brainblast 0.5.2 → 0.6.0

package/dist/chunk-ZZ6LBZV5.js

@@ -0,0 +1,909 @@
+import {
+  PACK_MANIFEST_FILE,
+  SKIP_DIRS,
+  audit,
+  auditWithRule,
+  getWorkingTreeChanges,
+  loadPack,
+  resolveRules,
+  walk
+} from "./chunk-A56IF3UX.js";
+
+// src/trustGraph/directory.ts
+import { readFileSync, existsSync } from "fs";
+import { fileURLToPath } from "url";
+import { join } from "path";
+import { parse } from "yaml";
+var cache = null;
+function bundledPath() {
+  const here = fileURLToPath(new URL(".", import.meta.url));
+  const candidates = [
+    join(here, "programs", "directory.yaml"),
+    // dist/programs/directory.yaml
+    join(here, "..", "..", "programs", "directory.yaml"),
+    // src/../../programs/
+    join(here, "..", "programs", "directory.yaml")
+    // fallback
+  ];
+  for (const c of candidates) {
+    if (existsSync(c)) return c;
+  }
+  return candidates[0];
+}
+function loadDirectory(path = bundledPath()) {
+  if (cache && path === bundledPath()) return cache;
+  const raw = parse(readFileSync(path, "utf8"));
+  if (!raw || !Array.isArray(raw.programs)) {
+    throw new Error(`invalid program directory at ${path}: missing 'programs' array`);
+  }
+  const m = /* @__PURE__ */ new Map();
+  for (const p of raw.programs) {
+    if (!p.programId || !p.name) throw new Error(`directory entry missing programId/name: ${JSON.stringify(p)}`);
+    if (m.has(p.programId)) throw new Error(`directory has duplicate programId ${p.programId}`);
+    m.set(p.programId, { ...p, provenance: { ...p.provenance ?? {}, directoryFile: path } });
+  }
+  if (path === bundledPath()) cache = m;
+  return m;
+}
+
+// src/trustGraph/base58.ts
+var ALPHA = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+var MAP = {};
+for (let i = 0; i < ALPHA.length; i++) MAP[ALPHA[i]] = i;
+function base58Encode(bytes) {
+  let zeros = 0;
+  while (zeros < bytes.length && bytes[zeros] === 0) zeros++;
+  const buf = Array.from(bytes);
+  const out = [];
+  let start = zeros;
+  while (start < buf.length) {
+    let rem = 0;
+    for (let i = start; i < buf.length; i++) {
+      const acc = rem * 256 + buf[i];
+      buf[i] = Math.floor(acc / 58);
+      rem = acc % 58;
+    }
+    out.push(rem);
+    if (buf[start] === 0) start++;
+  }
+  let s = "";
+  for (let i = 0; i < zeros; i++) s += "1";
+  for (let i = out.length - 1; i >= 0; i--) s += ALPHA[out[i]];
+  return s;
+}
+function base58Decode(s) {
+  let zeros = 0;
+  while (zeros < s.length && s[zeros] === "1") zeros++;
+  const buf = [];
+  for (let i = zeros; i < s.length; i++) {
+    const v = MAP[s[i]];
+    if (v === void 0) throw new Error(`base58: invalid char '${s[i]}' at ${i}`);
+    let carry = v;
+    for (let j = 0; j < buf.length; j++) {
+      const acc = buf[j] * 58 + carry;
+      buf[j] = acc & 255;
+      carry = acc >>> 8;
+    }
+    while (carry > 0) {
+      buf.push(carry & 255);
+      carry >>>= 8;
+    }
+  }
+  const out = new Uint8Array(zeros + buf.length);
+  for (let i = 0; i < buf.length; i++) out[zeros + buf.length - 1 - i] = buf[i];
+  return out;
+}
+function isValidSolanaAddress(s) {
+  if (typeof s !== "string" || s.length < 32 || s.length > 44) return false;
+  try {
+    return base58Decode(s).length === 32;
+  } catch {
+    return false;
+  }
+}
+
+// src/trustGraph/programCache.ts
+import { readFileSync as readFileSync2, writeFileSync, mkdirSync, existsSync as existsSync2 } from "fs";
+import { join as join2, dirname } from "path";
+import { homedir } from "os";
+var DEFAULT_TTL_HOURS = 168;
+var SCHEMA_VERSION = "1.0";
+function defaultCachePath() {
+  const envOverride = process.env["BRAINBLAST_CACHE_PATH"];
+  return envOverride ?? join2(homedir(), ".brainblast", "program-cache.json");
+}
+function emptyCache() {
+  return { schemaVersion: SCHEMA_VERSION, entries: {} };
+}
+function loadProgramCache(cachePath) {
+  const path = cachePath ?? defaultCachePath();
+  if (!existsSync2(path)) return emptyCache();
+  try {
+    const raw = JSON.parse(readFileSync2(path, "utf8"));
+    if (raw?.schemaVersion !== SCHEMA_VERSION) {
+      return emptyCache();
+    }
+    if (!raw.entries || typeof raw.entries !== "object") return emptyCache();
