@snovon/solast 0.2.0

package/dist/detectors/_common/access-control.d.ts

@@ -0,0 +1,204 @@
+/**
+ * Shared structural predicates for access-control reasoning.
+ *
+ * Several detectors hand-roll the same AST predicates: "is this
+ * expression `msg.sender`?", "does this require argument express an
+ * access-control check?", "does this function carry a recognised
+ * `onlyOwner`-style modifier?". The implementations have drifted —
+ * the audit found 21+ files with their own copy of the modifier set
+ * and slightly-different regex name predicates — but the *shape* of
+ * each predicate is the same. This module exists so detectors can
+ * import one canonical AST walker and supply only the policy bits
+ * (which identifier names count as "privileged") that are actually
+ * detector-specific.
+ *
+ * Design notes for callers:
+ *
+ * - `isPrivilegedName` is intentionally a parameter to the structural
+ *   walkers below, not a fixed predicate on this module. Different
+ *   detectors include different keywords (`fee`, `treasury`,
+ *   `paused`, `auth`, `manager`, ...) and unifying them here would
+ *   change findings in subtle ways. Keep the policy local.
+ * - The structural shape of `requireExpressesAccessControl` mirrors
+ *   the predicate `arbitrary-call-error` shipped in PR #1813 with
+ *   one explicit parameterisation: the name predicate. New detectors
+ *   should prefer this helper over re-implementing the recursion.
+ * - `hasRecognisedAccessControlModifier` consults the canonical
+ *   `ACCESS_CONTROL_MODIFIERS` set from `_common/ast.ts` so we have
+ *   one source of truth for the modifier vocabulary.
+ */
+import { ACCESS_CONTROL_MODIFIERS, isAccessControlModifierName } from './ast';
+export { ACCESS_CONTROL_MODIFIERS, isAccessControlModifierName };
+/**
+ * Predicate used by the structural walkers to decide whether an
+ * identifier name (Solidity-level, not file-level) refers to a
+ * privileged storage slot or function. Detectors typically supply a
+ * regex match; the type is broader so callers can use sets, exact
+ * matches, or token-based checks.
+ */
+export type PrivilegedNamePredicate = (name: string) => boolean;
+/**
+ * Canonical default keyword set for privileged-identifier matching.
+ * Mirrors the legacy `AccessControlDetector` regex
+ * (`/owner|admin|role|paused|pause|guardian|timelock|governor|fee|treasury|operator/`)
+ * so detectors that want "the typical policy" don't need to spell it
+ * out. Detectors with a different vocabulary (e.g. `cartel-custom-approval-logic`
+ * adds `manager|authority|authorized`) pass their own list via the
+ * `keywords` option.
+ *
+ * Word-boundary semantics (G.5): the `governorRequiredFee` over-match
+ * called out in the architectural review is fixed under
+ * `isPrivilegedIdentifier(name, { mode: 'word-boundary' })`. The
+ * default mode is still `'substring'` for behaviour preservation; see
+ * `isPrivilegedIdentifier` below and ADR 0005 for the rollout plan.
+ */
+export declare const DEFAULT_PRIVILEGED_KEYWORDS: readonly string[];
+/**
+ * Available matching algorithms for `isPrivilegedIdentifier`. See
+ * `docs/adr/0005-word-boundary-privileged-identifier.md` for the
+ * tradeoffs and rollout plan.
+ */
+export type PrivilegedIdentifierMode = 'substring' | 'word-boundary';
+export interface PrivilegedIdentifierOptions {
+    /**
+     * Custom keyword vocabulary. When omitted the default canonical set
+     * (`DEFAULT_PRIVILEGED_KEYWORDS`) is used.
+     */
+    keywords?: readonly string[];
+    /**
+     * Matching algorithm. Defaults to `'substring'` for behaviour
+     * preservation across the ~12 existing callers. The `'word-boundary'`
+     * mode tokenises the identifier on snake_case / camelCase / PascalCase
+     * boundaries and matches if and only if (a) the FIRST token equals a
+     * keyword and (b) no OTHER token equals a keyword. See ADR 0005.
