npm - brainblast - Versions diffs - 0.2.0 → 0.3.0 - Mend

brainblast 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/README.md +73 -15
package/dist/chunk-BZVZ3WAU.js +1659 -0
package/dist/cli.js +68 -2
package/dist/index.d.ts +200 -2
package/dist/index.js +39 -1
package/dist/programs/directory.yaml +179 -0
package/dist/rules/anchor-init-if-needed-guarded.yaml +47 -0
package/dist/rules/bags-fee-share-creator-included.yaml +6 -1
package/dist/rules/metaplex-metadata-immutable.yaml +55 -0
package/dist/rules/privy-jwt-verification.yaml +5 -1
package/dist/rules/token-2022-program-id-pinned.yaml +55 -0
package/package.json +50 -9
package/dist/chunk-H2Y75CSH.js +0 -494

package/dist/chunk-H2Y75CSH.js DELETED Viewed

@@ -1,494 +0,0 @@
-// src/finder.ts
-import { Project, SyntaxKind } from "ts-morph";
-// src/walk.ts
-import { readdirSync, statSync } from "fs";
-import { join } from "path";
-function walk(dir, out = []) {
-  for (const entry of readdirSync(dir)) {
-    if (entry === "node_modules" || entry === ".git" || entry === ".gen") continue;
-    const p = join(dir, entry);
-    const st = statSync(p);
-    if (st.isDirectory()) walk(p, out);
-    else if (p.endsWith(".ts") && !p.endsWith(".test.ts") && !p.endsWith(".d.ts")) out.push(p);
-  }
-  return out;
-}
-// src/finder.ts
-function bodyCallsAnyOf(fn, names) {
-  if (names.size === 0) return false;
-  return fn.getDescendantsOfKind(SyntaxKind.CallExpression).some((c) => {
-    const exp = c.getExpression();
-    if (exp.getKind() === SyntaxKind.Identifier) return names.has(exp.getText());
-    if (exp.getKind() === SyntaxKind.PropertyAccessExpression) {
-      return names.has(exp.asKind(SyntaxKind.PropertyAccessExpression).getName());
-    }
-    return false;
-  });
-}
-function findCandidates(targetDir, rule) {
-  const files = walk(targetDir);
-  const project = new Project({ skipAddingFilesFromTsConfig: true, compilerOptions: { allowJs: false } });
-  const modules = new Set(rule.detect.modules);
-  const triggers = new Set(rule.detect.triggerCalls);
-  const nameRe = new RegExp(rule.detect.nameRegex, "i");
-  const out = [];
-  for (const file of files) {
-    const sf = project.addSourceFileAtPath(file);
-    const importsModule = sf.getImportDeclarations().some((d) => modules.has(d.getModuleSpecifierValue()));
-    const consider = (fn, name) => {
-      if (!(importsModule || name && nameRe.test(name) || bodyCallsAnyOf(fn, triggers))) return;
-      out.push({
-        filePath: file,
-        fnName: name || "(anonymous)",
-        params: fn.getParameters().map((p) => p.getName()),
-        fn
-      });
-    };
-    for (const fn of sf.getFunctions()) consider(fn, fn.getName() ?? "");
-    for (const v of sf.getVariableDeclarations()) {
-      const arrow = v.getInitializerIfKind(SyntaxKind.ArrowFunction);
-      if (arrow) consider(arrow, v.getName());
-    }
-  }
-  return out;
-}
-// src/checkers/positionalArgIdentity.ts
-import { SyntaxKind as SyntaxKind2 } from "ts-morph";
-var positionalArgIdentity = (c, p) => {
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind2.CallExpression).filter((call) => {
-    const exp = call.getExpression();
-    return exp.getKind() === SyntaxKind2.PropertyAccessExpression && exp.asKind(SyntaxKind2.PropertyAccessExpression).getName() === p.call;
-  });
-  if (calls.length === 0) return { result: "fail", detail: p.absentDetail };
-  const arg = calls[0].getArguments()[p.argIndex];
-  const wantParam = c.params[p.paramIndex];
-  if (arg && wantParam && arg.getKind() === SyntaxKind2.Identifier && arg.getText() === wantParam) {
-    return { result: "pass", detail: String(p.passDetail).replace("{param}", wantParam) };
-  }
-  if (arg && arg.getKind() === SyntaxKind2.CallExpression) {
-    return { result: "fail", detail: p.parsedDetail };
-  }
-  return {
-    result: "cant_tell",
