brainblast 0.5.2 → 0.5.3

package/dist/{chunk-EYFKA33G.js → chunk-LHP6HFMS.js}

@@ -421,6 +421,66 @@ var objectArgPropertyLiteralEquals = (c, p) => {
   };
 };
 
+// src/checkers/objectArgPropertyForbiddenLiteral.ts
+import { SyntaxKind as SyntaxKind7 } from "ts-morph";
+var objectArgPropertyForbiddenLiteral = (c, p) => {
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind7.CallExpression).filter((ce2) => {
+    const expr = ce2.getExpression();
+    if (expr.getKind() === SyntaxKind7.Identifier) return expr.getText() === p.call;
+    if (expr.getKind() === SyntaxKind7.PropertyAccessExpression) {
+      return expr.asKind(SyntaxKind7.PropertyAccessExpression).getName() === p.call;
+    }
+    return false;
+  });
+  if (calls.length === 0) {
+    return {
+      result: "cant_tell",
+      detail: p.absentCallDetail ?? `no ${p.call} call found`
+    };
+  }
+  const ce = calls[0];
+  const args = ce.getArguments();
+  const arg = args[p.argIndex];
+  const objLit = arg?.asKind(SyntaxKind7.ObjectLiteralExpression);
+  if (!objLit) {
+    return {
+      result: "cant_tell",
+      detail: p.absentArgDetail ?? `${p.call} arg[${p.argIndex}] is not an inline object literal \u2014 cannot statically inspect ${p.propName}`
+    };
+  }
+  const propAssignment = objLit.getProperties().map((prop) => prop.asKind(SyntaxKind7.PropertyAssignment)).find((pa) => pa?.getName() === p.propName);
+  if (!propAssignment) {
+    return {
+      result: "cant_tell",
+      detail: p.absentArgDetail ?? `${p.propName} is absent from the ${p.call} options`
+    };
+  }
+  const init = propAssignment.getInitializer();
+  if (!init) {
+    return { result: "cant_tell", detail: `${p.propName} has no initializer` };
+  }
+  const kind = init.getKind();
+  const text = init.getText();
+  const forbidden = JSON.stringify(p.forbiddenValue);
+  const isForbidden = (kind === SyntaxKind7.NumericLiteral || kind === SyntaxKind7.StringLiteral) && (text === forbidden || text === String(p.forbiddenValue));
+  if (isForbidden) {
+    return {
+      result: "fail",
+      detail: p.failDetail ?? `${p.propName} is ${p.forbiddenValue}`
+    };
+  }
+  if (kind === SyntaxKind7.NumericLiteral || kind === SyntaxKind7.StringLiteral) {
+    return {
+      result: "pass",
+      detail: p.passDetail ?? `${p.propName} is ${text}`
+    };
+  }
+  return {
+    result: "cant_tell",
+    detail: `${p.propName} is a non-literal expression \u2014 cannot determine statically`
+  };
+};
+
 // src/checkers/anchorInitIfNeededGuarded.ts
 var GUARD_PATTERNS = [
   /\brequire!\s*\(/,
@@ -488,18 +548,18 @@ var envSecretsCommitted = (c, p) => {
 };
 
