brainblast 0.5.0 → 0.5.2

package/dist/{chunk-5LJXC66F.js → chunk-EYFKA33G.js}

@@ -662,6 +662,44 @@ var taintToSink = (c, p) => {
   return { result: "pass", detail: "No tracked source value flows to a sink within the analyzed call graph." };
 };
 
+// src/checkers/literalMultiplierWrongConstant.ts
+import { SyntaxKind as SyntaxKind8 } from "ts-morph";
+function callName4(call) {
+  const exp = call.getExpression();
+  if (exp.getKind() === SyntaxKind8.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind8.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind8.PropertyAccessExpression).getName();
+  }
+  return "";
+}
+function containsIdentifier(node, name) {
+  if (node.getKind() === SyntaxKind8.Identifier && node.getText() === name) return true;
+  return node.getDescendantsOfKind(SyntaxKind8.Identifier).some((id) => id.getText() === name);
+}
+var literalMultiplierWrongConstant = (c, p) => {
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind8.CallExpression).filter((x) => callName4(x) === p.call);
+  if (calls.length === 0) {
+    return { result: "cant_tell", detail: p.absentCallDetail };
+  }
+  const arg = calls[0].getArguments()[p.argIndex];
+  if (!arg) {
+    return { result: "cant_tell", detail: p.absentCallDetail };
+  }
+  const forbidden = Array.isArray(p.forbiddenIdentifiers) ? p.forbiddenIdentifiers : [];
+  for (const name of forbidden) {
+    if (containsIdentifier(arg, name)) {
+      return { result: "fail", detail: String(p.failDetail).replace("{got}", name) };
+    }
+  }
+  const expected = Array.isArray(p.expectedIdentifiers) ? p.expectedIdentifiers : [];
+  for (const name of expected) {
+    if (containsIdentifier(arg, name)) {
+      return { result: "pass", detail: String(p.passDetail) };
+    }
+  }
+  return { result: "cant_tell", detail: p.cantTellDetail };
+};
+
 // src/checkers/index.ts
 var registry = {
   "positional-arg-identity": positionalArgIdentity,
@@ -671,7 +709,8 @@ var registry = {
   "object-arg-property-literal-equals": objectArgPropertyLiteralEquals,
   "anchor-init-if-needed-guarded": anchorInitIfNeededGuarded,
   "env-secrets-committed": envSecretsCommitted,
-  "taint-to-sink": taintToSink
+  "taint-to-sink": taintToSink,
+  "literal-multiplier-wrong-constant": literalMultiplierWrongConstant
 };
 function runChecker(kind, c, params) {
   const fn = registry[kind];
@@ -887,7 +926,7 @@ function findRustCandidates(targetDir, rule) {
 }
 
 // src/fixers/positionalArgIdentity.ts
-import { SyntaxKind as SyntaxKind8 } from "ts-morph";
+import { SyntaxKind as SyntaxKind9 } from "ts-morph";
 
 // src/fixers/diffUtil.ts
 function buildDiff(node, replacement) {
@@ -912,9 +951,9 @@ function buildDiff(node, replacement) {
 // src/fixers/positionalArgIdentity.ts
 var fixPositionalArgIdentity = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind8.CallExpression).filter((call) => {
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind9.CallExpression).filter((call) => {
     const exp = call.getExpression();
-    return exp.getKind() === SyntaxKind8.PropertyAccessExpression && exp.asKind(SyntaxKind8.PropertyAccessExpression).getName() === p.call;
+    return exp.getKind() === SyntaxKind9.PropertyAccessExpression && exp.asKind(SyntaxKind9.PropertyAccessExpression).getName() === p.call;
   });
   if (calls.length === 0) {
     const wantParam2 = c.params[p.paramIndex] ?? "<rawBodyParam>";
@@ -929,7 +968,7 @@ Do not call JSON.parse() on the body before this verification step.`
   }
   const arg = calls[0].getArguments()[p.argIndex];
   const wantParam = c.params[p.paramIndex];
-  if (arg && wantParam && arg.getKind() === SyntaxKind8.CallExpression) {
+  if (arg && wantParam && arg.getKind() === SyntaxKind9.CallExpression) {
     return {
       summary: `Pass the raw body parameter '${wantParam}' to ${p.call} instead of a parsed value`,
       diff: buildDiff(arg, wantParam)
@@ -939,12 +978,12 @@ Do not call JSON.parse() on the body before this verification step.`
 };
 
