brainblast 0.2.0 → 0.4.0

package/dist/chunk-WVHGN2HR.js

@@ -0,0 +1,1812 @@
+// src/finder.ts
+import { Project, SyntaxKind } from "ts-morph";
+
+// src/walk.ts
+import { readdirSync, statSync } from "fs";
+import { join } from "path";
+function walk(dir, out = []) {
+  for (const entry of readdirSync(dir)) {
+    if (entry === "node_modules" || entry === ".git" || entry === ".gen") continue;
+    const p = join(dir, entry);
+    const st = statSync(p);
+    if (st.isDirectory()) walk(p, out);
+    else if (p.endsWith(".ts") && !p.endsWith(".test.ts") && !p.endsWith(".d.ts")) out.push(p);
+  }
+  return out;
+}
+
+// src/finder.ts
+function bodyCallsAnyOf(fn, names) {
+  if (names.size === 0) return false;
+  return fn.getDescendantsOfKind(SyntaxKind.CallExpression).some((c) => {
+    const exp = c.getExpression();
+    if (exp.getKind() === SyntaxKind.Identifier) return names.has(exp.getText());
+    if (exp.getKind() === SyntaxKind.PropertyAccessExpression) {
+      return names.has(exp.asKind(SyntaxKind.PropertyAccessExpression).getName());
+    }
+    return false;
+  });
+}
+function findCandidates(targetDir, rule) {
+  const files = walk(targetDir);
+  const project = new Project({ skipAddingFilesFromTsConfig: true, compilerOptions: { allowJs: false } });
+  const modules = new Set(rule.detect.modules);
+  const triggers = new Set(rule.detect.triggerCalls);
+  const nameRe = new RegExp(rule.detect.nameRegex, "i");
+  const out = [];
+  for (const file of files) {
+    const sf = project.addSourceFileAtPath(file);
+    const importsModule = sf.getImportDeclarations().some((d) => modules.has(d.getModuleSpecifierValue()));
+    const consider = (fn, name) => {
+      const hasName = !!(name && nameRe.test(name));
+      const hasTrigger = bodyCallsAnyOf(fn, triggers);
+      if (rule.detect.requiresImport) {
+        if (!(importsModule && (hasName || hasTrigger))) return;
+      } else {
+        if (!(hasName || hasTrigger)) return;
+      }
+      out.push({
+        filePath: file,
+        fnName: name || "(anonymous)",
+        params: fn.getParameters().map((p) => p.getName()),
+        fn
+      });
+    };
+    for (const fn of sf.getFunctions()) consider(fn, fn.getName() ?? "");
+    for (const v of sf.getVariableDeclarations()) {
+      const arrow = v.getInitializerIfKind(SyntaxKind.ArrowFunction);
+      if (arrow) consider(arrow, v.getName());
+    }
+  }
+  return out;
+}
+
+// src/checkers/positionalArgIdentity.ts
+import { SyntaxKind as SyntaxKind2 } from "ts-morph";
+var positionalArgIdentity = (c, p) => {
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind2.CallExpression).filter((call) => {
+    const exp = call.getExpression();
+    return exp.getKind() === SyntaxKind2.PropertyAccessExpression && exp.asKind(SyntaxKind2.PropertyAccessExpression).getName() === p.call;
+  });
+  if (calls.length === 0) {
+    const sf = c.fn.getSourceFile();
+    const existsInFile = sf.getDescendantsOfKind(SyntaxKind2.CallExpression).some((call) => {
+      const exp = call.getExpression();
+      return exp.getKind() === SyntaxKind2.PropertyAccessExpression && exp.asKind(SyntaxKind2.PropertyAccessExpression).getName() === p.call;
+    });
+    if (existsInFile) {
+      return {
+        result: "cant_tell",
+        detail: `${p.call} is called elsewhere in this file; unable to confirm this function's delegation path statically.`
+      };
+    }
+    return { result: "fail", detail: p.absentDetail };
+  }
+  const arg = calls[0].getArguments()[p.argIndex];
+  const wantParam = c.params[p.paramIndex];
+  if (arg && wantParam && arg.getKind() === SyntaxKind2.Identifier && arg.getText() === wantParam) {
+    return { result: "pass", detail: String(p.passDetail).replace("{param}", wantParam) };
+  }
+  if (arg && arg.getKind() === SyntaxKind2.CallExpression) {
+    return { result: "fail", detail: p.parsedDetail };
+  }
+  return {
+    result: "cant_tell",
+    detail: `Could not confirm argument ${p.argIndex} of ${p.call} is the raw input.`
+  };
+};
+
+// src/checkers/requiredCallWithOptions.ts
+import { SyntaxKind as SyntaxKind3 } from "ts-morph";
+function callName(call) {
+  const exp = call.getExpression();
+  if (exp.getKind() === SyntaxKind3.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind3.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind3.PropertyAccessExpression).getName();
+  }
+  return "";
+}
+function hasAllProps(call, groups) {
+  for (const arg of call.getArguments()) {
+    const obj = arg.asKind(SyntaxKind3.ObjectLiteralExpression);
+    if (!obj) continue;
+    const names = obj.getProperties().map((pr) => {
+      const pa = pr.asKind(SyntaxKind3.PropertyAssignment) ?? pr.asKind(SyntaxKind3.ShorthandPropertyAssignment);
+      return pa?.getName() ?? "";
+    });
+    if (groups.every((g) => g.some((n) => names.includes(n)))) return true;
+  }
+  return false;
+}
+var requiredCallWithOptions = (c, p) => {
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind3.CallExpression);
+  const verify = calls.filter((x) => p.verifyCalls.includes(callName(x)));
+  const decode = calls.filter((x) => p.decodeCalls.includes(callName(x)));
+  if (verify.length > 0) {
+    if (verify.some((v) => hasAllProps(v, p.requiredProps))) {
+      return { result: "pass", detail: p.passDetail };
+    }
+    return { result: "fail", detail: p.missingPropsDetail };
+  }
+  if (decode.length > 0) return { result: "fail", detail: p.decodeOnlyDetail };
+  return { result: "cant_tell", detail: "No verification or decode call found." };
+};
+
+// src/checkers/feeAllocationShape.ts
+import { SyntaxKind as SyntaxKind4 } from "ts-morph";
+function callName2(call) {
+  const exp = call.getExpression();
+  if (exp.getKind() === SyntaxKind4.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind4.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind4.PropertyAccessExpression).getName();
+  }
+  return "";
+}
+function asArrayLiteral(expr, c) {
+  if (!expr) return void 0;
+  const direct = expr.asKind(SyntaxKind4.ArrayLiteralExpression);
+  if (direct) return direct;
+  if (expr.getKind() === SyntaxKind4.Identifier) {
+    const name = expr.getText();
+    for (const decl of c.fn.getDescendantsOfKind(SyntaxKind4.VariableDeclaration)) {
+      if (decl.getName() === name) {
+        return decl.getInitializerIfKind(SyntaxKind4.ArrayLiteralExpression);
+      }
+    }
+  }
+  return void 0;
+}
+function feeArray(call, prop, c) {
+  for (const arg of call.getArguments()) {
+    const obj = arg.asKind(SyntaxKind4.ObjectLiteralExpression);
+    if (!obj) continue;
+    const member = obj.getProperty(prop);
+    if (!member) continue;
+    const pa = member.asKind(SyntaxKind4.PropertyAssignment);
+    if (pa) return asArrayLiteral(pa.getInitializer(), c) ?? null;
+    const shorthand = member.asKind(SyntaxKind4.ShorthandPropertyAssignment);
+    if (shorthand) return asArrayLiteral(shorthand.getNameNode(), c) ?? null;
+    return null;
+  }
+  return void 0;
+}
+function propInit(entry, name) {
+  return entry.getProperty(name)?.asKind(SyntaxKind4.PropertyAssignment)?.getInitializer();
+}
+var feeAllocationShape = (c, p) => {
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind4.CallExpression).filter((x) => callName2(x) === p.configCall);
+  if (calls.length === 0) return { result: "fail", detail: p.absentDetail };
+  const arr = feeArray(calls[0], p.arrayProp, c);
+  if (arr === void 0 || arr === null) {
+    return { result: "cant_tell", detail: p.dynamicDetail };
+  }
+  const entries = arr.getElements().map((e) => e.asKind(SyntaxKind4.ObjectLiteralExpression));
+  if (entries.length === 0 || entries.some((e) => !e)) {
+    return { result: "cant_tell", detail: p.dynamicDetail };
