@trynullsec/s1-zk 1.0.5 → 1.0.6

package/CHANGELOG.md

@@ -0,0 +1,23 @@
+# Changelog
+
+## 1.0.5
+
+### Added
+
+- Circom frontend with tokenizer, parser, constraint graph, examples, reports, and rule coverage.
+- Halo2-style Rust frontend with heuristic gate, assignment, equality, selector, lookup, and public binding extraction.
+- Graph-aware Halo2 constraint analysis.
+- Proof obligation deep mode.
+- Deterministic exploit hypotheses.
+- Orchard-inspired synthetic Halo2 benchmark.
+- npm package `@trynullsec/s1-zk`.
+
+### Changed
+
+- README and package metadata now present the project as deterministic, graph-aware static analysis.
+- Version reporting is synchronized from `package.json`.
+
+### Fixed
+
+- CLI/report version mismatch.
+- Prompt-builder code fence language for Halo2 issues.

package/CONTRIBUTING.md

@@ -0,0 +1,31 @@
+# Contributing
+
+Thanks for helping improve Nullsec S1-ZK.
+
+## Development
+
+```bash
+npm install
+npm run build
+npm test
+npm run benchmark
+```
+
+## Rule Contributions
+
+Every new rule should include:
+
+- Rule implementation.
+- Vulnerable fixture.
+- Safe fixture when practical.
+- Test coverage.
+- `RULES.md` documentation.
+
+Rule naming:
+
+- `NS-ZK-*` for generic or Circom ZK rules.
+- `NS-H2-*` for Halo2 rules.
+
+## Notes
+
+Keep findings precise and avoid formal-verification claims unless the implementation actually proves a property. Prefer deterministic static-analysis evidence, clear confidence levels, and honest limitations.

package/README.md

@@ -6,19 +6,21 @@
 
 <p align="center">
   <a href="https://www.npmjs.com/package/@trynullsec/s1-zk"><img src="https://img.shields.io/npm/v/@trynullsec/s1-zk?color=111827&label=npm" alt="npm version" /></a>
+  <a href="https://github.com/trynullsec/nullsec-s1-zk/actions/workflows/ci.yml"><img src="https://github.com/trynullsec/nullsec-s1-zk/actions/workflows/ci.yml/badge.svg" alt="CI" /></a>
   <img src="https://img.shields.io/badge/TypeScript-5.x-3178c6" alt="TypeScript" />
   <img src="https://img.shields.io/badge/Circom-supported-16a34a" alt="Circom supported" />
-  <img src="https://img.shields.io/badge/Halo2-supported-7c3aed" alt="Halo2 supported" />
-  <img src="https://img.shields.io/badge/status-active-16a34a" alt="status active" />
+  <img src="https://img.shields.io/badge/Halo2-heuristic-7c3aed" alt="Halo2 heuristic" />
   <img src="https://img.shields.io/badge/license-MIT-blue" alt="MIT license" />
 </p>
 
-**AI-native auditing for zero-knowledge circuits.**
+**Deterministic, graph-aware static analysis for zero-knowledge circuits.**
 
 Nullsec S1-ZK is an open-source security engine for zero-knowledge circuits.
 
 It analyzes Circom and Halo2 circuits, builds constraint graphs, infers proof obligations, and generates exploit hypotheses for underconstraint risks.
 
+S1-ZK is fully local and deterministic. It sends no code to external services. LLM-assisted reasoning is planned, but not required by the current engine.
+
 **Find underconstraints before they mint infinite money.**
 
 ```bash
@@ -37,6 +39,13 @@ The tool is designed for ZK auditors, protocol engineers, security researchers,
 
 ## Supported Frontends
 
+| Frontend | Status | Notes |
+| --- | --- | --- |
+| Circom | Full | Tokenizer, parser, constraint graph, rule coverage |
+| Halo2-style Rust | Heuristic | Pattern/dataflow based; no full Rust AST yet |
+| Noir | Planned | Adapter stub only |
+| gnark | Planned | Adapter stub only |
+
 ### Circom
 
 The Circom frontend parses `.circom` files and builds a signal/constraint graph for high-signal soundness checks:
@@ -138,14 +147,21 @@ Target: ./examples
 Frontend: Mixed
 Files scanned: 24
 Rules executed: 18
-Issues found: 33
+Issues found: 34
 
 Severity summary:
 CRITICAL  2
-HIGH      12
-MEDIUM    15
-LOW       4
-INFO      0
+HIGH      20
+MEDIUM    8
+LOW       3
+INFO      1
+
+Proof obligations:
+Total      68
+Satisfied  59
+Partial    0
+Missing    9
+Unknown    0
 ```
 
