brainblast 0.4.0 → 0.4.2

package/dist/{chunk-WVHGN2HR.js → chunk-Q72MTJXQ.js}

@@ -4,9 +4,10 @@ import { Project, SyntaxKind } from "ts-morph";
 // src/walk.ts
 import { readdirSync, statSync } from "fs";
 import { join } from "path";
+var SKIP_DIRS = /* @__PURE__ */ new Set(["node_modules", ".git", ".gen", "dist", ".next", ".agent-research"]);
 function walk(dir, out = []) {
   for (const entry of readdirSync(dir)) {
-    if (entry === "node_modules" || entry === ".git" || entry === ".gen") continue;
+    if (SKIP_DIRS.has(entry)) continue;
     const p = join(dir, entry);
     const st = statSync(p);
     if (st.isDirectory()) walk(p, out);
@@ -14,6 +15,16 @@ function walk(dir, out = []) {
   }
   return out;
 }
+function walkAllFiles(dir, out = []) {
+  for (const entry of readdirSync(dir)) {
+    if (SKIP_DIRS.has(entry)) continue;
+    const p = join(dir, entry);
+    const st = statSync(p);
+    if (st.isDirectory()) walkAllFiles(p, out);
+    else out.push(p);
+  }
+  return out;
+}
 
 // src/finder.ts
 function bodyCallsAnyOf(fn, names) {
@@ -61,6 +72,42 @@ function findCandidates(targetDir, rule) {
   return out;
 }
 
+// src/configFinder.ts
+import { execFileSync } from "child_process";
+import { readFileSync } from "fs";
+import { relative, sep } from "path";
+function isGitIgnored(targetDir, rel) {
+  try {
+    execFileSync("git", ["check-ignore", "-q", "--", rel], { cwd: targetDir, stdio: "ignore" });
+    return true;
+  } catch (e) {
+    if (typeof e?.status === "number") return false;
+    return false;
+  }
+}
+function findConfigCandidates(targetDir, rule) {
+  const patterns = (rule.detect.filePatterns ?? []).map((p) => new RegExp(p));
+  if (patterns.length === 0) return [];
+  const files = walkAllFiles(targetDir);
+  const out = [];
+  for (const file of files) {
+    const rel = relative(targetDir, file).split(sep).join("/");
+    if (!patterns.some((re) => re.test(rel))) continue;
+    let content;
+    try {
+      content = readFileSync(file, "utf8");
+    } catch {
+      continue;
+    }
+    out.push({
+      filePath: file,
+      content,
+      tracked: !isGitIgnored(targetDir, rel)
+    });
+  }
+  return out;
+}
+
 // src/checkers/positionalArgIdentity.ts
 import { SyntaxKind as SyntaxKind2 } from "ts-morph";
 var positionalArgIdentity = (c, p) => {
@@ -410,6 +457,126 @@ function anchorInitIfNeededGuarded(c, p) {
   };
 }
 
