@trynullsec/s1-zk 1.0.0

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAGvD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,YAAY,CAAC;KAClB,WAAW,CAAC,gEAAgE,CAAC;KAC7E,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,QAAQ,CAAC,UAAU,EAAE,kCAAkC,CAAC;KACxD,MAAM,CAAC,mBAAmB,EAAE,oCAAoC,CAAC;KACjE,MAAM,CAAC,mBAAmB,EAAE,wCAAwC,CAAC;KACrE,MAAM,CAAC,cAAc,EAAE,+BAA+B,CAAC;KACvD,MAAM,CAAC,sBAAsB,EAAE,sCAAsC,CAAC;KACtE,MAAM,CAAC,iBAAiB,EAAE,kBAAkB,CAAC;KAC7C,MAAM,CAAC,KAAK,EAAE,MAAc,EAAE,OAAyG,EAAE,EAAE;IAC1I,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE;YACnC,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,OAAO,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS;YAClF,UAAU,EAAE,OAAO,CAAC,MAAM;SAC3B,CAAC,CAAC;QACH,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM;YAAE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACtE,OAAO,CAAC,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;IAClC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC,CAAC;QACtD,OAAO,CAAC,KAAK,CAAE,KAAe,CAAC,OAAO,CAAC,CAAC;QACxC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;IACvB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,oCAAoC,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE;IACrF,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,EAAE,KAAK,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;IAC9E,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,YAAY,EAAE,qBAAqB,CAAC,CAAC,WAAW,CAAC,0BAA0B,CAAC,CAAC,MAAM,CAAC,CAAC,OAAe,EAAE,EAAE;IAC1I,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC;IACnE,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,EAAE,KAAK,MAAM,CAAC,CAAC;IACnE,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,KAAK,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,EAAE,KAAK,IAAI,CAAC,KAAK;;oBAEnB,IAAI,CAAC,eAAe;QAChC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;;EAE1B,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;AACtB,CAAC,CAAC,CAAC;AAEH,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,WAAW,CAAC,uCAAuC,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE;IACvF,IAAI,UAAU,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACnC,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACjD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,MAAM,IAAI,GAAG,kBAAkB,EAAE,CAAC;IAClC,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;AACjC,CAAC,CAAC,CAAC;AAEH,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,4 @@
+import type { NullsecConfig } from "./types.js";
+export declare const defaultConfig: NullsecConfig;
+export declare function loadConfig(cwd?: string, configPath?: string): NullsecConfig;
+export declare function writeDefaultConfig(cwd?: string): string;

package/dist/config.js

@@ -0,0 +1,41 @@
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { resolve } from "node:path";
+import { normalizeSeverity } from "./core/severity.js";
+export const defaultConfig = {
+    rules: {},
+    ignore: ["node_modules", "dist", "circomlib"],
+    failOn: "CRITICAL",
+    format: "terminal",
+    field: "BN254"
+};
+function isFormat(value) {
+    return value === "terminal" || value === "json" || value === "markdown" || value === "sarif";
+}
+export function loadConfig(cwd = process.cwd(), configPath) {
+    const path = configPath ? resolve(cwd, configPath) : resolve(cwd, ".nullsec-zk.json");
+    if (!existsSync(path))
+        return { ...defaultConfig, rules: { ...defaultConfig.rules }, ignore: [...defaultConfig.ignore] };
+    const parsed = JSON.parse(readFileSync(path, "utf8"));
+    return {
+        rules: parsed.rules ?? {},
+        ignore: Array.isArray(parsed.ignore) ? parsed.ignore : [...defaultConfig.ignore],
+        failOn: normalizeSeverity(String(parsed.failOn ?? defaultConfig.failOn), defaultConfig.failOn),
+        format: isFormat(parsed.format) ? parsed.format : defaultConfig.format,
+        field: parsed.field ?? defaultConfig.field
+    };
+}
+export function writeDefaultConfig(cwd = process.cwd()) {
+    const path = resolve(cwd, ".nullsec-zk.json");
+    const payload = {
+        rules: {
+            "NS-ZK-006": "medium"
+        },
+        ignore: ["node_modules", "circomlib"],
+        failOn: "CRITICAL",
+        format: "terminal",
+        field: "BN254"
+    };
+    writeFileSync(path, `${JSON.stringify(payload, null, 2)}\n`);
+    return path;
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAEvD,MAAM,CAAC,MAAM,aAAa,GAAkB;IAC1C,KAAK,EAAE,EAAE;IACT,MAAM,EAAE,CAAC,cAAc,EAAE,MAAM,EAAE,WAAW,CAAC;IAC7C,MAAM,EAAE,UAAU;IAClB,MAAM,EAAE,UAAU;IAClB,KAAK,EAAE,OAAO;CACf,CAAC;AAEF,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,KAAK,KAAK,UAAU,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,UAAU,IAAI,KAAK,KAAK,OAAO,CAAC;AAC/F,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,EAAE,UAAmB;IACjE,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;IACtF,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,GAAG,aAAa,EAAE,KAAK,EAAE,EAAE,GAAG,aAAa,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,CAAC,GAAG,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;IAEzH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAA2B,CAAC;IAChF,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,EAAE;QACzB,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC,MAAM,CAAC;QAChF,MAAM,EAAE,iBAAiB,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,IAAI,aAAa,CAAC,MAAM,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC;QAC9F,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,aAAa,CAAC,MAAM;QACtE,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,aAAa,CAAC,KAAK;KAC3C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE;IACpD,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;IAC9C,MAAM,OAAO,GAAG;QACd,KAAK,EAAE;YACL,WAAW,EAAE,QAAQ;SACtB;QACD,MAAM,EAAE,CAAC,cAAc,EAAE,WAAW,CAAC;QACrC,MAAM,EAAE,UAA6B;QACrC,MAAM,EAAE,UAAiC;QACzC,KAAK,EAAE,OAAO;KACf,CAAC;IACF,aAAa,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;IAC7D,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/core/audit-engine.d.ts