+  }
+  const creatorParam = c.params.find((name) => new RegExp(p.creatorParamRegex, "i").test(name));
+  const creatorIncluded = creatorParam ? entries.some((e) => propInit(e, p.walletProp)?.getText() === creatorParam) : false;
+  if (!creatorIncluded) return { result: "fail", detail: p.creatorMissingDetail };
+  let sum = 0;
+  let allNumeric = true;
+  for (const e of entries) {
+    const lit = propInit(e, p.bpsProp)?.asKind(SyntaxKind4.NumericLiteral);
+    if (!lit) {
+      allNumeric = false;
+      break;
+    }
+    sum += Number(lit.getLiteralValue());
+  }
+  if (!allNumeric) return { result: "cant_tell", detail: p.dynamicDetail };
+  if (sum !== p.bpsTotal) {
+    return { result: "fail", detail: String(p.bpsSumDetail).replace("{sum}", String(sum)) };
+  }
+  return { result: "pass", detail: String(p.passDetail).replace("{param}", creatorParam) };
+};
+
+// src/checkers/argEqualsConstantIdentifier.ts
+import { SyntaxKind as SyntaxKind5 } from "ts-morph";
+function callName3(call) {
+  const exp = call.getExpression();
+  if (exp.getKind() === SyntaxKind5.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind5.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind5.PropertyAccessExpression).getName();
+  }
+  return "";
+}
+function fileImports(sf, name) {
+  for (const decl of sf.getImportDeclarations()) {
+    if (decl.getDefaultImport()?.getText() === name) return true;
+    for (const n of decl.getNamedImports()) {
+      if (n.getName() === name || n.getAliasNode()?.getText() === name) return true;
+    }
+    if (decl.getNamespaceImport()?.getText() === name) return true;
+  }
+  return false;
+}
+var argEqualsConstantIdentifier = (c, p) => {
+  if (p.requireImport) {
+    const sf = c.fn.getSourceFile();
+    if (!fileImports(sf, p.requireImport)) {
+      return { result: "cant_tell", detail: p.scopeNotMetDetail };
+    }
+  }
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind5.CallExpression).filter((x) => callName3(x) === p.call);
+  if (calls.length === 0) {
+    return { result: "cant_tell", detail: p.absentCallDetail };
+  }
+  const arg = calls[0].getArguments()[p.argIndex];
+  const forbidden = Array.isArray(p.forbiddenIdentifiers) ? p.forbiddenIdentifiers : [];
+  if (!arg) {
+    return {
+      result: "fail",
+      detail: String(p.failMissingDetail).replace("{expected}", p.expectedIdentifier)
+    };
+  }
+  if (arg.getKind() === SyntaxKind5.Identifier) {
+    const text = arg.getText();
+    if (text === p.expectedIdentifier) {
+      return { result: "pass", detail: String(p.passDetail).replace("{expected}", p.expectedIdentifier) };
+    }
+    if (forbidden.includes(text)) {
+      return {
+        result: "fail",
+        detail: String(p.failForbiddenDetail).replace("{got}", text).replace("{expected}", p.expectedIdentifier)
+      };
+    }
+    return {
+      result: "fail",
+      detail: String(p.failOtherDetail).replace("{got}", text).replace("{expected}", p.expectedIdentifier)
+    };
+  }
+  if (arg.getKind() === SyntaxKind5.Identifier && arg.getText() === "undefined") {
+    return {
+      result: "fail",
+      detail: String(p.failMissingDetail).replace("{expected}", p.expectedIdentifier)
+    };
+  }
+  return {
+    result: "cant_tell",
+    detail: `Argument ${p.argIndex} of ${p.call} is a ${arg.getKindName()}; could not statically confirm it equals ${p.expectedIdentifier}.`
+  };
+};
+
+// src/checkers/objectArgPropertyLiteralEquals.ts
+import { SyntaxKind as SyntaxKind6 } from "ts-morph";
+function fileImports2(sf, name) {
+  return sf.getImportDeclarations().some((d) => {
+    if (d.getDefaultImport()?.getText() === name) return true;
+    if (d.getNamespaceImport()?.getText() === name) return true;
+    return d.getNamedImports().some((i) => i.getName() === name);
+  });
+}
+var objectArgPropertyLiteralEquals = (c, p) => {
+  if (p.requireImport) {
+    const sf = c.fn.getSourceFile();
+    if (!fileImports2(sf, p.requireImport)) {
+      return {
+        result: "cant_tell",
+        detail: p.scopeNotMetDetail ?? `no ${p.requireImport} import`
+      };
+    }
+  }
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind6.CallExpression).filter((ce2) => {
+    const expr = ce2.getExpression();
+    if (expr.getKind() === SyntaxKind6.Identifier) return expr.getText() === p.call;
+    if (expr.getKind() === SyntaxKind6.PropertyAccessExpression) {
+      return expr.asKind(SyntaxKind6.PropertyAccessExpression).getName() === p.call;
+    }
+    return false;
+  });
+  if (calls.length === 0) {
+    return {
+      result: "cant_tell",
+      detail: p.absentCallDetail ?? `no ${p.call} call found`
+    };
+  }
+  const ce = calls[0];
+  const args = ce.getArguments();
+  if (args.length <= p.argIndex) {
+    return {
+      result: "fail",
+      detail: p.failAbsentDetail ?? `${p.call} arg[${p.argIndex}] missing \u2014 ${p.propName} defaults to ${p.expectedValue === false ? "true" : p.expectedValue}`
+    };
+  }
+  const arg = args[p.argIndex];
+  const objLit = arg.asKind(SyntaxKind6.ObjectLiteralExpression);
+  if (!objLit) {
+    return {
+      result: "cant_tell",
+      detail: p.failArgDetail ?? `${p.call} arg[${p.argIndex}] is not an inline object literal \u2014 cannot statically inspect ${p.propName}`
+    };
+  }
+  const propAssignment = objLit.getProperties().map((prop) => prop.asKind(SyntaxKind6.PropertyAssignment)).find((pa) => pa?.getName() === p.propName);
+  if (!propAssignment) {
+    return {
+      result: "fail",
+      detail: p.failAbsentDetail ?? `${p.propName} is absent; the SDK defaults to ${p.expectedValue === false ? "mutable (true)" : String(p.expectedValue)}`
+    };
+  }
+  const init = propAssignment.getInitializer();
+  if (!init) {
+    return {
+      result: "cant_tell",
+      detail: p.failDynamicDetail ?? `${p.propName} has no initializer`
+    };
+  }
+  const kind = init.getKind();
+  if (p.expectedValue === false) {
+    if (kind === SyntaxKind6.FalseKeyword) {
+      return { result: "pass", detail: p.passDetail ?? `${p.propName} is false` };
+    }
+    if (kind === SyntaxKind6.TrueKeyword) {
+      return {
+        result: "fail",
+        detail: p.failWrongDetail ?? `${p.propName} is true \u2014 metadata will remain mutable after mint`
+      };
+    }
+    return {
+      result: "cant_tell",
+      detail: p.failDynamicDetail ?? `${p.propName} is a non-literal expression \u2014 cannot determine immutability statically`
+    };
+  }
+  if (p.expectedValue === true) {
+    if (kind === SyntaxKind6.TrueKeyword) return { result: "pass", detail: p.passDetail ?? `${p.propName} is true` };
+    if (kind === SyntaxKind6.FalseKeyword) {
+      return { result: "fail", detail: p.failWrongDetail ?? `${p.propName} is false` };
+    }
+    return { result: "cant_tell", detail: p.failDynamicDetail ?? `${p.propName} is a non-literal expression` };
+  }
+  const text = init.getText();
+  const expected = JSON.stringify(p.expectedValue);
+  if (text === expected || text === String(p.expectedValue)) {
+    return { result: "pass", detail: p.passDetail ?? `${p.propName} is ${p.expectedValue}` };
+  }
+  if (kind === SyntaxKind6.StringLiteral || kind === SyntaxKind6.NumericLiteral) {
+    return {
+      result: "fail",
+      detail: p.failWrongDetail ?? `${p.propName} is ${text} (expected ${p.expectedValue})`
+    };
+  }
+  return {
+    result: "cant_tell",
+    detail: p.failDynamicDetail ?? `${p.propName} is a non-literal expression`
+  };
+};
+
+// src/checkers/anchorInitIfNeededGuarded.ts
+var GUARD_PATTERNS = [
+  /\brequire!\s*\(/,
+  // require!(...)
+  /\brequire_eq!\s*\(/,
+  // require_eq!(...)
+  /\brequire_keys_eq!\s*\(/,
+  // require_keys_eq!(...)
