brainblast 0.4.1 → 0.4.2

package/README.md

@@ -12,6 +12,8 @@ npx brainblast .            # scan the repo, write .agent-research/report.json
 npx brainblast . --ci       # exit 1 if a confirmed FAIL remains
 npx brainblast . --ci --strict   # also fail on CANT_TELL (can't statically prove)
 npx brainblast . --since origin/main   # diff-aware: only audit what changed
+npx brainblast fix .                   # dry run: list mechanical fixes
+npx brainblast fix . --apply           # write fixes, re-audit RED -> GREEN
 ```
 
 Exit codes: **0** clean · **1** a confirmed FAIL · CANT_TELL is a warning by
@@ -58,6 +60,22 @@ git work tree). This is the integration point for an agent daemon — tail
 stdout for structured findings instead of polling `.agent-research/report.json`.
 Exit with Ctrl-C / SIGTERM.
 
+### Auto-fix (`brainblast fix`)
+
+```sh
+npx brainblast fix .            # dry run: list available mechanical fixes
+npx brainblast fix . --apply    # write each fix.diff to disk, then re-audit
+npx brainblast fix . --apply --branch   # also commit to brainblast/auto-fix-<ts>
+```
+
+Every confirmed FAIL that ships a mechanical `fix.diff` (e.g. Stripe raw-body,
+Privy `audience`/`issuer`) can be applied directly. `--apply` writes each diff,
+then re-runs the audit to confirm the finding now passes (RED -> GREEN) — any
+fix that doesn't take is reported, not silently dropped. Findings with only a
+`suggestion` (structural fixes brainblast won't auto-synthesize) are listed as
+guidance, not applied. `--branch` additionally creates a new branch and commits
+the applied changes.
+
 ## What it catches
 
 ### Web2 / Node.js
@@ -81,6 +99,7 @@ Exit with Ctrl-C / SIGTERM.
 | Rule | What's wrong | Consequence |
 |------|--------------|-------------|
 | `env-secrets-committed` | A `.env*` file (not `.env.example`/`.sample`/`.template`) is tracked by git and contains a secret-shaped key (`SECRET`, `*_PRIVATE_KEY`, `*_API_KEY`, `*_TOKEN`, `*_PASSWORD`, etc.) with a real-looking (non-placeholder) value | Anyone with read access to the repo — including forks of a public repo — can read the live credential |
+| `env-secret-leaked-to-sink` | A secret-shaped `process.env.X` value (directly, via a local variable, or one hop through a same-file helper) is passed to `console.log`/`res.json`/`res.send`/etc. | Credentials end up in logs, error trackers, or API responses — readable by anyone with log/response access |
 
 Each finding lands in `.agent-research/report.json` (stable `schemaVersion: "1.0"`)
 with a `checks[]` array a CI gate can read. Each confirmed FAIL ships a
@@ -164,7 +183,7 @@ All types are exported: `Rule`, `CheckResult`, `CostReport`, `AccountFlow`,
 
 ```sh
 npm install
-npm test         # unit suite (164 tests)
+npm test         # unit suite (173 tests)
 npm run prove    # end-to-end: generated tests RED on vulnerable, GREEN on fixed
 npm run build    # produce dist/ (the published artifact)
 ```

package/dist/{chunk-P7K7NRVN.js → chunk-Q72MTJXQ.js}

@@ -487,6 +487,96 @@ var envSecretsCommitted = (c, p) => {
   return { result: "pass", detail: p.passDetail ?? "No committed secret-looking values found." };
 };
 
+// src/checkers/envTaintToSink.ts
+import { SyntaxKind as SyntaxKind7 } from "ts-morph";
+function calleeName(call) {
+  const exp = call.getExpression();
+  if (exp.getKind() === SyntaxKind7.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind7.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind7.PropertyAccessExpression).getName();
+  }
+  return "";
+}
+function envVarIn(text) {
+  const m = text.match(/process\.env\.([A-Za-z0-9_]+)/);