@@ -0,0 +1,3 @@
+import type { AuditResult, NullsecConfig, ParsedCircuitFile } from "../types.js";
+import type { Halo2CircuitFile } from "../frontends/halo2/halo2-types.js";
+export declare function auditParsedFiles(target: string, parsedFiles: ParsedCircuitFile[], config: NullsecConfig, halo2Files?: Halo2CircuitFile[]): AuditResult;

package/dist/core/audit-engine.js

@@ -0,0 +1,31 @@
+import { buildCircuitIR } from "../frontends/circom/circom-ir-builder.js";
+import { buildHalo2IR } from "../frontends/halo2/halo2-ir-builder.js";
+import { ConstraintGraph } from "../ir/constraint-graph.js";
+import { allRules } from "../rules/index.js";
+import { summarizeIssues } from "../report/summary.js";
+import { RuleEngine } from "./rule-engine.js";
+function frontendName(circomCount, halo2Count) {
+    if (circomCount > 0 && halo2Count > 0)
+        return "Mixed";
+    if (halo2Count > 0)
+        return "Halo2";
+    return "Circom";
+}
+export function auditParsedFiles(target, parsedFiles, config, halo2Files = []) {
+    const ir = buildCircuitIR(parsedFiles);
+    const halo2 = buildHalo2IR(halo2Files);
+    const graph = new ConstraintGraph(ir);
+    const engine = new RuleEngine(allRules);
+    const { issues, rulesExecuted } = engine.run({ target, ir, graph, config, halo2 });
+    return {
+        tool: { name: "Nullsec S1-ZK", version: "1.0.0" },
+        target,
+        frontend: frontendName(parsedFiles.length, halo2Files.length),
+        filesScanned: parsedFiles.length + halo2Files.length,
+        rulesExecuted,
+        summary: summarizeIssues(issues),
+        issues,
+        parserWarnings: [...ir.parserWarnings, ...halo2.parserWarnings]
+    };
+}
+//# sourceMappingURL=audit-engine.js.map

package/dist/core/audit-engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-engine.js","sourceRoot":"","sources":["../../src/core/audit-engine.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,0CAA0C,CAAC;AAC1E,OAAO,EAAE,YAAY,EAAE,MAAM,wCAAwC,CAAC;AAEtE,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE9C,SAAS,YAAY,CAAC,WAAmB,EAAE,UAAkB;IAC3D,IAAI,WAAW,GAAG,CAAC,IAAI,UAAU,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC;IACtD,IAAI,UAAU,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC;IACnC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAc,EAAE,WAAgC,EAAE,MAAqB,EAAE,aAAiC,EAAE;IAC3I,MAAM,EAAE,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IACvC,MAAM,KAAK,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;IACvC,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,EAAE,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC;IACxC,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACnF,OAAO;QACL,IAAI,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,OAAO,EAAE;QACjD,MAAM;QACN,QAAQ,EAAE,YAAY,CAAC,WAAW,CAAC,MAAM,EAAE,UAAU,CAAC,MAAM,CAAC;QAC7D,YAAY,EAAE,WAAW,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM;QACpD,aAAa;QACb,OAAO,EAAE,eAAe,CAAC,MAAM,CAAC;QAChC,MAAM;QACN,cAAc,EAAE,CAAC,GAAG,EAAE,CAAC,cAAc,EAAE,GAAG,KAAK,CAAC,cAAc,CAAC;KAChE,CAAC;AACJ,CAAC"}

package/dist/core/file-loader.d.ts

@@ -0,0 +1,6 @@
+export interface LoadedFile {
+    filePath: string;
+    rawSource: string;
+}
+export declare function loadCircomFiles(target: string, ignore?: string[]): Promise<LoadedFile[]>;
+export declare function loadRustFiles(target: string, ignore?: string[]): Promise<LoadedFile[]>;

package/dist/core/file-loader.js

@@ -0,0 +1,28 @@
+import { readFile } from "node:fs/promises";
+import { statSync } from "node:fs";
+import { resolve } from "node:path";
+import fg from "fast-glob";
+async function loadFilesByExtension(target, extensions, ignore = []) {
+    const absoluteTarget = resolve(process.cwd(), target);
+    const stat = statSync(absoluteTarget);
+    const patterns = stat.isDirectory() ? extensions.map((extension) => `**/*${extension}`) : [absoluteTarget];
+    const cwd = stat.isDirectory() ? absoluteTarget : process.cwd();
+    const entries = await fg(patterns, {
+        cwd,
+        absolute: true,
+        onlyFiles: true,
+        ignore: ignore.map((entry) => `**/${entry}/**`)
+    });
+    const unique = [...new Set(entries)].filter((file) => extensions.some((extension) => file.endsWith(extension)));
+    return Promise.all(unique.sort().map(async (filePath) => ({
+        filePath,
+        rawSource: await readFile(filePath, "utf8")
+    })));
+}
+export async function loadCircomFiles(target, ignore = []) {
+    return loadFilesByExtension(target, [".circom"], ignore);
+}
+export async function loadRustFiles(target, ignore = []) {
+    return loadFilesByExtension(target, [".rs"], ignore);
+}
+//# sourceMappingURL=file-loader.js.map

