brainblast 0.5.2 → 0.6.0

package/dist/{chunk-EYFKA33G.js → chunk-A56IF3UX.js}

@@ -421,6 +421,66 @@ var objectArgPropertyLiteralEquals = (c, p) => {
   };
 };
 
+// src/checkers/objectArgPropertyForbiddenLiteral.ts
+import { SyntaxKind as SyntaxKind7 } from "ts-morph";
+var objectArgPropertyForbiddenLiteral = (c, p) => {
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind7.CallExpression).filter((ce2) => {
+    const expr = ce2.getExpression();
+    if (expr.getKind() === SyntaxKind7.Identifier) return expr.getText() === p.call;
+    if (expr.getKind() === SyntaxKind7.PropertyAccessExpression) {
+      return expr.asKind(SyntaxKind7.PropertyAccessExpression).getName() === p.call;
+    }
+    return false;
+  });
+  if (calls.length === 0) {
+    return {
+      result: "cant_tell",
+      detail: p.absentCallDetail ?? `no ${p.call} call found`
+    };
+  }
+  const ce = calls[0];
+  const args = ce.getArguments();
+  const arg = args[p.argIndex];
+  const objLit = arg?.asKind(SyntaxKind7.ObjectLiteralExpression);
+  if (!objLit) {
+    return {
+      result: "cant_tell",
+      detail: p.absentArgDetail ?? `${p.call} arg[${p.argIndex}] is not an inline object literal \u2014 cannot statically inspect ${p.propName}`
+    };
+  }
+  const propAssignment = objLit.getProperties().map((prop) => prop.asKind(SyntaxKind7.PropertyAssignment)).find((pa) => pa?.getName() === p.propName);
+  if (!propAssignment) {
+    return {
+      result: "cant_tell",
+      detail: p.absentArgDetail ?? `${p.propName} is absent from the ${p.call} options`
+    };
+  }
+  const init = propAssignment.getInitializer();
+  if (!init) {
+    return { result: "cant_tell", detail: `${p.propName} has no initializer` };
+  }
+  const kind = init.getKind();
+  const text = init.getText();
+  const forbidden = JSON.stringify(p.forbiddenValue);
+  const isForbidden = (kind === SyntaxKind7.NumericLiteral || kind === SyntaxKind7.StringLiteral) && (text === forbidden || text === String(p.forbiddenValue));
+  if (isForbidden) {
+    return {
+      result: "fail",
+      detail: p.failDetail ?? `${p.propName} is ${p.forbiddenValue}`
+    };
+  }
+  if (kind === SyntaxKind7.NumericLiteral || kind === SyntaxKind7.StringLiteral) {
+    return {
+      result: "pass",
+      detail: p.passDetail ?? `${p.propName} is ${text}`
+    };
+  }
+  return {
+    result: "cant_tell",
+    detail: `${p.propName} is a non-literal expression \u2014 cannot determine statically`
+  };
+};
+
 // src/checkers/anchorInitIfNeededGuarded.ts
 var GUARD_PATTERNS = [
   /\brequire!\s*\(/,
@@ -488,18 +548,18 @@ var envSecretsCommitted = (c, p) => {
 };
 
 // src/checkers/taintToSink.ts
-import { SyntaxKind as SyntaxKind7 } from "ts-morph";
+import { SyntaxKind as SyntaxKind8 } from "ts-morph";
 function calleeName(call) {
   const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind7.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind7.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind7.PropertyAccessExpression).getName();
+  if (exp.getKind() === SyntaxKind8.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind8.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind8.PropertyAccessExpression).getName();
   }
   return "";
 }
 function calleeIdentifierName(call) {
   const exp = call.getExpression();
-  return exp.getKind() === SyntaxKind7.Identifier ? exp.getText() : void 0;
+  return exp.getKind() === SyntaxKind8.Identifier ? exp.getText() : void 0;
 }
 function wordIn(text, name) {
   return new RegExp(`\\b${name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\b`).test(text);
@@ -509,14 +569,14 @@ function matchesSource(text, sourceRes) {
 }
 function localTaintedNames(fn, sourceRes) {
   const names = /* @__PURE__ */ new Set();
-  for (const decl of fn.getDescendantsOfKind(SyntaxKind7.VariableDeclaration)) {
+  for (const decl of fn.getDescendantsOfKind(SyntaxKind8.VariableDeclaration)) {
     const init = decl.getInitializer();
     if (init && matchesSource(init.getText(), sourceRes)) names.add(decl.getName());
   }
   return names;
 }
 function findDirectLeak(fn, sinkCalls, sourceRes, taintedNames) {
-  for (const call of fn.getDescendantsOfKind(SyntaxKind7.CallExpression)) {
+  for (const call of fn.getDescendantsOfKind(SyntaxKind8.CallExpression)) {
     const name = calleeName(call);
     if (!sinkCalls.has(name)) continue;
     for (const arg of call.getArguments()) {
@@ -548,7 +608,7 @@ function resolveFunction(sourceFile, name) {
 }
 function findForwardLeak(fn, rootName, sinkCalls, sourceRes, taintedNames, hopsLeft, visited) {
   if (hopsLeft <= 0) return void 0;
-  for (const call of fn.getDescendantsOfKind(SyntaxKind7.CallExpression)) {
+  for (const call of fn.getDescendantsOfKind(SyntaxKind8.CallExpression)) {
     const name = calleeIdentifierName(call);
     if (!name || name === rootName) continue;
     const args = call.getArguments();
@@ -590,7 +650,7 @@ function findForwardLeak(fn, rootName, sinkCalls, sourceRes, taintedNames, hopsL
 function paramsUsedInSink(fn, sinkCalls) {
   const params = new Set(fn.getParameters().map((p) => p.getName()));
   const sinked = /* @__PURE__ */ new Set();
-  for (const call of fn.getDescendantsOfKind(SyntaxKind7.CallExpression)) {
+  for (const call of fn.getDescendantsOfKind(SyntaxKind8.CallExpression)) {
     if (!sinkCalls.has(calleeName(call))) continue;
     for (const arg of call.getArguments()) {
       const text = arg.getText();
@@ -603,13 +663,13 @@ function paramsUsedInSink(fn, sinkCalls) {
 }
 function enclosingFunction(node) {
   return node.getFirstAncestor(
-    (a) => a.getKind() === SyntaxKind7.FunctionDeclaration || a.getKind() === SyntaxKind7.ArrowFunction
+    (a) => a.getKind() === SyntaxKind8.FunctionDeclaration || a.getKind() === SyntaxKind8.ArrowFunction
   );
 }
 function findBackwardLeak(candidateFn, fnName, candidateFile, params, sinkedParams, sourceRes) {
   const project = candidateFn.getProject();
   for (const sf of project.getSourceFiles()) {
-    for (const call of sf.getDescendantsOfKind(SyntaxKind7.CallExpression)) {
+    for (const call of sf.getDescendantsOfKind(SyntaxKind8.CallExpression)) {
       if (calleeIdentifierName(call) !== fnName) continue;
       if (call.getFirstAncestor((a) => a === candidateFn)) continue;
       const args = call.getArguments();
@@ -621,7 +681,7 @@ function findBackwardLeak(candidateFn, fnName, candidateFile, params, sinkedPara
