brainblast 0.2.0 → 0.3.0

package/dist/cli.js

@@ -1,22 +1,38 @@
 #!/usr/bin/env node
 import {
+  analyzeCosts,
   audit,
+  buildTrustGraph,
+  cacheSize,
+  defaultCachePath,
+  isValidSolanaAddress,
+  loadProgramCache,
+  renderCostReportMd,
+  renderTrustGraphMd,
   resolveRules
-} from "./chunk-H2Y75CSH.js";
+} from "./chunk-BZVZ3WAU.js";
 
 // src/cli.ts
 import { writeFileSync, mkdirSync } from "fs";
 import { join } from "path";
 var args = process.argv.slice(2);
+if (args[0] === "trust-graph") {
+  await runTrustGraph(args.slice(1));
+  process.exit(0);
+}
 var ci = args.includes("--ci");
 var strict = args.includes("--strict");
 var targetDir = args.find((a) => !a.startsWith("--")) ?? process.cwd();
 var rules = resolveRules(targetDir);
 var { checks, report } = audit(targetDir, rules);
+var costReport = analyzeCosts(targetDir);
+report.costAnalysis = costReport;
 var outDir = join(targetDir, ".agent-research");
 mkdirSync(outDir, { recursive: true });
 var reportPath = join(outDir, "report.json");
 writeFileSync(reportPath, JSON.stringify(report, null, 2));
+var costMdPath = join(outDir, "cost-analysis.md");
+writeFileSync(costMdPath, renderCostReportMd(costReport));
 console.log(`brainblast: scanned ${targetDir} with ${rules.length} rule(s)`);
 if (checks.length === 0) console.log("  (no catastrophic components detected)");
 for (const c of checks) {
@@ -30,8 +46,58 @@ console.log(`  verdict: ${report.summary.verdict}  (fail=${fails}, cant_tell=${c
 if (cantTell > 0 && !strict) {
   console.log(`  warning: ${cantTell} cant_tell (not gating \u2014 pass --strict to fail on these)`);
 }
-console.log(`  report:  ${reportPath}`);
+console.log("\n\u2500\u2500 Cost & Rent \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+if (!costReport.priorityFee.found) {
+  console.log("  [HIGH ] priority fee not configured \u2014 add setComputeUnitPrice to critical paths");
+}
+if (costReport.accountFlows.length === 0) {
+  console.log("  (no account-creation flows from tracked modules detected)");
+} else {
+  for (const f of costReport.accountFlows) {
+    const file = f.file.split("/").slice(-2).join("/");
+    const scaleMark = f.scalable ? " [SCALABLE]" : "";
+    console.log(`  ${f.accountType}${scaleMark}  ${file}:${f.line}  +${f.lamports.toLocaleString()} lamports (${f.sol} SOL)`);
+  }
+  if (costReport.totalLockupLamports > 0) {
+    console.log(`  \u2500\u2500\u2500 static lockup total: ${costReport.totalLockupLamports.toLocaleString()} lamports (~${costReport.totalLockupSol} SOL)`);
+  }
+}
+console.log(`  cost report: ${costMdPath}`);
+console.log(`  report:      ${reportPath}`);
 if (ci) {
   const gateFail = fails > 0 || strict && cantTell > 0;
   process.exit(gateFail ? 1 : 0);
 }
+async function runTrustGraph(argv) {
+  const rpcIdx = argv.indexOf("--rpc");
+  const rpcUrl = rpcIdx >= 0 ? argv[rpcIdx + 1] : void 0;
+  const noProbe = argv.includes("--no-probe");
+  const jsonOut = argv.includes("--json");
+  const ids = argv.filter((a) => !a.startsWith("--") && a !== rpcUrl);
+  if (ids.length === 0) {
+    console.error("usage: brainblast trust-graph <programId> [<programId>...] [--rpc URL] [--no-probe] [--json]");
+    process.exit(1);
+  }
+  for (const id of ids) {
+    if (!isValidSolanaAddress(id)) {
+      console.error(`error: '${id}' is not a valid Solana address`);
+      process.exit(1);
+    }
+  }
+  const noCache = argv.includes("--no-cache");
+  const graph = await buildTrustGraph(ids, {
+    rpcUrl,
+    probeRpc: !noProbe,
+    cachePath: noCache ? null : void 0
+  });
+  if (jsonOut) {
+    console.log(JSON.stringify(graph, null, 2));
+  } else {
+    console.log(renderTrustGraphMd(graph));
+  }
+  if (!noCache) {
+    const cp = defaultCachePath();
+    const count = cacheSize(loadProgramCache(cp));
+    console.error(`  program-cache: ${count} entries  (${cp})`);
+  }
+}

package/dist/index.d.ts

@@ -1,5 +1,43 @@
 import { FunctionDeclaration, ArrowFunction } from 'ts-morph';
 
