+            const contractName = getName(contract) || '<anonymous>';
+            for (const fn of getContractFunctions(contract)) {
+                if (!isExternallyReachable(fn))
+                    continue;
+                const body = getFunctionBody(fn);
+                if (!body)
+                    continue;
+                const fnName = getName(fn) || '';
+                if (!fnName || !BRIDGE_WITHDRAWAL_NAME.test(fnName))
+                    continue;
+                const params = getParameters(fn)
+                    .map(p => ({ name: getName(p), node: p }))
+                    .filter(p => !!p.name);
+                if (params.length === 0)
+                    continue;
+                const proofLikeParams = params.filter(p => PROOF_PARAM_RE.test(p.name));
+                if (proofLikeParams.length === 0)
+                    continue;
+                const paramNames = new Set(params.map(p => p.name));
+                const headerParams = new Set(params.filter(p => HEADER_PARAM_RE.test(p.name)).map(p => p.name));
+                const blockHashParams = new Set(params.filter(p => BLOCKHASH_PARAM_RE.test(p.name)).map(p => p.name));
+                const rootParams = new Set(params.filter(p => ROOT_PARAM_RE.test(p.name)).map(p => p.name));
+                const verifyCalls = collectVerifyCalls(body);
+                if (verifyCalls.length === 0)
+                    continue;
+                const verifyCall = verifyCalls[0];
+                const calleeName = getCalleeName(verifyCall);
+                const args = getCallArguments(verifyCall);
+                const rootArg = args[1];
+                if (!rootArg)
+                    continue;
+                const localAssignments = collectLocalAssignments(body);
+                const rootClassification = classifyRoot(rootArg, paramNames, stateMappingNames, stateVariableNames, localAssignments, headerParams);
+                if (rootClassification.kind === 'state')
+                    continue;
+                if (rootClassification.kind === 'unknown')
+                    continue;
+                if (rootClassification.kind === 'function-call')
+                    continue;
+                const consensusBoundParams = new Set();
+                for (const h of headerParams)
+                    consensusBoundParams.add(h);
+                for (const b of blockHashParams)
+                    consensusBoundParams.add(b);
+                if (rootClassification.kind === 'param' && rootClassification.paramName) {
+                    consensusBoundParams.add(rootClassification.paramName);
+                }
+                if (hasTrustedSourceCheck(body, stateMappingNames, consensusBoundParams))
+                    continue;
+                const blockHashCheckPresent = headerParams.size > 0 && blockHashParams.size > 0 &&
+                    hasUntrustedBlockHashCheck(body, headerParams, blockHashParams);
+                const optimisticPresent = rootClassification.kind === 'param' &&
+                    rootClassification.paramName !== undefined &&
+                    rootParams.has(rootClassification.paramName) &&
+                    hasOptimisticDelayCheck(body, stateMappingNames, paramNames) &&
+                    hasUnauthenticatedProposer(proposerInfo);
+                let pattern;
+                if (blockHashCheckPresent) {
+                    pattern = PAT_UNTRUSTED_BLOCKHASH;
+                }
+                else if (optimisticPresent) {
+                    pattern = PAT_UNAUTH_OPTIMISTIC;
+                }
+                else if (rootClassification.kind === 'header-derived') {
+                    pattern = PAT_UNTRUSTED_HEADER_ROOT;
+                }
+                else if (TX_RE.test(calleeName) && headerParams.size === 0) {
+                    pattern = PAT_MISSING_HEADER_AUTH;
+                }
+                else if (rootClassification.kind === 'param') {
+                    pattern = PAT_CALLER_CONTROLLED_ROOT;
+                }
+                else {
+                    continue;
+                }
+                const loc = getLoc(verifyCall, lineOffsets) || getLoc(fn, lineOffsets) || { line: 0, column: 0 };
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': fnName,
+                    line: loc.line,
+                    endLine: loc.line,
+                    column: loc.column,
+                    pattern,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'critical',
+                    message: messageFor(pattern, contractName, fnName),
+                    rationale: rationaleFor(pattern),
+                    suggestedFix: remediationFor(pattern),
+                    contractName,
+                    functionName: fnName,