         if (matchesSource(text, sourceRes)) {
           return `'${fnName}' is called from ${sf.getFilePath()}:${call.getStartLineNumber()} with '${text}' as '${pname}', which this function passes to a sink.`;
         }
-        if (arg.getKind() === SyntaxKind7.Identifier) {
+        if (arg.getKind() === SyntaxKind8.Identifier) {
           const callerFn = enclosingFunction(arg);
           if (callerFn) {
             const callerTainted = localTaintedNames(callerFn, sourceRes);
@@ -663,21 +723,21 @@ var taintToSink = (c, p) => {
 };
 
 // src/checkers/literalMultiplierWrongConstant.ts
-import { SyntaxKind as SyntaxKind8 } from "ts-morph";
+import { SyntaxKind as SyntaxKind9 } from "ts-morph";
 function callName4(call) {
   const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind8.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind8.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind8.PropertyAccessExpression).getName();
+  if (exp.getKind() === SyntaxKind9.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind9.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind9.PropertyAccessExpression).getName();
   }
   return "";
 }
 function containsIdentifier(node, name) {
-  if (node.getKind() === SyntaxKind8.Identifier && node.getText() === name) return true;
-  return node.getDescendantsOfKind(SyntaxKind8.Identifier).some((id) => id.getText() === name);
+  if (node.getKind() === SyntaxKind9.Identifier && node.getText() === name) return true;
+  return node.getDescendantsOfKind(SyntaxKind9.Identifier).some((id) => id.getText() === name);
 }
 var literalMultiplierWrongConstant = (c, p) => {
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind8.CallExpression).filter((x) => callName4(x) === p.call);
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind9.CallExpression).filter((x) => callName4(x) === p.call);
   if (calls.length === 0) {
     return { result: "cant_tell", detail: p.absentCallDetail };
   }
@@ -700,6 +760,35 @@ var literalMultiplierWrongConstant = (c, p) => {
   return { result: "cant_tell", detail: p.cantTellDetail };
 };
 
+// src/checkers/forbiddenCallReplacement.ts
+import { SyntaxKind as SyntaxKind10 } from "ts-morph";
+function callName5(call) {
+  const exp = call.getExpression();
+  if (exp.getKind() === SyntaxKind10.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind10.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind10.PropertyAccessExpression).getName();
+  }
+  return "";
+}
+var forbiddenCallReplacement = (c, p) => {
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind10.CallExpression);
+  const names = calls.map(callName5);
+  const forbidden = p.forbiddenCalls ?? [];
+  const safer = p.saferCalls ?? [];
+  const usesSafer = names.some((n) => safer.includes(n));
+  if (usesSafer) {
+    return { result: "pass", detail: p.passDetail ?? `uses ${safer.join("/")}` };
+  }
+  const usesForbidden = names.some((n) => forbidden.includes(n));
+  if (usesForbidden) {
+    return { result: "fail", detail: p.failDetail ?? `uses ${forbidden.join("/")}` };
+  }
+  return {
+    result: "cant_tell",
+    detail: p.absentDetail ?? `neither ${forbidden.join("/")} nor ${safer.join("/")} found`
+  };
+};
+
 // src/checkers/index.ts
 var registry = {
   "positional-arg-identity": positionalArgIdentity,
@@ -707,10 +796,12 @@ var registry = {
   "fee-allocation-shape": feeAllocationShape,
   "arg-equals-constant-identifier": argEqualsConstantIdentifier,
   "object-arg-property-literal-equals": objectArgPropertyLiteralEquals,
+  "object-arg-property-forbidden-literal": objectArgPropertyForbiddenLiteral,
   "anchor-init-if-needed-guarded": anchorInitIfNeededGuarded,
   "env-secrets-committed": envSecretsCommitted,
   "taint-to-sink": taintToSink,
-  "literal-multiplier-wrong-constant": literalMultiplierWrongConstant
+  "literal-multiplier-wrong-constant": literalMultiplierWrongConstant,
+  "forbidden-call-replacement": forbiddenCallReplacement
 };
 function runChecker(kind, c, params) {
   const fn = registry[kind];
@@ -926,7 +1017,7 @@ function findRustCandidates(targetDir, rule) {
 }
 
 // src/fixers/positionalArgIdentity.ts
-import { SyntaxKind as SyntaxKind9 } from "ts-morph";
+import { SyntaxKind as SyntaxKind11 } from "ts-morph";
 
 // src/fixers/diffUtil.ts
 function buildDiff(node, replacement) {
@@ -951,9 +1042,9 @@ function buildDiff(node, replacement) {
 // src/fixers/positionalArgIdentity.ts
 var fixPositionalArgIdentity = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind9.CallExpression).filter((call) => {
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind11.CallExpression).filter((call) => {
     const exp = call.getExpression();
-    return exp.getKind() === SyntaxKind9.PropertyAccessExpression && exp.asKind(SyntaxKind9.PropertyAccessExpression).getName() === p.call;
+    return exp.getKind() === SyntaxKind11.PropertyAccessExpression && exp.asKind(SyntaxKind11.PropertyAccessExpression).getName() === p.call;
   });
   if (calls.length === 0) {
     const wantParam2 = c.params[p.paramIndex] ?? "<rawBodyParam>";
@@ -968,7 +1059,7 @@ Do not call JSON.parse() on the body before this verification step.`
   }
   const arg = calls[0].getArguments()[p.argIndex];
   const wantParam = c.params[p.paramIndex];
-  if (arg && wantParam && arg.getKind() === SyntaxKind9.CallExpression) {
+  if (arg && wantParam && arg.getKind() === SyntaxKind11.CallExpression) {
     return {
       summary: `Pass the raw body parameter '${wantParam}' to ${p.call} instead of a parsed value`,
       diff: buildDiff(arg, wantParam)
@@ -978,12 +1069,12 @@ Do not call JSON.parse() on the body before this verification step.`
 };
 
 // src/fixers/requiredCallWithOptions.ts
-import { SyntaxKind as SyntaxKind10 } from "ts-morph";
-function callName5(call) {
+import { SyntaxKind as SyntaxKind12 } from "ts-morph";
+function callName6(call) {
   const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind10.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind10.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind10.PropertyAccessExpression).getName();
+  if (exp.getKind() === SyntaxKind12.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind12.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind12.PropertyAccessExpression).getName();
   }
   return "";
 }
