brainblast 0.4.0 → 0.4.2

package/dist/cli.js

@@ -1,16 +1,20 @@
 #!/usr/bin/env node
 import {
   analyzeCosts,
+  applyDiffToFile,
   audit,
   buildTrustGraph,
   cacheSize,
   defaultCachePath,
+  getChangedRanges,
   isValidSolanaAddress,
   loadProgramCache,
+  parseDiff,
   renderCostReportMd,
   renderTrustGraphMd,
-  resolveRules
-} from "./chunk-WVHGN2HR.js";
+  resolveRules,
+  startWatch
+} from "./chunk-Q72MTJXQ.js";
 
 // src/cli.ts
 import { writeFileSync as writeFileSync2, mkdirSync as mkdirSync2 } from "fs";
@@ -37,16 +41,16 @@ function loadMemory(targetDir2) {
     return { ...EMPTY_MEMORY, lastRun: [], fixHistory: [] };
   }
 }
-function saveMemory(targetDir2, memory2) {
+function saveMemory(targetDir2, memory) {
   mkdirSync(join(targetDir2, ".agent-research"), { recursive: true });
-  writeFileSync(memoryPath(targetDir2), JSON.stringify(memory2, null, 2));
+  writeFileSync(memoryPath(targetDir2), JSON.stringify(memory, null, 2));
 }
 var snapshotKey = (e) => `${e.ruleId}::${e.file}::${e.exportName}`;
 function precedentKey(c) {
   return `${c.ruleId}::${c.file}`;
 }
-function updateMemory(memory2, checks2, now = /* @__PURE__ */ new Date()) {
-  const prevByKey = new Map(memory2.lastRun.map((e) => [snapshotKey(e), e]));
+function updateMemory(memory, checks2, now = /* @__PURE__ */ new Date()) {
+  const prevByKey = new Map(memory.lastRun.map((e) => [snapshotKey(e), e]));
   const fixedAt = now.toISOString().slice(0, 10);
   const newFixEvents = [];
   for (const c of checks2) {
@@ -61,15 +65,15 @@ function updateMemory(memory2, checks2, now = /* @__PURE__ */ new Date()) {
       });
     }
   }
-  const fixHistory = [...memory2.fixHistory, ...newFixEvents];
-  const precedents2 = /* @__PURE__ */ new Map();
+  const fixHistory = [...memory.fixHistory, ...newFixEvents];
+  const precedents = /* @__PURE__ */ new Map();
   for (const c of checks2) {
     if (c.result !== "fail") continue;
     const pk = precedentKey(c);
-    if (precedents2.has(pk)) continue;
+    if (precedents.has(pk)) continue;
     const matches = fixHistory.filter((e) => e.ruleId === c.ruleId && e.file !== c.file).sort((a, b) => a.fixedAt < b.fixedAt ? 1 : a.fixedAt > b.fixedAt ? -1 : 0);
     if (matches[0]) {
-      precedents2.set(pk, {
+      precedents.set(pk, {
         file: matches[0].file,
         exportName: matches[0].exportName,
         fixedAt: matches[0].fixedAt,
@@ -84,31 +88,72 @@ function updateMemory(memory2, checks2, now = /* @__PURE__ */ new Date()) {
     result: c.result,
     detail: c.detail
   }));
-  return { memory: { schemaVersion: "1.0", lastRun, fixHistory }, precedents: precedents2 };
+  return { memory: { schemaVersion: "1.0", lastRun, fixHistory }, precedents };
 }
 