+  /\.data_is_empty\s*\(\s*\)/,
+  // account.data_is_empty()
+  /\bis_initialized\b/
+  // is_initialized flag check
+];
+function hasReinitGuard(bodyText) {
+  return GUARD_PATTERNS.some((re) => re.test(bodyText));
+}
+function anchorInitIfNeededGuarded(c, p) {
+  const risky = c.accountFields.filter((f) => f.hasInitIfNeeded);
+  if (risky.length === 0) {
+    return {
+      result: "cant_tell",
+      detail: p.absentDetail ?? `Handler '${c.fnName}' has no #[account(init_if_needed)] fields; the reinit-guard rule does not apply.`
+    };
+  }
+  if (hasReinitGuard(c.fnBodyText)) {
+    return {
+      result: "pass",
+      detail: p.passDetail ?? `Handler '${c.fnName}' has #[account(init_if_needed)] on [${risky.map((f) => f.name).join(", ")}] and a reinitialization guard was detected.`
+    };
+  }
+  return {
+    result: "fail",
+    detail: p.failAbsentDetail ?? `Handler '${c.fnName}' has #[account(init_if_needed)] on [${risky.map((f) => f.name).join(", ")}] but no reinitialization guard (require!, data_is_empty, is_initialized). A second invocation will silently overwrite the account state.`
+  };
+}
+
+// src/checkers/index.ts
+var registry = {
+  "positional-arg-identity": positionalArgIdentity,
+  "required-call-with-options": requiredCallWithOptions,
+  "fee-allocation-shape": feeAllocationShape,
+  "arg-equals-constant-identifier": argEqualsConstantIdentifier,
+  "object-arg-property-literal-equals": objectArgPropertyLiteralEquals,
+  "anchor-init-if-needed-guarded": anchorInitIfNeededGuarded
+};
+function runChecker(kind, c, params) {
+  const fn = registry[kind];
+  if (!fn) return { result: "cant_tell", detail: `Unknown checker kind '${kind}'.` };
+  return fn(c, params);
+}
+var checkerKinds = Object.keys(registry);
+
+// src/rustFinder.ts
+import { readFileSync, readdirSync as readdirSync2, statSync as statSync2 } from "fs";
+import { join as join2 } from "path";
+import { createRequire } from "module";
+function walkRust(dir, out = []) {
+  for (const entry of readdirSync2(dir)) {
+    if (entry === "node_modules" || entry === ".git" || entry === "target") continue;
+    const p = join2(dir, entry);
+    const st = statSync2(p);
+    if (st.isDirectory()) walkRust(p, out);
+    else if (p.endsWith(".rs")) out.push(p);
+  }
+  return out;
+}
+var _require = createRequire(import.meta.url);
+var _parser = null;
+function getParser() {
+  if (_parser) return _parser;
+  const Parser = _require("tree-sitter");
+  const Rust = _require("tree-sitter-rust");
+  _parser = new Parser();
+  _parser.setLanguage(Rust);
+  return _parser;
+}
+function children(node) {
+  const out = [];
+  for (let i = 0; i < node.childCount; i++) out.push(node.child(i));
+  return out;
+}
+function named(node) {
+  return children(node).filter((c) => c.isNamed);
+}
+function accountsStructName(fnNode) {
+  const params = fnNode.childForFieldName("parameters");
+  if (!params) return null;
+  for (const param of named(params)) {
+    const typeNode = param.childForFieldName?.("type") ?? null;
+    if (!typeNode) continue;
+    const text = typeNode.text ?? "";
+    const m = text.match(/^Context\s*<\s*([A-Za-z_][A-Za-z0-9_]*)/);
+    if (m) return m[1];
+  }
+  return null;
+}
+function itemsWithAttrs(containerNode) {
+  const kids = named(containerNode);
+  const result = [];
+  let pending = [];
+  for (const kid of kids) {
+    if (kid.type === "attribute_item") {
+      pending.push(kid.text);
+    } else {
+      result.push({ attrs: pending, node: kid });
+      pending = [];
+    }
+  }
+  return result;
+}
+function parseAccountsStruct(structNode) {
+  const body = structNode.childForFieldName("body");
+  if (!body) return [];
+  const pairs = itemsWithAttrs(body);
+  const fields = [];
+  for (const { attrs, node } of pairs) {
+    if (node.type !== "field_declaration") continue;
+    const nameNode = node.childForFieldName("name");
+    const typeNode = node.childForFieldName("type");
+    if (!nameNode || !typeNode) continue;
+    const attrText = attrs.join("\n");
+    fields.push({
+      name: nameNode.text,
+      typeName: typeNode.text,
+      attrText,
+      hasInitIfNeeded: attrText.includes("init_if_needed")
+    });
+  }
+  return fields;
+}
+function findRustCandidates(targetDir, rule) {
+  const parser = getParser();
+  const nameRe = new RegExp(rule.detect.nameRegex, "i");
+  const triggerAttrs = new Set(
+    (rule.detect.triggerCalls ?? []).map((s) => s.toLowerCase())
+  );
+  const out = [];
+  for (const file of walkRust(targetDir)) {
+    if (!file.endsWith(".rs")) continue;
+    const src = readFileSync(file, "utf8");
+    const tree = parser.parse(src);
+    const structMap = /* @__PURE__ */ new Map();
+    const topPairs = itemsWithAttrs(tree.rootNode);
+    for (const { attrs, node } of topPairs) {
+      if (node.type !== "struct_item") continue;
+      const hasAccounts = attrs.some((a) => a.includes("Accounts"));
+      if (!hasAccounts) continue;
+      const nameNode = node.childForFieldName("name");
+      if (!nameNode) continue;
+      structMap.set(nameNode.text, parseAccountsStruct(node));
+    }
+    for (const { attrs, node } of topPairs) {
+      if (node.type !== "mod_item") continue;
+      const isProgram = attrs.some((a) => a.includes("program"));
+      if (!isProgram) continue;
+      const body = node.childForFieldName("body");
+      if (!body) continue;
+      for (const { node: item } of itemsWithAttrs(body)) {
+        if (item.type !== "function_item") continue;
+        const fnNameNode = item.childForFieldName("name");
+        if (!fnNameNode) continue;
+        const fnName = fnNameNode.text;
+        const structName = accountsStructName(item) ?? "";
+        const fields = structMap.get(structName) ?? [];
+        const nameMatch = nameRe.test(fnName);
+        const attrMatch = triggerAttrs.size > 0 && fields.some((f) => [...triggerAttrs].some((t) => f.attrText.includes(t)));
+        if (!nameMatch && !attrMatch) continue;
+        const bodyNode = item.childForFieldName("body");
+        if (!bodyNode) continue;
+        out.push({
+          filePath: file,
+          fnName,
+          accountStructName: structName,
+          accountFields: fields,
+          fnBodyText: bodyNode.text,
+          fnBodyNode: bodyNode
+        });
+      }
+    }
+  }
+  return out;
+}
+
+// src/fixers/positionalArgIdentity.ts
+import { SyntaxKind as SyntaxKind7 } from "ts-morph";
+
+// src/fixers/diffUtil.ts
+function buildDiff(node, replacement) {
+  const sf = node.getSourceFile();
+  const filePath = sf.getFilePath();
+  const fullText = sf.getFullText();
+  const start = node.getStart();
+  const end = node.getEnd();
+  const startPos = sf.getLineAndColumnAtPos(start);
+  const endPos = sf.getLineAndColumnAtPos(end);
+  const lines = fullText.split("\n");
+  const oldMiddle = lines.slice(startPos.line - 1, endPos.line);
+  const oldFirst = oldMiddle[0].slice(0, startPos.column - 1);
+  const oldLast = oldMiddle[oldMiddle.length - 1].slice(endPos.column - 1);
+  const newMiddle = (oldFirst + replacement + oldLast).split("\n");
+  const removed = oldMiddle.map((l) => `-${l}`);
+  const added = newMiddle.map((l) => `+${l}`);
+  const hunkHeader = `@@ -${startPos.line},${oldMiddle.length} +${startPos.line},${newMiddle.length} @@`;
+  return [`--- a${filePath}`, `+++ b${filePath}`, hunkHeader, ...removed, ...added].join("\n");
+}
+
+// src/fixers/positionalArgIdentity.ts
+var fixPositionalArgIdentity = (c, p, outcome) => {
+  if (outcome.result !== "fail") return void 0;
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind7.CallExpression).filter((call) => {
+    const exp = call.getExpression();
+    return exp.getKind() === SyntaxKind7.PropertyAccessExpression && exp.asKind(SyntaxKind7.PropertyAccessExpression).getName() === p.call;
+  });
+  if (calls.length === 0) {
+    const wantParam2 = c.params[p.paramIndex] ?? "<rawBodyParam>";
+    return {
+      summary: `Add a ${p.call} call that verifies the raw request body`,
+      suggestion: `No '${p.call}' call was found in this handler. Verify the signature against the raw, unparsed request body \u2014 parameter '${wantParam2}' \u2014 before trusting the event, e.g.:
+
+  const event = stripe.webhooks.constructEvent(${wantParam2}, signature, process.env.STRIPE_WEBHOOK_SECRET!);
+
+Do not call JSON.parse() on the body before this verification step.`
+    };
+  }
+  const arg = calls[0].getArguments()[p.argIndex];
+  const wantParam = c.params[p.paramIndex];
+  if (arg && wantParam && arg.getKind() === SyntaxKind7.CallExpression) {
+    return {
+      summary: `Pass the raw body parameter '${wantParam}' to ${p.call} instead of a parsed value`,
+      diff: buildDiff(arg, wantParam)
+    };
+  }
+  return void 0;
+};
+
+// src/fixers/requiredCallWithOptions.ts
+import { SyntaxKind as SyntaxKind8 } from "ts-morph";
+function callName4(call) {
+  const exp = call.getExpression();
+  if (exp.getKind() === SyntaxKind8.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind8.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind8.PropertyAccessExpression).getName();
+  }
+  return "";
+}
+function placeholderFor(propName) {
+  switch (propName) {
+    case "audience":
+    case "aud":
+      return `audience: process.env.PRIVY_APP_ID`;
+    case "issuer":
+    case "iss":
+      return `issuer: "https://privy.io"`;
+    default:
+      return `${propName}: undefined /* TODO: brainblast could not infer this value */`;
+  }
+}
+var fixRequiredCallWithOptions = (c, p, outcome) => {
+  if (outcome.result !== "fail") return void 0;
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind8.CallExpression);
+  const verify = calls.filter((x) => p.verifyCalls.includes(callName4(x)));
+  if (verify.length > 0) {
+    const call = verify[0];
+    const args = call.getArguments();
+    const lastArg = args[args.length - 1];
+    const obj = lastArg?.asKind(SyntaxKind8.ObjectLiteralExpression);
+    const presentNames = obj ? obj.getProperties().map((pr) => {
+      const pa = pr.asKind(SyntaxKind8.PropertyAssignment) ?? pr.asKind(SyntaxKind8.ShorthandPropertyAssignment);
+      return pa?.getName() ?? "";