+    return { schemaVersion: SCHEMA_VERSION, entries: raw.entries };
+  } catch {
+    return emptyCache();
+  }
+}
+function saveProgramCache(cache2, cachePath) {
+  const path = cachePath ?? defaultCachePath();
+  mkdirSync(dirname(path), { recursive: true });
+  writeFileSync(path, JSON.stringify(cache2, null, 2), "utf8");
+}
+function getCacheEntry(cache2, programId, ttlHoursOverride) {
+  const entry = cache2.entries[programId];
+  if (!entry) return null;
+  if (isEntryExpired(entry, ttlHoursOverride)) return null;
+  return entry.program;
+}
+function putCacheEntry(cache2, programId, program, sourceRun, ttlHours = DEFAULT_TTL_HOURS) {
+  cache2.entries[programId] = {
+    program,
+    cachedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    sourceRun,
+    ttlHours
+  };
+  return cache2;
+}
+function getCacheEntryMeta(cache2, programId) {
+  return cache2.entries[programId] ?? null;
+}
+function isEntryExpired(entry, ttlHoursOverride) {
+  const ttl = ttlHoursOverride ?? entry.ttlHours ?? DEFAULT_TTL_HOURS;
+  if (ttl <= 0) return true;
+  const cachedMs = Date.parse(entry.cachedAt);
+  if (Number.isNaN(cachedMs)) return true;
+  const ageMs = Date.now() - cachedMs;
+  return ageMs >= ttl * 36e5;
+}
+function cacheSize(cache2, ttlHoursOverride) {
+  return Object.values(cache2.entries).filter((e) => !isEntryExpired(e, ttlHoursOverride)).length;
+}
+
+// src/trustGraph/rpc.ts
+var BPF_UPGRADEABLE_LOADER = "BPFLoaderUpgradeab1e11111111111111111111111";
+var BPF_LOADER_2 = "BPFLoader2111111111111111111111111111111111";
+var NATIVE_LOADER = "NativeLoader1111111111111111111111111111111";
+var DEFAULT_RPC = "https://api.mainnet-beta.solana.com";
+async function rpc(method, params, opts) {
+  const url = opts.rpcUrl ?? DEFAULT_RPC;
+  const fetchImpl = opts.fetchImpl ?? fetch;
+  const ac = new AbortController();
+  const t = setTimeout(() => ac.abort(), opts.timeoutMs ?? 1e4);
+  try {
+    const res = await fetchImpl(url, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ jsonrpc: "2.0", id: 1, method, params }),
+      signal: ac.signal
+    });
+    if (!res.ok) throw new Error(`rpc ${method}: HTTP ${res.status}`);
+    const body = await res.json();
+    if (body.error) throw new Error(`rpc ${method}: ${body.error.message}`);
+    if (body.result === void 0) throw new Error(`rpc ${method}: empty result`);
+    return body.result;
+  } finally {
+    clearTimeout(t);
+  }
+}
+async function getAccountInfo(address, opts = {}) {
+  if (!isValidSolanaAddress(address)) throw new Error(`invalid Solana address: ${address}`);
+  const result = await rpc(
+    "getAccountInfo",
+    [address, { encoding: "base64", commitment: "confirmed" }],
+    opts
+  );
+  if (!result || !result.value) return null;
+  const v = result.value;
+  const [b64] = v.data;
+  return {
+    owner: v.owner,
+    data: Buffer.from(b64, "base64"),
+    executable: v.executable,
+    lamports: v.lamports
+  };
+}
+async function probeUpgradeAuthority(programId, opts = {}) {
+  const acct = await getAccountInfo(programId, opts);
+  if (!acct) {
+    return {
+      kind: "unknown",
+      address: null,
+      source: "rpc",
+      checkedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  if (acct.owner === BPF_LOADER_2 || acct.owner === NATIVE_LOADER) {
+    return {
+      kind: "renounced",
+      address: null,
+      source: "rpc",
+      checkedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  if (acct.owner !== BPF_UPGRADEABLE_LOADER) {
+    throw new Error(
+      `program ${programId} is owned by ${acct.owner}, not a known loader; not a deployed program?`
+    );
+  }
+  if (acct.data.length < 36) throw new Error(`program account too small: ${acct.data.length}`);
+  const tag = acct.data[0] | acct.data[1] << 8 | acct.data[2] << 16 | acct.data[3] << 24;
+  if (tag !== 2) throw new Error(`expected Program (tag=2) state, got tag=${tag}`);
+  const programDataAddr = base58Encode(acct.data.subarray(4, 36));
+  const pd = await getAccountInfo(programDataAddr, opts);
+  if (!pd) {
+    throw new Error(`program ${programId} ProgramData ${programDataAddr} not found`);
+  }