 // src/checkers/taintToSink.ts
-import { SyntaxKind as SyntaxKind7 } from "ts-morph";
+import { SyntaxKind as SyntaxKind8 } from "ts-morph";
 function calleeName(call) {
   const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind7.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind7.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind7.PropertyAccessExpression).getName();
+  if (exp.getKind() === SyntaxKind8.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind8.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind8.PropertyAccessExpression).getName();
   }
   return "";
 }
 function calleeIdentifierName(call) {
   const exp = call.getExpression();
-  return exp.getKind() === SyntaxKind7.Identifier ? exp.getText() : void 0;
+  return exp.getKind() === SyntaxKind8.Identifier ? exp.getText() : void 0;
 }
 function wordIn(text, name) {
   return new RegExp(`\\b${name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\b`).test(text);
@@ -509,14 +569,14 @@ function matchesSource(text, sourceRes) {
 }
 function localTaintedNames(fn, sourceRes) {
   const names = /* @__PURE__ */ new Set();
-  for (const decl of fn.getDescendantsOfKind(SyntaxKind7.VariableDeclaration)) {
+  for (const decl of fn.getDescendantsOfKind(SyntaxKind8.VariableDeclaration)) {
     const init = decl.getInitializer();
     if (init && matchesSource(init.getText(), sourceRes)) names.add(decl.getName());
   }
   return names;
 }
 function findDirectLeak(fn, sinkCalls, sourceRes, taintedNames) {
-  for (const call of fn.getDescendantsOfKind(SyntaxKind7.CallExpression)) {
+  for (const call of fn.getDescendantsOfKind(SyntaxKind8.CallExpression)) {
     const name = calleeName(call);
     if (!sinkCalls.has(name)) continue;
     for (const arg of call.getArguments()) {
@@ -548,7 +608,7 @@ function resolveFunction(sourceFile, name) {
 }
 function findForwardLeak(fn, rootName, sinkCalls, sourceRes, taintedNames, hopsLeft, visited) {
   if (hopsLeft <= 0) return void 0;
-  for (const call of fn.getDescendantsOfKind(SyntaxKind7.CallExpression)) {
+  for (const call of fn.getDescendantsOfKind(SyntaxKind8.CallExpression)) {
     const name = calleeIdentifierName(call);
     if (!name || name === rootName) continue;
     const args = call.getArguments();
@@ -590,7 +650,7 @@ function findForwardLeak(fn, rootName, sinkCalls, sourceRes, taintedNames, hopsL
 function paramsUsedInSink(fn, sinkCalls) {
   const params = new Set(fn.getParameters().map((p) => p.getName()));
   const sinked = /* @__PURE__ */ new Set();
-  for (const call of fn.getDescendantsOfKind(SyntaxKind7.CallExpression)) {
+  for (const call of fn.getDescendantsOfKind(SyntaxKind8.CallExpression)) {
     if (!sinkCalls.has(calleeName(call))) continue;
     for (const arg of call.getArguments()) {
       const text = arg.getText();
@@ -603,13 +663,13 @@ function paramsUsedInSink(fn, sinkCalls) {
 }
 function enclosingFunction(node) {
   return node.getFirstAncestor(
-    (a) => a.getKind() === SyntaxKind7.FunctionDeclaration || a.getKind() === SyntaxKind7.ArrowFunction
+    (a) => a.getKind() === SyntaxKind8.FunctionDeclaration || a.getKind() === SyntaxKind8.ArrowFunction
   );
 }
 function findBackwardLeak(candidateFn, fnName, candidateFile, params, sinkedParams, sourceRes) {
   const project = candidateFn.getProject();
   for (const sf of project.getSourceFiles()) {
-    for (const call of sf.getDescendantsOfKind(SyntaxKind7.CallExpression)) {
+    for (const call of sf.getDescendantsOfKind(SyntaxKind8.CallExpression)) {
       if (calleeIdentifierName(call) !== fnName) continue;
       if (call.getFirstAncestor((a) => a === candidateFn)) continue;
       const args = call.getArguments();
@@ -621,7 +681,7 @@ function findBackwardLeak(candidateFn, fnName, candidateFile, params, sinkedPara
         if (matchesSource(text, sourceRes)) {
           return `'${fnName}' is called from ${sf.getFilePath()}:${call.getStartLineNumber()} with '${text}' as '${pname}', which this function passes to a sink.`;
         }
-        if (arg.getKind() === SyntaxKind7.Identifier) {
+        if (arg.getKind() === SyntaxKind8.Identifier) {
           const callerFn = enclosingFunction(arg);
           if (callerFn) {
             const callerTainted = localTaintedNames(callerFn, sourceRes);
@@ -663,21 +723,21 @@ var taintToSink = (c, p) => {
 };
 
 // src/checkers/literalMultiplierWrongConstant.ts
-import { SyntaxKind as SyntaxKind8 } from "ts-morph";
+import { SyntaxKind as SyntaxKind9 } from "ts-morph";
 function callName4(call) {
   const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind8.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind8.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind8.PropertyAccessExpression).getName();
+  if (exp.getKind() === SyntaxKind9.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind9.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind9.PropertyAccessExpression).getName();
   }
   return "";
 }
 function containsIdentifier(node, name) {
-  if (node.getKind() === SyntaxKind8.Identifier && node.getText() === name) return true;
-  return node.getDescendantsOfKind(SyntaxKind8.Identifier).some((id) => id.getText() === name);
+  if (node.getKind() === SyntaxKind9.Identifier && node.getText() === name) return true;
+  return node.getDescendantsOfKind(SyntaxKind9.Identifier).some((id) => id.getText() === name);
 }
 var literalMultiplierWrongConstant = (c, p) => {
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind8.CallExpression).filter((x) => callName4(x) === p.call);
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind9.CallExpression).filter((x) => callName4(x) === p.call);
   if (calls.length === 0) {
     return { result: "cant_tell", detail: p.absentCallDetail };
   }
@@ -700,6 +760,35 @@ var literalMultiplierWrongConstant = (c, p) => {
   return { result: "cant_tell", detail: p.cantTellDetail };
 };
 