 // src/cli.ts
+import { execFileSync } from "child_process";
 var args = process.argv.slice(2);
 if (args[0] === "trust-graph") {
   await runTrustGraph(args.slice(1));
   process.exit(0);
 }
+if (args[0] === "watch") {
+  const watchDir = args.find((a, i) => i > 0 && !a.startsWith("--")) ?? process.cwd();
+  startWatch(watchDir);
+  process.on("SIGINT", () => process.exit(0));
+  process.on("SIGTERM", () => process.exit(0));
+  await new Promise(() => {
+  });
+}
+if (args[0] === "fix") {
+  await runFix(args.slice(1));
+  process.exit(0);
+}
 var ci = args.includes("--ci");
 var strict = args.includes("--strict");
-var targetDir = args.find((a) => !a.startsWith("--")) ?? process.cwd();
+var sinceIdx = args.indexOf("--since");
+var since = sinceIdx >= 0 ? args[sinceIdx + 1] : void 0;
+var targetDir = args.find((a, i) => !a.startsWith("--") && args[i - 1] !== "--since") ?? process.cwd();
+if (sinceIdx >= 0 && !since) {
+  console.error("error: --since requires a <ref> argument, e.g. --since origin/main");
+  process.exit(2);
+}
 var rules = resolveRules(targetDir);
-var { checks, report } = audit(targetDir, rules);
-var memory = loadMemory(targetDir);
-var { memory: nextMemory, precedents } = updateMemory(memory, checks);
-for (const c of checks) {
-  const p = precedents.get(precedentKey(c));
-  if (p) c.precedent = p;
+var changedRanges;
+if (since) {
+  try {
+    changedRanges = getChangedRanges(targetDir, since);
+  } catch (e) {
+    console.error(e.message ?? String(e));
+    process.exit(2);
+  }
 }
-for (const rc of report.checks) {
-  const p = precedents.get(precedentKey(rc));
-  if (p) rc.precedent = p;
+var { checks, report } = audit(targetDir, rules, changedRanges);
+if (!changedRanges) {
+  const memory = loadMemory(targetDir);
+  const { memory: nextMemory, precedents } = updateMemory(memory, checks);
+  for (const c of checks) {
+    const p = precedents.get(precedentKey(c));
+    if (p) c.precedent = p;
+  }
+  for (const rc of report.checks) {
+    const p = precedents.get(precedentKey(rc));
+    if (p) rc.precedent = p;
+  }
+  saveMemory(targetDir, nextMemory);
+} else {
+  const memory = loadMemory(targetDir);
+  const { precedents } = updateMemory(memory, checks);
+  for (const c of checks) {
+    const p = precedents.get(precedentKey(c));
+    if (p) c.precedent = p;
+  }
+  for (const rc of report.checks) {
+    const p = precedents.get(precedentKey(rc));
+    if (p) rc.precedent = p;
+  }
 }
-saveMemory(targetDir, nextMemory);
 var costReport = analyzeCosts(targetDir);
 report.costAnalysis = costReport;
 var outDir = join2(targetDir, ".agent-research");
@@ -199,3 +244,78 @@ async function runTrustGraph(argv) {
     console.error(`  program-cache: ${count} entries  (${cp})`);
   }
 }
+async function runFix(argv) {
+  const apply = argv.includes("--apply");
+  const branch = argv.includes("--branch");
+  const targetDir2 = argv.find((a) => !a.startsWith("--")) ?? process.cwd();
+  const rules2 = resolveRules(targetDir2);
+  const { checks: before } = audit(targetDir2, rules2);
+  const fixable = before.filter((c) => c.result === "fail" && c.fix?.diff);
+  if (fixable.length === 0) {
+    console.log("brainblast fix: no mechanical fixes available (no FAIL ships a fix.diff).");
+    const others = before.filter((c) => c.result === "fail" && c.fix?.suggestion);
+    for (const c of others) {
+      console.log(`  [GUIDANCE] ${c.ruleId}  ${c.file}:${c.line}`);
+      console.log(`             ${c.fix.summary}`);
+    }
+    return;
+  }
+  console.log(`brainblast fix: ${fixable.length} mechanical fix(es) found.`);
+  for (const c of fixable) {
+    console.log(`  [${apply ? "APPLY" : "DRY-RUN"}] ${c.ruleId}  ${c.file}:${c.line} \u2014 ${c.fix.summary}`);
+  }
+  if (!apply) {
+    console.log("\nRe-run with --apply to write these changes to disk.");
+    return;
+  }
+  const byFile = /* @__PURE__ */ new Map();
+  for (const c of fixable) {
+    const file = parseDiff(c.fix.diff).filePath;
+    byFile.set(file, [...byFile.get(file) ?? [], c]);
+  }
+  let applied = 0;
+  let skipped = 0;
+  for (const [, group] of byFile) {
+    const sorted = [...group].sort((a, b) => parseDiff(b.fix.diff).oldStart - parseDiff(a.fix.diff).oldStart);
+    for (const c of sorted) {
+      const ok = applyDiffToFile(c.fix.diff);
+      if (ok) applied++;
+      else {
+        skipped++;
+        console.log(`  [SKIP] ${c.ruleId}  ${c.file}:${c.line} \u2014 file no longer matches the fix's expected range`);
+      }
+    }
+  }
+  console.log(`
+Applied ${applied} fix(es)${skipped ? `, skipped ${skipped}` : ""}.`);
+  const { checks: after } = audit(targetDir2, rules2);
+  const stillFailing = fixable.filter((c) => {
+    const a = after.find((x) => x.ruleId === c.ruleId && x.file === c.file && x.exportName === c.exportName);
+    return a?.result === "fail";
+  });
+  if (stillFailing.length > 0) {
+    console.log(`
+Warning: ${stillFailing.length} fix(es) applied but the rule still fails:`);
+    for (const c of stillFailing) console.log(`  ${c.ruleId}  ${c.file}:${c.line}`);
+  } else if (applied > 0) {
+    console.log("All applied fixes now pass (or cant_tell) on re-audit. \u2713");
+  }
+  if (branch && applied > 0) {
+    const ts = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+    const branchName = `brainblast/auto-fix-${ts}`;
+    try {
+      execFileSync("git", ["checkout", "-b", branchName], { cwd: targetDir2, stdio: "ignore" });
+      execFileSync("git", ["add", "-A"], { cwd: targetDir2, stdio: "ignore" });
+      execFileSync(
+        "git",
+        ["commit", "-q", "-m", `brainblast fix: apply ${applied} mechanical fix(es)`],
+        { cwd: targetDir2, stdio: "ignore" }
+      );
+      console.log(`
+Committed to new branch '${branchName}'.`);
+    } catch (e) {
+      console.error(`
+Warning: could not create branch/commit: ${e.message ?? e}`);
+    }
+  }
+}