-    detail: `Could not confirm argument ${p.argIndex} of ${p.call} is the raw input.`
-  };
-};
-// src/checkers/requiredCallWithOptions.ts
-import { SyntaxKind as SyntaxKind3 } from "ts-morph";
-function callName(call) {
-  const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind3.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind3.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind3.PropertyAccessExpression).getName();
-  }
-  return "";
-}
-function hasAllProps(call, groups) {
-  for (const arg of call.getArguments()) {
-    const obj = arg.asKind(SyntaxKind3.ObjectLiteralExpression);
-    if (!obj) continue;
-    const names = obj.getProperties().map((pr) => {
-      const pa = pr.asKind(SyntaxKind3.PropertyAssignment) ?? pr.asKind(SyntaxKind3.ShorthandPropertyAssignment);
-      return pa?.getName() ?? "";
-    });
-    if (groups.every((g) => g.some((n) => names.includes(n)))) return true;
-  }
-  return false;
-}
-var requiredCallWithOptions = (c, p) => {
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind3.CallExpression);
-  const verify = calls.filter((x) => p.verifyCalls.includes(callName(x)));
-  const decode = calls.filter((x) => p.decodeCalls.includes(callName(x)));
-  if (verify.length > 0) {
-    if (verify.some((v) => hasAllProps(v, p.requiredProps))) {
-      return { result: "pass", detail: p.passDetail };
-    }
-    return { result: "fail", detail: p.missingPropsDetail };
-  }
-  if (decode.length > 0) return { result: "fail", detail: p.decodeOnlyDetail };
-  return { result: "cant_tell", detail: "No verification or decode call found." };
-};
-// src/checkers/feeAllocationShape.ts
-import { SyntaxKind as SyntaxKind4 } from "ts-morph";
-function callName2(call) {
-  const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind4.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind4.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind4.PropertyAccessExpression).getName();
-  }
-  return "";
-}
-function asArrayLiteral(expr, c) {
-  if (!expr) return void 0;
-  const direct = expr.asKind(SyntaxKind4.ArrayLiteralExpression);
-  if (direct) return direct;
-  if (expr.getKind() === SyntaxKind4.Identifier) {
-    const name = expr.getText();
-    for (const decl of c.fn.getDescendantsOfKind(SyntaxKind4.VariableDeclaration)) {
-      if (decl.getName() === name) {
-        return decl.getInitializerIfKind(SyntaxKind4.ArrayLiteralExpression);
-      }
-    }
-  }
-  return void 0;
-}
-function feeArray(call, prop, c) {
-  for (const arg of call.getArguments()) {
-    const obj = arg.asKind(SyntaxKind4.ObjectLiteralExpression);
-    if (!obj) continue;
-    const member = obj.getProperty(prop);
-    if (!member) continue;
-    const pa = member.asKind(SyntaxKind4.PropertyAssignment);
-    if (pa) return asArrayLiteral(pa.getInitializer(), c) ?? null;
-    const shorthand = member.asKind(SyntaxKind4.ShorthandPropertyAssignment);
-    if (shorthand) return asArrayLiteral(shorthand.getNameNode(), c) ?? null;
-    return null;
-  }
-  return void 0;
-}
-function propInit(entry, name) {
-  return entry.getProperty(name)?.asKind(SyntaxKind4.PropertyAssignment)?.getInitializer();
-}
-var feeAllocationShape = (c, p) => {
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind4.CallExpression).filter((x) => callName2(x) === p.configCall);
-  if (calls.length === 0) return { result: "fail", detail: p.absentDetail };
-  const arr = feeArray(calls[0], p.arrayProp, c);
-  if (arr === void 0 || arr === null) {
-    return { result: "cant_tell", detail: p.dynamicDetail };
-  }
-  const entries = arr.getElements().map((e) => e.asKind(SyntaxKind4.ObjectLiteralExpression));
-  if (entries.length === 0 || entries.some((e) => !e)) {
-    return { result: "cant_tell", detail: p.dynamicDetail };
-  }
-  const creatorParam = c.params.find((name) => new RegExp(p.creatorParamRegex, "i").test(name));
