@trynullsec/s1-zk 1.0.0

package/examples/halo2/safe/safe-inverse.rs

@@ -0,0 +1,30 @@
+use halo2_proofs::plonk::{Advice, Column, ConstraintSystem, Selector};
+
+struct Config {
+    denominator: Column<Advice>,
+    inverse: Column<Advice>,
+    q_nonzero: Selector,
+}
+
+fn configure(meta: &mut ConstraintSystem<Fp>) -> Config {
+    let denominator = meta.advice_column();
+    let inverse = meta.advice_column();
+    let q_nonzero = meta.selector();
+    meta.create_gate("safe inverse", |meta| {
+        let s = meta.query_selector(q_nonzero);
+        let d = meta.query_advice(denominator, Rotation::cur());
+        let inv = meta.query_advice(inverse, Rotation::cur());
+        vec![s * (d * inv - Expression::Constant(Fp::one()))]
+    });
+    Config { denominator, inverse, q_nonzero }
+}
+
+fn synthesize(config: Config, mut layouter: impl Layouter<Fp>) {
+    layouter.assign_region(|| "safe inverse", |mut region| {
+        config.q_nonzero.enable(&mut region, 0)?;
+        assert!(!witness.denominator.is_zero());
+        let inv = witness.denominator.invert().unwrap();
+        region.assign_advice(|| "inverse", config.inverse, 0, || Value::known(inv))?;
+        Ok(())
+    });
+}

package/examples/halo2/safe/safe-selector.rs

@@ -0,0 +1,27 @@
+use halo2_proofs::plonk::{Advice, Column, ConstraintSystem, Selector};
+
+struct Config {
+    lhs: Column<Advice>,
+    rhs: Column<Advice>,
+    q_swap: Selector,
+}
+
+fn configure(meta: &mut ConstraintSystem<Fp>) -> Config {
+    let lhs = meta.advice_column();
+    let rhs = meta.advice_column();
+    let q_swap = meta.selector();
+    meta.create_gate("conditional swap", |meta| {
+        let s = meta.query_selector(q_swap);
+        let a = meta.query_advice(lhs, Rotation::cur());
+        let b = meta.query_advice(rhs, Rotation::cur());
+        vec![s.clone() * (a - b)]
+    });
+    Config { lhs, rhs, q_swap }
+}
+
+fn synthesize(config: Config, mut layouter: impl Layouter<Fp>) {
+    layouter.assign_region(|| "selector discipline", |mut region| {
+        config.q_swap.enable(&mut region, 0)?;
+        Ok(())
+    });
+}

package/examples/halo2/vulnerable/missing-selector-booleanity.rs

@@ -0,0 +1,20 @@
+use halo2_proofs::plonk::{Advice, Column, ConstraintSystem, Selector};
+
+struct Config {
+    lhs: Column<Advice>,
+    rhs: Column<Advice>,
+    q_swap: Selector,
+}
+
+fn configure(meta: &mut ConstraintSystem<Fp>) -> Config {
+    let lhs = meta.advice_column();
+    let rhs = meta.advice_column();
+    let q_swap = meta.selector();
+    meta.create_gate("conditional swap", |meta| {
+        let s = meta.query_selector(q_swap);
+        let a = meta.query_advice(lhs, Rotation::cur());
+        let b = meta.query_advice(rhs, Rotation::cur());
+        vec![s.clone() * (a - b)]
+    });
+    Config { lhs, rhs, q_swap }
+}

package/examples/halo2/vulnerable/partial-ec-mul.rs

@@ -0,0 +1,23 @@
+use halo2_proofs::plonk::{Advice, Column, ConstraintSystem};
+
+struct Config {
+    scalar: Column<Advice>,
+    point_x: Column<Advice>,
+    point_y: Column<Advice>,
+}
+
+fn configure(meta: &mut ConstraintSystem<Fp>) -> Config {
+    let scalar = meta.advice_column();
+    let point_x = meta.advice_column();
+    let point_y = meta.advice_column();
+    Config { scalar, point_x, point_y }
+}
+
+fn synthesize(config: Config, mut layouter: impl Layouter<Fp>) {
+    layouter.assign_region(|| "partial ec mul", |mut region| {
+        let variable_base_mul = curve_point * scalar;
+        region.assign_advice(|| "ec point x", config.point_x, 0, || Value::known(variable_base_mul.x))?;
+        region.assign_advice(|| "ec point y", config.point_y, 0, || Value::known(variable_base_mul.y))?;
+        Ok(())
+    });
+}