+                    sourceLocation: { line: loc.line, column: loc.column },
+                    findingId: '',
+                    contractHash: '',
+                    source: SOURCE,
+                    provenance: SOURCE,
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.BridgeForgedProofDetector = BridgeForgedProofDetector;
+function messageFor(pattern, contractName, fnName) {
+    switch (pattern) {
+        case PAT_CALLER_CONTROLLED_ROOT:
+            return `Bridge withdrawal in '${contractName}.${fnName}' verifies a Merkle proof against a caller-supplied root without binding it to a trusted checkpoint or block header.`;
+        case PAT_UNTRUSTED_HEADER_ROOT:
+            return `Bridge withdrawal in '${contractName}.${fnName}' derives the proof root from a caller-supplied block header without authenticating the header against trusted consensus.`;
+        case PAT_MISSING_HEADER_AUTH:
+            return `Bridge withdrawal in '${contractName}.${fnName}' validates a transaction or log proof but never anchors the underlying root to an authenticated block header.`;
+        case PAT_UNAUTH_OPTIMISTIC:
+            return `Bridge withdrawal in '${contractName}.${fnName}' relies on an optimistic delay against a root proposed by an unauthenticated function, leaving consensus binding to time alone.`;
+        case PAT_UNTRUSTED_BLOCKHASH:
+            return `Bridge withdrawal in '${contractName}.${fnName}' compares a caller-supplied block hash with a hash of caller-supplied header bytes — both inputs are attacker-controlled.`;
+    }
+    return `Bridge withdrawal in '${contractName}.${fnName}' is missing required proof verification controls.`;
+}
+function rationaleFor(pattern) {
+    switch (pattern) {
+        case PAT_CALLER_CONTROLLED_ROOT:
+            return 'Mirrors the Polygon bridge forged-proof shape: any caller can pass an arbitrary Merkle root and a self-consistent proof of an unrelated leaf, bypassing source-chain consensus and unlocking funds.';
+        case PAT_UNTRUSTED_HEADER_ROOT:
+            return 'Computing the proof root from a caller-supplied header without checking the header is anchored on chain lets an attacker forge a header that recovers any root they choose.';
+        case PAT_MISSING_HEADER_AUTH:
+            return 'Transaction- or log-style proofs must terminate at a root carried by an authenticated block header. Without that anchor, attackers can fabricate proofs against fictional roots.';
+        case PAT_UNAUTH_OPTIMISTIC:
+            return 'Optimistic finality requires the proposer to be a trusted relayer or staked actor. When any address can call propose-root and the only check is a delay, the delay only changes when the forged proof unlocks, not whether it does.';
+        case PAT_UNTRUSTED_BLOCKHASH:
+            return 'Hashing a caller-supplied header and comparing it against a caller-supplied block hash is self-consistent for any input; the bridge has not bound the header to authenticated consensus.';
+    }
+    return 'Bridge withdrawal accepts externally supplied proof data without binding it to authenticated source-chain consensus.';
+}
+function remediationFor(pattern) {
+    switch (pattern) {
+        case PAT_CALLER_CONTROLLED_ROOT:
+            return 'Constrain the proof root to a trusted set: `require(trustedRoots[root], ...)` against a mapping populated only by an access-controlled relayer or signer-set.';
+        case PAT_UNTRUSTED_HEADER_ROOT:
+            return 'Require `validHeaderHash[keccak256(header)]` (or equivalent canonical-header check) before deriving any root from the header bytes.';
+        case PAT_MISSING_HEADER_AUTH:
+            return 'Bind the transaction/log proof to a block-header-authenticated receipt or transaction root before accepting it for withdrawal.';
+        case PAT_UNAUTH_OPTIMISTIC:
+            return 'Restrict the proposer to a vetted relayer set (modifier or signature threshold), and treat the delay only as a fraud-proof window, not as the source of authenticity.';
+        case PAT_UNTRUSTED_BLOCKHASH:
+            return 'Either accept only `blockhash(n)` from an authenticated relayer-supplied checkpoint, or require `validHeaderHash[blockHash]` against trusted storage; do not compare two caller-controlled values.';
+    }
+    return 'Bind every withdrawal proof to a trusted, access-controlled source of source-chain consensus before releasing funds.';
+}
+function collectVerifyCalls(body) {
+    const out = [];
+    walk(body, node => {
+        if (!isNode(node, 'FunctionCall'))
+            return;
+        const callee = unwrapCallOptions(getCallExpression(node));
+        if (isNode(callee, 'Identifier') && VERIFY_NAME_RE.test(String(callee.name || ''))) {