+  return m?.[1];
+}
+function wordIn(text, name) {
+  return new RegExp(`\\b${name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\b`).test(text);
+}
+function findDirectLeak(fn, sinkCalls, secretKeyRe, taintedNames) {
+  for (const call of fn.getDescendantsOfKind(SyntaxKind7.CallExpression)) {
+    const name = calleeName(call);
+    if (!sinkCalls.has(name)) continue;
+    for (const arg of call.getArguments()) {
+      const text = arg.getText();
+      const envVar = envVarIn(text);
+      if (envVar && secretKeyRe.test(envVar)) {
+        return `process.env.${envVar} is passed directly to ${name}(...) \u2014 secret values must not be logged or returned to clients.`;
+      }
+      for (const tv of taintedNames) {
+        if (wordIn(text, tv)) {
+          return `'${tv}' (holding a secret-shaped process.env value) is passed to ${name}(...) \u2014 secret values must not be logged or returned to clients.`;
+        }
+      }
+    }
+  }
+  return void 0;
+}
+var envTaintToSink = (c, p) => {
+  const sinkCalls = new Set(p.sinkCalls ?? []);
+  const secretKeyRe = new RegExp(p.secretKeyPattern, "i");
+  const fn = c.fn;
+  const taintedNames = /* @__PURE__ */ new Set();
+  for (const decl of fn.getDescendantsOfKind(SyntaxKind7.VariableDeclaration)) {
+    const init = decl.getInitializer();
+    if (!init) continue;
+    const envVar = envVarIn(init.getText());
+    if (envVar && secretKeyRe.test(envVar)) {
+      taintedNames.add(decl.getName());
+    }
+  }
+  const direct = findDirectLeak(fn, sinkCalls, secretKeyRe, taintedNames);
+  if (direct) return { result: "fail", detail: direct };
+  const sourceFile = fn.getSourceFile();
+  for (const call of fn.getDescendantsOfKind(SyntaxKind7.CallExpression)) {
+    const calleeExp = call.getExpression();
+    if (calleeExp.getKind() !== SyntaxKind7.Identifier) continue;
+    const calleeFnName = calleeExp.getText();
+    if (calleeFnName === (c.fnName ?? "")) continue;
+    const args = call.getArguments();
+    const taintedArgIndices = [];
+    args.forEach((arg, i) => {
+      const text = arg.getText();
+      const envVar = envVarIn(text);
+      if (envVar && secretKeyRe.test(envVar)) {
+        taintedArgIndices.push(i);
+        return;
+      }
+      for (const tv of taintedNames) {
+        if (wordIn(text, tv)) {
+          taintedArgIndices.push(i);
+          return;
+        }
+      }
+    });
+    if (taintedArgIndices.length === 0) continue;
+    const calleeFn = sourceFile.getFunction(calleeFnName);
+    if (!calleeFn) continue;
+    const params = calleeFn.getParameters().map((pr) => pr.getName());
+    const calleeTainted = new Set(taintedArgIndices.map((i) => params[i]).filter((x) => !!x));
+    if (calleeTainted.size === 0) continue;
+    const hop = findDirectLeak(calleeFn, sinkCalls, secretKeyRe, calleeTainted);
+    if (hop) {
+      return {
+        result: "fail",
+        detail: `A secret-shaped process.env value flows into '${calleeFnName}(...)' (called from '${c.fnName}'), where ${hop}`
+      };
+    }
+  }
+  return { result: "pass", detail: "No secret-shaped process.env value flows to a logging/response sink." };
+};
+
 // src/checkers/index.ts
 var registry = {
   "positional-arg-identity": positionalArgIdentity,
@@ -495,7 +585,8 @@ var registry = {
   "arg-equals-constant-identifier": argEqualsConstantIdentifier,
   "object-arg-property-literal-equals": objectArgPropertyLiteralEquals,
   "anchor-init-if-needed-guarded": anchorInitIfNeededGuarded,
-  "env-secrets-committed": envSecretsCommitted
+  "env-secrets-committed": envSecretsCommitted,
+  "env-taint-to-sink": envTaintToSink