package/examples/halo2/vulnerable/unbound-instance.rs

@@ -0,0 +1,20 @@
+use halo2_proofs::plonk::{Advice, Column, ConstraintSystem, Instance};
+
+struct Config {
+    advice: Column<Advice>,
+    instance: Column<Instance>,
+}
+
+fn configure(meta: &mut ConstraintSystem<Fp>) -> Config {
+    let advice = meta.advice_column();
+    let instance = meta.instance_column();
+    Config { advice, instance }
+}
+
+fn synthesize(config: Config, mut layouter: impl Layouter<Fp>) {
+    let public = meta.query_instance(config.instance, Rotation::cur());
+    layouter.assign_region(|| "unbound public value", |mut region| {
+        region.assign_advice(|| "private copy", config.advice, 0, || Value::known(witness))?;
+        Ok(())
+    });
+}

package/examples/halo2/vulnerable/unconstrained-advice.rs

@@ -0,0 +1,24 @@
+use halo2_proofs::plonk::{Advice, Column, ConstraintSystem, Selector};
+
+struct Config {
+    value: Column<Advice>,
+    q_enable: Selector,
+}
+
+fn configure(meta: &mut ConstraintSystem<Fp>) -> Config {
+    let value = meta.advice_column();
+    let q_enable = meta.selector();
+    meta.create_gate("unrelated gate", |meta| {
+        let s = meta.query_selector(q_enable);
+        vec![s]
+    });
+    Config { value, q_enable }
+}
+
+fn synthesize(config: Config, mut layouter: impl Layouter<Fp>) {
+    layouter.assign_region(|| "unconstrained witness", |mut region| {
+        config.q_enable.enable(&mut region, 0)?;
+        region.assign_advice(|| "secret amount", config.value, 0, || Value::known(secret_amount))?;
+        Ok(())
+    });
+}

package/examples/halo2/vulnerable/unsafe-inverse.rs

@@ -0,0 +1,20 @@
+use halo2_proofs::plonk::{Advice, Column, ConstraintSystem};
+
+struct Config {
+    denominator: Column<Advice>,
+    inverse: Column<Advice>,
+}
+
+fn configure(meta: &mut ConstraintSystem<Fp>) -> Config {
+    let denominator = meta.advice_column();
+    let inverse = meta.advice_column();
+    Config { denominator, inverse }
+}
+
+fn synthesize(config: Config, mut layouter: impl Layouter<Fp>) {
+    layouter.assign_region(|| "unsafe inverse", |mut region| {
+        let inv = witness.denominator.invert().unwrap();
+        region.assign_advice(|| "inverse", config.inverse, 0, || Value::known(inv))?;
+        Ok(())
+    });
+}

package/examples/safe/safe-boolean.circom

@@ -0,0 +1,15 @@
+pragma circom 2.1.0;
+
+template SafeBoolean() {
+  signal input isAdmin;
+  signal input balance;
+  signal output allowedAmount;
+
+  component balanceBits = Num2Bits(64);
+  balanceBits.in <== balance;
+
+  isAdmin * (isAdmin - 1) === 0;
+  allowedAmount <== isAdmin * balance;
+}
+
+component main = SafeBoolean();

package/examples/safe/safe-component-output.circom

@@ -0,0 +1,18 @@
+pragma circom 2.1.0;
+
+template SafeComponentOutput() {
+  signal input secret;
+  signal input amount;
+  signal output commitment;
+
+  component amountBits = Num2Bits(64);
+  amountBits.in <== amount;
+
+  component h = Poseidon(2);
+  h.inputs[0] <== secret;
+  h.inputs[1] <== amount;
+
+  commitment <== h.out;
+}
+
+component main = SafeComponentOutput();

package/examples/safe/safe-division.circom

@@ -0,0 +1,14 @@
+pragma circom 2.1.0;
+
+template SafeDivision() {
+  signal input numerator;
+  signal input denominator;
+  signal output quotient;
+  signal inverse;
+
+  inverse <-- 1 / denominator;
+  denominator * inverse === 1;
+  quotient <== numerator * inverse;
+}
+
+component main = SafeDivision();

package/examples/safe/safe-public-input.circom

@@ -0,0 +1,15 @@
+pragma circom 2.1.0;
+
+template SafePublicInput() {
+  signal input root;
+  signal input nullifierHash;
+  signal input computedRoot;
+  signal input computedNullifierHash;
+  signal output ok;
+
+  root === computedRoot;
+  nullifierHash === computedNullifierHash;
+  ok <== 1;
+}
+
+component main = SafePublicInput();

package/examples/safe/safe-range-check.circom

@@ -0,0 +1,16 @@
+pragma circom 2.1.0;
+
+template SafeRangeCheck() {
+  signal input amount;
+  signal input balance;
+  signal output remainingBalance;
+
+  component amountBits = Num2Bits(64);
+  component balanceBits = Num2Bits(64);
+  amountBits.in <== amount;
+  balanceBits.in <== balance;
+
+  remainingBalance <== balance - amount;
+}
+
+component main = SafeRangeCheck();

