brainblast 0.6.0 → 0.6.2

package/dist/chunk-3RG5ZIWI.js

@@ -0,0 +1,10 @@
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
+export {
+  __require
+};

package/dist/chunk-EAKU3L7F.js

@@ -0,0 +1,183 @@
+import {
+  __require
+} from "./chunk-3RG5ZIWI.js";
+
+// src/drift.ts
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
+import { join } from "path";
+var BASELINE_PATH = (dir) => join(dir, ".agent-research", "drift-baseline.json");
+function pkgKey(pkg) {
+  return `${pkg.ecosystem}:${pkg.name}@${pkg.version}`;
+}
+function loadBaseline(dir) {
+  const path = BASELINE_PATH(dir);
+  if (!existsSync(path)) return null;
+  try {
+    return JSON.parse(readFileSync(path, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function saveBaseline(dir, baseline) {
+  const outDir = join(dir, ".agent-research");
+  mkdirSync(outDir, { recursive: true });
+  writeFileSync(BASELINE_PATH(dir), JSON.stringify(baseline, null, 2));
+}
+async function queryOsvBatch(pkgs) {
+  const results = /* @__PURE__ */ new Map();
+  if (pkgs.length === 0) return results;
+  for (let i = 0; i < pkgs.length; i += 1e3) {
+    const batch = pkgs.slice(i, i + 1e3);
+    const body = JSON.stringify({
+      queries: batch.map((p) => ({
+        version: p.version,
+        package: { name: p.name, ecosystem: p.ecosystem }
+      }))
+    });
+    let res;
+    try {
+      res = await fetch("https://api.osv.dev/v1/querybatch", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body,
+        signal: AbortSignal.timeout(3e4)
+      });
+    } catch (e) {
+      throw new Error(`OSV batch request failed: ${e.message ?? String(e)}`);
+    }
+    if (!res.ok) throw new Error(`OSV batch API error: ${res.status} ${res.statusText}`);
+    const data = await res.json();
+    for (let j = 0; j < batch.length; j++) {
+      const pkg = batch[j];
+      const vulns = data.results[j]?.vulns ?? [];
+      const advisories = vulns.map((v) => {
+        const id = v["id"];
+        const severities = v["severity"] ?? [];
+        let severity = "high";
+        for (const sev of severities) {
+          if (sev.type === "CVSS_V3") {
+            const score = parseFloat(sev.score);
+            if (!isNaN(score)) {
+              severity = score >= 9 ? "critical" : score >= 7 ? "high" : score >= 4 ? "medium" : "low";
+              break;
+            }
+          }
+        }
+        const dbSpec = v["database_specific"] ?? {};
+        if (severity === "high") {
+          const ghsa = (dbSpec["severity"] ?? "").toUpperCase();
+          severity = { CRITICAL: "critical", HIGH: "high", MODERATE: "medium", LOW: "low" }[ghsa] ?? "high";
+        }
+        const rawSummary = v["summary"] ?? "";
+        const rawDetails = v["details"] ?? "";
+        return { id, severity, summary: rawSummary || rawDetails.slice(0, 200), url: `https://osv.dev/vulnerability/${id}` };
+      });
+      results.set(pkgKey(pkg), advisories);
+    }
+  }
+  return results;
+}
+function seedPackages(dir) {
+  const { execFileSync } = __require("child_process");
+  const scriptPaths = [
+    join(dir, "scripts", "seed-inventory.sh"),
+    join(__dirname, "..", "..", "scripts", "seed-inventory.sh")
+  ];