 ## Rule Coverage
@@ -185,6 +201,33 @@ Run it with deep analysis:
 npx @trynullsec/s1-zk scan ./benchmarks/historical/orchard-inspired --deep
 ```
 
+## Benchmark
+
+Run the bundled regression corpus:
+
+```bash
+npm run benchmark
+```
+
+Current output:
+
+```text
+vuln=14 safe=10 TP=13 FN=1 TN=10 FP=0
+precision=100.00% recall=92.86% false_safe_rate=7.14% false_positive_rate=0.00%
+MISSED: examples/halo2/vulnerable/missing-selector-booleanity.rs
+```
+
+| Metric | Value |
+| --- | ---: |
+| False-safe rate | 7.14% |
+| False-positive rate | 0.00% |
+| Precision | 100.00% |
+| Recall | 92.86% |
+
+Bundled corpus size is small and intentionally synthetic. These numbers are regression signals for this repository, not a general claim about all ZK circuits.
+
+Known miss: `examples/halo2/vulnerable/missing-selector-booleanity.rs`. Selector-booleanity detection for this fixture is not yet covered by `NS-H2-003`.
+
 ## Reports
 
 Nullsec S1-ZK supports:

package/SECURITY.md

@@ -0,0 +1,13 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please email [security@trynullsec.com](mailto:security@trynullsec.com).
+
+Do not open public GitHub issues for vulnerabilities.
+
+We aim to acknowledge reports within 48 hours and provide a remediation timeline within 5 business days.
+
+## Scope
+
+Nullsec S1-ZK performs best-effort static analysis. It does not prove circuit soundness and does not replace expert ZK audits. See [LIMITATIONS.md](./LIMITATIONS.md).

package/benchmarks/run.mjs

@@ -0,0 +1,72 @@
+import { execFileSync } from "node:child_process";
+import { readdirSync } from "node:fs";
+import { join } from "node:path";
+
+const root = new URL("..", import.meta.url).pathname;
+
+const sets = [
+  { vulnerable: "examples/vulnerable", safe: "examples/safe" },
+  { vulnerable: "examples/halo2/vulnerable", safe: "examples/halo2/safe" }
+];
+
+function filesIn(dir) {
+  return readdirSync(join(root, dir))
+    .filter((file) => file.endsWith(".circom") || file.endsWith(".rs"))
+    .map((file) => join(dir, file));
+}
+
+function scan(file) {
+  try {
+    return JSON.parse(execFileSync("node", ["dist/cli.js", "scan", file, "--format", "json"], { cwd: root, encoding: "utf8", stdio: ["ignore", "pipe", "pipe"] }));
+  } catch (error) {
+    const stdout = error.stdout?.toString() ?? "";
+    if (stdout.trim()) return JSON.parse(stdout);
+    throw error;
+  }
+}
+
+function hasHighOrCritical(result) {
+  return result.issues.some((issue) => issue.severity === "CRITICAL" || issue.severity === "HIGH");
+}
+
+let vuln = 0;
+let safe = 0;
+let TP = 0;
+let FN = 0;
+let TN = 0;
+let FP = 0;
+const missed = [];
+const falsePositives = [];
+
+for (const set of sets) {
+  for (const file of filesIn(set.vulnerable)) {
+    vuln += 1;
+    if (hasHighOrCritical(scan(file))) TP += 1;
+    else {
+      FN += 1;
+      missed.push(file);
+    }
+  }
+  for (const file of filesIn(set.safe)) {
+    safe += 1;
+    if (hasHighOrCritical(scan(file))) {
+      FP += 1;
+      falsePositives.push(file);
+    } else {
+      TN += 1;
+    }
+  }
+}
+
+const pct = (numerator, denominator) => (denominator === 0 ? "0.00" : ((numerator / denominator) * 100).toFixed(2));
+const precision = pct(TP, TP + FP);
+const recall = pct(TP, TP + FN);
+const falseSafeRate = pct(FN, vuln);
+const falsePositiveRate = pct(FP, safe);
+
+console.log(`vuln=${vuln} safe=${safe} TP=${TP} FN=${FN} TN=${TN} FP=${FP}`);
+console.log(`precision=${precision}% recall=${recall}% false_safe_rate=${falseSafeRate}% false_positive_rate=${falsePositiveRate}%`);
+for (const file of missed) console.log(`MISSED: ${file}`);
+for (const file of falsePositives) console.log(`FALSE POSITIVE: ${file}`);
+
+if (FP > 0) process.exit(1);

package/dist/ai/prompt-builder.js

@@ -1,4 +1,5 @@
 export function buildReasoningPrompt(issue, surroundingCode, circuitIntent = "Unknown from static analysis") {
+    const codeFenceLanguage = issue.ruleId.startsWith("NS-H2") ? "rust" : "circom";
     return `You are reviewing a zero-knowledge circuit issue reported by Nullsec S1-ZK.
 