@@ -1001,15 +1092,15 @@ function placeholderFor(propName) {
 }
 var fixRequiredCallWithOptions = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind10.CallExpression);
-  const verify = calls.filter((x) => p.verifyCalls.includes(callName5(x)));
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind12.CallExpression);
+  const verify = calls.filter((x) => p.verifyCalls.includes(callName6(x)));
   if (verify.length > 0) {
     const call = verify[0];
     const args = call.getArguments();
     const lastArg = args[args.length - 1];
-    const obj = lastArg?.asKind(SyntaxKind10.ObjectLiteralExpression);
+    const obj = lastArg?.asKind(SyntaxKind12.ObjectLiteralExpression);
     const presentNames = obj ? obj.getProperties().map((pr) => {
-      const pa = pr.asKind(SyntaxKind10.PropertyAssignment) ?? pr.asKind(SyntaxKind10.ShorthandPropertyAssignment);
+      const pa = pr.asKind(SyntaxKind12.PropertyAssignment) ?? pr.asKind(SyntaxKind12.ShorthandPropertyAssignment);
       return pa?.getName() ?? "";
     }) : [];
     const missingGroups = p.requiredProps.filter(
@@ -1017,7 +1108,7 @@ var fixRequiredCallWithOptions = (c, p, outcome) => {
     );
     if (missingGroups.length === 0) return void 0;
     const newProps = missingGroups.map((g) => placeholderFor(g[0])).join(", ");
-    const summary = `Add ${missingGroups.map((g) => g[0]).join(" and ")} to the ${callName5(call)} call`;
+    const summary = `Add ${missingGroups.map((g) => g[0]).join(" and ")} to the ${callName6(call)} call`;
     if (obj) {
       const inner = obj.getText().slice(1, -1).trim();
       const newText = inner.length > 0 ? `{ ${inner}, ${newProps} }` : `{ ${newProps} }`;
@@ -1029,7 +1120,7 @@ var fixRequiredCallWithOptions = (c, p, outcome) => {
     }
     return {
       summary,
-      suggestion: `Add an options object ({ ${newProps} }) as an argument to ${callName5(call)}.`
+      suggestion: `Add an options object ({ ${newProps} }) as an argument to ${callName6(call)}.`
     };
   }
   return {
@@ -1043,22 +1134,22 @@ JWKS must come from Privy's published JWKS endpoint for your app.`
 };
 
 // src/fixers/literalMultiplierWrongConstant.ts
-import { SyntaxKind as SyntaxKind11 } from "ts-morph";
-function callName6(call) {
+import { SyntaxKind as SyntaxKind13 } from "ts-morph";
+function callName7(call) {
   const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind11.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind11.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind11.PropertyAccessExpression).getName();
+  if (exp.getKind() === SyntaxKind13.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind13.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind13.PropertyAccessExpression).getName();
   }
   return "";
 }
 function findIdentifier(node, name) {
-  if (node.getKind() === SyntaxKind11.Identifier && node.getText() === name) return node;
-  return node.getDescendantsOfKind(SyntaxKind11.Identifier).find((id) => id.getText() === name);
+  if (node.getKind() === SyntaxKind13.Identifier && node.getText() === name) return node;
+  return node.getDescendantsOfKind(SyntaxKind13.Identifier).find((id) => id.getText() === name);
 }
 var fixLiteralMultiplierWrongConstant = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind11.CallExpression).filter((call) => callName6(call) === p.call);
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind13.CallExpression).filter((call) => callName7(call) === p.call);
   if (calls.length === 0) return void 0;
   const arg = calls[0].getArguments()[p.argIndex];
   if (!arg) return void 0;
@@ -1646,871 +1737,9 @@ function resolveRules(targetDir, extraPackDirs = []) {
   return all;
 }
 
-// src/trustGraph/directory.ts
-import { readFileSync as readFileSync6, existsSync as existsSync4 } from "fs";
-import { fileURLToPath as fileURLToPath2 } from "url";
-import { join as join8 } from "path";
-import { parse as parse3 } from "yaml";
-var cache = null;
-function bundledPath() {
-  const here = fileURLToPath2(new URL(".", import.meta.url));
-  const candidates = [
-    join8(here, "programs", "directory.yaml"),
-    // dist/programs/directory.yaml
-    join8(here, "..", "..", "programs", "directory.yaml"),
-    // src/../../programs/
-    join8(here, "..", "programs", "directory.yaml")
-    // fallback
-  ];
-  for (const c of candidates) {
-    if (existsSync4(c)) return c;
-  }
-  return candidates[0];
-}
-function loadDirectory(path = bundledPath()) {
-  if (cache && path === bundledPath()) return cache;
-  const raw = parse3(readFileSync6(path, "utf8"));
-  if (!raw || !Array.isArray(raw.programs)) {
-    throw new Error(`invalid program directory at ${path}: missing 'programs' array`);
-  }
-  const m = /* @__PURE__ */ new Map();
-  for (const p of raw.programs) {
-    if (!p.programId || !p.name) throw new Error(`directory entry missing programId/name: ${JSON.stringify(p)}`);
-    if (m.has(p.programId)) throw new Error(`directory has duplicate programId ${p.programId}`);
-    m.set(p.programId, { ...p, provenance: { ...p.provenance ?? {}, directoryFile: path } });
-  }
-  if (path === bundledPath()) cache = m;
-  return m;
-}
-
-// src/trustGraph/base58.ts
-var ALPHA = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
-var MAP = {};
-for (let i = 0; i < ALPHA.length; i++) MAP[ALPHA[i]] = i;
-function base58Encode(bytes) {
-  let zeros = 0;
-  while (zeros < bytes.length && bytes[zeros] === 0) zeros++;
-  const buf = Array.from(bytes);
-  const out = [];
-  let start = zeros;
-  while (start < buf.length) {
-    let rem = 0;
-    for (let i = start; i < buf.length; i++) {
-      const acc = rem * 256 + buf[i];
-      buf[i] = Math.floor(acc / 58);
-      rem = acc % 58;
-    }
-    out.push(rem);
-    if (buf[start] === 0) start++;
-  }
-  let s = "";
-  for (let i = 0; i < zeros; i++) s += "1";
-  for (let i = out.length - 1; i >= 0; i--) s += ALPHA[out[i]];
-  return s;
-}
-function base58Decode(s) {
-  let zeros = 0;
-  while (zeros < s.length && s[zeros] === "1") zeros++;
-  const buf = [];
-  for (let i = zeros; i < s.length; i++) {
-    const v = MAP[s[i]];
-    if (v === void 0) throw new Error(`base58: invalid char '${s[i]}' at ${i}`);
-    let carry = v;
-    for (let j = 0; j < buf.length; j++) {
-      const acc = buf[j] * 58 + carry;
-      buf[j] = acc & 255;
-      carry = acc >>> 8;
-    }
-    while (carry > 0) {
-      buf.push(carry & 255);