 };
 function runChecker(kind, c, params) {
   const fn = registry[kind];
@@ -711,7 +802,7 @@ function findRustCandidates(targetDir, rule) {
 }
 
 // src/fixers/positionalArgIdentity.ts
-import { SyntaxKind as SyntaxKind7 } from "ts-morph";
+import { SyntaxKind as SyntaxKind8 } from "ts-morph";
 
 // src/fixers/diffUtil.ts
 function buildDiff(node, replacement) {
@@ -736,9 +827,9 @@ function buildDiff(node, replacement) {
 // src/fixers/positionalArgIdentity.ts
 var fixPositionalArgIdentity = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind7.CallExpression).filter((call) => {
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind8.CallExpression).filter((call) => {
     const exp = call.getExpression();
-    return exp.getKind() === SyntaxKind7.PropertyAccessExpression && exp.asKind(SyntaxKind7.PropertyAccessExpression).getName() === p.call;
+    return exp.getKind() === SyntaxKind8.PropertyAccessExpression && exp.asKind(SyntaxKind8.PropertyAccessExpression).getName() === p.call;
   });
   if (calls.length === 0) {
     const wantParam2 = c.params[p.paramIndex] ?? "<rawBodyParam>";
@@ -753,7 +844,7 @@ Do not call JSON.parse() on the body before this verification step.`
   }
   const arg = calls[0].getArguments()[p.argIndex];
   const wantParam = c.params[p.paramIndex];
-  if (arg && wantParam && arg.getKind() === SyntaxKind7.CallExpression) {
+  if (arg && wantParam && arg.getKind() === SyntaxKind8.CallExpression) {
     return {
       summary: `Pass the raw body parameter '${wantParam}' to ${p.call} instead of a parsed value`,
       diff: buildDiff(arg, wantParam)
@@ -763,12 +854,12 @@ Do not call JSON.parse() on the body before this verification step.`
 };
 
 // src/fixers/requiredCallWithOptions.ts
-import { SyntaxKind as SyntaxKind8 } from "ts-morph";
+import { SyntaxKind as SyntaxKind9 } from "ts-morph";
 function callName4(call) {
   const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind8.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind8.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind8.PropertyAccessExpression).getName();
+  if (exp.getKind() === SyntaxKind9.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind9.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind9.PropertyAccessExpression).getName();
   }
   return "";
 }
@@ -786,15 +877,15 @@ function placeholderFor(propName) {
 }
 var fixRequiredCallWithOptions = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind8.CallExpression);
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind9.CallExpression);
   const verify = calls.filter((x) => p.verifyCalls.includes(callName4(x)));
   if (verify.length > 0) {
     const call = verify[0];
     const args = call.getArguments();
     const lastArg = args[args.length - 1];
-    const obj = lastArg?.asKind(SyntaxKind8.ObjectLiteralExpression);
+    const obj = lastArg?.asKind(SyntaxKind9.ObjectLiteralExpression);
     const presentNames = obj ? obj.getProperties().map((pr) => {
-      const pa = pr.asKind(SyntaxKind8.PropertyAssignment) ?? pr.asKind(SyntaxKind8.ShorthandPropertyAssignment);
+      const pa = pr.asKind(SyntaxKind9.PropertyAssignment) ?? pr.asKind(SyntaxKind9.ShorthandPropertyAssignment);
       return pa?.getName() ?? "";
     }) : [];
     const missingGroups = p.requiredProps.filter(
@@ -1730,7 +1821,7 @@ function renderTrustGraphMd(g) {
 }
 
 // src/costAnalysis.ts
-import { Project as Project2, SyntaxKind as SyntaxKind9 } from "ts-morph";
+import { Project as Project2, SyntaxKind as SyntaxKind10 } from "ts-morph";
 var LAMPORTS_PER_BYTE_YEAR = 3480;
 var EXEMPTION_THRESHOLD = 2;