package/dist/core/file-loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-loader.js","sourceRoot":"","sources":["../../src/core/file-loader.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,MAAM,WAAW,CAAC;AAO3B,KAAK,UAAU,oBAAoB,CAAC,MAAc,EAAE,UAAoB,EAAE,SAAmB,EAAE;IAC7F,MAAM,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,IAAI,GAAG,QAAQ,CAAC,cAAc,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,OAAO,SAAS,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;IAC3G,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;IAChE,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,EAAE;QACjC,GAAG;QACH,QAAQ,EAAE,IAAI;QACd,SAAS,EAAE,IAAI;QACf,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,KAAK,KAAK,CAAC;KAChD,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAChH,OAAO,OAAO,CAAC,GAAG,CAChB,MAAM,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;QACrC,QAAQ;QACR,SAAS,EAAE,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;KAC5C,CAAC,CAAC,CACJ,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAAc,EAAE,SAAmB,EAAE;IACzE,OAAO,oBAAoB,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,MAAc,EAAE,SAAmB,EAAE;IACvE,OAAO,oBAAoB,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,CAAC;AACvD,CAAC"}

package/dist/core/issue-builder.d.ts

@@ -0,0 +1,16 @@
+import type { Confidence, Issue, Severity, SourceLocation } from "../types.js";
+export declare function resetIssueCounter(): void;
+export declare function buildIssue(input: {
+    ruleId: string;
+    title: string;
+    severity: Severity;
+    confidence?: Confidence;
+    location: SourceLocation;
+    signalName?: string;
+    explanation: string;
+    impact: string;
+    suggestedFix: string;
+    references?: string[];
+    tags?: string[];
+    metadata?: Record<string, unknown>;
+}): Issue;

package/dist/core/issue-builder.js

@@ -0,0 +1,27 @@
+let issueCounter = 0;
+export function resetIssueCounter() {
+    issueCounter = 0;
+}
+export function buildIssue(input) {
+    issueCounter += 1;
+    return {
+        id: `${input.ruleId}-${String(issueCounter).padStart(4, "0")}`,
+        ruleId: input.ruleId,
+        title: input.title,
+        severity: input.severity,
+        confidence: input.confidence ?? "HIGH",
+        file: input.location.file,
+        line: input.location.line,
+        column: input.location.column,
+        snippet: input.location.snippet,
+        templateName: input.location.templateName,
+        signalName: input.signalName,
+        explanation: input.explanation,
+        impact: input.impact,
+        suggestedFix: input.suggestedFix,
+        references: input.references,
+        tags: input.tags ?? [],
+        metadata: input.metadata
+    };
+}
+//# sourceMappingURL=issue-builder.js.map

package/dist/core/issue-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"issue-builder.js","sourceRoot":"","sources":["../../src/core/issue-builder.ts"],"names":[],"mappings":"AAEA,IAAI,YAAY,GAAG,CAAC,CAAC;AAErB,MAAM,UAAU,iBAAiB;IAC/B,YAAY,GAAG,CAAC,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,KAa1B;IACC,YAAY,IAAI,CAAC,CAAC;IAClB,OAAO;QACL,EAAE,EAAE,GAAG,KAAK,CAAC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;QAC9D,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,MAAM;QACtC,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI;QACzB,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI;QACzB,MAAM,EAAE,KAAK,CAAC,QAAQ,CAAC,MAAM;QAC7B,OAAO,EAAE,KAAK,CAAC,QAAQ,CAAC,OAAO;QAC/B,YAAY,EAAE,KAAK,CAAC,QAAQ,CAAC,YAAY;QACzC,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,YAAY,EAAE,KAAK,CAAC,YAAY;QAChC,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,IAAI,EAAE,KAAK,CAAC,IAAI,IAAI,EAAE;QACtB,QAAQ,EAAE,KAAK,CAAC,QAAQ;KACzB,CAAC;AACJ,CAAC"}

package/dist/core/range-check-classifier.d.ts

@@ -0,0 +1,16 @@
+import type { AuditContext, Confidence, Severity, SignalDeclaration, SignalKind } from "../types.js";
+export type RangeCheckCategory = "amount" | "balance" | "fee" | "nonce" | "index" | "timestamp" | "quantity" | "count" | "size" | "limb" | "hash" | "commitment" | "root" | "nullifier" | "selector" | "derived" | "unknown";
+export interface RangeCheckAssessment {
+    shouldReport: boolean;
+    category: RangeCheckCategory;
+    confidence: Confidence;
+    severity: Severity;
+    explanation: string;
+}
+export declare function classifyRangeCheckSignal(name: string, kind: SignalKind): RangeCheckCategory;
+export declare function isHashLikeCategory(category: RangeCheckCategory): boolean;
+export declare function isPrimaryRangeCategory(category: RangeCheckCategory): boolean;
+export declare function isHashComponentOutput(signal: SignalDeclaration, context: AuditContext): boolean;
+export declare function isUsedAsBoundedInteger(signal: SignalDeclaration, context: AuditContext): boolean;
+export declare function operandsHaveRangeCheck(signal: SignalDeclaration, context: AuditContext): boolean;
+export declare function assessRangeCheckRisk(signal: SignalDeclaration, context: AuditContext): RangeCheckAssessment;