+  for (const script of scriptPaths) {
+    if (existsSync(script)) {
+      try {
+        const out = execFileSync("sh", [script, dir], { encoding: "utf8", timeout: 3e4 });
+        return JSON.parse(out);
+      } catch {
+      }
+    }
+  }
+  return [];
+}
+async function checkDrift(dir, opts = {}) {
+  const pkgs = opts.packages ?? seedPackages(dir);
+  const baseline = loadBaseline(dir);
+  const currentMap = await queryOsvBatch(pkgs);
+  const currentIds = {};
+  for (const pkg of pkgs) {
+    const key = pkgKey(pkg);
+    currentIds[key] = (currentMap.get(key) ?? []).map((a) => a.id);
+  }
+  const newAdvisories = [];
+  const resolvedAdvisories = [];
+  if (baseline) {
+    for (const pkg of pkgs) {
+      const key = pkgKey(pkg);
+      const prev = new Set(baseline.advisoryIds[key] ?? []);
+      const curr = currentMap.get(key) ?? [];
+      for (const adv of curr) {
+        if (!prev.has(adv.id)) {
+          newAdvisories.push({ ...adv, package: pkg.name, ecosystem: pkg.ecosystem, version: pkg.version });
+        }
+      }
+      const currIds = new Set(curr.map((a) => a.id));
+      for (const prevId of prev) {
+        if (!currIds.has(prevId)) {
+          resolvedAdvisories.push({
+            id: prevId,
+            severity: "low",
+            summary: "Advisory no longer reported by OSV",
+            url: `https://osv.dev/vulnerability/${prevId}`,
+            package: pkg.name,
+            ecosystem: pkg.ecosystem,
+            version: pkg.version
+          });
+        }
+      }
+    }
+  }
+  if (opts.updateBaseline || !baseline) {
+    saveBaseline(dir, {
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      packages: pkgs.length,
+      advisoryIds: currentIds
+    });
+  }
+  return {
+    newAdvisories,
+    resolvedAdvisories,
+    baselineExists: !!baseline,
+    baselineDate: baseline?.createdAt ?? null,
+    packagesChecked: pkgs.length
+  };
+}
+function renderDriftText(result) {
+  const lines = [];
+  if (!result.baselineExists) {
+    lines.push(`brainblast drift: baseline created \u2014 ${result.packagesChecked} packages indexed.`);
+    lines.push("Re-run without --update-baseline to detect new advisories.");
+    return lines.join("\n");
+  }
+  lines.push(`brainblast drift: checked ${result.packagesChecked} packages against baseline from ${result.baselineDate?.split("T")[0] ?? "unknown"}`);
+  if (result.newAdvisories.length === 0 && result.resolvedAdvisories.length === 0) {
+    lines.push("  No new advisories. Dependency risk profile unchanged.");
+    return lines.join("\n");
+  }
+  if (result.newAdvisories.length > 0) {
+    lines.push(`
+  NEW (${result.newAdvisories.length}):`);
+    for (const a of result.newAdvisories) {
+      lines.push(`    [${a.severity.toUpperCase()}] ${a.package}@${a.version} \u2014 ${a.id}: ${a.summary}`);
+      lines.push(`      ${a.url}`);
+    }
+  }
+  if (result.resolvedAdvisories.length > 0) {
+    lines.push(`
+  RESOLVED (${result.resolvedAdvisories.length}):`);
+    for (const a of result.resolvedAdvisories) {
+      lines.push(`    ${a.package}@${a.version} \u2014 ${a.id}`);
+    }
+  }
+  return lines.join("\n");
+}
+
+export {
+  seedPackages,
+  checkDrift,
+  renderDriftText
+};