+  if (pd.data.length < 45) throw new Error(`ProgramData account too small: ${pd.data.length}`);
+  const pdTag = pd.data[0] | pd.data[1] << 8 | pd.data[2] << 16 | pd.data[3] << 24;
+  if (pdTag !== 3) throw new Error(`expected ProgramData (tag=3), got tag=${pdTag}`);
+  const optionTag = pd.data[12];
+  const checkedAt = (/* @__PURE__ */ new Date()).toISOString();
+  if (optionTag === 0) {
+    return { kind: "renounced", address: null, source: "rpc", checkedAt };
+  }
+  if (optionTag !== 1) throw new Error(`unexpected Option tag in ProgramData: ${optionTag}`);
+  const authority = base58Encode(pd.data.subarray(13, 45));
+  return { kind: "unknown", address: authority, source: "rpc", checkedAt };
+}
+
+// src/trustGraph/build.ts
+async function buildTrustGraph(programIds, opts = {}) {
+  const dir = loadDirectory(opts.directoryPath);
+  const programs = [];
+  const unresolved = [];
+  const cacheEnabled = opts.cachePath !== null;
+  const cachePathArg = opts.cachePath === null ? void 0 : opts.cachePath;
+  const cache2 = cacheEnabled ? loadProgramCache(cachePathArg) : null;
+  const newFromRpc = [];
+  const runId = (/* @__PURE__ */ new Date()).toISOString().replace(/[-:T]/g, "").slice(0, 14);
+  const seen = /* @__PURE__ */ new Set();
+  const ordered = programIds.filter((id) => seen.has(id) ? false : (seen.add(id), true));
+  for (const id of ordered) {
+    const directoryHit = dir.get(id);
+    if (directoryHit) {
+      programs.push(directoryHit);
+      continue;
+    }
+    if (cache2) {
+      const cached = getCacheEntry(cache2, id);
+      if (cached) {
+        const meta = getCacheEntryMeta(cache2, id);
+        programs.push({
+          ...cached,
+          provenance: {
+            ...cached.provenance ?? {},
+            notes: [
+              cached.provenance?.notes,
+              `cache-hit: cachedAt=${meta.cachedAt} sourceRun=${meta.sourceRun}`
+            ].filter(Boolean).join("; ")
+          }
+        });
+        continue;
+      }
+    }
+    if (opts.probeRpc === false) {
+      unresolved.push({
+        programId: id,
+        reason: "not_in_directory_or_cache_and_rpc_disabled"
+      });
+      continue;
+    }
+    let authority;
+    try {
+      authority = await probeUpgradeAuthority(id, opts);
+    } catch (e) {
+      unresolved.push({ programId: id, reason: `rpc_error: ${e?.message ?? String(e)}` });
+      continue;
+    }
+    const probed = {
+      programId: id,
+      name: `Unknown program (${id.slice(0, 8)}\u2026)`,
+      kind: "app",
+      upgradeAuthority: authority,
+      verifiedBuild: { state: "unknown" },
+      audits: [],
+      parity: { mainnet: "unknown", devnet: "unknown" },
+      provenance: { rpcUrl: opts.rpcUrl, notes: "live-probed; not in curated directory" }
+    };
+    programs.push(probed);
+    newFromRpc.push(id);
+    if (cache2) {
+      putCacheEntry(cache2, id, probed, runId);
+    }
+  }
+  if (cache2 && newFromRpc.length > 0) {
+    saveProgramCache(cache2, cachePathArg);
+  }
+  return { programs, unresolved, generatedAt: (/* @__PURE__ */ new Date()).toISOString() };
+}
+
+// src/trustGraph/render.ts
+function renderAuthority(p) {
+  const a = p.upgradeAuthority;
+  switch (a.kind) {
+    case "renounced":
+      return "\u{1F512} **Renounced** \u2014 program is frozen; no key can upgrade it.";
+    case "single-key":
+      return `\u26A0\uFE0F **Single key** \`${a.address}\` \u2014 one private key can replace this program at any time.`;
+    case "multisig":
+      return `\u{1F510} **Multisig** \`${a.address}\` \u2014 a threshold of signers can upgrade.`;
+    case "dao":
+      return `\u{1F3DB} **DAO** \`${a.address}\` \u2014 governance program controls upgrades.`;
+    case "unknown":
+      return a.address ? `\u2753 **Unclassified authority** \`${a.address}\` \u2014 needs research to confirm single-key vs multisig/DAO.` : "\u2753 **Unknown** \u2014 could not determine upgrade authority.";
+  }
+}
+function renderVerified(p) {
+  const v = p.verifiedBuild;
+  switch (v.state) {
+    case "verified":
+      return `\u2705 Verified build${v.commit ? ` @ \`${v.commit.slice(0, 12)}\`` : ""} \u2014 [registry](${v.registryUrl})`;
+    case "unverified":