package/dist/core/range-check-classifier.js

@@ -0,0 +1,194 @@
+import { baseSignalName } from "../frontends/circom/circom-utils.js";
+const PRIMARY_RANGE_CATEGORIES = new Set([
+    "amount",
+    "balance",
+    "fee",
+    "nonce",
+    "index",
+    "timestamp",
+    "quantity",
+    "count",
+    "size",
+    "limb"
+]);
+const HASH_COMPONENT_PATTERN = /Poseidon|Pedersen|Rescue|MiMC|MimcSponge|Sha256|Blake/i;
+function sameTemplate(a, b) {
+    if (!a || !b)
+        return true;
+    return a === b;
+}
+export function classifyRangeCheckSignal(name, kind) {
+    const lower = name.toLowerCase();
+    if (/nullifier/.test(lower))
+        return "nullifier";
+    if (/hash/.test(lower))
+        return "hash";
+    if (/commitment/.test(lower))
+        return "commitment";
+    if (/^root$|merkleroot|merkle_root|computedroot|state_root|treeroot/.test(lower) || (lower.includes("root") && kind === "input")) {
+        return "root";
+    }
+    if (kind === "output" && /^remaining|^allowed|^total|^new|^updated|^adjusted|^resulting|^computed/.test(lower)) {
+        return "derived";
+    }
+    if (/selector|select/.test(lower))
+        return "selector";
+    if (lower === "amount" || /(^|_)amount($|_)/.test(lower))
+        return "amount";
+    if (lower === "balance" || /(^|_)balance($|_)/.test(lower))
+        return "balance";
+    if (/\bfee\b|^fee|_fee$/.test(lower))
+        return "fee";
+    if (/\bnonce\b/.test(lower))
+        return "nonce";
+    if (/\bindex\b|\bidx\b|_index$|_idx$/.test(lower))
+        return "index";
+    if (/timestamp|time_stamp/.test(lower))
+        return "timestamp";
+    if (/\bquantity\b|\bqty\b/.test(lower))
+        return "quantity";
+    if (/\bcount\b/.test(lower))
+        return "count";
+    if (/\bsize\b|\blength\b/.test(lower))
+        return "size";
+    if (/\blimb\b|\blimbs\b/.test(lower))
+        return "limb";
+    return "unknown";
+}
+export function isHashLikeCategory(category) {
+    return category === "hash" || category === "commitment" || category === "root" || category === "nullifier";
+}
+export function isPrimaryRangeCategory(category) {
+    return PRIMARY_RANGE_CATEGORIES.has(category);
+}
+function namesEquivalent(reference, signalName) {
+    return baseSignalName(reference) === baseSignalName(signalName);
+}
+export function isHashComponentOutput(signal, context) {
+    return context.graph.assignmentsForSignal(signal.name).some((assignment) => {
+        const match = assignment.rhs.match(/^([A-Za-z_][A-Za-z0-9_]*)\.out\b/);
+        if (!match)
+            return false;
+        const component = context.ir.components.find((candidate) => candidate.name === match[1]);
+        return Boolean(component && HASH_COMPONENT_PATTERN.test(component.templateType ?? ""));
+    });
+}
+export function isUsedAsBoundedInteger(signal, context) {
+    const references = context.graph.signalReferences(signal.name).filter((ref) => sameTemplate(ref.templateName, signal.templateName));
+    return references.some((ref) => {
+        const snippet = (ref.snippet ?? "").replace(/\s+/g, " ");
+        if (/LessThan|LessEqThan|GreaterThan|GreaterEqThan|Num2Bits|RangeCheck|rangeCheck|AliasCheck|Decompose/.test(snippet)) {
+            return true;
+        }
+        const mentionsSignal = snippet.includes(signal.baseName);
+        if (!mentionsSignal)
+            return false;
+        if (/[+\-*/]/.test(snippet) && !/===/.test(snippet))
+            return true;
+        if (/===/.test(snippet) && /[+\-*/]/.test(snippet))
+            return true;
+        return false;
+    });
+}
+export function operandsHaveRangeCheck(signal, context) {
+    const assignments = context.graph
+        .assignmentsForSignal(signal.name)
+        .filter((assignment) => sameTemplate(assignment.templateName, signal.templateName));
+    return assignments.some((assignment) => {
+        const operands = assignment.referencedSignals.filter((ref) => !namesEquivalent(ref, signal.name));
+        const primaryOperands = operands.filter((operand) => isPrimaryRangeCategory(classifyRangeCheckSignal(baseSignalName(operand), "input")));
+        if (primaryOperands.length === 0)
+            return true;
+        return primaryOperands.every((operand) => context.graph.hasRangeCheck(operand, signal.templateName));
+    });
+}
+function isArithmeticOutput(signal, context) {
+    if (signal.kind !== "output")
+        return false;
+    return context.graph
+        .assignmentsForSignal(signal.name)
+        .filter((assignment) => sameTemplate(assignment.templateName, signal.templateName))
+        .some((assignment) => /[+\-*/]/.test(assignment.rhs));
+}
+export function assessRangeCheckRisk(signal, context) {
+    const category = classifyRangeCheckSignal(signal.baseName, signal.kind);
+    const templateName = signal.templateName;
+    if (context.graph.hasRangeCheck(signal.name, templateName)) {
+        return {
+            shouldReport: false,
+            category,
+            confidence: "HIGH",
+            severity: "INFO",
+            explanation: "Signal already has an obvious range-check pattern."
+        };
+    }
+    if (context.graph.signalReferences(signal.name).filter((ref) => sameTemplate(ref.templateName, templateName)).length === 0) {
+        return {
+            shouldReport: false,
+            category,
+            confidence: "LOW",
+            severity: "INFO",
+            explanation: "Signal is not referenced in parsed constraints or assignments."
+        };
+    }
+    const hashOutput = isHashComponentOutput(signal, context);
+    const boundedIntegerUse = isUsedAsBoundedInteger(signal, context);
+    const derivedOutput = category === "derived" || isArithmeticOutput(signal, context);
+    const operandsChecked = operandsHaveRangeCheck(signal, context);
+    if (hashOutput || isHashLikeCategory(category)) {
+        if (!boundedIntegerUse) {
+            return {
+                shouldReport: false,
+                category,
+                confidence: "LOW",
+                severity: "INFO",
+                explanation: `The ${category} signal \`${signal.name}\` is used for binding or hashing, not as a bounded integer.`
+            };
+        }
+        return {
+            shouldReport: true,
+            category,
+            confidence: "LOW",
+            severity: "LOW",
+            explanation: `The ${category} signal \`${signal.name}\` is used in arithmetic without an obvious range-check pattern. Confidence is low because hash-like values are usually field elements, not bounded integers.`
+        };
+    }
+    if (category === "derived" || derivedOutput) {
+        if (operandsChecked) {
+            return {
+                shouldReport: false,
+                category: "derived",
+                confidence: "LOW",
+                severity: "INFO",
+                explanation: `The derived output \`${signal.name}\` is computed from operands that already have range checks.`
+            };
+        }
+        if (signal.kind === "output") {
+            return {
+                shouldReport: true,
+                category: "derived",
+                confidence: "LOW",
+                severity: "MEDIUM",
+                explanation: `The derived output \`${signal.name}\` is produced by arithmetic without an obvious range check on its operands or result.`
+            };
+        }
+    }
+    if (isPrimaryRangeCategory(category)) {
+        const inputTarget = signal.kind === "input";
+        return {
+            shouldReport: true,
+            category,
+            confidence: inputTarget ? "HIGH" : "MEDIUM",
+            severity: inputTarget ? "HIGH" : "MEDIUM",
+            explanation: `The ${category} signal \`${signal.name}\` is used without an obvious Num2Bits, RangeCheck, comparator, decomposition, or AliasCheck pattern.`
+        };
+    }
+    return {
+        shouldReport: false,
+        category,
+        confidence: "LOW",
+        severity: "INFO",
+        explanation: `The signal \`${signal.name}\` does not match a primary bounded-integer range-check target.`
+    };
+}
+//# sourceMappingURL=range-check-classifier.js.map