 var OVERHEAD_BYTES = 128;
@@ -1811,11 +1902,11 @@ var KNOWN_FLOWS = [
   }
 ];
 var LOOP_NODE_KINDS = /* @__PURE__ */ new Set([
-  SyntaxKind9.ForStatement,
-  SyntaxKind9.ForOfStatement,
-  SyntaxKind9.ForInStatement,
-  SyntaxKind9.WhileStatement,
-  SyntaxKind9.DoStatement
+  SyntaxKind10.ForStatement,
+  SyntaxKind10.ForOfStatement,
+  SyntaxKind10.ForInStatement,
+  SyntaxKind10.WhileStatement,
+  SyntaxKind10.DoStatement
 ]);
 var ARRAY_METHOD_LOOPS = /* @__PURE__ */ new Set(["map", "forEach", "flatMap", "reduce", "filter"]);
 function isInsideLoop(node) {
@@ -1823,12 +1914,12 @@ function isInsideLoop(node) {
   while (cur) {
     const k = cur.getKind?.();
     if (k !== void 0 && LOOP_NODE_KINDS.has(k)) {
-      return { scalable: true, note: `call is inside a ${SyntaxKind9[k]} \u2014 cost scales with loop iterations` };
+      return { scalable: true, note: `call is inside a ${SyntaxKind10[k]} \u2014 cost scales with loop iterations` };
     }
-    if (k === SyntaxKind9.CallExpression) {
+    if (k === SyntaxKind10.CallExpression) {
       const expr = cur.getExpression?.();
-      if (expr?.getKind?.() === SyntaxKind9.PropertyAccessExpression) {
-        const name = expr.asKind?.(SyntaxKind9.PropertyAccessExpression)?.getName?.();
+      if (expr?.getKind?.() === SyntaxKind10.PropertyAccessExpression) {
+        const name = expr.asKind?.(SyntaxKind10.PropertyAccessExpression)?.getName?.();
         if (name && ARRAY_METHOD_LOOPS.has(name)) {
           return { scalable: true, note: `call is inside .${name}() \u2014 cost scales with array length` };
         }
@@ -1842,7 +1933,7 @@ function detectPriorityFee(targetDir) {
   const project = new Project2({ skipAddingFilesFromTsConfig: true });
   for (const file of walk(targetDir)) {
     const sf = project.addSourceFileAtPath(file);
-    const calls = sf.getDescendantsOfKind(SyntaxKind9.CallExpression);
+    const calls = sf.getDescendantsOfKind(SyntaxKind10.CallExpression);
     for (const ce of calls) {
       const expr = ce.getExpression();
       const text = expr.getText();
@@ -1870,13 +1961,13 @@ function detectAccountFlows(targetDir) {
     const importedModules = new Set(
       sf.getImportDeclarations().map((d) => d.getModuleSpecifierValue())
     );
-    for (const ce of sf.getDescendantsOfKind(SyntaxKind9.CallExpression)) {
+    for (const ce of sf.getDescendantsOfKind(SyntaxKind10.CallExpression)) {
       const expr = ce.getExpression();
       let callName5 = null;
-      if (expr.getKind() === SyntaxKind9.Identifier) {
+      if (expr.getKind() === SyntaxKind10.Identifier) {
         callName5 = expr.getText();
-      } else if (expr.getKind() === SyntaxKind9.PropertyAccessExpression) {
-        callName5 = expr.asKind(SyntaxKind9.PropertyAccessExpression).getName();
+      } else if (expr.getKind() === SyntaxKind10.PropertyAccessExpression) {
+        callName5 = expr.asKind(SyntaxKind10.PropertyAccessExpression).getName();
       }
       if (!callName5) continue;
       const known = callIndex.get(callName5);
@@ -2029,6 +2120,34 @@ function startWatch(targetDir, opts = {}) {
   };
 }
 
+// src/fixers/applyDiff.ts
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync2 } from "fs";
+function parseDiff(diff) {
+  const lines = diff.split("\n");
+  const fileLine = lines.find((l) => l.startsWith("+++ b"));
+  if (!fileLine) throw new Error("parseDiff: no '+++ b<path>' line found");
+  const filePath = fileLine.slice("+++ b".length);
+  const hunkLine = lines.find((l) => l.startsWith("@@"));
+  if (!hunkLine) throw new Error("parseDiff: no hunk header found");