+     */
+    mode?: PrivilegedIdentifierMode;
+}
+/**
+ * Tokenise an identifier on snake_case and camelCase / PascalCase
+ * boundaries. Returns lowercased non-empty tokens.
+ *
+ *   `governor`              → ['governor']
+ *   `governorAddress`       → ['governor', 'address']
+ *   `governor_required_fee` → ['governor', 'required', 'fee']
+ *   `OWNER`                 → ['owner']
+ *   `_admin`                → ['admin']
+ *   `XYZOwner`              → ['xyz', 'owner']
+ *
+ * Exported for direct testing and for detectors that need their own
+ * token-aware predicate variant.
+ */
+export declare function splitIdentifierTokens(name: string): string[];
+/**
+ * Privileged-identifier predicate — does `name` look like the
+ * Solidity-level identifier of a privileged storage slot, function,
+ * or modifier?
+ *
+ * Centralises the substring regex that detectors used to inline
+ * (G.5 / J.4 / roadmap 1.2).
+ *
+ * Two modes are supported (see ADR 0005):
+ *
+ * - `'substring'` (default) — case-insensitive
+ *   `/keyword1|keyword2|.../i.test(lower(name))`. Faithfully preserves
+ *   the legacy inline-regex behaviour. Over-matches identifiers like
+ *   `governorRequiredFee` that happen to embed multiple keywords.
+ *
+ * - `'word-boundary'` — tokenise on snake/camelCase boundaries
+ *   (`splitIdentifierTokens`) and match if the FIRST token is a keyword
+ *   AND no other token is a keyword. So `governor`, `governorAddress`,
+ *   `owner_address` all match; `governorRequiredFee`, `paramOwner`,
+ *   `controllerFee`, `configRole` do not. This is the eventual
+ *   semantics for G.5; today it is opt-in per call site so each
+ *   detector can validate the recall impact independently.
+ */
+export declare function isPrivilegedIdentifier(name: string, options?: PrivilegedIdentifierOptions): boolean;
+/**
+ * `msg.sender` exactly: a `MemberAccess` whose `memberName` is
+ * `'sender'` and whose `expression` is the `Identifier` `msg`.
+ * Accepts both parser and solc AST shapes.
+ */
+export declare function isMsgSenderExpr(expr: any): boolean;
+/**
+ * Caller-identity expression: any AST shape that resolves to the
+ * current transaction sender. Three shapes are recognised:
+ *
+ *   `msg.sender`                — the canonical built-in
+ *   `_msgSender()`              — the OpenZeppelin `Context` helper
+ *                                  (zero arguments only)
+ *   `this._msgSender()`         — the same helper invoked as a member
+ *                                  call on the contract itself
+ *
+ * Recognition is limited to zero-argument calls so that lookalike
+ * helpers that take arguments (`_msgSender(metaTxBytes)`, etc.) are
+ * not silently treated as caller-identity.
+ */
+export declare function isCallerIdentityExpression(expr: any): boolean;
+/**
+ * Recognise `hasRole(...)`, `checkRole(...)`, or `_checkRole(...)`
+ * style calls — the standard OpenZeppelin AccessControl entry points
+ * that callers use to delegate the access check to a role registry.
+ *
+ * `getCalleeName` is supplied by the caller so detectors that
+ * already have a richer name resolver (chained MemberAccess, etc.)
+ * can pass it in. If you don't have one, `getCalleeNameDefault`
+ * below is a reasonable starting point.
+ */
+export declare function isHasRoleStyleCall(expr: any, getCalleeName: (call: any) => string): boolean;
+/**
+ * Default callee-name resolver suitable for most detectors. Walks
+ * `expr.expression` through `Identifier` and `MemberAccess` nodes
+ * and returns the dotted form (`base.member.tail`).