-      carry >>>= 8;
-    }
-  }
-  const out = new Uint8Array(zeros + buf.length);
-  for (let i = 0; i < buf.length; i++) out[zeros + buf.length - 1 - i] = buf[i];
-  return out;
-}
-function isValidSolanaAddress(s) {
-  if (typeof s !== "string" || s.length < 32 || s.length > 44) return false;
-  try {
-    return base58Decode(s).length === 32;
-  } catch {
-    return false;
-  }
-}
-
-// src/trustGraph/programCache.ts
-import { readFileSync as readFileSync7, writeFileSync, mkdirSync, existsSync as existsSync5 } from "fs";
-import { join as join9, dirname as dirname2 } from "path";
-import { homedir } from "os";
-var DEFAULT_TTL_HOURS = 168;
-var SCHEMA_VERSION = "1.0";
-function defaultCachePath() {
-  const envOverride = process.env["BRAINBLAST_CACHE_PATH"];
-  return envOverride ?? join9(homedir(), ".brainblast", "program-cache.json");
-}
-function emptyCache() {
-  return { schemaVersion: SCHEMA_VERSION, entries: {} };
-}
-function loadProgramCache(cachePath) {
-  const path = cachePath ?? defaultCachePath();
-  if (!existsSync5(path)) return emptyCache();
-  try {
-    const raw = JSON.parse(readFileSync7(path, "utf8"));
-    if (raw?.schemaVersion !== SCHEMA_VERSION) {
-      return emptyCache();
-    }
-    if (!raw.entries || typeof raw.entries !== "object") return emptyCache();
-    return { schemaVersion: SCHEMA_VERSION, entries: raw.entries };
-  } catch {
-    return emptyCache();
-  }
-}
-function saveProgramCache(cache2, cachePath) {
-  const path = cachePath ?? defaultCachePath();
-  mkdirSync(dirname2(path), { recursive: true });
-  writeFileSync(path, JSON.stringify(cache2, null, 2), "utf8");
-}
-function getCacheEntry(cache2, programId, ttlHoursOverride) {
-  const entry = cache2.entries[programId];
-  if (!entry) return null;
-  if (isEntryExpired(entry, ttlHoursOverride)) return null;
-  return entry.program;
-}
-function putCacheEntry(cache2, programId, program, sourceRun, ttlHours = DEFAULT_TTL_HOURS) {
-  cache2.entries[programId] = {
-    program,
-    cachedAt: (/* @__PURE__ */ new Date()).toISOString(),
-    sourceRun,
-    ttlHours
-  };
-  return cache2;
-}
-function getCacheEntryMeta(cache2, programId) {
-  return cache2.entries[programId] ?? null;
-}
-function isEntryExpired(entry, ttlHoursOverride) {
-  const ttl = ttlHoursOverride ?? entry.ttlHours ?? DEFAULT_TTL_HOURS;
-  if (ttl <= 0) return true;
-  const cachedMs = Date.parse(entry.cachedAt);
-  if (Number.isNaN(cachedMs)) return true;
-  const ageMs = Date.now() - cachedMs;
-  return ageMs >= ttl * 36e5;
-}
-function cacheSize(cache2, ttlHoursOverride) {
-  return Object.values(cache2.entries).filter((e) => !isEntryExpired(e, ttlHoursOverride)).length;
-}
-
-// src/trustGraph/rpc.ts
-var BPF_UPGRADEABLE_LOADER = "BPFLoaderUpgradeab1e11111111111111111111111";
-var BPF_LOADER_2 = "BPFLoader2111111111111111111111111111111111";
-var NATIVE_LOADER = "NativeLoader1111111111111111111111111111111";
-var DEFAULT_RPC = "https://api.mainnet-beta.solana.com";
-async function rpc(method, params, opts) {
-  const url = opts.rpcUrl ?? DEFAULT_RPC;
-  const fetchImpl = opts.fetchImpl ?? fetch;
-  const ac = new AbortController();
-  const t = setTimeout(() => ac.abort(), opts.timeoutMs ?? 1e4);
-  try {
-    const res = await fetchImpl(url, {
-      method: "POST",
-      headers: { "content-type": "application/json" },
-      body: JSON.stringify({ jsonrpc: "2.0", id: 1, method, params }),
-      signal: ac.signal
-    });
-    if (!res.ok) throw new Error(`rpc ${method}: HTTP ${res.status}`);
-    const body = await res.json();
-    if (body.error) throw new Error(`rpc ${method}: ${body.error.message}`);
-    if (body.result === void 0) throw new Error(`rpc ${method}: empty result`);
-    return body.result;
-  } finally {
-    clearTimeout(t);
-  }
-}
-async function getAccountInfo(address, opts = {}) {
-  if (!isValidSolanaAddress(address)) throw new Error(`invalid Solana address: ${address}`);
-  const result = await rpc(
-    "getAccountInfo",
-    [address, { encoding: "base64", commitment: "confirmed" }],
-    opts
-  );
-  if (!result || !result.value) return null;
-  const v = result.value;
-  const [b64] = v.data;
-  return {
-    owner: v.owner,
-    data: Buffer.from(b64, "base64"),
-    executable: v.executable,
-    lamports: v.lamports
-  };
-}
-async function probeUpgradeAuthority(programId, opts = {}) {
-  const acct = await getAccountInfo(programId, opts);
-  if (!acct) {
-    return {
-      kind: "unknown",
-      address: null,
-      source: "rpc",
-      checkedAt: (/* @__PURE__ */ new Date()).toISOString()
-    };
-  }
-  if (acct.owner === BPF_LOADER_2 || acct.owner === NATIVE_LOADER) {
-    return {
-      kind: "renounced",
-      address: null,
-      source: "rpc",
-      checkedAt: (/* @__PURE__ */ new Date()).toISOString()
-    };
-  }
-  if (acct.owner !== BPF_UPGRADEABLE_LOADER) {
-    throw new Error(
-      `program ${programId} is owned by ${acct.owner}, not a known loader; not a deployed program?`
-    );
-  }
-  if (acct.data.length < 36) throw new Error(`program account too small: ${acct.data.length}`);
-  const tag = acct.data[0] | acct.data[1] << 8 | acct.data[2] << 16 | acct.data[3] << 24;
-  if (tag !== 2) throw new Error(`expected Program (tag=2) state, got tag=${tag}`);
-  const programDataAddr = base58Encode(acct.data.subarray(4, 36));
-  const pd = await getAccountInfo(programDataAddr, opts);
-  if (!pd) {
-    throw new Error(`program ${programId} ProgramData ${programDataAddr} not found`);
-  }
-  if (pd.data.length < 45) throw new Error(`ProgramData account too small: ${pd.data.length}`);
-  const pdTag = pd.data[0] | pd.data[1] << 8 | pd.data[2] << 16 | pd.data[3] << 24;
-  if (pdTag !== 3) throw new Error(`expected ProgramData (tag=3), got tag=${pdTag}`);
-  const optionTag = pd.data[12];
-  const checkedAt = (/* @__PURE__ */ new Date()).toISOString();
-  if (optionTag === 0) {
-    return { kind: "renounced", address: null, source: "rpc", checkedAt };
-  }
-  if (optionTag !== 1) throw new Error(`unexpected Option tag in ProgramData: ${optionTag}`);
-  const authority = base58Encode(pd.data.subarray(13, 45));
-  return { kind: "unknown", address: authority, source: "rpc", checkedAt };
-}
-
-// src/trustGraph/build.ts
-async function buildTrustGraph(programIds, opts = {}) {
-  const dir = loadDirectory(opts.directoryPath);
