brainblast 0.3.0 → 0.4.0

package/dist/{chunk-BZVZ3WAU.js → chunk-WVHGN2HR.js}

@@ -38,7 +38,13 @@ function findCandidates(targetDir, rule) {
     const sf = project.addSourceFileAtPath(file);
     const importsModule = sf.getImportDeclarations().some((d) => modules.has(d.getModuleSpecifierValue()));
     const consider = (fn, name) => {
-      if (!(importsModule || name && nameRe.test(name) || bodyCallsAnyOf(fn, triggers))) return;
+      const hasName = !!(name && nameRe.test(name));
+      const hasTrigger = bodyCallsAnyOf(fn, triggers);
+      if (rule.detect.requiresImport) {
+        if (!(importsModule && (hasName || hasTrigger))) return;
+      } else {
+        if (!(hasName || hasTrigger)) return;
+      }
       out.push({
         filePath: file,
         fnName: name || "(anonymous)",
@@ -62,7 +68,20 @@ var positionalArgIdentity = (c, p) => {
     const exp = call.getExpression();
     return exp.getKind() === SyntaxKind2.PropertyAccessExpression && exp.asKind(SyntaxKind2.PropertyAccessExpression).getName() === p.call;
   });
-  if (calls.length === 0) return { result: "fail", detail: p.absentDetail };
+  if (calls.length === 0) {
+    const sf = c.fn.getSourceFile();
+    const existsInFile = sf.getDescendantsOfKind(SyntaxKind2.CallExpression).some((call) => {
+      const exp = call.getExpression();
+      return exp.getKind() === SyntaxKind2.PropertyAccessExpression && exp.asKind(SyntaxKind2.PropertyAccessExpression).getName() === p.call;
+    });
+    if (existsInFile) {
+      return {
+        result: "cant_tell",
+        detail: `${p.call} is called elsewhere in this file; unable to confirm this function's delegation path statically.`
+      };
+    }
+    return { result: "fail", detail: p.absentDetail };
+  }
   const arg = calls[0].getArguments()[p.argIndex];
   const wantParam = c.params[p.paramIndex];
   if (arg && wantParam && arg.getKind() === SyntaxKind2.Identifier && arg.getText() === wantParam) {
@@ -538,6 +557,136 @@ function findRustCandidates(targetDir, rule) {
   return out;
 }
 
