@snovon/solast 0.2.0

package/dist/detectors/_common/ast.d.ts

@@ -0,0 +1,139 @@
+/**
+ * Shared AST helpers for SolAST detectors.
+ *
+ * The detector layer has accumulated dozens of identical copies of the same
+ * tiny helpers (`isNode`, `getName`, `buildLineOffsets`, etc.) and the same
+ * literal sets (the access-control modifier list). This module exists so that
+ * new and migrated detectors can import a single canonical implementation
+ * instead of redefining their own. Behavior of each helper here is the
+ * common-case implementation that already shipped across the detector files
+ * — adopting this module preserves observable behavior.
+ *
+ * Two notes for migration:
+ *   - `ACCESS_CONTROL_MODIFIERS` uses lower-case keys. Callers must normalize
+ *     before lookup. This matches the most-replicated form across detectors.
+ *   - `byteOffsetToLineColumn` is binary-search-based; some older detector
+ *     copies use a linear scan. Outputs are identical for all valid inputs.
+ */
+/**
+ * Test whether `node` carries the given AST node type. Accepts both the
+ * `@solidity-parser/parser` shape (`type` field) and the solc compact JSON
+ * shape (`nodeType` field) so detectors written against either AST produce
+ * the same predicate.
+ */
+export declare function isNode(node: any, kind: string): boolean;
+/**
+ * Best-effort name extractor for AST nodes. Most detectors that ask "what is
+ * this node called?" only care about the literal `name` string. The fuller
+ * variant (`getCallName`) is for chained member-access expressions and lives
+ * with the access-control logic in `src/index.ts`.
+ */
+export declare function getName(node: any): string;
+/**
+ * Set of guard modifier names recognized as proof of access control.
+ *
+ * Stored lower-case because the duplicated copies across detectors all
+ * compare with `.toLowerCase()`. Callers must lower-case the modifier name
+ * before lookup.
+ *
+ * NOTE: this is intentionally narrower than the per-detector regex
+ * `/owner|admin|role|.../` patterns some detectors use, which over-match.
+ * If you need that fuzzier surface, do it explicitly in the detector — don't
+ * widen this set silently.
+ */
+export declare const ACCESS_CONTROL_MODIFIERS: ReadonlySet<string>;
+export declare function isAccessControlModifierName(name: string): boolean;
+/**
+ * Build a `[lineStart, ...]` byte-offset table for a Solidity source text.
+ * Returns undefined when `sourceText` is undefined so callers can
+ * conditionally short-circuit. Identical in behavior to the shape duplicated
+ * across many detectors.
+ */
+export declare function buildLineOffsets(sourceText?: string): number[] | undefined;
+/**
+ * Resolve a UTF-8 byte offset back to (line, column). Lines are 1-indexed,
+ * columns are 0-indexed (matching `@solidity-parser/parser` conventions).
+ * Binary search keeps this O(log lines) per lookup; that matters because
+ * solc compact JSON gives every node a `src` offset, so the conversion is
+ * called once per visited node.
+ */
+export declare function byteOffsetToLineColumn(byteOffset: number, lineOffsets: number[]): {
+    line: number;
+    column: number;
+};
+/**
+ * Structured source location for emitting findings. The `line` and `endLine`
+ * fields are 1-based (matching `@solidity-parser/parser`'s convention).
+ */
+export interface LocInfo {
+    line: number;
+    endLine: number;
+    column: number;
+    endColumn: number;
+}
+/**
+ * Return the most specific available source location from `node`. If `node`