package/dist/index.d.ts

@@ -74,6 +74,14 @@ interface RustCandidate {
     /** tree-sitter SyntaxNode for the function body — available for precise queries */
     fnBodyNode: any;
 }
+interface ConfigCandidate {
+    /** Source file (absolute path) */
+    filePath: string;
+    /** Raw file contents */
+    content: string;
+    /** Whether this file is tracked by git / not covered by .gitignore */
+    tracked: boolean;
+}
 interface CheckOutcome {
     result: CheckResultKind;
     detail: string;
@@ -115,8 +123,17 @@ interface Rule {
         modules: string[];
         nameRegex: string;
         triggerCalls: string[];
-        /** Defaults to "typescript". Set to "rust" for Anchor/Rust checker kinds. */
-        lang?: "typescript" | "rust";
+        /**
+         * Defaults to "typescript". Set to "rust" for Anchor/Rust checker kinds,
+         * or "config" for whole-file config/env audits (see `filePatterns`).
+         */
+        lang?: "typescript" | "rust" | "config";
+        /**
+         * Required when `lang: "config"`. Regexes (matched against the file path
+         * relative to the scan root) selecting which files this rule audits,
+         * e.g. `["(^|/)\\.env(\\.[^/]+)?$"]`. Ignored for "typescript"/"rust".
+         */
+        filePatterns?: string[];
         /**
          * When true, a module import from `modules` is a REQUIRED condition for
          * detection: a candidate must be in a file that imports one of the listed
@@ -140,9 +157,18 @@ interface Rule {
         params?: Record<string, any>;
     };
 }
+type Checker = (candidate: Candidate, params: any) => CheckOutcome;
+type RustChecker = (candidate: RustCandidate, params: any) => CheckOutcome;
+type ConfigChecker = (candidate: ConfigCandidate, params: any) => CheckOutcome;
 
-declare function auditWithRule(targetDir: string, rule: Rule): CheckResult[];
-declare function audit(targetDir: string, rules: Rule[]): {
+type ChangedRanges = Map<string, Array<[number, number]>>;
+declare function getChangedRanges(targetDir: string, ref: string): ChangedRanges;
+declare function getWorkingTreeChanges(targetDir: string): ChangedRanges;
+declare function fileChanged(ranges: ChangedRanges, file: string): boolean;
+declare function rangeChanged(ranges: ChangedRanges, file: string, startLine: number, endLine: number): boolean;
+
+declare function auditWithRule(targetDir: string, rule: Rule, changedRanges?: ChangedRanges): CheckResult[];
+declare function audit(targetDir: string, rules: Rule[], changedRanges?: ChangedRanges): {
     checks: CheckResult[];
     report: {
         schemaVersion: string;
@@ -213,11 +239,52 @@ declare function renderTest(kind: string, opts: {
 }): string;
 declare const testKinds: string[];
 
-declare function runChecker(kind: string, c: Candidate | RustCandidate, params: any): CheckOutcome;
+declare function runChecker(kind: string, c: Candidate | RustCandidate | ConfigCandidate, params: any): CheckOutcome;
 declare const checkerKinds: string[];
 
 declare function findCandidates(targetDir: string, rule: Rule): Candidate[];
 