+// src/fixers/positionalArgIdentity.ts
+import { SyntaxKind as SyntaxKind7 } from "ts-morph";
+
+// src/fixers/diffUtil.ts
+function buildDiff(node, replacement) {
+  const sf = node.getSourceFile();
+  const filePath = sf.getFilePath();
+  const fullText = sf.getFullText();
+  const start = node.getStart();
+  const end = node.getEnd();
+  const startPos = sf.getLineAndColumnAtPos(start);
+  const endPos = sf.getLineAndColumnAtPos(end);
+  const lines = fullText.split("\n");
+  const oldMiddle = lines.slice(startPos.line - 1, endPos.line);
+  const oldFirst = oldMiddle[0].slice(0, startPos.column - 1);
+  const oldLast = oldMiddle[oldMiddle.length - 1].slice(endPos.column - 1);
+  const newMiddle = (oldFirst + replacement + oldLast).split("\n");
+  const removed = oldMiddle.map((l) => `-${l}`);
+  const added = newMiddle.map((l) => `+${l}`);
+  const hunkHeader = `@@ -${startPos.line},${oldMiddle.length} +${startPos.line},${newMiddle.length} @@`;
+  return [`--- a${filePath}`, `+++ b${filePath}`, hunkHeader, ...removed, ...added].join("\n");
+}
+
+// src/fixers/positionalArgIdentity.ts
+var fixPositionalArgIdentity = (c, p, outcome) => {
+  if (outcome.result !== "fail") return void 0;
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind7.CallExpression).filter((call) => {
+    const exp = call.getExpression();
+    return exp.getKind() === SyntaxKind7.PropertyAccessExpression && exp.asKind(SyntaxKind7.PropertyAccessExpression).getName() === p.call;
+  });
+  if (calls.length === 0) {
+    const wantParam2 = c.params[p.paramIndex] ?? "<rawBodyParam>";
+    return {
+      summary: `Add a ${p.call} call that verifies the raw request body`,
+      suggestion: `No '${p.call}' call was found in this handler. Verify the signature against the raw, unparsed request body \u2014 parameter '${wantParam2}' \u2014 before trusting the event, e.g.:
+
+  const event = stripe.webhooks.constructEvent(${wantParam2}, signature, process.env.STRIPE_WEBHOOK_SECRET!);
+
+Do not call JSON.parse() on the body before this verification step.`
+    };
+  }
+  const arg = calls[0].getArguments()[p.argIndex];
+  const wantParam = c.params[p.paramIndex];
+  if (arg && wantParam && arg.getKind() === SyntaxKind7.CallExpression) {
+    return {
+      summary: `Pass the raw body parameter '${wantParam}' to ${p.call} instead of a parsed value`,
+      diff: buildDiff(arg, wantParam)
+    };
+  }
+  return void 0;
+};
+
+// src/fixers/requiredCallWithOptions.ts
+import { SyntaxKind as SyntaxKind8 } from "ts-morph";
+function callName4(call) {
+  const exp = call.getExpression();
+  if (exp.getKind() === SyntaxKind8.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind8.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind8.PropertyAccessExpression).getName();
+  }
+  return "";
+}
+function placeholderFor(propName) {
+  switch (propName) {
+    case "audience":
+    case "aud":
+      return `audience: process.env.PRIVY_APP_ID`;
+    case "issuer":
+    case "iss":
+      return `issuer: "https://privy.io"`;
+    default:
+      return `${propName}: undefined /* TODO: brainblast could not infer this value */`;
+  }
+}
+var fixRequiredCallWithOptions = (c, p, outcome) => {
+  if (outcome.result !== "fail") return void 0;
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind8.CallExpression);