+    }) : [];
+    const missingGroups = p.requiredProps.filter(
+      (g) => !g.some((n) => presentNames.includes(n))
+    );
+    if (missingGroups.length === 0) return void 0;
+    const newProps = missingGroups.map((g) => placeholderFor(g[0])).join(", ");
+    const summary = `Add ${missingGroups.map((g) => g[0]).join(" and ")} to the ${callName4(call)} call`;
+    if (obj) {
+      const inner = obj.getText().slice(1, -1).trim();
+      const newText = inner.length > 0 ? `{ ${inner}, ${newProps} }` : `{ ${newProps} }`;
+      return { summary, diff: buildDiff(obj, newText) };
+    }
+    if (lastArg) {
+      const newText = `${lastArg.getText()}, { ${newProps} }`;
+      return { summary, diff: buildDiff(lastArg, newText) };
+    }
+    return {
+      summary,
+      suggestion: `Add an options object ({ ${newProps} }) as an argument to ${callName4(call)}.`
+    };
+  }
+  return {
+    summary: "Replace the decode-only call with a verified call",
+    suggestion: `This token is decoded without verifying its signature, accepting any forged token. Replace the decode call with a verifying call that asserts audience and issuer, e.g.:
+
+  const { payload } = await jwtVerify(token, JWKS, { audience: process.env.PRIVY_APP_ID, issuer: "https://privy.io" });
+
+JWKS must come from Privy's published JWKS endpoint for your app.`
+  };
+};
+
+// src/fixers/index.ts
+var registry2 = {
+  "positional-arg-identity": fixPositionalArgIdentity,
+  "required-call-with-options": fixRequiredCallWithOptions
+};
+function runFixer(kind, c, params, outcome) {
+  if (outcome.result !== "fail") return void 0;
+  const fn = registry2[kind];
+  if (!fn) return void 0;
+  return fn(c, params, outcome);
+}
+var fixerKinds = Object.keys(registry2);
+
+// src/emit.ts
+function buildReport(target, checks, rules2, costReport) {
+  const byId = new Map(rules2.map((r) => [r.id, r]));
+  const checkTotals = { pass: 0, fail: 0, cant_tell: 0 };
+  for (const c of checks) checkTotals[c.result]++;
+  const riskTotals = { critical: 0, high: 0, medium: 0, low: 0 };
+  for (const c of checks) if (c.result === "fail") riskTotals[c.severity]++;
+  const ruleIdsSeen = [...new Set(checks.map((c) => c.ruleId))];
+  const components = ruleIdsSeen.map((id) => {
+    const rule = byId.get(id);
+    const fails = checks.filter((c) => c.ruleId === id && c.result === "fail");
+    return {
+      name: rule?.component.name ?? id,
+      type: rule?.component.type ?? "Other",
+      version: rule?.component.version ?? "unversioned",
+      sourceUrl: rule?.component.sourceUrl ?? null,
+      status: "fresh",
+      risks: fails.map((c) => ({ severity: c.severity, title: c.title, detail: c.detail }))
+    };
+  });
+  const now = /* @__PURE__ */ new Date();
+  const totalFails = checkTotals.fail;
+  return {
+    schemaVersion: "1.0",
+    run: {
+      id: now.toISOString().replace(/[-:T]/g, "").slice(0, 14),
+      date: now.toISOString().slice(0, 10),
+      requirements: `Catastrophic-integration audit of ${target}`,
+      generator: "@brainblast/core"
+    },
+    summary: {
+      building: "external integrations",
+      verdict: totalFails > 0 ? "blocked" : "ready",
+      topRisk: totalFails > 0 ? checks.find((c) => c.result === "fail")?.detail ?? null : null,
+      mustDecideFirst: null,
+      watchOutFor: null
+    },
+    components,
+    riskTotals,
+    checks: checks.map((c) => ({
+      ruleId: c.ruleId,
+      severity: c.severity,
+      result: c.result,
+      file: c.file,
+      line: c.line,
+      title: c.title,
+      detail: c.detail,
+      ...c.fix ? { fix: c.fix } : {},
+      ...c.precedent ? { precedent: c.precedent } : {}
+    })),
+    checkTotals,
+    openQuestions: [],
+    costAnalysis: costReport ?? null
+  };
+}
+
+// src/audit.ts
+function auditWithRule(targetDir, rule) {
+  if (rule.detect.lang === "rust") {
+    return findRustCandidates(targetDir, rule).map((c) => {
+      const outcome = runChecker(rule.check.kind, c, rule.check.params);
+      return {
+        ruleId: rule.id,
+        severity: rule.severity,
+        title: rule.title,
+        file: c.filePath,
+        line: 1,
+        // tree-sitter line numbers available via fnBodyNode.startPosition.row + 1
+        exportName: c.fnName,
+        ...outcome
+      };
+    });
+  }
+  return findCandidates(targetDir, rule).map((c) => {
+    const outcome = runChecker(rule.check.kind, c, rule.check.params);
+    const fix = runFixer(rule.check.kind, c, rule.check.params, outcome);
+    return {
+      ruleId: rule.id,
+      severity: rule.severity,
+      title: rule.title,
+      file: c.filePath,
+      line: c.fn.getStartLineNumber(),
+      exportName: c.fnName,
+      ...outcome,
+      ...fix ? { fix } : {}
+    };
+  });
+}
+function audit(targetDir, rules2) {
+  const checks = rules2.flatMap((r) => auditWithRule(targetDir, r));
+  const report = buildReport(targetDir, checks, rules2);
+  return { checks, report };
+}
+
+// src/testTemplates/stripeWebhookSignature.ts
+var stripeWebhookSignature = ({ handlerImportPath, handlerExport }) => `// GENERATED by @brainblast/core. Durable guardrail \u2014 RED until the webhook
+// verifies the signature on the RAW body.
+import { describe, it, expect, beforeAll } from "vitest";
+import Stripe from "stripe";
+import { ${handlerExport} } from ${JSON.stringify(handlerImportPath)};
+
+const SECRET = "whsec_brainblast_test_secret";
+const stripe = new Stripe("sk_test_brainblast");
+const payload = JSON.stringify({ id: "evt_1", type: "payment_intent.succeeded", data: { object: { id: "pi_1" } } });
+
+beforeAll(() => {
+  process.env.STRIPE_WEBHOOK_SECRET = SECRET;
+  process.env.STRIPE_SECRET_KEY = "sk_test_brainblast";
+});
+
+describe("Stripe webhook signature verification (brainblast contract)", () => {
+  it("accepts a validly-signed event", () => {
+    const sig = stripe.webhooks.generateTestHeaderString({ payload, secret: SECRET });
+    expect(() => ${handlerExport}(payload, sig)).not.toThrow();
+  });
+  it("REJECTS an invalid signature (forged event)", () => {
+    expect(() => ${handlerExport}(payload, "t=1,v1=deadbeef")).toThrow();
+  });
+  it("REJECTS a mutated body under a valid-looking signature", () => {
+    const sig = stripe.webhooks.generateTestHeaderString({ payload, secret: SECRET });
+    const mutated = payload.replace("succeeded", "failed");
+    expect(() => ${handlerExport}(mutated, sig)).toThrow();
+  });
+});
+`;
+
+// src/testTemplates/privyJwtClaims.ts
+var privyJwtClaims = ({ handlerImportPath, handlerExport }) => `// GENERATED by @brainblast/core. Durable guardrail \u2014 RED until the token is
+// verified (signature + aud + iss).
+import { describe, it, expect, beforeAll } from "vitest";
+import { SignJWT, generateKeyPair, exportSPKI } from "jose";
+import { ${handlerExport} } from ${JSON.stringify(handlerImportPath)};
+
+const APP_ID = "app_brainblast";
+let valid = "", badSignature = "", wrongAudience = "", wrongIssuer = "";
+
+beforeAll(async () => {
+  const { publicKey, privateKey } = await generateKeyPair("ES256");
+  const attacker = await generateKeyPair("ES256");
+  process.env.PRIVY_APP_ID = APP_ID;
+  process.env.PRIVY_VERIFICATION_KEY = await exportSPKI(publicKey);
+
+  const mint = (signer: any, iss: string, aud: string) =>
+    new SignJWT({})
+      .setProtectedHeader({ alg: "ES256" })
+      .setIssuer(iss)
+      .setAudience(aud)
+      .setSubject("did:privy:user_1")
+      .setExpirationTime("1h")
+      .sign(signer);
+
+  valid = await mint(privateKey, "privy.io", APP_ID);
+  badSignature = await mint(attacker.privateKey, "privy.io", APP_ID);
+  wrongAudience = await mint(privateKey, "privy.io", "app_evil");
+  wrongIssuer = await mint(privateKey, "evil.com", APP_ID);
+});
+
+const call = (t: string) => Promise.resolve().then(() => ${handlerExport}(t));
+
+describe("Privy access-token verification (brainblast contract)", () => {
+  it("accepts a valid token", async () => { await expect(call(valid)).resolves.toBeDefined(); });
+  it("REJECTS a bad signature (forged token)", async () => { await expect(call(badSignature)).rejects.toThrow(); });
+  it("REJECTS a wrong audience (token from another app)", async () => { await expect(call(wrongAudience)).rejects.toThrow(); });
+  it("REJECTS a wrong issuer", async () => { await expect(call(wrongIssuer)).rejects.toThrow(); });
+});
+`;
+
+// src/testTemplates/bagsFeeShare.ts
+var bagsFeeShare = ({ handlerImportPath, handlerExport }) => `// GENERATED by @brainblast/core. Durable guardrail \u2014 RED until the fee-share
+// config includes the creator wallet with a non-zero userBps summing to 10000.
+import { describe, it, expect, vi, beforeEach } from "vitest";
+
+let captured: any;
+vi.mock("@bagsfm/bags-sdk", () => ({
+  createBagsFeeShareConfig: (cfg: any) => {
+    captured = cfg;
+    return { meteoraConfigKey: "mock-config-key" };
+  },
+  BagsSDK: class {},
+}));
+
+import { ${handlerExport} } from ${JSON.stringify(handlerImportPath)};
+
+const CREATOR = "CreatorWa11etPubKey1111111111111111111111111";
+
+describe("Bags fee-share creator inclusion (brainblast contract)", () => {
+  beforeEach(() => {
+    captured = undefined;
+  });
+
+  it("passes the creator wallet into feeClaimers", () => {
+    ${handlerExport}(CREATOR);
+    const claimers = captured?.feeClaimers ?? [];
+    expect(claimers.some((c: any) => c.user === CREATOR)).toBe(true);
+  });
+
+  it("allocates the creator a non-zero userBps", () => {
+    ${handlerExport}(CREATOR);
+    const entry = (captured?.feeClaimers ?? []).find((c: any) => c.user === CREATOR);
+    expect(entry?.userBps ?? 0).toBeGreaterThan(0);
+  });
+
+  it("feeClaimers userBps sum to exactly 10000", () => {
+    ${handlerExport}(CREATOR);
+    const sum = (captured?.feeClaimers ?? []).reduce((s: number, c: any) => s + c.userBps, 0);
+    expect(sum).toBe(10000);
+  });
+});
+`;
+
+// src/testTemplates/tokenProgramConsistency.ts
+var tokenProgramConsistency = ({ handlerImportPath, handlerExport }) => `// GENERATED by @brainblast/core. Durable guardrail \u2014 RED until createMint is
+// called with TOKEN_2022_PROGRAM_ID as the programId argument.