+            out.push(node);
+        }
+        else if (isNode(callee, 'MemberAccess') && VERIFY_NAME_RE.test(String(callee.memberName || ''))) {
+            out.push(node);
+        }
+    });
+    return out;
+}
+function getCalleeName(call) {
+    const callee = unwrapCallOptions(getCallExpression(call));
+    if (!callee)
+        return '';
+    if (isNode(callee, 'Identifier'))
+        return String(callee.name || '');
+    if (isNode(callee, 'MemberAccess'))
+        return String(callee.memberName || '');
+    return '';
+}
+function getCallExpression(call) {
+    return call?.expression ?? null;
+}
+function getCallArguments(call) {
+    if (Array.isArray(call?.arguments))
+        return call.arguments;
+    if (Array.isArray(call?.args))
+        return call.args;
+    return [];
+}
+function unwrapCallOptions(expr) {
+    let cur = expr;
+    while (cur && (isNode(cur, 'NameValueExpression') || isNode(cur, 'FunctionCallOptions'))) {
+        cur = cur.expression;
+    }
+    return cur;
+}
+function classifyRoot(expr, paramNames, stateMappingNames, stateVariableNames, localAssignments, headerParams) {
+    if (!expr)
+        return { kind: 'unknown' };
+    if (isNode(expr, 'Identifier')) {
+        const name = String(expr.name || '');
+        if (paramNames.has(name))
+            return { kind: 'param', paramName: name };
+        if (stateMappingNames.has(name))
+            return { kind: 'state' };
+        const assigns = localAssignments.get(name) || [];
+        for (const value of assigns) {
+            const sub = classifyRoot(value, paramNames, stateMappingNames, stateVariableNames, localAssignments, headerParams);
+            if (sub.kind === 'header-derived')
+                return sub;
+            if (sub.kind === 'state')
+                return sub;
+            if (sub.kind === 'param')
+                return sub;
+        }
+        if (assigns.length === 0) {
+            // Bare identifier that is neither param, state mapping, nor a tracked
+            // local — probably a state variable read of a non-mapping (e.g.,
+            // `bytes32 public allowlistRoot`). Treat as trusted storage.
+            return { kind: 'state' };
+        }
+        return { kind: 'unknown' };
+    }
+    if (isNode(expr, 'FunctionCall')) {
+        if (callContainsHeaderParam(expr, headerParams)) {
+            return { kind: 'header-derived' };
+        }
+        return { kind: 'function-call' };
+    }
+    if (isNode(expr, 'MemberAccess')) {
+        const memberName = String(expr.memberName || '');
+        const baseName = memberAccessBaseIdentifierName(expr);
+        if (baseName && paramNames.has(baseName)) {
+            if (!ROOT_MEMBER_RE.test(memberName))
+                return { kind: 'unknown' };
+            if (headerParams.has(baseName) || memberAccessLooksHeaderDerived(expr)) {
+                return { kind: 'header-derived' };
+            }
+            return { kind: 'param', paramName: baseName };
+        }
+        if (baseName && stateVariableNames.has(baseName))
+            return { kind: 'state' };
+        if (baseName && stateMappingNames.has(baseName))
+            return { kind: 'state' };
+    }
+    return { kind: 'unknown' };
+}
+function memberAccessBaseIdentifierName(expr) {
+    let cur = expr;
+    while (cur && isNode(cur, 'MemberAccess')) {
+        cur = cur.expression;
+    }
+    if (cur && isNode(cur, 'IndexAccess'))
+        return rootIdentifierName(cur);
+    if (cur && isNode(cur, 'Identifier'))
+        return String(cur.name || '');
+    return '';
+}
+function memberAccessLooksHeaderDerived(expr) {
+    let cur = expr;
+    while (cur && isNode(cur, 'MemberAccess')) {
+        if (HEADER_MEMBER_RE.test(String(cur.memberName || '')))
+            return true;
+        cur = cur.expression;
+    }
+    return false;
+}
+function callContainsHeaderParam(call, headerParams) {
+    if (headerParams.size === 0)
+        return false;
+    return walkAny(call, node => {
+        if (!isNode(node, 'Identifier'))
+            return false;
+        return headerParams.has(String(node.name || ''));
+    });
+}
+function collectLocalAssignments(body) {
+    const out = new Map();
+    walk(body, node => {
+        if (isNode(node, 'VariableDeclarationStatement')) {
+            const decls = Array.isArray(node.variables) ? node.variables :
+                Array.isArray(node.declarations) ? node.declarations : [];
+            const init = node.initialValue ?? node.initialvalue ?? null;
+            if (init && decls.length === 1 && decls[0]?.name) {
+                addAssignment(out, String(decls[0].name), init);
+            }
+            return;
+        }
+        if (isNode(node, 'BinaryOperation') && String(node.operator || '') === '=') {