+declare function rentExemptMinimum(dataLen: number): number;
+declare function lamportsToSol(lamports: number): string;
+type Recoverability = "recoverable" | "non-recoverable" | "conditionally-recoverable";
+interface AccountFlow {
+    call: string;
+    module: string;
+    accountType: string;
+    file: string;
+    line: number;
+    dataLen: number;
+    lamports: number;
+    sol: string;
+    recoverability: Recoverability;
+    recoverabilityNote: string;
+    /** Call appears inside a loop or .map()/.forEach() — cost scales with N */
+    scalable: boolean;
+    scalableNote?: string;
+}
+interface PriorityFeePosture {
+    /** true = setComputeUnitPrice call detected somewhere in the target */
+    found: boolean;
+    file?: string;
+    line?: number;
+    detail: string;
+}
+interface CostReport {
+    accountFlows: AccountFlow[];
+    priorityFee: PriorityFeePosture;
+    /** Sum of lamports across non-scalable flows (static lower bound) */
+    totalLockupLamports: number;
+    totalLockupSol: string;
+    /** Subset of flows that grow with N */
+    scalableFlows: AccountFlow[];
+    generatedAt: string;
+}
+declare function analyzeCosts(targetDir: string): CostReport;
+declare function renderCostReportMd(r: CostReport): string;
+
 type Severity = "critical" | "high" | "medium" | "low";
 type CheckResultKind = "pass" | "fail" | "cant_tell";
 interface Candidate {
@@ -8,6 +46,34 @@ interface Candidate {
     params: string[];
     fn: FunctionDeclaration | ArrowFunction;
 }
+interface RustAccountField {
+    /** Rust field identifier, e.g. "counter" */
+    name: string;
+    /** Raw type text, e.g. "Account<'info, Counter>", "Signer<'info>" */
+    typeName: string;
+    /** Full text of every #[account(...)] attribute on this field */
+    attrText: string;
+    /** Whether init_if_needed is present in attrText */
+    hasInitIfNeeded: boolean;
+}
+interface RustCandidate {
+    /** Source .rs file */
+    filePath: string;
+    /** Instruction handler name, e.g. "initialize" */
+    fnName: string;
+    /** Anchor Accounts struct name resolved from Context<X>, e.g. "Initialize" */
+    accountStructName: string;
+    /** All fields extracted from the Accounts struct */
+    accountFields: RustAccountField[];
+    /**
+     * Raw text of the instruction handler body block `{ ... }` — used by
+     * checkers that need to inspect companion calls (require!, data_is_empty, etc.)
+     * without a full tree-sitter traversal.
+     */
+    fnBodyText: string;
+    /** tree-sitter SyntaxNode for the function body — available for precise queries */
+    fnBodyNode: any;
+}
 interface CheckOutcome {
     result: CheckResultKind;
     detail: string;
@@ -34,6 +100,8 @@ interface Rule {
         modules: string[];
         nameRegex: string;
         triggerCalls: string[];
+        /** Defaults to "typescript". Set to "rust" for Anchor/Rust checker kinds. */
+        lang?: "typescript" | "rust";
     };
     check: {
         kind: string;
@@ -96,6 +164,7 @@ declare function audit(targetDir: string, rules: Rule[]): {
             cant_tell: number;
         };
         openQuestions: never[];
+        costAnalysis: CostReport | null;
     };
 };
 
@@ -114,9 +183,138 @@ declare function renderTest(kind: string, opts: {
 }): string;
 declare const testKinds: string[];
 
-declare function runChecker(kind: string, c: Candidate, params: any): CheckOutcome;
+declare function runChecker(kind: string, c: Candidate | RustCandidate, params: any): CheckOutcome;
 declare const checkerKinds: string[];
 
 declare function findCandidates(targetDir: string, rule: Rule): Candidate[];
 