package/dist/cli.js

@@ -23,6 +23,7 @@ import {
   getChangedRanges,
   resolveRules
 } from "./chunk-A56IF3UX.js";
+import "./chunk-3RG5ZIWI.js";
 
 // src/cli.ts
 import { writeFileSync as writeFileSync2, mkdirSync as mkdirSync2 } from "fs";
@@ -113,8 +114,12 @@ if (args[0] === "diff") {
   await runDiff(args.slice(1));
   process.exit(0);
 }
+if (args[0] === "drift") {
+  await runDrift(args.slice(1));
+  process.exit(0);
+}
 if (args[0] === "mcp") {
-  const { startMcpServer } = await import("./mcp-RUVILE2Y.js");
+  const { startMcpServer } = await import("./mcp-AFYJQ7K6.js");
   await startMcpServer();
   process.exit(0);
 }
@@ -429,6 +434,26 @@ Warning: could not create branch/commit: ${e.message ?? e}`);
     }
   }
 }
+async function runDrift(argv) {
+  const updateBaseline = argv.includes("--update-baseline");
+  const jsonOut = argv.includes("--json");
+  const targetDir2 = argv.find((a) => !a.startsWith("--")) ?? process.cwd();
+  const { checkDrift, renderDriftText } = await import("./drift-JQ7DDZIF.js");
+  let result;
+  try {
+    result = await checkDrift(targetDir2, { updateBaseline });
+  } catch (e) {
+    console.error(`brainblast drift: ${e.message ?? String(e)}`);
+    process.exit(1);
+  }
+  if (jsonOut) {
+    console.log(JSON.stringify(result, null, 2));
+    if (result.newAdvisories.length > 0) process.exit(1);
+    return;
+  }
+  console.log(renderDriftText(result));
+  if (result.newAdvisories.length > 0) process.exit(1);
+}
 function splitPkgVersion(arg) {
   if (arg.startsWith("@")) {
     const rest = arg.slice(1);
@@ -485,7 +510,7 @@ async function runDiff(argv) {
     console.error("  e.g.: brainblast diff lodash@4.17.20 lodash@4.17.21");
     process.exit(2);
   }
-  const { diffVersions, renderDiffText, renderDiffMd, riskScore } = await import("./diff-PZKZYBKF.js");
+  const { diffVersions, renderDiffText, renderDiffMd, riskScore } = await import("./diff-KIR4PCBC.js");
   let result;
   try {
     result = await diffVersions(ecosystem, pkgName, fromVersion, toVersion);

package/dist/{diff-PZKZYBKF.js → diff-KIR4PCBC.js}

@@ -4,6 +4,7 @@ import {
   renderDiffText,
   riskScore
 } from "./chunk-SC6RNNDW.js";
+import "./chunk-3RG5ZIWI.js";
 export {
   diffVersions,
   renderDiffMd,

package/dist/drift-JQ7DDZIF.js

@@ -0,0 +1,11 @@
+import {
+  checkDrift,
+  renderDriftText,
+  seedPackages
+} from "./chunk-EAKU3L7F.js";
+import "./chunk-3RG5ZIWI.js";
+export {
+  checkDrift,
+  renderDriftText,
+  seedPackages
+};

package/dist/index.d.ts

@@ -520,4 +520,39 @@ declare function riskScore(result: DiffResult): number;
 declare function renderDiffText(result: DiffResult): string;
 declare function renderDiffMd(result: DiffResult): string;
 
