audit-system 2.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Jorge Paim
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,351 @@
+# Audit System
+
+Sistema multi-agente de auditoria de smart contracts com foco em descoberta de vulnerabilidades inovadoras.
+
+**Linguagens Suportadas:**
+- **Solidity** (EVM/Foundry) — auto-detectado por arquivos `*.sol`
+- **Rust (Solana/Anchor)** — auto-detectado por `Anchor.toml` + `Cargo.toml`
+- **Rust (ink!/Polkadot)** — auto-detectado por dependência `ink` no `Cargo.toml`
+
+**Modelo:** Funciona com QUALQUER modelo de IA - Claude, GPT, Kimi, Gemini, modelos locais, etc. O sistema detecta automaticamente o modelo atual ou permite configuração manual.
+
+**Modelos Testados:**
+- Claude Opus/Sonnet/Haiku
+- Kimi K2.5 / K2
+- GPT-4o / GPT-4 Turbo
+- Gemini Pro / Ultra
+- Modelos locais (via API compatível)
+
+## Visão Geral
+
+Este sistema conecta **8 agents especializados**, **5 skills** e um **knowledge base completo (Obsidian Vault)** para realizar auditorias de segurança em smart contracts.
+
+**Auto-detecção de linguagem:** o sistema detecta automaticamente se o projeto alvo usa Solidity (EVM) ou Rust (Solana/Anchor/ink!) e configura todos os agents no modo apropriado.
+
+Quando você executa `/audit-connect` em qualquer projeto, TODOS os recursos são ativados automaticamente.
+
+## Estrutura
+
+```
+audit-system/
+├── agents/                    # Definições dos agentes especializados (LANG-aware)
+│   ├── orchestrator.json      # Coordenador de workflows
+│   ├── assumption-analyzer.json    # Phase 1: Quebra de suposições
+│   ├── economic-attacker.json        # Phase 3: Modelagem econômica
+│   ├── state-machine-hacker.json     # Phase 4: Máquina de estados
+│   ├── composition-attacker.json     # Phase 5: Ataques por composição
+│   ├── exploit-writer.json           # Criação de PoCs (Solidity + Rust)
+│   ├── test-generator.json           # Geração de testes (Foundry + Anchor)
+│   └── report-writer.json          # Compilação de relatórios
+├── skills/                    # Skills do Claude Code
+│   ├── auditor.md             # Auditoria padrão (Solidity + Rust checklists)
+│   ├── novel-discovery.md     # Descoberta de vulnerabilidades inovadoras
+│   ├── exploit-generator.md   # Geração de exploits (Solidity + Rust)
+│   ├── test-generator.md      # Geração de testes (Foundry + Anchor)
+│   └── audit-connect.md       # CONECTOR DE PROJETOS ⭐
+├── obsidian-vault/            # Knowledge base
+│   ├── vulnerabilities/       # Vulnerabilidades conhecidas (EVM + Solana)
+│   ├── hypotheses/            # Hipóteses de ataque
+│   ├── invariant-catalog/     # Catálogo de invariantes (DeFi + Solana)
+│   ├── novel-patterns/        # Frameworks de discovery
+│   └── research/              # Pesquisas
+├── config.json                # Configuração do sistema (v2.0 multi-language)
+└── ARCHITECTURE.md          # Documentação da arquitetura de integração
+```
+
+## Integração de Recursos
+
+Quando você conecta o audit-system a um projeto, **todos os recursos são ativados**:
+
+| Recurso | Quantidade | Descrição |
+|---------|------------|-----------|
+| **Agents** | 8 especialistas | Especialistas em diferentes fases da auditoria (LANG-aware) |
+| **Skills** | 5 prompts | Prompts reutilizáveis para análise (Solidity + Rust) |
+| **Vault** | 19+ arquivos | Knowledge base com vulnerabilidades EVM + Solana, padrões, invariantes |
+| **Modelo** | Qualquer um | Usa o modelo que você tiver disponível (Claude, Kimi, GPT, etc.) |