+// src/checkers/envSecretsCommitted.ts
+var envSecretsCommitted = (c, p) => {
+  if (!c.tracked) {
+    return {
+      result: "pass",
+      detail: p.ignoredDetail ?? "File is git-ignored; not committed to source control."
+    };
+  }
+  const keyRe = new RegExp(p.secretKeyPattern, "i");
+  const placeholderRe = new RegExp(p.placeholderPattern, "i");
+  const offenders = [];
+  for (const rawLine of c.content.split("\n")) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith("#")) continue;
+    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
+    if (!m) continue;
+    const [, key, rawValue] = m;
+    if (!keyRe.test(key)) continue;
+    const value = (rawValue ?? "").trim().replace(/^["']|["']$/g, "");
+    if (!value) continue;
+    if (placeholderRe.test(value)) continue;
+    offenders.push(key);
+  }
+  if (offenders.length > 0) {
+    const prefix = p.failDetailPrefix ?? "This file is tracked by git and contains secret-looking values";
+    return { result: "fail", detail: `${prefix}: ${offenders.join(", ")}.` };
+  }
+  return { result: "pass", detail: p.passDetail ?? "No committed secret-looking values found." };
+};
+
+// src/checkers/envTaintToSink.ts
+import { SyntaxKind as SyntaxKind7 } from "ts-morph";
+function calleeName(call) {
+  const exp = call.getExpression();
+  if (exp.getKind() === SyntaxKind7.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind7.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind7.PropertyAccessExpression).getName();
+  }
+  return "";
+}
+function envVarIn(text) {
+  const m = text.match(/process\.env\.([A-Za-z0-9_]+)/);
+  return m?.[1];
+}
+function wordIn(text, name) {
+  return new RegExp(`\\b${name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\b`).test(text);
+}
+function findDirectLeak(fn, sinkCalls, secretKeyRe, taintedNames) {
+  for (const call of fn.getDescendantsOfKind(SyntaxKind7.CallExpression)) {
+    const name = calleeName(call);
+    if (!sinkCalls.has(name)) continue;
+    for (const arg of call.getArguments()) {
+      const text = arg.getText();
+      const envVar = envVarIn(text);
+      if (envVar && secretKeyRe.test(envVar)) {
+        return `process.env.${envVar} is passed directly to ${name}(...) \u2014 secret values must not be logged or returned to clients.`;
+      }
+      for (const tv of taintedNames) {
+        if (wordIn(text, tv)) {
+          return `'${tv}' (holding a secret-shaped process.env value) is passed to ${name}(...) \u2014 secret values must not be logged or returned to clients.`;
+        }
+      }
+    }
+  }
+  return void 0;
+}
+var envTaintToSink = (c, p) => {
+  const sinkCalls = new Set(p.sinkCalls ?? []);
+  const secretKeyRe = new RegExp(p.secretKeyPattern, "i");
+  const fn = c.fn;
+  const taintedNames = /* @__PURE__ */ new Set();
+  for (const decl of fn.getDescendantsOfKind(SyntaxKind7.VariableDeclaration)) {
+    const init = decl.getInitializer();
+    if (!init) continue;
+    const envVar = envVarIn(init.getText());
+    if (envVar && secretKeyRe.test(envVar)) {
+      taintedNames.add(decl.getName());
+    }
+  }
+  const direct = findDirectLeak(fn, sinkCalls, secretKeyRe, taintedNames);
+  if (direct) return { result: "fail", detail: direct };
+  const sourceFile = fn.getSourceFile();
+  for (const call of fn.getDescendantsOfKind(SyntaxKind7.CallExpression)) {
+    const calleeExp = call.getExpression();
+    if (calleeExp.getKind() !== SyntaxKind7.Identifier) continue;
+    const calleeFnName = calleeExp.getText();
+    if (calleeFnName === (c.fnName ?? "")) continue;
+    const args = call.getArguments();
+    const taintedArgIndices = [];
+    args.forEach((arg, i) => {
+      const text = arg.getText();
+      const envVar = envVarIn(text);
+      if (envVar && secretKeyRe.test(envVar)) {
+        taintedArgIndices.push(i);
+        return;
+      }
+      for (const tv of taintedNames) {
+        if (wordIn(text, tv)) {
+          taintedArgIndices.push(i);
+          return;
+        }
+      }
+    });
+    if (taintedArgIndices.length === 0) continue;
+    const calleeFn = sourceFile.getFunction(calleeFnName);
+    if (!calleeFn) continue;
+    const params = calleeFn.getParameters().map((pr) => pr.getName());
+    const calleeTainted = new Set(taintedArgIndices.map((i) => params[i]).filter((x) => !!x));
+    if (calleeTainted.size === 0) continue;
+    const hop = findDirectLeak(calleeFn, sinkCalls, secretKeyRe, calleeTainted);
+    if (hop) {
+      return {
+        result: "fail",
+        detail: `A secret-shaped process.env value flows into '${calleeFnName}(...)' (called from '${c.fnName}'), where ${hop}`
+      };
+    }
+  }
+  return { result: "pass", detail: "No secret-shaped process.env value flows to a logging/response sink." };
+};
+
 // src/checkers/index.ts
 var registry = {
   "positional-arg-identity": positionalArgIdentity,
@@ -417,7 +584,9 @@ var registry = {
   "fee-allocation-shape": feeAllocationShape,
   "arg-equals-constant-identifier": argEqualsConstantIdentifier,
   "object-arg-property-literal-equals": objectArgPropertyLiteralEquals,
-  "anchor-init-if-needed-guarded": anchorInitIfNeededGuarded
+  "anchor-init-if-needed-guarded": anchorInitIfNeededGuarded,
+  "env-secrets-committed": envSecretsCommitted,
+  "env-taint-to-sink": envTaintToSink
 };
 function runChecker(kind, c, params) {
   const fn = registry[kind];
@@ -426,14 +595,89 @@ function runChecker(kind, c, params) {
 }
 var checkerKinds = Object.keys(registry);
 