-  const creatorIncluded = creatorParam ? entries.some((e) => propInit(e, p.walletProp)?.getText() === creatorParam) : false;
-  if (!creatorIncluded) return { result: "fail", detail: p.creatorMissingDetail };
-  let sum = 0;
-  let allNumeric = true;
-  for (const e of entries) {
-    const lit = propInit(e, p.bpsProp)?.asKind(SyntaxKind4.NumericLiteral);
-    if (!lit) {
-      allNumeric = false;
-      break;
-    }
-    sum += Number(lit.getLiteralValue());
-  }
-  if (!allNumeric) return { result: "cant_tell", detail: p.dynamicDetail };
-  if (sum !== p.bpsTotal) {
-    return { result: "fail", detail: String(p.bpsSumDetail).replace("{sum}", String(sum)) };
-  }
-  return { result: "pass", detail: String(p.passDetail).replace("{param}", creatorParam) };
-};
-// src/checkers/index.ts
-var registry = {
-  "positional-arg-identity": positionalArgIdentity,
-  "required-call-with-options": requiredCallWithOptions,
-  "fee-allocation-shape": feeAllocationShape
-};
-function runChecker(kind, c, params) {
-  const fn = registry[kind];
-  if (!fn) return { result: "cant_tell", detail: `Unknown checker kind '${kind}'.` };
-  return fn(c, params);
-}
-var checkerKinds = Object.keys(registry);
-// src/emit.ts
-function buildReport(target, checks, rules2) {
-  const byId = new Map(rules2.map((r) => [r.id, r]));
-  const checkTotals = { pass: 0, fail: 0, cant_tell: 0 };
-  for (const c of checks) checkTotals[c.result]++;
-  const riskTotals = { critical: 0, high: 0, medium: 0, low: 0 };
-  for (const c of checks) if (c.result === "fail") riskTotals[c.severity]++;
-  const ruleIdsSeen = [...new Set(checks.map((c) => c.ruleId))];
-  const components = ruleIdsSeen.map((id) => {
-    const rule = byId.get(id);
-    const fails = checks.filter((c) => c.ruleId === id && c.result === "fail");
-    return {
-      name: rule?.component.name ?? id,
-      type: rule?.component.type ?? "Other",
-      version: rule?.component.version ?? "unversioned",
-      sourceUrl: rule?.component.sourceUrl ?? null,
-      status: "fresh",
-      risks: fails.map((c) => ({ severity: c.severity, title: c.title, detail: c.detail }))
-    };
-  });
-  const now = /* @__PURE__ */ new Date();
-  const totalFails = checkTotals.fail;
-  return {
-    schemaVersion: "1.0",
-    run: {
-      id: now.toISOString().replace(/[-:T]/g, "").slice(0, 14),
-      date: now.toISOString().slice(0, 10),
-      requirements: `Catastrophic-integration audit of ${target}`,
-      generator: "@brainblast/core"
-    },
-    summary: {
-      building: "external integrations",
-      verdict: totalFails > 0 ? "blocked" : "ready",
-      topRisk: totalFails > 0 ? checks.find((c) => c.result === "fail")?.detail ?? null : null,
-      mustDecideFirst: null,
-      watchOutFor: null
-    },
-    components,
-    riskTotals,
-    checks: checks.map((c) => ({
-      ruleId: c.ruleId,
-      severity: c.severity,
-      result: c.result,
-      file: c.file,
-      line: c.line,
-      title: c.title,
-      detail: c.detail
-    })),
-    checkTotals,
-    openQuestions: []
-  };
-}
-// src/audit.ts
-function auditWithRule(targetDir, rule) {
-  return findCandidates(targetDir, rule).map((c) => {
-    const outcome = runChecker(rule.check.kind, c, rule.check.params);
-    return {
-      ruleId: rule.id,
-      severity: rule.severity,
-      title: rule.title,
-      file: c.filePath,
-      line: c.fn.getStartLineNumber(),
-      exportName: c.fnName,
-      ...outcome
-    };
-  });
-}
-function audit(targetDir, rules2) {
-  const checks = rules2.flatMap((r) => auditWithRule(targetDir, r));
-  const report = buildReport(targetDir, checks, rules2);
-  return { checks, report };
-}
-// src/testTemplates/stripeWebhookSignature.ts
-var stripeWebhookSignature = ({ handlerImportPath, handlerExport }) => `// GENERATED by @brainblast/core. Durable guardrail \u2014 RED until the webhook
-// verifies the signature on the RAW body.