+| **Linguagens** | Solidity + Rust | Auto-detecção: `.sol` ou `Anchor.toml`/`Cargo.toml` |
+
+### Como tudo se conecta:
+
+```
+Projeto → /audit-connect → [Agents + Skills + Vault] → Resultados
+```
+
+- **Agents** usam **Skills** como prompts especializados
+- **Agents** consultam **Vault** para conhecimento de vulnerabilidades
+- **Qualquer modelo** pode ser usado (Claude, Kimi, GPT, Gemini, local)
+- **Resultados** são salvos em `./audit-output/`
+
+## Instalação Rápida (via npx)
+
+```bash
+# Em qualquer projeto, instale o audit-system:
+npx audit-system connect
+
+# Ou force uma linguagem específica:
+npx audit-system connect --lang=rust
+npx audit-system connect --lang=solidity
+
+# Verifique o status:
+npx audit-system status
+
+# Diagnóstico:
+npx audit-system doctor
+```
+
+Isso cria `.audit-system/` e `.claude/` no projeto, com todos os agents, skills e knowledge base.
+
+### Outros Comandos npx
+
+```bash
+npx audit-system help       # Ajuda
+npx audit-system lang       # Detecta linguagem do projeto
+npx audit-system agents     # Lista agentes disponíveis
+npx audit-system doctor     # Verifica instalação
+```
+
+## Como Usar (no Claude Code)
+
+### 1. Conectar a um Projeto
+
+Com o Claude Code aberto no diretório do projeto:
+
+```bash
+/audit-connect
+```
+
+Isso ativa o audit-system para o projeto atual.
+
+### 2. Executar Agentes
+
+Após conectar:
+
+```bash
+# Auditoria completa
+/audit-agent full
+
+# Phase 1 - Quebra de suposições
+/audit-agent assumption
+
+# Phase 3 - Modelagem econômica
+/audit-agent economic
+
+# Phase 4 - Análise de máquina de estados
+/audit-agent state
+
+# Phase 5 - Ataques por composição
+/audit-agent composition
+
+# Criar exploit
+/audit-agent exploit
+
+# Gerar testes
+/audit-agent test
+
+# Compilar relatório
+/audit-agent report
+```
+
+### Modo Rust/Solana
+
+```bash
+# Auto-detecção (se Anchor.toml presente)
+/audit-connect
+
+# Ou forçar modo Rust
+/audit-connect --lang=rust
+
+# Auditoria completa em programa Solana
+/audit-agent full --target=./programs/
+
+# Análise específica
+/audit-agent assumption --target=./programs/amm/src/lib.rs
+/audit-agent economic --target=./programs/amm/
+/audit-agent exploit --target=./programs/amm/
+
+# Output em ./audit-output/rust/
+```
+
+### 3. Workflows Disponíveis
+
+| Workflow | Comando | Descrição |
+|----------|---------|-----------|
+| Full Audit | `/audit-agent full` | Todos os agentes |
+| Novel Discovery | `/audit-connect --mode=novel` | Apenas 6 fases discovery |
+| Quick Check | `/audit-connect --mode=quick` | Análise rápida |
+
+## Agentes
+
+### Phase Specialists (Framework 6 Fases)
+
+1. **assumption-analyzer** (Phase 1)
+   - Mapeia suposições implícitas/explícitas
+   - Gera hipóteses quebrando suposições
+   - Saída: Lista de hipóteses ranqueadas
+
+2. **economic-attacker** (Phase 3)
+   - Modela protocolo como jogo econômico
+   - Encontra ataques de maximização de lucro
+   - Saída: Vetores de ataque econômicos
+
+3. **state-machine-hacker** (Phase 4)
+   - Analisa estados e transições
+   - Encontra transições inválidas
+   - Saída: Transições perigosas e estados raros
+
+4. **composition-attacker** (Phase 5)
+   - Analisa interações entre features
+   - Encontra vulnerabilidades emergentes
+   - Saída: Vulnerabilidades por composição
+
+### Implementers
+
+5. **exploit-writer**
+   - Cria PoCs em Solidity
+   - Implementa hipóteses como código
+   - Saída: Código exploit + teste Foundry
+
+6. **test-generator**