 Circuit intent:
@@ -19,7 +20,7 @@ Impact:
 ${issue.impact}
 
 Surrounding code:
-\`\`\`circom
+\`\`\`${codeFenceLanguage}
 ${surroundingCode}
 \`\`\`
 

package/dist/ai/prompt-builder.js.map

@@ -1 +1 @@
-{"version":3,"file":"prompt-builder.js","sourceRoot":"","sources":["../../src/ai/prompt-builder.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,oBAAoB,CAAC,KAAY,EAAE,eAAuB,EAAE,aAAa,GAAG,8BAA8B;IACxH,OAAO;;;EAGP,aAAa;;;UAGL,KAAK,CAAC,MAAM;WACX,KAAK,CAAC,KAAK;cACR,KAAK,CAAC,QAAQ;gBACZ,KAAK,CAAC,UAAU;UACtB,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI;YACtB,KAAK,CAAC,UAAU,IAAI,SAAS;;;EAGvC,KAAK,CAAC,WAAW;;;EAGjB,KAAK,CAAC,MAAM;;;;EAIZ,eAAe;;;;;;;;+DAQ8C,CAAC;AAChE,CAAC"}
+{"version":3,"file":"prompt-builder.js","sourceRoot":"","sources":["../../src/ai/prompt-builder.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,oBAAoB,CAAC,KAAY,EAAE,eAAuB,EAAE,aAAa,GAAG,8BAA8B;IACxH,MAAM,iBAAiB,GAAG,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC;IAC/E,OAAO;;;EAGP,aAAa;;;UAGL,KAAK,CAAC,MAAM;WACX,KAAK,CAAC,KAAK;cACR,KAAK,CAAC,QAAQ;gBACZ,KAAK,CAAC,UAAU;UACtB,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI;YACtB,KAAK,CAAC,UAAU,IAAI,SAAS;;;EAGvC,KAAK,CAAC,WAAW;;;EAGjB,KAAK,CAAC,MAAM;;;QAGN,iBAAiB;EACvB,eAAe;;;;;;;;+DAQ8C,CAAC;AAChE,CAAC"}

package/dist/cli.js

@@ -6,11 +6,12 @@ import { scanTarget } from "./scanner.js";
 import { writeDefaultConfig } from "./config.js";
 import { allRules } from "./rules/index.js";
 import { normalizeSeverity } from "./core/severity.js";
+import { VERSION } from "./version.js";
 const program = new Command();
 program
     .name("nullsec-zk")
-    .description("Nullsec S1-ZK: AI-native auditing for zero-knowledge circuits.")
-    .version("1.0.0");
+    .description("Nullsec S1-ZK: deterministic, graph-aware static analysis for zero-knowledge circuits.")
+    .version(VERSION);
 program
     .command("scan")
     .argument("<target>", "Circom file or directory to scan")

package/dist/cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAGvD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,YAAY,CAAC;KAClB,WAAW,CAAC,gEAAgE,CAAC;KAC7E,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,QAAQ,CAAC,UAAU,EAAE,kCAAkC,CAAC;KACxD,MAAM,CAAC,mBAAmB,EAAE,oCAAoC,CAAC;KACjE,MAAM,CAAC,mBAAmB,EAAE,wCAAwC,CAAC;KACrE,MAAM,CAAC,cAAc,EAAE,+BAA+B,CAAC;KACvD,MAAM,CAAC,sBAAsB,EAAE,sCAAsC,CAAC;KACtE,MAAM,CAAC,iBAAiB,EAAE,kBAAkB,CAAC;KAC7C,MAAM,CAAC,QAAQ,EAAE,sEAAsE,CAAC;KACxF,MAAM,CAAC,KAAK,EAAE,MAAc,EAAE,OAAyH,EAAE,EAAE;IAC1J,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE;YACnC,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,OAAO,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS;YAClF,UAAU,EAAE,OAAO,CAAC,MAAM;YAC1B,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CAAC,CAAC;QACH,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM;YAAE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACtE,OAAO,CAAC,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;IAClC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC,CAAC;QACtD,OAAO,CAAC,KAAK,CAAE,KAAe,CAAC,OAAO,CAAC,CAAC;QACxC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;IACvB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,oCAAoC,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE;IACrF,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,EAAE,KAAK,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;IAC9E,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,YAAY,EAAE,qBAAqB,CAAC,CAAC,WAAW,CAAC,0BAA0B,CAAC,CAAC,MAAM,CAAC,CAAC,OAAe,EAAE,EAAE;IAC1I,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC;IACnE,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,EAAE,KAAK,MAAM,CAAC,CAAC;IACnE,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,KAAK,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,EAAE,KAAK,IAAI,CAAC,KAAK;;oBAEnB,IAAI,CAAC,eAAe;QAChC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;;EAE1B,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;AACtB,CAAC,CAAC,CAAC;AAEH,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,WAAW,CAAC,uCAAuC,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE;IACvF,IAAI,UAAU,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACnC,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACjD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,MAAM,IAAI,GAAG,kBAAkB,EAAE,CAAC;IAClC,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;AACjC,CAAC,CAAC,CAAC;AAEH,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC"}