+  const verify = calls.filter((x) => p.verifyCalls.includes(callName4(x)));
+  if (verify.length > 0) {
+    const call = verify[0];
+    const args = call.getArguments();
+    const lastArg = args[args.length - 1];
+    const obj = lastArg?.asKind(SyntaxKind8.ObjectLiteralExpression);
+    const presentNames = obj ? obj.getProperties().map((pr) => {
+      const pa = pr.asKind(SyntaxKind8.PropertyAssignment) ?? pr.asKind(SyntaxKind8.ShorthandPropertyAssignment);
+      return pa?.getName() ?? "";
+    }) : [];
+    const missingGroups = p.requiredProps.filter(
+      (g) => !g.some((n) => presentNames.includes(n))
+    );
+    if (missingGroups.length === 0) return void 0;
+    const newProps = missingGroups.map((g) => placeholderFor(g[0])).join(", ");
+    const summary = `Add ${missingGroups.map((g) => g[0]).join(" and ")} to the ${callName4(call)} call`;
+    if (obj) {
+      const inner = obj.getText().slice(1, -1).trim();
+      const newText = inner.length > 0 ? `{ ${inner}, ${newProps} }` : `{ ${newProps} }`;
+      return { summary, diff: buildDiff(obj, newText) };
+    }
+    if (lastArg) {
+      const newText = `${lastArg.getText()}, { ${newProps} }`;
+      return { summary, diff: buildDiff(lastArg, newText) };
+    }
+    return {
+      summary,
+      suggestion: `Add an options object ({ ${newProps} }) as an argument to ${callName4(call)}.`
+    };
+  }
+  return {
+    summary: "Replace the decode-only call with a verified call",
+    suggestion: `This token is decoded without verifying its signature, accepting any forged token. Replace the decode call with a verifying call that asserts audience and issuer, e.g.:
+
+  const { payload } = await jwtVerify(token, JWKS, { audience: process.env.PRIVY_APP_ID, issuer: "https://privy.io" });
+
+JWKS must come from Privy's published JWKS endpoint for your app.`
+  };
+};
+
+// src/fixers/index.ts
+var registry2 = {
+  "positional-arg-identity": fixPositionalArgIdentity,
+  "required-call-with-options": fixRequiredCallWithOptions
+};
+function runFixer(kind, c, params, outcome) {
+  if (outcome.result !== "fail") return void 0;
+  const fn = registry2[kind];
+  if (!fn) return void 0;
+  return fn(c, params, outcome);
+}
+var fixerKinds = Object.keys(registry2);
+
 // src/emit.ts
 function buildReport(target, checks, rules2, costReport) {
   const byId = new Map(rules2.map((r) => [r.id, r]));
@@ -584,7 +733,9 @@ function buildReport(target, checks, rules2, costReport) {
       file: c.file,
       line: c.line,
       title: c.title,
-      detail: c.detail
+      detail: c.detail,
+      ...c.fix ? { fix: c.fix } : {},
+      ...c.precedent ? { precedent: c.precedent } : {}
     })),
     checkTotals,
     openQuestions: [],
@@ -611,6 +762,7 @@ function auditWithRule(targetDir, rule) {
   }
   return findCandidates(targetDir, rule).map((c) => {
     const outcome = runChecker(rule.check.kind, c, rule.check.params);
+    const fix = runFixer(rule.check.kind, c, rule.check.params, outcome);
     return {
       ruleId: rule.id,
       severity: rule.severity,
@@ -618,7 +770,8 @@ function auditWithRule(targetDir, rule) {
       file: c.filePath,
       line: c.fn.getStartLineNumber(),
       exportName: c.fnName,
-      ...outcome
+      ...outcome,
+      ...fix ? { fix } : {}
     };
   });
 }
@@ -903,7 +1056,7 @@ mod brainblast_reinit_guard_test {
 `;
 