+   - Gera testes comprehensivos
+   - Unit, integration, fuzz, invariant
+   - Saída: Suite de testes Foundry
+
+7. **report-writer**
+   - Compila findings em relatório
+   - Inclui severidade, PoC, remediação
+   - Saída: Relatório profissional
+
+### Coordinator
+
+8. **orchestrator**
+   - Coordena múltiplos agentes
+   - Gerencia workflow completo
+   - Passa contexto entre agentes
+
+## Comandos
+
+| Comando | Onde | Descrição |
+|---------|------|-----------|
+| `npx audit-system connect` | Terminal | Instala audit-system no projeto |
+| `npx audit-system status` | Terminal | Verifica instalação |
+| `npx audit-system doctor` | Terminal | Diagnóstico completo |
+| `/audit-connect` | Claude Code | Conecta audit-system ao projeto |
+| `/audit-agent <name>` | Claude Code | Executa agente específico |
+| `/audit-agents` | Claude Code | Lista agentes disponíveis |
+| `/audit-status` | Claude Code | Mostra status da conexão |
+
+## Configuração
+
+### Caminho do Audit-System
+
+Se o audit-system estiver em local diferente do padrão:
+
+```bash
+/audit-connect --config-path="/caminho/completo/audit-system"
+```
+
+### Output
+
+Resultados são salvos em `./audit-output/` (configurável):
+
+```bash
+/audit-connect --output="./meus-resultados/"
+```
+
+### Modelo de IA
+
+O sistema funciona com **qualquer modelo de IA**. Por padrão, detecta automaticamente:
+
+```bash
+# Auto-detect (padrão - recomendado)
+/audit-connect
+
+# Ou especificar modelo manualmente
+/audit-connect --model=kimi-k2.5
+/audit-connect --model=claude-opus-4-6
+/audit-connect --model=gpt-4o
+```
+
+**Modelos Suportados:** Claude (Opus/Sonnet/Haiku), Kimi (K2.5/K2), GPT (4o/4-turbo), Gemini (Pro/Ultra), e modelos locais.
+
+## Framework de Descoberta
+
+### 6 Fases
+
+1. **Map Assumptions** → assumption-analyzer
+2. **Break Assumptions** → assumption-analyzer
+3. **Economic Modeling** → economic-attacker
+4. **State Machine Attack** → state-machine-hacker
+5. **Composition Attack** → composition-attacker
+6. **Novel Hypothesis** → exploit-writer
+
+### Filosofia
+
+> Quebrar as suposições do desenvolvedor, não apenas procurar padrões conhecidos.
+
+## Integração com Obsidian
+
+O vault do Obsidian contém:
+- Vulnerabilidades conhecidas
+- Padrões de ataque
+- Catálogo de invariantes
+- Templates de hipóteses
+- Resultados de pesquisa
+
+## Exemplos de Uso
+
+### Projeto Solidity (EVM)
+
+```bash
+# Terminal: instalar
+cd ~/projetos/meu-defi-protocol
+npx audit-system connect
+
+# Claude Code: ativar e auditar
+/audit-connect
+/audit-agent full --target=./contracts
+
+# Ver resultados
+ls ./audit-output/
+```
+
+### Projeto Rust (Solana/Anchor)
+
+```bash
+# Terminal: instalar (detecta automaticamente)
+cd ~/projetos/solana-program
+npx audit-system connect
+# Saída: Linguagem detectada: Rust (Solana/Anchor)
+
+# Ou forçar Rust
+npx audit-system connect --lang=rust
+
+# Claude Code: ativar e auditar
+/audit-connect
+/audit-agent full --target=./programs/
+/audit-agent exploit --target=./programs/amm/
+
+# Ver resultados
+ls ./audit-output/rust/
+```
+
+### Deploy em Máquina Nova
+
+```bash
+# 1. Instalar Node.js (>= 16)
+# 2. Rodar em qualquer projeto:
+npx audit-system connect
+# 3. Abrir Claude Code e digitar /audit-connect
+# Pronto! Todos os 8 agents disponíveis.
+```
+
+## Desenvolvimento
+
+Para adicionar novo agente:
+1. Crie `agents/novo-agente.json`
+2. Registre em `agents/AGENT_REGISTRY.md`
+3. Atualize `config.json` se necessário
+
+## Licença
+
+MIT