-// src/rustFinder.ts
-import { readFileSync, readdirSync as readdirSync2, statSync as statSync2 } from "fs";
+// src/gitDiff.ts
+import { execFileSync as execFileSync2 } from "child_process";
+import { readFileSync as readFileSync2 } from "fs";
 import { join as join2 } from "path";
+function getChangedRanges(targetDir, ref) {
+  let out;
+  try {
+    out = execFileSync2(
+      "git",
+      ["diff", "--unified=0", "--no-color", "--no-renames", "--diff-filter=ACMR", "--relative", ref, "--"],
+      { cwd: targetDir, encoding: "utf8", maxBuffer: 64 * 1024 * 1024 }
+    );
+  } catch (e) {
+    const stderr = e?.stderr?.toString?.() ?? e?.message ?? String(e);
+    throw new Error(`brainblast: 'git diff ${ref}' failed: ${stderr.trim()}`);
+  }
+  const ranges = /* @__PURE__ */ new Map();
+  let currentFile = null;
+  for (const line of out.split("\n")) {
+    if (line.startsWith("+++ ")) {
+      const raw = line.slice(4).trim();
+      if (raw === "/dev/null") {
+        currentFile = null;
+        continue;
+      }
+      const rel = raw.startsWith("b/") ? raw.slice(2) : raw;
+      currentFile = join2(targetDir, rel);
+      continue;
+    }
+    if (line.startsWith("@@") && currentFile) {
+      const m = line.match(/\+(\d+)(?:,(\d+))?/);
+      if (!m) continue;
+      const start = parseInt(m[1], 10);
+      const count = m[2] !== void 0 ? parseInt(m[2], 10) : 1;
+      if (count === 0) continue;
+      const end = start + count - 1;
+      const arr = ranges.get(currentFile) ?? [];
+      arr.push([start, end]);
+      ranges.set(currentFile, arr);
+    }
+  }
+  return ranges;
+}
+function getWorkingTreeChanges(targetDir) {
+  const ranges = getChangedRanges(targetDir, "HEAD");
+  let untracked;
+  try {
+    untracked = execFileSync2("git", ["ls-files", "--others", "--exclude-standard", "--", "."], {
+      cwd: targetDir,
+      encoding: "utf8"
+    });
+  } catch {
+    return ranges;
+  }
+  for (const rel of untracked.split("\n").map((s) => s.trim()).filter(Boolean)) {
+    const abs = join2(targetDir, rel);
+    let lineCount = 1;
+    try {
+      lineCount = readFileSync2(abs, "utf8").split("\n").length;
+    } catch {
+      continue;
+    }
+    ranges.set(abs, [[1, lineCount]]);
+  }
+  return ranges;
+}
+function fileChanged(ranges, file) {
+  return ranges.has(file);
+}
+function rangeChanged(ranges, file, startLine, endLine) {
+  const fileRanges = ranges.get(file);
+  if (!fileRanges) return false;
+  return fileRanges.some(([s, e]) => startLine <= e && endLine >= s);
+}
+
+// src/rustFinder.ts
+import { readFileSync as readFileSync3, readdirSync as readdirSync2, statSync as statSync2 } from "fs";
+import { join as join3 } from "path";
 import { createRequire } from "module";
 function walkRust(dir, out = []) {
   for (const entry of readdirSync2(dir)) {
     if (entry === "node_modules" || entry === ".git" || entry === "target") continue;
-    const p = join2(dir, entry);
+    const p = join3(dir, entry);
     const st = statSync2(p);
     if (st.isDirectory()) walkRust(p, out);
     else if (p.endsWith(".rs")) out.push(p);
@@ -513,7 +757,7 @@ function findRustCandidates(targetDir, rule) {
   const out = [];
   for (const file of walkRust(targetDir)) {
     if (!file.endsWith(".rs")) continue;
-    const src = readFileSync(file, "utf8");
+    const src = readFileSync3(file, "utf8");
     const tree = parser.parse(src);
     const structMap = /* @__PURE__ */ new Map();
     const topPairs = itemsWithAttrs(tree.rootNode);
@@ -558,7 +802,7 @@ function findRustCandidates(targetDir, rule) {
 }
 
