npm - brainblast - Versions diffs - 0.2.0 → 0.3.0 - Mend

brainblast 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/README.md +73 -15
package/dist/chunk-BZVZ3WAU.js +1659 -0
package/dist/cli.js +68 -2
package/dist/index.d.ts +200 -2
package/dist/index.js +39 -1
package/dist/programs/directory.yaml +179 -0
package/dist/rules/anchor-init-if-needed-guarded.yaml +47 -0
package/dist/rules/bags-fee-share-creator-included.yaml +6 -1
package/dist/rules/metaplex-metadata-immutable.yaml +55 -0
package/dist/rules/privy-jwt-verification.yaml +5 -1
package/dist/rules/token-2022-program-id-pinned.yaml +55 -0
package/package.json +50 -9
package/dist/chunk-H2Y75CSH.js +0 -494

package/dist/rules/metaplex-metadata-immutable.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+# Pure-data rule (facts). Binds to vetted templates by `check.kind`/`test.kind`.
+# Promoted from findings/metaplex-metadata-immutable.json after the
+# proof-as-classifier loop (synth-prove) closed RED->GREEN against the
+# new `object-arg-property-literal-equals` checker kind.
+id: metaplex-metadata-immutable
+severity: critical
+title: Metaplex createV1 called with isMutable false to seal token metadata at mint
+component:
+  name: Metaplex Token Metadata
+  type: Blockchain
+  version: unversioned
+  sourceUrl: https://developers.metaplex.com/token-metadata
+detect:
+  modules: ["@metaplex-foundation/mpl-token-metadata"]
+  # Brand-specific terms only. Bare "token"/"mint" cross-match SPL-token,
+  # Bags, and other handlers. Metaplex candidates still resolve via the
+  # @metaplex-foundation/mpl-token-metadata import or the createV1/createNft
+  # trigger calls.
+  nameRegex: "metaplex|mpl|createNft"
+  triggerCalls: [createV1, createNft, createAndMint, createMetadataAccountV3]
+check:
+  kind: object-arg-property-literal-equals
+  params:
+    call: createV1
+    argIndex: 1
+    propName: isMutable
+    expectedValue: false
+    passDetail: >-
+      createV1 passes isMutable: false — token metadata is permanently sealed
+      at mint time. Name, symbol, and URI cannot be changed regardless of who
+      holds the update authority.
+    failAbsentDetail: >-
+      createV1 omits isMutable (SDK defaults to true). The update authority
+      retains the ability to change the token name, symbol, and URI after mint —
+      permanently. Seal the metadata by passing isMutable: false. There is no
+      on-chain migration path once metadata is minted as mutable.
+    failWrongDetail: >-
+      createV1 passes isMutable: true explicitly. Token metadata will remain
+      mutable after mint — the update authority key becomes a permanent attack
+      surface. Pass isMutable: false to seal it at mint time.
+    failArgDetail: >-
+      createV1's options argument is not an inline object literal; cannot
+      statically verify isMutable. Inline the options object so static analysis
+      can confirm isMutable: false.
+    failDynamicDetail: >-
+      isMutable is set via a variable or expression; cannot confirm it resolves
+      to false statically. Use the boolean literal false directly.
+    absentCallDetail: >-
+      Handler is in Metaplex scope but does not call createV1; the
+      metadata-immutability rule does not apply here.
+    scopeNotMetDetail: >-
+      File does not import from @metaplex-foundation/mpl-token-metadata; the
+      metadata-immutability rule does not apply.
+test:
+  kind: metaplex-immutable-metadata

package/dist/rules/privy-jwt-verification.yaml CHANGED Viewed

@@ -9,7 +9,11 @@ component:
   sourceUrl: https://docs.privy.io/authentication/user-authentication/access-tokens
 detect:
   modules: [jose, jsonwebtoken, "@privy-io/node", "@privy-io/server-auth"]
-  nameRegex: "token|auth|verify|privy|jwt"
+  # Brand-specific terms only. Bare "token"/"auth" cross-match unrelated
+  # Solana handlers (launchToken, etc.) and produce spurious cant_tell noise.
+  # Privy handlers are still picked up by the @privy-io/* / jose / jsonwebtoken
+  # imports, and by triggerCalls like decodeJwt / jwtVerify.
+  nameRegex: "privy|jwt"
   triggerCalls: [decodeJwt, jwtVerify, verify, decode]
 check:
   kind: required-call-with-options