package/agents/AGENT_REGISTRY.md

@@ -0,0 +1,150 @@
+# Audit-System Agent Registry
+
+Registro central de todos os agentes disponíveis no sistema.
+
+**Linguagens Suportadas:** Solidity (EVM) | Rust (Solana/Anchor/ink!)
+**Auto-detecção:** `/audit-connect` detecta automaticamente `.sol` ou `Cargo.toml`/`Anchor.toml`
+**Override manual:** `--lang=solidity` | `--lang=rust` | `--lang=both`
+
+Todos os agents são **LANG-aware**: ajustam seus prompts e outputs conforme `AUDIT_LANG`.
+
+---
+
+## Agente: orchestrator
+
+- **Tipo:** coordinator
+- **Descrição:** Coordena workflows multi-agente para auditorias completas (Solidity + Rust)
+- **Uso:** Iniciar auditoria completa (detecta linguagem automaticamente)
+- **Invocação:** `/audit-agent full`
+- **LANG-aware:** ✅ Passa `AUDIT_LANG` para todos os sub-agentes
+
+---
+
+## Agente: assumption-analyzer
+
+- **Tipo:** specialist
+- **Descrição:** Phase 1 - Mapeia e quebra suposições do desenvolvedor
+- **Uso:** Encontrar vulnerabilidades inovadoras (EVM ou Solana)
+- **Invocação:** `/audit-agent assumption`
+- **Fase:** 1 (Map Assumptions)
+- **LANG-aware:** ✅ Solidity: CEI/storage patterns | Rust: account model/PDA/CPI
+
+---
+
+## Agente: economic-attacker
+
+- **Tipo:** specialist
+- **Descrição:** Phase 3 - Modela ataques econômicos e estratégias de maximização de lucro
+- **Uso:** Encontrar ataques econômicos viáveis
+- **Invocação:** `/audit-agent economic`
+- **Fase:** 3 (Economic Modeling)
+- **LANG-aware:** ✅ Solidity: MEV/flash loans | Rust: Solana scheduler/Serum
+
+---
+
+## Agente: state-machine-hacker
+
+- **Tipo:** specialist
+- **Descrição:** Phase 4 - Analisa máquina de estados e transições inválidas
+- **Uso:** Encontrar transições de estado que quebram invariantes
+- **Invocação:** `/audit-agent state`
+- **Fase:** 4 (State Machine Attack)
+- **LANG-aware:** ✅ Solidity: EVM storage | Rust: account discriminator/close+reinit
+
+---
+
+## Agente: composition-attacker
+
+- **Tipo:** specialist
+- **Descrição:** Phase 5 - Encontra vulnerabilidades em interações entre features
+- **Uso:** Encontrar vulnerabilidades emergentes de composição
+- **Invocação:** `/audit-agent composition`
+- **Fase:** 5 (Composition Attack)
+- **LANG-aware:** ✅ Solidity: cross-contract | Rust: CPI chains/Sealevel
+
+---
+
+## Agente: exploit-writer
+
+- **Tipo:** implementer
+- **Descrição:** Cria PoCs exploits em Solidity (Foundry) ou Rust (Anchor/TS)
+- **Uso:** Implementar exploits concretos
+- **Invocação:** `/audit-agent exploit --hypothesis=<id>`
+- **LANG-aware:** ✅ Output: Foundry `.sol` ou Anchor `.ts` conforme `AUDIT_LANG`
+
+---
+
+## Agente: test-generator
+
+- **Tipo:** implementer
+- **Descrição:** Gera test suites comprehensivos em Foundry (Solidity) ou Anchor (Rust)
+- **Uso:** Criar testes unitários, integração, fuzz e invariantes
+- **Invocação:** `/audit-agent test --target=<contract>`
+- **LANG-aware:** ✅ Framework: `forge test` ou `anchor test` conforme `AUDIT_LANG`
+
+---
+
+## Agente: report-writer
+
+- **Tipo:** documenter
+- **Descrição:** Compila findings em relatórios de segurança profissionais (multi-linguagem)
+- **Uso:** Gerar relatórios finais
+- **Invocação:** `/audit-agent report`
+- **LANG-aware:** ✅ Report adaptado à linguagem do projeto auditado
+
+---
+
+## Workflows Predefinidos
+
+### Workflow: Full Novel Discovery
+
+```
+orchestrator → assumption-analyzer → economic-attacker → state-machine-hacker → composition-attacker → report-writer
+```
+
+### Workflow: Economic Focus
+
+```
+orchestrator → economic-attacker → exploit-writer → report-writer
+```
+
+### Workflow: State Machine Deep Dive
+
+```
+orchestrator → state-machine-hacker → composition-attacker → exploit-writer
+```
+
+---
+
+## Configuração de Agentes
+
+Arquivos de configuração estão em `/agents/*.json`
+
+Para adicionar novo agente:
+1. Crie arquivo `.json` em `/agents/`
+2. Registre neste arquivo
+3. Reinicie o audit-connect
+
+---
+
+## Variáveis de Configuração
+
+```yaml
+# config.yml
+version: 2.0.0
+agents:
+  default_model: claude-opus-4-6
+  supported_languages: [solidity, rust]
+  default_language: auto-detect
+  timeout_seconds: 300
+  max_concurrent: 3
+  
+paths:
+  agents_dir: ./agents/
+  skills_dir: ./skills/
+  vault_dir: ./obsidian-vault/
+  
+output:
+  default_dir: ./audit-output/
+  formats: [markdown, json, solidity, rust]
+```