-  const programs = [];
-  const unresolved = [];
-  const cacheEnabled = opts.cachePath !== null;
-  const cachePathArg = opts.cachePath === null ? void 0 : opts.cachePath;
-  const cache2 = cacheEnabled ? loadProgramCache(cachePathArg) : null;
-  const newFromRpc = [];
-  const runId = (/* @__PURE__ */ new Date()).toISOString().replace(/[-:T]/g, "").slice(0, 14);
-  const seen = /* @__PURE__ */ new Set();
-  const ordered = programIds.filter((id) => seen.has(id) ? false : (seen.add(id), true));
-  for (const id of ordered) {
-    const directoryHit = dir.get(id);
-    if (directoryHit) {
-      programs.push(directoryHit);
-      continue;
-    }
-    if (cache2) {
-      const cached = getCacheEntry(cache2, id);
-      if (cached) {
-        const meta = getCacheEntryMeta(cache2, id);
-        programs.push({
-          ...cached,
-          provenance: {
-            ...cached.provenance ?? {},
-            notes: [
-              cached.provenance?.notes,
-              `cache-hit: cachedAt=${meta.cachedAt} sourceRun=${meta.sourceRun}`
-            ].filter(Boolean).join("; ")
-          }
-        });
-        continue;
-      }
-    }
-    if (opts.probeRpc === false) {
-      unresolved.push({
-        programId: id,
-        reason: "not_in_directory_or_cache_and_rpc_disabled"
-      });
-      continue;
-    }
-    let authority;
-    try {
-      authority = await probeUpgradeAuthority(id, opts);
-    } catch (e) {
-      unresolved.push({ programId: id, reason: `rpc_error: ${e?.message ?? String(e)}` });
-      continue;
-    }
-    const probed = {
-      programId: id,
-      name: `Unknown program (${id.slice(0, 8)}\u2026)`,
-      kind: "app",
-      upgradeAuthority: authority,
-      verifiedBuild: { state: "unknown" },
-      audits: [],
-      parity: { mainnet: "unknown", devnet: "unknown" },
-      provenance: { rpcUrl: opts.rpcUrl, notes: "live-probed; not in curated directory" }
-    };
-    programs.push(probed);
-    newFromRpc.push(id);
-    if (cache2) {
-      putCacheEntry(cache2, id, probed, runId);
-    }
-  }
-  if (cache2 && newFromRpc.length > 0) {
-    saveProgramCache(cache2, cachePathArg);
-  }
-  return { programs, unresolved, generatedAt: (/* @__PURE__ */ new Date()).toISOString() };
-}
-
-// src/trustGraph/render.ts
-function renderAuthority(p) {
-  const a = p.upgradeAuthority;
-  switch (a.kind) {
-    case "renounced":
-      return "\u{1F512} **Renounced** \u2014 program is frozen; no key can upgrade it.";
-    case "single-key":
-      return `\u26A0\uFE0F **Single key** \`${a.address}\` \u2014 one private key can replace this program at any time.`;
-    case "multisig":
-      return `\u{1F510} **Multisig** \`${a.address}\` \u2014 a threshold of signers can upgrade.`;
-    case "dao":
-      return `\u{1F3DB} **DAO** \`${a.address}\` \u2014 governance program controls upgrades.`;
-    case "unknown":
-      return a.address ? `\u2753 **Unclassified authority** \`${a.address}\` \u2014 needs research to confirm single-key vs multisig/DAO.` : "\u2753 **Unknown** \u2014 could not determine upgrade authority.";
-  }
-}
-function renderVerified(p) {
-  const v = p.verifiedBuild;
-  switch (v.state) {
-    case "verified":
-      return `\u2705 Verified build${v.commit ? ` @ \`${v.commit.slice(0, 12)}\`` : ""} \u2014 [registry](${v.registryUrl})`;
-    case "unverified":
-      return "\u274C Unverified \u2014 on-chain bytecode does not match any source we trust.";
-    case "unknown":
-      return "\u2753 Verified-build status not checked.";
-  }
-}
-function renderAudits(p) {
-  if (!p.audits.length) return "_No audits on file._";
-  return p.audits.map((a) => `- ${a.firm} (${a.date}) \u2014 [report](${a.reportUrl})${a.auditedCommit ? ` @ \`${a.auditedCommit.slice(0, 12)}\`` : ""}`).join("\n");
-}
-function renderParity(p) {
-  const { mainnet, devnet, testnet, notes } = p.parity;
-  const cells = [`mainnet=\`${mainnet}\``, `devnet=\`${devnet}\``];
-  if (testnet) cells.push(`testnet=\`${testnet}\``);
-  return cells.join(" \xB7 ") + (notes ? `  
-  _${notes}_` : "");
-}
-function renderProgram(p) {
-  return [
-    `### ${p.name}`,
-    "",
-    `\`${p.programId}\`${p.kind ? ` \xB7 kind: \`${p.kind}\`` : ""}`,
-    "",
-    `- **Upgrade authority:** ${renderAuthority(p)}`,
-    `- **Verified build:** ${renderVerified(p)}`,
-    `- **Parity:** ${renderParity(p)}`,
-    `- **Audits:**
-${renderAudits(p).split("\n").map((l) => "  " + l).join("\n")}`,
-    p.invokes && p.invokes.length ? `- **Invokes (CPI):** ${p.invokes.map((id) => `\`${id}\``).join(", ")}` : ""
-  ].filter(Boolean).join("\n");
-}
-function renderTrustGraphMd(g) {
-  const head = [
-    "# Trust Graph",
-    "",
-    `_Generated ${g.generatedAt}._`,
-    "",
-    "Every program your code transitively invokes, with the authority that controls it, the build-verification status, and the audits we found.",
-    ""
-  ].join("\n");
-  const body = g.programs.map(renderProgram).join("\n\n---\n\n");
-  const tail = g.unresolved.length ? [
-    "",
-    "---",
-    "",
-    "## Unresolved",
-    "",
-    ...g.unresolved.map((u) => `- \`${u.programId}\` \u2014 ${u.reason}`)
-  ].join("\n") : "";
-  return head + body + tail + "\n";
-}
-
-// src/costAnalysis.ts
-import { Project as Project2, SyntaxKind as SyntaxKind12 } from "ts-morph";
-var LAMPORTS_PER_BYTE_YEAR = 3480;
-var EXEMPTION_THRESHOLD = 2;
-var OVERHEAD_BYTES = 128;
-var LAMPORTS_PER_SOL = 1e9;
-function rentExemptMinimum(dataLen) {
-  return (dataLen + OVERHEAD_BYTES) * LAMPORTS_PER_BYTE_YEAR * EXEMPTION_THRESHOLD;
-}
-function lamportsToSol(lamports) {
-  return (lamports / LAMPORTS_PER_SOL).toFixed(9).replace(/\.?0+$/, "");
-}
-var KNOWN_FLOWS = [
-  {
-    call: "createMint",
-    module: "@solana/spl-token",
-    accountType: "SPL Token Mint",
-    dataLen: 82,
-    recoverability: "conditionally-recoverable",
-    recoverabilityNote: "Recoverable via `closeAccount` on the mint \u2014 requires mint supply = 0 and mint authority disabled. Most production mints never meet these conditions."
-  },
-  {
-    call: "createAssociatedTokenAccount",
-    module: "@solana/spl-token",
-    accountType: "Associated Token Account (ATA)",
-    dataLen: 165,
-    recoverability: "recoverable",
-    recoverabilityNote: "Recovered by calling `closeAccount`; lamports return to the destination wallet. Requires zero token balance."