+      return "\u274C Unverified \u2014 on-chain bytecode does not match any source we trust.";
+    case "unknown":
+      return "\u2753 Verified-build status not checked.";
+  }
+}
+function renderAudits(p) {
+  if (!p.audits.length) return "_No audits on file._";
+  return p.audits.map((a) => `- ${a.firm} (${a.date}) \u2014 [report](${a.reportUrl})${a.auditedCommit ? ` @ \`${a.auditedCommit.slice(0, 12)}\`` : ""}`).join("\n");
+}
+function renderParity(p) {
+  const { mainnet, devnet, testnet, notes } = p.parity;
+  const cells = [`mainnet=\`${mainnet}\``, `devnet=\`${devnet}\``];
+  if (testnet) cells.push(`testnet=\`${testnet}\``);
+  return cells.join(" \xB7 ") + (notes ? `  
+  _${notes}_` : "");
+}
+function renderProgram(p) {
+  return [
+    `### ${p.name}`,
+    "",
+    `\`${p.programId}\`${p.kind ? ` \xB7 kind: \`${p.kind}\`` : ""}`,
+    "",
+    `- **Upgrade authority:** ${renderAuthority(p)}`,
+    `- **Verified build:** ${renderVerified(p)}`,
+    `- **Parity:** ${renderParity(p)}`,
+    `- **Audits:**
+${renderAudits(p).split("\n").map((l) => "  " + l).join("\n")}`,
+    p.invokes && p.invokes.length ? `- **Invokes (CPI):** ${p.invokes.map((id) => `\`${id}\``).join(", ")}` : ""
+  ].filter(Boolean).join("\n");
+}
+function renderTrustGraphMd(g) {
+  const head = [
+    "# Trust Graph",
+    "",
+    `_Generated ${g.generatedAt}._`,
+    "",
+    "Every program your code transitively invokes, with the authority that controls it, the build-verification status, and the audits we found.",
+    ""
+  ].join("\n");
+  const body = g.programs.map(renderProgram).join("\n\n---\n\n");
+  const tail = g.unresolved.length ? [
+    "",
+    "---",
+    "",
+    "## Unresolved",
+    "",
+    ...g.unresolved.map((u) => `- \`${u.programId}\` \u2014 ${u.reason}`)
+  ].join("\n") : "";
+  return head + body + tail + "\n";
+}
+
+// src/costAnalysis.ts
+import { Project, SyntaxKind } from "ts-morph";
+var LAMPORTS_PER_BYTE_YEAR = 3480;
+var EXEMPTION_THRESHOLD = 2;
+var OVERHEAD_BYTES = 128;
+var LAMPORTS_PER_SOL = 1e9;
+function rentExemptMinimum(dataLen) {
+  return (dataLen + OVERHEAD_BYTES) * LAMPORTS_PER_BYTE_YEAR * EXEMPTION_THRESHOLD;
+}
+function lamportsToSol(lamports) {
+  return (lamports / LAMPORTS_PER_SOL).toFixed(9).replace(/\.?0+$/, "");
+}
+var KNOWN_FLOWS = [
+  {
+    call: "createMint",
+    module: "@solana/spl-token",
+    accountType: "SPL Token Mint",
+    dataLen: 82,
+    recoverability: "conditionally-recoverable",
+    recoverabilityNote: "Recoverable via `closeAccount` on the mint \u2014 requires mint supply = 0 and mint authority disabled. Most production mints never meet these conditions."
+  },
+  {
+    call: "createAssociatedTokenAccount",
+    module: "@solana/spl-token",
+    accountType: "Associated Token Account (ATA)",
+    dataLen: 165,
+    recoverability: "recoverable",
+    recoverabilityNote: "Recovered by calling `closeAccount`; lamports return to the destination wallet. Requires zero token balance."
+  },
+  {
+    call: "createAssociatedTokenAccountIdempotent",
+    module: "@solana/spl-token",
+    accountType: "Associated Token Account (ATA, idempotent)",
+    dataLen: 165,
+    recoverability: "recoverable",
+    recoverabilityNote: "Recovered by calling `closeAccount`; lamports return to the destination wallet. Requires zero token balance."
+  },
+  {
+    call: "createAccount",
+    module: "@solana/spl-token",
+    accountType: "SPL Token Account (explicit)",
+    dataLen: 165,
+    recoverability: "recoverable",
+    recoverabilityNote: "Recovered by calling `closeAccount`; lamports return to the destination wallet. Requires zero token balance."
+  },
+  {
+    call: "createV1",
+    module: "@metaplex-foundation/mpl-token-metadata",
+    accountType: "Metaplex Token Metadata",
+    // Base metadata: 1(key) + 32(update_auth) + 32(mint) + 4+name + 4+symbol + 4+uri
+    // + 2(seller_fee) + 1(creators opt) + 1(primary_sale) + 1(is_mutable) ≈ 679 bytes typical
+    dataLen: 679,
+    recoverability: "non-recoverable",
+    recoverabilityNote: "Metaplex metadata accounts cannot be closed. The lamport lockup is permanent for the lifetime of the token."