 // src/fixers/positionalArgIdentity.ts
-import { SyntaxKind as SyntaxKind7 } from "ts-morph";
+import { SyntaxKind as SyntaxKind8 } from "ts-morph";
 
 // src/fixers/diffUtil.ts
 function buildDiff(node, replacement) {
@@ -583,9 +827,9 @@ function buildDiff(node, replacement) {
 // src/fixers/positionalArgIdentity.ts
 var fixPositionalArgIdentity = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind7.CallExpression).filter((call) => {
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind8.CallExpression).filter((call) => {
     const exp = call.getExpression();
-    return exp.getKind() === SyntaxKind7.PropertyAccessExpression && exp.asKind(SyntaxKind7.PropertyAccessExpression).getName() === p.call;
+    return exp.getKind() === SyntaxKind8.PropertyAccessExpression && exp.asKind(SyntaxKind8.PropertyAccessExpression).getName() === p.call;
   });
   if (calls.length === 0) {
     const wantParam2 = c.params[p.paramIndex] ?? "<rawBodyParam>";
@@ -600,7 +844,7 @@ Do not call JSON.parse() on the body before this verification step.`
   }
   const arg = calls[0].getArguments()[p.argIndex];
   const wantParam = c.params[p.paramIndex];
-  if (arg && wantParam && arg.getKind() === SyntaxKind7.CallExpression) {
+  if (arg && wantParam && arg.getKind() === SyntaxKind8.CallExpression) {
     return {
       summary: `Pass the raw body parameter '${wantParam}' to ${p.call} instead of a parsed value`,
       diff: buildDiff(arg, wantParam)
@@ -610,12 +854,12 @@ Do not call JSON.parse() on the body before this verification step.`
 };
 
 // src/fixers/requiredCallWithOptions.ts
-import { SyntaxKind as SyntaxKind8 } from "ts-morph";
+import { SyntaxKind as SyntaxKind9 } from "ts-morph";
 function callName4(call) {
   const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind8.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind8.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind8.PropertyAccessExpression).getName();
+  if (exp.getKind() === SyntaxKind9.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind9.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind9.PropertyAccessExpression).getName();
   }
   return "";
 }
@@ -633,15 +877,15 @@ function placeholderFor(propName) {
 }
 var fixRequiredCallWithOptions = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind8.CallExpression);
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind9.CallExpression);
   const verify = calls.filter((x) => p.verifyCalls.includes(callName4(x)));
   if (verify.length > 0) {
     const call = verify[0];
     const args = call.getArguments();
     const lastArg = args[args.length - 1];
-    const obj = lastArg?.asKind(SyntaxKind8.ObjectLiteralExpression);
+    const obj = lastArg?.asKind(SyntaxKind9.ObjectLiteralExpression);
     const presentNames = obj ? obj.getProperties().map((pr) => {
-      const pa = pr.asKind(SyntaxKind8.PropertyAssignment) ?? pr.asKind(SyntaxKind8.ShorthandPropertyAssignment);
+      const pa = pr.asKind(SyntaxKind9.PropertyAssignment) ?? pr.asKind(SyntaxKind9.ShorthandPropertyAssignment);
       return pa?.getName() ?? "";
     }) : [];
     const missingGroups = p.requiredProps.filter(
@@ -744,9 +988,28 @@ function buildReport(target, checks, rules2, costReport) {
 }
 