+ */
+export declare function getCalleeNameDefault(call: any): string;
+/**
+ * Walk an expression looking for ANY identifier, member name, or
+ * mapping base whose name matches `isPrivilegedName`. Returns true
+ * on first hit. Recurses through `Identifier`, `MemberAccess`,
+ * `IndexAccess`, and `FunctionCall` chains — the same shape every
+ * existing detector reimplements.
+ *
+ * Example: with `isPrivilegedName = name => /owner|admin/i.test(name)`
+ *
+ *   `owner`              → true (Identifier match)
+ *   `state.owner`        → true (MemberAccess memberName match)
+ *   `_admins[user]`      → true (IndexAccess base match)
+ *   `getOwner()`         → true (FunctionCall callee match)
+ *   `unrelatedField`     → false
+ */
+export declare function isPrivilegedReference(expr: any, isPrivilegedName: PrivilegedNamePredicate): boolean;
+/**
+ * Recognise the structural shape of an access-control predicate
+ * inside a `require(...)` argument (or any boolean condition).
+ * Accepted shapes:
+ *
+ *   `msg.sender == owner`              `BinaryOperation '=='`
+ *   `admin == msg.sender`              with msg.sender on either
+ *                                      operand and the other side
+ *                                      a privileged reference.
+ *   `_authorized[msg.sender]`          `IndexAccess` whose base is
+ *                                      privileged-named and whose
+ *                                      index is `msg.sender`.
+ *   `hasRole(role, msg.sender)`        `FunctionCall` whose callee
+ *   `_checkRole(role, ...)`            tail matches a known role-
+ *                                      check helper.
+ *
+ * Recurses through `&&`, `||`, `!`, and `TupleExpression` so
+ * multi-clause predicates are handled. Returns false for shapes
+ * that don't match — callers can wrap with their own fallback if
+ * they need broader recall (e.g. `arbitrary-call-error` uses a
+ * flattened-name match as a final fallback to catch wrapper-style
+ * helpers like `require(_isAuthorized(msg.sender))`).
+ */
+export declare function requireExpressesAccessControl(expr: any, isPrivilegedName: PrivilegedNamePredicate, getCalleeName?: (call: any) => string): boolean;
+/**
+ * Does the function definition carry at least one of the canonical
+ * access-control modifiers (`onlyOwner`, `onlyRole`, `onlyAdmin`,
+ * etc., as defined in `_common/ast.ts:ACCESS_CONTROL_MODIFIERS`)?
+ *
+ * Note: this set is intentionally narrower than some detectors'
+ * inline regex matchers. If a detector treats `whenNotPaused` or
+ * `initializer` as a guard, it should keep its own list rather than
+ * widening the canonical set silently.
+ */
+export declare function hasRecognisedAccessControlModifier(fn: any): boolean;

package/dist/detectors/_common/access-control.js

@@ -0,0 +1,377 @@
+"use strict";
+/**
+ * Shared structural predicates for access-control reasoning.
+ *
+ * Several detectors hand-roll the same AST predicates: "is this
+ * expression `msg.sender`?", "does this require argument express an
+ * access-control check?", "does this function carry a recognised
+ * `onlyOwner`-style modifier?". The implementations have drifted —
+ * the audit found 21+ files with their own copy of the modifier set
+ * and slightly-different regex name predicates — but the *shape* of
+ * each predicate is the same. This module exists so detectors can
+ * import one canonical AST walker and supply only the policy bits
+ * (which identifier names count as "privileged") that are actually
+ * detector-specific.
+ *
+ * Design notes for callers:
+ *
+ * - `isPrivilegedName` is intentionally a parameter to the structural
+ *   walkers below, not a fixed predicate on this module. Different
+ *   detectors include different keywords (`fee`, `treasury`,
+ *   `paused`, `auth`, `manager`, ...) and unifying them here would
+ *   change findings in subtle ways. Keep the policy local.