 // src/fixers/requiredCallWithOptions.ts
-import { SyntaxKind as SyntaxKind9 } from "ts-morph";
-function callName4(call) {
+import { SyntaxKind as SyntaxKind10 } from "ts-morph";
+function callName5(call) {
   const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind9.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind9.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind9.PropertyAccessExpression).getName();
+  if (exp.getKind() === SyntaxKind10.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind10.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind10.PropertyAccessExpression).getName();
   }
   return "";
 }
@@ -962,15 +1001,15 @@ function placeholderFor(propName) {
 }
 var fixRequiredCallWithOptions = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind9.CallExpression);
-  const verify = calls.filter((x) => p.verifyCalls.includes(callName4(x)));
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind10.CallExpression);
+  const verify = calls.filter((x) => p.verifyCalls.includes(callName5(x)));
   if (verify.length > 0) {
     const call = verify[0];
     const args = call.getArguments();
     const lastArg = args[args.length - 1];
-    const obj = lastArg?.asKind(SyntaxKind9.ObjectLiteralExpression);
+    const obj = lastArg?.asKind(SyntaxKind10.ObjectLiteralExpression);
     const presentNames = obj ? obj.getProperties().map((pr) => {
-      const pa = pr.asKind(SyntaxKind9.PropertyAssignment) ?? pr.asKind(SyntaxKind9.ShorthandPropertyAssignment);
+      const pa = pr.asKind(SyntaxKind10.PropertyAssignment) ?? pr.asKind(SyntaxKind10.ShorthandPropertyAssignment);
       return pa?.getName() ?? "";
     }) : [];
     const missingGroups = p.requiredProps.filter(
@@ -978,7 +1017,7 @@ var fixRequiredCallWithOptions = (c, p, outcome) => {
     );
     if (missingGroups.length === 0) return void 0;
     const newProps = missingGroups.map((g) => placeholderFor(g[0])).join(", ");
-    const summary = `Add ${missingGroups.map((g) => g[0]).join(" and ")} to the ${callName4(call)} call`;
+    const summary = `Add ${missingGroups.map((g) => g[0]).join(" and ")} to the ${callName5(call)} call`;
     if (obj) {
       const inner = obj.getText().slice(1, -1).trim();
       const newText = inner.length > 0 ? `{ ${inner}, ${newProps} }` : `{ ${newProps} }`;
@@ -990,7 +1029,7 @@ var fixRequiredCallWithOptions = (c, p, outcome) => {
     }
     return {
       summary,
-      suggestion: `Add an options object ({ ${newProps} }) as an argument to ${callName4(call)}.`
+      suggestion: `Add an options object ({ ${newProps} }) as an argument to ${callName5(call)}.`
     };
   }
   return {
@@ -1003,10 +1042,48 @@ JWKS must come from Privy's published JWKS endpoint for your app.`
   };
 };
 
+// src/fixers/literalMultiplierWrongConstant.ts
+import { SyntaxKind as SyntaxKind11 } from "ts-morph";
+function callName6(call) {
+  const exp = call.getExpression();
+  if (exp.getKind() === SyntaxKind11.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind11.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind11.PropertyAccessExpression).getName();
+  }
+  return "";
+}
+function findIdentifier(node, name) {
+  if (node.getKind() === SyntaxKind11.Identifier && node.getText() === name) return node;
+  return node.getDescendantsOfKind(SyntaxKind11.Identifier).find((id) => id.getText() === name);
+}
+var fixLiteralMultiplierWrongConstant = (c, p, outcome) => {
+  if (outcome.result !== "fail") return void 0;
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind11.CallExpression).filter((call) => callName6(call) === p.call);
+  if (calls.length === 0) return void 0;
+  const arg = calls[0].getArguments()[p.argIndex];
+  if (!arg) return void 0;
+  const forbidden = Array.isArray(p.forbiddenIdentifiers) ? p.forbiddenIdentifiers : [];
+  const forbiddenNode = forbidden.map((name) => findIdentifier(arg, name)).find((n) => n);
+  if (!forbiddenNode) return void 0;
+  const expected = Array.isArray(p.expectedIdentifiers) ? p.expectedIdentifiers : [];
+  const expectedName = expected.find((name) => c.params.includes(name));
+  if (!expectedName) {
+    return {
+      summary: `Scale by the mint's decimals instead of ${forbiddenNode.getText()}`,
+      suggestion: `'${forbiddenNode.getText()}' is the native-SOL lamports constant (1e9), not the mint's decimals. Add a 'decimals: number' parameter to this function (threaded from the mint's configuration) and scale the amount with '10 ** decimals' instead of '${forbiddenNode.getText()}'.`
+    };
+  }
+  return {
+    summary: `Scale by 10 ** ${expectedName} instead of ${forbiddenNode.getText()}`,
+    diff: buildDiff(forbiddenNode, `10 ** ${expectedName}`)
+  };
+};
+
 // src/fixers/index.ts
 var registry2 = {
   "positional-arg-identity": fixPositionalArgIdentity,
-  "required-call-with-options": fixRequiredCallWithOptions
+  "required-call-with-options": fixRequiredCallWithOptions,
+  "literal-multiplier-wrong-constant": fixLiteralMultiplierWrongConstant
 };
 function runFixer(kind, c, params, outcome) {
   if (outcome.result !== "fail") return void 0;
@@ -1956,7 +2033,7 @@ function renderTrustGraphMd(g) {
 }
 