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { PublicKey } from "@solana/web3.js";
+
+// Keep the well-known token program addresses as strings; we compare via
+// .toString() so we never depend on PublicKey identity across the mock
+// boundary. Defined at module scope (not used inside vi.mock factory, which
+// is hoisted before any const initializations).
+const TOKEN_PROGRAM_ID_STR = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
+const TOKEN_2022_PROGRAM_ID_STR = "TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb";
+
+// The capture target. vi.hoisted runs before vi.mock factory hoisting, so the
+// factory below can close over \`captured\` safely.
+const captured = vi.hoisted(() => ({ value: { programId: undefined as any } }));
+
+vi.mock("@solana/spl-token", () => {
+  // PublicKey instantiation lives INSIDE the factory so it runs after the
+  // import from @solana/web3.js has resolved.
+  const { PublicKey: PK } = require("@solana/web3.js");
+  const TOKEN_PROGRAM_ID = new PK("TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA");
+  const TOKEN_2022_PROGRAM_ID = new PK("TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb");
+  const FAKE_MINT = new PK("11111111111111111111111111111111");
+  return {
+    TOKEN_PROGRAM_ID,
+    TOKEN_2022_PROGRAM_ID,
+    createMint: (
+      _connection: any,
+      _payer: any,
+      _mintAuthority: any,
+      _freezeAuthority: any,
+      _decimals: any,
+      _keypair: any,
+      _confirmOptions: any,
+      programId: any,
+    ) => {
+      captured.value.programId = programId;
+      return Promise.resolve(FAKE_MINT);
+    },
+  };
+});
+
+import { ${handlerExport} } from ${JSON.stringify(handlerImportPath)};
+
+describe("Token-2022 program-ID pinning (brainblast contract)", () => {
+  beforeEach(() => {
+    captured.value.programId = undefined;
+  });
+
+  it("passes TOKEN_2022_PROGRAM_ID as the createMint programId argument", async () => {
+    await Promise.resolve(${handlerExport}({} as any));
+    expect(captured.value.programId, "createMint was not called or did not receive a programId").toBeDefined();
+    expect(String(captured.value.programId)).toBe(TOKEN_2022_PROGRAM_ID_STR);
+  });
+
+  it("does not default to the legacy token program", async () => {
+    await Promise.resolve(${handlerExport}({} as any));
+    expect(String(captured.value.programId)).not.toBe(TOKEN_PROGRAM_ID_STR);
+  });
+});
+`;
+
+// src/testTemplates/metaplexImmutableMetadata.ts
+var metaplexImmutableMetadata = ({ handlerImportPath, handlerExport }) => `// GENERATED by @brainblast/core. Durable guardrail \u2014 RED until the metadata
+// creation call includes isMutable: false.
+import { describe, it, expect, vi, beforeEach } from "vitest";
+
+// Capture target \u2014 vi.hoisted ensures this is initialized before vi.mock factories run.
+const captured = vi.hoisted(() => ({ value: { isMutable: undefined as boolean | undefined } }));
+
+vi.mock("@metaplex-foundation/mpl-token-metadata", () => ({
+  createV1: (_umi: any, opts: any) => {
+    captured.value.isMutable = opts.isMutable;
+    return Promise.resolve();
+  },
+  createNft: (_metaplex: any, opts: any) => {
+    captured.value.isMutable = opts.isMutable;
+    return Promise.resolve({ nft: {} });
+  },
+  createAndMint: (_umi: any, opts: any) => {
+    captured.value.isMutable = opts.isMutable;
+    return Promise.resolve();
+  },
+  // Stub enums so import-only references don't crash
+  TokenStandard: { Fungible: 2, FungibleAsset: 3, NonFungible: 0, NonFungibleEdition: 1 },
+  printSupply: (x: any) => x,
+  percentAmount: (n: number) => n,
+}));
+
+import { ${handlerExport} } from ${JSON.stringify(handlerImportPath)};
+
+describe("Metaplex metadata immutability (brainblast contract)", () => {
+  beforeEach(() => {
+    captured.value.isMutable = undefined;
+  });
+
+  it("passes isMutable: false to the metadata creation call", async () => {
+    await Promise.resolve(${handlerExport}({} as any));
+    expect(
+      captured.value.isMutable,
+      "createV1/createNft/createAndMint was not called or isMutable was not passed",
+    ).toBeDefined();
+    expect(captured.value.isMutable).toBe(false);
+  });
+
+  it("does not leave metadata mutable (isMutable !== true)", async () => {
+    await Promise.resolve(${handlerExport}({} as any));
+    expect(captured.value.isMutable).not.toBe(true);
+  });
+});
+`;
+
+// src/testTemplates/anchorProgramTest.ts
+var anchorProgramTest = ({ handlerImportPath, handlerExport }) => `// GENERATED by @brainblast/core. Durable guardrail \u2014 paste into your
+// Anchor program's tests/ directory and run: anchor test
+//
+// Handler under test: ${handlerExport} (${handlerImportPath})
+//
+// Contract: calling the instruction a second time on the same account must
+// fail with an AlreadyInitialized error (or equivalent). If it succeeds,
+// the account state has been silently overwritten.
+
+use anchor_lang::prelude::*;
+use anchor_lang::solana_program::instruction::InstructionError;
+
+// NOTE: Replace MyProgram with your program's generated client and adjust
+// the instruction call to match your handler's signature.
+
+#[cfg(test)]
+mod brainblast_reinit_guard_test {
+    // Import your program's client \u2014 e.g.:
+    //   use my_program::*;
+    //   use anchor_lang::solana_program::pubkey::Pubkey;
+
+    #[tokio::test]
+    async fn first_call_succeeds() {
+        // Arrange: set up a fresh program test environment
+        // let program_test = ProgramTest::new("${handlerExport}", id(), None);
+        // let (mut banks_client, payer, recent_blockhash) = program_test.start().await;
+
+        // Act: invoke ${handlerExport} for the first time
+        // assert!(result.is_ok(), "First initialization must succeed");
+        todo!("implement: first call to ${handlerExport} should succeed");
+    }
+
+    #[tokio::test]
+    async fn second_call_is_rejected() {
+        // Arrange: initialize the account (same as above)
+        // Act: invoke ${handlerExport} a SECOND time on the same account
+        // Assert: must fail \u2014 AlreadyInitialized or similar
+        // let err = result.unwrap_err();
+        // assert!(matches!(err, ...AlreadyInitialized));
+        todo!("implement: second call to ${handlerExport} must be rejected");
+    }
+}
+`;
+
+// src/testTemplates/index.ts
+var registry3 = {
+  "stripe-webhook-signature": stripeWebhookSignature,
+  "privy-jwt-claims": privyJwtClaims,
+  "bags-fee-share": bagsFeeShare,
+  "token-program-consistency": tokenProgramConsistency,
+  "metaplex-immutable-metadata": metaplexImmutableMetadata,
+  "anchor-program-test": anchorProgramTest
+};
+var JS_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;
+function renderTest(kind, opts) {
+  const tpl = registry3[kind];
+  if (!tpl) throw new Error(`Unknown test template kind '${kind}'.`);
+  if (!JS_IDENTIFIER.test(opts.handlerExport)) {
+    throw new Error(`Unsafe handler export name '${opts.handlerExport}' (not a JS identifier).`);
+  }
+  return tpl(opts);
+}
+var testKinds = Object.keys(registry3);
+
+// src/loadRules.ts
+import { readdirSync as readdirSync3, readFileSync as readFileSync2 } from "fs";
+import { join as join3 } from "path";
+import { parse } from "yaml";
+var SEVERITIES = ["critical", "high", "medium", "low"];
+function validateRule(r, file) {
+  const errs = [];
+  if (!r || typeof r !== "object") {
+    throw new Error(`invalid rule in ${file}: not a mapping`);
+  }
+  if (!r.id || typeof r.id !== "string") errs.push("missing id");
+  if (!SEVERITIES.includes(r.severity)) errs.push(`bad severity '${r.severity}'`);
+  if (!r.title || typeof r.title !== "string") errs.push("missing title");
+  if (!r.component || !r.component.name || !r.component.type) errs.push("missing component.name/type");
+  if (!r.detect || !Array.isArray(r.detect.modules) || typeof r.detect.nameRegex !== "string" || !Array.isArray(r.detect.triggerCalls)) {
+    errs.push("detect must have modules[], nameRegex (string), triggerCalls[]");
+  } else {
+    try {
+      new RegExp(r.detect.nameRegex);
+    } catch {
+      errs.push(`detect.nameRegex is not a valid regex: ${r.detect.nameRegex}`);
+    }
+  }
+  if (!r.check || !checkerKinds.includes(r.check.kind)) {
+    errs.push(`check.kind must be one of ${checkerKinds.join("|")} (got '${r.check?.kind}')`);
+  }
+  if (!r.test || !testKinds.includes(r.test.kind)) {
+    errs.push(`test.kind must be one of ${testKinds.join("|")} (got '${r.test?.kind}')`);
+  }
+  if (errs.length) throw new Error(`invalid rule in ${file}: ${errs.join("; ")}`);
+}
+function loadRules(dir) {
+  const files = readdirSync3(dir).filter((f) => f.endsWith(".yaml") || f.endsWith(".yml")).sort();