+ * has no usable `loc.start.line`, fall back to `fallbackNode`'s loc. Throws
+ * if neither node carries usable location data — this surfaces malformed
+ * AST input immediately rather than silently emitting `line: 0`, which the
+ * 0.3 conformance gate fails on (review G.7, roadmap 2.14).
+ *
+ * Callers should pass the most specific available node first (typically the
+ * node the finding describes) and the enclosing function or contract as the
+ * fallback (always has `loc` unless the AST is entirely malformed):
+ *
+ *   const { line, endLine, column } = assertLoc(violationNode, this.currentFunctionNode);
+ *
+ * The single-arg form is for sites where the caller has already established
+ * that `node` has loc — but in those cases the explicit fallback is cheap
+ * and worth supplying for defence-in-depth.
+ */
+export declare function assertLoc(node: any, fallbackNode?: any): LocInfo;
+/**
+ * Non-throwing variant of `assertLoc`. Returns the most specific available
+ * source location from `node`, falling back to `fallbackNode`, or `null`
+ * when neither carries usable location data.
+ *
+ * Use cases that legitimately need `null` rather than a throw:
+ *
+ *   - **Synthetic AST nodes constructed inside a detector** for
+ *     deduplication or summary purposes (e.g. `arbitrary-account-balance-transfer.ts`'s
+ *     mutation/primitive nodes assembled from sub-trees). The synthetic
+ *     node is not a real AST node, has no `loc`, and surfacing that as
+ *     a scan crash would be wrong.
+ *   - **Dedup-key hash components** (e.g. `cross-chain-arbitrary-call.ts`'s
+ *     `fnStartLine` in an instance key). The value is hashed, not emitted
+ *     in a finding; producing a less-unique key is a graceful degradation.
+ *
+ * `assertLoc` is still the right choice when emitting a finding from a
+ * real AST node — silent `line: 0` emissions are the bug class roadmap
+ * 2.14 eliminates. `tryLoc` is the explicit escape hatch for the
+ * legitimate cases above.
+ */
+export declare function tryLoc(node: any, fallbackNode?: any): LocInfo | null;
+/**
+ * Resolve a node's source location across both AST shapes — parser-style
+ * (`node.loc.start`) and solc compact JSON (`node.src` byte offset).
+ *
+ * Returns `LocInfo | null` mirroring `tryLoc`. Use this when a detector
+ * declares `supportedAstKinds: ['parser', 'solc']` and a single helper
+ * needs to extract location data from whichever shape the AST node
+ * carries. Sibling detectors today duplicate this exact body ~80 times
+ * as a local `getLoc(node, lineOffsets?)` helper — adopting this shared
+ * version drops the duplication and standardises the null-on-missing
+ * semantics (some local copies return `undefined`, others return `null`).
+ *
+ * Behaviour matches the local copies' fast/slow path:
+ *   - Fast path: `node.loc.start.line >= 1` → returns the full LocInfo
+ *     (line, endLine, column, endColumn from `node.loc`).
+ *   - Slow path: `node.src` byte offset + `lineOffsets` → returns a
+ *     LocInfo with `endLine === line` and `endColumn === column` since
+ *     the solc compact JSON `src` field is the START offset only.
+ *   - Both unavailable → null. Callers that need a hard floor should
+ *     `?? { line: 0, column: 0, endLine: 0, endColumn: 0 }`.
+ *
+ * `lineOffsets` is required only for the slow path — call sites that
+ * never produce solc-AST input can pass `undefined`. The slow path is
+ * skipped entirely when `lineOffsets` is missing.
+ */
+export declare function getLoc(node: any, lineOffsets?: number[]): LocInfo | null;