+// src/checkers/forbiddenCallReplacement.ts
+import { SyntaxKind as SyntaxKind10 } from "ts-morph";
+function callName5(call) {
+  const exp = call.getExpression();
+  if (exp.getKind() === SyntaxKind10.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind10.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind10.PropertyAccessExpression).getName();
+  }
+  return "";
+}
+var forbiddenCallReplacement = (c, p) => {
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind10.CallExpression);
+  const names = calls.map(callName5);
+  const forbidden = p.forbiddenCalls ?? [];
+  const safer = p.saferCalls ?? [];
+  const usesSafer = names.some((n) => safer.includes(n));
+  if (usesSafer) {
+    return { result: "pass", detail: p.passDetail ?? `uses ${safer.join("/")}` };
+  }
+  const usesForbidden = names.some((n) => forbidden.includes(n));
+  if (usesForbidden) {
+    return { result: "fail", detail: p.failDetail ?? `uses ${forbidden.join("/")}` };
+  }
+  return {
+    result: "cant_tell",
+    detail: p.absentDetail ?? `neither ${forbidden.join("/")} nor ${safer.join("/")} found`
+  };
+};
+
 // src/checkers/index.ts
 var registry = {
   "positional-arg-identity": positionalArgIdentity,
@@ -707,10 +796,12 @@ var registry = {
   "fee-allocation-shape": feeAllocationShape,
   "arg-equals-constant-identifier": argEqualsConstantIdentifier,
   "object-arg-property-literal-equals": objectArgPropertyLiteralEquals,
+  "object-arg-property-forbidden-literal": objectArgPropertyForbiddenLiteral,
   "anchor-init-if-needed-guarded": anchorInitIfNeededGuarded,
   "env-secrets-committed": envSecretsCommitted,
   "taint-to-sink": taintToSink,
-  "literal-multiplier-wrong-constant": literalMultiplierWrongConstant
+  "literal-multiplier-wrong-constant": literalMultiplierWrongConstant,
+  "forbidden-call-replacement": forbiddenCallReplacement
 };
 function runChecker(kind, c, params) {
   const fn = registry[kind];
@@ -926,7 +1017,7 @@ function findRustCandidates(targetDir, rule) {
 }
 
 // src/fixers/positionalArgIdentity.ts
-import { SyntaxKind as SyntaxKind9 } from "ts-morph";
+import { SyntaxKind as SyntaxKind11 } from "ts-morph";
 
 // src/fixers/diffUtil.ts
 function buildDiff(node, replacement) {
@@ -951,9 +1042,9 @@ function buildDiff(node, replacement) {
 // src/fixers/positionalArgIdentity.ts
 var fixPositionalArgIdentity = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind9.CallExpression).filter((call) => {
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind11.CallExpression).filter((call) => {
     const exp = call.getExpression();
-    return exp.getKind() === SyntaxKind9.PropertyAccessExpression && exp.asKind(SyntaxKind9.PropertyAccessExpression).getName() === p.call;
+    return exp.getKind() === SyntaxKind11.PropertyAccessExpression && exp.asKind(SyntaxKind11.PropertyAccessExpression).getName() === p.call;
   });
   if (calls.length === 0) {
     const wantParam2 = c.params[p.paramIndex] ?? "<rawBodyParam>";
@@ -968,7 +1059,7 @@ Do not call JSON.parse() on the body before this verification step.`
   }
   const arg = calls[0].getArguments()[p.argIndex];
   const wantParam = c.params[p.paramIndex];
-  if (arg && wantParam && arg.getKind() === SyntaxKind9.CallExpression) {
+  if (arg && wantParam && arg.getKind() === SyntaxKind11.CallExpression) {
     return {
       summary: `Pass the raw body parameter '${wantParam}' to ${p.call} instead of a parsed value`,
       diff: buildDiff(arg, wantParam)
@@ -978,12 +1069,12 @@ Do not call JSON.parse() on the body before this verification step.`
 };
 