-export { type AccountFlow, type AuditRef, type BuildOpts, type Candidate, type ChangedRanges, type CheckOutcome, type CheckResult, type CheckResultKind, type Checker, type ConfigCandidate, type ConfigChecker, type CostReport, DEFAULT_REGISTRY_URL, DEFAULT_TTL_HOURS, type DiffResult, type GraduationEvent, type OnChainProgram, type OsvAdvisory, PACK_MANIFEST_FILE, type PackInitOptions, type PackManifest, type PackRuleValidation, type PackValidateResult, type ParityNote, type ParsedDiff, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type Rule, type RustAccountField, type RustCandidate, type RustChecker, type Severity, type TelemetrySubmitResult, type TrustGraph, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, type WatchEvent, type WatchOptions, analyzeCosts, applyDiffToFile, audit, auditWithRule, base58Decode, base58Encode, buildTrustGraph, rules as bundledRules, cacheSize, checkerKinds, defaultCachePath, diffVersions, fileChanged, findCandidates, findConfigCandidates, generateTestForResult, getCacheEntry, getCacheEntryMeta, getChangedRanges, getRepoHash, getUserHash, getWorkingTreeChanges, initPack, isEntryExpired, isTelemetryEnabled, isValidSolanaAddress, lamportsToSol, loadDirectory, loadPack, loadPacksFromDir, loadProgramCache, loadRules, parseDiff, putCacheEntry, queryOsv, rangeChanged, recordGraduationEvents, renderCostReportMd, renderDiffMd, renderDiffText, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, riskScore, runChecker, runIncrementalScan, saveProgramCache, startWatch, submitTelemetry, telemetryFilePath, testKinds, validatePack, validatePackManifest };
+interface DriftPackage {
+    name: string;
+    version: string;
+    ecosystem: string;
+    source: string;
+}
+interface DriftAdvisory extends OsvAdvisory {
+    package: string;
+    ecosystem: string;
+    version: string;
+}
+interface DriftBaseline {
+    createdAt: string;
+    packages: number;
+    /** Map from "ecosystem:name@version" to array of advisory IDs. */
+    advisoryIds: Record<string, string[]>;
+}
+interface DriftResult {
+    newAdvisories: DriftAdvisory[];
+    resolvedAdvisories: DriftAdvisory[];
+    baselineExists: boolean;
+    baselineDate: string | null;
+    packagesChecked: number;
+}
+/**
+ * Seed packages from lockfiles in the project directory.
+ * Shells out to scripts/seed-inventory.sh for parity with the skill.
+ */
+declare function seedPackages(dir: string): DriftPackage[];
+declare function checkDrift(dir: string, opts?: {
+    updateBaseline?: boolean;
+    packages?: DriftPackage[];
+}): Promise<DriftResult>;
+declare function renderDriftText(result: DriftResult): string;
+
+export { type AccountFlow, type AuditRef, type BuildOpts, type Candidate, type ChangedRanges, type CheckOutcome, type CheckResult, type CheckResultKind, type Checker, type ConfigCandidate, type ConfigChecker, type CostReport, DEFAULT_REGISTRY_URL, DEFAULT_TTL_HOURS, type DiffResult, type DriftAdvisory, type DriftBaseline, type DriftPackage, type DriftResult, type GraduationEvent, type OnChainProgram, type OsvAdvisory, PACK_MANIFEST_FILE, type PackInitOptions, type PackManifest, type PackRuleValidation, type PackValidateResult, type ParityNote, type ParsedDiff, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type Rule, type RustAccountField, type RustCandidate, type RustChecker, type Severity, type TelemetrySubmitResult, type TrustGraph, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, type WatchEvent, type WatchOptions, analyzeCosts, applyDiffToFile, audit, auditWithRule, base58Decode, base58Encode, buildTrustGraph, rules as bundledRules, cacheSize, checkDrift, checkerKinds, defaultCachePath, diffVersions, fileChanged, findCandidates, findConfigCandidates, generateTestForResult, getCacheEntry, getCacheEntryMeta, getChangedRanges, getRepoHash, getUserHash, getWorkingTreeChanges, initPack, isEntryExpired, isTelemetryEnabled, isValidSolanaAddress, lamportsToSol, loadDirectory, loadPack, loadPacksFromDir, loadProgramCache, loadRules, parseDiff, putCacheEntry, queryOsv, rangeChanged, recordGraduationEvents, renderCostReportMd, renderDiffMd, renderDiffText, renderDriftText, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, riskScore, runChecker, runIncrementalScan, saveProgramCache, seedPackages, startWatch, submitTelemetry, telemetryFilePath, testKinds, validatePack, validatePackManifest };

package/dist/index.js

@@ -60,6 +60,12 @@ import {
   renderDiffText,
   riskScore
 } from "./chunk-SC6RNNDW.js";
+import {
+  checkDrift,
+  renderDriftText,
+  seedPackages
+} from "./chunk-EAKU3L7F.js";
+import "./chunk-3RG5ZIWI.js";
 
 // src/generate.ts
 import { writeFileSync, mkdirSync } from "fs";
@@ -87,6 +93,7 @@ export {
   buildTrustGraph,
   rules as bundledRules,
   cacheSize,
+  checkDrift,
   checkerKinds,
   defaultCachePath,
   diffVersions,
@@ -118,6 +125,7 @@ export {
   renderCostReportMd,
   renderDiffMd,
   renderDiffText,
+  renderDriftText,
   renderTest,
   renderTrustGraphMd,
   rentExemptMinimum,
@@ -126,6 +134,7 @@ export {
   runChecker,
   runIncrementalScan,
   saveProgramCache,
+  seedPackages,
   startWatch,
   submitTelemetry,
   telemetryFilePath,

package/dist/{mcp-RUVILE2Y.js → mcp-AFYJQ7K6.js}

@@ -6,6 +6,7 @@ import {
   diffVersions,
   queryOsv
 } from "./chunk-SC6RNNDW.js";
+import "./chunk-3RG5ZIWI.js";
 