package/dist/detectors/_common/ast.js

@@ -0,0 +1,239 @@
+"use strict";
+/**
+ * Shared AST helpers for SolAST detectors.
+ *
+ * The detector layer has accumulated dozens of identical copies of the same
+ * tiny helpers (`isNode`, `getName`, `buildLineOffsets`, etc.) and the same
+ * literal sets (the access-control modifier list). This module exists so that
+ * new and migrated detectors can import a single canonical implementation
+ * instead of redefining their own. Behavior of each helper here is the
+ * common-case implementation that already shipped across the detector files
+ * — adopting this module preserves observable behavior.
+ *
+ * Two notes for migration:
+ *   - `ACCESS_CONTROL_MODIFIERS` uses lower-case keys. Callers must normalize
+ *     before lookup. This matches the most-replicated form across detectors.
+ *   - `byteOffsetToLineColumn` is binary-search-based; some older detector
+ *     copies use a linear scan. Outputs are identical for all valid inputs.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ACCESS_CONTROL_MODIFIERS = void 0;
+exports.isNode = isNode;
+exports.getName = getName;
+exports.isAccessControlModifierName = isAccessControlModifierName;
+exports.buildLineOffsets = buildLineOffsets;
+exports.byteOffsetToLineColumn = byteOffsetToLineColumn;
+exports.assertLoc = assertLoc;
+exports.tryLoc = tryLoc;
+exports.getLoc = getLoc;
+/**
+ * Test whether `node` carries the given AST node type. Accepts both the
+ * `@solidity-parser/parser` shape (`type` field) and the solc compact JSON
+ * shape (`nodeType` field) so detectors written against either AST produce
+ * the same predicate.
+ */
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+/**
+ * Best-effort name extractor for AST nodes. Most detectors that ask "what is
+ * this node called?" only care about the literal `name` string. The fuller
+ * variant (`getCallName`) is for chained member-access expressions and lives
+ * with the access-control logic in `src/index.ts`.
+ */
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+/**
+ * Set of guard modifier names recognized as proof of access control.
+ *
+ * Stored lower-case because the duplicated copies across detectors all
+ * compare with `.toLowerCase()`. Callers must lower-case the modifier name
+ * before lookup.
+ *
+ * NOTE: this is intentionally narrower than the per-detector regex
+ * `/owner|admin|role|.../` patterns some detectors use, which over-match.
+ * If you need that fuzzier surface, do it explicitly in the detector — don't
+ * widen this set silently.
+ */
+exports.ACCESS_CONTROL_MODIFIERS = new Set([
+    'onlyowner',
+    'onlyowners',
+    'onlyrole',
+    'onlyadmin',
+    'onlyauthorized',
+    'onlyoperator',
+    'onlyoperators',
+    'onlygovernance',
+    'onlygovernor',
+    'onlyguardian',
+    'onlymanager',
+]);
+function isAccessControlModifierName(name) {
+    return exports.ACCESS_CONTROL_MODIFIERS.has(name.toLowerCase());
+}
+/**
+ * Build a `[lineStart, ...]` byte-offset table for a Solidity source text.
+ * Returns undefined when `sourceText` is undefined so callers can
+ * conditionally short-circuit. Identical in behavior to the shape duplicated
+ * across many detectors.
+ */
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const lineOffsets = [0];
+    let byteOffset = 0;
+    for (const char of sourceText) {
+        byteOffset += Buffer.byteLength(char, 'utf8');
+        if (char === '\n')
+            lineOffsets.push(byteOffset);
+    }
+    return lineOffsets;
+}
+/**
+ * Resolve a UTF-8 byte offset back to (line, column). Lines are 1-indexed,
+ * columns are 0-indexed (matching `@solidity-parser/parser` conventions).
+ * Binary search keeps this O(log lines) per lookup; that matters because
+ * solc compact JSON gives every node a `src` offset, so the conversion is
+ * called once per visited node.
+ */
+function byteOffsetToLineColumn(byteOffset, lineOffsets) {
+    let low = 0;
+    let high = lineOffsets.length - 1;
+    let lineIndex = 0;
+    while (low <= high) {
+        const mid = Math.floor((low + high) / 2);
+        if (lineOffsets[mid] <= byteOffset) {
+            lineIndex = mid;
+            low = mid + 1;
+        }
+        else {
+            high = mid - 1;
+        }
+    }
+    return { line: lineIndex + 1, column: byteOffset - lineOffsets[lineIndex] };
+}
+function tryExtractLoc(node) {
+    if (!node || typeof node !== 'object')
+        return null;
+    const startLine = node.loc?.start?.line;
+    if (typeof startLine !== 'number' || startLine <= 0)
+        return null;
+    const endLine = typeof node.loc?.end?.line === 'number' && node.loc.end.line > 0
+        ? node.loc.end.line
+        : startLine;
+    const column = typeof node.loc?.start?.column === 'number' && node.loc.start.column >= 0
+        ? node.loc.start.column
+        : 0;
+    // endColumn falls back to startColumn when end is missing or invalid —
+    // mirrors the endLine→startLine fallback above and matches the inline
+    // `<node>.loc?.end?.column || <startColumn>` pattern the f-stream is