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAGvC,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,YAAY,CAAC;KAClB,WAAW,CAAC,wFAAwF,CAAC;KACrG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,QAAQ,CAAC,UAAU,EAAE,kCAAkC,CAAC;KACxD,MAAM,CAAC,mBAAmB,EAAE,oCAAoC,CAAC;KACjE,MAAM,CAAC,mBAAmB,EAAE,wCAAwC,CAAC;KACrE,MAAM,CAAC,cAAc,EAAE,+BAA+B,CAAC;KACvD,MAAM,CAAC,sBAAsB,EAAE,sCAAsC,CAAC;KACtE,MAAM,CAAC,iBAAiB,EAAE,kBAAkB,CAAC;KAC7C,MAAM,CAAC,QAAQ,EAAE,sEAAsE,CAAC;KACxF,MAAM,CAAC,KAAK,EAAE,MAAc,EAAE,OAAyH,EAAE,EAAE;IAC1J,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE;YACnC,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,OAAO,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS;YAClF,UAAU,EAAE,OAAO,CAAC,MAAM;YAC1B,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CAAC,CAAC;QACH,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM;YAAE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACtE,OAAO,CAAC,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;IAClC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC,CAAC;QACtD,OAAO,CAAC,KAAK,CAAE,KAAe,CAAC,OAAO,CAAC,CAAC;QACxC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;IACvB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,oCAAoC,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE;IACrF,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,EAAE,KAAK,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;IAC9E,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,YAAY,EAAE,qBAAqB,CAAC,CAAC,WAAW,CAAC,0BAA0B,CAAC,CAAC,MAAM,CAAC,CAAC,OAAe,EAAE,EAAE;IAC1I,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC;IACnE,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,EAAE,KAAK,MAAM,CAAC,CAAC;IACnE,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,KAAK,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,EAAE,KAAK,IAAI,CAAC,KAAK;;oBAEnB,IAAI,CAAC,eAAe;QAChC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;;EAE1B,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;AACtB,CAAC,CAAC,CAAC;AAEH,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,WAAW,CAAC,uCAAuC,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE;IACvF,IAAI,UAAU,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACnC,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACjD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,MAAM,IAAI,GAAG,kBAAkB,EAAE,CAAC;IAClC,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;AACjC,CAAC,CAAC,CAAC;AAEH,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC"}

package/dist/core/audit-engine.js

@@ -4,6 +4,7 @@ import { ConstraintGraph } from "../ir/constraint-graph.js";
 import { runDeepAnalysis } from "../analysis/deep-analysis.js";
 import { allRules } from "../rules/index.js";
 import { summarizeIssues } from "../report/summary.js";
+import { VERSION } from "../version.js";
 import { RuleEngine } from "./rule-engine.js";
 function frontendName(circomCount, halo2Count) {
     if (circomCount > 0 && halo2Count > 0)
@@ -20,7 +21,7 @@ export function auditParsedFiles(target, parsedFiles, config, halo2Files = [], d
     const context = { target, ir, graph, config, halo2 };
     const { issues, rulesExecuted } = engine.run(context);
     return {
-        tool: { name: "Nullsec S1-ZK", version: "1.0.0" },
+        tool: { name: "Nullsec S1-ZK", version: VERSION },
         target,
         frontend: frontendName(parsedFiles.length, halo2Files.length),
         filesScanned: parsedFiles.length + halo2Files.length,

package/dist/core/audit-engine.js.map

@@ -1 +1 @@