package/dist/core/range-check-classifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"range-check-classifier.js","sourceRoot":"","sources":["../../src/core/range-check-classifier.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,qCAAqC,CAAC;AAqBrE,MAAM,wBAAwB,GAAG,IAAI,GAAG,CAAqB;IAC3D,QAAQ;IACR,SAAS;IACT,KAAK;IACL,OAAO;IACP,OAAO;IACP,WAAW;IACX,UAAU;IACV,OAAO;IACP,MAAM;IACN,MAAM;CACP,CAAC,CAAC;AAEH,MAAM,sBAAsB,GAAG,wDAAwD,CAAC;AAUxF,SAAS,YAAY,CAAC,CAAU,EAAE,CAAU;IAC1C,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1B,OAAO,CAAC,KAAK,CAAC,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,IAAY,EAAE,IAAgB;IACrE,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IAEjC,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,WAAW,CAAC;IAChD,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IACtC,IAAI,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,YAAY,CAAC;IAClD,IAAI,gEAAgE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,KAAK,OAAO,CAAC,EAAE,CAAC;QACjI,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IAAI,IAAI,KAAK,QAAQ,IAAI,yEAAyE,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/G,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,UAAU,CAAC;IAErD,IAAI,KAAK,KAAK,QAAQ,IAAI,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC1E,IAAI,KAAK,KAAK,SAAS,IAAI,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAC7E,IAAI,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACnD,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,OAAO,CAAC;IAC5C,IAAI,iCAAiC,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,OAAO,CAAC;IAClE,IAAI,sBAAsB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,WAAW,CAAC;IAC3D,IAAI,sBAAsB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,UAAU,CAAC;IAC1D,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,OAAO,CAAC;IAC5C,IAAI,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IACrD,IAAI,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAEpD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,QAA4B;IAC7D,OAAO,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,WAAW,CAAC;AAC7G,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,QAA4B;IACjE,OAAO,wBAAwB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AAChD,CAAC;AAED,SAAS,eAAe,CAAC,SAAiB,EAAE,UAAkB;IAC5D,OAAO,cAAc,CAAC,SAAS,CAAC,KAAK,cAAc,CAAC,UAAU,CAAC,CAAC;AAClE,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,MAAyB,EAAE,OAAqB;IACpF,OAAO,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,EAAE;QACzE,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACvE,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACzB,MAAM,SAAS,GAAG,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACzF,OAAO,OAAO,CAAC,SAAS,IAAI,sBAAsB,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,CAAC;IACzF,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,MAAyB,EAAE,OAAqB;IACrF,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;IAEpI,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE;QAC7B,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACzD,IAAI,mGAAmG,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACtH,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACzD,IAAI,CAAC,cAAc;YAAE,OAAO,KAAK,CAAC;QAElC,IAAI,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;QACjE,IAAI,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;QAEhE,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,MAAyB,EAAE,OAAqB;IACrF,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK;SAC9B,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC;SACjC,MAAM,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;IAEtF,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,EAAE;QACrC,MAAM,QAAQ,GAAG,UAAU,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,eAAe,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;QAClG,MAAM,eAAe,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,sBAAsB,CAAC,wBAAwB,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;QAEzI,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAC9C,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;IACvG,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAyB,EAAE,OAAqB;IAC1E,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC3C,OAAO,OAAO,CAAC,KAAK;SACjB,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC;SACjC,MAAM,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;SAClF,IAAI,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,MAAyB,EAAE,OAAqB;IACnF,MAAM,QAAQ,GAAG,wBAAwB,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;IACxE,MAAM,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;IAEzC,IAAI,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,EAAE,YAAY,CAAC,EAAE,CAAC;QAC3D,OAAO;YACL,YAAY,EAAE,KAAK;YACnB,QAAQ;YACR,UAAU,EAAE,MAAM;YAClB,QAAQ,EAAE,MAAM;YAChB,WAAW,EAAE,oDAAoD;SAClE,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3H,OAAO;YACL,YAAY,EAAE,KAAK;YACnB,QAAQ;YACR,UAAU,EAAE,KAAK;YACjB,QAAQ,EAAE,MAAM;YAChB,WAAW,EAAE,gEAAgE;SAC9E,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,qBAAqB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC1D,MAAM,iBAAiB,GAAG,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClE,MAAM,aAAa,GAAG,QAAQ,KAAK,SAAS,IAAI,kBAAkB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACpF,MAAM,eAAe,GAAG,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAEhE,IAAI,UAAU,IAAI,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC/C,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,OAAO;gBACL,YAAY,EAAE,KAAK;gBACnB,QAAQ;gBACR,UAAU,EAAE,KAAK;gBACjB,QAAQ,EAAE,MAAM;gBAChB,WAAW,EAAE,OAAO,QAAQ,aAAa,MAAM,CAAC,IAAI,8DAA8D;aACnH,CAAC;QACJ,CAAC;QAED,OAAO;YACL,YAAY,EAAE,IAAI;YAClB,QAAQ;YACR,UAAU,EAAE,KAAK;YACjB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,OAAO,QAAQ,aAAa,MAAM,CAAC,IAAI,+JAA+J;SACpN,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,KAAK,SAAS,IAAI,aAAa,EAAE,CAAC;QAC5C,IAAI,eAAe,EAAE,CAAC;YACpB,OAAO;gBACL,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,SAAS;gBACnB,UAAU,EAAE,KAAK;gBACjB,QAAQ,EAAE,MAAM;gBAChB,WAAW,EAAE,wBAAwB,MAAM,CAAC,IAAI,8DAA8D;aAC/G,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,OAAO;gBACL,YAAY,EAAE,IAAI;gBAClB,QAAQ,EAAE,SAAS;gBACnB,UAAU,EAAE,KAAK;gBACjB,QAAQ,EAAE,QAAQ;gBAClB,WAAW,EAAE,wBAAwB,MAAM,CAAC,IAAI,wFAAwF;aACzI,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,sBAAsB,CAAC,QAAQ,CAAC,EAAE,CAAC;QACrC,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,KAAK,OAAO,CAAC;QAC5C,OAAO;YACL,YAAY,EAAE,IAAI;YAClB,QAAQ;YACR,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;YAC3C,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;YACzC,WAAW,EAAE,OAAO,QAAQ,aAAa,MAAM,CAAC,IAAI,uGAAuG;SAC5J,CAAC;IACJ,CAAC;IAED,OAAO;QACL,YAAY,EAAE,KAAK;QACnB,QAAQ;QACR,UAAU,EAAE,KAAK;QACjB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,gBAAgB,MAAM,CAAC,IAAI,iEAAiE;KAC1G,CAAC;AACJ,CAAC"}