+            const left = node.left ?? node.leftExpression ?? node.leftHandSide;
+            const right = node.right ?? node.rightExpression ?? node.rightHandSide;
+            if (isNode(left, 'Identifier') && right) {
+                addAssignment(out, String(left.name || ''), right);
+            }
+            return;
+        }
+        if (isNode(node, 'Assignment')) {
+            const left = node.leftHandSide ?? node.left;
+            const right = node.rightHandSide ?? node.right;
+            if (isNode(left, 'Identifier') && right) {
+                addAssignment(out, String(left.name || ''), right);
+            }
+        }
+    });
+    return out;
+}
+function addAssignment(map, name, value) {
+    if (!name)
+        return;
+    const prev = map.get(name);
+    if (prev)
+        prev.push(value);
+    else
+        map.set(name, [value]);
+}
+function hasTrustedSourceCheck(body, stateMappingNames, consensusBoundParams) {
+    if (consensusBoundParams.size === 0)
+        return false;
+    return walkAny(body, node => {
+        if (!isNode(node, 'FunctionCall'))
+            return false;
+        const callee = unwrapCallOptions(getCallExpression(node));
+        if (!isNode(callee, 'Identifier'))
+            return false;
+        const name = String(callee.name || '').toLowerCase();
+        if (name !== 'require' && name !== 'assert')
+            return false;
+        const args = getCallArguments(node);
+        const condition = args[0];
+        if (!condition)
+            return false;
+        if (containsBlockMember(condition))
+            return false;
+        return conditionLooksLikeTrustedMappingCheck(condition, stateMappingNames, consensusBoundParams);
+    });
+}
+function conditionLooksLikeTrustedMappingCheck(condition, stateMappingNames, consensusBoundParams) {
+    if (!condition)
+        return false;
+    if (isNode(condition, 'IndexAccess')) {
+        return isStateMappingIndexedByParam(condition, stateMappingNames, consensusBoundParams);
+    }
+    if (isNode(condition, 'BinaryOperation')) {
+        const op = String(condition.operator || '');
+        if (op === '&&' || op === '||') {
+            const left = condition.left ?? condition.leftExpression ?? condition.leftHandSide;
+            const right = condition.right ?? condition.rightExpression ?? condition.rightHandSide;
+            return conditionLooksLikeTrustedMappingCheck(left, stateMappingNames, consensusBoundParams) ||
+                conditionLooksLikeTrustedMappingCheck(right, stateMappingNames, consensusBoundParams);
+        }
+        return false;
+    }
+    // Negated mapping accesses such as `require(!processed[leaf])` are replay /
+    // consumed-message guards, not consensus bindings, so they must not suppress
+    // the forged-proof finding even when the mapping happens to be keyed by the
+    // root/header.
+    return false;
+}
+function isStateMappingIndexedByParam(indexAccess, stateMappingNames, paramNames) {
+    const baseName = rootIdentifierName(indexAccess);
+    if (!baseName || !stateMappingNames.has(baseName))
+        return false;
+    return indexExpressionReferencesParam(indexAccess, paramNames);
+}
+function indexExpressionReferencesParam(node, paramNames) {
+    return walkAny(node, n => {
+        if (!isNode(n, 'Identifier'))
+            return false;
+        return paramNames.has(String(n.name || ''));
+    });
+}
+function rootIdentifierName(node) {
+    let cur = node;
+    while (cur && isNode(cur, 'IndexAccess')) {
+        cur = cur.base ?? cur.baseExpression;
+    }
+    if (cur && isNode(cur, 'Identifier'))
+        return String(cur.name || '');
+    if (cur && isNode(cur, 'MemberAccess'))
+        return String(cur.memberName || '');
+    return '';
+}
+function containsBlockMember(expr) {
+    return walkAny(expr, node => {
+        if (!isNode(node, 'MemberAccess'))
+            return false;
+        const inner = node.expression;
+        if (!inner)
+            return false;
+        if (isNode(inner, 'Identifier') && String(inner.name || '') === 'block')
+            return true;
+        return false;
+    });
+}
+function hasUntrustedBlockHashCheck(body, headerParams, blockHashParams) {
+    return walkAny(body, node => {
+        if (!isNode(node, 'FunctionCall'))
+            return false;
+        const callee = unwrapCallOptions(getCallExpression(node));
+        if (!isNode(callee, 'Identifier'))
+            return false;
+        const name = String(callee.name || '').toLowerCase();
+        if (name !== 'require' && name !== 'assert')
+            return false;
+        const cond = getCallArguments(node)[0];
+        if (!cond || !isNode(cond, 'BinaryOperation'))
+            return false;