 // src/costAnalysis.ts
-import { Project as Project2, SyntaxKind as SyntaxKind10 } from "ts-morph";
+import { Project as Project2, SyntaxKind as SyntaxKind12 } from "ts-morph";
 var LAMPORTS_PER_BYTE_YEAR = 3480;
 var EXEMPTION_THRESHOLD = 2;
 var OVERHEAD_BYTES = 128;
@@ -2037,11 +2114,11 @@ var KNOWN_FLOWS = [
   }
 ];
 var LOOP_NODE_KINDS = /* @__PURE__ */ new Set([
-  SyntaxKind10.ForStatement,
-  SyntaxKind10.ForOfStatement,
-  SyntaxKind10.ForInStatement,
-  SyntaxKind10.WhileStatement,
-  SyntaxKind10.DoStatement
+  SyntaxKind12.ForStatement,
+  SyntaxKind12.ForOfStatement,
+  SyntaxKind12.ForInStatement,
+  SyntaxKind12.WhileStatement,
+  SyntaxKind12.DoStatement
 ]);
 var ARRAY_METHOD_LOOPS = /* @__PURE__ */ new Set(["map", "forEach", "flatMap", "reduce", "filter"]);
 function isInsideLoop(node) {
@@ -2049,12 +2126,12 @@ function isInsideLoop(node) {
   while (cur) {
     const k = cur.getKind?.();
     if (k !== void 0 && LOOP_NODE_KINDS.has(k)) {
-      return { scalable: true, note: `call is inside a ${SyntaxKind10[k]} \u2014 cost scales with loop iterations` };
+      return { scalable: true, note: `call is inside a ${SyntaxKind12[k]} \u2014 cost scales with loop iterations` };
     }
-    if (k === SyntaxKind10.CallExpression) {
+    if (k === SyntaxKind12.CallExpression) {
       const expr = cur.getExpression?.();
-      if (expr?.getKind?.() === SyntaxKind10.PropertyAccessExpression) {
-        const name = expr.asKind?.(SyntaxKind10.PropertyAccessExpression)?.getName?.();
+      if (expr?.getKind?.() === SyntaxKind12.PropertyAccessExpression) {
+        const name = expr.asKind?.(SyntaxKind12.PropertyAccessExpression)?.getName?.();
         if (name && ARRAY_METHOD_LOOPS.has(name)) {
           return { scalable: true, note: `call is inside .${name}() \u2014 cost scales with array length` };
         }
@@ -2068,7 +2145,7 @@ function detectPriorityFee(targetDir) {
   const project = new Project2({ skipAddingFilesFromTsConfig: true });
   for (const file of walk(targetDir)) {
     const sf = project.addSourceFileAtPath(file);
-    const calls = sf.getDescendantsOfKind(SyntaxKind10.CallExpression);
+    const calls = sf.getDescendantsOfKind(SyntaxKind12.CallExpression);
     for (const ce of calls) {
       const expr = ce.getExpression();
       const text = expr.getText();
@@ -2096,22 +2173,22 @@ function detectAccountFlows(targetDir) {
     const importedModules = new Set(
       sf.getImportDeclarations().map((d) => d.getModuleSpecifierValue())
     );
-    for (const ce of sf.getDescendantsOfKind(SyntaxKind10.CallExpression)) {
+    for (const ce of sf.getDescendantsOfKind(SyntaxKind12.CallExpression)) {
       const expr = ce.getExpression();
-      let callName5 = null;
-      if (expr.getKind() === SyntaxKind10.Identifier) {
-        callName5 = expr.getText();
-      } else if (expr.getKind() === SyntaxKind10.PropertyAccessExpression) {
-        callName5 = expr.asKind(SyntaxKind10.PropertyAccessExpression).getName();
+      let callName7 = null;
+      if (expr.getKind() === SyntaxKind12.Identifier) {
+        callName7 = expr.getText();
+      } else if (expr.getKind() === SyntaxKind12.PropertyAccessExpression) {
+        callName7 = expr.asKind(SyntaxKind12.PropertyAccessExpression).getName();
       }
-      if (!callName5) continue;
-      const known = callIndex.get(callName5);
+      if (!callName7) continue;
+      const known = callIndex.get(callName7);
       if (!known) continue;
       if (!importedModules.has(known.module)) continue;
       const lamports = rentExemptMinimum(known.dataLen);
       const { scalable, note } = isInsideLoop(ce);
       flows.push({
-        call: callName5,
+        call: callName7,
         module: known.module,
         accountType: known.accountType,
         file,

package/dist/cli.js

@@ -20,7 +20,7 @@ import {
   submitTelemetry,
   telemetryFilePath,
   validatePack
-} from "./chunk-5LJXC66F.js";
+} from "./chunk-EYFKA33G.js";
 
 // src/cli.ts
 import { writeFileSync as writeFileSync2, mkdirSync as mkdirSync2 } from "fs";

package/dist/index.js

@@ -50,7 +50,7 @@ import {
   testKinds,
   validatePack,
   validatePackManifest
-} from "./chunk-5LJXC66F.js";
+} from "./chunk-EYFKA33G.js";
 
 // src/generate.ts
 import { writeFileSync, mkdirSync } from "fs";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "brainblast",
-  "version": "0.5.0",
+  "version": "0.5.2",
   "type": "module",
   "description": "Deterministic auditor for catastrophic AI-integration bugs: scan a repo, find the silent money/auth traps, and generate the behavioral test that proves they're fixed.",
   "keywords": [