+    // draining (roadmap 2.14.f).
+    const endColumn = typeof node.loc?.end?.column === 'number' && node.loc.end.column >= 0
+        ? node.loc.end.column
+        : column;
+    return { line: startLine, endLine, column, endColumn };
+}
+/**
+ * Return the most specific available source location from `node`. If `node`
+ * has no usable `loc.start.line`, fall back to `fallbackNode`'s loc. Throws
+ * if neither node carries usable location data — this surfaces malformed
+ * AST input immediately rather than silently emitting `line: 0`, which the
+ * 0.3 conformance gate fails on (review G.7, roadmap 2.14).
+ *
+ * Callers should pass the most specific available node first (typically the
+ * node the finding describes) and the enclosing function or contract as the
+ * fallback (always has `loc` unless the AST is entirely malformed):
+ *
+ *   const { line, endLine, column } = assertLoc(violationNode, this.currentFunctionNode);
+ *
+ * The single-arg form is for sites where the caller has already established
+ * that `node` has loc — but in those cases the explicit fallback is cheap
+ * and worth supplying for defence-in-depth.
+ */
+function assertLoc(node, fallbackNode) {
+    const primary = tryExtractLoc(node);
+    if (primary)
+        return primary;
+    if (fallbackNode !== undefined) {
+        const fb = tryExtractLoc(fallbackNode);
+        if (fb)
+            return fb;
+    }
+    const nodeKind = node?.type ?? node?.nodeType ?? 'unknown';
+    const fallbackHint = fallbackNode !== undefined ? ' and fallback node has no usable loc either' : '';
+    throw new Error(`assertLoc: node has no usable loc.start.line (node kind ${nodeKind})${fallbackHint}`);
+}
+/**
+ * Non-throwing variant of `assertLoc`. Returns the most specific available
+ * source location from `node`, falling back to `fallbackNode`, or `null`
+ * when neither carries usable location data.
+ *
+ * Use cases that legitimately need `null` rather than a throw:
+ *
+ *   - **Synthetic AST nodes constructed inside a detector** for
+ *     deduplication or summary purposes (e.g. `arbitrary-account-balance-transfer.ts`'s
+ *     mutation/primitive nodes assembled from sub-trees). The synthetic
+ *     node is not a real AST node, has no `loc`, and surfacing that as
+ *     a scan crash would be wrong.
+ *   - **Dedup-key hash components** (e.g. `cross-chain-arbitrary-call.ts`'s
+ *     `fnStartLine` in an instance key). The value is hashed, not emitted
+ *     in a finding; producing a less-unique key is a graceful degradation.
+ *
+ * `assertLoc` is still the right choice when emitting a finding from a
+ * real AST node — silent `line: 0` emissions are the bug class roadmap
+ * 2.14 eliminates. `tryLoc` is the explicit escape hatch for the
+ * legitimate cases above.
+ */
+function tryLoc(node, fallbackNode) {
+    const primary = tryExtractLoc(node);
+    if (primary)
+        return primary;
+    if (fallbackNode !== undefined) {
+        const fb = tryExtractLoc(fallbackNode);
+        if (fb)
+            return fb;
+    }
+    return null;
+}
+/**
+ * Resolve a node's source location across both AST shapes — parser-style
+ * (`node.loc.start`) and solc compact JSON (`node.src` byte offset).
+ *
+ * Returns `LocInfo | null` mirroring `tryLoc`. Use this when a detector
+ * declares `supportedAstKinds: ['parser', 'solc']` and a single helper
+ * needs to extract location data from whichever shape the AST node
+ * carries. Sibling detectors today duplicate this exact body ~80 times
+ * as a local `getLoc(node, lineOffsets?)` helper — adopting this shared
+ * version drops the duplication and standardises the null-on-missing
+ * semantics (some local copies return `undefined`, others return `null`).
+ *
+ * Behaviour matches the local copies' fast/slow path:
+ *   - Fast path: `node.loc.start.line >= 1` → returns the full LocInfo
+ *     (line, endLine, column, endColumn from `node.loc`).
+ *   - Slow path: `node.src` byte offset + `lineOffsets` → returns a
+ *     LocInfo with `endLine === line` and `endColumn === column` since
+ *     the solc compact JSON `src` field is the START offset only.
+ *   - Both unavailable → null. Callers that need a hard floor should
+ *     `?? { line: 0, column: 0, endLine: 0, endColumn: 0 }`.
+ *
+ * `lineOffsets` is required only for the slow path — call sites that
+ * never produce solc-AST input can pass `undefined`. The slow path is
+ * skipped entirely when `lineOffsets` is missing.
+ */
+function getLoc(node, lineOffsets) {
+    const primary = tryExtractLoc(node);
+    if (primary)
+        return primary;
+    if (!lineOffsets)
+        return null;
+    const src = node?.src;
+    if (typeof src !== 'string')
+        return null;
+    const offset = Number(src.split(':')[0]);
+    if (!Number.isFinite(offset) || offset < 0)
+        return null;
+    const { line, column } = byteOffsetToLineColumn(offset, lineOffsets);
+    return { line, endLine: line, column, endColumn: column };
+}
+//# sourceMappingURL=ast.js.map