+declare function findConfigCandidates(targetDir: string, rule: Rule): ConfigCandidate[];
+
+type WatchEvent = {
+    type: "watch_started";
+    targetDir: string;
+} | {
+    type: "scan_error";
+    message: string;
+} | {
+    type: "finding";
+    ruleId: string;
+    severity: string;
+    result: "fail" | "cant_tell";
+    file: string;
+    line: number;
+    detail: string;
+    fix?: unknown;
+} | {
+    type: "scan_complete";
+    filesChanged: number;
+    findings: number;
+    durationMs: number;
+};
+interface WatchOptions {
+    debounceMs?: number;
+    emit?: (event: WatchEvent) => void;
+}
+declare function runIncrementalScan(targetDir: string, rules: Rule[], emit: (e: WatchEvent) => void): void;
+declare function startWatch(targetDir: string, opts?: WatchOptions): {
+    close: () => void;
+};
+
+interface ParsedDiff {
+    filePath: string;
+    oldStart: number;
+    oldCount: number;
+    newLines: string[];
+}
+declare function parseDiff(diff: string): ParsedDiff;
+declare function applyDiffToFile(diff: string): boolean;
+
 type UpgradeAuthorityKind = "renounced" | "single-key" | "multisig" | "dao" | "unknown";
 type UpgradeAuthoritySource = "directory" | "rpc" | "research";
 interface UpgradeAuthority {
@@ -347,4 +414,4 @@ declare function isEntryExpired(entry: ProgramCacheEntry, ttlHoursOverride?: num
  */
 declare function cacheSize(cache: ProgramCache, ttlHoursOverride?: number): number;
 
-export { type AccountFlow, type AuditRef, type BuildOpts, type Candidate, type CheckOutcome, type CheckResult, type CheckResultKind, type CostReport, DEFAULT_TTL_HOURS, type OnChainProgram, type ParityNote, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type Rule, type RustAccountField, type RustCandidate, type Severity, type TrustGraph, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, analyzeCosts, audit, auditWithRule, base58Decode, base58Encode, buildTrustGraph, rules as bundledRules, cacheSize, checkerKinds, defaultCachePath, findCandidates, generateTestForResult, getCacheEntry, getCacheEntryMeta, isEntryExpired, isValidSolanaAddress, lamportsToSol, loadDirectory, loadProgramCache, loadRules, putCacheEntry, renderCostReportMd, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, runChecker, saveProgramCache, testKinds };
+export { type AccountFlow, type AuditRef, type BuildOpts, type Candidate, type ChangedRanges, type CheckOutcome, type CheckResult, type CheckResultKind, type Checker, type ConfigCandidate, type ConfigChecker, type CostReport, DEFAULT_TTL_HOURS, type OnChainProgram, type ParityNote, type ParsedDiff, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type Rule, type RustAccountField, type RustCandidate, type RustChecker, type Severity, type TrustGraph, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, type WatchEvent, type WatchOptions, analyzeCosts, applyDiffToFile, audit, auditWithRule, base58Decode, base58Encode, buildTrustGraph, rules as bundledRules, cacheSize, checkerKinds, defaultCachePath, fileChanged, findCandidates, findConfigCandidates, generateTestForResult, getCacheEntry, getCacheEntryMeta, getChangedRanges, getWorkingTreeChanges, isEntryExpired, isValidSolanaAddress, lamportsToSol, loadDirectory, loadProgramCache, loadRules, parseDiff, putCacheEntry, rangeChanged, renderCostReportMd, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, runChecker, runIncrementalScan, saveProgramCache, startWatch, testKinds };

package/dist/index.js

@@ -1,6 +1,7 @@
 import {
   DEFAULT_TTL_HOURS,
   analyzeCosts,
+  applyDiffToFile,
   audit,
   auditWithRule,
   base58Decode,
@@ -9,16 +10,22 @@ import {
   cacheSize,
   checkerKinds,
   defaultCachePath,
+  fileChanged,
   findCandidates,
+  findConfigCandidates,
   getCacheEntry,
   getCacheEntryMeta,
+  getChangedRanges,
+  getWorkingTreeChanges,
   isEntryExpired,
   isValidSolanaAddress,
   lamportsToSol,
   loadDirectory,
   loadProgramCache,
   loadRules,
+  parseDiff,
   putCacheEntry,
+  rangeChanged,
   renderCostReportMd,
   renderTest,
   renderTrustGraphMd,
@@ -26,9 +33,11 @@ import {
   resolveRules,
   rules,
   runChecker,
+  runIncrementalScan,
   saveProgramCache,
+  startWatch,
   testKinds
-} from "./chunk-WVHGN2HR.js";
+} from "./chunk-Q72MTJXQ.js";
 