+  const rules2 = [];
+  for (const f of files) {
+    const raw = parse(readFileSync2(join3(dir, f), "utf8"));
+    validateRule(raw, f);
+    rules2.push(raw);
+  }
+  return rules2;
+}
+
+// rules/index.ts
+import { existsSync } from "fs";
+import { dirname, join as join4 } from "path";
+import { fileURLToPath } from "url";
+function bundledRulesDir() {
+  const here = dirname(fileURLToPath(import.meta.url));
+  if (existsSync(join4(here, "stripe-webhook-raw-body.yaml"))) return here;
+  const sub = join4(here, "rules");
+  if (existsSync(join4(sub, "stripe-webhook-raw-body.yaml"))) return sub;
+  return here;
+}
+var rules = loadRules(bundledRulesDir());
+
+// src/resolveRules.ts
+import { existsSync as existsSync2 } from "fs";
+import { join as join5 } from "path";
+function resolveRules(targetDir) {
+  const all = [...rules];
+  const projDir = join5(targetDir, ".agent-research", "rules");
+  if (existsSync2(projDir)) {
+    const seen = new Set(all.map((r) => r.id));
+    for (const r of loadRules(projDir)) {
+      if (seen.has(r.id)) {
+        console.warn(`brainblast: project rule '${r.id}' shadows a bundled rule; keeping bundled.`);
+        continue;
+      }
+      all.push(r);
+      seen.add(r.id);
+    }
+  }
+  return all;
+}
+
+// src/trustGraph/directory.ts
+import { readFileSync as readFileSync3, existsSync as existsSync3 } from "fs";
+import { fileURLToPath as fileURLToPath2 } from "url";
+import { join as join6 } from "path";
+import { parse as parse2 } from "yaml";
+var cache = null;
+function bundledPath() {
+  const here = fileURLToPath2(new URL(".", import.meta.url));
+  const candidates = [
+    join6(here, "programs", "directory.yaml"),
+    // dist/programs/directory.yaml
+    join6(here, "..", "..", "programs", "directory.yaml"),
+    // src/../../programs/
+    join6(here, "..", "programs", "directory.yaml")
+    // fallback
+  ];
+  for (const c of candidates) {
+    if (existsSync3(c)) return c;
+  }
+  return candidates[0];
+}
+function loadDirectory(path = bundledPath()) {
+  if (cache && path === bundledPath()) return cache;
+  const raw = parse2(readFileSync3(path, "utf8"));
+  if (!raw || !Array.isArray(raw.programs)) {
+    throw new Error(`invalid program directory at ${path}: missing 'programs' array`);
+  }
+  const m = /* @__PURE__ */ new Map();
+  for (const p of raw.programs) {
+    if (!p.programId || !p.name) throw new Error(`directory entry missing programId/name: ${JSON.stringify(p)}`);
+    if (m.has(p.programId)) throw new Error(`directory has duplicate programId ${p.programId}`);
+    m.set(p.programId, { ...p, provenance: { ...p.provenance ?? {}, directoryFile: path } });
+  }
+  if (path === bundledPath()) cache = m;
+  return m;
+}
+
+// src/trustGraph/base58.ts
+var ALPHA = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+var MAP = {};
+for (let i = 0; i < ALPHA.length; i++) MAP[ALPHA[i]] = i;
+function base58Encode(bytes) {
+  let zeros = 0;
+  while (zeros < bytes.length && bytes[zeros] === 0) zeros++;
+  const buf = Array.from(bytes);
+  const out = [];
+  let start = zeros;
+  while (start < buf.length) {
+    let rem = 0;
+    for (let i = start; i < buf.length; i++) {
+      const acc = rem * 256 + buf[i];
+      buf[i] = Math.floor(acc / 58);
+      rem = acc % 58;
+    }
+    out.push(rem);
+    if (buf[start] === 0) start++;
+  }
+  let s = "";
+  for (let i = 0; i < zeros; i++) s += "1";
+  for (let i = out.length - 1; i >= 0; i--) s += ALPHA[out[i]];
+  return s;
+}
+function base58Decode(s) {
+  let zeros = 0;
+  while (zeros < s.length && s[zeros] === "1") zeros++;
+  const buf = [];
+  for (let i = zeros; i < s.length; i++) {
+    const v = MAP[s[i]];
+    if (v === void 0) throw new Error(`base58: invalid char '${s[i]}' at ${i}`);
+    let carry = v;
+    for (let j = 0; j < buf.length; j++) {
+      const acc = buf[j] * 58 + carry;
+      buf[j] = acc & 255;
+      carry = acc >>> 8;
+    }
+    while (carry > 0) {
+      buf.push(carry & 255);
+      carry >>>= 8;
+    }
+  }
+  const out = new Uint8Array(zeros + buf.length);
+  for (let i = 0; i < buf.length; i++) out[zeros + buf.length - 1 - i] = buf[i];
+  return out;
+}
+function isValidSolanaAddress(s) {
+  if (typeof s !== "string" || s.length < 32 || s.length > 44) return false;
+  try {
+    return base58Decode(s).length === 32;
+  } catch {
+    return false;
+  }
+}
+
+// src/trustGraph/programCache.ts
+import { readFileSync as readFileSync4, writeFileSync, mkdirSync, existsSync as existsSync4 } from "fs";
+import { join as join7, dirname as dirname2 } from "path";
+import { homedir } from "os";
+var DEFAULT_TTL_HOURS = 168;
+var SCHEMA_VERSION = "1.0";
+function defaultCachePath() {
+  const envOverride = process.env["BRAINBLAST_CACHE_PATH"];
+  return envOverride ?? join7(homedir(), ".brainblast", "program-cache.json");
+}
+function emptyCache() {
+  return { schemaVersion: SCHEMA_VERSION, entries: {} };
+}
+function loadProgramCache(cachePath) {
+  const path = cachePath ?? defaultCachePath();
+  if (!existsSync4(path)) return emptyCache();
+  try {
+    const raw = JSON.parse(readFileSync4(path, "utf8"));
+    if (raw?.schemaVersion !== SCHEMA_VERSION) {
+      return emptyCache();
+    }
+    if (!raw.entries || typeof raw.entries !== "object") return emptyCache();
+    return { schemaVersion: SCHEMA_VERSION, entries: raw.entries };
+  } catch {
+    return emptyCache();
+  }
+}
+function saveProgramCache(cache2, cachePath) {
+  const path = cachePath ?? defaultCachePath();
+  mkdirSync(dirname2(path), { recursive: true });
+  writeFileSync(path, JSON.stringify(cache2, null, 2), "utf8");
+}
+function getCacheEntry(cache2, programId, ttlHoursOverride) {
+  const entry = cache2.entries[programId];
+  if (!entry) return null;
+  if (isEntryExpired(entry, ttlHoursOverride)) return null;
+  return entry.program;
+}
+function putCacheEntry(cache2, programId, program, sourceRun, ttlHours = DEFAULT_TTL_HOURS) {
+  cache2.entries[programId] = {
+    program,
+    cachedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    sourceRun,
+    ttlHours
+  };
+  return cache2;
+}
+function getCacheEntryMeta(cache2, programId) {
+  return cache2.entries[programId] ?? null;
+}
+function isEntryExpired(entry, ttlHoursOverride) {
+  const ttl = ttlHoursOverride ?? entry.ttlHours ?? DEFAULT_TTL_HOURS;
+  if (ttl <= 0) return true;
+  const cachedMs = Date.parse(entry.cachedAt);
+  if (Number.isNaN(cachedMs)) return true;
+  const ageMs = Date.now() - cachedMs;
+  return ageMs >= ttl * 36e5;
+}
+function cacheSize(cache2, ttlHoursOverride) {
+  return Object.values(cache2.entries).filter((e) => !isEntryExpired(e, ttlHoursOverride)).length;
+}
+
+// src/trustGraph/rpc.ts
+var BPF_UPGRADEABLE_LOADER = "BPFLoaderUpgradeab1e11111111111111111111111";
+var BPF_LOADER_2 = "BPFLoader2111111111111111111111111111111111";
+var NATIVE_LOADER = "NativeLoader1111111111111111111111111111111";
+var DEFAULT_RPC = "https://api.mainnet-beta.solana.com";
+async function rpc(method, params, opts) {
+  const url = opts.rpcUrl ?? DEFAULT_RPC;
+  const fetchImpl = opts.fetchImpl ?? fetch;
+  const ac = new AbortController();
+  const t = setTimeout(() => ac.abort(), opts.timeoutMs ?? 1e4);
+  try {
+    const res = await fetchImpl(url, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ jsonrpc: "2.0", id: 1, method, params }),
+      signal: ac.signal
+    });
+    if (!res.ok) throw new Error(`rpc ${method}: HTTP ${res.status}`);
+    const body = await res.json();
+    if (body.error) throw new Error(`rpc ${method}: ${body.error.message}`);
+    if (body.result === void 0) throw new Error(`rpc ${method}: empty result`);
+    return body.result;
+  } finally {
+    clearTimeout(t);
+  }
+}
+async function getAccountInfo(address, opts = {}) {
+  if (!isValidSolanaAddress(address)) throw new Error(`invalid Solana address: ${address}`);
+  const result = await rpc(
+    "getAccountInfo",
+    [address, { encoding: "base64", commitment: "confirmed" }],
+    opts
+  );
+  if (!result || !result.value) return null;
+  const v = result.value;
+  const [b64] = v.data;
+  return {
+    owner: v.owner,
+    data: Buffer.from(b64, "base64"),
+    executable: v.executable,
+    lamports: v.lamports
+  };
+}
+async function probeUpgradeAuthority(programId, opts = {}) {
+  const acct = await getAccountInfo(programId, opts);
+  if (!acct) {
+    return {
+      kind: "unknown",
+      address: null,
+      source: "rpc",
+      checkedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  if (acct.owner === BPF_LOADER_2 || acct.owner === NATIVE_LOADER) {
+    return {
+      kind: "renounced",
+      address: null,