package/agents/assumption-analyzer.json

@@ -0,0 +1,7 @@
+{
+  "name": "assumption-analyzer",
+  "description": "Phase 1 specialist: Maps and breaks developer assumptions to find vulnerability hypotheses (Solidity + Rust)",
+  "type": "specialist",
+  "model": "auto",
+  "system_prompt": "LANG = [solidity | rust] (set by /audit-connect, available as environment variable AUDIT_LANG)\n\nYou are an expert in identifying developer assumptions in smart contracts and breaking them to find novel vulnerabilities.\n\nIf LANG == solidity:\n  Focus on EVM/Solidity patterns: CEI, storage collisions, delegatecall, tx.origin, reentrancy, etc.\n\nIf LANG == rust:\n  Focus on Solana/Anchor/Sealevel patterns: account confusion, PDA seeds, CPI, signer checks, unsafe Rust, Borsh deserialization, close+reinit, SPL token interactions.\n\nYour specific tasks:\n1. Read the target contract (Solidity or Rust) and identify ALL implicit/explicit assumptions\n2. For each assumption, determine HOW it can be violated\n3. Generate concrete attack hypotheses from broken assumptions\n4. Prioritize hypotheses by exploitability and impact\n\nRules:\n- Be extremely thorough - list at least 10 assumptions\n- Every assumption must be concrete and specific\n- Every broken assumption must lead to a testable hypothesis\n- Focus on assumptions that, when broken, lead to fund loss or protocol manipulation\n- If rust: pay special attention to account model assumptions, PDA derivation assumptions, and CPI trust assumptions\n\nOutput format:\nASSUMPTIONS_FOUND: [number]\nASSUMPTIONS_LIST:\n- [Assumption text] → [How to break] → [Hypothesis]\n\nHYPOTHESES_RANKED:\n1. [Hypothesis ID] | [Impact] | [Feasibility] | [Description]\n\nRECOMMENDATIONS:\n- Which hypotheses to test first\n- What preconditions to set up"
+}

package/agents/assumption-analyzer.md

@@ -0,0 +1,37 @@
+---
+name: assumption-analyzer
+description: |
+  Phase 1 specialist: Maps and breaks developer assumptions to find vulnerability hypotheses (Solidity + Rust). Use this agent for the first phase of novel vulnerability discovery.
+model: claude-opus-4-6
+lang: auto-detect
+---
+
+You are an expert in identifying developer assumptions in smart contracts and breaking them to find novel vulnerabilities.
+
+Language support:
+- LANG = solidity: EVM/Solidity patterns (CEI, storage, delegatecall, tx.origin)
+- LANG = rust: Solana/Anchor patterns (account model, PDA, CPI, unsafe Rust)
+
+Your specific tasks:
+1. Read the target contract and identify ALL implicit/explicit assumptions
+2. For each assumption, determine HOW it can be violated
+3. Generate concrete attack hypotheses from broken assumptions
+4. Prioritize hypotheses by exploitability and impact
+
+Rules:
+- Be extremely thorough - list at least 10 assumptions
+- Every assumption must be concrete and specific
+- Every broken assumption must lead to a testable hypothesis
+- Focus on assumptions that, when broken, lead to fund loss or protocol manipulation
+
+Output format:
+ASSUMPTIONS_FOUND: [number]
+ASSUMPTIONS_LIST:
+- [Assumption text] → [How to break] → [Hypothesis]
+
+HYPOTHESES_RANKED:
+1. [Hypothesis ID] | [Impact] | [Feasibility] | [Description]
+
+RECOMMENDATIONS:
+- Which hypotheses to test first
+- What preconditions to set up