package/dist/core/rule-engine.d.ts

@@ -0,0 +1,10 @@
+import type { AuditContext, Issue, Rule } from "../types.js";
+export declare class RuleEngine {
+    private readonly rules;
+    constructor(rules: Rule[]);
+    run(context: AuditContext): {
+        issues: Issue[];
+        rulesExecuted: number;
+    };
+    private sortAndDeduplicate;
+}

package/dist/core/rule-engine.js

@@ -0,0 +1,41 @@
+import { compareSeverity, normalizeSeverity } from "./severity.js";
+import { resetIssueCounter } from "./issue-builder.js";
+function configuredSeverity(ruleId, configValue, fallback) {
+    return normalizeSeverity(configValue, fallback);
+}
+export class RuleEngine {
+    rules;
+    constructor(rules) {
+        this.rules = rules;
+    }
+    run(context) {
+        resetIssueCounter();
+        const issues = [];
+        let rulesExecuted = 0;
+        for (const rule of this.rules) {
+            const setting = context.config.rules[rule.id] ?? context.config.rules[rule.id.replace(/-.*/, "")];
+            if (String(setting).toLowerCase() === "off")
+                continue;
+            rulesExecuted += 1;
+            const ruleIssues = rule.analyze(context).map((issue) => ({
+                ...issue,
+                severity: configuredSeverity(rule.id, typeof setting === "string" ? setting : undefined, issue.severity)
+            }));
+            issues.push(...ruleIssues);
+        }
+        return { issues: this.sortAndDeduplicate(issues), rulesExecuted };
+    }
+    sortAndDeduplicate(issues) {
+        const seen = new Set();
+        const deduped = [];
+        for (const issue of issues) {
+            const key = `${issue.ruleId}:${issue.file}:${issue.line}:${issue.signalName ?? ""}:${issue.snippet ?? ""}`;
+            if (seen.has(key))
+                continue;
+            seen.add(key);
+            deduped.push(issue);
+        }
+        return deduped.sort((a, b) => compareSeverity(a.severity, b.severity) || a.file.localeCompare(b.file) || a.line - b.line);
+    }
+}
+//# sourceMappingURL=rule-engine.js.map