package/examples/safe/safe-transfer.circom

@@ -0,0 +1,19 @@
+pragma circom 2.1.0;
+
+template SafeTransfer() {
+  signal input sender;
+  signal input receiver;
+  signal input amount;
+  signal output commitment;
+
+  component amountBits = Num2Bits(64);
+  amountBits.in <== amount;
+
+  component hasher = Poseidon(3);
+  hasher.inputs[0] <== sender;
+  hasher.inputs[1] <== receiver;
+  hasher.inputs[2] <== amount;
+  commitment <== hasher.out;
+}
+
+component main = SafeTransfer();

package/examples/vulnerable/alias-overflow-risk.circom

@@ -0,0 +1,12 @@
+pragma circom 2.1.0;
+
+template AliasRisk() {
+  signal input value;
+  signal output out;
+
+  component bits = Num2Bits(254);
+  bits.in <== value;
+  out <== value;
+}
+
+component main = AliasRisk();

package/examples/vulnerable/merkle-selector-bug.circom

@@ -0,0 +1,12 @@
+pragma circom 2.1.0;
+
+template MerkleSelector() {
+  signal input left;
+  signal input right;
+  signal input pathIndex;
+  signal output selected;
+
+  selected <== pathIndex * left + (1 - pathIndex) * right;
+}
+
+component main = MerkleSelector();

package/examples/vulnerable/missing-boolean.circom

@@ -0,0 +1,11 @@
+pragma circom 2.1.0;
+
+template AdminGate() {
+  signal input isAdmin;
+  signal input balance;
+  signal output allowedAmount;
+
+  allowedAmount <== isAdmin * balance;
+}
+
+component main = AdminGate();

package/examples/vulnerable/missing-range-check.circom

@@ -0,0 +1,11 @@
+pragma circom 2.1.0;
+
+template Payment() {
+  signal input amount;
+  signal input balance;
+  signal output remainingBalance;
+
+  remainingBalance <== balance - amount;
+}
+
+component main = Payment();

package/examples/vulnerable/public-input-not-bound.circom

@@ -0,0 +1,12 @@
+pragma circom 2.1.0;
+
+template PublicBinding() {
+  signal input root;
+  signal input nullifierHash;
+  signal input secret;
+  signal output out;
+
+  out <== secret * secret;
+}
+
+component main = PublicBinding();

package/examples/vulnerable/unconstrained-component-output.circom

@@ -0,0 +1,15 @@
+pragma circom 2.1.0;
+
+template Commitment() {
+  signal input secret;
+  signal input amount;
+  signal output commitment;
+
+  component h = Poseidon(2);
+  h.inputs[0] <== secret;
+  h.inputs[1] <== amount;
+
+  commitment <-- h.out;
+}
+
+component main = Commitment();

package/examples/vulnerable/unconstrained-transfer.circom

@@ -0,0 +1,17 @@
+pragma circom 2.1.0;
+
+template Transfer() {
+  signal input sender;
+  signal input receiver;
+  signal input amount;
+  signal output commitment;
+
+  component hasher = Poseidon(3);
+  hasher.inputs[0] <== sender;
+  hasher.inputs[1] <== receiver;
+  hasher.inputs[2] <== amount;
+
+  commitment <-- hasher.out;
+}
+
+component main = Transfer();

package/examples/vulnerable/unsafe-assertion.circom

@@ -0,0 +1,12 @@
+pragma circom 2.1.0;
+
+template AssertSecret() {
+  signal input secret;
+  signal input expected;
+  signal output ok;
+
+  assert(secret === expected);
+  ok <== 1;
+}
+
+component main = AssertSecret();

package/examples/vulnerable/unsafe-division.circom

@@ -0,0 +1,11 @@
+pragma circom 2.1.0;
+
+template UnsafeDivision() {
+  signal input numerator;
+  signal input denominator;
+  signal output quotient;
+
+  quotient <-- numerator / denominator;
+}
+
+component main = UnsafeDivision();

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "@trynullsec/s1-zk",
+  "version": "1.0.0",
+  "description": "Nullsec S1-ZK: AI-native auditing for zero-knowledge circuits.",
+  "type": "module",
+  "bin": {
+    "nullsec-zk": "dist/cli.js"
+  },
+  "exports": {
+    ".": "./dist/index.js"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "dev": "tsx src/cli.ts",
+    "test": "vitest run tests",
+    "lint": "tsc -p tsconfig.json --noEmit"
+  },
+  "keywords": [
+    "zk",
+    "circom",
+    "security",
+    "static-analysis",
+    "auditing"
+  ],
+  "license": "UNLICENSED",
+  "dependencies": {
+    "chalk": "^5.6.2",
+    "commander": "^14.0.2",
+    "fast-glob": "^3.3.3"
+  },
+  "devDependencies": {
+    "@types/node": "^24.10.2",
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.14"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "RULES.md",
+    "LIMITATIONS.md",
+    "ROADMAP.md",
+    "examples",
+    "benchmarks"
+  ]
+}