+  },
+  {
+    call: "createNft",
+    module: "@metaplex-foundation/mpl-token-metadata",
+    accountType: "Metaplex NFT Metadata",
+    dataLen: 679,
+    recoverability: "non-recoverable",
+    recoverabilityNote: "Metaplex metadata accounts cannot be closed. The lamport lockup is permanent."
+  },
+  {
+    call: "createAndMint",
+    module: "@metaplex-foundation/mpl-token-metadata",
+    accountType: "Metaplex Token Metadata + Mint",
+    dataLen: 679 + 82,
+    // metadata + mint
+    recoverability: "non-recoverable",
+    recoverabilityNote: "Metadata accounts cannot be closed. Mint rent is conditionally recoverable (requires 0 supply + disabled authority)."
+  },
+  {
+    call: "createFungible",
+    module: "@metaplex-foundation/mpl-token-metadata",
+    accountType: "Metaplex Fungible Token Metadata",
+    dataLen: 679,
+    recoverability: "non-recoverable",
+    recoverabilityNote: "Metaplex metadata accounts cannot be closed. The lamport lockup is permanent."
+  }
+];
+var LOOP_NODE_KINDS = /* @__PURE__ */ new Set([
+  SyntaxKind.ForStatement,
+  SyntaxKind.ForOfStatement,
+  SyntaxKind.ForInStatement,
+  SyntaxKind.WhileStatement,
+  SyntaxKind.DoStatement
+]);
+var ARRAY_METHOD_LOOPS = /* @__PURE__ */ new Set(["map", "forEach", "flatMap", "reduce", "filter"]);
+function isInsideLoop(node) {
+  let cur = node;
+  while (cur) {
+    const k = cur.getKind?.();
+    if (k !== void 0 && LOOP_NODE_KINDS.has(k)) {
+      return { scalable: true, note: `call is inside a ${SyntaxKind[k]} \u2014 cost scales with loop iterations` };
+    }
+    if (k === SyntaxKind.CallExpression) {
+      const expr = cur.getExpression?.();
+      if (expr?.getKind?.() === SyntaxKind.PropertyAccessExpression) {
+        const name = expr.asKind?.(SyntaxKind.PropertyAccessExpression)?.getName?.();
+        if (name && ARRAY_METHOD_LOOPS.has(name)) {
+          return { scalable: true, note: `call is inside .${name}() \u2014 cost scales with array length` };
+        }
+      }
+    }
+    cur = cur.getParent?.();
+  }
+  return { scalable: false };
+}
+function detectPriorityFee(targetDir) {
+  const project = new Project({ skipAddingFilesFromTsConfig: true });
+  for (const file of walk(targetDir)) {
+    const sf = project.addSourceFileAtPath(file);
+    const calls = sf.getDescendantsOfKind(SyntaxKind.CallExpression);
+    for (const ce of calls) {
+      const expr = ce.getExpression();
+      const text = expr.getText();
+      if (text.includes("setComputeUnitPrice")) {
+        return {
+          found: true,
+          file,
+          line: ce.getStartLineNumber(),
+          detail: `ComputeBudgetProgram.setComputeUnitPrice detected at ${file}:${ce.getStartLineNumber()} \u2014 priority fee configured.`
+        };
+      }
+    }
+  }
+  return {
+    found: false,
+    detail: "No setComputeUnitPrice call detected. During network congestion, transactions without a priority fee may stall or be dropped. Add ComputeBudgetProgram.setComputeUnitPrice() to critical transaction paths."