 // src/mcp.ts
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";

package/dist/rules/jsonwebtoken-algorithm-pinned.yaml

@@ -0,0 +1,36 @@
+# Pure-data rule (facts). Binds to vetted templates by `check.kind`/`test.kind`.
+id: jsonwebtoken-algorithm-pinned
+severity: critical
+title: jsonwebtoken verify() must pin the accepted algorithm(s)
+component:
+  name: jsonwebtoken
+  type: Auth
+  version: unversioned
+  sourceUrl: https://github.com/auth0/node-jsonwebtoken/blob/master/README.md#jwtverifytoken-secretorpublickey-options-callback
+detect:
+  lang: typescript
+  modules: [jsonwebtoken]
+  # Functions that import jsonwebtoken and contain verification logic.
+  nameRegex: "auth|jwt|token|verify|middleware"
+  triggerCalls: [verify]
+  requiresImport: true
+check:
+  kind: required-call-with-options
+  params:
+    verifyCalls: [verify]
+    decodeCalls: [decode]
+    requiredProps:
+      - [algorithms]
+    passDetail: >-
+      jwt.verify() pins the accepted algorithm(s) via the 'algorithms' option —
+      algorithm-confusion attacks are blocked.
+    missingPropsDetail: >-
+      jwt.verify() is called without an 'algorithms' option. An attacker who controls
+      the token header can switch to 'none' (no signature) or to an asymmetric algorithm
+      using the public key as the HMAC secret, bypassing signature verification entirely.
+      Always pass algorithms: ['HS256'] (or whichever algorithm you use).
+    decodeOnlyDetail: >-
+      Token is decoded with jwt.decode() (no signature verification). Any token —
+      forged or expired — is accepted. Use jwt.verify() with a pinned algorithms list.
+test:
+  kind: none

package/dist/rules/open-redirect.yaml

@@ -0,0 +1,32 @@
+# Pure-data rule (facts). Binds to vetted templates by `check.kind`/`test.kind`.
+id: open-redirect
+severity: high
+title: Untrusted request input used as a redirect destination
+component:
+  name: Node.js HTTP (Express / Next.js)
+  type: API
+  version: unversioned
+  sourceUrl: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
+detect:
+  lang: typescript
+  modules: []
+  # Trigger on any function that calls res.redirect / router.redirect / NextResponse.redirect.
+  nameRegex: "(?!)"
+  triggerCalls:
+    - redirect
+    - setHeader
+  requiresImport: false
+check:
+  kind: taint-to-sink
+  params:
+    sources:
+      - name: request-input
+        # req.query / req.params are the most common entry points for open-redirect attacks.
+        # req.body included for completeness (e.g. POST-based login redirects).
+        pattern: "\\b(req|request)\\.(query|params|body|headers)\\b"
+    sinkCalls:
+      - redirect
+      - setHeader
+    maxHops: 2
+test:
+  kind: none

package/dist/rules/prisma-raw-injection.yaml

@@ -0,0 +1,35 @@
+# Pure-data rule (facts). Binds to vetted templates by `check.kind`/`test.kind`.
+id: prisma-raw-injection
+severity: critical
+title: Untrusted request input flows into a Prisma raw query
+component:
+  name: Prisma ORM
+  type: SDK
+  version: unversioned
+  sourceUrl: https://www.prisma.io/docs/orm/prisma-client/using-raw-sql/raw-queries#sql-injection-prevention
+detect:
+  lang: typescript
+  modules: ["@prisma/client", "prisma"]
+  # Never matches by name alone — only the sink triggerCalls below select candidates.
+  nameRegex: "(?!)"
+  triggerCalls:
+    - $queryRaw
+    - $executeRaw
+    - $queryRawUnsafe
+    - $executeRawUnsafe
+  requiresImport: false
+check:
+  kind: taint-to-sink
+  params:
+    sources:
+      - name: request-input
+        # req.body / req.query / req.params / req.headers — canonical untrusted HTTP input.
+        pattern: "\\b(req|request)\\.(body|query|params|headers)\\b"
+    sinkCalls:
+      - $queryRaw
+      - $executeRaw
+      - $queryRawUnsafe
+      - $executeRawUnsafe
+    maxHops: 2
+test:
+  kind: none

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "brainblast",
-  "version": "0.6.0",
+  "version": "0.6.2",
   "type": "module",
   "description": "Deterministic auditor for catastrophic AI-integration bugs: scan a repo, find the silent money/auth traps, and generate the behavioral test that proves they're fixed.",
   "keywords": [