+        if (String(cond.operator || '') !== '==' && String(cond.operator || '') !== '!=')
+            return false;
+        const left = cond.left ?? cond.leftExpression ?? cond.leftHandSide;
+        const right = cond.right ?? cond.rightExpression ?? cond.rightHandSide;
+        return sidesMatchKeccakHeaderVsBlockHash(left, right, headerParams, blockHashParams) ||
+            sidesMatchKeccakHeaderVsBlockHash(right, left, headerParams, blockHashParams);
+    });
+}
+function sidesMatchKeccakHeaderVsBlockHash(hashSide, paramSide, headerParams, blockHashParams) {
+    if (!isFunctionCallNamed(hashSide, 'keccak256'))
+        return false;
+    const args = getCallArguments(hashSide);
+    const usesHeader = args.some(arg => isParamRefIn(arg, headerParams));
+    if (!usesHeader)
+        return false;
+    return isNode(paramSide, 'Identifier') && blockHashParams.has(String(paramSide.name || ''));
+}
+function isFunctionCallNamed(node, name) {
+    if (!isNode(node, 'FunctionCall'))
+        return false;
+    const callee = unwrapCallOptions(getCallExpression(node));
+    if (!callee)
+        return false;
+    if (isNode(callee, 'Identifier'))
+        return String(callee.name || '') === name;
+    return false;
+}
+function isParamRefIn(expr, params) {
+    if (!expr)
+        return false;
+    if (isNode(expr, 'Identifier'))
+        return params.has(String(expr.name || ''));
+    return walkAny(expr, n => isNode(n, 'Identifier') && params.has(String(n.name || '')));
+}
+function hasOptimisticDelayCheck(body, stateMappingNames, paramNames) {
+    return walkAny(body, node => {
+        if (!isNode(node, 'FunctionCall'))
+            return false;
+        const callee = unwrapCallOptions(getCallExpression(node));
+        if (!isNode(callee, 'Identifier'))
+            return false;
+        const name = String(callee.name || '').toLowerCase();
+        if (name !== 'require' && name !== 'assert')
+            return false;
+        const cond = getCallArguments(node)[0];
+        if (!cond)
+            return false;
+        if (!containsBlockMember(cond))
+            return false;
+        return walkAny(cond, n => {
+            if (!isNode(n, 'IndexAccess'))
+                return false;
+            return isStateMappingIndexedByParam(n, stateMappingNames, paramNames);
+        });
+    });
+}
+function collectProposers(contract) {
+    const unauth = [];
+    for (const fn of getContractFunctions(contract)) {
+        if (!isExternallyReachable(fn))
+            continue;
+        const name = getName(fn) || '';
+        if (!PROPOSER_NAME_RE.test(name))
+            continue;
+        if (hasAccessControlGuard(fn))
+            continue;
+        unauth.push(name);
+    }
+    return { unauthenticatedNames: unauth };
+}
+function hasUnauthenticatedProposer(info) {
+    return info.unauthenticatedNames.length > 0;
+}
+function hasAccessControlGuard(fn) {
+    for (const m of fn?.modifiers || []) {
+        const n = getModifierName(m).toLowerCase();
+        if (ACCESS_CONTROL_MODIFIER_NAMES.has(n))
+            return true;
+        if (ACCESS_CONTROL_MODIFIER.test(n))
+            return true;
+    }
+    const body = getFunctionBody(fn);
+    if (!body)
+        return false;
+    return walkAny(body, node => {
+        if (!isNode(node, 'FunctionCall'))
+            return false;
+        const callee = unwrapCallOptions(getCallExpression(node));
+        if (!isNode(callee, 'Identifier'))
+            return false;
+        const callName = String(callee.name || '').toLowerCase();
+        if (callName !== 'require' && callName !== 'assert')
+            return false;
+        const cond = getCallArguments(node)[0];
+        if (!cond)
+            return false;
+        return walkAny(cond, n => {
+            if (!isNode(n, 'MemberAccess'))
+                return false;
+            if (String(n.memberName || '') !== 'sender')
+                return false;
+            const inner = n.expression;
+            return isNode(inner, 'Identifier') && String(inner.name || '') === 'msg';
+        });
+    });
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name === 'object') {
+        if (typeof modifier.name.name === 'string')
+            return modifier.name.name;
+        if (typeof modifier.name.namePath === 'string')
+            return modifier.name.namePath;
+    }
+    if (modifier.modifierName) {
+        const inner = modifier.modifierName;
+        if (typeof inner === 'string')
+            return inner;
+        if (inner && typeof inner.name === 'string')
+            return inner.name;
+    }
+    return '';
+}
+function collectStateMappingNames(contract) {
+    const out = new Set();
+    for (const member of getContractMembers(contract)) {