-export { type Candidate, type CheckOutcome, type CheckResult, type CheckResultKind, type Rule, type Severity, audit, auditWithRule, rules as bundledRules, checkerKinds, findCandidates, generateTestForResult, loadRules, renderTest, resolveRules, runChecker, testKinds };
+type UpgradeAuthorityKind = "renounced" | "single-key" | "multisig" | "dao" | "unknown";
+type UpgradeAuthoritySource = "directory" | "rpc" | "research";
+interface UpgradeAuthority {
+    kind: UpgradeAuthorityKind;
+    address: string | null;
+    source: UpgradeAuthoritySource;
+    checkedAt?: string;
+}
+type VerifiedBuildState = {
+    state: "verified";
+    registryUrl: string;
+    commit?: string;
+} | {
+    state: "unverified";
+} | {
+    state: "unknown";
+};
+interface AuditRef {
+    firm: string;
+    date: string;
+    reportUrl: string;
+    auditedCommit?: string;
+}
+interface ParityNote {
+    mainnet: "present" | "absent" | "different" | "unknown";
+    devnet: "present" | "absent" | "different" | "unknown";
+    testnet?: "present" | "absent" | "different" | "unknown";
+    notes?: string;
+}
+interface OnChainProgram {
+    programId: string;
+    name: string;
+    kind?: string;
+    upgradeAuthority: UpgradeAuthority;
+    verifiedBuild: VerifiedBuildState;
+    audits: AuditRef[];
+    parity: ParityNote;
+    invokes?: string[];
+    provenance?: {
+        directoryFile?: string;
+        rpcUrl?: string;
+        researchRun?: string;
+        notes?: string;
+    };
+}
+interface TrustGraph {
+    programs: OnChainProgram[];
+    unresolved: Array<{
+        programId: string;
+        reason: string;
+    }>;
+    generatedAt: string;
+}
+
+interface RpcOpts {
+    rpcUrl?: string;
+    timeoutMs?: number;
+    fetchImpl?: typeof fetch;
+}
+
+interface BuildOpts extends RpcOpts {
+    probeRpc?: boolean;
+    directoryPath?: string;
+    cachePath?: string | null;
+}
+declare function buildTrustGraph(programIds: string[], opts?: BuildOpts): Promise<TrustGraph>;
+
+declare function renderTrustGraphMd(g: TrustGraph): string;
+
+declare function loadDirectory(path?: string): Map<string, OnChainProgram>;
+
+declare function base58Encode(bytes: Uint8Array): string;
+declare function base58Decode(s: string): Uint8Array;
+declare function isValidSolanaAddress(s: string): boolean;
+
+declare const DEFAULT_TTL_HOURS = 168;
+declare const SCHEMA_VERSION = "1.0";
+interface ProgramCacheEntry {
+    program: OnChainProgram;
+    /** ISO 8601 timestamp of when this entry was written. */
+    cachedAt: string;
+    /** The run.id from the brainblast report that produced this entry. */
+    sourceRun: string;
+    /** Hours until this entry expires. Defaults to DEFAULT_TTL_HOURS. */
+    ttlHours?: number;
+}
+interface ProgramCache {
+    schemaVersion: typeof SCHEMA_VERSION;
+    entries: Record<string, ProgramCacheEntry>;
+}
+declare function defaultCachePath(): string;
+/**
+ * Load the program cache from disk.
+ *
+ * Returns an empty cache if the file does not exist, is unreadable, or has an
+ * incompatible schemaVersion. Never throws on missing/corrupt files — callers
+ * can always start fresh.
+ */
+declare function loadProgramCache(cachePath?: string): ProgramCache;
+/**
+ * Persist the program cache to disk, creating parent directories as needed.
+ * Throws only on unrecoverable write errors (e.g. permission denied on the
+ * home directory itself).
+ */
+declare function saveProgramCache(cache: ProgramCache, cachePath?: string): void;
+/**
+ * Return the cached OnChainProgram for programId, or null if:
+ *   - the entry does not exist
+ *   - the entry has exceeded its TTL
+ *
+ * @param ttlHoursOverride - optional override for the TTL check (e.g. for tests)
+ */
+declare function getCacheEntry(cache: ProgramCache, programId: string, ttlHoursOverride?: number): OnChainProgram | null;
+/**
+ * Write (or overwrite) a cache entry for programId.
+ * Mutates the cache object in place and returns it for chaining.
+ */
+declare function putCacheEntry(cache: ProgramCache, programId: string, program: OnChainProgram, sourceRun: string, ttlHours?: number): ProgramCache;
+/**
+ * Return the raw ProgramCacheEntry for programId (including metadata), or null.
+ * Useful for rendering provenance to users ("cached 3 days ago by run X").
+ */
+declare function getCacheEntryMeta(cache: ProgramCache, programId: string): ProgramCacheEntry | null;
+declare function isEntryExpired(entry: ProgramCacheEntry, ttlHoursOverride?: number): boolean;
+/**
+ * Count of non-expired entries in the cache (useful for status lines).
+ */
+declare function cacheSize(cache: ProgramCache, ttlHoursOverride?: number): number;
+
+export { type AccountFlow, type AuditRef, type BuildOpts, type Candidate, type CheckOutcome, type CheckResult, type CheckResultKind, type CostReport, DEFAULT_TTL_HOURS, type OnChainProgram, type ParityNote, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type Rule, type RustAccountField, type RustCandidate, type Severity, type TrustGraph, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, analyzeCosts, audit, auditWithRule, base58Decode, base58Encode, buildTrustGraph, rules as bundledRules, cacheSize, checkerKinds, defaultCachePath, findCandidates, generateTestForResult, getCacheEntry, getCacheEntryMeta, isEntryExpired, isValidSolanaAddress, lamportsToSol, loadDirectory, loadProgramCache, loadRules, putCacheEntry, renderCostReportMd, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, runChecker, saveProgramCache, testKinds };