 // src/generate.ts
 import { writeFileSync, mkdirSync } from "fs";
@@ -46,6 +55,7 @@ function generateTestForResult(result, rule, outPath) {
 export {
   DEFAULT_TTL_HOURS,
   analyzeCosts,
+  applyDiffToFile,
   audit,
   auditWithRule,
   base58Decode,
@@ -55,23 +65,31 @@ export {
   cacheSize,
   checkerKinds,
   defaultCachePath,
+  fileChanged,
   findCandidates,
+  findConfigCandidates,
   generateTestForResult,
   getCacheEntry,
   getCacheEntryMeta,
+  getChangedRanges,
+  getWorkingTreeChanges,
   isEntryExpired,
   isValidSolanaAddress,
   lamportsToSol,
   loadDirectory,
   loadProgramCache,
   loadRules,
+  parseDiff,
   putCacheEntry,
+  rangeChanged,
   renderCostReportMd,
   renderTest,
   renderTrustGraphMd,
   rentExemptMinimum,
   resolveRules,
   runChecker,
+  runIncrementalScan,
   saveProgramCache,
+  startWatch,
   testKinds
 };

package/dist/rules/env-secret-leaked-to-sink.yaml

@@ -0,0 +1,43 @@
+# Pure-data rule (facts). Binds to vetted templates by `check.kind`/`test.kind`.
+id: env-secret-leaked-to-sink
+severity: high
+title: Secret-shaped environment value flows to a logging/response sink
+component:
+  name: Environment configuration
+  type: Config
+  version: unversioned
+  sourceUrl: https://12factor.net/config
+detect:
+  lang: typescript
+  modules: []
+  # Never matches by name alone — only the triggerCalls (sink calls) below
+  # select candidates. Keeps this from firing on every function in a repo.
+  nameRegex: "(?!)"
+  triggerCalls:
+    - log
+    - error
+    - warn
+    - info
+    - debug
+    - json
+    - send
+    - write
+    - end
+  requiresImport: false
+check:
+  kind: env-taint-to-sink
+  params:
+    sinkCalls:
+      - log
+      - error
+      - warn
+      - info
+      - debug
+      - json
+      - send
+      - write
+      - end
+    # Key names that typically hold credentials/secrets.
+    secretKeyPattern: "(SECRET|PRIVATE_KEY|API_KEY|ACCESS_KEY|TOKEN|PASSWORD|CREDENTIAL)"
+test:
+  kind: none

package/dist/rules/env-secrets-committed.yaml

@@ -0,0 +1,32 @@
+# Pure-data rule (facts). Binds to vetted templates by `check.kind`/`test.kind`.
+id: env-secrets-committed
+severity: critical
+title: Secret-looking values are not committed to source control
+component:
+  name: Environment configuration
+  type: Config
+  version: unversioned
+  sourceUrl: https://12factor.net/config
+detect:
+  lang: config
+  # .env, .env.local, .env.production, etc. — but not .env.example/.sample/.template,
+  # which are meant to be committed and document expected keys with placeholders.
+  filePatterns:
+    - "(^|/)\\.env(\\.(?!example$|sample$|template$)[^/]+)?$"
+check:
+  kind: env-secrets-committed
+  params:
+    # Key names that typically hold credentials/secrets.
+    secretKeyPattern: "(SECRET|PRIVATE_KEY|API_KEY|ACCESS_KEY|TOKEN|PASSWORD|CREDENTIAL)"
+    # Values that look like placeholders, not real secrets — these are fine to commit.
+    placeholderPattern: "^(your[_-]|xxx|changeme|change[_-]?me|replace|example|<|sk_test_|pk_test_|test[_-]|dummy|placeholder|\\*+$|\\.\\.\\.$)"
+    ignoredDetail: >-
+      File is git-ignored and not committed to source control.
+    passDetail: >-
+      File is tracked but contains no secret-looking values (placeholders only).
+    failDetailPrefix: >-
+      This file is committed to source control and contains what look like real
+      secret values. Anyone with read access to the repo (including forks) can
+      read these credentials
+test:
+  kind: none

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "brainblast",
-  "version": "0.4.0",
+  "version": "0.4.2",
   "type": "module",
   "description": "Deterministic auditor for catastrophic AI-integration bugs: scan a repo, find the silent money/auth traps, and generate the behavioral test that proves they're fixed.",
   "keywords": [