+ * - The structural shape of `requireExpressesAccessControl` mirrors
+ *   the predicate `arbitrary-call-error` shipped in PR #1813 with
+ *   one explicit parameterisation: the name predicate. New detectors
+ *   should prefer this helper over re-implementing the recursion.
+ * - `hasRecognisedAccessControlModifier` consults the canonical
+ *   `ACCESS_CONTROL_MODIFIERS` set from `_common/ast.ts` so we have
+ *   one source of truth for the modifier vocabulary.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_PRIVILEGED_KEYWORDS = exports.isAccessControlModifierName = exports.ACCESS_CONTROL_MODIFIERS = void 0;
+exports.splitIdentifierTokens = splitIdentifierTokens;
+exports.isPrivilegedIdentifier = isPrivilegedIdentifier;
+exports.isMsgSenderExpr = isMsgSenderExpr;
+exports.isCallerIdentityExpression = isCallerIdentityExpression;
+exports.isHasRoleStyleCall = isHasRoleStyleCall;
+exports.getCalleeNameDefault = getCalleeNameDefault;
+exports.isPrivilegedReference = isPrivilegedReference;
+exports.requireExpressesAccessControl = requireExpressesAccessControl;
+exports.hasRecognisedAccessControlModifier = hasRecognisedAccessControlModifier;
+const ast_1 = require("./ast");
+Object.defineProperty(exports, "ACCESS_CONTROL_MODIFIERS", { enumerable: true, get: function () { return ast_1.ACCESS_CONTROL_MODIFIERS; } });
+Object.defineProperty(exports, "isAccessControlModifierName", { enumerable: true, get: function () { return ast_1.isAccessControlModifierName; } });
+/**
+ * Canonical default keyword set for privileged-identifier matching.
+ * Mirrors the legacy `AccessControlDetector` regex
+ * (`/owner|admin|role|paused|pause|guardian|timelock|governor|fee|treasury|operator/`)
+ * so detectors that want "the typical policy" don't need to spell it
+ * out. Detectors with a different vocabulary (e.g. `cartel-custom-approval-logic`
+ * adds `manager|authority|authorized`) pass their own list via the
+ * `keywords` option.
+ *
+ * Word-boundary semantics (G.5): the `governorRequiredFee` over-match
+ * called out in the architectural review is fixed under
+ * `isPrivilegedIdentifier(name, { mode: 'word-boundary' })`. The
+ * default mode is still `'substring'` for behaviour preservation; see
+ * `isPrivilegedIdentifier` below and ADR 0005 for the rollout plan.
+ */
+exports.DEFAULT_PRIVILEGED_KEYWORDS = Object.freeze([
+    'owner', 'admin', 'role', 'paused', 'pause',
+    'guardian', 'timelock', 'governor', 'fee', 'treasury', 'operator',
+]);
+const KEYWORD_REGEX_CACHE = new Map();
+const KEYWORD_SET_CACHE = new Map();
+function keywordRegex(keywords) {
+    const cacheKey = keywords.join('|');
+    let regex = KEYWORD_REGEX_CACHE.get(cacheKey);
+    if (!regex) {
+        regex = new RegExp(cacheKey, 'i');
+        KEYWORD_REGEX_CACHE.set(cacheKey, regex);
+    }
+    return regex;
+}
+function keywordSet(keywords) {
+    const cacheKey = keywords.join('|');
+    let set = KEYWORD_SET_CACHE.get(cacheKey);
+    if (!set) {
+        set = new Set(keywords.map((k) => k.toLowerCase()));
+        KEYWORD_SET_CACHE.set(cacheKey, set);
+    }
+    return set;
+}
+/**
+ * Tokenise an identifier on snake_case and camelCase / PascalCase
+ * boundaries. Returns lowercased non-empty tokens.