-  },
-  {
-    call: "createAssociatedTokenAccountIdempotent",
-    module: "@solana/spl-token",
-    accountType: "Associated Token Account (ATA, idempotent)",
-    dataLen: 165,
-    recoverability: "recoverable",
-    recoverabilityNote: "Recovered by calling `closeAccount`; lamports return to the destination wallet. Requires zero token balance."
-  },
-  {
-    call: "createAccount",
-    module: "@solana/spl-token",
-    accountType: "SPL Token Account (explicit)",
-    dataLen: 165,
-    recoverability: "recoverable",
-    recoverabilityNote: "Recovered by calling `closeAccount`; lamports return to the destination wallet. Requires zero token balance."
-  },
-  {
-    call: "createV1",
-    module: "@metaplex-foundation/mpl-token-metadata",
-    accountType: "Metaplex Token Metadata",
-    // Base metadata: 1(key) + 32(update_auth) + 32(mint) + 4+name + 4+symbol + 4+uri
-    // + 2(seller_fee) + 1(creators opt) + 1(primary_sale) + 1(is_mutable) ≈ 679 bytes typical
-    dataLen: 679,
-    recoverability: "non-recoverable",
-    recoverabilityNote: "Metaplex metadata accounts cannot be closed. The lamport lockup is permanent for the lifetime of the token."
-  },
-  {
-    call: "createNft",
-    module: "@metaplex-foundation/mpl-token-metadata",
-    accountType: "Metaplex NFT Metadata",
-    dataLen: 679,
-    recoverability: "non-recoverable",
-    recoverabilityNote: "Metaplex metadata accounts cannot be closed. The lamport lockup is permanent."
-  },
-  {
-    call: "createAndMint",
-    module: "@metaplex-foundation/mpl-token-metadata",
-    accountType: "Metaplex Token Metadata + Mint",
-    dataLen: 679 + 82,
-    // metadata + mint
-    recoverability: "non-recoverable",
-    recoverabilityNote: "Metadata accounts cannot be closed. Mint rent is conditionally recoverable (requires 0 supply + disabled authority)."
-  },
-  {
-    call: "createFungible",
-    module: "@metaplex-foundation/mpl-token-metadata",
-    accountType: "Metaplex Fungible Token Metadata",
-    dataLen: 679,
-    recoverability: "non-recoverable",
-    recoverabilityNote: "Metaplex metadata accounts cannot be closed. The lamport lockup is permanent."
-  }
-];
-var LOOP_NODE_KINDS = /* @__PURE__ */ new Set([
-  SyntaxKind12.ForStatement,
-  SyntaxKind12.ForOfStatement,
-  SyntaxKind12.ForInStatement,
-  SyntaxKind12.WhileStatement,
-  SyntaxKind12.DoStatement
-]);
-var ARRAY_METHOD_LOOPS = /* @__PURE__ */ new Set(["map", "forEach", "flatMap", "reduce", "filter"]);
-function isInsideLoop(node) {
-  let cur = node;
-  while (cur) {
-    const k = cur.getKind?.();
-    if (k !== void 0 && LOOP_NODE_KINDS.has(k)) {
-      return { scalable: true, note: `call is inside a ${SyntaxKind12[k]} \u2014 cost scales with loop iterations` };
-    }
-    if (k === SyntaxKind12.CallExpression) {
-      const expr = cur.getExpression?.();
-      if (expr?.getKind?.() === SyntaxKind12.PropertyAccessExpression) {
-        const name = expr.asKind?.(SyntaxKind12.PropertyAccessExpression)?.getName?.();
-        if (name && ARRAY_METHOD_LOOPS.has(name)) {
-          return { scalable: true, note: `call is inside .${name}() \u2014 cost scales with array length` };
-        }
-      }
-    }
-    cur = cur.getParent?.();
-  }
-  return { scalable: false };
-}
-function detectPriorityFee(targetDir) {
-  const project = new Project2({ skipAddingFilesFromTsConfig: true });
-  for (const file of walk(targetDir)) {
-    const sf = project.addSourceFileAtPath(file);
-    const calls = sf.getDescendantsOfKind(SyntaxKind12.CallExpression);
-    for (const ce of calls) {
-      const expr = ce.getExpression();
-      const text = expr.getText();
-      if (text.includes("setComputeUnitPrice")) {
-        return {
-          found: true,
-          file,
-          line: ce.getStartLineNumber(),
-          detail: `ComputeBudgetProgram.setComputeUnitPrice detected at ${file}:${ce.getStartLineNumber()} \u2014 priority fee configured.`
-        };
-      }
-    }
-  }
-  return {
-    found: false,
-    detail: "No setComputeUnitPrice call detected. During network congestion, transactions without a priority fee may stall or be dropped. Add ComputeBudgetProgram.setComputeUnitPrice() to critical transaction paths."
-  };
-}
-function detectAccountFlows(targetDir) {
-  const project = new Project2({ skipAddingFilesFromTsConfig: true });
-  const callIndex = new Map(KNOWN_FLOWS.map((f) => [f.call, f]));
-  const flows = [];
-  for (const file of walk(targetDir)) {
-    const sf = project.addSourceFileAtPath(file);
-    const importedModules = new Set(
-      sf.getImportDeclarations().map((d) => d.getModuleSpecifierValue())
-    );
-    for (const ce of sf.getDescendantsOfKind(SyntaxKind12.CallExpression)) {
-      const expr = ce.getExpression();
-      let callName7 = null;
-      if (expr.getKind() === SyntaxKind12.Identifier) {
-        callName7 = expr.getText();
-      } else if (expr.getKind() === SyntaxKind12.PropertyAccessExpression) {
-        callName7 = expr.asKind(SyntaxKind12.PropertyAccessExpression).getName();
-      }
-      if (!callName7) continue;
-      const known = callIndex.get(callName7);
-      if (!known) continue;
-      if (!importedModules.has(known.module)) continue;
-      const lamports = rentExemptMinimum(known.dataLen);
-      const { scalable, note } = isInsideLoop(ce);
-      flows.push({
-        call: callName7,
-        module: known.module,
-        accountType: known.accountType,
-        file,
-        line: ce.getStartLineNumber(),
-        dataLen: known.dataLen,
-        lamports,
-        sol: lamportsToSol(lamports),
-        recoverability: known.recoverability,
-        recoverabilityNote: known.recoverabilityNote,
-        scalable,
-        scalableNote: note
-      });
-    }
-  }
-  return flows;
-}
-function analyzeCosts(targetDir) {
-  const accountFlows = detectAccountFlows(targetDir);
-  const priorityFee = detectPriorityFee(targetDir);
-  const staticFlows = accountFlows.filter((f) => !f.scalable);
-  const scalableFlows = accountFlows.filter((f) => f.scalable);
-  const totalLockupLamports = staticFlows.reduce((s, f) => s + f.lamports, 0);
-  return {
-    accountFlows,
-    priorityFee,
-    totalLockupLamports,