 // src/audit.ts
-function auditWithRule(targetDir, rule) {
+function auditWithRule(targetDir, rule, changedRanges) {
+  if (rule.detect.lang === "config") {
+    return findConfigCandidates(targetDir, rule).filter((c) => !changedRanges || fileChanged(changedRanges, c.filePath)).map((c) => {
+      const outcome = runChecker(rule.check.kind, c, rule.check.params);
+      return {
+        ruleId: rule.id,
+        severity: rule.severity,
+        title: rule.title,
+        file: c.filePath,
+        line: 1,
+        exportName: c.filePath,
+        ...outcome
+      };
+    });
+  }
   if (rule.detect.lang === "rust") {
-    return findRustCandidates(targetDir, rule).map((c) => {
+    return findRustCandidates(targetDir, rule).filter((c) => {
+      if (!changedRanges) return true;
+      const start = (c.fnBodyNode?.startPosition?.row ?? 0) + 1;
+      const end = (c.fnBodyNode?.endPosition?.row ?? start - 1) + 1;
+      return rangeChanged(changedRanges, c.filePath, start, end);
+    }).map((c) => {
       const outcome = runChecker(rule.check.kind, c, rule.check.params);
       return {
         ruleId: rule.id,
@@ -760,7 +1023,10 @@ function auditWithRule(targetDir, rule) {
       };
     });
   }
-  return findCandidates(targetDir, rule).map((c) => {
+  return findCandidates(targetDir, rule).filter((c) => {
+    if (!changedRanges) return true;
+    return rangeChanged(changedRanges, c.filePath, c.fn.getStartLineNumber(), c.fn.getEndLineNumber());
+  }).map((c) => {
     const outcome = runChecker(rule.check.kind, c, rule.check.params);
     const fix = runFixer(rule.check.kind, c, rule.check.params, outcome);
     return {
@@ -775,8 +1041,8 @@ function auditWithRule(targetDir, rule) {
     };
   });
 }
-function audit(targetDir, rules2) {
-  const checks = rules2.flatMap((r) => auditWithRule(targetDir, r));
+function audit(targetDir, rules2, changedRanges) {
+  const checks = rules2.flatMap((r) => auditWithRule(targetDir, r, changedRanges));
   const report = buildReport(targetDir, checks, rules2);
   return { checks, report };
 }
@@ -1055,6 +1321,11 @@ mod brainblast_reinit_guard_test {
 }
 `;
 
+// src/testTemplates/none.ts
+var none = (opts) => `// No behavioral contract test applies to this rule.
+// Finding: ${opts.handlerExport} (${opts.handlerImportPath})
+`;
+
 // src/testTemplates/index.ts
 var registry3 = {
   "stripe-webhook-signature": stripeWebhookSignature,
@@ -1062,7 +1333,8 @@ var registry3 = {
   "bags-fee-share": bagsFeeShare,
   "token-program-consistency": tokenProgramConsistency,
   "metaplex-immutable-metadata": metaplexImmutableMetadata,
-  "anchor-program-test": anchorProgramTest
+  "anchor-program-test": anchorProgramTest,
+  none
 };
 var JS_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;
 function renderTest(kind, opts) {
@@ -1076,8 +1348,8 @@ function renderTest(kind, opts) {
 var testKinds = Object.keys(registry3);
 
 // src/loadRules.ts
-import { readdirSync as readdirSync3, readFileSync as readFileSync2 } from "fs";
-import { join as join3 } from "path";
+import { readdirSync as readdirSync3, readFileSync as readFileSync4 } from "fs";
+import { join as join4 } from "path";
 import { parse } from "yaml";
 var SEVERITIES = ["critical", "high", "medium", "low"];
 function validateRule(r, file) {
@@ -1089,7 +1361,19 @@ function validateRule(r, file) {
   if (!SEVERITIES.includes(r.severity)) errs.push(`bad severity '${r.severity}'`);
   if (!r.title || typeof r.title !== "string") errs.push("missing title");
   if (!r.component || !r.component.name || !r.component.type) errs.push("missing component.name/type");
-  if (!r.detect || !Array.isArray(r.detect.modules) || typeof r.detect.nameRegex !== "string" || !Array.isArray(r.detect.triggerCalls)) {
+  if (r.detect?.lang === "config") {
+    if (!Array.isArray(r.detect.filePatterns) || r.detect.filePatterns.length === 0) {
+      errs.push("detect.filePatterns must be a non-empty array when detect.lang is 'config'");
+    } else {
+      for (const pat of r.detect.filePatterns) {
+        try {
+          new RegExp(pat);
+        } catch {
+          errs.push(`detect.filePatterns contains an invalid regex: ${pat}`);
+        }
+      }
+    }
+  } else if (!r.detect || !Array.isArray(r.detect.modules) || typeof r.detect.nameRegex !== "string" || !Array.isArray(r.detect.triggerCalls)) {
     errs.push("detect must have modules[], nameRegex (string), triggerCalls[]");
   } else {
     try {
@@ -1110,7 +1394,7 @@ function loadRules(dir) {
   const files = readdirSync3(dir).filter((f) => f.endsWith(".yaml") || f.endsWith(".yml")).sort();
   const rules2 = [];
   for (const f of files) {
-    const raw = parse(readFileSync2(join3(dir, f), "utf8"));
+    const raw = parse(readFileSync4(join4(dir, f), "utf8"));
     validateRule(raw, f);
     rules2.push(raw);
   }
@@ -1119,23 +1403,23 @@ function loadRules(dir) {
 