package/dist/index.js

@@ -1,15 +1,34 @@
 import {
+  DEFAULT_TTL_HOURS,
+  analyzeCosts,
   audit,
   auditWithRule,
+  base58Decode,
+  base58Encode,
+  buildTrustGraph,
+  cacheSize,
   checkerKinds,
+  defaultCachePath,
   findCandidates,
+  getCacheEntry,
+  getCacheEntryMeta,
+  isEntryExpired,
+  isValidSolanaAddress,
+  lamportsToSol,
+  loadDirectory,
+  loadProgramCache,
   loadRules,
+  putCacheEntry,
+  renderCostReportMd,
   renderTest,
+  renderTrustGraphMd,
+  rentExemptMinimum,
   resolveRules,
   rules,
   runChecker,
+  saveProgramCache,
   testKinds
-} from "./chunk-H2Y75CSH.js";
+} from "./chunk-BZVZ3WAU.js";
 
 // src/generate.ts
 import { writeFileSync, mkdirSync } from "fs";
@@ -25,15 +44,34 @@ function generateTestForResult(result, rule, outPath) {
   return outPath;
 }
 export {
+  DEFAULT_TTL_HOURS,
+  analyzeCosts,
   audit,
   auditWithRule,
+  base58Decode,
+  base58Encode,
+  buildTrustGraph,
   rules as bundledRules,
+  cacheSize,
   checkerKinds,
+  defaultCachePath,
   findCandidates,
   generateTestForResult,
+  getCacheEntry,
+  getCacheEntryMeta,
+  isEntryExpired,
+  isValidSolanaAddress,
+  lamportsToSol,
+  loadDirectory,
+  loadProgramCache,
   loadRules,
+  putCacheEntry,
+  renderCostReportMd,
   renderTest,
+  renderTrustGraphMd,
+  rentExemptMinimum,
   resolveRules,
   runChecker,
+  saveProgramCache,
   testKinds
 };