-    totalLockupSol: lamportsToSol(totalLockupLamports),
-    scalableFlows,
-    generatedAt: (/* @__PURE__ */ new Date()).toISOString()
-  };
-}
-function renderCostReportMd(r) {
-  const lines = ["## Cost & Rent Analysis\n"];
-  if (r.priorityFee.found) {
-    lines.push(`\u2705 **Priority fee configured** \u2014 \`setComputeUnitPrice\` detected.`);
-    lines.push(`   ${r.priorityFee.detail}
-`);
-  } else {
-    lines.push(`\u26A0\uFE0F  **HIGH \u2014 Priority fee not configured**`);
-    lines.push(`   ${r.priorityFee.detail}
-`);
-  }
-  if (r.accountFlows.length === 0) {
-    lines.push("_No account-creation calls from tracked modules detected._\n");
-    return lines.join("\n");
-  }
-  lines.push("### Account Creation Flows\n");
-  lines.push("| Call | Account Type | Data | Lamports Locked | SOL | Recoverable? |");
-  lines.push("|------|-------------|------|-----------------|-----|--------------|");
-  for (const f of r.accountFlows) {
-    const file = f.file.split("/").slice(-2).join("/");
-    const recov = f.recoverability === "recoverable" ? "\u2705 Yes" : f.recoverability === "conditionally-recoverable" ? "\u26A0\uFE0F  Conditional" : "\u274C No";
-    const scaleMark = f.scalable ? " \u{1F504}" : "";
-    lines.push(
-      `| \`${f.call}\`${scaleMark} (${file}:${f.line}) | ${f.accountType} | ${f.dataLen} B | ${f.lamports.toLocaleString()} | ${f.sol} SOL | ${recov} |`
-    );
-  }
-  lines.push("");
-  const unique = /* @__PURE__ */ new Map();
-  for (const f of r.accountFlows) unique.set(f.accountType, f.recoverabilityNote);
-  lines.push("**Recoverability notes:**");
-  for (const [type, note] of unique) lines.push(`- **${type}:** ${note}`);
-  lines.push("");
-  if (r.totalLockupLamports > 0) {
-    lines.push(
-      `**Total static lockup: ${r.totalLockupLamports.toLocaleString()} lamports (~${r.totalLockupSol} SOL)**`
-    );
-    lines.push(
-      `_(Excludes ${r.scalableFlows.length} scalable flow(s) whose cost grows with N \u2014 see below.)_
-`
-    );
-  }
-  if (r.scalableFlows.length > 0) {
-    lines.push("### Scalable Cost Flows (cost grows with N)\n");
-    for (const f of r.scalableFlows) {
-      const file = f.file.split("/").slice(-2).join("/");
-      lines.push(
-        `- **\`${f.call}\`** at \`${file}:${f.line}\` \u2014 ${f.scalableNote}
-  Per-iteration cost: ${f.lamports.toLocaleString()} lamports (${f.sol} SOL) for each ${f.accountType}.`
-      );
-    }
-    lines.push("");
-  }
-  return lines.join("\n");
-}
-
-// src/watch.ts
-import { watch as fsWatch } from "fs";
-function runIncrementalScan(targetDir, rules2, emit) {
-  const start = Date.now();
-  let changedRanges;
-  try {
-    changedRanges = getWorkingTreeChanges(targetDir);
-  } catch (e) {
-    emit({ type: "scan_error", message: e?.message ?? String(e) });
-    return;
-  }
-  if (changedRanges.size === 0) {
-    emit({ type: "scan_complete", filesChanged: 0, findings: 0, durationMs: Date.now() - start });
-    return;
-  }
-  const { checks } = audit(targetDir, rules2, changedRanges);
-  let findings = 0;
-  for (const c of checks) {
-    if (c.result === "pass") continue;
-    findings++;
-    emit({
-      type: "finding",
-      ruleId: c.ruleId,
-      severity: c.severity,
-      result: c.result,
-      file: c.file,
-      line: c.line,
-      detail: c.detail,
-      ...c.fix ? { fix: c.fix } : {}
-    });
-  }
-  emit({ type: "scan_complete", filesChanged: changedRanges.size, findings, durationMs: Date.now() - start });
-}
-function startWatch(targetDir, opts = {}) {
-  const debounceMs = opts.debounceMs ?? 300;
-  const emit = opts.emit ?? ((e) => process.stdout.write(JSON.stringify(e) + "\n"));
-  const rules2 = resolveRules(targetDir);
-  let timer;
-  const scheduleScan = () => {
-    if (timer) clearTimeout(timer);
-    timer = setTimeout(() => runIncrementalScan(targetDir, rules2, emit), debounceMs);
-  };
-  const watcher = fsWatch(targetDir, { recursive: true }, (_event, filename) => {
-    if (!filename) return;
-    const parts = filename.split(/[\\/]/);
-    if (parts.some((p) => SKIP_DIRS.has(p))) return;
-    scheduleScan();
-  });
-  emit({ type: "watch_started", targetDir });
-  return {
-    close: () => {
-      if (timer) clearTimeout(timer);
-      watcher.close();
-    }
-  };
-}
-
-// src/fixers/applyDiff.ts
-import { readFileSync as readFileSync8, writeFileSync as writeFileSync2 } from "fs";
-function parseDiff(diff) {
-  const lines = diff.split("\n");
-  const fileLine = lines.find((l) => l.startsWith("+++ b"));
-  if (!fileLine) throw new Error("parseDiff: no '+++ b<path>' line found");
-  const filePath = fileLine.slice("+++ b".length);
-  const hunkLine = lines.find((l) => l.startsWith("@@"));
-  if (!hunkLine) throw new Error("parseDiff: no hunk header found");
-  const m = hunkLine.match(/^@@ -(\d+),(\d+) \+\d+,\d+ @@/);
-  if (!m) throw new Error(`parseDiff: unrecognized hunk header '${hunkLine}'`);
-  const oldStart = Number(m[1]);
-  const oldCount = Number(m[2]);
-  const newLines = lines.filter((l) => l.startsWith("+") && !l.startsWith("+++")).map((l) => l.slice(1));
-  return { filePath, oldStart, oldCount, newLines };
-}
-function applyDiffToFile(diff) {
-  const { filePath, oldStart, oldCount, newLines } = parseDiff(diff);
-  const content = readFileSync8(filePath, "utf8");
-  const fileLines = content.split("\n");
-  const removedLines = diff.split("\n").filter((l) => l.startsWith("-") && !l.startsWith("---")).map((l) => l.slice(1));
-  const actual = fileLines.slice(oldStart - 1, oldStart - 1 + oldCount);
-  if (JSON.stringify(actual) !== JSON.stringify(removedLines)) return false;
-  fileLines.splice(oldStart - 1, oldCount, ...newLines);
-  writeFileSync2(filePath, fileLines.join("\n"));
-  return true;
-}
-
-// src/pack.ts
-import { existsSync as existsSync6, mkdirSync as mkdirSync2, writeFileSync as writeFileSync3 } from "fs";
-import { join as join10 } from "path";
-function initPack(dir, opts) {
-  if (existsSync6(join10(dir, PACK_MANIFEST_FILE))) {
-    throw new Error(`${dir} already contains a ${PACK_MANIFEST_FILE}`);
-  }
-  const manifest = {
-    id: opts.id,
-    name: opts.name ?? opts.id,
-    version: opts.version ?? "0.1.0",
-    author: opts.author ?? "unknown",