 // src/testTemplates/index.ts
-var registry2 = {
+var registry3 = {
   "stripe-webhook-signature": stripeWebhookSignature,
   "privy-jwt-claims": privyJwtClaims,
   "bags-fee-share": bagsFeeShare,
@@ -913,14 +1066,14 @@ var registry2 = {
 };
 var JS_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;
 function renderTest(kind, opts) {
-  const tpl = registry2[kind];
+  const tpl = registry3[kind];
   if (!tpl) throw new Error(`Unknown test template kind '${kind}'.`);
   if (!JS_IDENTIFIER.test(opts.handlerExport)) {
     throw new Error(`Unsafe handler export name '${opts.handlerExport}' (not a JS identifier).`);
   }
   return tpl(opts);
 }
-var testKinds = Object.keys(registry2);
+var testKinds = Object.keys(registry3);
 
 // src/loadRules.ts
 import { readdirSync as readdirSync3, readFileSync as readFileSync2 } from "fs";
@@ -1384,7 +1537,7 @@ function renderTrustGraphMd(g) {
 }
 
 // src/costAnalysis.ts
-import { Project as Project2, SyntaxKind as SyntaxKind7 } from "ts-morph";
+import { Project as Project2, SyntaxKind as SyntaxKind9 } from "ts-morph";
 var LAMPORTS_PER_BYTE_YEAR = 3480;
 var EXEMPTION_THRESHOLD = 2;
 var OVERHEAD_BYTES = 128;
@@ -1465,11 +1618,11 @@ var KNOWN_FLOWS = [
   }
 ];
 var LOOP_NODE_KINDS = /* @__PURE__ */ new Set([
-  SyntaxKind7.ForStatement,
-  SyntaxKind7.ForOfStatement,
-  SyntaxKind7.ForInStatement,
-  SyntaxKind7.WhileStatement,
-  SyntaxKind7.DoStatement
+  SyntaxKind9.ForStatement,
+  SyntaxKind9.ForOfStatement,
+  SyntaxKind9.ForInStatement,
+  SyntaxKind9.WhileStatement,
+  SyntaxKind9.DoStatement
 ]);
 var ARRAY_METHOD_LOOPS = /* @__PURE__ */ new Set(["map", "forEach", "flatMap", "reduce", "filter"]);
 function isInsideLoop(node) {
@@ -1477,12 +1630,12 @@ function isInsideLoop(node) {
   while (cur) {
     const k = cur.getKind?.();
     if (k !== void 0 && LOOP_NODE_KINDS.has(k)) {
-      return { scalable: true, note: `call is inside a ${SyntaxKind7[k]} \u2014 cost scales with loop iterations` };
+      return { scalable: true, note: `call is inside a ${SyntaxKind9[k]} \u2014 cost scales with loop iterations` };
     }
-    if (k === SyntaxKind7.CallExpression) {
+    if (k === SyntaxKind9.CallExpression) {
       const expr = cur.getExpression?.();
-      if (expr?.getKind?.() === SyntaxKind7.PropertyAccessExpression) {
-        const name = expr.asKind?.(SyntaxKind7.PropertyAccessExpression)?.getName?.();
+      if (expr?.getKind?.() === SyntaxKind9.PropertyAccessExpression) {
+        const name = expr.asKind?.(SyntaxKind9.PropertyAccessExpression)?.getName?.();
         if (name && ARRAY_METHOD_LOOPS.has(name)) {
           return { scalable: true, note: `call is inside .${name}() \u2014 cost scales with array length` };
         }
@@ -1496,7 +1649,7 @@ function detectPriorityFee(targetDir) {
   const project = new Project2({ skipAddingFilesFromTsConfig: true });
   for (const file of walk(targetDir)) {
     const sf = project.addSourceFileAtPath(file);
-    const calls = sf.getDescendantsOfKind(SyntaxKind7.CallExpression);
+    const calls = sf.getDescendantsOfKind(SyntaxKind9.CallExpression);
     for (const ce of calls) {
       const expr = ce.getExpression();
       const text = expr.getText();
@@ -1524,22 +1677,22 @@ function detectAccountFlows(targetDir) {
     const importedModules = new Set(
       sf.getImportDeclarations().map((d) => d.getModuleSpecifierValue())
     );
-    for (const ce of sf.getDescendantsOfKind(SyntaxKind7.CallExpression)) {
+    for (const ce of sf.getDescendantsOfKind(SyntaxKind9.CallExpression)) {
       const expr = ce.getExpression();
-      let callName4 = null;
-      if (expr.getKind() === SyntaxKind7.Identifier) {
-        callName4 = expr.getText();
-      } else if (expr.getKind() === SyntaxKind7.PropertyAccessExpression) {
-        callName4 = expr.asKind(SyntaxKind7.PropertyAccessExpression).getName();
+      let callName5 = null;
+      if (expr.getKind() === SyntaxKind9.Identifier) {
+        callName5 = expr.getText();
+      } else if (expr.getKind() === SyntaxKind9.PropertyAccessExpression) {
+        callName5 = expr.asKind(SyntaxKind9.PropertyAccessExpression).getName();
       }
-      if (!callName4) continue;
-      const known = callIndex.get(callName4);
+      if (!callName5) continue;
+      const known = callIndex.get(callName5);
       if (!known) continue;
       if (!importedModules.has(known.module)) continue;
       const lamports = rentExemptMinimum(known.dataLen);
       const { scalable, note } = isInsideLoop(ce);
       flows.push({
-        call: callName4,
+        call: callName5,
         module: known.module,
         accountType: known.accountType,
         file,