package/dist/programs/directory.yaml

@@ -0,0 +1,179 @@
+# Curated Solana program directory. Human-authored facts; never LLM-edited in
+# place. Every entry is a program brainblast considers "known enough to
+# describe without an RPC call." For anything not in this file, the
+# trust-graph builder falls back to live RPC probing for upgrade authority and
+# reports verifiedBuild=unknown / audits=[] unless the research skill
+# enriches it.
+#
+# Add an entry only when you can cite a primary source for every field.
+# Comments above each entry name those sources.
+
+programs:
+  # System Program — owns wallets, transfers SOL, allocates accounts. Core
+  # runtime; not an upgradeable program. https://docs.solana.com/runtime/programs
+  - programId: "11111111111111111111111111111111"
+    name: System Program
+    kind: runtime
+    upgradeAuthority:
+      kind: renounced
+      address: null
+      source: directory
+    verifiedBuild:
+      state: verified
+      registryUrl: https://github.com/anza-xyz/agave
+    audits: []
+    parity:
+      mainnet: present
+      devnet: present
+      testnet: present
+      notes: Identical on every cluster; part of the validator binary.
+
+  # SPL Token — the legacy SPL token program. Native, non-upgradeable.
+  # https://spl.solana.com/token
+  - programId: "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA"
+    name: SPL Token
+    kind: token
+    upgradeAuthority:
+      kind: renounced
+      address: null
+      source: directory
+    verifiedBuild:
+      state: verified
+      registryUrl: https://github.com/solana-program/token
+    audits:
+      - firm: Kudelski Security
+        date: "2020-08-01"
+        reportUrl: https://github.com/solana-program/token/tree/main/audits
+    parity:
+      mainnet: present
+      devnet: present
+      testnet: present
+      notes: Same address everywhere. Distinct from Token-2022; consumers must pick one and never mix.
+
+  # SPL Token-2022 — the new token program with transfer hooks, fees, and
+  # confidential transfers. DIFFERENT program id from legacy Token; mixing the
+  # two is the #1 trap in the deep-dive research.
+  # https://spl.solana.com/token-2022
+  - programId: "TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb"
+    name: SPL Token-2022
+    kind: token
+    upgradeAuthority:
+      kind: multisig
+      address: "9YBjtad6ZxR7hxNXyTjRRPnPipFbuAU6c2EVHTSVTQAW"
+      source: directory
+      checkedAt: "2025-04-15"
+    verifiedBuild:
+      state: verified
+      registryUrl: https://github.com/solana-program/token-2022
+    audits:
+      - firm: OtterSec
+        date: "2024-02-01"
+        reportUrl: https://github.com/solana-program/token-2022/tree/main/audits
+    parity:
+      mainnet: present
+      devnet: present
+      testnet: present
+      notes: >-
+        Same address on every cluster. Behavior identical, but extensions like transfer-fee
+        and transfer-hook can encode mainnet-only economics that don't show up in devnet
+        testing of a fresh mint.
+
+  # Metaplex Token Metadata. The metadata account for every NFT and most
+  # SPL-token branding goes through this program. isMutable / collection
+  # verification are immutable-after-mint decisions worth flagging.
+  # https://developers.metaplex.com/token-metadata
+  - programId: "metaqbxxUerdq28cj1RbAWkYQm3ybzjb6a8bt518x1s"
+    name: Metaplex Token Metadata
+    kind: metadata
+    upgradeAuthority:
+      kind: multisig
+      address: "BFV9MAfDjT8azkAArh9k4iAjwboTBA9z3PNK7BFNKaiK"
+      source: directory
+      checkedAt: "2025-04-15"
+    verifiedBuild:
+      state: verified
+      registryUrl: https://github.com/metaplex-foundation/mpl-token-metadata
+    audits:
+      - firm: OtterSec
+        date: "2023-09-01"
+        reportUrl: https://github.com/metaplex-foundation/mpl-token-metadata/tree/main/programs/token-metadata/audits
+    parity:
+      mainnet: present
+      devnet: present
+      testnet: present
+      notes: Same address everywhere; metadata is the standard NFT/token-info layer.
+
+  # Memo Program. Lets transactions include UTF-8 notes; no state. Useful in
+  # CPI but trivially safe.
+  - programId: "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr"
+    name: SPL Memo
+    kind: utility
+    upgradeAuthority:
+      kind: renounced
+      address: null
+      source: directory
+    verifiedBuild:
+      state: verified
+      registryUrl: https://github.com/solana-program/memo
+    audits: []
+    parity:
+      mainnet: present
+      devnet: present
+      testnet: present
+
+  # Compute Budget Program. Lets a tx set its compute unit price/limit. Pure
+  # runtime; not upgradeable. Worth knowing for fee posture in the cost report.
+  - programId: "ComputeBudget111111111111111111111111111111"
+    name: Compute Budget Program
+    kind: runtime
+    upgradeAuthority:
+      kind: renounced
+      address: null
+      source: directory
+    verifiedBuild:
+      state: verified
+      registryUrl: https://github.com/anza-xyz/agave
+    audits: []
+    parity:
+      mainnet: present
+      devnet: present
+      testnet: present
+
+  # Address Lookup Table Program. Lets transactions reference more accounts
+  # than the legacy 32-account limit allows.
+  - programId: "AddressLookupTab1e1111111111111111111111111"
+    name: Address Lookup Table Program
+    kind: runtime
+    upgradeAuthority:
+      kind: renounced
+      address: null
+      source: directory
+    verifiedBuild:
+      state: verified
+      registryUrl: https://github.com/anza-xyz/agave
+    audits: []
+    parity:
+      mainnet: present
+      devnet: present
+      testnet: present
+
+  # BPF Upgradeable Loader. The program that owns every upgradeable program;
+  # `setAuthority` and `upgrade` instructions go through here. The trust
+  # graph routinely reads ProgramData accounts owned by this address to
+  # resolve the upgrade authority of any other upgradeable program.
+  - programId: "BPFLoaderUpgradeab1e11111111111111111111111"
+    name: BPF Upgradeable Loader
+    kind: loader
+    upgradeAuthority:
+      kind: renounced
+      address: null
+      source: directory
+    verifiedBuild:
+      state: verified
+      registryUrl: https://github.com/anza-xyz/agave
+    audits: []
+    parity:
+      mainnet: present
+      devnet: present
+      testnet: present
+      notes: The loader itself is part of the validator and not upgradeable in the BPF sense.