 // rules/index.ts
 import { existsSync } from "fs";
-import { dirname, join as join4 } from "path";
+import { dirname, join as join5 } from "path";
 import { fileURLToPath } from "url";
 function bundledRulesDir() {
   const here = dirname(fileURLToPath(import.meta.url));
-  if (existsSync(join4(here, "stripe-webhook-raw-body.yaml"))) return here;
-  const sub = join4(here, "rules");
-  if (existsSync(join4(sub, "stripe-webhook-raw-body.yaml"))) return sub;
+  if (existsSync(join5(here, "stripe-webhook-raw-body.yaml"))) return here;
+  const sub = join5(here, "rules");
+  if (existsSync(join5(sub, "stripe-webhook-raw-body.yaml"))) return sub;
   return here;
 }
 var rules = loadRules(bundledRulesDir());
 
 // src/resolveRules.ts
 import { existsSync as existsSync2 } from "fs";
-import { join as join5 } from "path";
+import { join as join6 } from "path";
 function resolveRules(targetDir) {
   const all = [...rules];
-  const projDir = join5(targetDir, ".agent-research", "rules");
+  const projDir = join6(targetDir, ".agent-research", "rules");
   if (existsSync2(projDir)) {
     const seen = new Set(all.map((r) => r.id));
     for (const r of loadRules(projDir)) {
@@ -1151,19 +1435,19 @@ function resolveRules(targetDir) {
 }
 
 // src/trustGraph/directory.ts
-import { readFileSync as readFileSync3, existsSync as existsSync3 } from "fs";
+import { readFileSync as readFileSync5, existsSync as existsSync3 } from "fs";
 import { fileURLToPath as fileURLToPath2 } from "url";
-import { join as join6 } from "path";
+import { join as join7 } from "path";
 import { parse as parse2 } from "yaml";
 var cache = null;
 function bundledPath() {
   const here = fileURLToPath2(new URL(".", import.meta.url));
   const candidates = [
-    join6(here, "programs", "directory.yaml"),
+    join7(here, "programs", "directory.yaml"),
     // dist/programs/directory.yaml
-    join6(here, "..", "..", "programs", "directory.yaml"),
+    join7(here, "..", "..", "programs", "directory.yaml"),
     // src/../../programs/
-    join6(here, "..", "programs", "directory.yaml")
+    join7(here, "..", "programs", "directory.yaml")
     // fallback
   ];
   for (const c of candidates) {
@@ -1173,7 +1457,7 @@ function bundledPath() {
 }
 function loadDirectory(path = bundledPath()) {
   if (cache && path === bundledPath()) return cache;
-  const raw = parse2(readFileSync3(path, "utf8"));
+  const raw = parse2(readFileSync5(path, "utf8"));
   if (!raw || !Array.isArray(raw.programs)) {
     throw new Error(`invalid program directory at ${path}: missing 'programs' array`);
   }
@@ -1244,14 +1528,14 @@ function isValidSolanaAddress(s) {
 }
 
 // src/trustGraph/programCache.ts
-import { readFileSync as readFileSync4, writeFileSync, mkdirSync, existsSync as existsSync4 } from "fs";
-import { join as join7, dirname as dirname2 } from "path";
+import { readFileSync as readFileSync6, writeFileSync, mkdirSync, existsSync as existsSync4 } from "fs";
+import { join as join8, dirname as dirname2 } from "path";
 import { homedir } from "os";
 var DEFAULT_TTL_HOURS = 168;
 var SCHEMA_VERSION = "1.0";
 function defaultCachePath() {
   const envOverride = process.env["BRAINBLAST_CACHE_PATH"];
-  return envOverride ?? join7(homedir(), ".brainblast", "program-cache.json");
+  return envOverride ?? join8(homedir(), ".brainblast", "program-cache.json");
 }
 function emptyCache() {
   return { schemaVersion: SCHEMA_VERSION, entries: {} };
@@ -1260,7 +1544,7 @@ function loadProgramCache(cachePath) {
   const path = cachePath ?? defaultCachePath();
   if (!existsSync4(path)) return emptyCache();
   try {
-    const raw = JSON.parse(readFileSync4(path, "utf8"));
+    const raw = JSON.parse(readFileSync6(path, "utf8"));
     if (raw?.schemaVersion !== SCHEMA_VERSION) {
       return emptyCache();
     }
@@ -1537,7 +1821,7 @@ function renderTrustGraphMd(g) {
 }
 