 // src/fixers/requiredCallWithOptions.ts
-import { SyntaxKind as SyntaxKind10 } from "ts-morph";
-function callName5(call) {
+import { SyntaxKind as SyntaxKind12 } from "ts-morph";
+function callName6(call) {
   const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind10.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind10.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind10.PropertyAccessExpression).getName();
+  if (exp.getKind() === SyntaxKind12.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind12.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind12.PropertyAccessExpression).getName();
   }
   return "";
 }
@@ -1001,15 +1092,15 @@ function placeholderFor(propName) {
 }
 var fixRequiredCallWithOptions = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind10.CallExpression);
-  const verify = calls.filter((x) => p.verifyCalls.includes(callName5(x)));
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind12.CallExpression);
+  const verify = calls.filter((x) => p.verifyCalls.includes(callName6(x)));
   if (verify.length > 0) {
     const call = verify[0];
     const args = call.getArguments();
     const lastArg = args[args.length - 1];
-    const obj = lastArg?.asKind(SyntaxKind10.ObjectLiteralExpression);
+    const obj = lastArg?.asKind(SyntaxKind12.ObjectLiteralExpression);
     const presentNames = obj ? obj.getProperties().map((pr) => {
-      const pa = pr.asKind(SyntaxKind10.PropertyAssignment) ?? pr.asKind(SyntaxKind10.ShorthandPropertyAssignment);
+      const pa = pr.asKind(SyntaxKind12.PropertyAssignment) ?? pr.asKind(SyntaxKind12.ShorthandPropertyAssignment);
       return pa?.getName() ?? "";
     }) : [];
     const missingGroups = p.requiredProps.filter(
@@ -1017,7 +1108,7 @@ var fixRequiredCallWithOptions = (c, p, outcome) => {
     );
     if (missingGroups.length === 0) return void 0;
     const newProps = missingGroups.map((g) => placeholderFor(g[0])).join(", ");
-    const summary = `Add ${missingGroups.map((g) => g[0]).join(" and ")} to the ${callName5(call)} call`;
+    const summary = `Add ${missingGroups.map((g) => g[0]).join(" and ")} to the ${callName6(call)} call`;
     if (obj) {
       const inner = obj.getText().slice(1, -1).trim();
       const newText = inner.length > 0 ? `{ ${inner}, ${newProps} }` : `{ ${newProps} }`;
@@ -1029,7 +1120,7 @@ var fixRequiredCallWithOptions = (c, p, outcome) => {
     }
     return {
       summary,
-      suggestion: `Add an options object ({ ${newProps} }) as an argument to ${callName5(call)}.`
+      suggestion: `Add an options object ({ ${newProps} }) as an argument to ${callName6(call)}.`
     };
   }
   return {
@@ -1043,22 +1134,22 @@ JWKS must come from Privy's published JWKS endpoint for your app.`
 };
 
 // src/fixers/literalMultiplierWrongConstant.ts
-import { SyntaxKind as SyntaxKind11 } from "ts-morph";
-function callName6(call) {
+import { SyntaxKind as SyntaxKind13 } from "ts-morph";
+function callName7(call) {
   const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind11.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind11.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind11.PropertyAccessExpression).getName();
+  if (exp.getKind() === SyntaxKind13.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind13.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind13.PropertyAccessExpression).getName();
   }
   return "";
 }
 function findIdentifier(node, name) {
-  if (node.getKind() === SyntaxKind11.Identifier && node.getText() === name) return node;
-  return node.getDescendantsOfKind(SyntaxKind11.Identifier).find((id) => id.getText() === name);
+  if (node.getKind() === SyntaxKind13.Identifier && node.getText() === name) return node;
+  return node.getDescendantsOfKind(SyntaxKind13.Identifier).find((id) => id.getText() === name);
 }
 var fixLiteralMultiplierWrongConstant = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind11.CallExpression).filter((call) => callName6(call) === p.call);
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind13.CallExpression).filter((call) => callName7(call) === p.call);
   if (calls.length === 0) return void 0;
   const arg = calls[0].getArguments()[p.argIndex];
   if (!arg) return void 0;
@@ -2033,7 +2124,7 @@ function renderTrustGraphMd(g) {
 }
 