-import { describe, it, expect, beforeAll } from "vitest";
-import Stripe from "stripe";
-import { ${handlerExport} } from ${JSON.stringify(handlerImportPath)};
-const SECRET = "whsec_brainblast_test_secret";
-const stripe = new Stripe("sk_test_brainblast");
-const payload = JSON.stringify({ id: "evt_1", type: "payment_intent.succeeded", data: { object: { id: "pi_1" } } });
-beforeAll(() => {
-  process.env.STRIPE_WEBHOOK_SECRET = SECRET;
-  process.env.STRIPE_SECRET_KEY = "sk_test_brainblast";
-});
-describe("Stripe webhook signature verification (brainblast contract)", () => {
-  it("accepts a validly-signed event", () => {
-    const sig = stripe.webhooks.generateTestHeaderString({ payload, secret: SECRET });
-    expect(() => ${handlerExport}(payload, sig)).not.toThrow();
-  });
-  it("REJECTS an invalid signature (forged event)", () => {
-    expect(() => ${handlerExport}(payload, "t=1,v1=deadbeef")).toThrow();
-  });
-  it("REJECTS a mutated body under a valid-looking signature", () => {
-    const sig = stripe.webhooks.generateTestHeaderString({ payload, secret: SECRET });
-    const mutated = payload.replace("succeeded", "failed");
-    expect(() => ${handlerExport}(mutated, sig)).toThrow();
-  });
-});
-`;
-// src/testTemplates/privyJwtClaims.ts
-var privyJwtClaims = ({ handlerImportPath, handlerExport }) => `// GENERATED by @brainblast/core. Durable guardrail \u2014 RED until the token is
-// verified (signature + aud + iss).
-import { describe, it, expect, beforeAll } from "vitest";
-import { SignJWT, generateKeyPair, exportSPKI } from "jose";
-import { ${handlerExport} } from ${JSON.stringify(handlerImportPath)};
-const APP_ID = "app_brainblast";
-let valid = "", badSignature = "", wrongAudience = "", wrongIssuer = "";
-beforeAll(async () => {
-  const { publicKey, privateKey } = await generateKeyPair("ES256");
-  const attacker = await generateKeyPair("ES256");
-  process.env.PRIVY_APP_ID = APP_ID;
-  process.env.PRIVY_VERIFICATION_KEY = await exportSPKI(publicKey);
-  const mint = (signer: any, iss: string, aud: string) =>
-    new SignJWT({})
-      .setProtectedHeader({ alg: "ES256" })
-      .setIssuer(iss)
-      .setAudience(aud)
-      .setSubject("did:privy:user_1")
-      .setExpirationTime("1h")
-      .sign(signer);
-  valid = await mint(privateKey, "privy.io", APP_ID);
-  badSignature = await mint(attacker.privateKey, "privy.io", APP_ID);
-  wrongAudience = await mint(privateKey, "privy.io", "app_evil");
-  wrongIssuer = await mint(privateKey, "evil.com", APP_ID);
-});
-const call = (t: string) => Promise.resolve().then(() => ${handlerExport}(t));
-describe("Privy access-token verification (brainblast contract)", () => {
-  it("accepts a valid token", async () => { await expect(call(valid)).resolves.toBeDefined(); });
-  it("REJECTS a bad signature (forged token)", async () => { await expect(call(badSignature)).rejects.toThrow(); });
-  it("REJECTS a wrong audience (token from another app)", async () => { await expect(call(wrongAudience)).rejects.toThrow(); });
-  it("REJECTS a wrong issuer", async () => { await expect(call(wrongIssuer)).rejects.toThrow(); });
-});
-`;
-// src/testTemplates/bagsFeeShare.ts
-var bagsFeeShare = ({ handlerImportPath, handlerExport }) => `// GENERATED by @brainblast/core. Durable guardrail \u2014 RED until the fee-share
-// config includes the creator wallet with a non-zero userBps summing to 10000.