package/dist/cli.js

@@ -10,11 +10,84 @@ import {
   renderCostReportMd,
   renderTrustGraphMd,
   resolveRules
-} from "./chunk-BZVZ3WAU.js";
+} from "./chunk-WVHGN2HR.js";
 
 // src/cli.ts
-import { writeFileSync, mkdirSync } from "fs";
+import { writeFileSync as writeFileSync2, mkdirSync as mkdirSync2 } from "fs";
+import { join as join2 } from "path";
+
+// src/memory.ts
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from "fs";
 import { join } from "path";
+var EMPTY_MEMORY = { schemaVersion: "1.0", lastRun: [], fixHistory: [] };
+function memoryPath(targetDir2) {
+  return join(targetDir2, ".agent-research", "memory.json");
+}
+function loadMemory(targetDir2) {
+  const p = memoryPath(targetDir2);
+  if (!existsSync(p)) return { ...EMPTY_MEMORY, lastRun: [], fixHistory: [] };
+  try {
+    const parsed = JSON.parse(readFileSync(p, "utf8"));
+    return {
+      schemaVersion: parsed.schemaVersion ?? "1.0",
+      lastRun: Array.isArray(parsed.lastRun) ? parsed.lastRun : [],
+      fixHistory: Array.isArray(parsed.fixHistory) ? parsed.fixHistory : []
+    };
+  } catch {
+    return { ...EMPTY_MEMORY, lastRun: [], fixHistory: [] };
+  }
+}
+function saveMemory(targetDir2, memory2) {
+  mkdirSync(join(targetDir2, ".agent-research"), { recursive: true });
+  writeFileSync(memoryPath(targetDir2), JSON.stringify(memory2, null, 2));
+}
+var snapshotKey = (e) => `${e.ruleId}::${e.file}::${e.exportName}`;
+function precedentKey(c) {
+  return `${c.ruleId}::${c.file}`;
+}
+function updateMemory(memory2, checks2, now = /* @__PURE__ */ new Date()) {
+  const prevByKey = new Map(memory2.lastRun.map((e) => [snapshotKey(e), e]));
+  const fixedAt = now.toISOString().slice(0, 10);
+  const newFixEvents = [];
+  for (const c of checks2) {
+    const prev = prevByKey.get(snapshotKey(c));
+    if (prev?.result === "fail" && c.result !== "fail") {
+      newFixEvents.push({
+        ruleId: c.ruleId,
+        file: c.file,
+        exportName: c.exportName,
+        fixedAt,
+        detail: prev.detail
+      });
+    }
+  }
+  const fixHistory = [...memory2.fixHistory, ...newFixEvents];
+  const precedents2 = /* @__PURE__ */ new Map();
+  for (const c of checks2) {
+    if (c.result !== "fail") continue;
+    const pk = precedentKey(c);
+    if (precedents2.has(pk)) continue;
+    const matches = fixHistory.filter((e) => e.ruleId === c.ruleId && e.file !== c.file).sort((a, b) => a.fixedAt < b.fixedAt ? 1 : a.fixedAt > b.fixedAt ? -1 : 0);
+    if (matches[0]) {
+      precedents2.set(pk, {
+        file: matches[0].file,
+        exportName: matches[0].exportName,
+        fixedAt: matches[0].fixedAt,
+        detail: matches[0].detail
+      });
+    }
+  }
+  const lastRun = checks2.map((c) => ({
+    ruleId: c.ruleId,
+    file: c.file,
+    exportName: c.exportName,
+    result: c.result,
+    detail: c.detail
+  }));
+  return { memory: { schemaVersion: "1.0", lastRun, fixHistory }, precedents: precedents2 };
+}
+
+// src/cli.ts
 var args = process.argv.slice(2);
 if (args[0] === "trust-graph") {
   await runTrustGraph(args.slice(1));
@@ -25,20 +98,45 @@ var strict = args.includes("--strict");
 var targetDir = args.find((a) => !a.startsWith("--")) ?? process.cwd();
 var rules = resolveRules(targetDir);
 var { checks, report } = audit(targetDir, rules);
+var memory = loadMemory(targetDir);
+var { memory: nextMemory, precedents } = updateMemory(memory, checks);
+for (const c of checks) {
+  const p = precedents.get(precedentKey(c));
+  if (p) c.precedent = p;
+}
+for (const rc of report.checks) {
+  const p = precedents.get(precedentKey(rc));
+  if (p) rc.precedent = p;
+}
+saveMemory(targetDir, nextMemory);
 var costReport = analyzeCosts(targetDir);
 report.costAnalysis = costReport;
-var outDir = join(targetDir, ".agent-research");
-mkdirSync(outDir, { recursive: true });
-var reportPath = join(outDir, "report.json");
-writeFileSync(reportPath, JSON.stringify(report, null, 2));
-var costMdPath = join(outDir, "cost-analysis.md");
-writeFileSync(costMdPath, renderCostReportMd(costReport));
+var outDir = join2(targetDir, ".agent-research");
+mkdirSync2(outDir, { recursive: true });
+var reportPath = join2(outDir, "report.json");
+writeFileSync2(reportPath, JSON.stringify(report, null, 2));
+var costMdPath = join2(outDir, "cost-analysis.md");
+writeFileSync2(costMdPath, renderCostReportMd(costReport));
 console.log(`brainblast: scanned ${targetDir} with ${rules.length} rule(s)`);
 if (checks.length === 0) console.log("  (no catastrophic components detected)");
 for (const c of checks) {
   const tag = c.result === "pass" ? "PASS " : c.result === "fail" ? "FAIL " : "WARN ";
   console.log(`  [${tag}] ${c.ruleId}  ${c.file}:${c.line}`);
   console.log(`          ${c.detail}`);
+  if (c.precedent) {
+    console.log(
+      `          memory: same issue (${c.ruleId}) was fixed in ${c.precedent.file} on ${c.precedent.fixedAt}`
+    );
+  }
+  if (c.fix) {
+    console.log(`          fix: ${c.fix.summary}`);
+    if (c.fix.diff) {
+      for (const line of c.fix.diff.split("\n")) console.log(`            ${line}`);
+    }
+    if (c.fix.suggestion) {
+      for (const line of c.fix.suggestion.split("\n")) console.log(`            ${line}`);
+    }
+  }
 }
 var fails = checks.filter((c) => c.result === "fail").length;
 var cantTell = checks.filter((c) => c.result === "cant_tell").length;