package/dist/rules/anchor-init-if-needed-guarded.yaml

@@ -0,0 +1,47 @@
+# Pure-data rule (facts). Binds to vetted templates by `check.kind`/`test.kind`.
+# Promoted from findings/anchor-init-if-needed-reinit.json after the
+# proof-as-classifier loop (synth-prove) closed RED->GREEN against the
+# new `anchor-init-if-needed-guarded` checker kind (tree-sitter-rust based).
+id: anchor-init-if-needed-guarded
+severity: critical
+title: Anchor init_if_needed account has a reinitialization guard
+component:
+  name: Anchor Framework
+  type: Blockchain
+  version: ">=0.26.0"
+  sourceUrl: https://www.anchor-lang.com/docs/the-accounts-struct#init_if_needed
+detect:
+  # This rule operates on Rust source files — requires tree-sitter-rust.
+  lang: rust
+  modules:
+    - "@coral-xyz/anchor"
+    - "@project-serum/anchor"
+  # Match instruction handlers that initialize accounts. Detection also
+  # triggers on any function whose Accounts struct has init_if_needed.
+  nameRegex: "initialize|init_if_needed"
+  triggerCalls:
+    - init_if_needed
+check:
+  kind: anchor-init-if-needed-guarded
+  params:
+    passDetail: >-
+      Handler has #[account(init_if_needed)] and a reinitialization guard
+      (require!, data_is_empty, or is_initialized check). A second invocation
+      will be rejected before writing to the account.
+    failAbsentDetail: >-
+      Handler uses #[account(init_if_needed)] without a reinitialization guard.
+      A malicious caller can invoke the instruction a second time to overwrite
+      the account's data — a full state-wipe with no on-chain recourse.
+      Add: require!(account_field.field == initial_value, ErrorCode::AlreadyInitialized)
+      at the top of the handler body.
+    absentDetail: >-
+      Handler has no #[account(init_if_needed)] fields; the reinit-guard rule
+      does not apply.
+test:
+  kind: anchor-program-test
+  params:
+    scenario: reinit-attempt
+    description: >-
+      Calls the instruction twice on the same account; the second call must
+      fail with AlreadyInitialized (or equivalent). If it succeeds, the
+      account state has been silently overwritten.

package/dist/rules/bags-fee-share-creator-included.yaml

@@ -9,7 +9,12 @@ component:
   sourceUrl: https://docs.bags.fm/changelog/changelog
 detect:
   modules: ["@bagsfm/bags-sdk"]
-  nameRegex: "feeshare|feeclaimer|bagsfee|launchtoken|tokenlaunch"
+  # Keep the regex tight to Bags-specific terms; broad terms like
+  # "launchtoken"/"tokenlaunch" cross-matched non-Bags Solana handlers
+  # (e.g. Token-2022 launch helpers) and produced spurious "no Bags fee
+  # config" failures. Bags candidates still resolve via the import or the
+  # createBagsFeeShareConfig trigger call.
+  nameRegex: "feeshare|feeclaimer|bagsfee"
   triggerCalls: [createBagsFeeShareConfig]
 check:
   kind: fee-allocation-shape