+  const m = hunkLine.match(/^@@ -(\d+),(\d+) \+\d+,\d+ @@/);
+  if (!m) throw new Error(`parseDiff: unrecognized hunk header '${hunkLine}'`);
+  const oldStart = Number(m[1]);
+  const oldCount = Number(m[2]);
+  const newLines = lines.filter((l) => l.startsWith("+") && !l.startsWith("+++")).map((l) => l.slice(1));
+  return { filePath, oldStart, oldCount, newLines };
+}
+function applyDiffToFile(diff) {
+  const { filePath, oldStart, oldCount, newLines } = parseDiff(diff);
+  const content = readFileSync7(filePath, "utf8");
+  const fileLines = content.split("\n");
+  const removedLines = diff.split("\n").filter((l) => l.startsWith("-") && !l.startsWith("---")).map((l) => l.slice(1));
+  const actual = fileLines.slice(oldStart - 1, oldStart - 1 + oldCount);
+  if (JSON.stringify(actual) !== JSON.stringify(removedLines)) return false;
+  fileLines.splice(oldStart - 1, oldCount, ...newLines);
+  writeFileSync2(filePath, fileLines.join("\n"));
+  return true;
+}
+
 export {
   findCandidates,
   findConfigCandidates,
@@ -2065,5 +2184,7 @@ export {
   analyzeCosts,
   renderCostReportMd,
   runIncrementalScan,
-  startWatch
+  startWatch,
+  parseDiff,
+  applyDiffToFile
 };

package/dist/cli.js

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 import {
   analyzeCosts,
+  applyDiffToFile,
   audit,
   buildTrustGraph,
   cacheSize,
@@ -8,11 +9,12 @@ import {
   getChangedRanges,
   isValidSolanaAddress,
   loadProgramCache,
+  parseDiff,
   renderCostReportMd,
   renderTrustGraphMd,
   resolveRules,
   startWatch
-} from "./chunk-P7K7NRVN.js";
+} from "./chunk-Q72MTJXQ.js";
 
 // src/cli.ts
 import { writeFileSync as writeFileSync2, mkdirSync as mkdirSync2 } from "fs";
@@ -90,6 +92,7 @@ function updateMemory(memory, checks2, now = /* @__PURE__ */ new Date()) {
 }
 
 // src/cli.ts
+import { execFileSync } from "child_process";
 var args = process.argv.slice(2);
 if (args[0] === "trust-graph") {
   await runTrustGraph(args.slice(1));
@@ -103,6 +106,10 @@ if (args[0] === "watch") {
   await new Promise(() => {
   });
 }
+if (args[0] === "fix") {
+  await runFix(args.slice(1));
+  process.exit(0);
+}
 var ci = args.includes("--ci");
 var strict = args.includes("--strict");
 var sinceIdx = args.indexOf("--since");
@@ -237,3 +244,78 @@ async function runTrustGraph(argv) {
     console.error(`  program-cache: ${count} entries  (${cp})`);
   }
 }
+async function runFix(argv) {
+  const apply = argv.includes("--apply");
+  const branch = argv.includes("--branch");
+  const targetDir2 = argv.find((a) => !a.startsWith("--")) ?? process.cwd();
+  const rules2 = resolveRules(targetDir2);
+  const { checks: before } = audit(targetDir2, rules2);
+  const fixable = before.filter((c) => c.result === "fail" && c.fix?.diff);
+  if (fixable.length === 0) {
+    console.log("brainblast fix: no mechanical fixes available (no FAIL ships a fix.diff).");
+    const others = before.filter((c) => c.result === "fail" && c.fix?.suggestion);
+    for (const c of others) {
+      console.log(`  [GUIDANCE] ${c.ruleId}  ${c.file}:${c.line}`);
+      console.log(`             ${c.fix.summary}`);
+    }
+    return;
+  }
+  console.log(`brainblast fix: ${fixable.length} mechanical fix(es) found.`);
+  for (const c of fixable) {
+    console.log(`  [${apply ? "APPLY" : "DRY-RUN"}] ${c.ruleId}  ${c.file}:${c.line} \u2014 ${c.fix.summary}`);
+  }
+  if (!apply) {
+    console.log("\nRe-run with --apply to write these changes to disk.");
+    return;
+  }
+  const byFile = /* @__PURE__ */ new Map();
+  for (const c of fixable) {
+    const file = parseDiff(c.fix.diff).filePath;