-    ...opts.description ? { description: opts.description } : {}
-  };
-  mkdirSync2(dir, { recursive: true });
-  mkdirSync2(join10(dir, "rules"), { recursive: true });
-  mkdirSync2(join10(dir, "fixtures"), { recursive: true });
-  const manifestYaml = [
-    `id: ${manifest.id}`,
-    `name: ${manifest.name}`,
-    `version: ${manifest.version}`,
-    `author: ${manifest.author}`,
-    ...manifest.description ? [`description: ${manifest.description}`] : [],
-    ""
-  ].join("\n");
-  const manifestFile = join10(dir, PACK_MANIFEST_FILE);
-  writeFileSync3(manifestFile, manifestYaml, "utf8");
-  return manifestFile;
-}
-function validatePack(dir) {
-  const { manifest, rules: rules2 } = loadPack(dir);
-  const fixturesRoot = join10(dir, "fixtures");
-  const ruleResults = rules2.map((rule) => {
-    const ruleFixturesDir = join10(fixturesRoot, rule.id);
-    const vulnerableDir = join10(ruleFixturesDir, "vulnerable");
-    const fixedDir = join10(ruleFixturesDir, "fixed");
-    if (!existsSync6(vulnerableDir) || !existsSync6(fixedDir)) {
-      return {
-        ruleId: rule.id,
-        status: "missing-fixtures",
-        detail: `no fixtures/${rule.id}/{vulnerable,fixed}/ directory \u2014 prove gate skipped`
-      };
-    }
-    const redChecks = auditWithRule(vulnerableDir, rule);
-    const redFails = redChecks.filter((c) => c.result === "fail");
-    if (redFails.length === 0) {
-      return {
-        ruleId: rule.id,
-        status: "red-failed",
-        detail: `expected at least one FAIL against fixtures/${rule.id}/vulnerable/, got none`
-      };
-    }
-    const greenChecks = auditWithRule(fixedDir, rule);
-    const greenFails = greenChecks.filter((c) => c.result === "fail");
-    if (greenFails.length > 0) {
-      return {
-        ruleId: rule.id,
-        status: "green-failed",
-        detail: `expected no FAIL against fixtures/${rule.id}/fixed/, got ${greenFails.length}`
-      };
-    }
-    return { ruleId: rule.id, status: "ok", detail: "RED -> GREEN proven" };
-  });
-  const ok = ruleResults.every((r) => r.status === "ok" || r.status === "missing-fixtures");
-  return { manifest, rules: rules2, ruleResults, ok };
-}
-
-// src/telemetry.ts
-import { createHash, randomUUID } from "crypto";
-import { appendFileSync, existsSync as existsSync7, mkdirSync as mkdirSync3, readFileSync as readFileSync9, writeFileSync as writeFileSync4 } from "fs";
-import { execFileSync as execFileSync3 } from "child_process";
-import { homedir as homedir2 } from "os";
-import { dirname as dirname3, join as join11, resolve } from "path";
-function sha256Hex(s) {
-  return createHash("sha256").update(s).digest("hex");
-}
-function isTelemetryEnabled(targetDir) {
-  const env = process.env.BRAINBLAST_TELEMETRY;
-  if (env === "1" || env === "true") return true;
-  if (env === "0" || env === "false") return false;
-  const configPath = join11(targetDir, ".agent-research", "config.json");
-  if (!existsSync7(configPath)) return false;
-  try {
-    const cfg = JSON.parse(readFileSync9(configPath, "utf8"));
-    return cfg?.telemetry === true;
-  } catch {
-    return false;
-  }
-}
-function getUserHash() {
-  const idPath = join11(homedir2(), ".brainblast", "telemetry-id");
-  let id;
-  if (existsSync7(idPath)) {
-    id = readFileSync9(idPath, "utf8").trim();
-  } else {
-    id = randomUUID();
-    mkdirSync3(dirname3(idPath), { recursive: true });
-    writeFileSync4(idPath, id, "utf8");
-  }
-  return sha256Hex(id).slice(0, 16);
-}
-function getRepoHash(targetDir) {
-  let key = "";
-  try {
-    key = execFileSync3("git", ["config", "--get", "remote.origin.url"], {
-      cwd: targetDir,
-      encoding: "utf8",
-      stdio: ["ignore", "pipe", "ignore"]
-    }).trim();
-  } catch {
-  }
-  if (!key) key = resolve(targetDir);
-  return sha256Hex(key).slice(0, 16);
-}
-function telemetryFilePath(targetDir) {
-  return join11(targetDir, ".agent-research", "telemetry.ndjson");
-}
-var DEFAULT_REGISTRY_URL = "https://registry.brainblast.tech";
-async function submitTelemetry(targetDir, registryUrl = process.env.BRAINBLAST_REGISTRY_URL || DEFAULT_REGISTRY_URL) {
-  const file = telemetryFilePath(targetDir);
-  if (!existsSync7(file)) {
-    return { submitted: 0, accepted: 0, rejected: 0, graduations: [] };
-  }
-  const events = readFileSync9(file, "utf8").trim().split("\n").filter(Boolean).map((line) => JSON.parse(line));
-  if (events.length === 0) {
-    return { submitted: 0, accepted: 0, rejected: 0, graduations: [] };
-  }
-  const res = await fetch(`${registryUrl.replace(/\/$/, "")}/api/telemetry`, {
-    method: "POST",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify({ events })
-  });
-  if (!res.ok) {
-    const body = await res.text().catch(() => "");
-    throw new Error(`telemetry submit failed: ${res.status} ${res.statusText} ${body}`.trim());
-  }
-  const json = await res.json();
-  return { submitted: events.length, ...json };
-}
-function recordGraduationEvents(targetDir, events) {
-  if (events.length === 0) return;
-  const file = telemetryFilePath(targetDir);
-  mkdirSync3(dirname3(file), { recursive: true });
-  const repo_hash = getRepoHash(targetDir);
-  const user_hash = getUserHash();
-  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
-  const lines = events.map((e) => JSON.stringify({ ...e, repo_hash, user_hash, timestamp })).join("\n");
-  appendFileSync(file, lines + "\n", "utf8");
-}
-
 export {
+  SKIP_DIRS,
+  walk,
   findCandidates,
   findConfigCandidates,
   runChecker,
@@ -2529,37 +1758,5 @@ export {
   loadPack,
   loadPacksFromDir,
   rules,
-  resolveRules,
-  loadDirectory,
-  base58Encode,
-  base58Decode,
-  isValidSolanaAddress,
-  DEFAULT_TTL_HOURS,
-  defaultCachePath,
-  loadProgramCache,
-  saveProgramCache,
-  getCacheEntry,
-  putCacheEntry,
-  getCacheEntryMeta,
-  isEntryExpired,
-  cacheSize,
-  buildTrustGraph,
-  renderTrustGraphMd,
-  rentExemptMinimum,
-  lamportsToSol,
-  analyzeCosts,
-  renderCostReportMd,
-  runIncrementalScan,
-  startWatch,
-  parseDiff,
-  applyDiffToFile,
-  initPack,
-  validatePack,
-  isTelemetryEnabled,
-  getUserHash,
-  getRepoHash,
-  telemetryFilePath,
-  DEFAULT_REGISTRY_URL,
-  submitTelemetry,
-  recordGraduationEvents
+  resolveRules
 };