 // src/costAnalysis.ts
-import { Project as Project2, SyntaxKind as SyntaxKind9 } from "ts-morph";
+import { Project as Project2, SyntaxKind as SyntaxKind10 } from "ts-morph";
 var LAMPORTS_PER_BYTE_YEAR = 3480;
 var EXEMPTION_THRESHOLD = 2;
 var OVERHEAD_BYTES = 128;
@@ -1618,11 +1902,11 @@ var KNOWN_FLOWS = [
   }
 ];
 var LOOP_NODE_KINDS = /* @__PURE__ */ new Set([
-  SyntaxKind9.ForStatement,
-  SyntaxKind9.ForOfStatement,
-  SyntaxKind9.ForInStatement,
-  SyntaxKind9.WhileStatement,
-  SyntaxKind9.DoStatement
+  SyntaxKind10.ForStatement,
+  SyntaxKind10.ForOfStatement,
+  SyntaxKind10.ForInStatement,
+  SyntaxKind10.WhileStatement,
+  SyntaxKind10.DoStatement
 ]);
 var ARRAY_METHOD_LOOPS = /* @__PURE__ */ new Set(["map", "forEach", "flatMap", "reduce", "filter"]);
 function isInsideLoop(node) {
@@ -1630,12 +1914,12 @@ function isInsideLoop(node) {
   while (cur) {
     const k = cur.getKind?.();
     if (k !== void 0 && LOOP_NODE_KINDS.has(k)) {
-      return { scalable: true, note: `call is inside a ${SyntaxKind9[k]} \u2014 cost scales with loop iterations` };
+      return { scalable: true, note: `call is inside a ${SyntaxKind10[k]} \u2014 cost scales with loop iterations` };
     }
-    if (k === SyntaxKind9.CallExpression) {
+    if (k === SyntaxKind10.CallExpression) {
       const expr = cur.getExpression?.();
-      if (expr?.getKind?.() === SyntaxKind9.PropertyAccessExpression) {
-        const name = expr.asKind?.(SyntaxKind9.PropertyAccessExpression)?.getName?.();
+      if (expr?.getKind?.() === SyntaxKind10.PropertyAccessExpression) {
+        const name = expr.asKind?.(SyntaxKind10.PropertyAccessExpression)?.getName?.();
         if (name && ARRAY_METHOD_LOOPS.has(name)) {
           return { scalable: true, note: `call is inside .${name}() \u2014 cost scales with array length` };
         }
@@ -1649,7 +1933,7 @@ function detectPriorityFee(targetDir) {
   const project = new Project2({ skipAddingFilesFromTsConfig: true });
   for (const file of walk(targetDir)) {
     const sf = project.addSourceFileAtPath(file);
-    const calls = sf.getDescendantsOfKind(SyntaxKind9.CallExpression);
+    const calls = sf.getDescendantsOfKind(SyntaxKind10.CallExpression);
     for (const ce of calls) {
       const expr = ce.getExpression();
       const text = expr.getText();
@@ -1677,13 +1961,13 @@ function detectAccountFlows(targetDir) {
     const importedModules = new Set(
       sf.getImportDeclarations().map((d) => d.getModuleSpecifierValue())
     );
-    for (const ce of sf.getDescendantsOfKind(SyntaxKind9.CallExpression)) {
+    for (const ce of sf.getDescendantsOfKind(SyntaxKind10.CallExpression)) {
       const expr = ce.getExpression();
       let callName5 = null;
-      if (expr.getKind() === SyntaxKind9.Identifier) {
+      if (expr.getKind() === SyntaxKind10.Identifier) {
         callName5 = expr.getText();
-      } else if (expr.getKind() === SyntaxKind9.PropertyAccessExpression) {
-        callName5 = expr.asKind(SyntaxKind9.PropertyAccessExpression).getName();
+      } else if (expr.getKind() === SyntaxKind10.PropertyAccessExpression) {
+        callName5 = expr.asKind(SyntaxKind10.PropertyAccessExpression).getName();
       }
       if (!callName5) continue;
       const known = callIndex.get(callName5);
@@ -1779,10 +2063,100 @@ function renderCostReportMd(r) {
   return lines.join("\n");
 }
 