package/dist/detectors/_common/compiler-profile.d.ts

@@ -0,0 +1,14 @@
+export type SolidityArithmeticProfile = {
+    allowsPre08Semantics: boolean;
+    source: 'pragma' | 'context' | 'unknown';
+    raw: string;
+};
+/**
+ * Classify Solidity arithmetic semantics at the 0.8.0 checked-arithmetic
+ * boundary. Ambiguous or unrecognized ranges are conservative: if any branch
+ * can select a pre-0.8 compiler, callers should assume unchecked arithmetic is
+ * possible unless a detector proves otherwise.
+ */
+export declare function classifySolidityArithmeticProfile(pragmaValues: string[], fallbackSolcVersion?: string): SolidityArithmeticProfile;
+export declare function arithmeticMayWrap(profile: SolidityArithmeticProfile, uncheckedDepth: number): boolean;
+export declare function pragmaAllowsPre080(pragmaValue: string): boolean;

package/dist/detectors/_common/compiler-profile.js

@@ -0,0 +1,66 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.classifySolidityArithmeticProfile = classifySolidityArithmeticProfile;
+exports.arithmeticMayWrap = arithmeticMayWrap;
+exports.pragmaAllowsPre080 = pragmaAllowsPre080;
+/**
+ * Classify Solidity arithmetic semantics at the 0.8.0 checked-arithmetic
+ * boundary. Ambiguous or unrecognized ranges are conservative: if any branch
+ * can select a pre-0.8 compiler, callers should assume unchecked arithmetic is
+ * possible unless a detector proves otherwise.
+ */
+function classifySolidityArithmeticProfile(pragmaValues, fallbackSolcVersion) {
+    const solidityPragmas = pragmaValues
+        .map(value => String(value || '').trim())
+        .filter(Boolean);
+    if (solidityPragmas.length > 0) {
+        return {
+            allowsPre08Semantics: solidityPragmas.some(pragmaAllowsPre080),
+            source: 'pragma',
+            raw: solidityPragmas.join(' || '),
+        };
+    }
+    const fallback = String(fallbackSolcVersion || '').trim();
+    if (fallback) {
+        return {
+            allowsPre08Semantics: pragmaAllowsPre080(fallback),
+            source: 'context',
+            raw: fallback,
+        };
+    }
+    return { allowsPre08Semantics: true, source: 'unknown', raw: '' };
+}
+function arithmeticMayWrap(profile, uncheckedDepth) {
+    return profile.allowsPre08Semantics || uncheckedDepth > 0;
+}
+function pragmaAllowsPre080(pragmaValue) {
+    if (!pragmaValue)
+        return true;
+    const normalized = pragmaValue.replace(/^v(?=\d)/i, '').replace(/\+commit\.[a-f0-9]+/ig, '');
+    const branches = normalized.split('||');
+    for (const branch of branches) {
+        const tokens = branch.trim().split(/\s+/).filter(Boolean);
+        if (tokens.length === 0)
+            return true;
+        let lowerMinor = -1;
+        let sawComparator = false;
+        for (const token of tokens) {
+            const match = token.match(/^([\^~]|>=|>|<=|<|=)?\s*0\.(\d+)(?:\.(\d+))?/);
+            if (!match)
+                continue;
+            const op = match[1] || '=';
+            const minor = parseInt(match[2], 10);
+            if (op === '<' || op === '<=')
+                continue;
+            sawComparator = true;
+            if (lowerMinor < 0 || minor > lowerMinor)
+                lowerMinor = minor;
+        }
+        if (!sawComparator)
+            return true;
+        if (lowerMinor < 8)
+            return true;
+    }
+    return false;
+}
+//# sourceMappingURL=compiler-profile.js.map