+  };
+}
+function detectAccountFlows(targetDir) {
+  const project = new Project({ skipAddingFilesFromTsConfig: true });
+  const callIndex = new Map(KNOWN_FLOWS.map((f) => [f.call, f]));
+  const flows = [];
+  for (const file of walk(targetDir)) {
+    const sf = project.addSourceFileAtPath(file);
+    const importedModules = new Set(
+      sf.getImportDeclarations().map((d) => d.getModuleSpecifierValue())
+    );
+    for (const ce of sf.getDescendantsOfKind(SyntaxKind.CallExpression)) {
+      const expr = ce.getExpression();
+      let callName = null;
+      if (expr.getKind() === SyntaxKind.Identifier) {
+        callName = expr.getText();
+      } else if (expr.getKind() === SyntaxKind.PropertyAccessExpression) {
+        callName = expr.asKind(SyntaxKind.PropertyAccessExpression).getName();
+      }
+      if (!callName) continue;
+      const known = callIndex.get(callName);
+      if (!known) continue;
+      if (!importedModules.has(known.module)) continue;
+      const lamports = rentExemptMinimum(known.dataLen);
+      const { scalable, note } = isInsideLoop(ce);
+      flows.push({
+        call: callName,
+        module: known.module,
+        accountType: known.accountType,
+        file,
+        line: ce.getStartLineNumber(),
+        dataLen: known.dataLen,
+        lamports,
+        sol: lamportsToSol(lamports),
+        recoverability: known.recoverability,
+        recoverabilityNote: known.recoverabilityNote,
+        scalable,
+        scalableNote: note
+      });
+    }
+  }
+  return flows;
+}
+function analyzeCosts(targetDir) {
+  const accountFlows = detectAccountFlows(targetDir);
+  const priorityFee = detectPriorityFee(targetDir);
+  const staticFlows = accountFlows.filter((f) => !f.scalable);
+  const scalableFlows = accountFlows.filter((f) => f.scalable);
+  const totalLockupLamports = staticFlows.reduce((s, f) => s + f.lamports, 0);
+  return {
+    accountFlows,
+    priorityFee,
+    totalLockupLamports,
+    totalLockupSol: lamportsToSol(totalLockupLamports),
+    scalableFlows,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function renderCostReportMd(r) {
+  const lines = ["## Cost & Rent Analysis\n"];
+  if (r.priorityFee.found) {
+    lines.push(`\u2705 **Priority fee configured** \u2014 \`setComputeUnitPrice\` detected.`);
+    lines.push(`   ${r.priorityFee.detail}
+`);
+  } else {
+    lines.push(`\u26A0\uFE0F  **HIGH \u2014 Priority fee not configured**`);
+    lines.push(`   ${r.priorityFee.detail}
+`);
+  }
+  if (r.accountFlows.length === 0) {
+    lines.push("_No account-creation calls from tracked modules detected._\n");
+    return lines.join("\n");
+  }
+  lines.push("### Account Creation Flows\n");
+  lines.push("| Call | Account Type | Data | Lamports Locked | SOL | Recoverable? |");
+  lines.push("|------|-------------|------|-----------------|-----|--------------|");
+  for (const f of r.accountFlows) {
+    const file = f.file.split("/").slice(-2).join("/");
+    const recov = f.recoverability === "recoverable" ? "\u2705 Yes" : f.recoverability === "conditionally-recoverable" ? "\u26A0\uFE0F  Conditional" : "\u274C No";
+    const scaleMark = f.scalable ? " \u{1F504}" : "";
+    lines.push(
+      `| \`${f.call}\`${scaleMark} (${file}:${f.line}) | ${f.accountType} | ${f.dataLen} B | ${f.lamports.toLocaleString()} | ${f.sol} SOL | ${recov} |`
+    );
+  }
+  lines.push("");
+  const unique = /* @__PURE__ */ new Map();
+  for (const f of r.accountFlows) unique.set(f.accountType, f.recoverabilityNote);
+  lines.push("**Recoverability notes:**");
+  for (const [type, note] of unique) lines.push(`- **${type}:** ${note}`);
+  lines.push("");
+  if (r.totalLockupLamports > 0) {
+    lines.push(
+      `**Total static lockup: ${r.totalLockupLamports.toLocaleString()} lamports (~${r.totalLockupSol} SOL)**`
+    );
+    lines.push(
+      `_(Excludes ${r.scalableFlows.length} scalable flow(s) whose cost grows with N \u2014 see below.)_
+`
+    );
+  }
+  if (r.scalableFlows.length > 0) {
+    lines.push("### Scalable Cost Flows (cost grows with N)\n");
+    for (const f of r.scalableFlows) {
+      const file = f.file.split("/").slice(-2).join("/");
+      lines.push(
+        `- **\`${f.call}\`** at \`${file}:${f.line}\` \u2014 ${f.scalableNote}
+  Per-iteration cost: ${f.lamports.toLocaleString()} lamports (${f.sol} SOL) for each ${f.accountType}.`
+      );
+    }
+    lines.push("");
+  }
+  return lines.join("\n");
+}
+
+// src/watch.ts
+import { watch as fsWatch } from "fs";
+function runIncrementalScan(targetDir, rules, emit) {
+  const start = Date.now();
+  let changedRanges;
+  try {
+    changedRanges = getWorkingTreeChanges(targetDir);
+  } catch (e) {