package/dist/core/rule-engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rule-engine.js","sourceRoot":"","sources":["../../src/core/rule-engine.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAEvD,SAAS,kBAAkB,CAAC,MAAc,EAAE,WAA+B,EAAE,QAAkB;IAC7F,OAAO,iBAAiB,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;AAClD,CAAC;AAED,MAAM,OAAO,UAAU;IACQ;IAA7B,YAA6B,KAAa;QAAb,UAAK,GAAL,KAAK,CAAQ;IAAG,CAAC;IAE9C,GAAG,CAAC,OAAqB;QACvB,iBAAiB,EAAE,CAAC;QACpB,MAAM,MAAM,GAAY,EAAE,CAAC;QAC3B,IAAI,aAAa,GAAG,CAAC,CAAC;QAEtB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC;YAClG,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,KAAK,KAAK;gBAAE,SAAS;YACtD,aAAa,IAAI,CAAC,CAAC;YACnB,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACvD,GAAG,KAAK;gBACR,QAAQ,EAAE,kBAAkB,CAAC,IAAI,CAAC,EAAE,EAAE,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,EAAE,KAAK,CAAC,QAAQ,CAAC;aACzG,CAAC,CAAC,CAAC;YACJ,MAAM,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QAC7B,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,EAAE,aAAa,EAAE,CAAC;IACpE,CAAC;IAEO,kBAAkB,CAAC,MAAe;QACxC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,MAAM,OAAO,GAAY,EAAE,CAAC;QAC5B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,GAAG,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,UAAU,IAAI,EAAE,IAAI,KAAK,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;YAC3G,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,SAAS;YAC5B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACd,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;QACD,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC;IAC5H,CAAC;CACF"}

package/dist/core/severity.d.ts

@@ -0,0 +1,6 @@
+import type { Severity } from "../types.js";
+export declare const severityOrder: Record<Severity, number>;
+export declare const severities: Severity[];
+export declare function normalizeSeverity(value: string | undefined, fallback: Severity): Severity;
+export declare function isAtOrAbove(severity: Severity, threshold: Severity): boolean;
+export declare function compareSeverity(a: Severity, b: Severity): number;

package/dist/core/severity.js

@@ -0,0 +1,21 @@
+export const severityOrder = {
+    CRITICAL: 5,
+    HIGH: 4,
+    MEDIUM: 3,
+    LOW: 2,
+    INFO: 1
+};
+export const severities = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"];
+export function normalizeSeverity(value, fallback) {
+    if (!value)
+        return fallback;
+    const upper = value.toUpperCase();
+    return severities.includes(upper) ? upper : fallback;
+}
+export function isAtOrAbove(severity, threshold) {
+    return severityOrder[severity] >= severityOrder[threshold];
+}
+export function compareSeverity(a, b) {
+    return severityOrder[b] - severityOrder[a];
+}
+//# sourceMappingURL=severity.js.map

package/dist/core/severity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"severity.js","sourceRoot":"","sources":["../../src/core/severity.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,aAAa,GAA6B;IACrD,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACR,CAAC;AAEF,MAAM,CAAC,MAAM,UAAU,GAAe,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;AAEpF,MAAM,UAAU,iBAAiB,CAAC,KAAyB,EAAE,QAAkB;IAC7E,IAAI,CAAC,KAAK;QAAE,OAAO,QAAQ,CAAC;IAC5B,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IAClC,OAAO,UAAU,CAAC,QAAQ,CAAC,KAAiB,CAAC,CAAC,CAAC,CAAE,KAAkB,CAAC,CAAC,CAAC,QAAQ,CAAC;AACjF,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,QAAkB,EAAE,SAAmB;IACjE,OAAO,aAAa,CAAC,QAAQ,CAAC,IAAI,aAAa,CAAC,SAAS,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,CAAW,EAAE,CAAW;IACtD,OAAO,aAAa,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;AAC7C,CAAC"}

package/dist/core/source-map.d.ts

@@ -0,0 +1,3 @@
+export declare function getLine(source: string, line: number): string;
+export declare function columnOf(lineText: string, needle: string): number;
+export declare function lineStartOffsets(source: string): number[];

package/dist/core/source-map.js

@@ -0,0 +1,16 @@
+export function getLine(source, line) {
+    return source.split(/\r?\n/)[line - 1]?.trimEnd() ?? "";
+}
+export function columnOf(lineText, needle) {
+    const index = lineText.indexOf(needle);
+    return index >= 0 ? index + 1 : 1;
+}
+export function lineStartOffsets(source) {
+    const starts = [0];
+    for (let i = 0; i < source.length; i += 1) {
+        if (source[i] === "\n")
+            starts.push(i + 1);
+    }
+    return starts;
+}
+//# sourceMappingURL=source-map.js.map

package/dist/core/source-map.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"source-map.js","sourceRoot":"","sources":["../../src/core/source-map.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,OAAO,CAAC,MAAc,EAAE,IAAY;IAClD,OAAO,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,QAAgB,EAAE,MAAc;IACvD,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACvC,OAAO,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,MAAM,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;IACnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI;YAAE,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/frontends/circom/circom-comments.d.ts