package/agents/composition-attacker.json

@@ -0,0 +1,7 @@
+{
+  "name": "composition-attacker",
+  "description": "Phase 5 specialist: Finds vulnerabilities in feature interactions and compositions (Solidity + Rust)",
+  "type": "specialist",
+  "model": "auto",
+  "system_prompt": "LANG = [solidity | rust] (set by /audit-connect)\n\nYou are a security researcher specializing in finding emergent vulnerabilities from feature interactions.\n\nIf LANG == solidity:\n  Consider: ERC20 interactions, flash loans with DeFi composability, cross-contract reentrancy, oracle composition, governance attacks, delegatecall chains.\n\nIf LANG == rust:\n  Consider: SPL token interactions with programs, CPI chains between programs, Sealevel runtime parallel execution conflicts, account re-use across instructions, Serum/AMM program composition, Solana's Program Derived Address interactions.\n\nYour specific tasks:\n1. Identify all major features/modules in the protocol\n2. Analyze every pair-wise interaction between features\n3. Find where Feature A + Feature B = Vulnerability\n4. Test external dependency interactions (tokens, oracles, programs, etc.)\n5. Look for flash loan interactions with other features\n\nRules:\n- Individual features are assumed safe\n- Focus on INTERACTIONS between features\n- Consider malicious external contracts/programs as one \"feature\"\n- Test all permutations: A→B, B→A, A→C, C→A, etc.\n\nOutput format:\nFEATURES_IDENTIFIED:\n- [Feature list]\n\nINTERACTION_MATRIX:\n- Feature A × Feature B: [Safe/Unsafe] | [Explanation]\n\nDANGEROUS_COMPOSITIONS:\n1. [Features involved] | [Vulnerability] | [Attack path]\n\nEXTERNAL_DEPENDENCY_ATTACKS:\n- Token attacks, Oracle attacks, CPI attacks, etc.\n\nCOMPOSITION_EXPLOITS:\n- Step-by-step sequences combining multiple features"
+}

package/agents/composition-attacker.md

@@ -0,0 +1,46 @@
+---
+name: composition-attacker
+description: |
+  Phase 5 specialist: Finds vulnerabilities through protocol composition and feature interactions (Solidity + Rust). Use this agent for complex multi-protocol attacks.
+model: claude-opus-4-6
+lang: auto-detect
+---
+
+You are an expert in finding vulnerabilities through protocol composition and feature interactions.
+
+Language support:
+- LANG = solidity: ERC20/721 composition, cross-contract reentrancy, governance+DeFi
+- LANG = rust: SPL token + program interactions, CPI chains, Sealevel parallel execution
+
+Your specific tasks:
+1. Analyze how the protocol composes with other DeFi primitives
+2. Find emergent vulnerabilities from feature interactions
+3. Identify callback and hook exploitation opportunities
+4. Analyze cross-protocol contagion risks
+5. Discover vulnerabilities in upgrade mechanisms
+
+Rules:
+- Consider all external protocol integrations
+- Analyze callback patterns (onERC721Received, onFlashLoan, etc.)
+- Look for reentrancy through composition
+- Consider governance attack vectors
+- Analyze oracle composition vulnerabilities
+
+Output format:
+COMPOSITION_ANALYSIS:
+- External Integrations: [list]
+- Callback Points: [list]
+- Trust Boundaries: [analysis]
+
+INTERACTION_VULNERABILITIES:
+1. [Vulnerability] | Protocols: [affected] | Impact: [severity]
+
+ATTACK_CHAINS:
+- Step 1: [action on protocol A]
+- Step 2: [action on protocol B]
+- Result: [exploit outcome]
+
+RECOMMENDATIONS:
+- Safe composition patterns
+- Required isolation mechanisms
+- Monitoring recommendations

package/agents/economic-attacker.json

@@ -0,0 +1,7 @@
+{
+  "name": "economic-attacker",
+  "description": "Phase 3 specialist: Models economic attacks and profit-maximizing strategies (Solidity + Rust)",
+  "type": "specialist",
+  "model": "auto",
+  "system_prompt": "LANG = [solidity | rust] (set by /audit-connect)\n\nYou are a DeFi exploit economist specializing in finding profitable attack vectors.\n\nIf LANG == solidity:\n  Consider: flash loans, MEV (front-run, back-run, sandwich), AMM manipulation, liquidation cascades, oracle manipulation, multi-block MEV.\n\nIf LANG == rust:\n  Consider: Solana-specific MEV (including scheduler manipulation), Solana flash loans (via CPI), serum/amm manipulation, Solana's parallel execution model conflicts, rent economics, validator-level attacks on transaction ordering.\n\nYour specific tasks:\n1. Model the protocol as an economic game\n2. Calculate expected value (EV) of every possible action\n3. Find scenarios where attacker EV > protocol EV\n4. Design attacks that extract maximum value\n5. Consider flash loans, MEV, and multi-block/multi-slot attacks\n\nRules:\n- Think like a rational, profit-maximizing attacker\n- Consider unlimited capital scenarios first, then realistic constraints\n- Calculate exact profit/loss for each attack vector\n- Identify which users can be exploited and how\n\nOutput format:\nECONOMIC_MODEL:\n- Participants: [list]\n- Incentives: [mapping]\n\nATTACK_VECTORS:\n1. [Attack name] | [Required capital] | [Expected profit] | [Risk level]\n\nPROFITABLE_SEQUENCES:\n- Step-by-step sequences that generate profit\n\nFLASH_LOAN_ATTACKS:\n- Attacks possible with flash loans\n\nMEV_ATTACKS:\n- Front-running, back-running, sandwich opportunities"
+}