+      source: "rpc",
+      checkedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  if (acct.owner !== BPF_UPGRADEABLE_LOADER) {
+    throw new Error(
+      `program ${programId} is owned by ${acct.owner}, not a known loader; not a deployed program?`
+    );
+  }
+  if (acct.data.length < 36) throw new Error(`program account too small: ${acct.data.length}`);
+  const tag = acct.data[0] | acct.data[1] << 8 | acct.data[2] << 16 | acct.data[3] << 24;
+  if (tag !== 2) throw new Error(`expected Program (tag=2) state, got tag=${tag}`);
+  const programDataAddr = base58Encode(acct.data.subarray(4, 36));
+  const pd = await getAccountInfo(programDataAddr, opts);
+  if (!pd) {
+    throw new Error(`program ${programId} ProgramData ${programDataAddr} not found`);
+  }
+  if (pd.data.length < 45) throw new Error(`ProgramData account too small: ${pd.data.length}`);
+  const pdTag = pd.data[0] | pd.data[1] << 8 | pd.data[2] << 16 | pd.data[3] << 24;
+  if (pdTag !== 3) throw new Error(`expected ProgramData (tag=3), got tag=${pdTag}`);
+  const optionTag = pd.data[12];
+  const checkedAt = (/* @__PURE__ */ new Date()).toISOString();
+  if (optionTag === 0) {
+    return { kind: "renounced", address: null, source: "rpc", checkedAt };
+  }
+  if (optionTag !== 1) throw new Error(`unexpected Option tag in ProgramData: ${optionTag}`);
+  const authority = base58Encode(pd.data.subarray(13, 45));
+  return { kind: "unknown", address: authority, source: "rpc", checkedAt };
+}
+
+// src/trustGraph/build.ts
+async function buildTrustGraph(programIds, opts = {}) {
+  const dir = loadDirectory(opts.directoryPath);
+  const programs = [];
+  const unresolved = [];
+  const cacheEnabled = opts.cachePath !== null;
+  const cachePathArg = opts.cachePath === null ? void 0 : opts.cachePath;
+  const cache2 = cacheEnabled ? loadProgramCache(cachePathArg) : null;
+  const newFromRpc = [];
+  const runId = (/* @__PURE__ */ new Date()).toISOString().replace(/[-:T]/g, "").slice(0, 14);
+  const seen = /* @__PURE__ */ new Set();
+  const ordered = programIds.filter((id) => seen.has(id) ? false : (seen.add(id), true));
+  for (const id of ordered) {
+    const directoryHit = dir.get(id);
+    if (directoryHit) {
+      programs.push(directoryHit);
+      continue;
+    }
+    if (cache2) {
+      const cached = getCacheEntry(cache2, id);
+      if (cached) {
+        const meta = getCacheEntryMeta(cache2, id);
+        programs.push({
+          ...cached,
+          provenance: {
+            ...cached.provenance ?? {},
+            notes: [
+              cached.provenance?.notes,
+              `cache-hit: cachedAt=${meta.cachedAt} sourceRun=${meta.sourceRun}`
+            ].filter(Boolean).join("; ")
+          }
+        });
+        continue;
+      }
+    }
+    if (opts.probeRpc === false) {
+      unresolved.push({
+        programId: id,
+        reason: "not_in_directory_or_cache_and_rpc_disabled"
+      });
+      continue;
+    }
+    let authority;
+    try {
+      authority = await probeUpgradeAuthority(id, opts);
+    } catch (e) {
+      unresolved.push({ programId: id, reason: `rpc_error: ${e?.message ?? String(e)}` });
+      continue;
+    }
+    const probed = {
+      programId: id,
+      name: `Unknown program (${id.slice(0, 8)}\u2026)`,
+      kind: "app",
+      upgradeAuthority: authority,
+      verifiedBuild: { state: "unknown" },
+      audits: [],
+      parity: { mainnet: "unknown", devnet: "unknown" },
+      provenance: { rpcUrl: opts.rpcUrl, notes: "live-probed; not in curated directory" }
+    };
+    programs.push(probed);
+    newFromRpc.push(id);
+    if (cache2) {
+      putCacheEntry(cache2, id, probed, runId);
+    }
+  }
+  if (cache2 && newFromRpc.length > 0) {
+    saveProgramCache(cache2, cachePathArg);
+  }
+  return { programs, unresolved, generatedAt: (/* @__PURE__ */ new Date()).toISOString() };
+}
+
+// src/trustGraph/render.ts
+function renderAuthority(p) {
+  const a = p.upgradeAuthority;
+  switch (a.kind) {
+    case "renounced":
+      return "\u{1F512} **Renounced** \u2014 program is frozen; no key can upgrade it.";
+    case "single-key":
+      return `\u26A0\uFE0F **Single key** \`${a.address}\` \u2014 one private key can replace this program at any time.`;
+    case "multisig":
+      return `\u{1F510} **Multisig** \`${a.address}\` \u2014 a threshold of signers can upgrade.`;
+    case "dao":
+      return `\u{1F3DB} **DAO** \`${a.address}\` \u2014 governance program controls upgrades.`;
+    case "unknown":
+      return a.address ? `\u2753 **Unclassified authority** \`${a.address}\` \u2014 needs research to confirm single-key vs multisig/DAO.` : "\u2753 **Unknown** \u2014 could not determine upgrade authority.";
+  }
+}
+function renderVerified(p) {
+  const v = p.verifiedBuild;
+  switch (v.state) {
+    case "verified":
+      return `\u2705 Verified build${v.commit ? ` @ \`${v.commit.slice(0, 12)}\`` : ""} \u2014 [registry](${v.registryUrl})`;
+    case "unverified":
+      return "\u274C Unverified \u2014 on-chain bytecode does not match any source we trust.";
+    case "unknown":
+      return "\u2753 Verified-build status not checked.";
+  }
+}
+function renderAudits(p) {
+  if (!p.audits.length) return "_No audits on file._";
+  return p.audits.map((a) => `- ${a.firm} (${a.date}) \u2014 [report](${a.reportUrl})${a.auditedCommit ? ` @ \`${a.auditedCommit.slice(0, 12)}\`` : ""}`).join("\n");
+}
+function renderParity(p) {
+  const { mainnet, devnet, testnet, notes } = p.parity;
+  const cells = [`mainnet=\`${mainnet}\``, `devnet=\`${devnet}\``];
+  if (testnet) cells.push(`testnet=\`${testnet}\``);
+  return cells.join(" \xB7 ") + (notes ? `  
+  _${notes}_` : "");
+}
+function renderProgram(p) {
+  return [
+    `### ${p.name}`,
+    "",
+    `\`${p.programId}\`${p.kind ? ` \xB7 kind: \`${p.kind}\`` : ""}`,
+    "",
+    `- **Upgrade authority:** ${renderAuthority(p)}`,
+    `- **Verified build:** ${renderVerified(p)}`,
+    `- **Parity:** ${renderParity(p)}`,
+    `- **Audits:**
+${renderAudits(p).split("\n").map((l) => "  " + l).join("\n")}`,
+    p.invokes && p.invokes.length ? `- **Invokes (CPI):** ${p.invokes.map((id) => `\`${id}\``).join(", ")}` : ""
+  ].filter(Boolean).join("\n");
+}
+function renderTrustGraphMd(g) {
+  const head = [
+    "# Trust Graph",
+    "",
+    `_Generated ${g.generatedAt}._`,
+    "",
+    "Every program your code transitively invokes, with the authority that controls it, the build-verification status, and the audits we found.",
+    ""
+  ].join("\n");
+  const body = g.programs.map(renderProgram).join("\n\n---\n\n");
+  const tail = g.unresolved.length ? [
+    "",
+    "---",
+    "",
+    "## Unresolved",
+    "",
+    ...g.unresolved.map((u) => `- \`${u.programId}\` \u2014 ${u.reason}`)
+  ].join("\n") : "";
+  return head + body + tail + "\n";
+}
+
+// src/costAnalysis.ts
+import { Project as Project2, SyntaxKind as SyntaxKind9 } from "ts-morph";
+var LAMPORTS_PER_BYTE_YEAR = 3480;
+var EXEMPTION_THRESHOLD = 2;
+var OVERHEAD_BYTES = 128;
+var LAMPORTS_PER_SOL = 1e9;
+function rentExemptMinimum(dataLen) {
+  return (dataLen + OVERHEAD_BYTES) * LAMPORTS_PER_BYTE_YEAR * EXEMPTION_THRESHOLD;
+}
+function lamportsToSol(lamports) {
+  return (lamports / LAMPORTS_PER_SOL).toFixed(9).replace(/\.?0+$/, "");
+}
+var KNOWN_FLOWS = [
+  {
+    call: "createMint",
+    module: "@solana/spl-token",
+    accountType: "SPL Token Mint",
+    dataLen: 82,
+    recoverability: "conditionally-recoverable",
+    recoverabilityNote: "Recoverable via `closeAccount` on the mint \u2014 requires mint supply = 0 and mint authority disabled. Most production mints never meet these conditions."
+  },
+  {
+    call: "createAssociatedTokenAccount",
+    module: "@solana/spl-token",
+    accountType: "Associated Token Account (ATA)",
+    dataLen: 165,
+    recoverability: "recoverable",
+    recoverabilityNote: "Recovered by calling `closeAccount`; lamports return to the destination wallet. Requires zero token balance."
+  },
+  {
+    call: "createAssociatedTokenAccountIdempotent",
+    module: "@solana/spl-token",
+    accountType: "Associated Token Account (ATA, idempotent)",
+    dataLen: 165,
+    recoverability: "recoverable",
+    recoverabilityNote: "Recovered by calling `closeAccount`; lamports return to the destination wallet. Requires zero token balance."
+  },
+  {
+    call: "createAccount",
+    module: "@solana/spl-token",
+    accountType: "SPL Token Account (explicit)",
+    dataLen: 165,
+    recoverability: "recoverable",
+    recoverabilityNote: "Recovered by calling `closeAccount`; lamports return to the destination wallet. Requires zero token balance."