package/dist/detectors/_common/dataflow.d.ts

@@ -0,0 +1,75 @@
+/**
+ * Dataflow primitives shared by detectors that compute fixed points
+ * over taint, reachability, or other monotone-over-finite-set
+ * lattices.
+ *
+ * Today this module exports one primitive — `runFixedPoint` — used by
+ * the inter-procedural taint analyses in `arbitrary-call-error`,
+ * `lack-of-calldata-validation`, and `halborn-security-report-aave-v3`.
+ * Each of those detectors used to hand-roll its own
+ * `for (let pass = 0; changed && pass < N; pass++)` loop, with
+ * different N values and (in one case) no cap at all. The audit's
+ * concern was the inconsistency: a copy-paste with a typo could
+ * silently spin forever, and there was no shared place to add
+ * observability or change the cap policy. This primitive collapses
+ * the three loops into one well-documented signature.
+ */
+export interface FixedPointOptions {
+    /**
+     * Maximum number of `step` invocations before we give up. Default
+     * 32. The lattices the existing detectors use are all monotone
+     * over a finite set (parameter indexes, function names), so 32 is
+     * comfortably above any real workload — if a detector hits this
+     * cap, the step function is almost certainly not shrinking the
+     * dirty set on each iteration and that's the bug to fix, not the
+     * cap to raise.
+     */
+    maxPasses?: number;
+    /**
+     * Optional label used in non-convergence error messages. Pass the
+     * detector or analysis name so a stack trace points to which
+     * fixed-point failed.
+     */
+    name?: string;
+    /**
+     * When the cap is hit and `step` is still returning `true`, the
+     * default is to return `{ converged: false }` so the caller can
+     * decide what to do (some lattices are "best-effort"). Set this
+     * flag to throw instead — useful in tests where non-convergence
+     * is the bug being asserted against.
+     */
+    throwOnNonConvergence?: boolean;
+}
+export interface FixedPointResult {
+    /** Number of times `step` was invoked, i.e. the iteration count. */
+    passes: number;
+    /** True when `step` returned `false` before the cap. */
+    converged: boolean;
+}
+/**
+ * Run an imperative fixed-point loop. `step` is called repeatedly
+ * until either it returns `false` (no work was done this iteration —
+ * convergence) or the `maxPasses` cap is hit. `step` is responsible
+ * for the actual state mutations; this helper only enforces the
+ * loop shape.
+ *
+ * The shape `step: () => boolean` is intentional. The detectors
+ * mutate `Set`s and `Map`s in place, so a functional
+ * `(prev: T) => T` signature would force every detector to either
+ * deep-copy on each iteration or produce a wrapper that fakes
+ * immutability. Instead the caller mutates and returns whether any
+ * mutation actually happened — which is what the original hand-
+ * rolled loops already tracked via a `changed` flag.
+ *
+ * Example:
+ *
+ *     const propagated = new Map<string, Set<number>>();
+ *     runFixedPoint(() => {
+ *       let didWork = false;
+ *       for (const fn of functions) {
+ *         // ... compute new tainted args, set didWork=true if added ...
+ *       }
+ *       return didWork;
+ *     }, { maxPasses: 12, name: 'propagateParamTaint' });
+ */
+export declare function runFixedPoint(step: () => boolean, opts?: FixedPointOptions): FixedPointResult;