+        if (isNode(member, 'StateVariableDeclaration')) {
+            for (const variable of member.variables || []) {
+                if (variable?.name && isMappingType(variable.typeName))
+                    out.add(String(variable.name));
+            }
+        }
+        else if (isNode(member, 'VariableDeclaration') && member.stateVariable === true) {
+            if (member.name && isMappingType(member.typeName))
+                out.add(String(member.name));
+        }
+    }
+    return out;
+}
+function collectStateVariableNames(contract) {
+    const out = new Set();
+    for (const member of getContractMembers(contract)) {
+        if (isNode(member, 'StateVariableDeclaration')) {
+            for (const variable of member.variables || []) {
+                if (variable?.name)
+                    out.add(String(variable.name));
+            }
+        }
+        else if (isNode(member, 'VariableDeclaration') && member.stateVariable === true) {
+            if (member.name)
+                out.add(String(member.name));
+        }
+    }
+    return out;
+}
+function isMappingType(typeName) {
+    if (!typeName || typeof typeName !== 'object')
+        return false;
+    if (isNode(typeName, 'Mapping'))
+        return true;
+    if (typeof typeName.typeString === 'string' && typeName.typeString.startsWith('mapping('))
+        return true;
+    return false;
+}
+function isExternallyReachable(fn) {
+    if (!fn)
+        return false;
+    if (fn.isConstructor === true)
+        return false;
+    const kind = String(fn.kind || '').toLowerCase();
+    if (kind === 'constructor')
+        return false;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    if (visibility === 'public' || visibility === 'external')
+        return true;
+    if (kind === 'fallback' || kind === 'receive')
+        return true;
+    return false;
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function getFunctionBody(fn) {
+    return fn?.body || null;
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+function getParameters(fn) {
+    if (Array.isArray(fn?.parameters))
+        return fn.parameters;
+    if (Array.isArray(fn?.parameters?.parameters))
+        return fn.parameters.parameters;
+    return [];
+}
+function getContractFunctions(contract) {
+    return getContractMembers(contract).filter(node => isNode(node, 'FunctionDefinition'));
+}
+function getContractMembers(contract) {
+    if (!contract || typeof contract !== 'object')
+        return [];
+    if (Array.isArray(contract.subNodes))
+        return contract.subNodes;
+    if (Array.isArray(contract.nodes))
+        return contract.nodes;
+    return [];
+}
+function collectContracts(ast) {
+    const out = [];
+    walkContracts(ast, out);
+    return out;
+}
+function walkContracts(node, out) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'ContractDefinition')) {
+        out.push(node);
+        return;
+    }
+    for (const child of childrenOf(node))
+        walkContracts(child, out);
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childrenOf(node))
+        walk(child, visit);
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    for (const child of childrenOf(node)) {
+        if (walkAny(child, predicate))
+            return true;
+    }
+    return false;
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' ||
+            key === 'id' || key === 'scope')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value)
+                if (item && typeof item === 'object')
+                    out.push(item);
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const offsets = [0];
+    let byteOffset = 0;
+    for (const ch of sourceText) {
+        byteOffset += Buffer.byteLength(ch, 'utf8');
+        if (ch === '\n')
+            offsets.push(byteOffset);
+    }
+    return offsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start) {
+        return { line: node.loc.start.line || 0, column: node.loc.start.column || 0 };
+    }
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const [offsetRaw] = String(node.src).split(':');
+    const offset = Number(offsetRaw);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    return byteOffsetToLineColumn(offset, lineOffsets);
+}
+function byteOffsetToLineColumn(byteOffset, lineOffsets) {
+    let low = 0;
+    let high = lineOffsets.length - 1;
+    let lineIdx = 0;
+    while (low <= high) {
+        const mid = Math.floor((low + high) / 2);
+        if (lineOffsets[mid] <= byteOffset) {
+            lineIdx = mid;
+            low = mid + 1;
+        }
+        else {
+            high = mid - 1;
+        }
+    }
+    return { line: lineIdx + 1, column: byteOffset - lineOffsets[lineIdx] };
+}
+//# sourceMappingURL=bridge-forged-proof.js.map