+    emit({ type: "scan_error", message: e?.message ?? String(e) });
+    return;
+  }
+  if (changedRanges.size === 0) {
+    emit({ type: "scan_complete", filesChanged: 0, findings: 0, durationMs: Date.now() - start });
+    return;
+  }
+  const { checks } = audit(targetDir, rules, changedRanges);
+  let findings = 0;
+  for (const c of checks) {
+    if (c.result === "pass") continue;
+    findings++;
+    emit({
+      type: "finding",
+      ruleId: c.ruleId,
+      severity: c.severity,
+      result: c.result,
+      file: c.file,
+      line: c.line,
+      detail: c.detail,
+      ...c.fix ? { fix: c.fix } : {}
+    });
+  }
+  emit({ type: "scan_complete", filesChanged: changedRanges.size, findings, durationMs: Date.now() - start });
+}
+function startWatch(targetDir, opts = {}) {
+  const debounceMs = opts.debounceMs ?? 300;
+  const emit = opts.emit ?? ((e) => process.stdout.write(JSON.stringify(e) + "\n"));
+  const rules = resolveRules(targetDir);
+  let timer;
+  const scheduleScan = () => {
+    if (timer) clearTimeout(timer);
+    timer = setTimeout(() => runIncrementalScan(targetDir, rules, emit), debounceMs);
+  };
+  const watcher = fsWatch(targetDir, { recursive: true }, (_event, filename) => {
+    if (!filename) return;
+    const parts = filename.split(/[\\/]/);
+    if (parts.some((p) => SKIP_DIRS.has(p))) return;
+    scheduleScan();
+  });
+  emit({ type: "watch_started", targetDir });
+  return {
+    close: () => {
+      if (timer) clearTimeout(timer);
+      watcher.close();
+    }
+  };
+}
+
+// src/fixers/applyDiff.ts
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+function parseDiff(diff) {
+  const lines = diff.split("\n");
+  const fileLine = lines.find((l) => l.startsWith("+++ b"));
+  if (!fileLine) throw new Error("parseDiff: no '+++ b<path>' line found");
+  const filePath = fileLine.slice("+++ b".length);
+  const hunkLine = lines.find((l) => l.startsWith("@@"));
+  if (!hunkLine) throw new Error("parseDiff: no hunk header found");
+  const m = hunkLine.match(/^@@ -(\d+),(\d+) \+\d+,\d+ @@/);
+  if (!m) throw new Error(`parseDiff: unrecognized hunk header '${hunkLine}'`);
+  const oldStart = Number(m[1]);
+  const oldCount = Number(m[2]);
+  const newLines = lines.filter((l) => l.startsWith("+") && !l.startsWith("+++")).map((l) => l.slice(1));
+  return { filePath, oldStart, oldCount, newLines };
+}
+function applyDiffToFile(diff) {
+  const { filePath, oldStart, oldCount, newLines } = parseDiff(diff);
+  const content = readFileSync3(filePath, "utf8");
+  const fileLines = content.split("\n");
+  const removedLines = diff.split("\n").filter((l) => l.startsWith("-") && !l.startsWith("---")).map((l) => l.slice(1));
+  const actual = fileLines.slice(oldStart - 1, oldStart - 1 + oldCount);
+  if (JSON.stringify(actual) !== JSON.stringify(removedLines)) return false;
+  fileLines.splice(oldStart - 1, oldCount, ...newLines);
+  writeFileSync2(filePath, fileLines.join("\n"));
+  return true;
+}
+
+// src/pack.ts
+import { existsSync as existsSync3, mkdirSync as mkdirSync2, writeFileSync as writeFileSync3 } from "fs";
+import { join as join3 } from "path";
+function initPack(dir, opts) {
+  if (existsSync3(join3(dir, PACK_MANIFEST_FILE))) {
+    throw new Error(`${dir} already contains a ${PACK_MANIFEST_FILE}`);
+  }
+  const manifest = {
+    id: opts.id,
+    name: opts.name ?? opts.id,
+    version: opts.version ?? "0.1.0",
+    author: opts.author ?? "unknown",
+    ...opts.description ? { description: opts.description } : {}
+  };
+  mkdirSync2(dir, { recursive: true });
+  mkdirSync2(join3(dir, "rules"), { recursive: true });
+  mkdirSync2(join3(dir, "fixtures"), { recursive: true });
+  const manifestYaml = [
+    `id: ${manifest.id}`,
+    `name: ${manifest.name}`,
+    `version: ${manifest.version}`,
+    `author: ${manifest.author}`,
+    ...manifest.description ? [`description: ${manifest.description}`] : [],
+    ""
+  ].join("\n");
+  const manifestFile = join3(dir, PACK_MANIFEST_FILE);
+  writeFileSync3(manifestFile, manifestYaml, "utf8");
+  return manifestFile;
+}
+function validatePack(dir) {
+  const { manifest, rules } = loadPack(dir);
+  const fixturesRoot = join3(dir, "fixtures");
+  const ruleResults = rules.map((rule) => {
+    const ruleFixturesDir = join3(fixturesRoot, rule.id);
+    const vulnerableDir = join3(ruleFixturesDir, "vulnerable");
+    const fixedDir = join3(ruleFixturesDir, "fixed");
+    if (!existsSync3(vulnerableDir) || !existsSync3(fixedDir)) {
+      return {
+        ruleId: rule.id,
+        status: "missing-fixtures",
+        detail: `no fixtures/${rule.id}/{vulnerable,fixed}/ directory \u2014 prove gate skipped`
+      };
+    }