package/dist/rules/token-2022-program-id-pinned.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+# Pure-data rule (facts). Binds to vetted templates by `check.kind`/`test.kind`.
+# Promoted from findings/token-2022-program-id-mismatch.json after the
+# proof-as-classifier loop (synth-prove) closed RED->GREEN against the
+# new `arg-equals-constant-identifier` checker kind.
+id: token-2022-program-id-pinned
+severity: critical
+title: Token-2022 createMint passes TOKEN_2022_PROGRAM_ID as the program ID argument
+component:
+  name: SPL Token-2022
+  type: Blockchain
+  version: unversioned
+  sourceUrl: https://spl.solana.com/token-2022
+detect:
+  modules: ["@solana/spl-token"]
+  # Keep the regex narrow to terms specific to SPL-token-mint construction;
+  # bare "token"/"launch" would cross-match unrelated handlers (Privy
+  # verifyPrivyToken, etc.). Real Token-2022 handlers still resolve via the
+  # @solana/spl-token import or the createMint trigger call.
+  nameRegex: "createMint|mint22|token2022"
+  triggerCalls: [createMint]
+check:
+  kind: arg-equals-constant-identifier
+  params:
+    call: createMint
+    argIndex: 7
+    expectedIdentifier: TOKEN_2022_PROGRAM_ID
+    forbiddenIdentifiers: [TOKEN_PROGRAM_ID]
+    # Scope predicate: only enforce when the file imports TOKEN_2022_PROGRAM_ID.
+    # Without this, every legacy-mint codebase would false-positive.
+    requireImport: TOKEN_2022_PROGRAM_ID
+    passDetail: >-
+      createMint passes {expected} as its programId argument — Token-2022
+      features will work as designed.
+    failForbiddenDetail: >-
+      createMint passes {got} (legacy Token program) where Token-2022 was
+      intended. The mint will be owned by the legacy program; Token-2022
+      features (transfer hooks, transfer fees, confidential transfers) will
+      not work and there is NO on-chain fix — a mint's owner program is part
+      of its identity.
+    failMissingDetail: >-
+      createMint omits its programId argument (or passes undefined), which
+      silently defaults to the LEGACY Token program even though the file
+      imports {expected}. Pass {expected} explicitly.
+    failOtherDetail: >-
+      createMint passes '{got}' as programId; expected {expected}. If this is
+      a custom constant, alias it to {expected} or pass the canonical name so
+      the trap detector and downstream readers agree.
+    absentCallDetail: >-
+      Handler is in the SPL-token scope but does not call createMint; the
+      Token-2022 pin rule does not apply here.
+    scopeNotMetDetail: >-
+      File does not import TOKEN_2022_PROGRAM_ID; legacy-token codebase — the
+      Token-2022 pin rule does not apply.
+test:
+  kind: token-program-consistency

package/package.json CHANGED Viewed

@@ -1,35 +1,76 @@
 {
   "name": "brainblast",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "type": "module",
   "description": "Deterministic auditor for catastrophic AI-integration bugs: scan a repo, find the silent money/auth traps, and generate the behavioral test that proves they're fixed.",
-  "keywords": ["security", "static-analysis", "stripe", "webhook", "jwt", "solana", "bags", "ci", "ai", "audit"],
+  "keywords": [
+    "security",
+    "static-analysis",
+    "audit",
+    "stripe",
+    "webhook",
+    "jwt",
+    "solana",
+    "anchor",
+    "metaplex",
+    "token-2022",
+    "trust-graph",
+    "bags",
+    "rent",
+    "ci",
+    "ai"
+  ],
   "license": "MIT",
   "author": "DSB-117",
   "homepage": "https://github.com/DSB-117/brainblast/tree/main/packages/core#readme",
-  "bugs": { "url": "https://github.com/DSB-117/brainblast/issues" },
-  "repository": { "type": "git", "url": "git+https://github.com/DSB-117/brainblast.git", "directory": "packages/core" },
-  "bin": { "brainblast": "dist/cli.js" },
+  "bugs": {
+    "url": "https://github.com/DSB-117/brainblast/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/DSB-117/brainblast.git",
+    "directory": "packages/core"
+  },
+  "bin": {
+    "brainblast": "dist/cli.js"
+  },
   "exports": {
-    ".": { "types": "./dist/index.d.ts", "import": "./dist/index.js" }
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
   },
-  "files": ["dist", "README.md"],
-  "engines": { "node": ">=18" },
-  "publishConfig": { "access": "public", "provenance": true },
   "scripts": {
     "build": "tsup",
     "prepublishOnly": "npm run typecheck && npm test && npm run build",
     "audit": "tsx src/cli.ts",
     "prove": "tsx scripts/prove.ts",
+    "synth": "tsx scripts/synth-prove.ts",
+    "synth:bags": "tsx scripts/synth-prove.ts findings/bags-known-answer.json",
     "test": "vitest run",
     "coverage": "vitest run --coverage",
     "typecheck": "tsc --noEmit -p tsconfig.json"
   },
   "dependencies": {
+    "tree-sitter": "^0.22.4",
+    "tree-sitter-rust": "^0.24.0",
     "ts-morph": "^23",
     "yaml": "^2"
   },
   "devDependencies": {
+    "@metaplex-foundation/mpl-token-metadata": "^3.4.0",
+    "@solana/spl-token": "^0.4.14",
     "@types/node": "^22",
     "@vitest/coverage-v8": "^2",
     "jose": "^5",