 // src/costAnalysis.ts
-import { Project as Project2, SyntaxKind as SyntaxKind12 } from "ts-morph";
+import { Project as Project2, SyntaxKind as SyntaxKind14 } from "ts-morph";
 var LAMPORTS_PER_BYTE_YEAR = 3480;
 var EXEMPTION_THRESHOLD = 2;
 var OVERHEAD_BYTES = 128;
@@ -2114,11 +2205,11 @@ var KNOWN_FLOWS = [
   }
 ];
 var LOOP_NODE_KINDS = /* @__PURE__ */ new Set([
-  SyntaxKind12.ForStatement,
-  SyntaxKind12.ForOfStatement,
-  SyntaxKind12.ForInStatement,
-  SyntaxKind12.WhileStatement,
-  SyntaxKind12.DoStatement
+  SyntaxKind14.ForStatement,
+  SyntaxKind14.ForOfStatement,
+  SyntaxKind14.ForInStatement,
+  SyntaxKind14.WhileStatement,
+  SyntaxKind14.DoStatement
 ]);
 var ARRAY_METHOD_LOOPS = /* @__PURE__ */ new Set(["map", "forEach", "flatMap", "reduce", "filter"]);
 function isInsideLoop(node) {
@@ -2126,12 +2217,12 @@ function isInsideLoop(node) {
   while (cur) {
     const k = cur.getKind?.();
     if (k !== void 0 && LOOP_NODE_KINDS.has(k)) {
-      return { scalable: true, note: `call is inside a ${SyntaxKind12[k]} \u2014 cost scales with loop iterations` };
+      return { scalable: true, note: `call is inside a ${SyntaxKind14[k]} \u2014 cost scales with loop iterations` };
     }
-    if (k === SyntaxKind12.CallExpression) {
+    if (k === SyntaxKind14.CallExpression) {
       const expr = cur.getExpression?.();
-      if (expr?.getKind?.() === SyntaxKind12.PropertyAccessExpression) {
-        const name = expr.asKind?.(SyntaxKind12.PropertyAccessExpression)?.getName?.();
+      if (expr?.getKind?.() === SyntaxKind14.PropertyAccessExpression) {
+        const name = expr.asKind?.(SyntaxKind14.PropertyAccessExpression)?.getName?.();
         if (name && ARRAY_METHOD_LOOPS.has(name)) {
           return { scalable: true, note: `call is inside .${name}() \u2014 cost scales with array length` };
         }
@@ -2145,7 +2236,7 @@ function detectPriorityFee(targetDir) {
   const project = new Project2({ skipAddingFilesFromTsConfig: true });
   for (const file of walk(targetDir)) {
     const sf = project.addSourceFileAtPath(file);
-    const calls = sf.getDescendantsOfKind(SyntaxKind12.CallExpression);
+    const calls = sf.getDescendantsOfKind(SyntaxKind14.CallExpression);
     for (const ce of calls) {
       const expr = ce.getExpression();
       const text = expr.getText();
@@ -2173,22 +2264,22 @@ function detectAccountFlows(targetDir) {
     const importedModules = new Set(
       sf.getImportDeclarations().map((d) => d.getModuleSpecifierValue())
     );
-    for (const ce of sf.getDescendantsOfKind(SyntaxKind12.CallExpression)) {
+    for (const ce of sf.getDescendantsOfKind(SyntaxKind14.CallExpression)) {
       const expr = ce.getExpression();
-      let callName7 = null;
-      if (expr.getKind() === SyntaxKind12.Identifier) {
-        callName7 = expr.getText();
-      } else if (expr.getKind() === SyntaxKind12.PropertyAccessExpression) {
-        callName7 = expr.asKind(SyntaxKind12.PropertyAccessExpression).getName();
+      let callName8 = null;
+      if (expr.getKind() === SyntaxKind14.Identifier) {
+        callName8 = expr.getText();
+      } else if (expr.getKind() === SyntaxKind14.PropertyAccessExpression) {
+        callName8 = expr.asKind(SyntaxKind14.PropertyAccessExpression).getName();
       }
-      if (!callName7) continue;
-      const known = callIndex.get(callName7);
+      if (!callName8) continue;
+      const known = callIndex.get(callName8);
       if (!known) continue;
       if (!importedModules.has(known.module)) continue;
       const lamports = rentExemptMinimum(known.dataLen);
       const { scalable, note } = isInsideLoop(ce);
       flows.push({
-        call: callName7,
+        call: callName8,
         module: known.module,
         accountType: known.accountType,
         file,

package/dist/cli.js

@@ -20,7 +20,7 @@ import {
   submitTelemetry,
   telemetryFilePath,
   validatePack
-} from "./chunk-EYFKA33G.js";
+} from "./chunk-LHP6HFMS.js";
 
 // src/cli.ts
 import { writeFileSync as writeFileSync2, mkdirSync as mkdirSync2 } from "fs";

package/dist/index.js

@@ -50,7 +50,7 @@ import {
   testKinds,
   validatePack,
   validatePackManifest
-} from "./chunk-EYFKA33G.js";
+} from "./chunk-LHP6HFMS.js";
 
 // src/generate.ts
 import { writeFileSync, mkdirSync } from "fs";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "brainblast",
-  "version": "0.5.2",
+  "version": "0.5.3",
   "type": "module",
   "description": "Deterministic auditor for catastrophic AI-integration bugs: scan a repo, find the silent money/auth traps, and generate the behavioral test that proves they're fixed.",
   "keywords": [