package/dist/index.d.ts

@@ -78,6 +78,17 @@ interface CheckOutcome {
     result: CheckResultKind;
     detail: string;
 }
+interface Fix {
+    summary: string;
+    diff?: string;
+    suggestion?: string;
+}
+interface Precedent {
+    file: string;
+    exportName: string;
+    fixedAt: string;
+    detail: string;
+}
 interface CheckResult extends CheckOutcome {
     ruleId: string;
     severity: Severity;
@@ -85,6 +96,10 @@ interface CheckResult extends CheckOutcome {
     file: string;
     line: number;
     exportName: string;
+    /** Present when result === "fail" and a vetted fixer for check.kind produced one. */
+    fix?: Fix;
+    /** Present when result === "fail" and the same rule was previously fixed elsewhere. */
+    precedent?: Precedent;
 }
 interface Rule {
     id: string;
@@ -102,6 +117,19 @@ interface Rule {
         triggerCalls: string[];
         /** Defaults to "typescript". Set to "rust" for Anchor/Rust checker kinds. */
         lang?: "typescript" | "rust";
+        /**
+         * When true, a module import from `modules` is a REQUIRED condition for
+         * detection: a candidate must be in a file that imports one of the listed
+         * modules, AND either its name matches nameRegex or its body calls a
+         * triggerCall.  This prevents generic name-only matches (e.g. a Fastify
+         * middleware named "verifyJwt" that calls `request.jwtVerify()`) from
+         * triggering jose-specific rules.
+         *
+         * When false or omitted (default), detection is: nameRegex match OR
+         * triggerCall in body.  Module import is not required, so rules like
+         * stripe-webhook can still catch handlers that don't import stripe directly.
+         */
+        requiresImport?: boolean;
     };
     check: {
         kind: string;
@@ -150,6 +178,8 @@ declare function audit(targetDir: string, rules: Rule[]): {
             low: number;
         };
         checks: {
+            precedent?: Precedent | undefined;
+            fix?: Fix | undefined;
             ruleId: string;
             severity: Severity;
             result: CheckResultKind;

package/dist/index.js

@@ -28,7 +28,7 @@ import {
   runChecker,
   saveProgramCache,
   testKinds
-} from "./chunk-BZVZ3WAU.js";
+} from "./chunk-WVHGN2HR.js";
 
 // src/generate.ts
 import { writeFileSync, mkdirSync } from "fs";

package/dist/rules/privy-jwt-verification.yaml

@@ -14,7 +14,19 @@ detect:
   # Privy handlers are still picked up by the @privy-io/* / jose / jsonwebtoken
   # imports, and by triggerCalls like decodeJwt / jwtVerify.
   nameRegex: "privy|jwt"
-  triggerCalls: [decodeJwt, jwtVerify, verify, decode]
+  # Only decodeJwt triggers detection; it's specific to jose and unambiguously
+  # indicates a decode-only pattern.  jwtVerify/verify/decode were removed because:
+  #   - "verify" matches Node.js crypto.verify(), jsonwebtoken jwt.verify(), etc.
+  #   - "decode" matches bs58.decode() (Solana), Buffer.from(), etc.
+  #   - "jwtVerify" matches Fastify's request.jwtVerify() plugin method, which is
+  #     not a jose-based call and requires no audience/issuer options.
+  # Functions that import jose/@privy-io/* and are named with "privy|jwt" are still
+  # detected via requiresImport + (importsModule && hasName), the primary detection path.
+  triggerCalls: [decodeJwt]
+  # A module import is REQUIRED to be a candidate.  Without this guard, a Fastify
+  # middleware named "verifyJwt" (which calls request.jwtVerify(), a completely
+  # different library) would match the nameRegex and be flagged as missing aud/iss.
+  requiresImport: true
 check:
   kind: required-call-with-options
   params:

package/dist/rules/stripe-webhook-raw-body.yaml

@@ -11,6 +11,11 @@ detect:
   modules: [stripe]
   nameRegex: webhook
   triggerCalls: [constructEvent]
+  # Require the file to import stripe.  Without this guard, any function whose
+  # name contains "webhook" — even LemonSqueezy, Polar, or Sendgrid handlers —
+  # is flagged for missing stripe.webhooks.constructEvent, producing false
+  # positives on non-Stripe payment integrations.
+  requiresImport: true
 check:
   kind: positional-arg-identity
   params:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "brainblast",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "type": "module",
   "description": "Deterministic auditor for catastrophic AI-integration bugs: scan a repo, find the silent money/auth traps, and generate the behavioral test that proves they're fixed.",
   "keywords": [