+ *
+ *   `governor`              → ['governor']
+ *   `governorAddress`       → ['governor', 'address']
+ *   `governor_required_fee` → ['governor', 'required', 'fee']
+ *   `OWNER`                 → ['owner']
+ *   `_admin`                → ['admin']
+ *   `XYZOwner`              → ['xyz', 'owner']
+ *
+ * Exported for direct testing and for detectors that need their own
+ * token-aware predicate variant.
+ */
+function splitIdentifierTokens(name) {
+    if (!name)
+        return [];
+    const spaced = name
+        .replace(/_+/g, ' ')
+        .replace(/([a-z\d])([A-Z])/g, '$1 $2')
+        .replace(/([A-Z]+)([A-Z][a-z])/g, '$1 $2');
+    return spaced
+        .toLowerCase()
+        .split(/\s+/)
+        .filter((tok) => tok.length > 0);
+}
+/**
+ * Privileged-identifier predicate — does `name` look like the
+ * Solidity-level identifier of a privileged storage slot, function,
+ * or modifier?
+ *
+ * Centralises the substring regex that detectors used to inline
+ * (G.5 / J.4 / roadmap 1.2).
+ *
+ * Two modes are supported (see ADR 0005):
+ *
+ * - `'substring'` (default) — case-insensitive
+ *   `/keyword1|keyword2|.../i.test(lower(name))`. Faithfully preserves
+ *   the legacy inline-regex behaviour. Over-matches identifiers like
+ *   `governorRequiredFee` that happen to embed multiple keywords.
+ *
+ * - `'word-boundary'` — tokenise on snake/camelCase boundaries
+ *   (`splitIdentifierTokens`) and match if the FIRST token is a keyword
+ *   AND no other token is a keyword. So `governor`, `governorAddress`,
+ *   `owner_address` all match; `governorRequiredFee`, `paramOwner`,
+ *   `controllerFee`, `configRole` do not. This is the eventual
+ *   semantics for G.5; today it is opt-in per call site so each
+ *   detector can validate the recall impact independently.
+ */
+function isPrivilegedIdentifier(name, options = {}) {
+    if (!name)
+        return false;
+    const keywords = options.keywords ?? exports.DEFAULT_PRIVILEGED_KEYWORDS;
+    if (keywords.length === 0)
+        return false;
+    const mode = options.mode ?? 'substring';
+    if (mode === 'substring') {
+        return keywordRegex(keywords).test(name.toLowerCase());
+    }
+    const tokens = splitIdentifierTokens(name);
+    if (tokens.length === 0)
+        return false;
+    const set = keywordSet(keywords);
+    if (!set.has(tokens[0]))
+        return false;
+    for (let i = 1; i < tokens.length; i += 1) {
+        if (set.has(tokens[i]))
+            return false;
+    }
+    return true;
+}
+/**
+ * `msg.sender` exactly: a `MemberAccess` whose `memberName` is
+ * `'sender'` and whose `expression` is the `Identifier` `msg`.
+ * Accepts both parser and solc AST shapes.
+ */
+function isMsgSenderExpr(expr) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (!(0, ast_1.isNode)(expr, 'MemberAccess'))
+        return false;
+    if (String(expr.memberName || '') !== 'sender')
+        return false;
+    const inner = expr.expression;
+    return !!inner && (0, ast_1.isNode)(inner, 'Identifier') && (inner.name || '') === 'msg';
+}
+/**
+ * Caller-identity expression: any AST shape that resolves to the
+ * current transaction sender. Three shapes are recognised:
+ *
+ *   `msg.sender`                — the canonical built-in
+ *   `_msgSender()`              — the OpenZeppelin `Context` helper
+ *                                  (zero arguments only)
+ *   `this._msgSender()`         — the same helper invoked as a member
+ *                                  call on the contract itself
+ *
+ * Recognition is limited to zero-argument calls so that lookalike
+ * helpers that take arguments (`_msgSender(metaTxBytes)`, etc.) are
+ * not silently treated as caller-identity.