+    const redChecks = auditWithRule(vulnerableDir, rule);
+    const redFails = redChecks.filter((c) => c.result === "fail");
+    if (redFails.length === 0) {
+      return {
+        ruleId: rule.id,
+        status: "red-failed",
+        detail: `expected at least one FAIL against fixtures/${rule.id}/vulnerable/, got none`
+      };
+    }
+    const greenChecks = auditWithRule(fixedDir, rule);
+    const greenFails = greenChecks.filter((c) => c.result === "fail");
+    if (greenFails.length > 0) {
+      return {
+        ruleId: rule.id,
+        status: "green-failed",
+        detail: `expected no FAIL against fixtures/${rule.id}/fixed/, got ${greenFails.length}`
+      };
+    }
+    return { ruleId: rule.id, status: "ok", detail: "RED -> GREEN proven" };
+  });
+  const ok = ruleResults.every((r) => r.status === "ok" || r.status === "missing-fixtures");
+  return { manifest, rules, ruleResults, ok };
+}
+
+// src/telemetry.ts
+import { createHash, randomUUID } from "crypto";
+import { appendFileSync, existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync4, writeFileSync as writeFileSync4 } from "fs";
+import { execFileSync } from "child_process";
+import { homedir as homedir2 } from "os";
+import { dirname as dirname2, join as join4, resolve } from "path";
+function sha256Hex(s) {
+  return createHash("sha256").update(s).digest("hex");
+}
+function isTelemetryEnabled(targetDir) {
+  const env = process.env.BRAINBLAST_TELEMETRY;
+  if (env === "1" || env === "true") return true;
+  if (env === "0" || env === "false") return false;
+  const configPath = join4(targetDir, ".agent-research", "config.json");
+  if (!existsSync4(configPath)) return false;
+  try {
+    const cfg = JSON.parse(readFileSync4(configPath, "utf8"));
+    return cfg?.telemetry === true;
+  } catch {
+    return false;
+  }
+}
+function getUserHash() {
+  const idPath = join4(homedir2(), ".brainblast", "telemetry-id");
+  let id;
+  if (existsSync4(idPath)) {
+    id = readFileSync4(idPath, "utf8").trim();
+  } else {
+    id = randomUUID();
+    mkdirSync3(dirname2(idPath), { recursive: true });
+    writeFileSync4(idPath, id, "utf8");
+  }
+  return sha256Hex(id).slice(0, 16);
+}
+function getRepoHash(targetDir) {
+  let key = "";
+  try {
+    key = execFileSync("git", ["config", "--get", "remote.origin.url"], {
+      cwd: targetDir,
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "ignore"]
+    }).trim();
+  } catch {
+  }
+  if (!key) key = resolve(targetDir);
+  return sha256Hex(key).slice(0, 16);
+}
+function telemetryFilePath(targetDir) {
+  return join4(targetDir, ".agent-research", "telemetry.ndjson");
+}
+var DEFAULT_REGISTRY_URL = "https://registry.brainblast.tech";
+async function submitTelemetry(targetDir, registryUrl = process.env.BRAINBLAST_REGISTRY_URL || DEFAULT_REGISTRY_URL) {
+  const file = telemetryFilePath(targetDir);
+  if (!existsSync4(file)) {
+    return { submitted: 0, accepted: 0, rejected: 0, graduations: [] };
+  }
+  const events = readFileSync4(file, "utf8").trim().split("\n").filter(Boolean).map((line) => JSON.parse(line));
+  if (events.length === 0) {
+    return { submitted: 0, accepted: 0, rejected: 0, graduations: [] };
+  }
+  const res = await fetch(`${registryUrl.replace(/\/$/, "")}/api/telemetry`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ events })
+  });
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new Error(`telemetry submit failed: ${res.status} ${res.statusText} ${body}`.trim());
+  }
+  const json = await res.json();
+  return { submitted: events.length, ...json };
+}
+function recordGraduationEvents(targetDir, events) {
+  if (events.length === 0) return;
+  const file = telemetryFilePath(targetDir);
+  mkdirSync3(dirname2(file), { recursive: true });
+  const repo_hash = getRepoHash(targetDir);
+  const user_hash = getUserHash();
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const lines = events.map((e) => JSON.stringify({ ...e, repo_hash, user_hash, timestamp })).join("\n");
+  appendFileSync(file, lines + "\n", "utf8");
+}
+
+export {
+  loadDirectory,
+  base58Encode,
+  base58Decode,
+  isValidSolanaAddress,
+  DEFAULT_TTL_HOURS,
+  defaultCachePath,
+  loadProgramCache,
+  saveProgramCache,
+  getCacheEntry,
+  putCacheEntry,
+  getCacheEntryMeta,
+  isEntryExpired,
+  cacheSize,
+  buildTrustGraph,
+  renderTrustGraphMd,
+  rentExemptMinimum,
+  lamportsToSol,
+  analyzeCosts,
+  renderCostReportMd,
+  runIncrementalScan,
+  startWatch,
+  parseDiff,
+  applyDiffToFile,
+  initPack,
+  validatePack,
+  isTelemetryEnabled,
+  getUserHash,
+  getRepoHash,
+  telemetryFilePath,
+  DEFAULT_REGISTRY_URL,
+  submitTelemetry,
+  recordGraduationEvents
+};