+    byFile.set(file, [...byFile.get(file) ?? [], c]);
+  }
+  let applied = 0;
+  let skipped = 0;
+  for (const [, group] of byFile) {
+    const sorted = [...group].sort((a, b) => parseDiff(b.fix.diff).oldStart - parseDiff(a.fix.diff).oldStart);
+    for (const c of sorted) {
+      const ok = applyDiffToFile(c.fix.diff);
+      if (ok) applied++;
+      else {
+        skipped++;
+        console.log(`  [SKIP] ${c.ruleId}  ${c.file}:${c.line} \u2014 file no longer matches the fix's expected range`);
+      }
+    }
+  }
+  console.log(`
+Applied ${applied} fix(es)${skipped ? `, skipped ${skipped}` : ""}.`);
+  const { checks: after } = audit(targetDir2, rules2);
+  const stillFailing = fixable.filter((c) => {
+    const a = after.find((x) => x.ruleId === c.ruleId && x.file === c.file && x.exportName === c.exportName);
+    return a?.result === "fail";
+  });
+  if (stillFailing.length > 0) {
+    console.log(`
+Warning: ${stillFailing.length} fix(es) applied but the rule still fails:`);
+    for (const c of stillFailing) console.log(`  ${c.ruleId}  ${c.file}:${c.line}`);
+  } else if (applied > 0) {
+    console.log("All applied fixes now pass (or cant_tell) on re-audit. \u2713");
+  }
+  if (branch && applied > 0) {
+    const ts = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+    const branchName = `brainblast/auto-fix-${ts}`;
+    try {
+      execFileSync("git", ["checkout", "-b", branchName], { cwd: targetDir2, stdio: "ignore" });
+      execFileSync("git", ["add", "-A"], { cwd: targetDir2, stdio: "ignore" });
+      execFileSync(
+        "git",
+        ["commit", "-q", "-m", `brainblast fix: apply ${applied} mechanical fix(es)`],
+        { cwd: targetDir2, stdio: "ignore" }
+      );
+      console.log(`
+Committed to new branch '${branchName}'.`);
+    } catch (e) {
+      console.error(`
+Warning: could not create branch/commit: ${e.message ?? e}`);
+    }
+  }
+}

package/dist/index.d.ts

@@ -276,6 +276,15 @@ declare function startWatch(targetDir: string, opts?: WatchOptions): {
     close: () => void;
 };
 
+interface ParsedDiff {
+    filePath: string;
+    oldStart: number;
+    oldCount: number;
+    newLines: string[];
+}
+declare function parseDiff(diff: string): ParsedDiff;
+declare function applyDiffToFile(diff: string): boolean;
+
 type UpgradeAuthorityKind = "renounced" | "single-key" | "multisig" | "dao" | "unknown";
 type UpgradeAuthoritySource = "directory" | "rpc" | "research";
 interface UpgradeAuthority {
@@ -405,4 +414,4 @@ declare function isEntryExpired(entry: ProgramCacheEntry, ttlHoursOverride?: num
  */
 declare function cacheSize(cache: ProgramCache, ttlHoursOverride?: number): number;
 
-export { type AccountFlow, type AuditRef, type BuildOpts, type Candidate, type ChangedRanges, type CheckOutcome, type CheckResult, type CheckResultKind, type Checker, type ConfigCandidate, type ConfigChecker, type CostReport, DEFAULT_TTL_HOURS, type OnChainProgram, type ParityNote, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type Rule, type RustAccountField, type RustCandidate, type RustChecker, type Severity, type TrustGraph, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, type WatchEvent, type WatchOptions, analyzeCosts, audit, auditWithRule, base58Decode, base58Encode, buildTrustGraph, rules as bundledRules, cacheSize, checkerKinds, defaultCachePath, fileChanged, findCandidates, findConfigCandidates, generateTestForResult, getCacheEntry, getCacheEntryMeta, getChangedRanges, getWorkingTreeChanges, isEntryExpired, isValidSolanaAddress, lamportsToSol, loadDirectory, loadProgramCache, loadRules, putCacheEntry, rangeChanged, renderCostReportMd, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, runChecker, runIncrementalScan, saveProgramCache, startWatch, testKinds };