-{"version":3,"file":"audit-engine.js","sourceRoot":"","sources":["../../src/core/audit-engine.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,0CAA0C,CAAC;AAC1E,OAAO,EAAE,YAAY,EAAE,MAAM,wCAAwC,CAAC;AAEtE,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE9C,SAAS,YAAY,CAAC,WAAmB,EAAE,UAAkB;IAC3D,IAAI,WAAW,GAAG,CAAC,IAAI,UAAU,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC;IACtD,IAAI,UAAU,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC;IACnC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAc,EAAE,WAAgC,EAAE,MAAqB,EAAE,aAAiC,EAAE,EAAE,IAAI,GAAG,KAAK;IACzJ,MAAM,EAAE,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IACvC,MAAM,KAAK,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;IACvC,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,EAAE,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC;IACxC,MAAM,OAAO,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IACrD,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACtD,OAAO;QACL,IAAI,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,OAAO,EAAE;QACjD,MAAM;QACN,QAAQ,EAAE,YAAY,CAAC,WAAW,CAAC,MAAM,EAAE,UAAU,CAAC,MAAM,CAAC;QAC7D,YAAY,EAAE,WAAW,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM;QACpD,aAAa;QACb,OAAO,EAAE,eAAe,CAAC,MAAM,CAAC;QAChC,MAAM;QACN,cAAc,EAAE,CAAC,GAAG,EAAE,CAAC,cAAc,EAAE,GAAG,KAAK,CAAC,cAAc,CAAC;QAC/D,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS;KAClE,CAAC;AACJ,CAAC"}
+{"version":3,"file":"audit-engine.js","sourceRoot":"","sources":["../../src/core/audit-engine.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,0CAA0C,CAAC;AAC1E,OAAO,EAAE,YAAY,EAAE,MAAM,wCAAwC,CAAC;AAEtE,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AACxC,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE9C,SAAS,YAAY,CAAC,WAAmB,EAAE,UAAkB;IAC3D,IAAI,WAAW,GAAG,CAAC,IAAI,UAAU,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC;IACtD,IAAI,UAAU,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC;IACnC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAc,EAAE,WAAgC,EAAE,MAAqB,EAAE,aAAiC,EAAE,EAAE,IAAI,GAAG,KAAK;IACzJ,MAAM,EAAE,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IACvC,MAAM,KAAK,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;IACvC,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,EAAE,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC;IACxC,MAAM,OAAO,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IACrD,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACtD,OAAO;QACL,IAAI,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,OAAO,EAAE;QACjD,MAAM;QACN,QAAQ,EAAE,YAAY,CAAC,WAAW,CAAC,MAAM,EAAE,UAAU,CAAC,MAAM,CAAC;QAC7D,YAAY,EAAE,WAAW,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM;QACpD,aAAa;QACb,OAAO,EAAE,eAAe,CAAC,MAAM,CAAC;QAChC,MAAM;QACN,cAAc,EAAE,CAAC,GAAG,EAAE,CAAC,cAAc,EAAE,GAAG,KAAK,CAAC,cAAc,CAAC;QAC/D,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS;KAClE,CAAC;AACJ,CAAC"}

package/dist/version.d.ts

@@ -0,0 +1 @@
+export declare const VERSION = "1.0.6";

package/dist/version.js

@@ -0,0 +1,2 @@
+export const VERSION = "1.0.6";
+//# sourceMappingURL=version.js.map

package/dist/version.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"version.js","sourceRoot":"","sources":["../src/version.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@trynullsec/s1-zk",
-  "version": "1.0.5",
-  "description": "Nullsec S1-ZK: AI-native auditing for zero-knowledge circuits.",
+  "version": "1.0.6",
+  "description": "Deterministic, graph-aware static analysis for zero-knowledge circuits.",
   "type": "module",
   "bin": {
     "nullsec-zk": "dist/cli.js"
@@ -10,10 +10,12 @@
     ".": "./dist/index.js"
   },
   "scripts": {
+    "prebuild": "node scripts/sync-version.mjs",
     "build": "tsc -p tsconfig.json",
     "dev": "tsx src/cli.ts",
     "test": "vitest run tests",
-    "lint": "tsc -p tsconfig.json --noEmit"
+    "lint": "tsc -p tsconfig.json --noEmit",
+    "benchmark": "npm run build && node benchmarks/run.mjs"
   },
   "keywords": [
     "zk",
@@ -51,6 +53,9 @@
     "dist",
     "README.md",
     "LICENSE",
+    "SECURITY.md",
+    "CONTRIBUTING.md",
+    "CHANGELOG.md",
     "RULES.md",
     "LIMITATIONS.md",
     "ROADMAP.md",