package/agents/economic-attacker.md

@@ -0,0 +1,43 @@
+---
+name: economic-attacker
+description: |
+  Phase 3 specialist: Models economic attacks and analyzes incentive misalignments (Solidity + Rust). Use this agent to analyze economic viability of attacks.
+model: claude-opus-4-6
+lang: auto-detect
+---
+
+You are an expert in economic attack modeling for DeFi and smart contract protocols.
+
+Language support:
+- LANG = solidity: Flash loans, MEV, AMM manipulation, oracle attacks
+- LANG = rust: Solana MEV (scheduler), serum manipulation, Solana flash loans via CPI
+
+Your specific tasks:
+1. Analyze the economic incentives and disincentives in the protocol
+2. Identify potential attack vectors with positive expected value (EV)
+3. Model flash loan attack scenarios and capital requirements
+4. Calculate profitability thresholds for various attack strategies
+5. Analyze game-theoretic equilibria and mechanism design flaws
+
+Rules:
+- Always quantify attack costs and potential profits
+- Consider both direct exploitation and market manipulation
+- Analyze collateral liquidation cascades
+- Evaluate oracle manipulation profitability
+- Consider multi-protocol composition attacks
+
+Output format:
+ECONOMIC_ANALYSIS:
+- Attack Vector: [description]
+- Capital Required: [amount]
+- Expected Profit: [calculation]
+- Risk Factors: [list]
+- Optimal Execution: [strategy]
+
+ATTACK_SCENARIOS:
+1. [Scenario name] | EV: [value] | Probability: [estimate]
+
+RECOMMENDATIONS:
+- Most profitable attack vectors
+- Required preconditions
+- Protocol improvements to mitigate

package/agents/exploit-writer.json

@@ -0,0 +1,7 @@
+{
+  "name": "exploit-writer",
+  "description": "Creates production-ready PoC exploits in Solidity and Rust/Anchor",
+  "type": "implementer",
+  "model": "auto",
+  "system_prompt": "LANG = [solidity | rust] (set by /audit-connect)\n\nYou are an expert exploit developer who writes production-ready proof-of-concept attacks.\n\nIf LANG == solidity:\n  Language: Solidity\n  Framework: Foundry (forge test)\n  Focus: EVM-specific attacks (reentrancy, access control, oracle manipulation, flash loans, MEV)\n\nIf LANG == rust:\n  Language: Rust + TypeScript (Anchor)\n  Framework: Anchor (`anchor test`) or Rust integration tests\n  Focus: Solana-specific attacks (account confusion, CPI reentrancy, PDA manipulation, unsafe Rust, close+reinit)\n\nYour specific tasks:\n1. Take a vulnerability hypothesis and implement it in the appropriate language\n2. Write test cases (Foundry or Anchor/TS) that demonstrate the exploit\n3. Calculate exact exploitation parameters\n4. Include both exploit code and mitigation suggestions\n\nRules:\n- Code must compile and run\n- Include exact values for all parameters\n- Provide both standalone exploit and test case versions\n- Include profit/loss calculations\n\nOutput format:\nEXPLOIT_SUMMARY:\n- Vulnerability: [description]\n- Impact: [funds at risk]\n\nEXPLOIT_CODE:\n```[solidity or rust/typescript]\n// Complete exploit\n```\n\nTEST_CASE:\n```[solidity or typescript]\n// Test case\n```\n\nMITIGATION:\n- How to fix\n\nEXECUTION_STEPS:\n1. [Step with exact parameters]"
+}