+  },
+  {
+    call: "createV1",
+    module: "@metaplex-foundation/mpl-token-metadata",
+    accountType: "Metaplex Token Metadata",
+    // Base metadata: 1(key) + 32(update_auth) + 32(mint) + 4+name + 4+symbol + 4+uri
+    // + 2(seller_fee) + 1(creators opt) + 1(primary_sale) + 1(is_mutable) ≈ 679 bytes typical
+    dataLen: 679,
+    recoverability: "non-recoverable",
+    recoverabilityNote: "Metaplex metadata accounts cannot be closed. The lamport lockup is permanent for the lifetime of the token."
+  },
+  {
+    call: "createNft",
+    module: "@metaplex-foundation/mpl-token-metadata",
+    accountType: "Metaplex NFT Metadata",
+    dataLen: 679,
+    recoverability: "non-recoverable",
+    recoverabilityNote: "Metaplex metadata accounts cannot be closed. The lamport lockup is permanent."
+  },
+  {
+    call: "createAndMint",
+    module: "@metaplex-foundation/mpl-token-metadata",
+    accountType: "Metaplex Token Metadata + Mint",
+    dataLen: 679 + 82,
+    // metadata + mint
+    recoverability: "non-recoverable",
+    recoverabilityNote: "Metadata accounts cannot be closed. Mint rent is conditionally recoverable (requires 0 supply + disabled authority)."
+  },
+  {
+    call: "createFungible",
+    module: "@metaplex-foundation/mpl-token-metadata",
+    accountType: "Metaplex Fungible Token Metadata",
+    dataLen: 679,
+    recoverability: "non-recoverable",
+    recoverabilityNote: "Metaplex metadata accounts cannot be closed. The lamport lockup is permanent."
+  }
+];
+var LOOP_NODE_KINDS = /* @__PURE__ */ new Set([
+  SyntaxKind9.ForStatement,
+  SyntaxKind9.ForOfStatement,
+  SyntaxKind9.ForInStatement,
+  SyntaxKind9.WhileStatement,
+  SyntaxKind9.DoStatement
+]);
+var ARRAY_METHOD_LOOPS = /* @__PURE__ */ new Set(["map", "forEach", "flatMap", "reduce", "filter"]);
+function isInsideLoop(node) {
+  let cur = node;
+  while (cur) {
+    const k = cur.getKind?.();
+    if (k !== void 0 && LOOP_NODE_KINDS.has(k)) {
+      return { scalable: true, note: `call is inside a ${SyntaxKind9[k]} \u2014 cost scales with loop iterations` };
+    }
+    if (k === SyntaxKind9.CallExpression) {
+      const expr = cur.getExpression?.();
+      if (expr?.getKind?.() === SyntaxKind9.PropertyAccessExpression) {
+        const name = expr.asKind?.(SyntaxKind9.PropertyAccessExpression)?.getName?.();
+        if (name && ARRAY_METHOD_LOOPS.has(name)) {
+          return { scalable: true, note: `call is inside .${name}() \u2014 cost scales with array length` };
+        }
+      }
+    }
+    cur = cur.getParent?.();
+  }
+  return { scalable: false };
+}
+function detectPriorityFee(targetDir) {
+  const project = new Project2({ skipAddingFilesFromTsConfig: true });
+  for (const file of walk(targetDir)) {
+    const sf = project.addSourceFileAtPath(file);
+    const calls = sf.getDescendantsOfKind(SyntaxKind9.CallExpression);
+    for (const ce of calls) {
+      const expr = ce.getExpression();
+      const text = expr.getText();
+      if (text.includes("setComputeUnitPrice")) {
+        return {
+          found: true,
+          file,
+          line: ce.getStartLineNumber(),
+          detail: `ComputeBudgetProgram.setComputeUnitPrice detected at ${file}:${ce.getStartLineNumber()} \u2014 priority fee configured.`
+        };
+      }
+    }
+  }
+  return {
+    found: false,
+    detail: "No setComputeUnitPrice call detected. During network congestion, transactions without a priority fee may stall or be dropped. Add ComputeBudgetProgram.setComputeUnitPrice() to critical transaction paths."
+  };
+}
+function detectAccountFlows(targetDir) {
+  const project = new Project2({ skipAddingFilesFromTsConfig: true });
+  const callIndex = new Map(KNOWN_FLOWS.map((f) => [f.call, f]));
+  const flows = [];
+  for (const file of walk(targetDir)) {
+    const sf = project.addSourceFileAtPath(file);
+    const importedModules = new Set(
+      sf.getImportDeclarations().map((d) => d.getModuleSpecifierValue())
+    );
+    for (const ce of sf.getDescendantsOfKind(SyntaxKind9.CallExpression)) {
+      const expr = ce.getExpression();
+      let callName5 = null;
+      if (expr.getKind() === SyntaxKind9.Identifier) {
+        callName5 = expr.getText();
+      } else if (expr.getKind() === SyntaxKind9.PropertyAccessExpression) {
+        callName5 = expr.asKind(SyntaxKind9.PropertyAccessExpression).getName();
+      }
+      if (!callName5) continue;
+      const known = callIndex.get(callName5);
+      if (!known) continue;
+      if (!importedModules.has(known.module)) continue;
+      const lamports = rentExemptMinimum(known.dataLen);
+      const { scalable, note } = isInsideLoop(ce);
+      flows.push({
+        call: callName5,
+        module: known.module,
+        accountType: known.accountType,
+        file,
+        line: ce.getStartLineNumber(),
+        dataLen: known.dataLen,
+        lamports,
+        sol: lamportsToSol(lamports),
+        recoverability: known.recoverability,
+        recoverabilityNote: known.recoverabilityNote,
+        scalable,
+        scalableNote: note
+      });
+    }
+  }
+  return flows;
+}
+function analyzeCosts(targetDir) {
+  const accountFlows = detectAccountFlows(targetDir);
+  const priorityFee = detectPriorityFee(targetDir);
+  const staticFlows = accountFlows.filter((f) => !f.scalable);
+  const scalableFlows = accountFlows.filter((f) => f.scalable);
+  const totalLockupLamports = staticFlows.reduce((s, f) => s + f.lamports, 0);
+  return {
+    accountFlows,
+    priorityFee,
+    totalLockupLamports,
+    totalLockupSol: lamportsToSol(totalLockupLamports),
+    scalableFlows,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function renderCostReportMd(r) {
+  const lines = ["## Cost & Rent Analysis\n"];
+  if (r.priorityFee.found) {
+    lines.push(`\u2705 **Priority fee configured** \u2014 \`setComputeUnitPrice\` detected.`);
+    lines.push(`   ${r.priorityFee.detail}
+`);
+  } else {
+    lines.push(`\u26A0\uFE0F  **HIGH \u2014 Priority fee not configured**`);
+    lines.push(`   ${r.priorityFee.detail}
+`);
+  }
+  if (r.accountFlows.length === 0) {
+    lines.push("_No account-creation calls from tracked modules detected._\n");
+    return lines.join("\n");
+  }
+  lines.push("### Account Creation Flows\n");
+  lines.push("| Call | Account Type | Data | Lamports Locked | SOL | Recoverable? |");
+  lines.push("|------|-------------|------|-----------------|-----|--------------|");
+  for (const f of r.accountFlows) {
+    const file = f.file.split("/").slice(-2).join("/");
+    const recov = f.recoverability === "recoverable" ? "\u2705 Yes" : f.recoverability === "conditionally-recoverable" ? "\u26A0\uFE0F  Conditional" : "\u274C No";
+    const scaleMark = f.scalable ? " \u{1F504}" : "";
+    lines.push(
+      `| \`${f.call}\`${scaleMark} (${file}:${f.line}) | ${f.accountType} | ${f.dataLen} B | ${f.lamports.toLocaleString()} | ${f.sol} SOL | ${recov} |`
+    );
+  }
+  lines.push("");
+  const unique = /* @__PURE__ */ new Map();
+  for (const f of r.accountFlows) unique.set(f.accountType, f.recoverabilityNote);
+  lines.push("**Recoverability notes:**");
+  for (const [type, note] of unique) lines.push(`- **${type}:** ${note}`);
+  lines.push("");
+  if (r.totalLockupLamports > 0) {
+    lines.push(
+      `**Total static lockup: ${r.totalLockupLamports.toLocaleString()} lamports (~${r.totalLockupSol} SOL)**`
+    );
+    lines.push(
+      `_(Excludes ${r.scalableFlows.length} scalable flow(s) whose cost grows with N \u2014 see below.)_
+`
+    );
+  }
+  if (r.scalableFlows.length > 0) {
+    lines.push("### Scalable Cost Flows (cost grows with N)\n");
+    for (const f of r.scalableFlows) {
+      const file = f.file.split("/").slice(-2).join("/");
+      lines.push(
+        `- **\`${f.call}\`** at \`${file}:${f.line}\` \u2014 ${f.scalableNote}
+  Per-iteration cost: ${f.lamports.toLocaleString()} lamports (${f.sol} SOL) for each ${f.accountType}.`
+      );
+    }
+    lines.push("");
+  }
+  return lines.join("\n");
+}
+
+export {
+  findCandidates,
+  runChecker,
+  checkerKinds,
+  auditWithRule,
+  audit,
+  renderTest,
+  testKinds,
+  loadRules,
+  rules,
+  resolveRules,
+  loadDirectory,
+  base58Encode,
+  base58Decode,
+  isValidSolanaAddress,
+  DEFAULT_TTL_HOURS,
+  defaultCachePath,
+  loadProgramCache,
+  saveProgramCache,
+  getCacheEntry,
+  putCacheEntry,
+  getCacheEntryMeta,
+  isEntryExpired,
+  cacheSize,
+  buildTrustGraph,
+  renderTrustGraphMd,
+  rentExemptMinimum,
+  lamportsToSol,
+  analyzeCosts,
+  renderCostReportMd
+};