-import { describe, it, expect, vi, beforeEach } from "vitest";
-let captured: any;
-vi.mock("@bagsfm/bags-sdk", () => ({
-  createBagsFeeShareConfig: (cfg: any) => {
-    captured = cfg;
-    return { meteoraConfigKey: "mock-config-key" };
-  },
-  BagsSDK: class {},
-}));
-import { ${handlerExport} } from ${JSON.stringify(handlerImportPath)};
-const CREATOR = "CreatorWa11etPubKey1111111111111111111111111";
-describe("Bags fee-share creator inclusion (brainblast contract)", () => {
-  beforeEach(() => {
-    captured = undefined;
-  });
-  it("passes the creator wallet into feeClaimers", () => {
-    ${handlerExport}(CREATOR);
-    const claimers = captured?.feeClaimers ?? [];
-    expect(claimers.some((c: any) => c.user === CREATOR)).toBe(true);
-  });
-  it("allocates the creator a non-zero userBps", () => {
-    ${handlerExport}(CREATOR);
-    const entry = (captured?.feeClaimers ?? []).find((c: any) => c.user === CREATOR);
-    expect(entry?.userBps ?? 0).toBeGreaterThan(0);
-  });
-  it("feeClaimers userBps sum to exactly 10000", () => {
-    ${handlerExport}(CREATOR);
-    const sum = (captured?.feeClaimers ?? []).reduce((s: number, c: any) => s + c.userBps, 0);
-    expect(sum).toBe(10000);
-  });
-});
-`;
-// src/testTemplates/index.ts
-var registry2 = {
-  "stripe-webhook-signature": stripeWebhookSignature,
-  "privy-jwt-claims": privyJwtClaims,
-  "bags-fee-share": bagsFeeShare
-};
-var JS_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;
-function renderTest(kind, opts) {
-  const tpl = registry2[kind];
-  if (!tpl) throw new Error(`Unknown test template kind '${kind}'.`);
-  if (!JS_IDENTIFIER.test(opts.handlerExport)) {
-    throw new Error(`Unsafe handler export name '${opts.handlerExport}' (not a JS identifier).`);
-  }
-  return tpl(opts);
-}
-var testKinds = Object.keys(registry2);
-// src/loadRules.ts
-import { readdirSync as readdirSync2, readFileSync } from "fs";
-import { join as join2 } from "path";
-import { parse } from "yaml";
-var SEVERITIES = ["critical", "high", "medium", "low"];
-function validateRule(r, file) {
-  const errs = [];
-  if (!r || typeof r !== "object") {
-    throw new Error(`invalid rule in ${file}: not a mapping`);
-  }
-  if (!r.id || typeof r.id !== "string") errs.push("missing id");
-  if (!SEVERITIES.includes(r.severity)) errs.push(`bad severity '${r.severity}'`);
-  if (!r.title || typeof r.title !== "string") errs.push("missing title");
-  if (!r.component || !r.component.name || !r.component.type) errs.push("missing component.name/type");
-  if (!r.detect || !Array.isArray(r.detect.modules) || typeof r.detect.nameRegex !== "string" || !Array.isArray(r.detect.triggerCalls)) {
-    errs.push("detect must have modules[], nameRegex (string), triggerCalls[]");
-  } else {
-    try {
-      new RegExp(r.detect.nameRegex);
-    } catch {
-      errs.push(`detect.nameRegex is not a valid regex: ${r.detect.nameRegex}`);
-    }
-  }
-  if (!r.check || !checkerKinds.includes(r.check.kind)) {
-    errs.push(`check.kind must be one of ${checkerKinds.join("|")} (got '${r.check?.kind}')`);
-  }
-  if (!r.test || !testKinds.includes(r.test.kind)) {
-    errs.push(`test.kind must be one of ${testKinds.join("|")} (got '${r.test?.kind}')`);
-  }
-  if (errs.length) throw new Error(`invalid rule in ${file}: ${errs.join("; ")}`);
-}
-function loadRules(dir) {
-  const files = readdirSync2(dir).filter((f) => f.endsWith(".yaml") || f.endsWith(".yml")).sort();
-  const rules2 = [];
-  for (const f of files) {
-    const raw = parse(readFileSync(join2(dir, f), "utf8"));
-    validateRule(raw, f);
-    rules2.push(raw);
-  }
-  return rules2;
-}
-// rules/index.ts
-import { existsSync } from "fs";
-import { dirname, join as join3 } from "path";
-import { fileURLToPath } from "url";
-function bundledRulesDir() {
-  const here = dirname(fileURLToPath(import.meta.url));
-  if (existsSync(join3(here, "stripe-webhook-raw-body.yaml"))) return here;
-  const sub = join3(here, "rules");
-  if (existsSync(join3(sub, "stripe-webhook-raw-body.yaml"))) return sub;
-  return here;
-}
-var rules = loadRules(bundledRulesDir());
-// src/resolveRules.ts
-import { existsSync as existsSync2 } from "fs";
-import { join as join4 } from "path";
-function resolveRules(targetDir) {
-  const all = [...rules];
-  const projDir = join4(targetDir, ".agent-research", "rules");
-  if (existsSync2(projDir)) {
-    const seen = new Set(all.map((r) => r.id));
-    for (const r of loadRules(projDir)) {
-      if (seen.has(r.id)) {
-        console.warn(`brainblast: project rule '${r.id}' shadows a bundled rule; keeping bundled.`);
-        continue;
-      }
-      all.push(r);
-      seen.add(r.id);
-    }
-  }
-  return all;
-}
-export {
-  findCandidates,
-  runChecker,
-  checkerKinds,
-  auditWithRule,
-  audit,
-  renderTest,
-  testKinds,
-  loadRules,
-  rules,
-  resolveRules
-};