+export { type AccountFlow, type AuditRef, type BuildOpts, type Candidate, type ChangedRanges, type CheckOutcome, type CheckResult, type CheckResultKind, type Checker, type ConfigCandidate, type ConfigChecker, type CostReport, DEFAULT_TTL_HOURS, type OnChainProgram, type ParityNote, type ParsedDiff, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type Rule, type RustAccountField, type RustCandidate, type RustChecker, type Severity, type TrustGraph, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, type WatchEvent, type WatchOptions, analyzeCosts, applyDiffToFile, audit, auditWithRule, base58Decode, base58Encode, buildTrustGraph, rules as bundledRules, cacheSize, checkerKinds, defaultCachePath, fileChanged, findCandidates, findConfigCandidates, generateTestForResult, getCacheEntry, getCacheEntryMeta, getChangedRanges, getWorkingTreeChanges, isEntryExpired, isValidSolanaAddress, lamportsToSol, loadDirectory, loadProgramCache, loadRules, parseDiff, putCacheEntry, rangeChanged, renderCostReportMd, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, runChecker, runIncrementalScan, saveProgramCache, startWatch, testKinds };

package/dist/index.js

@@ -1,6 +1,7 @@
 import {
   DEFAULT_TTL_HOURS,
   analyzeCosts,
+  applyDiffToFile,
   audit,
   auditWithRule,
   base58Decode,
@@ -22,6 +23,7 @@ import {
   loadDirectory,
   loadProgramCache,
   loadRules,
+  parseDiff,
   putCacheEntry,
   rangeChanged,
   renderCostReportMd,
@@ -35,7 +37,7 @@ import {
   saveProgramCache,
   startWatch,
   testKinds
-} from "./chunk-P7K7NRVN.js";
+} from "./chunk-Q72MTJXQ.js";
 
 // src/generate.ts
 import { writeFileSync, mkdirSync } from "fs";
@@ -53,6 +55,7 @@ function generateTestForResult(result, rule, outPath) {
 export {
   DEFAULT_TTL_HOURS,
   analyzeCosts,
+  applyDiffToFile,
   audit,
   auditWithRule,
   base58Decode,
@@ -76,6 +79,7 @@ export {
   loadDirectory,
   loadProgramCache,
   loadRules,
+  parseDiff,
   putCacheEntry,
   rangeChanged,
   renderCostReportMd,

package/dist/rules/env-secret-leaked-to-sink.yaml

@@ -0,0 +1,43 @@
+# Pure-data rule (facts). Binds to vetted templates by `check.kind`/`test.kind`.
+id: env-secret-leaked-to-sink
+severity: high
+title: Secret-shaped environment value flows to a logging/response sink
+component:
+  name: Environment configuration
+  type: Config
+  version: unversioned
+  sourceUrl: https://12factor.net/config
+detect:
+  lang: typescript
+  modules: []
+  # Never matches by name alone — only the triggerCalls (sink calls) below
+  # select candidates. Keeps this from firing on every function in a repo.
+  nameRegex: "(?!)"
+  triggerCalls:
+    - log
+    - error
+    - warn
+    - info
+    - debug
+    - json
+    - send
+    - write
+    - end
+  requiresImport: false
+check:
+  kind: env-taint-to-sink
+  params:
+    sinkCalls:
+      - log
+      - error
+      - warn
+      - info
+      - debug
+      - json
+      - send
+      - write
+      - end
+    # Key names that typically hold credentials/secrets.
+    secretKeyPattern: "(SECRET|PRIVATE_KEY|API_KEY|ACCESS_KEY|TOKEN|PASSWORD|CREDENTIAL)"
+test:
+  kind: none

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "brainblast",
-  "version": "0.4.1",
+  "version": "0.4.2",
   "type": "module",
   "description": "Deterministic auditor for catastrophic AI-integration bugs: scan a repo, find the silent money/auth traps, and generate the behavioral test that proves they're fixed.",
   "keywords": [