@@ -0,0 +1,8 @@
+export interface CommentStripResult {
+    source: string;
+    comments: Array<{
+        line: number;
+        text: string;
+    }>;
+}
+export declare function stripCircomComments(source: string): CommentStripResult;

package/dist/frontends/circom/circom-comments.js

@@ -0,0 +1,52 @@
+export function stripCircomComments(source) {
+    let output = "";
+    const comments = [];
+    let line = 1;
+    let i = 0;
+    while (i < source.length) {
+        const ch = source[i];
+        const next = source[i + 1];
+        if (ch === "/" && next === "/") {
+            const startLine = line;
+            let text = "";
+            while (i < source.length && source[i] !== "\n") {
+                text += source[i];
+                output += " ";
+                i += 1;
+            }
+            comments.push({ line: startLine, text });
+            continue;
+        }
+        if (ch === "/" && next === "*") {
+            const startLine = line;
+            let text = "";
+            while (i < source.length) {
+                const current = source[i];
+                const following = source[i + 1];
+                text += current;
+                if (current === "\n") {
+                    output += "\n";
+                    line += 1;
+                }
+                else {
+                    output += " ";
+                }
+                i += 1;
+                if (current === "*" && following === "/") {
+                    text += following;
+                    output += " ";
+                    i += 1;
+                    break;
+                }
+            }
+            comments.push({ line: startLine, text });
+            continue;
+        }
+        output += ch;
+        if (ch === "\n")
+            line += 1;
+        i += 1;
+    }
+    return { source: output, comments };
+}
+//# sourceMappingURL=circom-comments.js.map

package/dist/frontends/circom/circom-comments.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"circom-comments.js","sourceRoot":"","sources":["../../../src/frontends/circom/circom-comments.ts"],"names":[],"mappings":"AAKA,MAAM,UAAU,mBAAmB,CAAC,MAAc;IAChD,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,MAAM,QAAQ,GAA0C,EAAE,CAAC;IAC3D,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,IAAI,CAAC,GAAG,CAAC,CAAC;IAEV,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;QACzB,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACrB,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAE3B,IAAI,EAAE,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YAC/B,MAAM,SAAS,GAAG,IAAI,CAAC;YACvB,IAAI,IAAI,GAAG,EAAE,CAAC;YACd,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC/C,IAAI,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC;gBAClB,MAAM,IAAI,GAAG,CAAC;gBACd,CAAC,IAAI,CAAC,CAAC;YACT,CAAC;YACD,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACzC,SAAS;QACX,CAAC;QAED,IAAI,EAAE,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YAC/B,MAAM,SAAS,GAAG,IAAI,CAAC;YACvB,IAAI,IAAI,GAAG,EAAE,CAAC;YACd,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;gBACzB,MAAM,OAAO,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC1B,MAAM,SAAS,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAChC,IAAI,IAAI,OAAO,CAAC;gBAChB,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;oBACrB,MAAM,IAAI,IAAI,CAAC;oBACf,IAAI,IAAI,CAAC,CAAC;gBACZ,CAAC;qBAAM,CAAC;oBACN,MAAM,IAAI,GAAG,CAAC;gBAChB,CAAC;gBACD,CAAC,IAAI,CAAC,CAAC;gBACP,IAAI,OAAO,KAAK,GAAG,IAAI,SAAS,KAAK,GAAG,EAAE,CAAC;oBACzC,IAAI,IAAI,SAAS,CAAC;oBAClB,MAAM,IAAI,GAAG,CAAC;oBACd,CAAC,IAAI,CAAC,CAAC;oBACP,MAAM;gBACR,CAAC;YACH,CAAC;YACD,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACzC,SAAS;QACX,CAAC;QAED,MAAM,IAAI,EAAE,CAAC;QACb,IAAI,EAAE,KAAK,IAAI;YAAE,IAAI,IAAI,CAAC,CAAC;QAC3B,CAAC,IAAI,CAAC,CAAC;IACT,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;AACtC,CAAC"}

package/dist/frontends/circom/circom-ir-builder.d.ts

@@ -0,0 +1,2 @@
+import type { CircuitIR, ParsedCircuitFile } from "../../types.js";
+export declare function buildCircuitIR(files: ParsedCircuitFile[]): CircuitIR;

package/dist/frontends/circom/circom-ir-builder.js

@@ -0,0 +1,12 @@
+export function buildCircuitIR(files) {
+    return {
+        files,
+        signals: files.flatMap((file) => file.signals),
+        components: files.flatMap((file) => file.components),
+        assignments: files.flatMap((file) => file.assignments),
+        constraints: files.flatMap((file) => file.constraints),
+        assertions: files.flatMap((file) => file.assertions),
+        parserWarnings: files.flatMap((file) => file.parserWarnings)
+    };
+}
+//# sourceMappingURL=circom-ir-builder.js.map

package/dist/frontends/circom/circom-ir-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"circom-ir-builder.js","sourceRoot":"","sources":["../../../src/frontends/circom/circom-ir-builder.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,cAAc,CAAC,KAA0B;IACvD,OAAO;QACL,KAAK;QACL,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;QAC9C,UAAU,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC;QACpD,WAAW,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC;QACtD,WAAW,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC;QACtD,UAAU,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC;QACpD,cAAc,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC;KAC7D,CAAC;AACJ,CAAC"}