package/dist/detectors/_common/dataflow.js

@@ -0,0 +1,57 @@
+"use strict";
+/**
+ * Dataflow primitives shared by detectors that compute fixed points
+ * over taint, reachability, or other monotone-over-finite-set
+ * lattices.
+ *
+ * Today this module exports one primitive — `runFixedPoint` — used by
+ * the inter-procedural taint analyses in `arbitrary-call-error`,
+ * `lack-of-calldata-validation`, and `halborn-security-report-aave-v3`.
+ * Each of those detectors used to hand-roll its own
+ * `for (let pass = 0; changed && pass < N; pass++)` loop, with
+ * different N values and (in one case) no cap at all. The audit's
+ * concern was the inconsistency: a copy-paste with a typo could
+ * silently spin forever, and there was no shared place to add
+ * observability or change the cap policy. This primitive collapses
+ * the three loops into one well-documented signature.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runFixedPoint = runFixedPoint;
+/**
+ * Run an imperative fixed-point loop. `step` is called repeatedly
+ * until either it returns `false` (no work was done this iteration —
+ * convergence) or the `maxPasses` cap is hit. `step` is responsible
+ * for the actual state mutations; this helper only enforces the
+ * loop shape.
+ *
+ * The shape `step: () => boolean` is intentional. The detectors
+ * mutate `Set`s and `Map`s in place, so a functional
+ * `(prev: T) => T` signature would force every detector to either
+ * deep-copy on each iteration or produce a wrapper that fakes
+ * immutability. Instead the caller mutates and returns whether any
+ * mutation actually happened — which is what the original hand-
+ * rolled loops already tracked via a `changed` flag.
+ *
+ * Example:
+ *
+ *     const propagated = new Map<string, Set<number>>();
+ *     runFixedPoint(() => {
+ *       let didWork = false;
+ *       for (const fn of functions) {
+ *         // ... compute new tainted args, set didWork=true if added ...
+ *       }
+ *       return didWork;
+ *     }, { maxPasses: 12, name: 'propagateParamTaint' });
+ */
+function runFixedPoint(step, opts = {}) {
+    const maxPasses = opts.maxPasses ?? 32;
+    for (let pass = 1; pass <= maxPasses; pass++) {
+        if (!step())
+            return { passes: pass, converged: true };
+    }
+    if (opts.throwOnNonConvergence) {
+        throw new Error(`runFixedPoint(${opts.name || 'anonymous'}) did not converge after ${maxPasses} passes`);
+    }
+    return { passes: maxPasses, converged: false };
+}
+//# sourceMappingURL=dataflow.js.map

package/dist/detectors/_common/fhe.d.ts

@@ -0,0 +1,7 @@
+export declare function isFheTypeName(typeName: string): boolean;
+export declare function isFheCipherType(typeName: string, fheAliases?: Set<string>, localNonAliasFheNames?: Set<string>): boolean;
+export declare function isFheNamespaceCall(node: any): boolean;
+export declare function isFheNamespaceMemberCall(node: any, memberName: string): boolean;
+export declare function isFheAllowCall(node: any): boolean;
+export declare function isFheAllowThisCall(node: any): boolean;
+export declare function isFheDecryptCall(node: any): boolean;

package/dist/detectors/_common/fhe.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isFheTypeName = isFheTypeName;
+exports.isFheCipherType = isFheCipherType;
+exports.isFheNamespaceCall = isFheNamespaceCall;
+exports.isFheNamespaceMemberCall = isFheNamespaceMemberCall;
+exports.isFheAllowCall = isFheAllowCall;
+exports.isFheAllowThisCall = isFheAllowThisCall;
+exports.isFheDecryptCall = isFheDecryptCall;
+const ast_1 = require("./ast");
+const FHE_NAMESPACES = new Set(['TFHE', 'FHE']);
+const FHE_TYPE_RE = /^e(?:bool|uint(?:[0-9]+)?)$/;
+function isFheTypeName(typeName) {
+    return FHE_TYPE_RE.test(typeName);
+}
+function isFheCipherType(typeName, fheAliases = new Set(), localNonAliasFheNames = new Set()) {
+    return fheAliases.has(typeName) || (isFheTypeName(typeName) && !localNonAliasFheNames.has(typeName));
+}
+function isFheNamespaceCall(node) {
+    if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+        return false;
+    const callee = node.expression;
+    if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+        return false;
+    const receiver = callee.expression;
+    return !!receiver && (0, ast_1.isNode)(receiver, 'Identifier') && FHE_NAMESPACES.has(receiver.name);
+}
+function isFheNamespaceMemberCall(node, memberName) {
+    return isFheNamespaceCall(node) && node.expression?.memberName === memberName;
+}
+function isFheAllowCall(node) {
+    return isFheNamespaceMemberCall(node, 'allow');
+}
+function isFheAllowThisCall(node) {
+    return isFheNamespaceMemberCall(node, 'allowThis');
+}
+function isFheDecryptCall(node) {
+    return isFheNamespaceMemberCall(node, 'decrypt');
+}
+//# sourceMappingURL=fhe.js.map