+// src/watch.ts
+import { watch as fsWatch } from "fs";
+function runIncrementalScan(targetDir, rules2, emit) {
+  const start = Date.now();
+  let changedRanges;
+  try {
+    changedRanges = getWorkingTreeChanges(targetDir);
+  } catch (e) {
+    emit({ type: "scan_error", message: e?.message ?? String(e) });
+    return;
+  }
+  if (changedRanges.size === 0) {
+    emit({ type: "scan_complete", filesChanged: 0, findings: 0, durationMs: Date.now() - start });
+    return;
+  }
+  const { checks } = audit(targetDir, rules2, changedRanges);
+  let findings = 0;
+  for (const c of checks) {
+    if (c.result === "pass") continue;
+    findings++;
+    emit({
+      type: "finding",
+      ruleId: c.ruleId,
+      severity: c.severity,
+      result: c.result,
+      file: c.file,
+      line: c.line,
+      detail: c.detail,
+      ...c.fix ? { fix: c.fix } : {}
+    });
+  }
+  emit({ type: "scan_complete", filesChanged: changedRanges.size, findings, durationMs: Date.now() - start });
+}
+function startWatch(targetDir, opts = {}) {
+  const debounceMs = opts.debounceMs ?? 300;
+  const emit = opts.emit ?? ((e) => process.stdout.write(JSON.stringify(e) + "\n"));
+  const rules2 = resolveRules(targetDir);
+  let timer;
+  const scheduleScan = () => {
+    if (timer) clearTimeout(timer);
+    timer = setTimeout(() => runIncrementalScan(targetDir, rules2, emit), debounceMs);
+  };
+  const watcher = fsWatch(targetDir, { recursive: true }, (_event, filename) => {
+    if (!filename) return;
+    const parts = filename.split(/[\\/]/);
+    if (parts.some((p) => SKIP_DIRS.has(p))) return;
+    scheduleScan();
+  });
+  emit({ type: "watch_started", targetDir });
+  return {
+    close: () => {
+      if (timer) clearTimeout(timer);
+      watcher.close();
+    }
+  };
+}
+
+// src/fixers/applyDiff.ts
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync2 } from "fs";
+function parseDiff(diff) {
+  const lines = diff.split("\n");
+  const fileLine = lines.find((l) => l.startsWith("+++ b"));
+  if (!fileLine) throw new Error("parseDiff: no '+++ b<path>' line found");
+  const filePath = fileLine.slice("+++ b".length);
+  const hunkLine = lines.find((l) => l.startsWith("@@"));
+  if (!hunkLine) throw new Error("parseDiff: no hunk header found");
+  const m = hunkLine.match(/^@@ -(\d+),(\d+) \+\d+,\d+ @@/);
+  if (!m) throw new Error(`parseDiff: unrecognized hunk header '${hunkLine}'`);
+  const oldStart = Number(m[1]);
+  const oldCount = Number(m[2]);
+  const newLines = lines.filter((l) => l.startsWith("+") && !l.startsWith("+++")).map((l) => l.slice(1));
+  return { filePath, oldStart, oldCount, newLines };
+}
+function applyDiffToFile(diff) {
+  const { filePath, oldStart, oldCount, newLines } = parseDiff(diff);
+  const content = readFileSync7(filePath, "utf8");
+  const fileLines = content.split("\n");
+  const removedLines = diff.split("\n").filter((l) => l.startsWith("-") && !l.startsWith("---")).map((l) => l.slice(1));
+  const actual = fileLines.slice(oldStart - 1, oldStart - 1 + oldCount);
+  if (JSON.stringify(actual) !== JSON.stringify(removedLines)) return false;
+  fileLines.splice(oldStart - 1, oldCount, ...newLines);
+  writeFileSync2(filePath, fileLines.join("\n"));
+  return true;
+}
+
 export {
   findCandidates,
+  findConfigCandidates,
   runChecker,
   checkerKinds,
+  getChangedRanges,
+  getWorkingTreeChanges,
+  fileChanged,
+  rangeChanged,
   auditWithRule,
   audit,
   renderTest,
@@ -1808,5 +2182,9 @@ export {
   rentExemptMinimum,
   lamportsToSol,
   analyzeCosts,
-  renderCostReportMd
+  renderCostReportMd,
+  runIncrementalScan,
+  startWatch,
+  parseDiff,
+  applyDiffToFile
 };