+ */
+function isCallerIdentityExpression(expr) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isMsgSenderExpr(expr))
+        return true;
+    if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+        return false;
+    const args = expr.arguments || [];
+    if (Array.isArray(args) && args.length !== 0)
+        return false;
+    const callee = expr.expression;
+    if (!callee)
+        return false;
+    if ((0, ast_1.isNode)(callee, 'Identifier') && String(callee.name || '') === '_msgSender')
+        return true;
+    if ((0, ast_1.isNode)(callee, 'MemberAccess')) {
+        if (String(callee.memberName || '') !== '_msgSender')
+            return false;
+        const base = callee.expression;
+        return !!base && (0, ast_1.isNode)(base, 'Identifier') && String(base.name || '') === 'this';
+    }
+    return false;
+}
+/**
+ * Recognise `hasRole(...)`, `checkRole(...)`, or `_checkRole(...)`
+ * style calls — the standard OpenZeppelin AccessControl entry points
+ * that callers use to delegate the access check to a role registry.
+ *
+ * `getCalleeName` is supplied by the caller so detectors that
+ * already have a richer name resolver (chained MemberAccess, etc.)
+ * can pass it in. If you don't have one, `getCalleeNameDefault`
+ * below is a reasonable starting point.
+ */
+function isHasRoleStyleCall(expr, getCalleeName) {
+    if (!expr || !(0, ast_1.isNode)(expr, 'FunctionCall'))
+        return false;
+    const callee = getCalleeName(expr).toLowerCase();
+    const tail = callee.includes('.') ? callee.split('.').pop() || callee : callee;
+    return tail === 'hasrole' || tail === 'checkrole' || tail === '_checkrole';
+}
+/**
+ * Default callee-name resolver suitable for most detectors. Walks
+ * `expr.expression` through `Identifier` and `MemberAccess` nodes
+ * and returns the dotted form (`base.member.tail`).
+ */
+function getCalleeNameDefault(call) {
+    if (!call)
+        return '';
+    const expr = call.expression;
+    if (!expr)
+        return '';
+    return resolveCalleeName(expr);
+}
+function resolveCalleeName(expr) {
+    if (!expr)
+        return '';
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+        const prefix = resolveCalleeName(expr.expression);
+        const member = String(expr.memberName || '');
+        return prefix ? `${prefix}.${member}` : member;
+    }
+    return '';
+}
+/**
+ * Walk an expression looking for ANY identifier, member name, or
+ * mapping base whose name matches `isPrivilegedName`. Returns true
+ * on first hit. Recurses through `Identifier`, `MemberAccess`,
+ * `IndexAccess`, and `FunctionCall` chains — the same shape every
+ * existing detector reimplements.
+ *
+ * Example: with `isPrivilegedName = name => /owner|admin/i.test(name)`
+ *
+ *   `owner`              → true (Identifier match)
+ *   `state.owner`        → true (MemberAccess memberName match)
+ *   `_admins[user]`      → true (IndexAccess base match)
+ *   `getOwner()`         → true (FunctionCall callee match)
+ *   `unrelatedField`     → false
+ */
+function isPrivilegedReference(expr, isPrivilegedName) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(expr, 'Identifier')) {
+        return isPrivilegedName(String(expr.name || ''));
+    }
+    if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+        if (isPrivilegedName(String(expr.memberName || '')))
+            return true;
+        return isPrivilegedReference(expr.expression, isPrivilegedName);
+    }
+    if ((0, ast_1.isNode)(expr, 'IndexAccess')) {
+        return isPrivilegedReference(expr.base || expr.baseExpression, isPrivilegedName);
+    }
+    if ((0, ast_1.isNode)(expr, 'FunctionCall')) {
+        return isPrivilegedReference(expr.expression, isPrivilegedName);
+    }
+    return false;
+}
+/**
+ * Recognise the structural shape of an access-control predicate
+ * inside a `require(...)` argument (or any boolean condition).
+ * Accepted shapes:
+ *
+ *   `msg.sender == owner`              `BinaryOperation '=='`
+ *   `admin == msg.sender`              with msg.sender on either
+ *                                      operand and the other side
+ *                                      a privileged reference.
+ *   `_authorized[msg.sender]`          `IndexAccess` whose base is
+ *                                      privileged-named and whose
+ *                                      index is `msg.sender`.
+ *   `hasRole(role, msg.sender)`        `FunctionCall` whose callee
+ *   `_checkRole(role, ...)`            tail matches a known role-
+ *                                      check helper.
+ *
+ * Recurses through `&&`, `||`, `!`, and `TupleExpression` so
+ * multi-clause predicates are handled. Returns false for shapes
+ * that don't match — callers can wrap with their own fallback if
+ * they need broader recall (e.g. `arbitrary-call-error` uses a
+ * flattened-name match as a final fallback to catch wrapper-style
+ * helpers like `require(_isAuthorized(msg.sender))`).
+ */
+function requireExpressesAccessControl(expr, isPrivilegedName, getCalleeName = getCalleeNameDefault) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isHasRoleStyleCall(expr, getCalleeName))
+        return true;
+    if ((0, ast_1.isNode)(expr, 'BinaryOperation') && (expr.operator === '==' || expr.operator === '!=' || expr.operator === '===')) {
+        const left = expr.left || expr.leftExpression;
+        const right = expr.right || expr.rightExpression;
+        if ((isMsgSenderExpr(left) && isPrivilegedReference(right, isPrivilegedName))
+            || (isMsgSenderExpr(right) && isPrivilegedReference(left, isPrivilegedName))) {
+            return true;
+        }
+    }
+    if ((0, ast_1.isNode)(expr, 'IndexAccess')) {
+        const base = expr.base || expr.baseExpression;
+        const index = expr.index || expr.indexExpression;
+        if (isMsgSenderExpr(index) && isPrivilegedReference(base, isPrivilegedName))
+            return true;
+    }
+    if ((0, ast_1.isNode)(expr, 'BinaryOperation') && (expr.operator === '&&' || expr.operator === '||')) {
+        const left = expr.left || expr.leftExpression;
+        const right = expr.right || expr.rightExpression;
+        if (requireExpressesAccessControl(left, isPrivilegedName, getCalleeName))
+            return true;
+        if (requireExpressesAccessControl(right, isPrivilegedName, getCalleeName))
+            return true;
+    }
+    if ((0, ast_1.isNode)(expr, 'UnaryOperation') && expr.operator === '!') {
+        const inner = expr.subExpression;
+        if (requireExpressesAccessControl(inner, isPrivilegedName, getCalleeName))
+            return true;
+    }
+    if ((0, ast_1.isNode)(expr, 'TupleExpression')) {
+        for (const child of expr.components || []) {
+            if (requireExpressesAccessControl(child, isPrivilegedName, getCalleeName))
+                return true;
+        }
+    }
+    return false;
+}
+/**
+ * Does the function definition carry at least one of the canonical
+ * access-control modifiers (`onlyOwner`, `onlyRole`, `onlyAdmin`,
+ * etc., as defined in `_common/ast.ts:ACCESS_CONTROL_MODIFIERS`)?
+ *
+ * Note: this set is intentionally narrower than some detectors'
+ * inline regex matchers. If a detector treats `whenNotPaused` or
+ * `initializer` as a guard, it should keep its own list rather than
+ * widening the canonical set silently.
+ */
+function hasRecognisedAccessControlModifier(fn) {
+    for (const modifier of fn?.modifiers || []) {
+        const name = extractModifierName(modifier);
+        if (name && (0, ast_1.isAccessControlModifierName)(name))
+            return true;
+    }
+    return false;
+}
+function extractModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name.name === 'string')
+        return modifier.name.name;
+    if (modifier.modifierName && typeof modifier.modifierName.name === 'string')
+        return modifier.modifierName.name;
+    return '';
+}
+//# sourceMappingURL=access-control.js.map